fix: I dunno, I'm making git server changes

2025-12-29 08:44:49 -06:00
parent 57d2c43da7
commit 9b0de6a5b8
18 changed files with 2584 additions and 512 deletions
--- a/config/deployment/state.json
+++ b/config/deployment/state.json
@@ -0,0 +1,21 @@
+{
+  "active_stack": "blue",
+  "inactive_stack": "green",
+  "last_deployment": null,
+  "last_deployment_commit": null,
+  "last_deployment_status": null,
+  "blue": {
+    "version": null,
+    "commit": null,
+    "deployed_at": null,
+    "healthy": false
+  },
+  "green": {
+    "version": null,
+    "commit": null,
+    "deployed_at": null,
+    "healthy": false
+  },
+  "rollback_available": false,
+  "maintenance_mode": false
+}
--- a/config/traefik/dynamic/blue-green.yml
+++ b/config/traefik/dynamic/blue-green.yml
@@ -0,0 +1,116 @@
+# Traefik Dynamic Configuration for Blue-Green Deployment
+# This file is watched by Traefik and reloaded on changes
+# Traffic weights are updated by scripts/ci/switch-traffic.sh
+#
+# Current active stack is determined by weights:
+#   - blue=100, green=0  -> Blue is active
+#   - blue=0, green=100  -> Green is active
+#   - Gradual: 75/25, 50/50, 25/75 for canary deployments
+
+http:
+  # ========================================
+  # Routers - Route traffic to weighted services
+  # ========================================
+  routers:
+    # Frontend router with weighted service
+    mvp-frontend-bluegreen:
+      rule: "(Host(`motovaultpro.com`) || Host(`www.motovaultpro.com`)) && !PathPrefix(`/api`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      service: mvp-frontend-weighted
+      priority: 10
+
+    # Backend API router with weighted service
+    mvp-backend-bluegreen:
+      rule: "(Host(`motovaultpro.com`) || Host(`www.motovaultpro.com`)) && PathPrefix(`/api`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      service: mvp-backend-weighted
+      priority: 20
+
+    # Health check router (always routes to active stack)
+    mvp-backend-health:
+      rule: "(Host(`motovaultpro.com`) || Host(`www.motovaultpro.com`)) && Path(`/api/health`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      service: mvp-backend-weighted
+      priority: 30
+
+  # ========================================
+  # Services - Weighted load balancers
+  # ========================================
+  services:
+    # Frontend weighted service
+    # Weights are updated by switch-traffic.sh
+    mvp-frontend-weighted:
+      weighted:
+        services:
+          - name: mvp-frontend-blue-svc
+            weight: 100
+          - name: mvp-frontend-green-svc
+            weight: 0
+        healthCheck: {}
+
+    # Backend weighted service
+    # Weights are updated by switch-traffic.sh
+    mvp-backend-weighted:
+      weighted:
+        services:
+          - name: mvp-backend-blue-svc
+            weight: 100
+          - name: mvp-backend-green-svc
+            weight: 0
+        healthCheck: {}
+
+    # Individual stack services
+    mvp-frontend-blue-svc:
+      loadBalancer:
+        servers:
+          - url: "http://mvp-frontend-blue:3000"
+        healthCheck:
+          path: /
+          interval: 10s
+          timeout: 3s
+        passHostHeader: true
+
+    mvp-frontend-green-svc:
+      loadBalancer:
+        servers:
+          - url: "http://mvp-frontend-green:3000"
+        healthCheck:
+          path: /
+          interval: 10s
+          timeout: 3s
+        passHostHeader: true
+
+    mvp-backend-blue-svc:
+      loadBalancer:
+        servers:
+          - url: "http://mvp-backend-blue:3001"
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        passHostHeader: true
+
+    mvp-backend-green-svc:
+      loadBalancer:
+        servers:
+          - url: "http://mvp-backend-green:3001"
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        passHostHeader: true
+
+    # Maintenance mode service (optional)
+    mvp-maintenance:
+      loadBalancer:
+        servers:
+          - url: "http://mvp-maintenance:80"
--- a/config/traefik/dynamic/middleware.yml
+++ b/config/traefik/dynamic/middleware.yml
@@ -0,0 +1,180 @@
+http:
+  middlewares:
+    # Security headers middleware
+    secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+          - POST
+          - DELETE
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    # CORS middleware for API endpoints
+    cors:
+      headers:
+        accessControlAllowCredentials: true
+        accessControlAllowHeaders:
+          - "Authorization"
+          - "Content-Type"
+          - "X-Requested-With"
+          - "X-Tenant-ID"
+        accessControlAllowMethods:
+          - "GET"
+          - "POST"
+          - "PUT"
+          - "DELETE"
+          - "OPTIONS"
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        accessControlMaxAge: 100
+
+    # API authentication middleware
+    api-auth:
+      forwardAuth:
+        address: "http://admin-backend:3001/auth/verify"
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Auth-Roles"
+          - "X-Tenant-ID"
+        authRequestHeaders:
+          - "Authorization"
+          - "X-Tenant-ID"
+        trustForwardHeader: true
+
+    # Platform API authentication middleware
+    platform-auth:
+      forwardAuth:
+        address: "http://admin-backend:3001/auth/verify-platform"
+        authResponseHeaders:
+          - "X-Service-Name"
+          - "X-Auth-Scope"
+        authRequestHeaders:
+          - "X-API-Key"
+          - "Authorization"
+        trustForwardHeader: true
+
+    # Rate limiting middleware
+    rate-limit:
+      rateLimit:
+        burst: 100
+        average: 50
+        period: 1m
+
+    # Request/response size limits
+    size-limit:
+      buffering:
+        maxRequestBodyBytes: 26214400  # 25MB
+        maxResponseBodyBytes: 26214400  # 25MB
+
+    # IP whitelist for development (optional)
+    local-ips:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "10.0.0.0/8"
+          - "172.16.0.0/12"
+          - "192.168.0.0/16"
+
+    # Advanced security headers for production
+    security-headers-strict:
+      headers:
+        accessControlAllowCredentials: false
+        accessControlAllowMethods:
+          - GET
+          - POST
+          - OPTIONS
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        browserXssFilter: true
+        contentTypeNosniff: true
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+        customResponseHeaders:
+          X-Frame-Options: DENY
+          X-Content-Type-Options: nosniff
+          Referrer-Policy: strict-origin-when-cross-origin
+          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
+        forceSTSHeader: true
+        frameDeny: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+
+    # Circuit breaker for reliability
+    circuit-breaker:
+      circuitBreaker:
+        expression: "NetworkErrorRatio() > 0.3 || ResponseCodeRatio(500, 600, 0, 600) > 0.3"
+        checkPeriod: 30s
+        fallbackDuration: 10s
+        recoveryDuration: 30s
+
+    # Request retry for resilience
+    retry-policy:
+      retry:
+        attempts: 3
+        initialInterval: 100ms
+
+    # Timeout middleware
+    timeout:
+      timeout: 30s
+
+    # Compress responses for performance
+    compression:
+      compress: {}
+
+    # Health check middleware chain
+    health-check-chain:
+      chain:
+        middlewares:
+          - compression
+          - secure-headers
+          - timeout
+
+    # API middleware chain
+    api-chain:
+      chain:
+        middlewares:
+          - compression
+          - security-headers-strict
+          - cors
+          - rate-limit
+          - api-auth
+          - retry-policy
+          - timeout
+
+    # Platform API middleware chain
+    platform-chain:
+      chain:
+        middlewares:
+          - compression
+          - security-headers-strict
+          - rate-limit
+          - platform-auth
+          - circuit-breaker
+          - retry-policy
+          - timeout
+
+    # Public frontend middleware chain
+    frontend-chain:
+      chain:
+        middlewares:
+          - compression
+          - secure-headers
+          - timeout
--- a/config/traefik/traefik.yml
+++ b/config/traefik/traefik.yml
@@ -21,7 +21,8 @@ providers:
    exposedByDefault: false
    # Network auto-discovery - Traefik will use the networks it's connected to
  file:
-    filename: /etc/traefik/middleware.yml
+    # Watch directory for dynamic configuration (blue-green routing, middleware)
+    directory: /etc/traefik/dynamic
    watch: true

 certificatesResolvers: