nvoi 0.1.7 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 91c0d6ae24cfc163dd6c00008e5199cfdca4b9864ed6c2b56644b58b90d04ca6
-  data.tar.gz: 319109891843c14ae0dfe4c66553bdf06a5bf5a1d009855f97f0c6ffc17bccc6
+  metadata.gz: 29c741e5b25ff6ab371cd67fa720bbfbe45d2edbb3f59cf060cbe22aadde790e
+  data.tar.gz: dd4af8ac050b8ce0d95ed5a55a69f0e778ad015074df9860e33dce878f026334
 SHA512:
-  metadata.gz: 34b0c1e73b479bb2e10356b27f397a7c34dc9476bd7244490450163736fc7106bd28143ec91bfba1aa27a16c5b1f15d722cfd09d98d7a4155ce7dd752ff30949
-  data.tar.gz: 9706c433e608299ac10f71ff257a9d73a0e4f97bab126d3b99d0050474c426dde79fb793204dc55d9369b0654bfba162621106c34d3791fb4e9fb7fed651d8e2
+  metadata.gz: 7764ee8e3a9bb39b3059798c49f2e8c8c42c9cd15e69ff0187d7bea84f6b8eea4e36c2d3d4d18db0ba90e3fdf52f4214981311a255e188d84c3c36cbdc6ea3aa
+  data.tar.gz: 1b4d265fe116bb22967fcdba974cc0aea8d29fffb98f4ed41acc003eba4cd2a8de07218d04eb034e8ee1c37b06831c8334db88c63ba323ee0ef25b898148057e

data/.claude/todos/buckets.md

@@ -0,0 +1,41 @@
+# Scaleway Bucket Automation
+
+Automate bucket provisioning for new tenants/environments.
+
+## API
+
+No separate management API - use S3-compatible REST API directly via `aws-sdk-s3` gem.
+
+```ruby
+require "aws-sdk-s3"
+
+client = Aws::S3::Client.new(
+  region: "fr-par",
+  endpoint: "https://s3.fr-par.scw.cloud",
+  access_key_id: Rails.application.credentials.dig(:scaleway, :access_key_id),
+  secret_access_key: Rails.application.credentials.dig(:scaleway, :secret_key)
+)
+
+# Create bucket
+client.create_bucket(bucket: "tenant-#{tenant_slug}-#{Rails.env}")
+
+# Set CORS
+client.put_bucket_cors(
+  bucket: bucket_name,
+  cors_configuration: {
+    cors_rules: [{
+      allowed_origins: ["https://notiplus.com", "https://*.notiplus.com"],
+      allowed_methods: ["GET", "PUT"],
+      allowed_headers: ["*"],
+      max_age_seconds: 3000
+    }]
+  }
+)
+```
+
+## Tasks
+
+- [ ] Create `Scaleway::BucketService` to handle create/configure
+- [ ] Add rake task for provisioning new environment buckets
+- [ ] Hook into tenant creation flow (if multi-tenant)
+- [ ] Add lifecycle rules for old/temp files cleanup

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    nvoi (0.1.7)
+    nvoi (0.1.8)
       aws-sdk-ec2 (~> 1.400)
       faraday (~> 2.7)
       net-scp (~> 4.0)

data/lib/nvoi/cli/deploy/command.rb

@@ -123,24 +123,40 @@ module Nvoi
             require_relative "steps/cleanup_images"
 
             ssh = External::Ssh.new(server_ip, @config.ssh_key_path)
+            registry_port = Utils::Constants::REGISTRY_PORT
 
-            # Acquire deployment lock
-            acquire_lock(ssh)
+            # Start SSH tunnel to registry
+            registry_tunnel = External::SshTunnel.new(
+              ip: server_ip,
+              user: "deploy",
+              key_path: @config.ssh_key_path,
+              local_port: registry_port,
+              remote_port: registry_port
+            )
+
+            registry_tunnel.start
 
             begin
-              # Build and push image
-              timestamp = Time.now.strftime("%Y%m%d%H%M%S")
-              image_tag = @config.namer.image_tag(timestamp)
+              # Acquire deployment lock
+              acquire_lock(ssh)
+
+              begin
+                # Build and push image via tunnel
+                timestamp = Time.now.strftime("%Y%m%d%H%M%S")
+                image_tag = @config.namer.image_tag(timestamp)
 
-              Steps::BuildImage.new(@config, ssh, @log).run(working_dir, image_tag)
+                registry_tag = Steps::BuildImage.new(@config, @log).run(working_dir, image_tag)
 
-              # Deploy all services
-              Steps::DeployService.new(@config, ssh, tunnels, @log).run(image_tag, timestamp)
+                # Deploy all services (image already in registry)
+                Steps::DeployService.new(@config, ssh, tunnels, @log).run(registry_tag, timestamp)
 
-              # Cleanup old images
-              Steps::CleanupImages.new(@config, ssh, @log).run(timestamp)
+                # Cleanup old images
+                Steps::CleanupImages.new(@config, ssh, @log).run(timestamp)
+              ensure
+                release_lock(ssh)
+              end
             ensure
-              release_lock(ssh)
+              registry_tunnel.stop
             end
           end
 

data/lib/nvoi/cli/deploy/steps/build_image.rb

@@ -4,22 +4,64 @@ module Nvoi
   class Cli
     module Deploy
       module Steps
-        # BuildImage handles Docker image building and pushing to cluster
+        # BuildImage handles Docker image building and pushing to registry
         class BuildImage
-          def initialize(config, ssh, log)
+          def initialize(config, log)
             @config = config
-            @ssh = ssh
             @log = log
           end
 
+          # Build locally and push to registry via SSH tunnel
+          # Returns the registry tag for use in k8s deployments
           def run(working_dir, image_tag)
             @log.info "Building Docker image: %s", image_tag
 
-            containerd = External::Containerd.new(@ssh)
-            containerd.build_and_deploy_image(working_dir, image_tag, cache_from: @config.namer.latest_image_tag)
+            build_image(working_dir, image_tag)
+            registry_tag = push_to_registry(image_tag)
 
-            @log.success "Image built: %s", image_tag
+            @log.success "Image built and pushed: %s", registry_tag
+            registry_tag
           end
+
+          private
+
+            def build_image(working_dir, tag)
+              cache_from = @config.namer.latest_image_tag
+              cache_args = "--cache-from #{cache_from}"
+
+              build_cmd = [
+                "cd #{working_dir} &&",
+                "DOCKER_BUILDKIT=1 docker build",
+                "--platform linux/amd64",
+                cache_args,
+                "--build-arg BUILDKIT_INLINE_CACHE=1",
+                "-t #{tag} ."
+              ].join(" ")
+
+              unless system("bash", "-c", build_cmd)
+                raise Errors::SshError, "docker build failed"
+              end
+
+              # Tag as :latest for next build's cache
+              system("docker", "tag", tag, cache_from)
+            end
+
+            def push_to_registry(tag)
+              registry_port = Utils::Constants::REGISTRY_PORT
+              registry_tag = "localhost:#{registry_port}/#{@config.container_prefix}:#{tag.split(':').last}"
+
+              @log.info "Tagging for registry: %s", registry_tag
+              unless system("docker", "tag", tag, registry_tag)
+                raise Errors::SshError, "docker tag failed"
+              end
+
+              @log.info "Pushing to registry via SSH tunnel..."
+              unless system("docker", "push", registry_tag)
+                raise Errors::SshError, "docker push failed - is the SSH tunnel active?"
+              end
+
+              registry_tag
+            end
         end
       end
     end

data/lib/nvoi/cli/deploy/steps/deploy_service.rb

@@ -22,10 +22,9 @@ module Nvoi
             @kubectl = External::Kubectl.new(ssh)
           end
 
-          def run(image_tag, timestamp)
-            # Push to in-cluster registry
-            registry_tag = "localhost:#{Utils::Constants::REGISTRY_PORT}/#{@config.container_prefix}:#{timestamp}"
-            push_to_registry(image_tag, registry_tag)
+          def run(registry_tag, timestamp)
+            # Image is already in registry (pushed via SSH tunnel in BuildImage step)
+            @log.info "Using image from registry: %s", registry_tag
 
             # Gather env vars
             first_service = @config.deploy.application.app.keys.first
@@ -65,15 +64,6 @@ module Nvoi
 
           private
 
-            def push_to_registry(local_tag, registry_tag)
-              @log.info "Pushing to in-cluster registry: %s", registry_tag
-
-              @ssh.execute("sudo ctr -n k8s.io images tag #{local_tag} #{registry_tag}")
-              @ssh.execute("sudo ctr -n k8s.io images push --plain-http #{registry_tag}")
-
-              @log.success "Image pushed to registry"
-            end
-
             def deploy_app_secret(env_vars)
               secret_name = @namer.app_secret_name
 

data/lib/nvoi/external/containerd.rb

@@ -3,6 +3,7 @@
 module Nvoi
   module External
     # Containerd manages container operations on remote servers via containerd/ctr
+    # Used for image listing and cleanup on the remote server
     class Containerd
       attr_reader :ssh
 
@@ -10,54 +11,6 @@ module Nvoi
         @ssh = ssh
       end
 
-      # Build image locally, save to tar, rsync to remote, load with containerd
-      def build_and_deploy_image(path, tag, cache_from: nil)
-        cache_args = cache_from ? "--cache-from #{cache_from}" : ""
-        local_build_cmd = "cd #{path} && DOCKER_BUILDKIT=1 docker build --platform linux/amd64 #{cache_args} --build-arg BUILDKIT_INLINE_CACHE=1 -t #{tag} ."
-
-        unless system("bash", "-c", local_build_cmd)
-          raise Errors::SshError, "local build failed"
-        end
-
-        # Tag as :latest for next build's cache
-        system("docker", "tag", tag, cache_from) if cache_from
-
-        tar_file = "/tmp/#{tag.tr(':', '_')}.tar"
-        unless system("docker", "save", tag, "-o", tar_file)
-          raise Errors::SshError, "docker save failed"
-        end
-
-        begin
-          remote_tar_path = "/tmp/#{tag.tr(':', '_')}.tar"
-          rsync_cmd = [
-            "rsync", "-avz",
-            "-e", "ssh -i #{@ssh.ssh_key} -o StrictHostKeyChecking=no",
-            tar_file,
-            "#{@ssh.user}@#{@ssh.ip}:#{remote_tar_path}"
-          ]
-
-          unless system(*rsync_cmd)
-            raise Errors::SshError, "rsync failed"
-          end
-
-          Nvoi.logger.info "Importing image into containerd..."
-          @ssh.execute("sudo ctr -n k8s.io images import #{remote_tar_path}")
-
-          full_image_ref = "docker.io/library/#{tag}"
-
-          begin
-            @ssh.execute("sudo ctr -n k8s.io images tag #{full_image_ref} #{tag}")
-          rescue Errors::SshCommandError => e
-            list_output = @ssh.execute("sudo ctr -n k8s.io images ls") rescue ""
-            raise Errors::SshError, "failed to tag imported image: #{e.message}\nAvailable images:\n#{list_output}"
-          end
-
-          @ssh.execute_ignore_errors("rm #{remote_tar_path}")
-        ensure
-          File.delete(tar_file) if File.exist?(tar_file)
-        end
-      end
-
       def list_images(filter)
         output = @ssh.execute("sudo ctr -n k8s.io images ls -q | grep '#{filter}' | sort -r")
         return [] if output.empty?

data/lib/nvoi/external/ssh.rb

@@ -62,18 +62,6 @@ module Nvoi
         raise Errors::SshCommandError, "SCP download failed: #{output}" unless status.success?
       end
 
-      def rsync(local_path, remote_path)
-        rsync_args = [
-          "-avz",
-          "-e", "ssh #{build_ssh_args.join(' ')}",
-          local_path,
-          "#{@user}@#{@ip}:#{remote_path}"
-        ]
-
-        output, status = Open3.capture2e("rsync", *rsync_args)
-        raise Errors::SshCommandError, "rsync failed: #{output}" unless status.success?
-      end
-
       private
 
         def build_ssh_args

data/lib/nvoi/external/ssh_tunnel.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require "net/ssh"
+
+module Nvoi
+  module External
+    # SshTunnel manages SSH port forwarding using net-ssh
+    class SshTunnel
+      attr_reader :local_port, :remote_port
+
+      def initialize(ip:, user:, key_path:, local_port:, remote_port:)
+        @ip = ip
+        @user = user
+        @key_path = key_path
+        @local_port = local_port
+        @remote_port = remote_port
+        @session = nil
+        @thread = nil
+        @running = false
+      end
+
+      def start
+        Nvoi.logger.info "Starting SSH tunnel: localhost:%d -> %s:%d", @local_port, @ip, @remote_port
+
+        @session = Net::SSH.start(
+          @ip,
+          @user,
+          keys: [@key_path],
+          non_interactive: true,
+          verify_host_key: :never
+        )
+
+        @session.forward.local(@local_port, "localhost", @remote_port)
+        @running = true
+
+        @thread = Thread.new do
+          Thread.current.report_on_exception = false
+          @session.loop { @running }
+        rescue IOError, Net::SSH::Disconnect, Errno::EBADF
+          # Session closed during shutdown, exit gracefully
+        end
+
+        # Wait for tunnel to establish
+        sleep 0.3
+        verify_tunnel!
+
+        Nvoi.logger.success "SSH tunnel established"
+      end
+
+      def stop
+        return unless @running
+
+        Nvoi.logger.info "Stopping SSH tunnel"
+        @running = false
+
+        # Give the event loop a moment to see @running = false
+        sleep 0.1
+
+        begin
+          @session&.forward&.cancel_local(@local_port)
+        rescue StandardError
+          # Ignore errors during cleanup
+        end
+
+        begin
+          @session&.close
+        rescue StandardError
+          # Ignore errors during cleanup
+        end
+
+        # Wait for thread to exit gracefully
+        @thread&.join(1)
+
+        @session = nil
+        @thread = nil
+
+        Nvoi.logger.success "SSH tunnel closed"
+      end
+
+      def alive?
+        @running && @thread&.alive? && @session && !@session.closed?
+      end
+
+      private
+
+        def verify_tunnel!
+          unless alive?
+            raise Errors::SshError, "SSH tunnel failed to start"
+          end
+
+          # Verify the port is actually listening
+          require "socket"
+          socket = TCPSocket.new("localhost", @local_port)
+          socket.close
+        rescue Errno::ECONNREFUSED
+          raise Errors::SshError, "SSH tunnel started but port #{@local_port} not accessible"
+        end
+    end
+  end
+end

data/lib/nvoi/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Nvoi
-  VERSION = "0.1.7"
+  VERSION = "0.1.8"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nvoi
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.1.8
 platform: ruby
 authors:
 - NVOI
@@ -204,6 +204,7 @@ files:
 - ".claude/todo/scaleway.impl.md"
 - ".claude/todo/scaleway.reference.md"
 - ".claude/todos.md"
+- ".claude/todos/buckets.md"
 - ".rubocop.yml"
 - Gemfile
 - Gemfile.lock
@@ -384,6 +385,7 @@ files:
 - lib/nvoi/external/dns/cloudflare.rb
 - lib/nvoi/external/kubectl.rb
 - lib/nvoi/external/ssh.rb
+- lib/nvoi/external/ssh_tunnel.rb
 - lib/nvoi/objects/config_override.rb
 - lib/nvoi/objects/configuration.rb
 - lib/nvoi/objects/database.rb