sneak/upaas
1
0
Fork 0
Code Issues 6 Pull Requests 6 Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: sneak:feature/backup-restore-config
Branches Tags
sneak:main sneak:feature/observability-improvements sneak:feature/private-registry-auth sneak:feature/github-gitlab-webhook-support sneak:feature/backup-restore-config sneak:feature/custom-healthcheck-command sneak:feature/cpu-memory-resource-limits sneak:fix/js-formatting sneak:fix/module-path sneak:fix/1.0-audit-bugs sneak:fix/disable-api-write-methods sneak:chore/code-cleanup sneak:ci/check-workflow-only sneak:fix/repo-url-validation sneak:fix/main-lint-issues sneak:feature/api-token-auth sneak:revert/pr-98 sneak:feat/ci-make-check sneak:ci/add-check-action sneak:fix/deploy-cancel-cleanup sneak:schema-consolidation sneak:feature/json-api sneak:chore/update-todo sneak:feature/edit-config-entities sneak:feature/deployment-rollback-tests sneak:update-todo-md sneak:feature/edit-entities sneak:feature/deployment-rollback sneak:feature/deploy-cancel
sneak:1.0.0
..
compare: sneak:feature/private-registry-auth
Branches Tags
sneak:feature/observability-improvements sneak:feature/private-registry-auth sneak:feature/github-gitlab-webhook-support sneak:feature/backup-restore-config sneak:feature/custom-healthcheck-command sneak:feature/cpu-memory-resource-limits sneak:main sneak:fix/js-formatting sneak:fix/module-path sneak:fix/1.0-audit-bugs sneak:fix/disable-api-write-methods sneak:chore/code-cleanup sneak:ci/check-workflow-only sneak:fix/repo-url-validation sneak:fix/main-lint-issues sneak:feature/api-token-auth sneak:revert/pr-98 sneak:feat/ci-make-check sneak:ci/add-check-action sneak:fix/deploy-cancel-cleanup sneak:schema-consolidation sneak:feature/json-api sneak:chore/update-todo sneak:feature/edit-config-entities sneak:feature/deployment-rollback-tests sneak:update-todo-md sneak:feature/edit-entities sneak:feature/deployment-rollback sneak:feature/deploy-cancel
sneak:1.0.0

2 Commits
feature/ba ... feature/pr

Author SHA1 Message Date
clawbot
9627942573 fix: move writeLogsToFile doc comment to correct position
All checks were successful
Check / check (pull_request) Successful in 3m16s
Details 
The buildRegistryAuths function was inserted between the writeLogsToFile
doc comment and the writeLogsToFile function body, causing Go to treat
the writeLogsToFile comment as part of buildRegistryAuths godoc.

Move the writeLogsToFile comment to sit directly above its function,
and keep only the buildRegistryAuths comment above buildRegistryAuths.
 2026-03-17 02:39:38 -07:00
user
0f4acb554e feat: add private Docker registry authentication for base images
All checks were successful
Check / check (pull_request) Successful in 3m34s
Details 
Add per-app registry credentials that are passed to Docker during image
builds, allowing apps to use base images from private registries.

- New registry_credentials table (migration 007)
- RegistryCredential model with full CRUD operations
- Docker client passes AuthConfigs to ImageBuild when credentials exist
- Deploy service fetches app registry credentials before builds
- Web UI section for managing registry credentials (add/edit/delete)
- Comprehensive unit tests for model and auth config builder
- README updated to list the feature
 2026-03-17 02:14:39 -07:00
19 changed files with 654 additions and 1752 deletions
Expand all files Collapse all files

2
README.md
View File

@@ -9,9 +9,9 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
- Per-app UUID-based webhook URLs for Gitea integration
- Branch filtering - only deploy on configured branch changes
- Environment variables, labels, and volume mounts per app
- Private Docker registry authentication for base images
- Docker builds via socket access
- Notifications via ntfy and Slack-compatible webhooks
- Backup/restore of app configurations (JSON export/import via UI and API)
- Simple server-rendered UI with Tailwind CSS
## Non-Goals

11
internal/database/migrations/007_add_registry_credentials.sql Normal file
View File

@@ -0,0 +1,11 @@
-- Add registry credentials for private Docker registry authentication during builds
CREATE TABLE registry_credentials (
id INTEGER PRIMARY KEY,
app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
registry TEXT NOT NULL,
username TEXT NOT NULL,
password TEXT NOT NULL,
UNIQUE(app_id, registry)
);
CREATE INDEX idx_registry_credentials_app_id ON registry_credentials(app_id);

96
internal/docker/auth_test.go Normal file
View File

@@ -0,0 +1,96 @@
package docker //nolint:testpackage // tests unexported buildAuthConfigs
import (
"testing"
)
func TestBuildAuthConfigsEmpty(t *testing.T) {
t.Parallel()
result := buildAuthConfigs(nil)
if len(result) != 0 {
t.Errorf("expected empty map, got %d entries", len(result))
}
}
func TestBuildAuthConfigsSingle(t *testing.T) {
t.Parallel()
auths := []RegistryAuth{
{
Registry: "registry.example.com",
Username: "user",
Password: "pass",
},
}
result := buildAuthConfigs(auths)
if len(result) != 1 {
t.Fatalf("expected 1 entry, got %d", len(result))
}
cfg, ok := result["registry.example.com"]
if !ok {
t.Fatal("expected registry.example.com key")
}
if cfg.Username != "user" {
t.Errorf("expected username 'user', got %q", cfg.Username)
}
if cfg.Password != "pass" {
t.Errorf("expected password 'pass', got %q", cfg.Password)
}
if cfg.ServerAddress != "registry.example.com" {
t.Errorf("expected server address 'registry.example.com', got %q", cfg.ServerAddress)
}
}
func TestBuildAuthConfigsMultiple(t *testing.T) {
t.Parallel()
auths := []RegistryAuth{
{Registry: "ghcr.io", Username: "ghuser", Password: "ghtoken"},
{Registry: "docker.io", Username: "dkuser", Password: "dktoken"},
}
result := buildAuthConfigs(auths)
if len(result) != 2 {
t.Fatalf("expected 2 entries, got %d", len(result))
}
ghcr := result["ghcr.io"]
if ghcr.Username != "ghuser" || ghcr.Password != "ghtoken" {
t.Errorf("unexpected ghcr.io config: %+v", ghcr)
}
dkr := result["docker.io"]
if dkr.Username != "dkuser" || dkr.Password != "dktoken" {
t.Errorf("unexpected docker.io config: %+v", dkr)
}
}
func TestRegistryAuthStruct(t *testing.T) {
t.Parallel()
auth := RegistryAuth{
Registry: "registry.example.com",
Username: "testuser",
Password: "testpass",
}
if auth.Registry != "registry.example.com" {
t.Errorf("expected registry 'registry.example.com', got %q", auth.Registry)
}
if auth.Username != "testuser" {
t.Errorf("expected username 'testuser', got %q", auth.Username)
}
if auth.Password != "testpass" {
t.Errorf("expected password 'testpass', got %q", auth.Password)
}
}

36
internal/docker/client.go
View File

@@ -20,6 +20,7 @@ import (
"github.com/docker/docker/api/types/image"
"github.com/docker/docker/api/types/mount"
"github.com/docker/docker/api/types/network"
"github.com/docker/docker/api/types/registry"
"github.com/docker/docker/client"
"github.com/docker/docker/pkg/archive"
"github.com/docker/go-connections/nat"
@@ -105,12 +106,20 @@ func (c *Client) IsConnected() bool {
return c.docker != nil
}
// RegistryAuth contains authentication credentials for a Docker registry.
type RegistryAuth struct {
Registry string
Username string
Password string //nolint:gosec // credential field required for registry auth
}
// BuildImageOptions contains options for building an image.
type BuildImageOptions struct {
ContextDir string
DockerfilePath string
Tags []string
LogWriter io.Writer // Optional writer for build output
LogWriter io.Writer // Optional writer for build output
RegistryAuths []RegistryAuth // Optional registry credentials for pulling private base images
}
// BuildImage builds a Docker image from a context directory.
@@ -161,6 +170,21 @@ type PortMapping struct {
Protocol string // "tcp" or "udp"
}
// buildAuthConfigs converts RegistryAuth slices into Docker's AuthConfigs map.
func buildAuthConfigs(auths []RegistryAuth) map[string]registry.AuthConfig {
configs := make(map[string]registry.AuthConfig, len(auths))
for _, auth := range auths {
configs[auth.Registry] = registry.AuthConfig{
Username: auth.Username,
Password: auth.Password,
ServerAddress: auth.Registry,
}
}
return configs
}
// buildPortConfig converts port mappings to Docker port configuration.
func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
exposedPorts := make(nat.PortSet)
@@ -513,12 +537,18 @@ func (c *Client) performBuild(
}()
// Build image
resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
buildOpts := dockertypes.ImageBuildOptions{
Dockerfile: opts.DockerfilePath,
Tags: opts.Tags,
Remove: true,
NoCache: false,
})
}
if len(opts.RegistryAuths) > 0 {
buildOpts.AuthConfigs = buildAuthConfigs(opts.RegistryAuths)
}
resp, err := c.docker.ImageBuild(ctx, tarArchive, buildOpts)
if err != nil {
return "", fmt.Errorf("failed to build image: %w", err)
}

5
internal/handlers/api_test.go
View File

@@ -27,11 +27,6 @@ func apiRouter(tc *testContext) http.Handler {
apiR.Get("/apps", tc.handlers.HandleAPIListApps())
apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
// Backup/Restore API
apiR.Get("/apps/{id}/export", tc.handlers.HandleAPIExportApp())
apiR.Get("/backup/export", tc.handlers.HandleAPIExportAllApps())
apiR.Post("/backup/import", tc.handlers.HandleAPIImportApps())
})
})

145
internal/handlers/app.go
View File

@@ -148,6 +148,7 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
labels, _ := application.GetLabels(request.Context())
volumes, _ := application.GetVolumes(request.Context())
ports, _ := application.GetPorts(request.Context())
registryCreds, _ := application.GetRegistryCredentials(request.Context())
deployments, _ := application.GetDeployments(
request.Context(),
recentDeploymentsLimit,
@@ -163,16 +164,17 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
deployKey := formatDeployKey(application.SSHPublicKey, application.CreatedAt, application.Name)
data := h.addGlobals(map[string]any{
"App": application,
"EnvVars": envVars,
"Labels": labels,
"Volumes": volumes,
"Ports": ports,
"Deployments": deployments,
"LatestDeployment": latestDeployment,
"WebhookURL": webhookURL,
"DeployKey": deployKey,
"Success": request.URL.Query().Get("success"),
"App": application,
"EnvVars": envVars,
"Labels": labels,
"Volumes": volumes,
"Ports": ports,
"RegistryCredentials": registryCreds,
"Deployments": deployments,
"LatestDeployment": latestDeployment,
"WebhookURL": webhookURL,
"DeployKey": deployKey,
"Success": request.URL.Query().Get("success"),
}, request)
h.renderTemplate(writer, tmpl, "app_detail.html", data)
@@ -1382,3 +1384,126 @@ func formatDeployKey(pubKey string, createdAt time.Time, appName string) string
return parts[0] + " " + parts[1] + " " + comment
}
// HandleRegistryCredentialAdd handles adding a registry credential.
func (h *Handlers) HandleRegistryCredentialAdd() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
application, findErr := models.FindApp(request.Context(), h.db, appID)
if findErr != nil || application == nil {
http.NotFound(writer, request)
return
}
parseErr := request.ParseForm()
if parseErr != nil {
http.Error(writer, "Bad Request", http.StatusBadRequest)
return
}
registryURL := strings.TrimSpace(request.FormValue("registry"))
username := strings.TrimSpace(request.FormValue("username"))
password := request.FormValue("password")
if registryURL == "" || username == "" || password == "" {
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
return
}
cred := models.NewRegistryCredential(h.db)
cred.AppID = appID
cred.Registry = registryURL
cred.Username = username
cred.Password = password
saveErr := cred.Save(request.Context())
if saveErr != nil {
h.log.Error("failed to save registry credential", "error", saveErr)
}
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
}
}
// HandleRegistryCredentialEdit handles editing an existing registry credential.
func (h *Handlers) HandleRegistryCredentialEdit() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
credIDStr := chi.URLParam(request, "credID")
credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
if parseErr != nil {
http.NotFound(writer, request)
return
}
cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
if findErr != nil || cred == nil || cred.AppID != appID {
http.NotFound(writer, request)
return
}
formErr := request.ParseForm()
if formErr != nil {
http.Error(writer, "Bad Request", http.StatusBadRequest)
return
}
registryURL := strings.TrimSpace(request.FormValue("registry"))
username := strings.TrimSpace(request.FormValue("username"))
password := request.FormValue("password")
if registryURL == "" || username == "" || password == "" {
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
return
}
cred.Registry = registryURL
cred.Username = username
cred.Password = password
saveErr := cred.Save(request.Context())
if saveErr != nil {
h.log.Error("failed to update registry credential", "error", saveErr)
}
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
}
}
// HandleRegistryCredentialDelete handles deleting a registry credential.
func (h *Handlers) HandleRegistryCredentialDelete() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
credIDStr := chi.URLParam(request, "credID")
credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
if parseErr != nil {
http.NotFound(writer, request)
return
}
cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
if findErr != nil || cred == nil || cred.AppID != appID {
http.NotFound(writer, request)
return
}
deleteErr := cred.Delete(request.Context())
if deleteErr != nil {
h.log.Error("failed to delete registry credential", "error", deleteErr)
}
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
}
}

282
internal/handlers/backup.go
View File

@@ -1,282 +0,0 @@
package handlers
import (
"encoding/json"
"fmt"
"net/http"
"time"
"github.com/go-chi/chi/v5"
"sneak.berlin/go/upaas/internal/models"
"sneak.berlin/go/upaas/internal/service/app"
"sneak.berlin/go/upaas/templates"
)
// importMaxBodyBytes is the maximum allowed request body size for backup import (10 MB).
const importMaxBodyBytes = 10 << 20
// HandleExportApp exports a single app's configuration as a JSON download.
func (h *Handlers) HandleExportApp() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
application, findErr := models.FindApp(request.Context(), h.db, appID)
if findErr != nil || application == nil {
http.NotFound(writer, request)
return
}
bundle, exportErr := h.appService.ExportApp(request.Context(), application)
if exportErr != nil {
h.log.Error("failed to export app", "error", exportErr, "app", application.Name)
http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
return
}
filename := fmt.Sprintf("upaas-backup-%s-%s.json",
application.Name,
time.Now().UTC().Format("20060102-150405"),
)
writer.Header().Set("Content-Type", "application/json")
writer.Header().Set("Content-Disposition",
`attachment; filename="`+filename+`"`)
encoder := json.NewEncoder(writer)
encoder.SetIndent("", " ")
err := encoder.Encode(bundle)
if err != nil {
h.log.Error("failed to encode backup", "error", err)
}
}
}
// HandleExportAllApps exports all app configurations as a JSON download.
func (h *Handlers) HandleExportAllApps() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
bundle, exportErr := h.appService.ExportAllApps(request.Context())
if exportErr != nil {
h.log.Error("failed to export all apps", "error", exportErr)
http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
return
}
filename := fmt.Sprintf("upaas-backup-all-%s.json",
time.Now().UTC().Format("20060102-150405"),
)
writer.Header().Set("Content-Type", "application/json")
writer.Header().Set("Content-Disposition",
`attachment; filename="`+filename+`"`)
encoder := json.NewEncoder(writer)
encoder.SetIndent("", " ")
err := encoder.Encode(bundle)
if err != nil {
h.log.Error("failed to encode backup", "error", err)
}
}
}
// HandleImportPage renders the import/restore page.
func (h *Handlers) HandleImportPage() http.HandlerFunc {
tmpl := templates.GetParsed()
return func(writer http.ResponseWriter, request *http.Request) {
data := h.addGlobals(map[string]any{
"Success": request.URL.Query().Get("success"),
}, request)
h.renderTemplate(writer, tmpl, "backup_import.html", data)
}
}
// HandleImportApps processes an uploaded backup JSON file and imports apps.
func (h *Handlers) HandleImportApps() http.HandlerFunc {
tmpl := templates.GetParsed()
return func(writer http.ResponseWriter, request *http.Request) {
bundle, parseErr := h.parseBackupUpload(request)
if parseErr != "" {
data := h.addGlobals(map[string]any{"Error": parseErr}, request)
h.renderTemplate(writer, tmpl, "backup_import.html", data)
return
}
imported, skipped, importErr := h.appService.ImportApps(
request.Context(), bundle,
)
if importErr != nil {
h.log.Error("failed to import apps", "error", importErr)
data := h.addGlobals(map[string]any{
"Error": "Import failed: " + importErr.Error(),
}, request)
h.renderTemplate(writer, tmpl, "backup_import.html", data)
return
}
successMsg := fmt.Sprintf("Imported %d app(s)", len(imported))
if len(skipped) > 0 {
successMsg += fmt.Sprintf(", skipped %d (name conflict)", len(skipped))
}
http.Redirect(writer, request,
"/backup/import?success="+successMsg,
http.StatusSeeOther,
)
}
}
// parseBackupUpload extracts and validates a BackupBundle from a multipart upload.
// Returns the bundle and an empty string on success, or nil and an error message.
func (h *Handlers) parseBackupUpload(
request *http.Request,
) (*app.BackupBundle, string) {
request.Body = http.MaxBytesReader(nil, request.Body, importMaxBodyBytes)
parseErr := request.ParseMultipartForm(importMaxBodyBytes)
if parseErr != nil {
return nil, "Failed to parse upload: " + parseErr.Error()
}
file, _, openErr := request.FormFile("backup_file")
if openErr != nil {
return nil, "Please select a backup file to import"
}
defer func() { _ = file.Close() }()
var bundle app.BackupBundle
decodeErr := json.NewDecoder(file).Decode(&bundle)
if decodeErr != nil {
return nil, "Invalid backup file: " + decodeErr.Error()
}
if bundle.Version != 1 {
return nil, fmt.Sprintf(
"Unsupported backup version: %d (expected 1)", bundle.Version,
)
}
if len(bundle.Apps) == 0 {
return nil, "Backup file contains no apps"
}
return &bundle, ""
}
// HandleAPIExportApp exports a single app's configuration as JSON via API.
func (h *Handlers) HandleAPIExportApp() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
application, err := h.appService.GetApp(request.Context(), appID)
if err != nil {
h.respondJSON(writer, request,
map[string]string{"error": "internal server error"},
http.StatusInternalServerError)
return
}
if application == nil {
h.respondJSON(writer, request,
map[string]string{"error": "app not found"},
http.StatusNotFound)
return
}
bundle, exportErr := h.appService.ExportApp(request.Context(), application)
if exportErr != nil {
h.log.Error("failed to export app", "error", exportErr)
h.respondJSON(writer, request,
map[string]string{"error": "failed to export app"},
http.StatusInternalServerError)
return
}
h.respondJSON(writer, request, bundle, http.StatusOK)
}
}
// HandleAPIExportAllApps exports all app configurations as JSON via API.
func (h *Handlers) HandleAPIExportAllApps() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
bundle, exportErr := h.appService.ExportAllApps(request.Context())
if exportErr != nil {
h.log.Error("failed to export all apps", "error", exportErr)
h.respondJSON(writer, request,
map[string]string{"error": "failed to export apps"},
http.StatusInternalServerError)
return
}
h.respondJSON(writer, request, bundle, http.StatusOK)
}
}
// HandleAPIImportApps imports app configurations from a JSON request body via API.
func (h *Handlers) HandleAPIImportApps() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
request.Body = http.MaxBytesReader(writer, request.Body, importMaxBodyBytes)
var bundle app.BackupBundle
decodeErr := json.NewDecoder(request.Body).Decode(&bundle)
if decodeErr != nil {
h.respondJSON(writer, request,
map[string]string{"error": "invalid request body"},
http.StatusBadRequest)
return
}
if bundle.Version != 1 {
h.respondJSON(writer, request,
map[string]string{"error": fmt.Sprintf(
"unsupported backup version: %d", bundle.Version,
)},
http.StatusBadRequest)
return
}
if len(bundle.Apps) == 0 {
h.respondJSON(writer, request,
map[string]string{"error": "backup contains no apps"},
http.StatusBadRequest)
return
}
imported, skipped, importErr := h.appService.ImportApps(
request.Context(), &bundle,
)
if importErr != nil {
h.log.Error("api: failed to import apps", "error", importErr)
h.respondJSON(writer, request,
map[string]string{"error": "import failed: " + importErr.Error()},
http.StatusInternalServerError)
return
}
h.respondJSON(writer, request, map[string]any{
"imported": imported,
"skipped": skipped,
}, http.StatusOK)
}
}

582
internal/handlers/backup_test.go
View File

@@ -1,582 +0,0 @@
package handlers_test
import (
"bytes"
"context"
"encoding/json"
"io"
"mime/multipart"
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"sneak.berlin/go/upaas/internal/models"
"sneak.berlin/go/upaas/internal/service/app"
)
// createTestAppWithConfig creates an app with env vars, labels, volumes, and ports.
func createTestAppWithConfig(
t *testing.T,
tc *testContext,
name string,
) *models.App {
t.Helper()
createdApp := createTestApp(t, tc, name)
// Add env vars
ev := models.NewEnvVar(tc.database)
ev.AppID = createdApp.ID
ev.Key = "DATABASE_URL"
ev.Value = "postgres://localhost/mydb"
require.NoError(t, ev.Save(context.Background()))
// Add label
label := models.NewLabel(tc.database)
label.AppID = createdApp.ID
label.Key = "traefik.enable"
label.Value = "true"
require.NoError(t, label.Save(context.Background()))
// Add volume
volume := models.NewVolume(tc.database)
volume.AppID = createdApp.ID
volume.HostPath = "/data/app"
volume.ContainerPath = "/app/data"
volume.ReadOnly = false
require.NoError(t, volume.Save(context.Background()))
// Add port
port := models.NewPort(tc.database)
port.AppID = createdApp.ID
port.HostPort = 8080
port.ContainerPort = 80
port.Protocol = models.PortProtocolTCP
require.NoError(t, port.Save(context.Background()))
return createdApp
}
// createTestAppWithConfigPort creates an app with a custom host port.
func createTestAppWithConfigPort(
t *testing.T,
tc *testContext,
name string,
hostPort int,
) *models.App {
t.Helper()
createdApp := createTestApp(t, tc, name)
ev := models.NewEnvVar(tc.database)
ev.AppID = createdApp.ID
ev.Key = "DATABASE_URL"
ev.Value = "postgres://localhost/mydb"
require.NoError(t, ev.Save(context.Background()))
port := models.NewPort(tc.database)
port.AppID = createdApp.ID
port.HostPort = hostPort
port.ContainerPort = 80
port.Protocol = models.PortProtocolTCP
require.NoError(t, port.Save(context.Background()))
return createdApp
}
func TestHandleExportApp(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
createdApp := createTestAppWithConfig(t, testCtx, "export-test-app")
request := httptest.NewRequest(http.MethodGet, "/apps/"+createdApp.ID+"/export", nil)
request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleExportApp()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
assert.Contains(t, recorder.Header().Get("Content-Type"), "application/json")
assert.Contains(t, recorder.Header().Get("Content-Disposition"), "attachment")
assert.Contains(t, recorder.Header().Get("Content-Disposition"), "export-test-app")
var bundle app.BackupBundle
require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &bundle))
assert.Equal(t, 1, bundle.Version)
assert.NotEmpty(t, bundle.ExportedAt)
require.Len(t, bundle.Apps, 1)
appBackup := bundle.Apps[0]
assert.Equal(t, "export-test-app", appBackup.Name)
assert.Equal(t, "main", appBackup.Branch)
assert.Len(t, appBackup.EnvVars, 1)
assert.Equal(t, "DATABASE_URL", appBackup.EnvVars[0].Key)
assert.Equal(t, "postgres://localhost/mydb", appBackup.EnvVars[0].Value)
assert.Len(t, appBackup.Labels, 1)
assert.Equal(t, "traefik.enable", appBackup.Labels[0].Key)
assert.Len(t, appBackup.Volumes, 1)
assert.Equal(t, "/data/app", appBackup.Volumes[0].HostPath)
assert.Len(t, appBackup.Ports, 1)
assert.Equal(t, 8080, appBackup.Ports[0].HostPort)
}
func TestHandleExportAppNotFound(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
request := httptest.NewRequest(http.MethodGet, "/apps/nonexistent/export", nil)
request = addChiURLParams(request, map[string]string{"id": "nonexistent"})
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleExportApp()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusNotFound, recorder.Code)
}
func TestHandleExportAllApps(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
createTestAppWithConfig(t, testCtx, "export-all-app1")
createTestAppWithConfigPort(t, testCtx, "export-all-app2", 8081)
request := httptest.NewRequest(http.MethodGet, "/backup/export", nil)
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleExportAllApps()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
assert.Contains(t, recorder.Header().Get("Content-Disposition"), "upaas-backup-all")
var bundle app.BackupBundle
require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &bundle))
assert.Equal(t, 1, bundle.Version)
assert.Len(t, bundle.Apps, 2)
}
func TestHandleExportAllAppsEmpty(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
request := httptest.NewRequest(http.MethodGet, "/backup/export", nil)
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleExportAllApps()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
var bundle app.BackupBundle
require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &bundle))
assert.Empty(t, bundle.Apps)
}
// createMultipartBackupRequest builds a multipart form request with backup JSON as a file upload.
func createMultipartBackupRequest(
t *testing.T,
backupJSON string,
) *http.Request {
t.Helper()
var body bytes.Buffer
writer := multipart.NewWriter(&body)
part, err := writer.CreateFormFile("backup_file", "backup.json")
require.NoError(t, err)
_, err = io.WriteString(part, backupJSON)
require.NoError(t, err)
require.NoError(t, writer.Close())
request := httptest.NewRequest(http.MethodPost, "/backup/import", &body)
request.Header.Set("Content-Type", writer.FormDataContentType())
return request
}
func TestHandleImportApps(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
backupJSON := `{
"version": 1,
"exportedAt": "2025-01-01T00:00:00Z",
"apps": [{
"name": "imported-app",
"repoUrl": "git@example.com:user/repo.git",
"branch": "main",
"dockerfilePath": "Dockerfile",
"envVars": [{"key": "FOO", "value": "bar"}],
"labels": [{"key": "app.name", "value": "test"}],
"volumes": [{"hostPath": "/data", "containerPath": "/app/data", "readOnly": true}],
"ports": [{"hostPort": 3000, "containerPort": 8080, "protocol": "tcp"}]
}]
}`
request := createMultipartBackupRequest(t, backupJSON)
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleImportApps()
handler.ServeHTTP(recorder, request)
// Should redirect on success
assert.Equal(t, http.StatusSeeOther, recorder.Code)
assert.Contains(t, recorder.Header().Get("Location"), "success=")
// Verify the app was created
apps, err := models.AllApps(context.Background(), testCtx.database)
require.NoError(t, err)
require.Len(t, apps, 1)
assert.Equal(t, "imported-app", apps[0].Name)
// Verify env vars
envVars, _ := apps[0].GetEnvVars(context.Background())
require.Len(t, envVars, 1)
assert.Equal(t, "FOO", envVars[0].Key)
assert.Equal(t, "bar", envVars[0].Value)
// Verify labels
labels, _ := apps[0].GetLabels(context.Background())
require.Len(t, labels, 1)
assert.Equal(t, "app.name", labels[0].Key)
// Verify volumes
volumes, _ := apps[0].GetVolumes(context.Background())
require.Len(t, volumes, 1)
assert.Equal(t, "/data", volumes[0].HostPath)
assert.True(t, volumes[0].ReadOnly)
// Verify ports
ports, _ := apps[0].GetPorts(context.Background())
require.Len(t, ports, 1)
assert.Equal(t, 3000, ports[0].HostPort)
assert.Equal(t, 8080, ports[0].ContainerPort)
}
func TestHandleImportAppsSkipsDuplicateNames(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
// Create an existing app with same name
createTestApp(t, testCtx, "existing-app")
backupJSON := `{
"version": 1,
"exportedAt": "2025-01-01T00:00:00Z",
"apps": [
{
"name": "existing-app",
"repoUrl": "git@example.com:user/repo.git",
"branch": "main",
"dockerfilePath": "Dockerfile",
"envVars": [],
"labels": [],
"volumes": [],
"ports": []
},
{
"name": "new-app",
"repoUrl": "git@example.com:user/new.git",
"branch": "main",
"dockerfilePath": "Dockerfile",
"envVars": [],
"labels": [],
"volumes": [],
"ports": []
}
]
}`
request := createMultipartBackupRequest(t, backupJSON)
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleImportApps()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusSeeOther, recorder.Code)
assert.Contains(t, recorder.Header().Get("Location"), "skipped")
// Should have 2 apps total (existing + new)
apps, err := models.AllApps(context.Background(), testCtx.database)
require.NoError(t, err)
assert.Len(t, apps, 2)
}
func TestHandleImportAppsInvalidJSON(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
request := createMultipartBackupRequest(t, "not valid json")
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleImportApps()
handler.ServeHTTP(recorder, request)
// Should render the page with error, not redirect
assert.Equal(t, http.StatusOK, recorder.Code)
assert.Contains(t, recorder.Body.String(), "Invalid backup file")
}
func TestHandleImportAppsUnsupportedVersion(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
backupJSON := `{"version": 99, "exportedAt": "2025-01-01T00:00:00Z", "apps": [{"name": "test"}]}`
request := createMultipartBackupRequest(t, backupJSON)
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleImportApps()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
assert.Contains(t, recorder.Body.String(), "Unsupported backup version")
}
func TestHandleImportAppsEmptyBundle(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
backupJSON := `{"version": 1, "exportedAt": "2025-01-01T00:00:00Z", "apps": []}`
request := createMultipartBackupRequest(t, backupJSON)
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleImportApps()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
assert.Contains(t, recorder.Body.String(), "contains no apps")
}
func TestHandleImportPage(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
request := httptest.NewRequest(http.MethodGet, "/backup/import", nil)
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleImportPage()
handler.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
assert.Contains(t, recorder.Body.String(), "Import Backup")
}
func TestExportImportRoundTrip(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
createTestAppWithConfig(t, testCtx, "roundtrip-app")
// Export
exportReq := httptest.NewRequest(http.MethodGet, "/backup/export", nil)
exportRec := httptest.NewRecorder()
testCtx.handlers.HandleExportAllApps().ServeHTTP(exportRec, exportReq)
require.Equal(t, http.StatusOK, exportRec.Code)
exportedJSON := exportRec.Body.String()
// Delete the original app
apps, _ := models.AllApps(context.Background(), testCtx.database)
for _, a := range apps {
require.NoError(t, a.Delete(context.Background()))
}
// Import
importReq := createMultipartBackupRequest(t, exportedJSON)
importRec := httptest.NewRecorder()
testCtx.handlers.HandleImportApps().ServeHTTP(importRec, importReq)
assert.Equal(t, http.StatusSeeOther, importRec.Code)
// Verify the app was recreated with all config
restoredApps, _ := models.AllApps(context.Background(), testCtx.database)
require.Len(t, restoredApps, 1)
assert.Equal(t, "roundtrip-app", restoredApps[0].Name)
envVars, _ := restoredApps[0].GetEnvVars(context.Background())
assert.Len(t, envVars, 1)
labels, _ := restoredApps[0].GetLabels(context.Background())
assert.Len(t, labels, 1)
volumes, _ := restoredApps[0].GetVolumes(context.Background())
assert.Len(t, volumes, 1)
ports, _ := restoredApps[0].GetPorts(context.Background())
assert.Len(t, ports, 1)
}
// TestAPIExportApp tests the API endpoint for exporting a single app.
func TestAPIExportApp(t *testing.T) {
t.Parallel()
tc, cookies := setupAPITest(t)
createdApp, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
Name: "api-export-app",
RepoURL: "git@example.com:user/repo.git",
})
require.NoError(t, err)
rr := apiGet(t, tc, cookies, "/api/v1/apps/"+createdApp.ID+"/export")
assert.Equal(t, http.StatusOK, rr.Code)
var bundle app.BackupBundle
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &bundle))
assert.Equal(t, 1, bundle.Version)
require.Len(t, bundle.Apps, 1)
assert.Equal(t, "api-export-app", bundle.Apps[0].Name)
}
// TestAPIExportAppNotFound tests the API endpoint for a nonexistent app.
func TestAPIExportAppNotFound(t *testing.T) {
t.Parallel()
tc, cookies := setupAPITest(t)
rr := apiGet(t, tc, cookies, "/api/v1/apps/nonexistent/export")
assert.Equal(t, http.StatusNotFound, rr.Code)
}
// TestAPIExportAllApps tests the API endpoint for exporting all apps.
func TestAPIExportAllApps(t *testing.T) {
t.Parallel()
tc, cookies := setupAPITest(t)
_, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
Name: "api-export-all-1",
RepoURL: "git@example.com:user/repo1.git",
})
require.NoError(t, err)
_, err = tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
Name: "api-export-all-2",
RepoURL: "git@example.com:user/repo2.git",
})
require.NoError(t, err)
rr := apiGet(t, tc, cookies, "/api/v1/backup/export")
assert.Equal(t, http.StatusOK, rr.Code)
var bundle app.BackupBundle
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &bundle))
assert.Len(t, bundle.Apps, 2)
}
// TestAPIImportApps tests the API import endpoint.
func TestAPIImportApps(t *testing.T) {
t.Parallel()
tc, cookies := setupAPITest(t)
backupJSON := `{
"version": 1,
"exportedAt": "2025-01-01T00:00:00Z",
"apps": [{
"name": "api-imported-app",
"repoUrl": "git@example.com:user/repo.git",
"branch": "main",
"dockerfilePath": "Dockerfile",
"envVars": [],
"labels": [],
"volumes": [],
"ports": []
}]
}`
r := apiRouter(tc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/backup/import", strings.NewReader(backupJSON))
req.Header.Set("Content-Type", "application/json")
for _, c := range cookies {
req.AddCookie(c)
}
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
var resp map[string]any
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
imported, ok := resp["imported"].([]any)
require.True(t, ok)
assert.Len(t, imported, 1)
assert.Equal(t, "api-imported-app", imported[0])
}
// TestAPIImportAppsInvalidBody tests that the API rejects bad JSON.
func TestAPIImportAppsInvalidBody(t *testing.T) {
t.Parallel()
tc, cookies := setupAPITest(t)
r := apiRouter(tc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/backup/import", strings.NewReader("not json"))
req.Header.Set("Content-Type", "application/json")
for _, c := range cookies {
req.AddCookie(c)
}
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
}
// TestAPIImportAppsUnsupportedVersion tests that the API rejects bad versions.
func TestAPIImportAppsUnsupportedVersion(t *testing.T) {
t.Parallel()
tc, cookies := setupAPITest(t)
r := apiRouter(tc)
body := `{"version": 42, "apps": [{"name": "x"}]}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/backup/import", strings.NewReader(body))
req.Header.Set("Content-Type", "application/json")
for _, c := range cookies {
req.AddCookie(c)
}
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
}

5
internal/models/app.go
View File

@@ -119,6 +119,11 @@ func (a *App) GetWebhookEvents(
return FindWebhookEventsByAppID(ctx, a.db, a.ID, limit)
}
// GetRegistryCredentials returns all registry credentials for the app.
func (a *App) GetRegistryCredentials(ctx context.Context) ([]*RegistryCredential, error) {
return FindRegistryCredentialsByAppID(ctx, a.db, a.ID)
}
func (a *App) exists(ctx context.Context) bool {
if a.ID == "" {
return false

134
internal/models/models_test.go
View File

@@ -23,6 +23,7 @@ const (
testBranch = "main"
testValue = "value"
testEventType = "push"
testUser = "user"
)
func setupTestDB(t *testing.T) (*database.Database, func()) {
@@ -704,6 +705,127 @@ func TestAppGetWebhookEvents(t *testing.T) {
assert.Len(t, events, 1)
}
// RegistryCredential Tests.
func TestRegistryCredentialCreateAndFind(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "registry.example.com"
cred.Username = "myuser"
cred.Password = "mypassword"
err := cred.Save(context.Background())
require.NoError(t, err)
assert.NotZero(t, cred.ID)
creds, err := models.FindRegistryCredentialsByAppID(
context.Background(), testDB, app.ID,
)
require.NoError(t, err)
require.Len(t, creds, 1)
assert.Equal(t, "registry.example.com", creds[0].Registry)
assert.Equal(t, "myuser", creds[0].Username)
assert.Equal(t, "mypassword", creds[0].Password)
}
func TestRegistryCredentialUpdate(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "old.registry.com"
cred.Username = "olduser"
cred.Password = "oldpass"
err := cred.Save(context.Background())
require.NoError(t, err)
cred.Registry = "new.registry.com"
cred.Username = "newuser"
cred.Password = "newpass"
err = cred.Save(context.Background())
require.NoError(t, err)
found, err := models.FindRegistryCredential(context.Background(), testDB, cred.ID)
require.NoError(t, err)
require.NotNil(t, found)
assert.Equal(t, "new.registry.com", found.Registry)
assert.Equal(t, "newuser", found.Username)
assert.Equal(t, "newpass", found.Password)
}
func TestRegistryCredentialDelete(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "delete.registry.com"
cred.Username = testUser
cred.Password = "pass"
err := cred.Save(context.Background())
require.NoError(t, err)
err = cred.Delete(context.Background())
require.NoError(t, err)
creds, err := models.FindRegistryCredentialsByAppID(
context.Background(), testDB, app.ID,
)
require.NoError(t, err)
assert.Empty(t, creds)
}
func TestRegistryCredentialFindByIDNotFound(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
found, err := models.FindRegistryCredential(context.Background(), testDB, 99999)
require.NoError(t, err)
assert.Nil(t, found)
}
func TestAppGetRegistryCredentials(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "ghcr.io"
cred.Username = testUser
cred.Password = "token"
_ = cred.Save(context.Background())
creds, err := app.GetRegistryCredentials(context.Background())
require.NoError(t, err)
assert.Len(t, creds, 1)
assert.Equal(t, "ghcr.io", creds[0].Registry)
}
// Cascade Delete Tests.
//nolint:funlen // Test function with many assertions - acceptable for integration tests
@@ -749,6 +871,13 @@ func TestCascadeDelete(t *testing.T) {
deploy.Status = models.DeploymentStatusSuccess
_ = deploy.Save(context.Background())
regCred := models.NewRegistryCredential(testDB)
regCred.AppID = app.ID
regCred.Registry = "registry.example.com"
regCred.Username = testUser
regCred.Password = "pass"
_ = regCred.Save(context.Background())
// Delete app.
err := app.Delete(context.Background())
require.NoError(t, err)
@@ -778,6 +907,11 @@ func TestCascadeDelete(t *testing.T) {
context.Background(), testDB, app.ID, 10,
)
assert.Empty(t, deployments)
regCreds, _ := models.FindRegistryCredentialsByAppID(
context.Background(), testDB, app.ID,
)
assert.Empty(t, regCreds)
})
}

130
internal/models/registry_credential.go Normal file
View File

@@ -0,0 +1,130 @@
package models
import (
"context"
"database/sql"
"errors"
"fmt"
"sneak.berlin/go/upaas/internal/database"
)
// RegistryCredential represents authentication credentials for a private Docker registry.
type RegistryCredential struct {
db *database.Database
ID int64
AppID string
Registry string
Username string
Password string //nolint:gosec // credential field required for registry auth
}
// NewRegistryCredential creates a new RegistryCredential with a database reference.
func NewRegistryCredential(db *database.Database) *RegistryCredential {
return &RegistryCredential{db: db}
}
// Save inserts or updates the registry credential in the database.
func (r *RegistryCredential) Save(ctx context.Context) error {
if r.ID == 0 {
return r.insert(ctx)
}
return r.update(ctx)
}
// Delete removes the registry credential from the database.
func (r *RegistryCredential) Delete(ctx context.Context) error {
_, err := r.db.Exec(ctx, "DELETE FROM registry_credentials WHERE id = ?", r.ID)
return err
}
func (r *RegistryCredential) insert(ctx context.Context) error {
query := "INSERT INTO registry_credentials (app_id, registry, username, password) VALUES (?, ?, ?, ?)"
result, err := r.db.Exec(ctx, query, r.AppID, r.Registry, r.Username, r.Password)
if err != nil {
return err
}
id, err := result.LastInsertId()
if err != nil {
return err
}
r.ID = id
return nil
}
func (r *RegistryCredential) update(ctx context.Context) error {
query := "UPDATE registry_credentials SET registry = ?, username = ?, password = ? WHERE id = ?"
_, err := r.db.Exec(ctx, query, r.Registry, r.Username, r.Password, r.ID)
return err
}
// FindRegistryCredential finds a registry credential by ID.
//
//nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
func FindRegistryCredential(
ctx context.Context,
db *database.Database,
id int64,
) (*RegistryCredential, error) {
cred := NewRegistryCredential(db)
row := db.QueryRow(ctx,
"SELECT id, app_id, registry, username, password FROM registry_credentials WHERE id = ?",
id,
)
err := row.Scan(&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
return nil, fmt.Errorf("scanning registry credential: %w", err)
}
return cred, nil
}
// FindRegistryCredentialsByAppID finds all registry credentials for an app.
func FindRegistryCredentialsByAppID(
ctx context.Context,
db *database.Database,
appID string,
) ([]*RegistryCredential, error) {
query := `
SELECT id, app_id, registry, username, password FROM registry_credentials
WHERE app_id = ? ORDER BY registry`
rows, err := db.Query(ctx, query, appID)
if err != nil {
return nil, fmt.Errorf("querying registry credentials by app: %w", err)
}
defer func() { _ = rows.Close() }()
var creds []*RegistryCredential
for rows.Next() {
cred := NewRegistryCredential(db)
scanErr := rows.Scan(
&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password,
)
if scanErr != nil {
return nil, scanErr
}
creds = append(creds, cred)
}
return creds, rows.Err()
}

14
internal/server/routes.go
View File

@@ -99,11 +99,10 @@ func (s *Server) SetupRoutes() {
r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
// Backup/Restore
r.Get("/apps/{id}/export", s.handlers.HandleExportApp())
r.Get("/backup/export", s.handlers.HandleExportAllApps())
r.Get("/backup/import", s.handlers.HandleImportPage())
r.Post("/backup/import", s.handlers.HandleImportApps())
// Registry Credentials
r.Post("/apps/{id}/registry-credentials", s.handlers.HandleRegistryCredentialAdd())
r.Post("/apps/{id}/registry-credentials/{credID}/edit", s.handlers.HandleRegistryCredentialEdit())
r.Post("/apps/{id}/registry-credentials/{credID}/delete", s.handlers.HandleRegistryCredentialDelete())
})
})
@@ -121,11 +120,6 @@ func (s *Server) SetupRoutes() {
r.Get("/apps", s.handlers.HandleAPIListApps())
r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
// Backup/Restore API
r.Get("/apps/{id}/export", s.handlers.HandleAPIExportApp())
r.Get("/backup/export", s.handlers.HandleAPIExportAllApps())
r.Post("/backup/import", s.handlers.HandleAPIImportApps())
})
})

391
internal/service/app/backup.go
View File

@@ -1,391 +0,0 @@
package app
import (
"context"
"fmt"
"time"
"sneak.berlin/go/upaas/internal/models"
)
// BackupEnvVar represents an environment variable in a backup.
type BackupEnvVar struct {
Key string `json:"key"`
Value string `json:"value"`
}
// BackupLabel represents a Docker label in a backup.
type BackupLabel struct {
Key string `json:"key"`
Value string `json:"value"`
}
// BackupVolume represents a volume mount in a backup.
type BackupVolume struct {
HostPath string `json:"hostPath"`
ContainerPath string `json:"containerPath"`
ReadOnly bool `json:"readOnly"`
}
// BackupPort represents a port mapping in a backup.
type BackupPort struct {
HostPort int `json:"hostPort"`
ContainerPort int `json:"containerPort"`
Protocol string `json:"protocol"`
}
// Backup represents the exported configuration of a single app.
type Backup struct {
Name string `json:"name"`
RepoURL string `json:"repoUrl"`
Branch string `json:"branch"`
DockerfilePath string `json:"dockerfilePath"`
DockerNetwork string `json:"dockerNetwork,omitempty"`
NtfyTopic string `json:"ntfyTopic,omitempty"`
SlackWebhook string `json:"slackWebhook,omitempty"`
EnvVars []BackupEnvVar `json:"envVars"`
Labels []BackupLabel `json:"labels"`
Volumes []BackupVolume `json:"volumes"`
Ports []BackupPort `json:"ports"`
}
// BackupBundle represents a complete backup of one or more apps.
type BackupBundle struct {
Version int `json:"version"`
ExportedAt string `json:"exportedAt"`
Apps []Backup `json:"apps"`
}
// backupVersion is the current backup format version.
const backupVersion = 1
// ExportApp exports a single app's configuration as a BackupBundle.
func (svc *Service) ExportApp(
ctx context.Context,
application *models.App,
) (*BackupBundle, error) {
appBackup, err := svc.buildAppBackup(ctx, application)
if err != nil {
return nil, err
}
return &BackupBundle{
Version: backupVersion,
ExportedAt: time.Now().UTC().Format(time.RFC3339),
Apps: []Backup{appBackup},
}, nil
}
// ExportAllApps exports all app configurations as a BackupBundle.
func (svc *Service) ExportAllApps(ctx context.Context) (*BackupBundle, error) {
apps, err := models.AllApps(ctx, svc.db)
if err != nil {
return nil, fmt.Errorf("listing apps for export: %w", err)
}
backups := make([]Backup, 0, len(apps))
for _, application := range apps {
appBackup, buildErr := svc.buildAppBackup(ctx, application)
if buildErr != nil {
return nil, buildErr
}
backups = append(backups, appBackup)
}
return &BackupBundle{
Version: backupVersion,
ExportedAt: time.Now().UTC().Format(time.RFC3339),
Apps: backups,
}, nil
}
// ImportApps imports app configurations from a BackupBundle.
// It creates new apps (with fresh IDs, SSH keys, and webhook secrets)
// and populates their env vars, labels, volumes, and ports.
// Apps whose names conflict with existing apps are skipped and reported.
func (svc *Service) ImportApps(
ctx context.Context,
bundle *BackupBundle,
) ([]string, []string, error) {
// Build a set of existing app names for conflict detection
existingApps, listErr := models.AllApps(ctx, svc.db)
if listErr != nil {
return nil, nil, fmt.Errorf("listing existing apps: %w", listErr)
}
existingNames := make(map[string]bool, len(existingApps))
for _, a := range existingApps {
existingNames[a.Name] = true
}
var imported, skipped []string
for _, ab := range bundle.Apps {
if existingNames[ab.Name] {
skipped = append(skipped, ab.Name)
continue
}
importErr := svc.importSingleApp(ctx, ab)
if importErr != nil {
return imported, skipped, fmt.Errorf(
"importing app %q: %w", ab.Name, importErr,
)
}
imported = append(imported, ab.Name)
}
return imported, skipped, nil
}
// importSingleApp creates a single app from backup data.
func (svc *Service) importSingleApp(
ctx context.Context,
ab Backup,
) error {
createdApp, createErr := svc.CreateApp(ctx, CreateAppInput{
Name: ab.Name,
RepoURL: ab.RepoURL,
Branch: ab.Branch,
DockerfilePath: ab.DockerfilePath,
DockerNetwork: ab.DockerNetwork,
NtfyTopic: ab.NtfyTopic,
SlackWebhook: ab.SlackWebhook,
})
if createErr != nil {
return fmt.Errorf("creating app: %w", createErr)
}
envErr := svc.importEnvVars(ctx, createdApp.ID, ab.EnvVars)
if envErr != nil {
return envErr
}
labelErr := svc.importLabels(ctx, createdApp.ID, ab.Labels)
if labelErr != nil {
return labelErr
}
volErr := svc.importVolumes(ctx, createdApp.ID, ab.Volumes)
if volErr != nil {
return volErr
}
portErr := svc.importPorts(ctx, createdApp.ID, ab.Ports)
if portErr != nil {
return portErr
}
svc.log.Info("app imported from backup",
"id", createdApp.ID, "name", createdApp.Name)
return nil
}
// importEnvVars adds env vars from backup to an app.
func (svc *Service) importEnvVars(
ctx context.Context,
appID string,
envVars []BackupEnvVar,
) error {
for _, ev := range envVars {
addErr := svc.AddEnvVar(ctx, appID, ev.Key, ev.Value)
if addErr != nil {
return fmt.Errorf("adding env var %q: %w", ev.Key, addErr)
}
}
return nil
}
// importLabels adds labels from backup to an app.
func (svc *Service) importLabels(
ctx context.Context,
appID string,
labels []BackupLabel,
) error {
for _, l := range labels {
addErr := svc.AddLabel(ctx, appID, l.Key, l.Value)
if addErr != nil {
return fmt.Errorf("adding label %q: %w", l.Key, addErr)
}
}
return nil
}
// importVolumes adds volumes from backup to an app.
func (svc *Service) importVolumes(
ctx context.Context,
appID string,
volumes []BackupVolume,
) error {
for _, v := range volumes {
addErr := svc.AddVolume(ctx, appID, v.HostPath, v.ContainerPath, v.ReadOnly)
if addErr != nil {
return fmt.Errorf("adding volume %q: %w", v.ContainerPath, addErr)
}
}
return nil
}
// importPorts adds ports from backup to an app.
func (svc *Service) importPorts(
ctx context.Context,
appID string,
ports []BackupPort,
) error {
for _, p := range ports {
port := models.NewPort(svc.db)
port.AppID = appID
port.HostPort = p.HostPort
port.ContainerPort = p.ContainerPort
port.Protocol = models.PortProtocol(p.Protocol)
if port.Protocol == "" {
port.Protocol = models.PortProtocolTCP
}
saveErr := port.Save(ctx)
if saveErr != nil {
return fmt.Errorf("adding port %d: %w", p.HostPort, saveErr)
}
}
return nil
}
// buildAppBackup collects all configuration for a single app into a Backup.
func (svc *Service) buildAppBackup(
ctx context.Context,
application *models.App,
) (Backup, error) {
envVars, labels, volumes, ports, err := svc.fetchAppResources(ctx, application)
if err != nil {
return Backup{}, err
}
backup := Backup{
Name: application.Name,
RepoURL: application.RepoURL,
Branch: application.Branch,
DockerfilePath: application.DockerfilePath,
EnvVars: convertEnvVars(envVars),
Labels: convertLabels(labels),
Volumes: convertVolumes(volumes),
Ports: convertPorts(ports),
}
if application.DockerNetwork.Valid {
backup.DockerNetwork = application.DockerNetwork.String
}
if application.NtfyTopic.Valid {
backup.NtfyTopic = application.NtfyTopic.String
}
if application.SlackWebhook.Valid {
backup.SlackWebhook = application.SlackWebhook.String
}
return backup, nil
}
// fetchAppResources retrieves all sub-resources for an app.
func (svc *Service) fetchAppResources(
ctx context.Context,
application *models.App,
) ([]*models.EnvVar, []*models.Label, []*models.Volume, []*models.Port, error) {
envVars, err := application.GetEnvVars(ctx)
if err != nil {
return nil, nil, nil, nil, fmt.Errorf(
"getting env vars for %q: %w", application.Name, err,
)
}
labels, err := application.GetLabels(ctx)
if err != nil {
return nil, nil, nil, nil, fmt.Errorf(
"getting labels for %q: %w", application.Name, err,
)
}
volumes, err := application.GetVolumes(ctx)
if err != nil {
return nil, nil, nil, nil, fmt.Errorf(
"getting volumes for %q: %w", application.Name, err,
)
}
ports, err := application.GetPorts(ctx)
if err != nil {
return nil, nil, nil, nil, fmt.Errorf(
"getting ports for %q: %w", application.Name, err,
)
}
return envVars, labels, volumes, ports, nil
}
// convertEnvVars converts model env vars to backup format.
func convertEnvVars(envVars []*models.EnvVar) []BackupEnvVar {
result := make([]BackupEnvVar, 0, len(envVars))
for _, ev := range envVars {
result = append(result, BackupEnvVar{
Key: ev.Key,
Value: ev.Value,
})
}
return result
}
// convertLabels converts model labels to backup format.
func convertLabels(labels []*models.Label) []BackupLabel {
result := make([]BackupLabel, 0, len(labels))
for _, l := range labels {
result = append(result, BackupLabel{
Key: l.Key,
Value: l.Value,
})
}
return result
}
// convertVolumes converts model volumes to backup format.
func convertVolumes(volumes []*models.Volume) []BackupVolume {
result := make([]BackupVolume, 0, len(volumes))
for _, v := range volumes {
result = append(result, BackupVolume{
HostPath: v.HostPath,
ContainerPath: v.ContainerPath,
ReadOnly: v.ReadOnly,
})
}
return result
}
// convertPorts converts model ports to backup format.
func convertPorts(ports []*models.Port) []BackupPort {
result := make([]BackupPort, 0, len(ports))
for _, p := range ports {
result = append(result, BackupPort{
HostPort: p.HostPort,
ContainerPort: p.ContainerPort,
Protocol: string(p.Protocol),
})
}
return result
}

379
internal/service/app/backup_test.go
View File

@@ -1,379 +0,0 @@
package app_test
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"go.uber.org/fx"
"sneak.berlin/go/upaas/internal/config"
"sneak.berlin/go/upaas/internal/database"
"sneak.berlin/go/upaas/internal/globals"
"sneak.berlin/go/upaas/internal/logger"
"sneak.berlin/go/upaas/internal/models"
"sneak.berlin/go/upaas/internal/service/app"
)
// backupTestContext bundles test dependencies for backup tests.
type backupTestContext struct {
svc *app.Service
db *database.Database
}
func setupBackupTest(t *testing.T) *backupTestContext {
t.Helper()
tmpDir := t.TempDir()
globals.SetAppname("upaas-test")
globals.SetVersion("test")
globalsInst, err := globals.New(fx.Lifecycle(nil))
require.NoError(t, err)
loggerInst, err := logger.New(
fx.Lifecycle(nil),
logger.Params{Globals: globalsInst},
)
require.NoError(t, err)
cfg := &config.Config{
Port: 8080,
DataDir: tmpDir,
SessionSecret: "test-secret-key-at-least-32-chars",
}
dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
Logger: loggerInst,
Config: cfg,
})
require.NoError(t, err)
svc, err := app.New(fx.Lifecycle(nil), app.ServiceParams{
Logger: loggerInst,
Database: dbInst,
})
require.NoError(t, err)
return &backupTestContext{svc: svc, db: dbInst}
}
// createAppWithFullConfig creates an app with env vars, labels, volumes, and ports.
func createAppWithFullConfig(
t *testing.T,
btc *backupTestContext,
name string,
) *models.App {
t.Helper()
createdApp, err := btc.svc.CreateApp(context.Background(), app.CreateAppInput{
Name: name,
RepoURL: "git@example.com:user/" + name + ".git",
Branch: "develop",
NtfyTopic: "https://ntfy.sh/" + name,
DockerNetwork: "test-network",
})
require.NoError(t, err)
require.NoError(t, btc.svc.AddEnvVar(
context.Background(), createdApp.ID, "DB_HOST", "localhost",
))
require.NoError(t, btc.svc.AddEnvVar(
context.Background(), createdApp.ID, "DB_PORT", "5432",
))
require.NoError(t, btc.svc.AddLabel(
context.Background(), createdApp.ID, "traefik.enable", "true",
))
require.NoError(t, btc.svc.AddVolume(
context.Background(), createdApp.ID, "/data", "/app/data", false,
))
port := models.NewPort(btc.db)
port.AppID = createdApp.ID
port.HostPort = 9090
port.ContainerPort = 8080
port.Protocol = models.PortProtocolTCP
require.NoError(t, port.Save(context.Background()))
return createdApp
}
// createAppWithConfigPort creates an app like createAppWithFullConfig but with
// a custom host port to avoid UNIQUE constraint collisions.
func createAppWithConfigPort(
t *testing.T,
btc *backupTestContext,
name string,
hostPort int,
) *models.App {
t.Helper()
createdApp, err := btc.svc.CreateApp(context.Background(), app.CreateAppInput{
Name: name,
RepoURL: "git@example.com:user/" + name + ".git",
Branch: "develop",
NtfyTopic: "https://ntfy.sh/" + name,
DockerNetwork: "test-network",
})
require.NoError(t, err)
require.NoError(t, btc.svc.AddEnvVar(
context.Background(), createdApp.ID, "DB_HOST", "localhost",
))
require.NoError(t, btc.svc.AddLabel(
context.Background(), createdApp.ID, "traefik.enable", "true",
))
require.NoError(t, btc.svc.AddVolume(
context.Background(), createdApp.ID, "/data2", "/app/data2", false,
))
port := models.NewPort(btc.db)
port.AppID = createdApp.ID
port.HostPort = hostPort
port.ContainerPort = 8080
port.Protocol = models.PortProtocolTCP
require.NoError(t, port.Save(context.Background()))
return createdApp
}
func TestExportApp(t *testing.T) {
t.Parallel()
btc := setupBackupTest(t)
createdApp := createAppWithFullConfig(t, btc, "export-svc-test")
bundle, err := btc.svc.ExportApp(context.Background(), createdApp)
require.NoError(t, err)
assert.Equal(t, 1, bundle.Version)
assert.NotEmpty(t, bundle.ExportedAt)
require.Len(t, bundle.Apps, 1)
ab := bundle.Apps[0]
assert.Equal(t, "export-svc-test", ab.Name)
assert.Equal(t, "develop", ab.Branch)
assert.Equal(t, "test-network", ab.DockerNetwork)
assert.Equal(t, "https://ntfy.sh/export-svc-test", ab.NtfyTopic)
assert.Len(t, ab.EnvVars, 2)
assert.Len(t, ab.Labels, 1)
assert.Len(t, ab.Volumes, 1)
assert.Len(t, ab.Ports, 1)
assert.Equal(t, 9090, ab.Ports[0].HostPort)
assert.Equal(t, 8080, ab.Ports[0].ContainerPort)
assert.Equal(t, "tcp", ab.Ports[0].Protocol)
}
func TestExportAllApps(t *testing.T) {
t.Parallel()
btc := setupBackupTest(t)
createAppWithFullConfig(t, btc, "export-all-1")
createAppWithConfigPort(t, btc, "export-all-2", 9091)
bundle, err := btc.svc.ExportAllApps(context.Background())
require.NoError(t, err)
assert.Equal(t, 1, bundle.Version)
assert.Len(t, bundle.Apps, 2)
}
func TestExportAllAppsEmpty(t *testing.T) {
t.Parallel()
btc := setupBackupTest(t)
bundle, err := btc.svc.ExportAllApps(context.Background())
require.NoError(t, err)
assert.Empty(t, bundle.Apps)
}
func TestImportApps(t *testing.T) {
t.Parallel()
btc := setupBackupTest(t)
bundle := &app.BackupBundle{
Version: 1,
ExportedAt: "2025-01-01T00:00:00Z",
Apps: []app.Backup{
{
Name: "imported-test",
RepoURL: "git@example.com:user/imported.git",
Branch: "main",
DockerfilePath: "Dockerfile",
DockerNetwork: "my-network",
EnvVars: []app.BackupEnvVar{
{Key: "FOO", Value: "bar"},
},
Labels: []app.BackupLabel{
{Key: "app", Value: "test"},
},
Volumes: []app.BackupVolume{
{HostPath: "/host", ContainerPath: "/container", ReadOnly: true},
},
Ports: []app.BackupPort{
{HostPort: 3000, ContainerPort: 8080, Protocol: "tcp"},
},
},
},
}
imported, skipped, err := btc.svc.ImportApps(context.Background(), bundle)
require.NoError(t, err)
assert.Equal(t, []string{"imported-test"}, imported)
assert.Empty(t, skipped)
// Verify the app was created
apps, _ := btc.svc.ListApps(context.Background())
require.Len(t, apps, 1)
assert.Equal(t, "imported-test", apps[0].Name)
assert.True(t, apps[0].DockerNetwork.Valid)
assert.Equal(t, "my-network", apps[0].DockerNetwork.String)
// Has fresh secrets
assert.NotEmpty(t, apps[0].WebhookSecret)
assert.NotEmpty(t, apps[0].SSHPublicKey)
// Verify sub-resources
envVars, _ := apps[0].GetEnvVars(context.Background())
assert.Len(t, envVars, 1)
labels, _ := apps[0].GetLabels(context.Background())
assert.Len(t, labels, 1)
volumes, _ := apps[0].GetVolumes(context.Background())
assert.Len(t, volumes, 1)
assert.True(t, volumes[0].ReadOnly)
ports, _ := apps[0].GetPorts(context.Background())
assert.Len(t, ports, 1)
assert.Equal(t, 3000, ports[0].HostPort)
}
func TestImportAppsSkipsDuplicates(t *testing.T) {
t.Parallel()
btc := setupBackupTest(t)
// Create existing app
_, err := btc.svc.CreateApp(context.Background(), app.CreateAppInput{
Name: "existing",
RepoURL: "git@example.com:user/existing.git",
})
require.NoError(t, err)
bundle := &app.BackupBundle{
Version: 1,
ExportedAt: "2025-01-01T00:00:00Z",
Apps: []app.Backup{
{
Name: "existing",
RepoURL: "git@example.com:user/existing.git",
Branch: "main",
DockerfilePath: "Dockerfile",
EnvVars: []app.BackupEnvVar{},
Labels: []app.BackupLabel{},
Volumes: []app.BackupVolume{},
Ports: []app.BackupPort{},
},
{
Name: "brand-new",
RepoURL: "git@example.com:user/new.git",
Branch: "main",
DockerfilePath: "Dockerfile",
EnvVars: []app.BackupEnvVar{},
Labels: []app.BackupLabel{},
Volumes: []app.BackupVolume{},
Ports: []app.BackupPort{},
},
},
}
imported, skipped, err := btc.svc.ImportApps(context.Background(), bundle)
require.NoError(t, err)
assert.Equal(t, []string{"brand-new"}, imported)
assert.Equal(t, []string{"existing"}, skipped)
}
func TestImportAppsPortDefaultProtocol(t *testing.T) {
t.Parallel()
btc := setupBackupTest(t)
bundle := &app.BackupBundle{
Version: 1,
ExportedAt: "2025-01-01T00:00:00Z",
Apps: []app.Backup{
{
Name: "port-default-test",
RepoURL: "git@example.com:user/repo.git",
Branch: "main",
DockerfilePath: "Dockerfile",
EnvVars: []app.BackupEnvVar{},
Labels: []app.BackupLabel{},
Volumes: []app.BackupVolume{},
Ports: []app.BackupPort{
{HostPort: 80, ContainerPort: 80, Protocol: ""},
},
},
},
}
imported, _, err := btc.svc.ImportApps(context.Background(), bundle)
require.NoError(t, err)
assert.Len(t, imported, 1)
apps, _ := btc.svc.ListApps(context.Background())
ports, _ := apps[0].GetPorts(context.Background())
require.Len(t, ports, 1)
assert.Equal(t, models.PortProtocolTCP, ports[0].Protocol)
}
func TestExportImportRoundTripService(t *testing.T) {
t.Parallel()
btc := setupBackupTest(t)
createAppWithFullConfig(t, btc, "roundtrip-svc")
// Export
bundle, err := btc.svc.ExportAllApps(context.Background())
require.NoError(t, err)
require.Len(t, bundle.Apps, 1)
// Delete original
apps, _ := btc.svc.ListApps(context.Background())
for _, a := range apps {
require.NoError(t, btc.svc.DeleteApp(context.Background(), a))
}
// Import
imported, skipped, err := btc.svc.ImportApps(context.Background(), bundle)
require.NoError(t, err)
assert.Len(t, imported, 1)
assert.Empty(t, skipped)
// Verify round-trip fidelity
restored, _ := btc.svc.ListApps(context.Background())
require.Len(t, restored, 1)
assert.Equal(t, "roundtrip-svc", restored[0].Name)
assert.Equal(t, "develop", restored[0].Branch)
assert.Equal(t, "test-network", restored[0].DockerNetwork.String)
envVars, _ := restored[0].GetEnvVars(context.Background())
assert.Len(t, envVars, 2)
labels, _ := restored[0].GetLabels(context.Background())
assert.Len(t, labels, 1)
volumes, _ := restored[0].GetVolumes(context.Background())
assert.Len(t, volumes, 1)
ports, _ := restored[0].GetPorts(context.Background())
assert.Len(t, ports, 1)
}

36
internal/service/deploy/deploy.go
View File

@@ -830,6 +830,13 @@ func (svc *Service) buildImage(
logWriter := newDeploymentLogWriter(ctx, deployment)
defer logWriter.Close()
// Fetch registry credentials for private base images
registryAuths, err := svc.buildRegistryAuths(ctx, app)
if err != nil {
svc.log.Warn("failed to fetch registry credentials", "error", err, "app", app.Name)
// Continue without auth — public images will still work
}
// BuildImage creates a tar archive from the local filesystem,
// so it needs the container path where files exist, not the host path.
imageID, err := svc.docker.BuildImage(ctx, docker.BuildImageOptions{
@@ -837,6 +844,7 @@ func (svc *Service) buildImage(
DockerfilePath: app.DockerfilePath,
Tags: []string{imageTag},
LogWriter: logWriter,
RegistryAuths: registryAuths,
})
if err != nil {
svc.notify.NotifyBuildFailed(ctx, app, deployment, err)
@@ -1227,6 +1235,34 @@ func (svc *Service) failDeployment(
_ = app.Save(ctx)
}
// buildRegistryAuths fetches registry credentials for an app and converts them
// to Docker RegistryAuth objects for use during image builds.
func (svc *Service) buildRegistryAuths(
ctx context.Context,
app *models.App,
) ([]docker.RegistryAuth, error) {
creds, err := app.GetRegistryCredentials(ctx)
if err != nil {
return nil, fmt.Errorf("failed to get registry credentials: %w", err)
}
if len(creds) == 0 {
return nil, nil
}
auths := make([]docker.RegistryAuth, 0, len(creds))
for _, cred := range creds {
auths = append(auths, docker.RegistryAuth{
Registry: cred.Registry,
Username: cred.Username,
Password: cred.Password,
})
}
return auths, nil
}
// writeLogsToFile writes the deployment logs to a file on disk.
// Structure: DataDir/logs/<hostname>/<appname>/<appname>_<sha>_<timestamp>.log.txt
func (svc *Service) writeLogsToFile(app *models.App, deployment *models.Deployment) {

75
templates/app_detail.html
View File

@@ -154,6 +154,69 @@
<div class="hidden">{{ .CSRFField }}</div>
</div>
<!-- Registry Credentials -->
<div class="card p-6 mb-6">
<h2 class="section-title mb-4">Registry Credentials</h2>
<p class="text-sm text-gray-500 mb-3">Authenticate to private Docker registries when pulling base images during builds.</p>
{{if .RegistryCredentials}}
<div class="overflow-x-auto mb-4">
<table class="table">
<thead class="table-header">
<tr>
<th>Registry</th>
<th>Username</th>
<th>Password</th>
<th class="text-right">Actions</th>
</tr>
</thead>
<tbody class="table-body">
{{range .RegistryCredentials}}
<tr x-data="{ editing: false }">
<template x-if="!editing">
<td class="font-mono">{{.Registry}}</td>
</template>
<template x-if="!editing">
<td class="font-mono">{{.Username}}</td>
</template>
<template x-if="!editing">
<td class="font-mono text-gray-400">••••••••</td>
</template>
<template x-if="!editing">
<td class="text-right">
<button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
<form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this registry credential?')" @submit="confirm($event)">
{{ $.CSRFField }}
<button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
</form>
</td>
</template>
<template x-if="editing">
<td colspan="4">
<form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/edit" class="flex gap-2 items-center">
{{ $.CSRFField }}
<input type="text" name="registry" value="{{.Registry}}" required class="input flex-1 font-mono text-sm" placeholder="registry.example.com">
<input type="text" name="username" value="{{.Username}}" required class="input flex-1 font-mono text-sm" placeholder="username">
<input type="password" name="password" required class="input flex-1 font-mono text-sm" placeholder="password">
<button type="submit" class="btn-primary text-sm">Save</button>
<button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
</form>
</td>
</template>
</tr>
{{end}}
</tbody>
</table>
</div>
{{end}}
<form method="POST" action="/apps/{{.App.ID}}/registry-credentials" class="flex flex-col sm:flex-row gap-2">
{{ .CSRFField }}
<input type="text" name="registry" placeholder="registry.example.com" required class="input flex-1 font-mono text-sm">
<input type="text" name="username" placeholder="username" required class="input flex-1 font-mono text-sm">
<input type="password" name="password" placeholder="password" required class="input flex-1 font-mono text-sm">
<button type="submit" class="btn-primary">Add</button>
</form>
</div>
<!-- Labels -->
<div class="card p-6 mb-6">
<h2 class="section-title mb-4">Docker Labels</h2>
@@ -432,18 +495,6 @@
</div>
</div>
<!-- Backup -->
<div class="card p-6 mb-6">
<h2 class="section-title mb-4">Backup</h2>
<p class="text-sm text-gray-500 mb-3">Export this app's configuration (settings, env vars, labels, volumes, ports) as a JSON file for backup or migration.</p>
<a href="/apps/{{.App.ID}}/export" class="btn-secondary">
<svg class="w-4 h-4 mr-1 inline" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4"/>
</svg>
Export Config
</a>
</div>
<!-- Danger Zone -->
<div class="card border-2 border-error-500/20 bg-error-50/50 p-6">
<h2 class="text-lg font-medium text-error-700 mb-4">Danger Zone</h2>

62
templates/backup_import.html
View File

@@ -1,62 +0,0 @@
{{template "base" .}}
{{define "title"}}Import Backup - µPaaS{{end}}
{{define "content"}}
{{template "nav" .}}
<main class="max-w-4xl mx-auto px-4 py-8">
<div class="mb-6">
<a href="/" class="text-primary-600 hover:text-primary-800 inline-flex items-center">
<svg class="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 19l-7-7 7-7"/>
</svg>
Back to Dashboard
</a>
</div>
{{template "alert-success" .}}
{{template "alert-error" .}}
<h1 class="text-2xl font-medium text-gray-900 mb-6">Import Backup</h1>
<div class="card p-6 mb-6">
<h2 class="section-title mb-4">Restore from Backup File</h2>
<p class="text-sm text-gray-500 mb-4">
Upload a previously exported µPaaS backup file (JSON) to restore app configurations.
New apps will be created with fresh SSH keys and webhook secrets.
Apps whose names already exist will be skipped.
</p>
<form method="POST" action="/backup/import" enctype="multipart/form-data">
{{ .CSRFField }}
<div class="mb-4">
<label for="backup_file" class="form-label">Backup File</label>
<input type="file" id="backup_file" name="backup_file" accept=".json,application/json"
class="block w-full text-sm text-gray-500
file:mr-4 file:py-2 file:px-4
file:rounded file:border-0
file:text-sm file:font-medium
file:bg-primary-50 file:text-primary-700
hover:file:bg-primary-100
cursor-pointer">
</div>
<button type="submit" class="btn-primary">Import</button>
</form>
</div>
<div class="card p-6">
<h2 class="section-title mb-4">Export All Apps</h2>
<p class="text-sm text-gray-500 mb-4">
Download a backup of all app configurations. This includes app settings,
environment variables, labels, volumes, and port mappings.
Secrets (SSH keys, webhook tokens) are not included — they are regenerated on import.
</p>
<a href="/backup/export" class="btn-secondary">
<svg class="w-4 h-4 mr-1 inline" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4"/>
</svg>
Export All Apps
</a>
</div>
</main>
{{end}}

20
templates/dashboard.html
View File

@@ -11,20 +11,12 @@
<div class="section-header">
<h1 class="text-2xl font-medium text-gray-900">Applications</h1>
<div class="flex gap-3">
<a href="/backup/import" class="btn-secondary">
<svg class="w-4 h-4 mr-1 inline" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-8l-4-4m0 0L8 8m4-4v12"/>
</svg>
Backup / Restore
</a>
<a href="/apps/new" class="btn-primary">
<svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
</svg>
New App
</a>
</div>
<a href="/apps/new" class="btn-primary">
<svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
</svg>
New App
</a>
</div>
{{if .AppStats}}

1
templates/templates.go
View File

@@ -45,7 +45,6 @@ func initTemplates() {
"app_edit.html",
"deployments.html",
"webhook_events.html",
"backup_import.html",
}
pageTemplates = make(map[string]*template.Template)