Skip to content

Latest commit

 

History

History
131 lines (99 loc) · 4.98 KB

File metadata and controls

131 lines (99 loc) · 4.98 KB

Production Deployment

This service deploys as an immutable Docker image published to GitHub Container Registry (GHCR). Runtime configuration is injected through the EC2 .env file generated by GitHub Actions; private resource files are not copied into the image or bind-mounted from the host.

Required GitHub Secrets

Deployment access:

  • EC2_HOST
  • EC2_USER
  • EC2_SSH_KEY
  • GHCR_USERNAME
  • GHCR_READ_TOKEN

Runtime image and port:

  • BACKEND_HTTP_PORT (optional, defaults to 8080)
  • BACKEND_MEMORY_LIMIT (optional, defaults to 768m; use 640m if the EC2 instance is memory constrained)
  • BACKEND_CPU_LIMIT (optional, defaults to 1.0)

Spring and database:

  • SPRING_APPLICATION_NAME
  • SPRING_DATASOURCE_URL (jdbc:mysql://ontime-prod.cpoeguokwaq5.ap-northeast-2.rds.amazonaws.com:3306/ontime_prod?useSSL=true&serverTimezone=Asia/Seoul&characterEncoding=UTF-8)
  • SPRING_DATASOURCE_USERNAME (ontimeadmin)
  • SPRING_DATASOURCE_PASSWORD

The deploy workflow hardcodes safe production defaults for the datasource driver, JPA DDL mode, and Flyway:

  • SPRING_DATASOURCE_DRIVER_CLASS_NAME=com.mysql.cj.jdbc.Driver
  • SPRING_JPA_HIBERNATE_DDL_AUTO=validate
  • SPRING_FLYWAY_ENABLED=true
  • SPRING_FLYWAY_BASELINE_ON_MIGRATE=false

It also fails before restart if the datasource URL does not point to an RDS MySQL endpoint using the ontime_prod database, or if EC2 cannot reach RDS on 3306.

Authentication and OAuth:

  • JWT_SECRETKEY
  • JWT_ACCESS_EXPIRATION
  • JWT_REFRESH_EXPIRATION
  • JWT_ACCESS_HEADER
  • JWT_REFRESH_HEADER
  • GOOGLE_WEB_CLIENT_ID
  • GOOGLE_APP_CLIENT_ID
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_CLIENT_SECRET
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_SCOPE
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_REDIRECT_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_AUTHORIZATION_GRANT_TYPE
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_CLIENT_NAME
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_AUTHORIZATION_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_TOKEN_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_USER_INFO_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_USER_NAME_ATTRIBUTE
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_CLIENT_ID
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_SCOPE
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_REDIRECT_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_AUTHORIZATION_GRANT_TYPE
  • SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_CLIENT_NAME
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_AUTHORIZATION_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_TOKEN_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_USER_INFO_URI
  • SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_USER_NAME_ATTRIBUTE
  • APPLE_CLIENT_ID
  • APPLE_TEAM_ID
  • APPLE_LOGIN_KEY
  • APPLE_PRIVATE_KEY_BASE64
  • FEATURE_APPLE_LOGIN_ENABLED (optional, defaults to true)

Firebase:

  • FIREBASE_CREDENTIALS_BASE64

Set the base64 secrets from the ignored local credential files:

base64 -i ontime-back/src/main/resources/ontime-c63f1-firebase-adminsdk-fbsvc-a043cdc829.json | tr -d '\n' | gh secret set FIREBASE_CREDENTIALS_BASE64 --repo DevKor-github/OnTime-back
base64 -i ontime-back/src/main/resources/key/AuthKey_743M7R5W3W.p8 | tr -d '\n' | gh secret set APPLE_PRIVATE_KEY_BASE64 --repo DevKor-github/OnTime-back

Build And Release Flow

Push to the main branch, or run .github/workflows/deploy.yml manually, to deploy production.

Pushes to dev run CI only. There is no dev-server deploy workflow in the one-EC2 plan.

The workflow:

  1. Builds ontime-back/Dockerfile from the ontime-back/ context.
  2. Pushes two GHCR tags:
    • ghcr.io/devkor-github/ontime-back:<commit-sha>
    • ghcr.io/devkor-github/ontime-back:deploy-latest
  3. Uploads docker-compose.yml to /home/ubuntu/OnTime-back.
  4. Writes /home/ubuntu/OnTime-back/.env from GitHub secrets.
  5. Verifies EC2 can reach private RDS on 3306.
  6. Runs docker compose pull && docker compose up -d --remove-orphans.
  7. Waits until the ontime-container Docker health status is healthy.

Health Verification

The production image exposes a Docker healthcheck against:

/actuator/health/readiness

Manual checks on EC2:

cd /home/ubuntu/OnTime-back
sudo docker compose ps
sudo docker inspect -f '{{.State.Health.Status}}' ontime-container
curl -fsS http://localhost:8080/actuator/health/readiness
nc -zv ontime-prod.cpoeguokwaq5.ap-northeast-2.rds.amazonaws.com 3306

Rollback

Every deploy is tagged by commit SHA. To roll back, set IMAGE_TAG in /home/ubuntu/OnTime-back/.env to the previous known-good SHA, then restart from the existing Compose file:

cd /home/ubuntu/OnTime-back
sudo docker compose pull
sudo docker compose up -d --remove-orphans
sudo docker inspect -f '{{.State.Health.Status}}' ontime-container

Keep the previous SHA in the release notes or GitHub Actions deploy history so rollback does not depend on deploy-latest.