Automatyczna zmiana: 1754157020

This reverts commit 8396169b19.

Dockerfile

@@ -1,5 +1,18 @@
-FROM python:3.11.7-slim-bookworm
+FROM python:3.11.7-alpine
+
+# Wersja i data builda jako build-arg
+ARG APP_VERSION=unknown
+ARG BUILD_DATE=unknown
+
+# Ustawiamy zmienne w ENV, by były dostępne w kontenerze
+ENV APP_VERSION=$APP_VERSION
+ENV BUILD_DATE=$BUILD_DATE
+
 WORKDIR /app
+
 COPY api .
+
+RUN apk add --no-cache curl
 RUN pip install -r requirements.txt
-CMD python3 app.py
+
+CMD python3 app.py

api/app.py

@@ -2,46 +2,69 @@ from dotenv import load_dotenv
 from flask import Flask, jsonify
 from flask_jwt_extended import JWTManager
 from jwt import ExpiredSignatureError
-from models import db
+from models import db, RevokedToken
 import os
-from utils import init_db
+from tech_views import tech_bp
+from utils import init_db, wait_for_db
 from views import user_bp
 from werkzeug.exceptions import HTTPException
 
-# App initialization
-load_dotenv()
-app = Flask(__name__)
-app.config['SQLALCHEMY_DATABASE_URI'] = os.getenv('SQLALCHEMY_DATABASE_URI')
-app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = True
-app.config['JWT_SECRET_KEY'] = os.getenv('JWT_SECRET_KEY', 'changeme')
+def create_app(config_name="default"):
+    """Creates and returns a new instance of Flask app."""
+    load_dotenv()
+    app = Flask(__name__)
+    
+    # Database settings
+    if config_name == "testing":
+        app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"  # Database in memory
+        app.config["TESTING"] = True
+    else:
+        app.config["SQLALCHEMY_DATABASE_URI"] = os.getenv("SQLALCHEMY_DATABASE_URI")
+    app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
 
-# Blueprint registration
-app.register_blueprint(user_bp)
+    # JWT settings
+    app.config["JWT_SECRET_KEY"] = os.getenv("JWT_SECRET_KEY", "changeme")
 
-# Database and JWT initialization
-db.init_app(app)
-jwt = JWTManager(app)
+    # Blueprints registration
+    app.register_blueprint(user_bp)
+    app.register_blueprint(tech_bp)
 
-# Global error handler
-@app.errorhandler(Exception)
-def global_error_handler(error):
-    if isinstance(error, HTTPException):
-        response = jsonify({"error": error.description})
-        response.status_code = error.code
-    elif isinstance(error, ExpiredSignatureError):
-        response = jsonify({"error": "Token has expired"})
-        response.status_code = 401
-    else:  # Wszystkie inne błędy
-        response = jsonify({"error": str(error)})
-        response.status_code = 500
-    return response
+    # Database and JWT initialization
+    db.init_app(app)
+    jwt = JWTManager(app)
+
+    # Function to check if JWT token is revoked
+    @jwt.token_in_blocklist_loader
+    def check_if_token_revoked(jwt_header, jwt_payload):
+        token = db.session.get(RevokedToken, jwt_payload["jti"])
+        return token is not None
+
+    # Global error handler
+    @app.errorhandler(Exception)
+    def global_error_handler(error):
+        if isinstance(error, HTTPException):
+            response = jsonify({"error": error.description})
+            response.status_code = error.code
+        elif isinstance(error, ExpiredSignatureError):
+            response = jsonify({"error": "Token has expired"})
+            response.status_code = 401
+        else:  # All other errors
+            response = jsonify({"error": str(error)})
+            response.status_code = 500
+        return response
+
+    # Fill database by initial values (only if we are not testing)
+    with app.app_context():
+        wait_for_db(max_retries=100)
+        db.create_all()
+        if config_name != "testing":
+            init_db()
+    return app
 
 
-# Fill database by initial values
-with app.app_context():
-    db.create_all()
-    init_db()
-
-# Server start
+# Server start only if we run app directly
 if __name__ == "__main__":
-    app.run(host='0.0.0.0')
+    from waitress import serve
+    app = create_app()
+    port = os.getenv("APP_PORT", "80")
+    serve(app, host="0.0.0.0", port=port)

api/models.py

@@ -15,3 +15,6 @@ class User(db.Model):
     @staticmethod
     def get_editable_fields():
         return {"username", "email", "role", "password"}
+
+class RevokedToken(db.Model):
+    jti = db.Column(db.String(100), primary_key=True)

api/requirements.txt

@@ -11,4 +11,5 @@ mysql-connector-python==9.2.0
 python-dotenv==1.0.0
 SQLAlchemy==2.0.23
 typing_extensions==4.8.0
+waitress==3.0.2
 Werkzeug==3.0.1

api/tech_views.py

@@ -0,0 +1,20 @@
+from flask import Blueprint, jsonify
+from models import db
+from sqlalchemy import text
+from utils import db_ready
+
+# Blueprint with technical endpoints
+tech_bp = Blueprint('tech_bp', __name__)
+
+@tech_bp.route('/health', methods=['GET'])
+def health_check():
+    "Check if service works and database is functional"
+    try:
+        with db.engine.connect() as connection:
+            connection.execute(text("SELECT 1"))
+        return jsonify(status="healthy"), 200
+    except Exception:
+        if db_ready:
+            return jsonify(status="unhealthy"), 500
+        else:
+            return jsonify(status="starting"), 503

api/tests/conftest.py

@@ -1,6 +1,8 @@
 import pytest
 from app import create_app
-from models import db
+from flask_jwt_extended import create_access_token
+from models import db, User
+from werkzeug.security import generate_password_hash
 
 @pytest.fixture
 def test_client():
@@ -13,3 +15,33 @@ def test_client():
             yield client
             db.session.remove()
             db.drop_all()
+
+@pytest.fixture
+def test_user():
+    """Create a new user for testing."""
+    user = User(username="testuser", email="test@example.com", password=generate_password_hash("testpass"), role="User")
+    db.session.add(user)
+    db.session.commit()
+    return user
+
+@pytest.fixture
+def test_user2():
+    """Create a user nr 2 for testing."""
+    user2 = User(username="testuser2", email="test2@example.com", password=generate_password_hash("testpass2"), role="User")
+    db.session.add(user2)
+    db.session.commit()
+    return user2
+
+@pytest.fixture
+def test_admin():
+    """Create a new admin user for testing."""
+    admin = User(username="adminuser", email="admin@example.com", password=generate_password_hash("adminpass"), role="Administrator")
+    db.session.add(admin)
+    db.session.commit()
+    return admin
+
+def login_test_user(identity):
+    """Return Bearer auth header for user identified by provided id"""
+    access_token = create_access_token(identity=str(identity))
+    auth_header = {"Authorization": f"Bearer {access_token}"}
+    return auth_header

api/tests/test_users.py

@@ -1,113 +1,132 @@
+from conftest import login_test_user
 import json
-from models import User, db
-from flask_jwt_extended import create_access_token
-from werkzeug.security import generate_password_hash
 
-def test_create_user(test_client):
+def test_create_user(test_client, test_user, test_admin):
     """New user registration test"""
 
     # Anonymous try to create common user
-    test_user_data = {"username": "testuser", "email": "test@example.com", "password": "testpass", "role": "User"}
+    test_user_data = {"username": "test", "email": "testemail@example.com", "password": "testpassword", "role": "User"}
     response = test_client.post("/users", data=json.dumps(test_user_data), content_type="application/json")
-    assert response.status_code == 201 # User should be created successfully
+    assert response.status_code == 201, "Each should can register in the service"
     data = response.get_json()
-    assert data["username"] == "testuser"
+    assert data["username"] == "test"
 
     # Anonymous try to create admin user
     admin_user_data = {"username": "testadmin", "email": "testadmin@example.com", "password": "adminpass", "role": "Administrator"}
     response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json")
-    assert response.status_code == 401 # Anonymous cannot create admin users
+    assert response.status_code == 401, "Anonymous should cannot create admin users"
 
     # Login common user and try to create admin user
-    access_token = create_access_token(identity='1')
-    headers = {"Authorization": f"Bearer {access_token}"}
+    headers = login_test_user(test_user.id)
     response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers)
-    assert response.status_code == 403 # Common user cannot create admin users
+    assert response.status_code == 403, "Common user should cannot create admin users"
 
     # Try to create admin user using admin account
-    hashed_pass = generate_password_hash("adminpass")
-    user = User(username="admin", email="admin@example.com", password=hashed_pass, role="Administrator")
-    db.session.add(user)
-    db.session.commit()
-    access_token = create_access_token(identity=str(user.id))
-    headers = {"Authorization": f"Bearer {access_token}"}
+    headers = login_test_user(test_admin.id)
     response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers)
-    assert response.status_code == 201 # Logged administrators can create new admin users
+    assert response.status_code == 201, "Logged administrators should can create new admin users"
 
+def test_edit_user(test_client, test_user, test_admin):
+    "User edit test"
+    # Anonymous cannot edit any user
+    admin_data = test_admin.to_dict()
+    response = test_client.patch(f"/users/{test_admin.id}", data=json.dumps({"username": admin_data["username"], "password": "adminpass"}))
+    assert response.status_code == 401
 
-def test_login(test_client):
+    # Login users (get dict with auth header and merge it with dict with rest of headers)
+    admin_headers = login_test_user(test_admin.id) | {"Content-Type": "application/json"}
+    user_headers = login_test_user(test_user.id) | {"Content-Type": "application/json"}
+
+    # Check if PUT request contains all editable fields
+    response = test_client.put(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=user_headers)
+    assert response.status_code == 400, "PUT request data must have all editable fields"
+
+    # Check if user can edit their own data
+    response = test_client.patch(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=user_headers)
+    assert response.status_code == 200, "Common user should can edit own account data"
+
+    # Check if user cannot edit other user data
+    response = test_client.patch(f"/users/{test_admin.id}", data=json.dumps({"username": admin_data["username"], "password": "adminpass"}), headers=user_headers)
+    assert response.status_code == 403, "Common user should cannot edit other user data"
+
+    # Check if admin can edit other user data
+    response = test_client.patch(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=admin_headers)
+    assert response.status_code == 200, "Admin user should can edit other user data"
+
+def test_remove_user(test_client, test_user, test_user2, test_admin):
+    "User remove test"
+    # Anonymous try to remove user
+    response = test_client.delete(f"/users/{test_user.id}")
+    assert response.status_code == 401, "Anonymous should cannot remove user account"
+
+    # Logged user try to remove other user account
+    headers = login_test_user(test_user.id)
+    response = test_client.delete(f"/users/{test_admin.id}", headers=headers)
+    assert response.status_code == 403, "Common user should cannot remove other user account"
+
+    # Logged user try to remove own account
+    response = test_client.delete(f"/users/{test_user.id}", headers=headers)
+    assert response.status_code == 200, "Common user should can remove their own account"
+
+    # Logged admin can remove other user account
+    admin_headers = login_test_user(test_admin.id)
+    response = test_client.delete(f"/users/{test_user2.id}", headers=admin_headers)
+    assert response.status_code == 200, "Admin user should can remove other user account"
+
+def test_login(test_client, test_user):
     """User login test"""
-    hashed_pass = generate_password_hash("testpass")
-    user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User")
-    db.session.add(user)
-    db.session.commit()
 
     response = test_client.post(
         "/login",
         data=json.dumps({"username": "testuser", "password": "wrongpass"}),
         content_type="application/json",
     )
-    assert response.status_code == 401 # User should not be logged - wrong password
+    assert response.status_code == 401, "User should not become logged if provided wrong password"
     response = test_client.post(
         "/login",
         data=json.dumps({"username": "testuser", "password": "testpass"}),
         content_type="application/json",
     )
-    assert response.status_code == 200 # User should be logged - right password
+    assert response.status_code == 200, "User should become logged if provided right password"
 
-
-def test_get_users(test_client):
+def test_get_users(test_client, test_user, test_admin):
     """Get all users test"""
     response = test_client.get("/users")
-    assert response.status_code == 401 # Anonymous cannot get all users data
+    assert response.status_code == 401, "Anonymous should cannot get all users data"
     
     # Common user try to get all users data
-    hashed_pass = generate_password_hash("testpass")
-    user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User")
-    db.session.add(user)
-    db.session.commit()
-    access_token = create_access_token(identity=str(user.id))
-    headers = {"Authorization": f"Bearer {access_token}"}
+    headers = login_test_user(test_user.id)
     response = test_client.get("/users", headers=headers)
-    assert response.status_code == 403 # Common user cannot get all users data
+    assert response.status_code == 403, "Common user should cannot get all users data"
     
     # Admin user try to get all users data
-    hashed_pass = generate_password_hash("adminpass")
-    user = User(username="testadmin", email="testadmin@example.com", password=hashed_pass, role="Administrator")
-    db.session.add(user)
-    db.session.commit()
-    access_token = create_access_token(identity=str(user.id))
-    headers = {"Authorization": f"Bearer {access_token}"}
+    headers = login_test_user(test_admin.id)
     response = test_client.get("/users", headers=headers)
-    assert response.status_code == 200 # Admin user should can get all users data
+    assert response.status_code == 200, "Admin user should be able to get all users data"
 
-def test_get_user_with_token(test_client):
+def test_get_user_with_token(test_client, test_user, test_admin):
     """Test to get user data before and after auth using JWT token"""
-    admin_pass = generate_password_hash("admin_pass")
-    admin = User(username="admin", email="admin@example.com", password=admin_pass, role="Administrator")
-    db.session.add(admin)
-    db.session.commit()
+    response = test_client.get(f"/users/{test_admin.id}")
+    assert response.status_code == 401, "Anonymous should cannot get user data without login"
 
-    response = test_client.get(f"/users/{admin.id}")
-    assert response.status_code == 401 # Try to get user data without login
-    
-    access_token = create_access_token(identity=str(admin.id))
-    admin_headers = {"Authorization": f"Bearer {access_token}"}
-
-    response = test_client.get(f"/users/{admin.id}", headers=admin_headers)
+    admin_headers = login_test_user(test_admin.id)
+    response = test_client.get(f"/users/{test_admin.id}", headers=admin_headers)
     assert response.status_code == 200
     data = response.get_json()
-    assert data["username"] == "admin"
+    assert data["username"] == "adminuser"
 
-    user_pass = generate_password_hash("test_pass")
-    user = User(username="testuser", email="test@example.com", password=user_pass, role="User")
-    db.session.add(user)
-    db.session.commit()
-    access_token = create_access_token(identity=str(user.id))
-    headers = {"Authorization": f"Bearer {access_token}"}
-    response = test_client.get(f"/users/{user.id}", headers=headers)
-    assert response.status_code == 200 # Common user can get own user data
-    response = test_client.get(f"/users/{admin.id}", headers=headers)
-    assert response.status_code == 403 # Common user cannot get other user data
-    response = test_client.get(f"/users/{user.id}", headers=admin_headers)
-    assert response.status_code == 200 # Admin can access all user data
+    headers = login_test_user(test_user.id)
+    response = test_client.get(f"/users/{test_user.id}", headers=headers)
+    assert response.status_code == 200, "Common user should can get own user data"
+    response = test_client.get(f"/users/{test_admin.id}", headers=headers)
+    assert response.status_code == 403, "Common user should cannot get other user data"
+    response = test_client.get(f"/users/{test_user.id}", headers=admin_headers)
+    assert response.status_code == 200, "Admin should can access all user data"
+
+def test_user_logout(test_client, test_user):
+    """Test if logout works and JWT token is revoked"""
+    headers = login_test_user(test_user.id)
+    response = test_client.get(f"/logout", headers=headers)
+    assert response.status_code == 200, "Logged user should can logout"
+    response = test_client.get(f"/logout", headers=headers)
+    assert response.status_code == 401, "Token should be revoked after logout"

api/tests/tests.py

@@ -1,55 +0,0 @@
-import json
-from models import User, db
-from flask_jwt_extended import create_access_token
-from werkzeug.security import generate_password_hash
-
-def test_create_user(test_client):
-    """New user registration test"""
-    response = test_client.post(
-        "/users",
-        data=json.dumps({"username": "testuser", "email": "test@example.com", "password": "testpass", "role": "User"}),
-        content_type="application/json",
-    )
-    assert response.status_code == 201 # User should be created successfully
-    data = response.get_json()
-    assert data["username"] == "testuser"
-
-def test_login(test_client):
-    """User login test"""
-    hashed_pass = generate_password_hash("testpass")
-    user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User")
-    db.session.add(user)
-    db.session.commit()
-
-    response = test_client.post(
-        "/login",
-        data=json.dumps({"username": "testuser", "password": "wrongpass"}),
-        content_type="application/json",
-    )
-    assert response.status_code == 401 # User should not be logged - wrong password
-    response = test_client.post(
-        "/login",
-        data=json.dumps({"username": "testuser", "password": "testpass"}),
-        content_type="application/json",
-    )
-    assert response.status_code == 200 # User should be logged - right password
-
-def test_get_users(test_client):
-    """Get all users test - JWT required"""
-    response = test_client.get("/users")
-    assert response.status_code == 401
-
-def test_get_user_with_token(test_client):
-    """Test to get user data after auth using JWT token"""
-    user = User(username="admin", email="admin@example.com", password="hashed_pass", role="Administrator")
-    print(user.id)
-    db.session.add(user)
-    db.session.commit()
-    
-    access_token = create_access_token(identity=str(user.id))
-    headers = {"Authorization": f"Bearer {access_token}"}
-
-    response = test_client.get(f"/users/{user.id}", headers=headers)
-    assert response.status_code == 200
-    data = response.get_json()
-    assert data["username"] == "admin"

api/utils.py

@@ -2,23 +2,50 @@ from flask import abort
 from flask_jwt_extended import get_jwt_identity
 from models import User, db
 import os
+from sqlalchemy import text
+from sqlalchemy.exc import DatabaseError, InterfaceError
+import time
 from werkzeug.security import generate_password_hash
 
+db_ready = False
 
 def admin_required(user_id, message='Access denied.'):
-    user = User.query.get(user_id)
+    "Check if common user try to make administrative action."
+    user = db.session.get(User, user_id)
     if user is None or user.role != "Administrator":
         abort(403, message)
 
 
 def validate_access(owner_id, message='Access denied.'):
-    # Check if user try to access or edit resource that does not belong to them 
+    "Check if user try to access or edit resource that does not belong to them."
     logged_user_id = int(get_jwt_identity())
-    logged_user_role = User.query.get(logged_user_id).role
+    logged_user_role = db.session.get(User, logged_user_id).role
     if logged_user_role != "Administrator" and logged_user_id != owner_id:
         abort(403, message)
 
 
+def get_user_or_404(user_id):
+    "Get user from database or abort 404"
+    user = db.session.get(User, user_id)
+    if user is None:
+        abort(404, "User not found")
+    return user
+
+
+def wait_for_db(max_retries):
+    "Try to connect with database <max_retries> times."
+    global db_ready
+    for _ in range(max_retries):
+        try:
+            with db.engine.connect() as connection:
+                connection.execute(text("SELECT 1"))
+            db_ready = True
+            return
+        except DatabaseError | InterfaceError:
+            time.sleep(3)
+    raise Exception("Failed to connect to database.")
+
+
 def init_db():
     """Create default admin account if database is empty"""
     with db.session.begin():

api/views.py

@@ -1,7 +1,9 @@
 from flask import Blueprint, jsonify, request, abort
-from flask_jwt_extended import create_access_token, set_access_cookies, jwt_required, verify_jwt_in_request, get_jwt_identity, unset_jwt_cookies
-from models import User, db
-from utils import admin_required, validate_access
+from flask_jwt_extended import create_access_token, set_access_cookies, jwt_required, \
+verify_jwt_in_request, get_jwt_identity, unset_jwt_cookies, get_jwt
+from models import db, RevokedToken, User
+import os
+from utils import admin_required, validate_access, get_user_or_404
 from werkzeug.security import check_password_hash, generate_password_hash
 
 user_bp = Blueprint('user_bp', __name__)
@@ -22,7 +24,7 @@ def get_all_users():
 @jwt_required()
 def get_user(user_id):
     validate_access(user_id) # check if user tries to read other user account details
-    user = User.query.get_or_404(user_id)
+    user = get_user_or_404(user_id)
     return jsonify(user.to_dict())
 
 
@@ -56,7 +58,7 @@ def edit_user(user_id):
         if request_fields != editable_fields:
             abort(400, "Invalid request data structure.")
 
-    user_to_update = User.query.get_or_404(user_id)
+    user_to_update = get_user_or_404(user_id)
     for field_name in editable_fields:
         requested_value = request_data.get(field_name)
         if requested_value is None:
@@ -72,7 +74,7 @@ def edit_user(user_id):
 @jwt_required()
 def remove_user(user_id):
     validate_access(user_id) # Only admin can remove other users accounts
-    user_to_delete = User.query.get_or_404(user_id)
+    user_to_delete = get_user_or_404(user_id)
     db.session.delete(user_to_delete)
     db.session.commit()
     return jsonify({"msg": "User removed successfully."})
@@ -102,6 +104,17 @@ def user_login():
 @user_bp.route('/logout', methods=['GET'])
 @jwt_required()
 def user_logout():
+    jti = get_jwt()["jti"]
+    revoked_token = RevokedToken(jti=jti)
+    db.session.add(revoked_token)
+    db.session.commit()
     response = jsonify({"msg": "User logged out successfully."})
     unset_jwt_cookies(response)
     return response
+
+@user_bp.route('/version', methods=['GET'])
+def version():
+    return jsonify({
+        "version": os.getenv("APP_VERSION", "unknown"),
+        "build_time": os.getenv("BUILD_DATE", "unknown")
+    })

argo-workflows/argo-ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argo-ingress
+  namespace: argo
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: argo.marcin00.pl
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: argo-server
+                port:
+                  number: 2746

argo-workflows/argo-workflow-manager-role.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-workflow-manager
+  namespace: argo-events
+rules:
+  - apiGroups: ["argoproj.io"]
+    resources: ["workflows", "workflowtemplates", "cronworkflows"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-ui-user-read-access
+  namespace: argo-events
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-workflow-manager
+subjects:
+  - kind: ServiceAccount
+    name: argo-ui-user
+    namespace: argo

argo-workflows/deploy-sensor.yaml

@@ -0,0 +1,109 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+  name: webhook-deploy
+  namespace: argo-events
+spec:
+  template:
+    serviceAccountName: operate-workflow-sa
+  dependencies:
+    - name: gitea-push
+      eventSourceName: webhook
+      eventName: user-microservice-deploy
+  triggers:
+    - template:
+        name: deploy-user-microservice
+        k8s:
+          operation: create
+          source:
+            resource:
+              apiVersion: argoproj.io/v1alpha1
+              kind: Workflow
+              metadata:
+                generateName: deploy-user-microservice-
+              spec:
+                entrypoint: main
+                serviceAccountName: operate-workflow-sa
+                volumeClaimTemplates:
+                  - metadata:
+                      name: workspace
+                    spec:
+                      accessModes: ["ReadWriteOnce"]
+                      resources:
+                        requests:
+                          storage: 128Mi
+                templates:
+                  - name: main
+                    steps:
+                      - - name: checkout
+                          template: checkout
+                      - - name: deploy
+                          template: deploy
+
+                  - name: checkout
+                    container:
+                      image: alpine/git
+                      command: [sh, -c]
+                      workingDir: /workspace
+                      env:
+                        - name: REPO_URL
+                          value: https://gitea.marcin00.pl/pikram/user-microservice-deploy.git
+                        - name: REPO_BRANCH
+                          value: argo-deploy
+                      args:
+                        - |
+                          git clone --depth 1 --branch "${REPO_BRANCH}" --single-branch "${REPO_URL}" repo
+                      volumeMounts:
+                        - name: workspace
+                          mountPath: /workspace
+
+                  - name: deploy
+                    container:
+                      image: marcin00.azurecr.io/azure-cli-kubectl:latest
+                      command: [sh, -c]
+                      workingDir: /workspace/repo
+                      env:
+                        - name: CLIENT_ID
+                          value: "c302726f-fafb-4143-94c1-67a70975574a"
+                        - name: CLUSTER_NAME
+                          value: "build"
+                        - name: RESOURCE_GROUP
+                          value: "tst-aks-rg"
+                        - name: DEPLOY_FILES
+                          value: "namespace.yaml secret-store.yaml deploy.yaml ingress.yaml"
+                        - name: DEPLOYMENT
+                          value: "api"
+                        - name: NAMESPACE
+                          value: "user-microservice"
+                        - name: HEALTHCHECK_URL
+                          value: "https://user-microservice.marcin00.pl/health"
+                      args:
+                        - |
+                          echo "===> Logging in to Azure"
+                          az login --identity --client-id $CLIENT_ID
+                          az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --overwrite-existing
+                          kubelogin convert-kubeconfig -l azurecli
+
+                          echo "===> Applying Kubernetes manifests"
+                          for file in $DEPLOY_FILES; do
+                            kubectl apply -f "$file"
+                          done
+
+                          echo "===> Waiting for deployment to complete"
+                          kubectl rollout status deployment/$DEPLOYMENT -n $NAMESPACE --timeout=60s
+
+                          echo "===> Running health check"
+                          for i in $(seq 1 120); do
+                            if curl -sf $HEALTHCHECK_URL; then
+                              echo "Health check OK"
+                              exit 0
+                            else
+                              echo "Health check failed. Retry $i..."
+                              sleep 5
+                            fi
+                          done
+                          echo "Health check failed"
+                          exit 1
+                      volumeMounts:
+                        - name: workspace
+                          mountPath: /workspace

argo-workflows/eventbus-default.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventBus
+metadata:
+  name: default
+  namespace: argo-events
+spec:
+  nats:
+    native:
+      # Optional, defaults to 3.
+      # If it is < 3, set it to 3, that is the minimal requirement.
+      replicas: 3
+      # Optional, authen strategy, "none" or "token", defaults to "none"
+      auth: token

argo-workflows/permissions.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operate-workflow-sa
+  namespace: argo-events
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operate-workflow-role
+  namespace: argo-events
+rules:
+  - apiGroups: [ "argoproj.io" ]
+    resources: [ "workflows" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "argoproj.io" ]
+    resources: [ "workflowtaskresults" ]
+    verbs: [ "create", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "patch" ]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operate-workflow-role-binding
+  namespace: argo-events
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: operate-workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: operate-workflow-sa
+    namespace: argo-events

argo-workflows/secret-store.yaml

@@ -0,0 +1,30 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: azure-keyvault
+  namespace: argo-events
+spec:
+  provider: azure
+  secretObjects:
+    - secretName: gitea-secrets
+      type: Opaque
+      data:
+        - objectName: gitea-known-host
+          key: GITEA_KNOWN_HOST
+        - objectName: gitea-deploy-key
+          key: GITEA_DEPLOY_KEY
+  parameters:
+    usePodIdentity: "false"
+    useVMManagedIdentity: "true"
+    userAssignedIdentityID: "f91aef65-7d2a-4df8-a884-e33b05d54a31" # client_id of the user-assigned managed identity
+    clientID: "f91aef65-7d2a-4df8-a884-e33b05d54a31"               # client_id of the user-assigned managed identity
+    keyvaultName: "dev-aks"
+    objects:  |
+      array:
+        - |
+          objectName: gitea-known-host
+          objectType: secret
+        - |
+          objectName: gitea-deploy-key
+          objectType: secret
+    tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"

argo-workflows/sensor.yaml

@@ -0,0 +1,172 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+  name: webhook-build
+  namespace: argo-events
+spec:
+  template:
+    serviceAccountName: operate-workflow-sa
+  dependencies:
+    - name: gitea-push
+      eventSourceName: webhook
+      eventName: user-microservice
+  triggers:
+    - template:
+        name: trigger-build-workflow
+        k8s:
+          group: argoproj.io
+          version: v1alpha1
+          resource: workflows
+          operation: create
+          source:
+            resource:
+              apiVersion: argoproj.io/v1alpha1
+              kind: Workflow
+              metadata:
+                generateName: build-workflow-
+                namespace: argo-events
+              spec:
+                entrypoint: main
+                serviceAccountName: operate-workflow-sa
+                volumeClaimTemplates:
+                  - metadata:
+                      name: workspace
+                    spec:
+                      accessModes: ["ReadWriteOnce"]
+                      resources:
+                        requests:
+                          storage: 128Mi
+                volumes:
+                  - name: secrets-store
+                    csi:
+                      driver: secrets-store.csi.k8s.io
+                      readOnly: true
+                      volumeAttributes:
+                        secretProviderClass: azure-keyvault
+                templates:
+                  - name: main
+                    steps:
+                      - - name: checkout
+                          template: checkout
+                      - - name: tests
+                          template: tests
+                      - - name: build-and-push-image
+                          template: build-and-push-image
+                          arguments:
+                            parameters:
+                              - name: git-sha
+                                value: "{{steps.checkout.outputs.parameters.git-sha}}"
+                      - - name: gitops-commit
+                          template: gitops-commit
+                          arguments:
+                            parameters:
+                              - name: git-sha
+                                value: "{{steps.checkout.outputs.parameters.git-sha}}"
+                  - name: checkout
+                    container:
+                      image: alpine/git
+                      command: [sh, -c]
+                      workingDir: /workspace
+                      env:
+                        - name: REPO_URL
+                          value: https://gitea.marcin00.pl/pikram/user-microservice.git
+                        - name: REPO_BRANCH
+                          value: argo-workflows
+                      args:
+                        - |
+                          git clone --depth 1 --branch "${REPO_BRANCH}" --single-branch "${REPO_URL}" repo
+                          cd repo
+                          git rev-parse HEAD > /tmp/gitsha.txt
+                      volumeMounts:
+                        - name: workspace
+                          mountPath: /workspace
+                    outputs:
+                      parameters:
+                        - name: git-sha
+                          valueFrom:
+                            path: /tmp/gitsha.txt
+                  - name: tests
+                    script:
+                      image: python:3.11.7-alpine
+                      command: [sh]
+                      workingDir: /workspace/repo/api
+                      source: |
+                        python3 -m venv env
+                        source env/bin/activate
+                        pip install -r requirements.txt pytest
+                        python3 -m pytest --junit-xml=pytest_junit.xml
+                      volumeMounts:
+                        - name: workspace
+                          mountPath: /workspace
+                  - name: build-and-push-image
+                    inputs:
+                      parameters:
+                        - name: git-sha
+                    podSpecPatch: |
+                      runtimeClassName: sysbox-runc
+                    metadata:
+                      annotations:
+                        io.kubernetes.cri-o.userns-mode: "auto:size=65536"
+                    container:
+                      image: marcin00.azurecr.io/azure-cli-docker:slim-bookworm
+                      command: [sh, -c]
+                      workingDir: /workspace/repo
+                      env:
+                        - name: DOCKER_IMAGE
+                          value: marcin00.azurecr.io/user-microservice:{{inputs.parameters.git-sha}}
+                        - name: CLIENT_ID
+                          value: c302726f-fafb-4143-94c1-67a70975574a
+                        - name: ACR_NAME
+                          value: marcin00
+                      args:
+                        - |
+                          dockerd &
+                          docker build -t $DOCKER_IMAGE --build-arg APP_VERSION={{inputs.parameters.git-sha}} --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") .
+                          az login --identity --client-id ${CLIENT_ID}
+                          az acr login --name ${ACR_NAME}
+                          docker push ${DOCKER_IMAGE}
+                      volumeMounts:
+                        - name: workspace
+                          mountPath: /workspace
+                  - name: gitops-commit
+                    inputs:
+                      parameters:
+                        - name: git-sha
+                    container:
+                      image: alpine/git
+                      command: [sh, -c]
+                      env:
+                        - name: DEPLOY_REPO_URL
+                          value: ssh://git@srv22.mikr.us:20343/pikram/user-microservice-deploy.git
+                        - name: DEPLOY_REPO_BRANCH
+                          value: argo-deploy
+                        - name: CI_COMMIT_SHA
+                          value: "{{inputs.parameters.git-sha}}"
+                      args:
+                        - |
+                          mkdir -p ~/.ssh
+                          cp /mnt/secrets/gitea-known-host ~/.ssh/known_hosts
+                          chmod 644 ~/.ssh/known_hosts
+                          cp /mnt/secrets/gitea-deploy-key ~/.ssh/id_ed25519
+                          chmod 600 ~/.ssh/id_ed25519
+                          git config --global user.name "argo[bot]"
+                          git config --global user.email "argo@marcin00.pl"
+                          git clone --depth 1 --branch $DEPLOY_REPO_BRANCH --single-branch $DEPLOY_REPO_URL repo
+                          cd repo
+                          awk -v commit="$CI_COMMIT_SHA" '
+                          $0 ~ /name:[[:space:]]*api/ { in_api_container = 1; print; next }
+                          in_api_container && $0 ~ /^[[:space:]]*image:[[:space:]]*/ {
+                              sub(/:[^:[:space:]]+$/, ":" commit)
+                              in_api_container = 0
+                              print
+                              next
+                          }
+                          { print }
+                          ' deploy.yaml > deploy.tmp && mv deploy.tmp deploy.yaml
+                          git add deploy.yaml
+                          git diff-index --quiet HEAD || git commit -m "Argo: Changed deployed version to $CI_COMMIT_SHA"
+                          git push origin $DEPLOY_REPO_BRANCH
+                      volumeMounts:
+                        - name: secrets-store
+                          mountPath: "/mnt/secrets"
+                          readOnly: true

argo-workflows/source.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+  name: webhook
+  namespace: argo-events
+spec:
+  service:
+    ports:
+    - port: 12000
+      targetPort: 12000
+  webhook:
+    user-microservice:
+      endpoint: /user-microservice
+      method: POST
+      port: "12000"
+    user-microservice-deploy:
+      endpoint: /user-microservice-deploy
+      method: POST
+      port: "12000"      

argo-workflows/webhook-ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argo-ingress
+  namespace: argo-events
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: argo-hook.marcin00.pl
+      http:
+        paths:
+          - path: /user-microservice
+            pathType: Prefix
+            backend:
+              service:
+                name: webhook-eventsource-svc
+                port:
+                  number: 12000
+          - path: /user-microservice-deploy
+            pathType: Prefix
+            backend:
+              service:
+                name: webhook-eventsource-svc
+                port:
+                  number: 12000

argo-workflows/webhook-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-eventsource-svc
+  namespace: argo-events
+spec:
+  type: ClusterIP
+  ports:
+  - name: default
+    port: 12000
+    protocol: TCP
+    targetPort: 12000
+  selector:
+    controller: eventsource-controller
+    eventsource-name: webhook
+    owner-name: webhook

deployment_timer.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# === KONFIGURACJA ===
+APP_URL="https://user-microservice.marcin00.pl/version"
+MARKER_FILE="version_marker.txt"
+OUTPUT_FILE="deployment_times.csv"
+CHECK_INTERVAL=1  # sekundy
+
+# === POBRANIE AKTUALNEJ WERSJI APLIKACJI ===
+echo "[INFO] Pobieranie aktualnej wersji z /version..."
+OLD_VERSION=$(curl -s "$APP_URL" | jq -r '.version')
+
+if [[ -z "$OLD_VERSION" ]]; then
+  echo "[ERROR] Nie udało się pobrać aktualnej wersji aplikacji."
+  exit 1
+fi
+
+echo "[INFO] Aktualna wersja: $OLD_VERSION"
+
+# === Modyfikacja pliku, commit i push ===
+TIMESTAMP=$(date +%s)
+echo "$TIMESTAMP" > "$MARKER_FILE"
+
+git add "$MARKER_FILE"
+git commit -m "Automatyczna zmiana: $TIMESTAMP"
+START_TIME=$(date +%s)
+
+echo "[INFO] Wykonuję git push..."
+git push
+
+if [[ $? -ne 0 ]]; then
+  echo "[ERROR] Push nie powiódł się."
+  exit 1
+fi
+
+echo "[INFO] Oczekiwanie na wdrożenie nowej wersji..."
+
+# === Odpytywanie endpointa /version ===
+WAITED=0
+echo "[WAIT] Oczekiwanie na nową wersję..."
+
+while true; do
+  sleep $CHECK_INTERVAL
+  WAITED=$((WAITED + CHECK_INTERVAL))
+
+  NEW_VERSION=$(curl -s "$APP_URL" | jq -r '.version')
+
+  if [[ "$NEW_VERSION" != "$OLD_VERSION" ]]; then
+    END_TIME=$(date +%s)
+    DURATION=$((END_TIME - START_TIME))
+
+    # Nadpisujemy linię z licznikiem
+    printf "\r[INFO] Nowa wersja wdrożona po %d healtcheck próbach: %s\n" "$WAITED" "$NEW_VERSION"
+    echo "[INFO] Czas wdrożenia: $DURATION sekund"
+
+    echo "$START_TIME,$END_TIME,$DURATION,$OLD_VERSION,$NEW_VERSION" >> "$OUTPUT_FILE"
+    break
+  else
+    # Nadpisujemy TYLKO linię z licznikiem
+    printf "\r[WAIT] Czekam... wykonano %d healtcheck prób" "$WAITED"
+  fi
+done
+
+# Żeby kursor przeszedł do nowej linii po zakończeniu
+echo ""

docker-compose.yml

@@ -7,9 +7,24 @@ services:
     build: .
     env_file:
       - api/.env
+    ports:
+      - 80:80
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 15s
   db:
     container_name: db
     hostname: db
     image: mysql:latest
     env_file:
       - db/.env
+    ports:
+      - 3306:3306
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      interval: 10s
+      timeout: 5s
+      retries: 5

version_marker.txt

@@ -0,0 +1 @@
+1754157020