From 0e3baae415f57ce6064f561fdcfc0d328aeef555 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Sun, 8 Feb 2026 01:33:36 -0600
Subject: [PATCH] feat(ci): Add OpenBao and Orchestrator image builds to
 Woodpecker CI

Add missing Docker image builds for swarm deployment.

Changes:
- Added docker-build-openbao step to .woodpecker.yml
- Added docker-build-orchestrator step to .woodpecker.yml
- Updated docker-compose.swarm.yml to use registry images
  (git.mosaicstack.dev/mosaic/*)
- Added IMAGE_TAG variable support for versioned deployments
- Updated deploy-swarm.sh to support both registry and local images

Image tagging strategy:
- All commits: SHA tag (e.g., 658ec077)
- main branch: latest + SHA
- develop branch: dev + SHA
- git tags: version tag + SHA

Registry images:
- git.mosaicstack.dev/mosaic/postgres
- git.mosaicstack.dev/mosaic/openbao
- git.mosaicstack.dev/mosaic/api
- git.mosaicstack.dev/mosaic/orchestrator
- git.mosaicstack.dev/mosaic/web

Deployment modes:
- IMAGE_TAG=latest (default, use registry latest)
- IMAGE_TAG=dev (use registry dev tag)
- IMAGE_TAG=local (use local builds via build-images.sh)
---
 .env.example             | 12 ++++++++
 .woodpecker.yml          | 60 ++++++++++++++++++++++++++++++++++++
 deploy-swarm.sh          | 66 ++++++++++++++++++++++++++--------------
 docker-compose.swarm.yml | 10 +++---
 4 files changed, 121 insertions(+), 27 deletions(-)

diff --git a/.env.example b/.env.example
index a647c1e..42cbd99 100644
--- a/.env.example
+++ b/.env.example
@@ -158,6 +158,18 @@ SEMANTIC_SEARCH_SIMILARITY_THRESHOLD=0.5
 # ======================
 NODE_ENV=development
 
+# ======================
+# Docker Image Configuration
+# ======================
+# Docker image tag for swarm deployments
+# Options:
+#   - latest: Pull latest stable images from registry (default for production)
+#   - dev: Pull development images from registry
+#   - local: Use locally built images (for development)
+#   - <commit-sha>: Use specific commit SHA tag (e.g., 658ec077)
+#   - <version>: Use specific version tag (e.g., v1.0.0)
+IMAGE_TAG=latest
+
 # ======================
 # Docker Compose Profiles
 # ======================
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 3901163..9bf8663 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -204,3 +204,63 @@ steps:
         event: [push, manual, tag]
     depends_on:
       - build
+
+  # Build and push OpenBao image using Kaniko
+  docker-build-openbao:
+    image: gcr.io/kaniko-project/executor:debug
+    environment:
+      GITEA_USER:
+        from_secret: gitea_username
+      GITEA_TOKEN:
+        from_secret: gitea_token
+      CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
+      CI_COMMIT_TAG: ${CI_COMMIT_TAG}
+      CI_COMMIT_SHA: ${CI_COMMIT_SHA}
+    commands:
+      - *kaniko_setup
+      - |
+        DESTINATIONS="--destination git.mosaicstack.dev/mosaic/openbao:${CI_COMMIT_SHA:0:8}"
+        if [ "$CI_COMMIT_BRANCH" = "main" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaic/openbao:latest"
+        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaic/openbao:dev"
+        fi
+        if [ -n "$CI_COMMIT_TAG" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaic/openbao:$CI_COMMIT_TAG"
+        fi
+        /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile $DESTINATIONS
+    when:
+      - branch: [main, develop]
+        event: [push, manual, tag]
+    depends_on:
+      - build
+
+  # Build and push Orchestrator image using Kaniko
+  docker-build-orchestrator:
+    image: gcr.io/kaniko-project/executor:debug
+    environment:
+      GITEA_USER:
+        from_secret: gitea_username
+      GITEA_TOKEN:
+        from_secret: gitea_token
+      CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
+      CI_COMMIT_TAG: ${CI_COMMIT_TAG}
+      CI_COMMIT_SHA: ${CI_COMMIT_SHA}
+    commands:
+      - *kaniko_setup
+      - |
+        DESTINATIONS="--destination git.mosaicstack.dev/mosaic/orchestrator:${CI_COMMIT_SHA:0:8}"
+        if [ "$CI_COMMIT_BRANCH" = "main" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaic/orchestrator:latest"
+        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaic/orchestrator:dev"
+        fi
+        if [ -n "$CI_COMMIT_TAG" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaic/orchestrator:$CI_COMMIT_TAG"
+        fi
+        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile $DESTINATIONS
+    when:
+      - branch: [main, develop]
+        event: [push, manual, tag]
+    depends_on:
+      - build
diff --git a/deploy-swarm.sh b/deploy-swarm.sh
index 9e4e760..5eb3554 100755
--- a/deploy-swarm.sh
+++ b/deploy-swarm.sh
@@ -6,10 +6,12 @@ set -euo pipefail
 
 STACK_NAME="${1:-mosaic}"
 COMPOSE_FILE="docker-compose.swarm.yml"
+IMAGE_TAG="${IMAGE_TAG:-latest}"
 
 echo "🚀 Deploying Mosaic Stack to Docker Swarm..."
 echo "Stack name: $STACK_NAME"
 echo "Compose file: $COMPOSE_FILE"
+echo "Image tag: $IMAGE_TAG"
 echo ""
 
 # Check if .env exists
@@ -72,38 +74,58 @@ else
     echo "✅ traefik-public network already exists"
 fi
 
-# Check if images exist, offer to build if not
+# Check if using registry images or local images
 echo ""
-echo "🔍 Checking if images are built..."
-IMAGES_MISSING=0
-for img in mosaic-stack-postgres mosaic-stack-openbao mosaic-stack-api mosaic-stack-orchestrator mosaic-stack-web; do
-    if ! docker images --format "{{.Repository}}" | grep -q "^${img}$"; then
-        echo "   ⚠️  Missing: $img"
-        IMAGES_MISSING=1
-    fi
-done
+REGISTRY="git.mosaicstack.dev"
+USE_REGISTRY=true
 
-if [ $IMAGES_MISSING -eq 1 ]; then
-    echo ""
-    echo "❌ Some images are missing. Build them first:"
-    echo "   ./build-images.sh"
-    echo ""
-    read -p "Build images now? [Y/n]: " BUILD_NOW
-    BUILD_NOW=${BUILD_NOW:-Y}
-    if [[ $BUILD_NOW =~ ^[Yy]$ ]]; then
-        ./build-images.sh || exit 1
+# If IMAGE_TAG is set to "local", use local images
+if [ "$IMAGE_TAG" = "local" ]; then
+    USE_REGISTRY=false
+    echo "🔍 Using local images (IMAGE_TAG=local)"
+    IMAGES_MISSING=0
+    for img in mosaic-stack-postgres mosaic-stack-openbao mosaic-stack-api mosaic-stack-orchestrator mosaic-stack-web; do
+        if ! docker images --format "{{.Repository}}" | grep -q "^${img}$"; then
+            echo "   ⚠️  Missing: $img"
+            IMAGES_MISSING=1
+        fi
+    done
+
+    if [ $IMAGES_MISSING -eq 1 ]; then
+        echo ""
+        echo "❌ Some local images are missing. Build them first:"
+        echo "   ./build-images.sh"
+        echo ""
+        read -p "Build images now? [Y/n]: " BUILD_NOW
+        BUILD_NOW=${BUILD_NOW:-Y}
+        if [[ $BUILD_NOW =~ ^[Yy]$ ]]; then
+            ./build-images.sh || exit 1
+        else
+            echo "Aborting deployment. Build images first."
+            exit 1
+        fi
     else
-        echo "Aborting deployment. Build images first."
-        exit 1
+        echo "✅ All local images are built"
     fi
 else
-    echo "✅ All images are built"
+    echo "🔍 Using registry images from $REGISTRY"
+    echo "   Tag: $IMAGE_TAG"
+    echo ""
+    echo "   Images will be pulled from:"
+    echo "   - $REGISTRY/mosaic/postgres:$IMAGE_TAG"
+    echo "   - $REGISTRY/mosaic/openbao:$IMAGE_TAG"
+    echo "   - $REGISTRY/mosaic/api:$IMAGE_TAG"
+    echo "   - $REGISTRY/mosaic/orchestrator:$IMAGE_TAG"
+    echo "   - $REGISTRY/mosaic/web:$IMAGE_TAG"
+    echo ""
+    echo "   Note: Ensure you're logged in to the registry:"
+    echo "   docker login $REGISTRY"
 fi
 
 # Deploy the stack
 echo ""
 echo "📦 Deploying stack..."
-docker stack deploy -c $COMPOSE_FILE --with-registry-auth $STACK_NAME
+IMAGE_TAG=$IMAGE_TAG docker stack deploy -c $COMPOSE_FILE --with-registry-auth $STACK_NAME
 
 echo ""
 echo "✅ Stack deployed successfully!"
diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml
index 0584043..56e9e87 100644
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
@@ -3,7 +3,7 @@ services:
   # PostgreSQL Database
   # ======================
   postgres:
-    image: mosaic-stack-postgres:latest
+    image: git.mosaicstack.dev/mosaic/postgres:${IMAGE_TAG:-latest}
     env_file: .env
     environment:
       POSTGRES_USER: ${POSTGRES_USER:-mosaic}
@@ -56,7 +56,7 @@ services:
   # OpenBao Secrets Vault
   # ======================
   openbao:
-    image: mosaic-stack-openbao:latest
+    image: git.mosaicstack.dev/mosaic/openbao:${IMAGE_TAG:-latest}
     env_file: .env
     environment:
       OPENBAO_ADDR: ${OPENBAO_ADDR:-http://0.0.0.0:8200}
@@ -225,7 +225,7 @@ services:
   # Mosaic API
   # ======================
   api:
-    image: mosaic-stack-api:latest
+    image: git.mosaicstack.dev/mosaic/api:${IMAGE_TAG:-latest}
     env_file: .env
     environment:
       NODE_ENV: production
@@ -268,7 +268,7 @@ services:
   # Mosaic Orchestrator
   # ======================
   orchestrator:
-    image: mosaic-stack-orchestrator:latest
+    image: git.mosaicstack.dev/mosaic/orchestrator:${IMAGE_TAG:-latest}
     env_file: .env
     user: "1000:1000"
     environment:
@@ -309,7 +309,7 @@ services:
   # Mosaic Web
   # ======================
   web:
-    image: mosaic-stack-web:latest
+    image: git.mosaicstack.dev/mosaic/web:${IMAGE_TAG:-latest}
     env_file: .env
     environment:
       NODE_ENV: production