test pas sur du tout

.gitea/workflows/docker-build.yaml

@@ -1,82 +0,0 @@
-name: Docker Build and Push
-
-on:
-  pull_request:
-    branches: [master]
-  push:
-    branches: [master]
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-
-      - name: Hadolint
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5  # v3.3.0
-        with:
-          dockerfile: Dockerfile
-
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-
-      - name: Build image
-        run: docker build -t ci-image:${{ github.sha }} .
-
-      - name: Save image
-        run: docker save -o image.tar ci-image:${{ github.sha }}
-
-      - name: Upload artifact
-        uses: https://github.com/ChristopherHX/gitea-upload-artifact@62ac910c5d3dfa85c7cb2df15afe2e342b2407c2  # main
-        with:
-          name: docker-image
-          path: image.tar
-          retention-days: 1
-
-  test:
-    runs-on: ubuntu-latest
-    needs: [lint, build]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-
-      - name: Download artifact
-        uses: https://github.com/ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7  # main
-        with:
-          name: docker-image
-
-      - name: Load image
-        run: docker load < image.tar
-
-      - name: Run tests
-        run: bash tests/test.sh ci-image:${{ github.sha }}
-
-  push:
-    runs-on: ubuntu-latest
-    needs: test
-    if: github.event_name != 'pull_request'
-    steps:
-      - name: Download artifact
-        uses: https://github.com/ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7  # main
-        with:
-          name: docker-image
-
-      - name: Load image
-        run: docker load < image.tar
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Tag and push
-        run: |
-          docker tag ci-image:${{ github.sha }} jcabillot/ip:latest
-          docker push jcabillot/ip:latest

AGENTS.md

@@ -1,30 +0,0 @@
-# AGENTS.md
-
-## 1. Overview
-
-Lightweight PHP micro-service that returns the client's public IP address as JSON. Containerized with Docker and deployed on Kubernetes.
-
-## 2. Folder Structure
-
-- `root/`: Application source code served by Apache.
-    - `index.php`: Single endpoint returning `REMOTE_ADDR` as JSON.
-- `.gitea/workflows/`: Gitea Actions CI pipelines.
-    - `docker-build.yaml`: Build and push Docker image to Docker Hub on push/PR to master + daily cron.
-- `Dockerfile`: Multi-stage build extending `jcabillot/phpapache` base image, copies `root/` into `/var/www/html`.
-- `.gitlab-ci.yml`: Legacy GitLab CI config (deprecated, replaced by Gitea Actions).
-- `Jenkinsfile`: Legacy Jenkins pipeline (deprecated, replaced by Gitea Actions).
-
-## 3. Core Behaviors & Patterns
-
-- **Request/Response Flow**: Single PHP endpoint sets `Content-Type: application/json` header and returns `$_SERVER['REMOTE_ADDR']` encoded as JSON string. No routing, no framework, no state.
-- **Container Base Image Pattern**: `Dockerfile` uses `ARG VERSION="latest"` to allow version pinning at build time, extends `jcabillot/phpapache` which provides PHP + Apache pre-configured. Application code is layered on top via `COPY root /var/www/html`.
-- **Traefik IngressRoute with HTTPS Redirect**: Two IngressRoute resources handle traffic — `ip-websecure` serves HTTPS on the `websecure` entrypoint, `ip-web` catches HTTP on `web` entrypoint and applies a `redirectScheme` middleware for permanent HTTPS redirect. The Service reference in the HTTP IngressRoute is required by Traefik even though the middleware intercepts before reaching it.
-- **Health Probes**: Deployment defines both `livenessProbe` and `readinessProbe` using `httpGet` on `/` at the named `http` port (8080). Kubernetes uses these to restart unhealthy pods and exclude unready pods from the Service endpoints.
-- **Security Hardening**: Pod spec sets `automountServiceAccountToken: false` to prevent unnecessary Kubernetes API access from the container.
-
-## 4. Conventions
-
-- **Kubernetes Labels**: Pods use `app: "front"` for Service selector matching and `owner: "jcabillot"` for resource attribution. Deployment-level labels use `app: "front"`.
-- **Named Ports**: Container port is named `http` (8080) and referenced by name in probes and Service targetPort, avoiding hardcoded port numbers.
-- **Docker Image Tagging**: CI uses `docker/metadata-action` to generate tags — `latest` for master branch pushes, branch/PR/SHA tags for other events. Push is skipped on pull requests.
-- **CI Secrets**: Docker Hub credentials are stored as Gitea Actions secrets (`DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN`), never hardcoded.

Jenkinsfile

@@ -2,10 +2,16 @@ pipeline {
   environment {
     registry = 'https://registry.hub.docker.com'
     registryCredential = 'dockerhub_jcabillot'
-    dockerImage = 'jcabillot/ip'
+    dockerImage = 'jcabillot/ip:arm64'
   }
 
-  agent any
+  //agent any
+  agent {
+    kubernetes {
+      defaultContainer 'docker' // All `steps` instructions will be executed by this container
+      yamlFile 'Jenkinsfile-pod-template.yml'
+    }
+  }
 
   triggers {
     cron('@midnight')
@@ -14,13 +20,15 @@ pipeline {
   stages {
     stage('Clone repository') {
       steps{
+        container('jnlp') {
           checkout scm
         }
       }
+    }
 
     stage('Build image') {
       steps{
-        sh 'docker build --force-rm=true --no-cache=true --pull -t ${dockerImage} .'
+        sh 'docker build --build-arg VERSION=arm64 --force-rm=true --no-cache=true --pull -t ${dockerImage} .'
       }
     }
 

Jenkinsfile-pod-template.yml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    jenkins: 'true'
+spec:
+  containers:
+  - name: jnlp
+    image: 'jcabillot/docker-inbound-agent-arm64'
+  - name: docker
+    image: docker:20.10-dind
+    securityContext:
+      privileged: true
+    #volumeMounts:
+    #- mountPath: '/var/run/docker.sock'
+    #  name: docker-socket
+  #volumes:
+  #- name: docker-socket
+  #  hostPath:
+  #    path: '/var/run/docker.sock'
+  securityContext:
+    runAsUser: 0

kustomize/depl.yml

@@ -1,35 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "ip"
-  labels:
-    app: "front"
-spec:
-  template:
-    metadata:
-      name: "front-apache"
-      labels:
-        owner: "jcabillot"
-        app: "front"
-    spec:
-      automountServiceAccountToken: false
-      containers:
-        - name:  "front-apache"
-          image: "jcabillot/ip"
-          ports:
-            - name: "http"
-              containerPort: 8080
-              protocol: "TCP"
-          livenessProbe:
-            httpGet:
-              path: "/"
-              port: "http"
-          readinessProbe:
-            httpGet:
-              path: "/"
-              port: "http"
-
-  replicas: 1
-  selector:
-    matchLabels:
-      app: "front"

kustomize/ingress.yml

@@ -1,25 +0,0 @@
----
-#apiVersion: networking.k8s.io/v1
-#kind: Ingress
-#metadata:
-#  name: "ip"
-#  annotations:
-#    kubernetes.io/ingress.class: "traefik"
-#    traefik.ingress.kubernetes.io/router.entrypoints: "web,websecure"
-#    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-#spec:
-#  tls:
-#    - hosts:
-#        - "ip.opti.cabillot.eu"
-#      secretName: "ipcabilloteu-tls"
-#  rules:
-#  - host: "ip.opti.cabillot.eu"
-#    http:
-#      paths:
-#      - path: "/"
-#        pathType: "Prefix"
-#        backend:
-#          service:
-#            name: "ip"
-#            port:
-#              name: "http"

kustomize/ingressroute.yml

@@ -1,50 +0,0 @@
----
-# TODO: Named port for service
-# but currently unsupported on my k3s cluster https://github.com/traefik/traefik/pull/7668
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: "ip-websecure"
-spec:
-  entryPoints:
-    - "websecure"
-  routes:
-  - kind: Rule
-    match: Host(`ip.opti.cabillot.eu`)
-    middlewares: []
-    priority: 10
-    services:
-    - kind: Service
-      name: "ip"
-      port: 80
-  tls:
-    secretName: "ipcabilloteu-tls"
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: "ip-web"
-spec:
-  entryPoints:
-    - "web"
-  routes:
-  - match: Host(`ip.opti.cabillot.eu`)
-    kind: Rule
-    priority: 10
-    services:
-    # in this IngressRoute the service will be never called
-    # because of the redirect middleware BUT DO NOT REMOVE !
-    - kind: Service
-      name: "ip"
-      port: 80
-    middlewares:
-    - name: "httpsredirect"
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: "httpsredirect"
-spec:
-  redirectScheme:
-    scheme: https
-    permanent: true

kustomize/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- depl.yml
-- ingress.yml
-- ingressroute.yml
-- svc.yml

kustomize/svc.yml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: 'ip'
-spec:
-  type: "ClusterIP"
-  ports:
-    - name: "http"
-      port: 80
-      protocol: "TCP"
-      targetPort: "http"
-  selector:
-    app: "front"

renovate.json

@@ -1,17 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "customManagers": [
-    {
-      "customType": "regex",
-      "description": "Detect ARG VERSION pin for jcabillot/phpapache base image",
-      "managerFilePatterns": [
-        "/^Dockerfile$/"
-      ],
-      "matchStrings": [
-        "ARG\\s+VERSION=\"(?<currentValue>[^\"]+)\""
-      ],
-      "depNameTemplate": "jcabillot/phpapache",
-      "datasourceTemplate": "docker"
-    }
-  ]
-}

tests/test.sh

@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-IMAGE="${1:?Usage: test.sh <image>}"
-CONTAINER_NAME="test-$(echo "$IMAGE" | tr ':/' '-')-$$"
-PASSED=0
-FAILED=0
-TOTAL=0
-
-cleanup() {
-  docker rm -f "$CONTAINER_NAME" >/dev/null 2>&1 || true
-}
-trap cleanup EXIT
-
-assert() {
-  local name="$1" expected="$2" actual="$3"
-  TOTAL=$((TOTAL + 1))
-  if [ "$expected" = "$actual" ]; then
-    echo "  PASS: $name"
-    PASSED=$((PASSED + 1))
-  else
-    echo "  FAIL: $name (expected: '$expected', got: '$actual')"
-    FAILED=$((FAILED + 1))
-  fi
-}
-
-assert_match() {
-  local name="$1" pattern="$2" actual="$3"
-  TOTAL=$((TOTAL + 1))
-  if echo "$actual" | grep -qE "$pattern"; then
-    echo "  PASS: $name"
-    PASSED=$((PASSED + 1))
-  else
-    echo "  FAIL: $name (pattern: '$pattern', got: '$actual')"
-    FAILED=$((FAILED + 1))
-  fi
-}
-
-echo "Running container: $IMAGE"
-docker run -d --name "$CONTAINER_NAME" -p 8080:8080 "$IMAGE" >/dev/null
-
-DOCKER_GW=$(docker network inspect bridge --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}')
-BASE_URL="http://${DOCKER_GW}:8080"
-
-echo "Waiting for container on ${DOCKER_GW}:8080..."
-for i in $(seq 1 30); do
-  if curl -sf "$BASE_URL/" >/dev/null 2>&1; then
-    echo "Container ready after ${i}s"
-    break
-  fi
-  if [ "$i" -eq 30 ]; then
-    echo "FAIL: Container did not become ready within 30s"
-    docker logs "$CONTAINER_NAME"
-    exit 1
-  fi
-  sleep 1
-done
-
-echo ""
-echo "Test: GET /"
-RESPONSE=$(curl -sf -D - "$BASE_URL/")
-STATUS=$(echo "$RESPONSE" | head -1 | grep -oP '\d{3}')
-CONTENT_TYPE=$(echo "$RESPONSE" | grep -i 'content-type' | tr -d '\r' | cut -d: -f2- | xargs)
-BODY=$(echo "$RESPONSE" | tail -1)
-
-assert "HTTP status is 200" "200" "$STATUS"
-assert_match "Content-Type is application/json" "application/json" "$CONTENT_TYPE"
-assert_match "Body contains valid IP" '^(\"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\"|\"[0-9a-fA-F:]+\")$' "$BODY"
-
-echo ""
-echo "Results: $PASSED/$TOTAL passed, $FAILED failed"
-[ "$FAILED" -eq 0 ]