Post-Tyranny-Tech-Infrastru.../scripts/collect-client-versions.sh

#!/usr/bin/env bash
#
# Collect deployed software versions from a client and update registry
#
# Usage: ./scripts/collect-client-versions.sh <client_name>
#
# Queries the deployed server for actual running versions:
# - Docker container image versions
# - Ubuntu OS version
# - Updates the client registry with collected versions

set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"

# Check arguments
if [ $# -ne 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name>"
    echo ""
    echo "Example: $0 dev"
    exit 1
fi

CLIENT_NAME="$1"

# Check if yq is available
if ! command -v yq &> /dev/null; then
    echo -e "${RED}Error: 'yq' not found. Install with: brew install yq${NC}"
    exit 1
fi

# Load Hetzner API token from SOPS if not already set
if [ -z "${HCLOUD_TOKEN:-}" ]; then
    # shellcheck source=scripts/load-secrets-env.sh
    source "$SCRIPT_DIR/load-secrets-env.sh" > /dev/null 2>&1
fi

# Check if registry exists
if [ ! -f "$REGISTRY_FILE" ]; then
    echo -e "${RED}Error: Registry file not found: $REGISTRY_FILE${NC}"
    exit 1
fi

# Check if client exists in registry
if yq eval ".clients.\"$CLIENT_NAME\"" "$REGISTRY_FILE" | grep -q "null"; then
    echo -e "${RED}Error: Client '$CLIENT_NAME' not found in registry${NC}"
    exit 1
fi

echo -e "${BLUE}Collecting versions for client: $CLIENT_NAME${NC}"
echo ""

cd "$PROJECT_ROOT/ansible"

# Check if server is reachable
if ! timeout 10 ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m ping -o &>/dev/null; then
    echo -e "${RED}Error: Cannot reach server for client '$CLIENT_NAME'${NC}"
    echo "Server may not be deployed or network is unreachable"
    exit 1
fi

echo -e "${YELLOW}Querying deployed versions...${NC}"
echo ""

# Query Docker container versions
echo "Collecting Docker container versions..."

# Function to extract version from image tag
extract_version() {
    local image=$1
    # Extract version after the colon, or return "latest"
    if [[ $image == *":"* ]]; then
        echo "$image" | awk -F: '{print $2}'
    else
        echo "latest"
    fi
}

# Collect Authentik version
AUTHENTIK_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect authentik-server 2>/dev/null | jq -r '.[0].Config.Image' 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')
AUTHENTIK_VERSION=$(extract_version "$AUTHENTIK_IMAGE")

# Collect Nextcloud version
NEXTCLOUD_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect nextcloud 2>/dev/null | jq -r '.[0].Config.Image' 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')
NEXTCLOUD_VERSION=$(extract_version "$NEXTCLOUD_IMAGE")

# Collect Traefik version
TRAEFIK_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect traefik 2>/dev/null | jq -r '.[0].Config.Image' 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')
TRAEFIK_VERSION=$(extract_version "$TRAEFIK_IMAGE")

# Collect Ubuntu version
UBUNTU_VERSION=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "lsb_release -rs 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')

echo -e "${GREEN}✓ Versions collected${NC}"
echo ""

# Display collected versions
echo "Collected versions:"
echo "  Authentik:  $AUTHENTIK_VERSION"
echo "  Nextcloud:  $NEXTCLOUD_VERSION"
echo "  Traefik:    $TRAEFIK_VERSION"
echo "  Ubuntu:     $UBUNTU_VERSION"
echo ""

# Update registry
echo -e "${YELLOW}Updating registry...${NC}"

# Update versions in registry
yq eval -i ".clients.\"$CLIENT_NAME\".versions.authentik = \"$AUTHENTIK_VERSION\"" "$REGISTRY_FILE"
yq eval -i ".clients.\"$CLIENT_NAME\".versions.nextcloud = \"$NEXTCLOUD_VERSION\"" "$REGISTRY_FILE"
yq eval -i ".clients.\"$CLIENT_NAME\".versions.traefik = \"$TRAEFIK_VERSION\"" "$REGISTRY_FILE"
yq eval -i ".clients.\"$CLIENT_NAME\".versions.ubuntu = \"$UBUNTU_VERSION\"" "$REGISTRY_FILE"

echo -e "${GREEN}✓ Registry updated${NC}"
echo ""
echo "Updated: $REGISTRY_FILE"
echo ""
echo "To view registry:"
echo "  ./scripts/client-status.sh $CLIENT_NAME"
feat: Add version tracking and maintenance monitoring (issue #15) Complete implementation of automatic version tracking and drift detection: New Scripts: - scripts/collect-client-versions.sh: Query deployed versions from Docker - Connects via Ansible to running servers - Extracts versions from container images - Updates registry automatically - scripts/check-client-versions.sh: Compare versions across clients - Multiple formats: table (colorized), CSV, JSON - Filter by outdated versions - Highlights drift with color coding - scripts/detect-version-drift.sh: Identify version differences - Detects clients with outdated versions - Threshold-based staleness detection (default 30 days) - Actionable recommendations - Exit code 1 if drift detected (CI/monitoring friendly) Updated Scripts: - scripts/deploy-client.sh: Auto-collect versions after deployment - scripts/rebuild-client.sh: Auto-collect versions after rebuild Documentation: - docs/maintenance-tracking.md: Complete maintenance guide - Version management workflows - Security update procedures - Monitoring integration examples - Troubleshooting guide Features: ✅ Automatic version collection from deployed servers ✅ Multi-client version comparison reports ✅ Version drift detection with recommendations ✅ Integration with deployment workflows ✅ Export to CSV/JSON for external tools ✅ Canary-first update workflow support Usage Examples: ```bash # Collect versions ./scripts/collect-client-versions.sh dev # Compare all clients ./scripts/check-client-versions.sh # Detect drift ./scripts/detect-version-drift.sh # Export for monitoring ./scripts/check-client-versions.sh --format=json ``` Closes #15 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 20:53:15 +01:00			`#!/usr/bin/env bash`
			`#`
			`# Collect deployed software versions from a client and update registry`
			`#`
			`# Usage: ./scripts/collect-client-versions.sh <client_name>`
			`#`
			`# Queries the deployed server for actual running versions:`
			`# - Docker container image versions`
			`# - Ubuntu OS version`
			`# - Updates the client registry with collected versions`

			`set -euo pipefail`

			`# Colors for output`
			`RED='\033[0;31m'`
			`GREEN='\033[0;32m'`
			`YELLOW='\033[1;33m'`
			`BLUE='\033[0;34m'`
			`NC='\033[0m' # No Color`

			`# Script directory`
			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"`
			`REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"`

			`# Check arguments`
			`if [ $# -ne 1 ]; then`
			`echo -e "${RED}Error: Client name required${NC}"`
			`echo "Usage: $0 <client_name>"`
			`echo ""`
			`echo "Example: $0 dev"`
			`exit 1`
			`fi`

			`CLIENT_NAME="$1"`

			`# Check if yq is available`
			`if ! command -v yq &> /dev/null; then`
			`echo -e "${RED}Error: 'yq' not found. Install with: brew install yq${NC}"`
			`exit 1`
			`fi`

feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-18 18:17:15 +01:00			`# Load Hetzner API token from SOPS if not already set`
feat: Add version tracking and maintenance monitoring (issue #15) Complete implementation of automatic version tracking and drift detection: New Scripts: - scripts/collect-client-versions.sh: Query deployed versions from Docker - Connects via Ansible to running servers - Extracts versions from container images - Updates registry automatically - scripts/check-client-versions.sh: Compare versions across clients - Multiple formats: table (colorized), CSV, JSON - Filter by outdated versions - Highlights drift with color coding - scripts/detect-version-drift.sh: Identify version differences - Detects clients with outdated versions - Threshold-based staleness detection (default 30 days) - Actionable recommendations - Exit code 1 if drift detected (CI/monitoring friendly) Updated Scripts: - scripts/deploy-client.sh: Auto-collect versions after deployment - scripts/rebuild-client.sh: Auto-collect versions after rebuild Documentation: - docs/maintenance-tracking.md: Complete maintenance guide - Version management workflows - Security update procedures - Monitoring integration examples - Troubleshooting guide Features: ✅ Automatic version collection from deployed servers ✅ Multi-client version comparison reports ✅ Version drift detection with recommendations ✅ Integration with deployment workflows ✅ Export to CSV/JSON for external tools ✅ Canary-first update workflow support Usage Examples: ```bash # Collect versions ./scripts/collect-client-versions.sh dev # Compare all clients ./scripts/check-client-versions.sh # Detect drift ./scripts/detect-version-drift.sh # Export for monitoring ./scripts/check-client-versions.sh --format=json ``` Closes #15 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 20:53:15 +01:00			`if [ -z "${HCLOUD_TOKEN:-}" ]; then`
feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-18 18:17:15 +01:00			`# shellcheck source=scripts/load-secrets-env.sh`
			`source "$SCRIPT_DIR/load-secrets-env.sh" > /dev/null 2>&1`
feat: Add version tracking and maintenance monitoring (issue #15) Complete implementation of automatic version tracking and drift detection: New Scripts: - scripts/collect-client-versions.sh: Query deployed versions from Docker - Connects via Ansible to running servers - Extracts versions from container images - Updates registry automatically - scripts/check-client-versions.sh: Compare versions across clients - Multiple formats: table (colorized), CSV, JSON - Filter by outdated versions - Highlights drift with color coding - scripts/detect-version-drift.sh: Identify version differences - Detects clients with outdated versions - Threshold-based staleness detection (default 30 days) - Actionable recommendations - Exit code 1 if drift detected (CI/monitoring friendly) Updated Scripts: - scripts/deploy-client.sh: Auto-collect versions after deployment - scripts/rebuild-client.sh: Auto-collect versions after rebuild Documentation: - docs/maintenance-tracking.md: Complete maintenance guide - Version management workflows - Security update procedures - Monitoring integration examples - Troubleshooting guide Features: ✅ Automatic version collection from deployed servers ✅ Multi-client version comparison reports ✅ Version drift detection with recommendations ✅ Integration with deployment workflows ✅ Export to CSV/JSON for external tools ✅ Canary-first update workflow support Usage Examples: ```bash # Collect versions ./scripts/collect-client-versions.sh dev # Compare all clients ./scripts/check-client-versions.sh # Detect drift ./scripts/detect-version-drift.sh # Export for monitoring ./scripts/check-client-versions.sh --format=json ``` Closes #15 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 20:53:15 +01:00			`fi`

			`# Check if registry exists`
			`if [ ! -f "$REGISTRY_FILE" ]; then`
			`echo -e "${RED}Error: Registry file not found: $REGISTRY_FILE${NC}"`
			`exit 1`
			`fi`

			`# Check if client exists in registry`
			`if yq eval ".clients.\"$CLIENT_NAME\"" "$REGISTRY_FILE" \| grep -q "null"; then`
			`echo -e "${RED}Error: Client '$CLIENT_NAME' not found in registry${NC}"`
			`exit 1`
			`fi`

			`echo -e "${BLUE}Collecting versions for client: $CLIENT_NAME${NC}"`
			`echo ""`

			`cd "$PROJECT_ROOT/ansible"`

			`# Check if server is reachable`
			`if ! timeout 10 ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m ping -o &>/dev/null; then`
			`echo -e "${RED}Error: Cannot reach server for client '$CLIENT_NAME'${NC}"`
			`echo "Server may not be deployed or network is unreachable"`
			`exit 1`
			`fi`

			`echo -e "${YELLOW}Querying deployed versions...${NC}"`
			`echo ""`

			`# Query Docker container versions`
			`echo "Collecting Docker container versions..."`

			`# Function to extract version from image tag`
			`extract_version() {`
			`local image=$1`
			`# Extract version after the colon, or return "latest"`
			`if [[ $image == ":" ]]; then`
			`echo "$image" \| awk -F: '{print $2}'`
			`else`
			`echo "latest"`
			`fi`
			`}`

			`# Collect Authentik version`
			`AUTHENTIK_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect authentik-server 2>/dev/null \| jq -r '.[0].Config.Image' 2>/dev/null \|\| echo 'unknown'" -o 2>/dev/null \| tail -1 \| awk '{print $NF}')`
			`AUTHENTIK_VERSION=$(extract_version "$AUTHENTIK_IMAGE")`

			`# Collect Nextcloud version`
			`NEXTCLOUD_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect nextcloud 2>/dev/null \| jq -r '.[0].Config.Image' 2>/dev/null \|\| echo 'unknown'" -o 2>/dev/null \| tail -1 \| awk '{print $NF}')`
			`NEXTCLOUD_VERSION=$(extract_version "$NEXTCLOUD_IMAGE")`

			`# Collect Traefik version`
			`TRAEFIK_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect traefik 2>/dev/null \| jq -r '.[0].Config.Image' 2>/dev/null \|\| echo 'unknown'" -o 2>/dev/null \| tail -1 \| awk '{print $NF}')`
			`TRAEFIK_VERSION=$(extract_version "$TRAEFIK_IMAGE")`

			`# Collect Ubuntu version`
			`UBUNTU_VERSION=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "lsb_release -rs 2>/dev/null \|\| echo 'unknown'" -o 2>/dev/null \| tail -1 \| awk '{print $NF}')`

			`echo -e "${GREEN}✓ Versions collected${NC}"`
			`echo ""`

			`# Display collected versions`
			`echo "Collected versions:"`
			`echo " Authentik: $AUTHENTIK_VERSION"`
			`echo " Nextcloud: $NEXTCLOUD_VERSION"`
			`echo " Traefik: $TRAEFIK_VERSION"`
			`echo " Ubuntu: $UBUNTU_VERSION"`
			`echo ""`

			`# Update registry`
			`echo -e "${YELLOW}Updating registry...${NC}"`

			`# Update versions in registry`
			`yq eval -i ".clients.\"$CLIENT_NAME\".versions.authentik = \"$AUTHENTIK_VERSION\"" "$REGISTRY_FILE"`
			`yq eval -i ".clients.\"$CLIENT_NAME\".versions.nextcloud = \"$NEXTCLOUD_VERSION\"" "$REGISTRY_FILE"`
			`yq eval -i ".clients.\"$CLIENT_NAME\".versions.traefik = \"$TRAEFIK_VERSION\"" "$REGISTRY_FILE"`
			`yq eval -i ".clients.\"$CLIENT_NAME\".versions.ubuntu = \"$UBUNTU_VERSION\"" "$REGISTRY_FILE"`

			`echo -e "${GREEN}✓ Registry updated${NC}"`
			`echo ""`
			`echo "Updated: $REGISTRY_FILE"`
			`echo ""`
			`echo "To view registry:"`
			`echo " ./scripts/client-status.sh $CLIENT_NAME"`