pipeline rewrite v3
This commit is contained in:
parent
29345fc292
commit
16b458a249
192
.woodpecker.yml
192
.woodpecker.yml
@ -1,87 +1,129 @@
|
|||||||
---
|
---
|
||||||
kind: pipeline
|
kind: pipeline
|
||||||
type: docker
|
type: docker
|
||||||
name: staging
|
name: ssh-test
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: fetch-img-tag
|
|
||||||
image: google/cloud-sdk:latest
|
|
||||||
when:
|
|
||||||
event: [push, manual]
|
|
||||||
branch: [master]
|
|
||||||
commands:
|
|
||||||
- set -euo pipefail
|
|
||||||
- echo -n $(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev) > .img_tag
|
|
||||||
- gcloud auth print-access-token > .gcp_token
|
|
||||||
- echo "Wrote .img_tag and .gcp_token"
|
|
||||||
|
|
||||||
- name: security-scan
|
- name: security-scan
|
||||||
image: aquasec/trivy:0.52
|
image: google/cloud-sdk:latest
|
||||||
depends_on: [fetch-img-tag]
|
entrypoint:
|
||||||
environment:
|
- bash
|
||||||
REG: us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
|
- -c
|
||||||
commands:
|
- |
|
||||||
- set -euo pipefail
|
set -euo pipefail
|
||||||
- IMG_TAG=$(cat .img_tag)
|
# Get the image tag from the same secret you already use
|
||||||
- export TRIVY_USERNAME=oauth2accesstoken
|
IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)
|
||||||
- export TRIVY_PASSWORD=$(cat .gcp_token)
|
REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
|
||||||
- trivy image --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG
|
|
||||||
- trivy image --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG
|
# Install Trivy (keeps your flow, no extra images)
|
||||||
- trivy image --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG
|
apt-get update -qq
|
||||||
- trivy image --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG
|
apt-get install -y -qq gnupg apt-transport-https curl
|
||||||
- echo "✅ Security scan passed for all images"
|
curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key \
|
||||||
|
| gpg --dearmor -o /usr/share/keyrings/trivy.gpg
|
||||||
|
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb stable main" \
|
||||||
|
> /etc/apt/sources.list.d/trivy.list
|
||||||
|
apt-get update -qq && apt-get install -y -qq trivy
|
||||||
|
|
||||||
|
# Auth to Artifact Registry so Trivy can pull manifests
|
||||||
|
gcloud auth configure-docker us-central1-docker.pkg.dev -q
|
||||||
|
|
||||||
|
trivy image --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG
|
||||||
|
trivy image --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG
|
||||||
|
trivy image --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG
|
||||||
|
trivy image --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG
|
||||||
|
|
||||||
- name: staging-deploy
|
- name: staging-deploy
|
||||||
image: google/cloud-sdk:latest
|
image: google/cloud-sdk:latest
|
||||||
depends_on: [security-scan]
|
entrypoint:
|
||||||
|
- bash
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
mkdir -p ~/.ssh
|
||||||
|
|
||||||
|
# ── Inject known-hosts and SSH key ───────────────────────────────
|
||||||
|
gcloud secrets versions access latest \
|
||||||
|
--secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
|
||||||
|
| base64 -d > ~/.ssh/known_hosts
|
||||||
|
chmod 644 ~/.ssh/known_hosts
|
||||||
|
|
||||||
|
gcloud secrets versions access latest \
|
||||||
|
--secret=STAGING_SSH_KEY --project=aptivaai-dev \
|
||||||
|
| base64 -d > ~/.ssh/id_ed25519
|
||||||
|
chmod 600 ~/.ssh/id_ed25519
|
||||||
|
|
||||||
|
echo "🔑 SSH prerequisites installed"
|
||||||
|
|
||||||
|
# ── SSH into staging and deploy ──────────────────────────────────
|
||||||
|
ssh -o StrictHostKeyChecking=yes \
|
||||||
|
-i ~/.ssh/id_ed25519 \
|
||||||
|
jcoakley@10.128.0.12 \
|
||||||
|
'set -euo pipefail; \
|
||||||
|
PROJECT=aptivaai-dev; \
|
||||||
|
ENV=staging; \
|
||||||
|
IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
|
||||||
|
export IMG_TAG; \
|
||||||
|
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); \
|
||||||
|
export JWT_SECRET; \
|
||||||
|
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); \
|
||||||
|
export OPENAI_API_KEY; \
|
||||||
|
ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); \
|
||||||
|
export ONET_USERNAME; \
|
||||||
|
ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); \
|
||||||
|
export ONET_PASSWORD; \
|
||||||
|
STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); \
|
||||||
|
export STRIPE_SECRET_KEY; \
|
||||||
|
STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); \
|
||||||
|
export STRIPE_PUBLISHABLE_KEY; \
|
||||||
|
STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); \
|
||||||
|
export STRIPE_WH_SECRET; \
|
||||||
|
STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); \
|
||||||
|
export STRIPE_PRICE_PREMIUM_MONTH; \
|
||||||
|
STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); \
|
||||||
|
export STRIPE_PRICE_PREMIUM_YEAR; \
|
||||||
|
STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); \
|
||||||
|
export STRIPE_PRICE_PRO_MONTH; \
|
||||||
|
STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); \
|
||||||
|
export STRIPE_PRICE_PRO_YEAR; \
|
||||||
|
DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); \
|
||||||
|
export DB_NAME; \
|
||||||
|
DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); \
|
||||||
|
export DB_HOST; \
|
||||||
|
DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); \
|
||||||
|
export DB_PORT; \
|
||||||
|
DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); \
|
||||||
|
export DB_USER; \
|
||||||
|
DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); \
|
||||||
|
export DB_PASSWORD; \
|
||||||
|
DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); \
|
||||||
|
export DB_SSL_CA; \
|
||||||
|
DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); \
|
||||||
|
export DB_SSL_CERT; \
|
||||||
|
DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); \
|
||||||
|
export DB_SSL_KEY; \
|
||||||
|
TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); \
|
||||||
|
export TWILIO_ACCOUNT_SID; \
|
||||||
|
TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); \
|
||||||
|
export TWILIO_AUTH_TOKEN; \
|
||||||
|
TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); \
|
||||||
|
export TWILIO_MESSAGING_SERVICE_SID; \
|
||||||
|
KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); \
|
||||||
|
export KMS_KEY_NAME; \
|
||||||
|
DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); \
|
||||||
|
export DEK_PATH; \
|
||||||
|
export FROM_SECRETS_MANAGER=true; \
|
||||||
|
cd /home/jcoakley/aptiva-staging-app; \
|
||||||
|
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH \
|
||||||
|
docker compose pull; \
|
||||||
|
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH \
|
||||||
|
docker compose up -d --force-recreate --remove-orphans; \
|
||||||
|
echo "✅ Staging stack refreshed with tag $IMG_TAG"'
|
||||||
|
|
||||||
secrets:
|
secrets:
|
||||||
- STAGING_SSH_KEY
|
- STAGING_SSH_KEY
|
||||||
- STAGING_KNOWN_HOSTS
|
- STAGING_KNOWN_HOSTS
|
||||||
commands:
|
|
||||||
- set -euo pipefail
|
|
||||||
- mkdir -p ~/.ssh
|
|
||||||
- gcloud secrets versions access latest --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev | base64 -d > ~/.ssh/known_hosts
|
|
||||||
- chmod 644 ~/.ssh/known_hosts
|
|
||||||
- gcloud secrets versions access latest --secret=STAGING_SSH_KEY --project=aptivaai-dev | base64 -d > ~/.ssh/id_ed25519
|
|
||||||
- chmod 600 ~/.ssh/id_ed25519
|
|
||||||
- echo "🔑 SSH prerequisites installed"
|
|
||||||
|
|
||||||
- export IMG_TAG=$(cat .img_tag)
|
when:
|
||||||
- |
|
event:
|
||||||
ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_ed25519 jcoakley@10.128.0.12 '
|
- push
|
||||||
set -euo pipefail
|
|
||||||
PROJECT=aptivaai-dev
|
|
||||||
ENV=staging
|
|
||||||
ENV_NAME=staging
|
|
||||||
export IMG_TAG='"$IMG_TAG"'
|
|
||||||
|
|
||||||
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET
|
|
||||||
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY
|
|
||||||
ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); export ONET_USERNAME
|
|
||||||
ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); export ONET_PASSWORD
|
|
||||||
STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); export STRIPE_SECRET_KEY
|
|
||||||
STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); export STRIPE_PUBLISHABLE_KEY
|
|
||||||
STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); export STRIPE_WH_SECRET
|
|
||||||
STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); export STRIPE_PRICE_PREMIUM_MONTH
|
|
||||||
STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); export STRIPE_PRICE_PREMIUM_YEAR
|
|
||||||
STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); export STRIPE_PRICE_PRO_MONTH
|
|
||||||
STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); export STRIPE_PRICE_PRO_YEAR
|
|
||||||
DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); export DB_NAME
|
|
||||||
DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); export DB_HOST
|
|
||||||
DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); export DB_PORT
|
|
||||||
DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); export DB_USER
|
|
||||||
DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); export DB_PASSWORD
|
|
||||||
DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); export DB_SSL_CA
|
|
||||||
DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); export DB_SSL_CERT
|
|
||||||
DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); export DB_SSL_KEY
|
|
||||||
TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); export TWILIO_ACCOUNT_SID
|
|
||||||
TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); export TWILIO_AUTH_TOKEN
|
|
||||||
TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); export TWILIO_MESSAGING_SERVICE_SID
|
|
||||||
KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); export KMS_KEY_NAME
|
|
||||||
DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); export DEK_PATH
|
|
||||||
|
|
||||||
export FROM_SECRETS_MANAGER=true
|
|
||||||
cd /home/jcoakley/aptiva-staging-app
|
|
||||||
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,ENV,ENV_NAME,PROJECT docker compose pull
|
|
||||||
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,ENV,ENV_NAME,PROJECT docker compose up -d --force-recreate --remove-orphans
|
|
||||||
echo "✅ Staging stack refreshed with tag $IMG_TAG"
|
|
||||||
'
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user