jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

DEK isolation
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source
This commit is contained in:
Josh 2025-08-07 15:01:03 +00:00
parent 16e01ab004
commit 1d50efe646
3 changed files with 41 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.env
View File

@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
SERVER1_PORT=5000 SERVER1_PORT=5000
SERVER2_PORT=5001 SERVER2_PORT=5001
SERVER3_PORT=5002 SERVER3_PORT=5002
IMG_TAG=69fce4f-202508071311 IMG_TAG=16e01ab-202508071457

35
Backup_data.sh Normal file
View File

@ -0,0 +1,35 @@
#!/bin/bash
set -euo pipefail
# === CONFIG ===
DB_NAME="aptiva_dev"
DB_USER="root"
DB_HOST="127.0.0.1"
DB_PORT="3306"
BACKUP_DIR="./dev_backups"
DATE=$(date +"%Y-%m-%d_%H-%M-%S")
SNAPSHOT_NAME="dev_snapshot_${DATE}.sql.gz"
EDEK_NAME="dev_edek_${DATE}.bin"
KMS_KEY="projects/aptiva/locations/us-central1/keyRings/aptiva-db/cryptoKeys/field-level"
mkdir -p "$BACKUP_DIR"
# === STEP 1: Dump encrypted DB ===
echo "🔄 Dumping dev MySQL database..."
mysqldump -h "$DB_HOST" -P "$DB_PORT" -u "$DB_USER" "$DB_NAME" | gzip > "$BACKUP_DIR/$SNAPSHOT_NAME"
# === STEP 2: Backup current EDEK ===
echo "🔐 Backing up current EDEK..."
cp /run/secrets/dek.enc "$BACKUP_DIR/$EDEK_NAME"
# === STEP 3: Verify EDEK unwrap ===
echo "🧪 Verifying EDEK unwrap with KMS..."
gcloud kms decrypt \
--location="us-central1" \
--keyring="aptiva-db" \
--key="field-level" \
--ciphertext-file="$BACKUP_DIR/$EDEK_NAME" \
--plaintext-file="/dev/null" \
> /dev/null
echo "✅ Dev backup complete: $SNAPSHOT_NAME + $EDEK_NAME"

9
docker-compose.yml
View File

@ -31,7 +31,7 @@ services:
volumes: volumes:
- ./salary_info.db:/app/salary_info.db:ro - ./salary_info.db:/app/salary_info.db:ro
- ./user_profile.db:/app/user_profile.db - ./user_profile.db:/app/user_profile.db
- dek-vol:/run/secrets/dev - dek-vol:/run/secrets
healthcheck: healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:${SERVER1_PORT}/healthz || exit 1"] test: ["CMD-SHELL", "curl -f http://localhost:${SERVER1_PORT}/healthz || exit 1"]
interval: 30s interval: 30s
@ -62,7 +62,7 @@ services:
- ./public:/app/public:ro - ./public:/app/public:ro
- ./salary_info.db:/app/salary_info.db:ro - ./salary_info.db:/app/salary_info.db:ro
- ./user_profile.db:/app/user_profile.db - ./user_profile.db:/app/user_profile.db
- dek-vol:/run/secrets/dev - dek-vol:/run/secrets
healthcheck: healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:${SERVER2_PORT}/healthz || exit 1"] test: ["CMD-SHELL", "curl -f http://localhost:${SERVER2_PORT}/healthz || exit 1"]
interval: 30s interval: 30s
@ -103,7 +103,7 @@ services:
volumes: volumes:
- ./salary_info.db:/app/salary_info.db:ro - ./salary_info.db:/app/salary_info.db:ro
- ./user_profile.db:/app/user_profile.db - ./user_profile.db:/app/user_profile.db
- dek-vol:/run/secrets/dev - dek-vol:/run/secrets
healthcheck: healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:${SERVER3_PORT}/healthz || exit 1"] test: ["CMD-SHELL", "curl -f http://localhost:${SERVER3_PORT}/healthz || exit 1"]
interval: 30s interval: 30s
@ -130,6 +130,7 @@ networks:
external: true external: true
volumes: volumes:
dek-vol: dek-vol:
name:
driver: local driver: local