jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed pipeline, deploy_all.sh, and encryption.js for field-level. Added fast-fail to encryption.js

Browse Source
This commit is contained in:
Josh 2025-08-06 22:34:10 +00:00
parent 3aef4502f8
commit 96fe61e956
4 changed files with 81 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.env
View File

@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
SERVER1_PORT=5000
SERVER2_PORT=5001
SERVER3_PORT=5002
IMG_TAG=1e039bf-202508061933
IMG_TAG=3aef450-202508062222

138
.woodpecker.yml
View File

@ -1,97 +1,77 @@
---
kind: pipeline
type: docker
name: ssh-test
# .woodpecker.yml (only the relevant step shown)
steps:
- name: ssh-test
- name: deploy-staging
image: google/cloud-sdk:latest
entrypoint:
- bash
- -c
- -euco
- |
set -euo pipefail
#####################################################################
# 1) PARAMETERS #
#####################################################################
PROJECT=aptivaai-dev # GCP project that holds secrets
ENV=staging # < change once, covers suffixes
HOST=10.128.0.12 # staging VM
SSH_USER=jcoakley
# One authoritative list of secret names (same as deploy_all.sh)
SECRETS=(
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET
STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR
STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD
DB_SSL_CERT DB_SSL_KEY DB_SSL_CA
TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID
KMS_KEY_NAME DEK_PATH # ← NEW
)
#####################################################################
# 2) SSH prerequisites #
#####################################################################
mkdir -p ~/.ssh
# ── Inject known-hosts and SSH key ───────────────────────────────
gcloud secrets versions access latest \
--secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
| base64 -d > ~/.ssh/known_hosts
--secret=STAGING_KNOWN_HOSTS --project="$PROJECT" | base64 -d \
> ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts
gcloud secrets versions access latest \
--secret=STAGING_SSH_KEY --project=aptivaai-dev \
| base64 -d > ~/.ssh/id_ed25519
--secret=STAGING_SSH_KEY --project="$PROJECT" | base64 -d \
> ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
echo "🔑 SSH prerequisites installed"
echo "🔑 SSH key & knownhosts installed"
# ── SSH into staging and deploy ──────────────────────────────────
ssh -o StrictHostKeyChecking=yes \
-i ~/.ssh/id_ed25519 \
jcoakley@10.128.0.12 \
'set -euo pipefail; \
PROJECT=aptivaai-dev; \
ENV=dev; \
IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
export IMG_TAG; \
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_dev --project=$PROJECT); \
export JWT_SECRET; \
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_dev --project=$PROJECT); \
export OPENAI_API_KEY; \
ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_dev --project=$PROJECT); \
export ONET_USERNAME; \
ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_dev --project=$PROJECT); \
export ONET_PASSWORD; \
STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_dev --project=$PROJECT); \
export STRIPE_SECRET_KEY; \
STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_dev --project=$PROJECT); \
export STRIPE_PUBLISHABLE_KEY; \
STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_dev --project=$PROJECT); \
export STRIPE_WH_SECRET; \
STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_dev --project=$PROJECT); \
export STRIPE_PRICE_PREMIUM_MONTH; \
STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_dev --project=$PROJECT); \
export STRIPE_PRICE_PREMIUM_YEAR; \
STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_dev --project=$PROJECT); \
export STRIPE_PRICE_PRO_MONTH; \
STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_dev --project=$PROJECT); \
export STRIPE_PRICE_PRO_YEAR; \
DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_dev --project=$PROJECT); \
export DB_NAME;
DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_dev --project=$PROJECT); \
export DB_HOST; \
DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_dev --project=$PROJECT); \
export DB_PORT; \
DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_dev --project=$PROJECT); \
export DB_USER; \
DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_dev --project=$PROJECT); \
export DB_PASSWORD; \
DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_dev --project=$PROJECT); \
export DB_SSL_CA; \
DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_dev --project=$PROJECT); \
export DB_SSL_CERT; \
DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_dev --project=$PROJECT); \
export DB_SSL_KEY; \
TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_dev --project=$PROJECT); \
export TWILIO_ACCOUNT_SID; \
TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_dev --project=$PROJECT); \
export TWILIO_AUTH_TOKEN; \
TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_dev --project=$PROJECT); \
export TWILIO_MESSAGING_SERVICE_SID; \
export FROM_SECRETS_MANAGER=true; \
cd /home/jcoakley/aptiva-staging-app; \
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID \
docker compose pull; \
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID \
docker compose up -d --force-recreate --remove-orphans; \
echo "✅ Staging stack refreshed with tag $IMG_TAG"'
#####################################################################
# 3) Build the remote export block #
#####################################################################
export_block="PROJECT=${PROJECT}; ENV=${ENV}; "
export_block+="IMG_TAG=\$(gcloud secrets versions access latest \
--secret=IMG_TAG --project=\${PROJECT}); export IMG_TAG; "
for S in "${SECRETS[@]}"; do
export_block+="${S}=\$(gcloud secrets versions access latest \
--secret=${S}_${ENV} --project=\${PROJECT}); export ${S}; "
done
export_block+="export FROM_SECRETS_MANAGER=true; "
#####################################################################
# 4) Remote dockercompose update #
#####################################################################
export_block+="cd /home/${SSH_USER}/aptiva-staging-app; "
# Include every exported var in --preserve-env
preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]})
export_block+="sudo --preserve-env=${preserve} docker compose pull; "
export_block+="sudo --preserve-env=${preserve} \
docker compose up -d --force-recreate --remove-orphans; "
export_block+="echo '✅ Staging stack refreshed with tag \$IMG_TAG';"
#####################################################################
# 5) Execute over SSH #
#####################################################################
ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_ed25519 \
"${SSH_USER}@${HOST}" "${export_block}"
secrets:
- STAGING_SSH_KEY
- STAGING_KNOWN_HOSTS
when:
event:
- push

5
backend/shared/crypto/encryption.js
View File

@ -24,6 +24,11 @@ const MAGIC = 'gcm:'; // prefix to mark ciphertext
const KMS_KEY = (process.env.KMS_KEY_NAME || '').trim(); // projects/*/locations/*/keyRings/*/cryptoKeys/*
const EDEK_PATH = (process.env.DEK_PATH || '').trim(); // e.g. /run/secrets/dev/dek.enc
if (!EDEK_PATH) {
console.error('FATAL: DEK_PATH env var is unset — check deploy script');
process.exit(1);
}
let dek; // inmemory dataencryptionkey
let initPromise = null;

20
deploy_all.sh
View File

@ -1,10 +1,22 @@
# ───────────────────────── config ─────────────────────────
ENV=dev
PROJECT=aptivaai-dev
ROOT=/home/jcoakley/aptiva-dev1-app
REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
#!/usr/bin/env bash
set -euo pipefail # fail fast, surfacing missing vars
# Accept priority: 1) CLI arg 2) exported variable 3) default 'dev'
ENV="${1:-${ENV:-dev}}"
case "$ENV" in dev|staging|prod) ;; # sanity guard
*) echo "❌ Unknown ENV='$ENV'"; exit 1 ;;
esac
PROJECT="aptivaai-${ENV}" # adjust if prod lives elsewhere
REG="us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo"
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ENV_FILE="${ROOT}/.env"
echo "🔧 Deploying environment: $ENV (GCP: $PROJECT)"
SECRETS=(
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET \