From d6bffc6dd5809cb72bf188547f488e1948cf5c7a Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 6 Aug 2025 22:42:46 +0000
Subject: [PATCH] reverted pipeline back to working and added KMS and DEK secrets
---
 .woodpecker.yml | 97 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 63 insertions(+), 34 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 63ba6f5..c59aad4 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -28,41 +28,70 @@ steps: echo "πŸ”‘ SSH prerequisites installed" # ── SSH into staging and deploy ────────────────────────────────── - ssh -o StrictHostKeyChecking=yes \ - -i ~/.ssh/id_ed25519 \ - jcoakley@10.128.0.12 \ - 'set -euo pipefail - PROJECT=aptivaai-dev - ENV=staging # ← or β€œdev”, β€œprod”, etc. - IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT) - export IMG_TAG + ssh -o StrictHostKeyChecking=yes \ + -i ~/.ssh/id_ed25519 \ + jcoakley@10.128.0.12 \ + 'set -euo pipefail; \ + PROJECT=aptivaai-dev; \ + ENV=dev; \ + IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \ + export IMG_TAG; \ + JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_dev --project=$PROJECT); \ + export JWT_SECRET; \ + OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_dev --project=$PROJECT); \ + export OPENAI_API_KEY; \ + ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_dev --project=$PROJECT); \ + export ONET_USERNAME; \ + ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_dev --project=$PROJECT); \ + export ONET_PASSWORD; \ + STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_dev --project=$PROJECT); \ + export STRIPE_SECRET_KEY; \ + STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_dev --project=$PROJECT); \ + export STRIPE_PUBLISHABLE_KEY; \ + STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_dev --project=$PROJECT); \ + export STRIPE_WH_SECRET; \ + STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_dev --project=$PROJECT); \ + export STRIPE_PRICE_PREMIUM_MONTH; \ + STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_dev --project=$PROJECT); \ + export STRIPE_PRICE_PREMIUM_YEAR; \ + 
STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_dev --project=$PROJECT); \ + export STRIPE_PRICE_PRO_MONTH; \ + STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_dev --project=$PROJECT); \ + export STRIPE_PRICE_PRO_YEAR; \ + DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_dev --project=$PROJECT); \ + export DB_NAME; + DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_dev --project=$PROJECT); \ + export DB_HOST; \ + DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_dev --project=$PROJECT); \ + export DB_PORT; \ + DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_dev --project=$PROJECT); \ + export DB_USER; \ + DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_dev --project=$PROJECT); \ + export DB_PASSWORD; \ + DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_dev --project=$PROJECT); \ + export DB_SSL_CA; \ + DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_dev --project=$PROJECT); \ + export DB_SSL_CERT; \ + DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_dev --project=$PROJECT); \ + export DB_SSL_KEY; \ + TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_dev --project=$PROJECT); \ + export TWILIO_ACCOUNT_SID; \ + TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_dev --project=$PROJECT); \ + export TWILIO_AUTH_TOKEN; \ + TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_dev --project=$PROJECT); \ + export TWILIO_MESSAGING_SERVICE_SID; \ + KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_dev --project=$PROJECT); \ + export KMS_KEY_NAME; \ + DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_dev --project=$PROJECT); \ + export DEK_PATH; \ - # pull every secret 
in the SECRETS array - declare -a SECRETS=( - JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD - STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET - STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR - STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR - DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD - DB_SSL_CERT DB_SSL_KEY DB_SSL_CA - TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID - KMS_KEY_NAME DEK_PATH - ) - for S in "${SECRETS[@]}"; do - # no quotes on the left‑hand side - export ${S}="$(gcloud secrets versions access latest \ - --secret="${S}_${ENV}" --project="$PROJECT")" - done - export FROM_SECRETS_MANAGER=true - - cd /home/jcoakley/aptiva-staging-app - # build the --preserve-env list dynamically so new vars flow through - preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]}) - sudo --preserve-env="$preserve" docker compose pull - sudo --preserve-env="$preserve" docker compose up -d --force-recreate --remove-orphans - - echo "βœ… Staging stack refreshed with tag $IMG_TAG" - ' + export FROM_SECRETS_MANAGER=true; \ + cd /home/jcoakley/aptiva-staging-app; \ + sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID \ + docker compose pull; \ + sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID \ + docker compose up -d --force-recreate 
--remove-orphans; \ + echo "βœ… Staging stack refreshed with tag $IMG_TAG"' secrets: - STAGING_SSH_KEY
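Review bot: The `--preserve-env=` lists on both `sudo docker compose` invocations end at `TWILIO_MESSAGING_SERVICE_SID`, so `KMS_KEY_NAME` and `DEK_PATH` — fetched and exported a few lines earlier — are stripped at the sudo boundary and never reach the compose stack, which is the opposite of what the commit title promises. Appending `,KMS_KEY_NAME,DEK_PATH` to both lists fixes this run; declaring the list once (`PRESERVE_ENV=IMG_TAG,FROM_SECRETS_MANAGER,…,KMS_KEY_NAME,DEK_PATH; \`) and passing `--preserve-env="$PRESERVE_ENV"` to both calls removes the duplicated literal that let the two copies drift from the export list — the removed version built it from the `SECRETS` array for exactly that reason. `ENV=dev;` is now assigned but never read, because every `--secret=` name hardcodes the `_dev` suffix; either use it (`--secret=JWT_SECRET_${ENV}`) or drop it so a reader does not assume it selects the environment. `export DB_NAME;` is the only statement in the remote script without the trailing `\`; provided the YAML scalar keeps the newline it still acts as a command separator, but it should match its neighbours. The step this hunk edits begins above the hunk, so the YAML scalar style that decides how these newlines are delivered to the remote shell is not visible here.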