fixed pipeline, deploy_all.sh, and encryption.js for field-level. Added fast-fail to encryption.js
This commit is contained in:
parent
a39da26729
commit
e2141737e8
2
.env
2
.env
@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
|
|||||||
SERVER1_PORT=5000
|
SERVER1_PORT=5000
|
||||||
SERVER2_PORT=5001
|
SERVER2_PORT=5001
|
||||||
SERVER3_PORT=5002
|
SERVER3_PORT=5002
|
||||||
IMG_TAG=1e039bf-202508061933
|
IMG_TAG=3aef450-202508062222
|
||||||
138
.woodpecker.yml
138
.woodpecker.yml
@ -1,97 +1,77 @@
|
|||||||
---
|
# .woodpecker.yml (only the relevant step shown)
|
||||||
kind: pipeline
|
|
||||||
type: docker
|
|
||||||
name: ssh-test
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: ssh-test
|
- name: deploy-staging
|
||||||
image: google/cloud-sdk:latest
|
image: google/cloud-sdk:latest
|
||||||
entrypoint:
|
entrypoint:
|
||||||
- bash
|
- bash
|
||||||
- -c
|
- -euco
|
||||||
- |
|
- |
|
||||||
set -euo pipefail
|
#####################################################################
|
||||||
|
# 1) PARAMETERS #
|
||||||
|
#####################################################################
|
||||||
|
PROJECT=aptivaai-dev # GCP project that holds secrets
|
||||||
|
ENV=staging # <‑‑ change once, covers suffixes
|
||||||
|
HOST=10.128.0.12 # staging VM
|
||||||
|
SSH_USER=jcoakley
|
||||||
|
|
||||||
|
# One authoritative list of secret names (same as deploy_all.sh)
|
||||||
|
SECRETS=(
|
||||||
|
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
|
||||||
|
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET
|
||||||
|
STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR
|
||||||
|
STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
|
||||||
|
DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD
|
||||||
|
DB_SSL_CERT DB_SSL_KEY DB_SSL_CA
|
||||||
|
TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID
|
||||||
|
KMS_KEY_NAME DEK_PATH # ← NEW
|
||||||
|
)
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# 2) SSH prerequisites #
|
||||||
|
#####################################################################
|
||||||
mkdir -p ~/.ssh
|
mkdir -p ~/.ssh
|
||||||
|
|
||||||
# ── Inject known-hosts and SSH key ───────────────────────────────
|
|
||||||
gcloud secrets versions access latest \
|
gcloud secrets versions access latest \
|
||||||
--secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
|
--secret=STAGING_KNOWN_HOSTS --project="$PROJECT" | base64 -d \
|
||||||
| base64 -d > ~/.ssh/known_hosts
|
> ~/.ssh/known_hosts
|
||||||
chmod 644 ~/.ssh/known_hosts
|
chmod 644 ~/.ssh/known_hosts
|
||||||
|
|
||||||
gcloud secrets versions access latest \
|
gcloud secrets versions access latest \
|
||||||
--secret=STAGING_SSH_KEY --project=aptivaai-dev \
|
--secret=STAGING_SSH_KEY --project="$PROJECT" | base64 -d \
|
||||||
| base64 -d > ~/.ssh/id_ed25519
|
> ~/.ssh/id_ed25519
|
||||||
chmod 600 ~/.ssh/id_ed25519
|
chmod 600 ~/.ssh/id_ed25519
|
||||||
|
|
||||||
echo "🔑 SSH prerequisites installed"
|
echo "🔑 SSH key & known‑hosts installed"
|
||||||
|
|
||||||
# ── SSH into staging and deploy ──────────────────────────────────
|
#####################################################################
|
||||||
ssh -o StrictHostKeyChecking=yes \
|
# 3) Build the remote export block #
|
||||||
-i ~/.ssh/id_ed25519 \
|
#####################################################################
|
||||||
jcoakley@10.128.0.12 \
|
export_block="PROJECT=${PROJECT}; ENV=${ENV}; "
|
||||||
'set -euo pipefail; \
|
export_block+="IMG_TAG=\$(gcloud secrets versions access latest \
|
||||||
PROJECT=aptivaai-dev; \
|
--secret=IMG_TAG --project=\${PROJECT}); export IMG_TAG; "
|
||||||
ENV=dev; \
|
|
||||||
IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
|
|
||||||
export IMG_TAG; \
|
|
||||||
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_dev --project=$PROJECT); \
|
|
||||||
export JWT_SECRET; \
|
|
||||||
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_dev --project=$PROJECT); \
|
|
||||||
export OPENAI_API_KEY; \
|
|
||||||
ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_dev --project=$PROJECT); \
|
|
||||||
export ONET_USERNAME; \
|
|
||||||
ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_dev --project=$PROJECT); \
|
|
||||||
export ONET_PASSWORD; \
|
|
||||||
STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_dev --project=$PROJECT); \
|
|
||||||
export STRIPE_SECRET_KEY; \
|
|
||||||
STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_dev --project=$PROJECT); \
|
|
||||||
export STRIPE_PUBLISHABLE_KEY; \
|
|
||||||
STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_dev --project=$PROJECT); \
|
|
||||||
export STRIPE_WH_SECRET; \
|
|
||||||
STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_dev --project=$PROJECT); \
|
|
||||||
export STRIPE_PRICE_PREMIUM_MONTH; \
|
|
||||||
STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_dev --project=$PROJECT); \
|
|
||||||
export STRIPE_PRICE_PREMIUM_YEAR; \
|
|
||||||
STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_dev --project=$PROJECT); \
|
|
||||||
export STRIPE_PRICE_PRO_MONTH; \
|
|
||||||
STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_dev --project=$PROJECT); \
|
|
||||||
export STRIPE_PRICE_PRO_YEAR; \
|
|
||||||
DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_dev --project=$PROJECT); \
|
|
||||||
export DB_NAME;
|
|
||||||
DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_dev --project=$PROJECT); \
|
|
||||||
export DB_HOST; \
|
|
||||||
DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_dev --project=$PROJECT); \
|
|
||||||
export DB_PORT; \
|
|
||||||
DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_dev --project=$PROJECT); \
|
|
||||||
export DB_USER; \
|
|
||||||
DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_dev --project=$PROJECT); \
|
|
||||||
export DB_PASSWORD; \
|
|
||||||
DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_dev --project=$PROJECT); \
|
|
||||||
export DB_SSL_CA; \
|
|
||||||
DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_dev --project=$PROJECT); \
|
|
||||||
export DB_SSL_CERT; \
|
|
||||||
DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_dev --project=$PROJECT); \
|
|
||||||
export DB_SSL_KEY; \
|
|
||||||
TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_dev --project=$PROJECT); \
|
|
||||||
export TWILIO_ACCOUNT_SID; \
|
|
||||||
TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_dev --project=$PROJECT); \
|
|
||||||
export TWILIO_AUTH_TOKEN; \
|
|
||||||
TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_dev --project=$PROJECT); \
|
|
||||||
export TWILIO_MESSAGING_SERVICE_SID; \
|
|
||||||
export FROM_SECRETS_MANAGER=true; \
|
|
||||||
cd /home/jcoakley/aptiva-staging-app; \
|
|
||||||
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID \
|
|
||||||
docker compose pull; \
|
|
||||||
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID \
|
|
||||||
docker compose up -d --force-recreate --remove-orphans; \
|
|
||||||
echo "✅ Staging stack refreshed with tag $IMG_TAG"'
|
|
||||||
|
|
||||||
|
for S in "${SECRETS[@]}"; do
|
||||||
|
export_block+="${S}=\$(gcloud secrets versions access latest \
|
||||||
|
--secret=${S}_${ENV} --project=\${PROJECT}); export ${S}; "
|
||||||
|
done
|
||||||
|
|
||||||
|
export_block+="export FROM_SECRETS_MANAGER=true; "
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# 4) Remote docker‑compose update #
|
||||||
|
#####################################################################
|
||||||
|
export_block+="cd /home/${SSH_USER}/aptiva-staging-app; "
|
||||||
|
# Include every exported var in --preserve-env
|
||||||
|
preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]})
|
||||||
|
export_block+="sudo --preserve-env=${preserve} docker compose pull; "
|
||||||
|
export_block+="sudo --preserve-env=${preserve} \
|
||||||
|
docker compose up -d --force-recreate --remove-orphans; "
|
||||||
|
export_block+="echo '✅ Staging stack refreshed with tag \$IMG_TAG';"
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# 5) Execute over SSH #
|
||||||
|
#####################################################################
|
||||||
|
ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_ed25519 \
|
||||||
|
"${SSH_USER}@${HOST}" "${export_block}"
|
||||||
secrets:
|
secrets:
|
||||||
- STAGING_SSH_KEY
|
- STAGING_SSH_KEY
|
||||||
- STAGING_KNOWN_HOSTS
|
- STAGING_KNOWN_HOSTS
|
||||||
|
|
||||||
when:
|
|
||||||
event:
|
|
||||||
- push
|
|
||||||
|
|||||||
@ -24,6 +24,11 @@ const MAGIC = 'gcm:'; // prefix to mark ciphertext
|
|||||||
const KMS_KEY = (process.env.KMS_KEY_NAME || '').trim(); // projects/*/locations/*/keyRings/*/cryptoKeys/*
|
const KMS_KEY = (process.env.KMS_KEY_NAME || '').trim(); // projects/*/locations/*/keyRings/*/cryptoKeys/*
|
||||||
const EDEK_PATH = (process.env.DEK_PATH || '').trim(); // e.g. /run/secrets/dev/dek.enc
|
const EDEK_PATH = (process.env.DEK_PATH || '').trim(); // e.g. /run/secrets/dev/dek.enc
|
||||||
|
|
||||||
|
if (!EDEK_PATH) {
|
||||||
|
console.error('FATAL: DEK_PATH env var is unset — check deploy script');
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
let dek; // in‑memory data‑encryption‑key
|
let dek; // in‑memory data‑encryption‑key
|
||||||
let initPromise = null;
|
let initPromise = null;
|
||||||
|
|
||||||
|
|||||||
@ -1,10 +1,22 @@
|
|||||||
# ───────────────────────── config ─────────────────────────
|
# ───────────────────────── config ─────────────────────────
|
||||||
ENV=dev
|
#!/usr/bin/env bash
|
||||||
PROJECT=aptivaai-dev
|
set -euo pipefail # fail fast, surfacing missing vars
|
||||||
ROOT=/home/jcoakley/aptiva-dev1-app
|
|
||||||
REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
|
|
||||||
|
|
||||||
|
# Accept priority: 1) CLI arg 2) exported variable 3) default 'dev'
|
||||||
|
ENV="${1:-${ENV:-dev}}"
|
||||||
|
|
||||||
|
case "$ENV" in dev|staging|prod) ;; # sanity guard
|
||||||
|
*) echo "❌ Unknown ENV='$ENV'"; exit 1 ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
PROJECT="aptivaai-${ENV}" # adjust if prod lives elsewhere
|
||||||
|
REG="us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo"
|
||||||
|
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||||
ENV_FILE="${ROOT}/.env"
|
ENV_FILE="${ROOT}/.env"
|
||||||
|
|
||||||
|
echo "🔧 Deploying environment: $ENV (GCP: $PROJECT)"
|
||||||
|
|
||||||
|
|
||||||
SECRETS=(
|
SECRETS=(
|
||||||
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
|
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
|
||||||
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET \
|
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET \
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user