This commit is contained in:
parent
a9a1914d5a
commit
ed5a9e71d6
@ -129,20 +129,27 @@ steps:
|
||||
echo "🔑 SSH prerequisites installed"
|
||||
|
||||
# ── SSH into PROD and deploy (NO DEK SYNC) ────────────────────────
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"; export IMG_TAG; \
|
||||
ssh -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
|
||||
--project=aptivaai-prod --zone=us-central1-a \
|
||||
--listen-on-stdin --verbosity=error" \
|
||||
-o StrictHostKeyChecking=accept-new -i ~/.ssh/id_ed25519 \
|
||||
"$PROD_SSH_TARGET" bash -s -- "$IMG_TAG" \
|
||||
"$PROD_SSH_TARGET" bash -s \
|
||||
set -euo pipefail; \
|
||||
IMG_TAG="${1:?IMG_TAG arg missing}"; export IMG_TAG
|
||||
PROJECT=aptivaai-prod; \
|
||||
export PROJECT; \
|
||||
ENV=prod; \
|
||||
# sanity: ensure prod SM matches the single source (dev) before pull
|
||||
prod_val=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
|
||||
[ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }; \
|
||||
\
|
||||
|
||||
# dev tag injected from CI at script-generation time
|
||||
IMG_TAG_DEV="$IMG_TAG_DEV"
|
||||
echo "🔖 Using DEV IMG_TAG=\$IMG_TAG_DEV"
|
||||
|
||||
# read prod tag on the VM and enforce parity
|
||||
IMG_TAG_PROD="$(gcloud secrets versions access latest --secret=IMG_TAG --project="\$PROJECT")"
|
||||
[ "\$IMG_TAG_PROD" = "\$IMG_TAG_DEV" ] || { echo "❌ Tag mismatch on VM: dev=\$IMG_TAG_DEV prod=\$IMG_TAG_PROD"; exit 1; }
|
||||
IMG_TAG="\$IMG_TAG_DEV"; export IMG_TAG
|
||||
echo "✅ Tag parity ok (\$IMG_TAG)"
|
||||
|
||||
# Pull all runtime secrets from aptivaai-prod
|
||||
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \
|
||||
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user