jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

GPT rewrite of deploy-staging

Browse Source
This commit is contained in:
Josh 2025-08-09 18:38:44 +00:00
parent 33b5dae4a7
commit f8e97c9e72
1 changed files with 67 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
.woodpecker.yml
View File

@ -28,7 +28,7 @@ steps:
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG
- name: staging-deploy - name: staging-deploy
image: google/cloud-sdk:latest image: google/cloud-sdk:latest
entrypoint: entrypoint:
- bash - bash
@ -38,7 +38,7 @@ steps:
mkdir -p ~/.ssh mkdir -p ~/.ssh
# ── Inject known-hosts and SSH key ─────────────────────────────── # known_hosts + key
gcloud secrets versions access latest \ gcloud secrets versions access latest \
--secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \ --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
| base64 -d > ~/.ssh/known_hosts | base64 -d > ~/.ssh/known_hosts
@ -49,97 +49,75 @@ steps:
| base64 -d > ~/.ssh/id_ed25519 | base64 -d > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519
echo "🔑 SSH prerequisites installed" # --- Run a real bash on the remote and feed it a literal script
# ── SSH into staging and deploy ──────────────────────────────────
ssh -o StrictHostKeyChecking=yes \ ssh -o StrictHostKeyChecking=yes \
-i ~/.ssh/id_ed25519 \ -i ~/.ssh/id_ed25519 \
jcoakley@10.128.0.12 \ jcoakley@10.128.0.12 \
'set -euo pipefail; \ bash -seuo pipefail <<'REMOTE'
PROJECT=aptivaai-dev; \
ENV=staging; \ set -Eeuo pipefail
IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
export IMG_TAG; \ PROJECT=aptivaai-dev
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); \ ENV=staging
export JWT_SECRET; \ REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); \ DEK_VOL=aptiva_dek_staging # adjust if your staging volume has a different name
export OPENAI_API_KEY; \
ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); \ # helper: fetch a secret value for this ENV
export ONET_USERNAME; \ get() { gcloud secrets versions access latest --secret="${1}_${ENV}" --project="${PROJECT}"; }
ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); \
export ONET_PASSWORD; \ # read the image tag (no suffix)
STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); \ IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project="${PROJECT}")"
export STRIPE_SECRET_KEY; \ export IMG_TAG FROM_SECRETS_MANAGER=true PROJECT ENV_NAME="${ENV}"
STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); \
export STRIPE_PUBLISHABLE_KEY; \ # export all env the compose needs
STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); \ export JWT_SECRET="$(get JWT_SECRET)"
export STRIPE_WH_SECRET; \ export OPENAI_API_KEY="$(get OPENAI_API_KEY)"
STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); \ export ONET_USERNAME="$(get ONET_USERNAME)"
export STRIPE_PRICE_PREMIUM_MONTH; \ export ONET_PASSWORD="$(get ONET_PASSWORD)"
STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); \ export STRIPE_SECRET_KEY="$(get STRIPE_SECRET_KEY)"
export STRIPE_PRICE_PREMIUM_YEAR; \ export STRIPE_PUBLISHABLE_KEY="$(get STRIPE_PUBLISHABLE_KEY)"
STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); \ export STRIPE_WH_SECRET="$(get STRIPE_WH_SECRET)"
export STRIPE_PRICE_PRO_MONTH; \ export STRIPE_PRICE_PREMIUM_MONTH="$(get STRIPE_PRICE_PREMIUM_MONTH)"
STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); \ export STRIPE_PRICE_PREMIUM_YEAR="$(get STRIPE_PRICE_PREMIUM_YEAR)"
export STRIPE_PRICE_PRO_YEAR; \ export STRIPE_PRICE_PRO_MONTH="$(get STRIPE_PRICE_PRO_MONTH)"
DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); \ export STRIPE_PRICE_PRO_YEAR="$(get STRIPE_PRICE_PRO_YEAR)"
export DB_NAME; \ export DB_NAME="$(get DB_NAME)"
DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); \ export DB_HOST="$(get DB_HOST)"
export DB_HOST; \ export DB_PORT="$(get DB_PORT)"
DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); \ export DB_USER="$(get DB_USER)"
export DB_PORT; \ export DB_PASSWORD="$(get DB_PASSWORD)"
DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); \ export DB_SSL_CA="$(get DB_SSL_CA)"
export DB_USER; \ export DB_SSL_CERT="$(get DB_SSL_CERT)"
DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); \ export DB_SSL_KEY="$(get DB_SSL_KEY)"
export DB_PASSWORD; \ export TWILIO_ACCOUNT_SID="$(get TWILIO_ACCOUNT_SID)"
DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); \ export TWILIO_AUTH_TOKEN="$(get TWILIO_AUTH_TOKEN)"
export DB_SSL_CA; \ export TWILIO_MESSAGING_SERVICE_SID="$(get TWILIO_MESSAGING_SERVICE_SID)"
DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); \ export KMS_KEY_NAME="$(get KMS_KEY_NAME)"
export DB_SSL_CERT; \ export DEK_PATH="$(get DEK_PATH)"
DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); \
export DB_SSL_KEY; \ cd /home/jcoakley/aptiva-staging-app
TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); \
export TWILIO_ACCOUNT_SID; \ # Optional safety net: if WRAPPED_DEK_staging has no versions, escrow the current EDEK
TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); \ if ! gcloud secrets describe "WRAPPED_DEK_${ENV}" --project="${PROJECT}" >/dev/null 2>&1; then
export TWILIO_AUTH_TOKEN; \ gcloud secrets create "WRAPPED_DEK_${ENV}" --replication-policy=automatic --project="${PROJECT}"
TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); \ fi
export TWILIO_MESSAGING_SERVICE_SID; \ if ! gcloud secrets versions list "WRAPPED_DEK_${ENV}" --project="${PROJECT}" --format='value(name)' | grep -q .; then
KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); \ # read dek.enc out of the staging volume and push to Secret Manager
export KMS_KEY_NAME; \ docker run --rm -v "${DEK_VOL}:/run/secrets" busybox \
DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); \ cat "${DEK_PATH}" \
export DEK_PATH; \ | gcloud secrets versions add "WRAPPED_DEK_${ENV}" --data-file=- --project="${PROJECT}"
export FROM_SECRETS_MANAGER=true; \ echo "Escrowed EDEK to Secret Manager as WRAPPED_DEK_${ENV}"
\ fi
# ── NEW: sync dev DEK into staging volume (uses Secret Manager) ── \
if gcloud secrets describe WRAPPED_DEK_dev --project=$PROJECT >/dev/null 2>&1; then \ # Pull & restart with all env preserved
echo \"🔁 Syncing dev DEK into staging volume\"; \ PRESERVE="IMG_TAG,FROM_SECRETS_MANAGER,ENV_NAME,PROJECT,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH"
gcloud secrets versions access latest --secret=WRAPPED_DEK_dev --project=$PROJECT > /tmp/dev_dek.enc; \
if [ -s /tmp/dev_dek.enc ]; then \ sudo --preserve-env="${PRESERVE}" docker compose pull
docker volume ls -q | grep -qx aptiva_dek_staging || docker volume create aptiva_dek_staging >/dev/null; \ sudo --preserve-env="${PRESERVE}" docker compose up -d --force-recreate --remove-orphans
sudo docker run --rm -v aptiva_dek_staging:/v -v /tmp:/host busybox sh -lc \" \
set -e; \ echo "✅ Staging stack refreshed with tag ${IMG_TAG}"
mkdir -p /v/staging; \ REMOTE
cp -f /host/dev_dek.enc /v/staging/dek.enc; \
chown 1000:1000 /v/staging/dek.enc; \
chmod 400 /v/staging/dek.enc; \
rm -f /v/staging/dek.fpr; \
echo -n staging dek.enc bytes: ; wc -c </v/staging/dek.enc;
ls -l /v/staging; \
\"; \
else \
echo \"⚠️ WRAPPED_DEK_dev returned empty; skipping copy\"; \
fi; \
else \
echo \" WRAPPED_DEK_dev not found; leaving existing staging DEK alone\"; \
fi; \
\
cd /home/jcoakley/aptiva-staging-app; \
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH \
docker compose pull; \
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH \
docker compose up -d --force-recreate --remove-orphans; \
echo \"✅ Staging stack refreshed with tag $IMG_TAG\"'
secrets: secrets: