Compare commits
2 Commits
0d6b3c2e5b
...
7a423b909c
| Author | SHA1 | Date | |
|---|---|---|---|
| 7a423b909c | |||
| 5a1817e4f5 |
2
.env
2
.env
@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
|
||||
SERVER1_PORT=5000
|
||||
SERVER2_PORT=5001
|
||||
SERVER3_PORT=5002
|
||||
IMG_TAG=202507301457
|
||||
IMG_TAG=202507311547
|
||||
@ -1,52 +1,43 @@
|
||||
steps:
|
||||
ssh-test:
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
- -c
|
||||
- |
|
||||
set -euo pipefail
|
||||
- name: ssh-test
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
- -c
|
||||
- |
|
||||
set -euo pipefail
|
||||
|
||||
mkdir -p ~/.ssh
|
||||
mkdir -p ~/.ssh
|
||||
|
||||
# ── Inject known-hosts and SSH key ──────────────────────────────
|
||||
gcloud secrets versions access latest \
|
||||
--secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
|
||||
| base64 -d > ~/.ssh/known_hosts
|
||||
chmod 644 ~/.ssh/known_hosts
|
||||
# ── Inject known-hosts and SSH key ───────────────────────────────
|
||||
gcloud secrets versions access latest \
|
||||
--secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
|
||||
| base64 -d > ~/.ssh/known_hosts
|
||||
chmod 644 ~/.ssh/known_hosts
|
||||
|
||||
gcloud secrets versions access latest \
|
||||
--secret=STAGING_SSH_KEY --project=aptivaai-dev \
|
||||
| base64 -d > ~/.ssh/id_ed25519
|
||||
chmod 600 ~/.ssh/id_ed25519
|
||||
gcloud secrets versions access latest \
|
||||
--secret=STAGING_SSH_KEY --project=aptivaai-dev \
|
||||
| base64 -d > ~/.ssh/id_ed25519
|
||||
chmod 600 ~/.ssh/id_ed25519
|
||||
|
||||
echo "🔑 SSH prerequisites installed"
|
||||
echo "🔑 SSH prerequisites installed"
|
||||
|
||||
# ── Grab full commit SHA and slice tag ──────────────────────────
|
||||
echo "📦 CI_COMMIT_SHA: ${CI_COMMIT_SHA:-unset}"
|
||||
TAG="${CI_COMMIT_SHA:-}"
|
||||
if [ -z "$TAG" ]; then
|
||||
echo "❌ CI_COMMIT_SHA is blank. Aborting."
|
||||
exit 1
|
||||
fi
|
||||
TAG=$(echo "$TAG" | head -c 8)
|
||||
echo "🚀 Deploying tag ${TAG} to staging"
|
||||
# ── Fetch canonical IMG_TAG ──────────────────────────────────────
|
||||
IMG_TAG=$(gcloud secrets versions access latest \
|
||||
--secret=IMG_TAG --project=aptivaai-dev)
|
||||
echo "📦 IMG_TAG=${IMG_TAG}"
|
||||
|
||||
# ── SSH into staging and refresh the stack ──────────────────────
|
||||
ssh -o StrictHostKeyChecking=yes \
|
||||
-i ~/.ssh/id_ed25519 \
|
||||
jcoakley@10.128.0.12 \
|
||||
"export IMG_TAG=${TAG}; \
|
||||
cd /home/jcoakley/aptiva-staging-app; \
|
||||
echo 'IMG_TAG = ${IMG_TAG}'; \
|
||||
echo '→ Pulling containers'; \
|
||||
docker compose pull; \
|
||||
echo '→ Recreating services'; \
|
||||
docker compose up -d --force-recreate --remove-orphans; \
|
||||
echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"
|
||||
# ── SSH into staging and deploy ──────────────────────────────────
|
||||
ssh -o StrictHostKeyChecking=yes \
|
||||
-i ~/.ssh/id_ed25519 \
|
||||
jcoakley@10.128.0.12 \
|
||||
"export IMG_TAG=${IMG_TAG}; \
|
||||
cd /home/jcoakley/aptiva-staging-app; \
|
||||
echo 'IMG_TAG = ${IMG_TAG}'; \
|
||||
docker compose pull; \
|
||||
docker compose up -d --force-recreate --remove-orphans; \
|
||||
echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"
|
||||
|
||||
environment:
|
||||
CI_COMMIT_SHA: ${CI_COMMIT_SHA}
|
||||
secrets: [ STAGING_SSH_KEY, STAGING_KNOWN_HOSTS ]
|
||||
|
||||
when:
|
||||
event:
|
||||
|
||||
@ -2,14 +2,14 @@
|
||||
set -euo pipefail
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# CONFIG – adjust only the 4 lines below if you change projects
|
||||
# CONFIG – adjust only these 4 if needed
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
ENV=dev # secret suffix, e.g. JWT_SECRET_staging
|
||||
ENV=dev
|
||||
PROJECT=aptivaai-dev
|
||||
ROOT=/home/jcoakley/aptiva-dev1-app
|
||||
REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
|
||||
|
||||
ENV_FILE="${ROOT}/.env" # ← holds NON‑sensitive values only
|
||||
ENV_FILE="${ROOT}/.env"
|
||||
SECRETS=(
|
||||
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
|
||||
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
|
||||
@ -19,21 +19,20 @@ SECRETS=(
|
||||
|
||||
cd "$ROOT"
|
||||
echo "🛠 Building front‑end bundle"
|
||||
npm ci --silent # installs if node_modules is missing/old
|
||||
npm ci --silent
|
||||
npm run build
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# 1. Build ➔ Push ➔ Bump IMG_TAG in .env
|
||||
# 1. Build → Push → Stamp .env
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
TAG=$(date -u +%Y%m%d%H%M)
|
||||
echo "🔨 Building & pushing containers (tag = ${TAG})"
|
||||
echo "🔨 Building & pushing containers (tag = ${TAG})"
|
||||
|
||||
for svc in server1 server2 server3; do
|
||||
docker build -f Dockerfile."$svc" -t "${REG}/${svc}:${TAG}" .
|
||||
docker push "${REG}/${svc}:${TAG}"
|
||||
done
|
||||
|
||||
# keep .env for static, non‑sensitive keys (ports, API_BASE…)
|
||||
if grep -q '^IMG_TAG=' "$ENV_FILE"; then
|
||||
sed -i "s/^IMG_TAG=.*/IMG_TAG=${TAG}/" "$ENV_FILE"
|
||||
else
|
||||
@ -42,27 +41,30 @@ fi
|
||||
echo "✅ .env updated with IMG_TAG=${TAG}"
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# 2. Export secrets straight from Secret Manager
|
||||
# (they live only in this shell, never on disk)
|
||||
# 1a. Publish IMG_TAG to Secret Manager (single source of truth)
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
echo "🔐 Pulling ${ENV} secrets from Secret Manager"
|
||||
printf "%s" "${TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="$PROJECT"
|
||||
|
||||
echo "📦 IMG_TAG pushed to Secret Manager (no suffix)"
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# 2. Pull secrets into runtime (never written to disk)
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
echo "🔐 Pulling secrets from Secret Manager"
|
||||
for S in "${SECRETS[@]}"; do
|
||||
export "$S"="$(gcloud secrets versions access latest \
|
||||
--secret="${S}_${ENV}" \
|
||||
--project="$PROJECT")"
|
||||
done
|
||||
|
||||
# A flag so we can see in the container env where they came from
|
||||
export FROM_SECRETS_MANAGER=true
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# 3. Re‑create the stack
|
||||
# 3. Re-create the container stack
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# Preserve only the variables docker‑compose needs for expansion
|
||||
preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}")
|
||||
|
||||
|
||||
echo "🚀 docker compose up -d (with preserved env: $preserve)"
|
||||
echo "🚀 docker compose up -d (env: $preserve)"
|
||||
sudo --preserve-env="$preserve" docker compose up -d --force-recreate 2> >(grep -v 'WARN
|
||||
|
||||
\[0000\]
|
||||
|
||||
Loading…
Reference in New Issue
Block a user