Compare commits
2 Commits
666427a7c9
...
3007f15a0c
| Author | SHA1 | Date | |
|---|---|---|---|
| 3007f15a0c | |||
| f93b7e4d31 |
@ -114,25 +114,25 @@ steps:
|
||||
GOOGLE_MAPS_API_KEY=$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project=$PROJECT); \
|
||||
export GOOGLE_MAPS_API_KEY; \
|
||||
SERVER1_PORT=$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project=$PROJECT); \
|
||||
export SERVER1_PORT
|
||||
export SERVER1_PORT; \
|
||||
SERVER2_PORT=$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project=$PROJECT); \
|
||||
export SERVER2_PORT
|
||||
export SERVER2_PORT; \
|
||||
SERVER3_PORT=$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project=$PROJECT); \
|
||||
export SERVER3_PORT
|
||||
export SERVER3_PORT; \
|
||||
ENV_NAME=$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project=$PROJECT); \
|
||||
export ENV_NAME
|
||||
export ENV_NAME; \
|
||||
CORS_ALLOWED_ORIGINS=$(gcloud secrets versions access latest --secret=CORS_ALLOWED_ORIGINS_$ENV --project=$PROJECT); \
|
||||
export CORS_ALLOWED_ORIGINS
|
||||
export CORS_ALLOWED_ORIGINS; \
|
||||
APTIVA_API_BASE=$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project=$PROJECT); \
|
||||
export APTIVA_API_BASE
|
||||
export APTIVA_API_BASE; \
|
||||
TOKEN_MAX_AGE_MS=$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project=$PROJECT); \
|
||||
export TOKEN_MAX_AGE_MS
|
||||
export TOKEN_MAX_AGE_MS; \
|
||||
COOKIE_SECURE=$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project=$PROJECT); \
|
||||
export COOKIE_SECURE
|
||||
export COOKIE_SECURE; \
|
||||
COOKIE_SAMESITE=$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project=$PROJECT); \
|
||||
export COOKIE_SAMESITE
|
||||
export COOKIE_SAMESITE; \
|
||||
ACCESS_COOKIE_NAME=$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project=$PROJECT); \
|
||||
export ACCESS_COOKIE_NAME
|
||||
export ACCESS_COOKIE_NAME; \
|
||||
|
||||
export FROM_SECRETS_MANAGER=true; \
|
||||
\
|
||||
@ -175,7 +175,58 @@ type: docker
|
||||
name: prod-promotion
|
||||
|
||||
steps:
|
||||
- name: promote-tag-and-mirror
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
- -c
|
||||
- |
|
||||
set -euo pipefail
|
||||
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
||||
|
||||
# Dev is the single source of truth for IMG_TAG
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
||||
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
|
||||
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
||||
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq docker.io
|
||||
gcloud auth configure-docker us-central1-docker.pkg.dev -q
|
||||
|
||||
for svc in server1 server2 server3 nginx; do
|
||||
docker pull "$SRC/$svc:$IMG_TAG"
|
||||
docker tag "$SRC/$svc:$IMG_TAG" "$DST/$svc:$IMG_TAG"
|
||||
docker push "$DST/$svc:$IMG_TAG"
|
||||
done
|
||||
|
||||
# Publish the exact tag to prod SM so deploy & scan read the same value
|
||||
printf "%s" "${IMG_TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="aptivaai-prod" >/dev/null
|
||||
echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
|
||||
|
||||
- name: verify-sync
|
||||
depends_on: [promote-tag-and-mirror]
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
- -c
|
||||
- |
|
||||
set -euo pipefail
|
||||
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
||||
prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
|
||||
[[ "$IMG_TAG" == "$prod_val" ]] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$prod_val"; exit 1; }
|
||||
echo "✅ Tag parity confirmed: $IMG_TAG"
|
||||
# Ensure images truly exist in PROD AR
|
||||
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
||||
apt-get update -qq && apt-get install -y -qq docker.io
|
||||
gcloud auth configure-docker us-central1-docker.pkg.dev -q
|
||||
for svc in server1 server2 server3 nginx; do
|
||||
docker pull "$DST/$svc:$IMG_TAG" >/dev/null
|
||||
done
|
||||
echo "✅ Prod AR has all images at :$IMG_TAG"
|
||||
|
||||
- name: security-scan
|
||||
depends_on: [verify-sync]
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
@ -223,8 +274,9 @@ steps:
|
||||
|
||||
PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
|
||||
|
||||
# Use the IMG_TAG stored in PROD (the exact one mirrored there)
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
|
||||
# single source of truth for deploy as well
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
||||
|
||||
|
||||
echo "🔑 SSH prerequisites installed"
|
||||
|
||||
@ -238,6 +290,9 @@ steps:
|
||||
PROJECT=aptivaai-prod; \
|
||||
ENV=prod; \
|
||||
export IMG_TAG='"$IMG_TAG"'; \
|
||||
# sanity: ensure prod SM matches the single source (dev) before pull
|
||||
prod_val=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
|
||||
[ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }; \
|
||||
\
|
||||
# Pull all runtime secrets from aptivaai-prod
|
||||
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user