--- kind: pipeline type: docker name: prod-promotion steps: - name: promote-tag-and-mirror image: google/cloud-sdk:latest entrypoint: - bash - -lc - | set -euo pipefail if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo" DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" [ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG empty"; exit 2; } apt-get update -qq && apt-get install -y -qq skopeo TOKEN="$(gcloud auth print-access-token)" # Check which images already exist in PROD (so we don't try to push them) MISSING="" for s in server1 server2 server3 nginx; do REF="docker://$DST/$s:$IMG_TAG" if ! skopeo inspect --creds "oauth2accesstoken:$TOKEN" "$REF" >/dev/null 2>&1; then MISSING="$MISSING $s" fi done if [ -z "$MISSING" ]; then echo "✅ All images present in PROD for :$IMG_TAG — skipping mirror" else echo "🔁 Mirroring to PROD:$MISSING" for s in $MISSING; do SRC_REF="docker://$SRC/$s:$IMG_TAG" DST_REF="docker://$DST/$s:$IMG_TAG" echo "copy $SRC_REF → $DST_REF" skopeo copy --insecure-policy \ --src-creds "oauth2accesstoken:$TOKEN" \ --dest-creds "oauth2accesstoken:$TOKEN" \ "$SRC_REF" "$DST_REF" done fi printf '%s' "$IMG_TAG" | gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod >/dev/null echo "🏷 promoted IMG_TAG=$IMG_TAG" - name: verify-sync depends_on: [promote-tag-and-mirror] image: google/cloud-sdk:latest entrypoint: - bash - -lc - | set -euo pipefail if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)" [ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; } echo "✅ Tag parity confirmed: $IMG_TAG" DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" apt-get update -qq && apt-get install -y -qq skopeo TOKEN="$(gcloud auth print-access-token)" for s in server1 server2 server3 nginx; do REF="docker://$DST/$s:$IMG_TAG" echo "🔎 verify $REF" skopeo inspect --creds "oauth2accesstoken:$TOKEN" "$REF" >/dev/null done echo "✅ Prod AR has all images at :$IMG_TAG" - name: security-scan depends_on: [verify-sync] image: google/cloud-sdk:latest entrypoint: - bash - -lc - | set -euo pipefail if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" apt-get update -qq apt-get install -y -qq gnupg apt-transport-https curl ca-certificates curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash export PATH="$PATH:$(pwd)/bin" TOKEN="$(gcloud auth print-access-token)" for s in server1 server2 server3 nginx; do REF="$REG/$s:$IMG_TAG" echo "🛡 scan $REF" trivy image --username oauth2accesstoken --password "$TOKEN" \ --scanners vuln --ignore-unfixed --ignorefile .trivyignore \ --exit-code 1 --severity CRITICAL "$REF" done - name: prod-deploy depends_on: [security-scan] image: google/cloud-sdk:latest entrypoint: - bash - -lc - | set -euo pipefail [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; } mkdir -p ~/.ssh gcloud secrets versions access latest \ --secret=PROD_SSH_KEY --project=aptivaai-dev \ | base64 -d > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)" # Always: get tag from dev IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" [ -n "$IMG_TAG" ] || { echo "❌ dev IMG_TAG empty"; exit 2; } echo "🚀 Deploying tag: $IMG_TAG" # Pipe script into SSH, pass IMG_TAG as $1 cat <<'EOSSH' | ssh -T \ -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \ --project=aptivaai-prod --zone=us-central1-a \ --listen-on-stdin --verbosity=error" \ -o StrictHostKeyChecking=accept-new \ -i ~/.ssh/id_ed25519 \ "$PROD_SSH_TARGET" bash -s -- "$IMG_TAG" set -euo pipefail IMG_TAG="${1:?missing tag}"; export IMG_TAG PROJECT=aptivaai-prod ENV=prod export PROJECT ENV # Pull runtime secrets (unchanged list) JWT_SECRET="$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project="$PROJECT")"; export JWT_SECRET OPENAI_API_KEY="$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project="$PROJECT")"; export OPENAI_API_KEY ONET_USERNAME="$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project="$PROJECT")"; export ONET_USERNAME ONET_PASSWORD="$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project="$PROJECT")"; export ONET_PASSWORD STRIPE_SECRET_KEY="$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project="$PROJECT")"; export STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY="$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project="$PROJECT")"; export STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET="$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project="$PROJECT")"; export STRIPE_WH_SECRET STRIPE_PRICE_PREMIUM_MONTH="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PREMIUM_YEAR STRIPE_PRICE_PRO_MONTH="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PRO_YEAR DB_NAME="$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project="$PROJECT")"; export DB_NAME DB_HOST="$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project="$PROJECT")"; export DB_HOST DB_PORT="$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project="$PROJECT")"; export DB_PORT DB_USER="$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project="$PROJECT")"; export DB_USER DB_PASSWORD="$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project="$PROJECT")"; export DB_PASSWORD DB_SSL_CA="$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project="$PROJECT")"; export DB_SSL_CA DB_SSL_CERT="$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project="$PROJECT")"; export DB_SSL_CERT DB_SSL_KEY="$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project="$PROJECT")"; export DB_SSL_KEY EMAIL_INDEX_SECRET="$(gcloud secrets versions access latest --secret=EMAIL_INDEX_SECRET_$ENV --project="$PROJECT")"; export EMAIL_INDEX_SECRET TWILIO_ACCOUNT_SID="$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project="$PROJECT")"; export TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN="$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project="$PROJECT")"; export TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID="$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project="$PROJECT")"; export TWILIO_MESSAGING_SERVICE_SID KMS_KEY_NAME="$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project="$PROJECT")"; export KMS_KEY_NAME DEK_PATH="$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project="$PROJECT")"; export DEK_PATH SUPPORT_SENDGRID_API_KEY="$(gcloud secrets versions access latest --secret=SUPPORT_SENDGRID_API_KEY_$ENV --project="$PROJECT")"; export SUPPORT_SENDGRID_API_KEY GOOGLE_MAPS_API_KEY="$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project="$PROJECT")"; export GOOGLE_MAPS_API_KEY SERVER1_PORT="$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project="$PROJECT")"; export SERVER1_PORT SERVER2_PORT="$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project="$PROJECT")"; export SERVER2_PORT SERVER3_PORT="$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project="$PROJECT")"; export SERVER3_PORT ENV_NAME="$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project="$PROJECT")"; export ENV_NAME CORS_ALLOWED_ORIGINS="$(gcloud secrets versions access latest --secret=CORDS_ALLOWED_ORIGINS_$ENV --project="$PROJECT" 2>/dev/null || true)"; export CORS_ALLOWED_ORIGINS="${CORS_ALLOWED_ORIGINS:-}" APTIVA_API_BASE="$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project="$PROJECT")"; export APTIVA_API_BASE TOKEN_MAX_AGE_MS="$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project="$PROJECT")"; export TOKEN_MAX_AGE_MS COOKIE_SECURE="$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project="$PROJECT")"; export COOKIE_SECURE COOKIE_SAMESITE="$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project="$PROJECT")"; export COOKIE_SAMESITE ACCESS_COOKIE_NAME="$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project="$PROJECT")"; export ACCESS_COOKIE_NAME export FROM_SECRETS_MANAGER=true APP_DIR="/home/jcoakley_aptivaai_com" cd "$APP_DIR" # Make Artifact Registry creds available to root (docker compose runs under sudo) gcloud auth configure-docker us-central1-docker.pkg.dev -q sudo gcloud auth configure-docker us-central1-docker.pkg.dev -q sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME,EMAIL_INDEX_SECRET \ docker compose pull sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME,EMAIL_INDEX_SECRET \ docker compose up -d --force-recreate --remove-orphans echo "✅ Prod stack refreshed with tag $IMG_TAG" EOSSH secrets: - PROD_SSH_KEY - PROD_SSH_TARGET when: event: - manual branch: - master