--- kind: pipeline type: docker name: ssh-test steps: - name: security-scan image: google/cloud-sdk:latest entrypoint: - bash - -c - | set -euo pipefail IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev) REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo apt-get update -qq apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash export PATH="$PATH:$(pwd)/bin" gcloud auth configure-docker us-central1-docker.pkg.dev -q trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG - name: staging-deploy image: google/cloud-sdk:latest entrypoint: - bash - -c - | set -euo pipefail mkdir -p ~/.ssh # ── Inject known-hosts and SSH key ─────────────────────────────── gcloud secrets versions access latest \ --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \ | base64 -d > ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts gcloud secrets versions access latest \ --secret=STAGING_SSH_KEY --project=aptivaai-dev \ | base64 -d > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 echo "🔑 SSH prerequisites installed" # ── SSH into staging and deploy ────────────────────────────────── ssh -o StrictHostKeyChecking=yes \ -i ~/.ssh/id_ed25519 \ jcoakley@10.128.0.12 \ 'set -euo pipefail; \ PROJECT=aptivaai-dev; \ ENV=staging; \ IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \ export IMG_TAG; \ JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); \ export JWT_SECRET; \ OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); \ export OPENAI_API_KEY; \ ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); \ export ONET_USERNAME; \ ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); \ export ONET_PASSWORD; \ STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); \ export STRIPE_SECRET_KEY; \ STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); \ export STRIPE_PUBLISHABLE_KEY; \ STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); \ export STRIPE_WH_SECRET; \ STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); \ export STRIPE_PRICE_PREMIUM_MONTH; \ STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); \ export STRIPE_PRICE_PREMIUM_YEAR; \ STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); \ export STRIPE_PRICE_PRO_MONTH; \ STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); \ export STRIPE_PRICE_PRO_YEAR; \ DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); \ export DB_NAME; \ DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); \ export DB_HOST; \ DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); \ export DB_PORT; \ DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); \ export DB_USER; \ DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); \ export DB_PASSWORD; \ DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); \ export DB_SSL_CA; \ DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); \ export DB_SSL_CERT; \ DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); \ export DB_SSL_KEY; \ TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); \ export TWILIO_ACCOUNT_SID; \ TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); \ export TWILIO_AUTH_TOKEN; \ TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); \ export TWILIO_MESSAGING_SERVICE_SID; \ KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); \ export KMS_KEY_NAME; \ DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); \ export DEK_PATH; \ export FROM_SECRETS_MANAGER=true; \ # ── NEW: sync dev DEK into staging volume (uses Secret Manager) ── \ if gcloud secrets describe WRAPPED_DEK_dev --project=$PROJECT >/dev/null 2>&1; then \ echo \"🔁 Syncing dev DEK into staging volume\"; \ gcloud secrets versions access latest --secret=WRAPPED_DEK_dev --project=$PROJECT > /tmp/dev_dek.enc; \ if [ -s /tmp/dev_dek.enc ]; then \ docker volume ls -q | grep -qx aptiva_dek_staging || docker volume create aptiva_dek_staging >/dev/null; \ sudo docker run --rm -v aptiva_dek_staging:/v -v /tmp:/host busybox sh -c 'set -e; mkdir -p /v/staging; cp -f /host/dev_dek.enc /v/staging/dek.enc; chown 1000:1000 /v/staging/dek.enc; chmod 400 /v/staging/dek.enc; rm -f /v/staging/dek.fpr; echo -n "staging dek.enc bytes: "; wc -c