184 lines
12 KiB
YAML
184 lines
12 KiB
YAML
---
|
|
kind: pipeline
|
|
type: docker
|
|
name: prod-promotion
|
|
|
|
steps:
|
|
- name: promote-tag-and-mirror
|
|
image: google/cloud-sdk:latest
|
|
entrypoint:
|
|
- bash
|
|
- -c
|
|
- |
|
|
set -euo pipefail
|
|
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
|
|
|
# Dev is the single source of truth for IMG_TAG
|
|
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
|
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
|
|
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
|
|
|
apt-get update -qq
|
|
apt-get install -y -qq docker.io
|
|
gcloud auth configure-docker us-central1-docker.pkg.dev -q
|
|
|
|
for svc in server1 server2 server3 nginx; do
|
|
docker pull "$SRC/$svc:$IMG_TAG"
|
|
docker tag "$SRC/$svc:$IMG_TAG" "$DST/$svc:$IMG_TAG"
|
|
docker push "$DST/$svc:$IMG_TAG"
|
|
done
|
|
|
|
# Publish the exact tag to prod SM so deploy & scan read the same value
|
|
printf "%s" "${IMG_TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="aptivaai-prod" >/dev/null
|
|
echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
|
|
|
|
- name: verify-sync
|
|
depends_on: [promote-tag-and-mirror]
|
|
image: google/cloud-sdk:latest
|
|
entrypoint:
|
|
- bash
|
|
- -c
|
|
- |
|
|
set -euo pipefail
|
|
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
|
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
|
prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
|
|
[[ "$IMG_TAG" == "$prod_val" ]] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$prod_val"; exit 1; }
|
|
echo "✅ Tag parity confirmed: $IMG_TAG"
|
|
# Ensure images truly exist in PROD AR
|
|
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
|
apt-get update -qq && apt-get install -y -qq docker.io
|
|
gcloud auth configure-docker us-central1-docker.pkg.dev -q
|
|
for svc in server1 server2 server3 nginx; do
|
|
docker pull "$DST/$svc:$IMG_TAG" >/dev/null
|
|
done
|
|
echo "✅ Prod AR has all images at :$IMG_TAG"
|
|
|
|
- name: security-scan
|
|
depends_on: [verify-sync]
|
|
image: google/cloud-sdk:latest
|
|
entrypoint:
|
|
- bash
|
|
- -c
|
|
- |
|
|
set -euo pipefail
|
|
# Guard so this file doesn't run unless you explicitly set PROMOTE=prod in the UI
|
|
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
|
|
|
# Scan the images that WILL be deployed: pull IMG_TAG from PROD
|
|
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
|
REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
|
|
|
apt-get update -qq
|
|
apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io
|
|
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
|
|
export PATH="$PATH:$(pwd)/bin"
|
|
|
|
gcloud auth configure-docker us-central1-docker.pkg.dev -q
|
|
|
|
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
|
|
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
|
|
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
|
|
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
|
|
|
|
- name: prod-deploy
|
|
depends_on: [security-scan]
|
|
image: google/cloud-sdk:latest
|
|
entrypoint:
|
|
- bash
|
|
- -c
|
|
- |
|
|
set -euo pipefail
|
|
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
|
|
|
mkdir -p ~/.ssh
|
|
|
|
gcloud secrets versions access latest \
|
|
--secret=PROD_SSH_KEY --project=aptivaai-dev \
|
|
| base64 -d > ~/.ssh/id_ed25519
|
|
chmod 600 ~/.ssh/id_ed25519
|
|
|
|
PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
|
|
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
|
|
|
echo "🔑 SSH prerequisites installed"
|
|
|
|
echo '
|
|
set -euo pipefail
|
|
IMG_TAG="${1:?IMG_TAG arg missing}"
|
|
export IMG_TAG
|
|
|
|
PROJECT=aptivaai-prod
|
|
ENV=prod
|
|
export PROJECT ENV
|
|
|
|
# Optional sanity check
|
|
prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT)"
|
|
[ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }
|
|
|
|
# Pull all runtime secrets from aptivaai-prod
|
|
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \
|
|
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \
|
|
ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); export ONET_USERNAME; \
|
|
ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); export ONET_PASSWORD; \
|
|
STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); export STRIPE_SECRET_KEY; \
|
|
STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); export STRIPE_PUBLISHABLE_KEY; \
|
|
STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); export STRIPE_WH_SECRET; \
|
|
STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); export STRIPE_PRICE_PREMIUM_MONTH; \
|
|
STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); export STRIPE_PRICE_PREMIUM_YEAR; \
|
|
STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); export STRIPE_PRICE_PRO_MONTH; \
|
|
STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); export STRIPE_PRICE_PRO_YEAR; \
|
|
DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); export DB_NAME; \
|
|
DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); export DB_HOST; \
|
|
DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); export DB_PORT; \
|
|
DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); export DB_USER; \
|
|
DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); export DB_PASSWORD; \
|
|
DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); export DB_SSL_CA; \
|
|
DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); export DB_SSL_CERT; \
|
|
DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); export DB_SSL_KEY; \
|
|
TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); export TWILIO_ACCOUNT_SID; \
|
|
TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); export TWILIO_AUTH_TOKEN; \
|
|
TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); export TWILIO_MESSAGING_SERVICE_SID; \
|
|
KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); export KMS_KEY_NAME; \
|
|
DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); export DEK_PATH; \
|
|
SUPPORT_SENDGRID_API_KEY=$(gcloud secrets versions access latest --secret=SUPPORT_SENDGRID_API_KEY_$ENV --project=$PROJECT); export SUPPORT_SENDGRID_API_KEY; \
|
|
GOOGLE_MAPS_API_KEY=$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project=$PROJECT); export GOOGLE_MAPS_API_KEY; \
|
|
SERVER1_PORT=$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project=$PROJECT); export SERVER1_PORT; \
|
|
SERVER2_PORT=$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project=$PROJECT); export SERVER2_PORT; \
|
|
SERVER3_PORT=$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project=$PROJECT); export SERVER3_PORT; \
|
|
ENV_NAME=$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project=$PROJECT); export ENV_NAME; \
|
|
CORS_ALLOWED_ORIGINS=$(gcloud secrets versions access latest --secret=CORS_ALLOWED_ORIGINS_$ENV --project=$PROJECT); export CORS_ALLOWED_ORIGINS; \
|
|
APTIVA_API_BASE=$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project=$PROJECT); export APTIVA_API_BASE; \
|
|
TOKEN_MAX_AGE_MS=$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project=$PROJECT); export TOKEN_MAX_AGE_MS; \
|
|
COOKIE_SECURE=$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project=$PROJECT); export COOKIE_SECURE; \
|
|
COOKIE_SAMESITE=$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project=$PROJECT); export COOKIE_SAMESITE; \
|
|
ACCESS_COOKIE_NAME=$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project=$PROJECT); export ACCESS_COOKIE_NAME; \
|
|
export FROM_SECRETS_MANAGER=true; \
|
|
\
|
|
APP_DIR="/home/jcoakley_aptivaai_com"; \
|
|
cd "$APP_DIR"; \
|
|
cloud auth configure-docker us-central1-docker.pkg.dev -q; \
|
|
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
|
|
docker compose pull; \
|
|
sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
|
|
docker compose up -d --force-recreate --remove-orphans; \
|
|
echo "✅ Prod stack refreshed with tag $IMG_TAG"
|
|
' | ssh -T \
|
|
-o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
|
|
--project=aptivaai-prod --zone=us-central1-a \
|
|
--listen-on-stdin --verbosity=error" \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
-i ~/.ssh/id_ed25519 \
|
|
"$PROD_SSH_TARGET" bash -s -- "$IMG_TAG"
|
|
|
|
secrets:
|
|
- PROD_SSH_KEY
|
|
- PROD_SSH_TARGET
|
|
|
|
when:
|
|
event:
|
|
- manual
|
|
branch:
|
|
- master
|