vault app_role secrets pass

This commit is contained in:
Stephan D
2025-11-07 11:15:57 +01:00
parent 385c98939a
commit 0bb32ccabd
3 changed files with 51 additions and 19 deletions


@@ -6,6 +6,7 @@ steps:
- name: version
image: alpine:latest
commands:
- set -euo pipefail
- apk add --no-cache git
- GIT_REV="$(git rev-parse --short HEAD)"
- BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
@@ -16,17 +17,22 @@ steps:
image: alpine:latest
depends_on: [ version ]
environment:
# Vault access for CI (AppRole for CI itself, NOT the app AppRole)
VAULT_ADDR: https://vault.sendico.io
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE } # CI's AppRole role_id
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID } # CI's AppRole secret_id
commands:
- set -euo pipefail
- apk add --no-cache curl bash coreutils sed python3 openssh-keygen
- mkdir -p secrets
# fetch SSH private key for deploy (base64-encoded) and decode
# Fetch SSH private key for deploy (base64-encoded) and decode
- ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- chmod 600 secrets/SSH_KEY
- ssh-keygen -y -f secrets/SSH_KEY >/dev/null
# Fetch AppRole creds for Vault Agent (adjust the KV path if different)
- ./ci/vlt kv_to_file kv ops/vault/approle/sendico-db role_id secrets/ROLE_ID 600
- ./ci/vlt kv_to_file kv ops/vault/approle/sendico-db secret_id secrets/SECRET_ID 600
- name: deploy
image: alpine:latest
@@ -36,14 +42,11 @@ steps:
- apk add --no-cache bash openssh-client rsync coreutils
- mkdir -p /root/.ssh
- install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
# Normalize CRLF if any, then export runtime env (Compose variables)
- sed -i 's/\r$//' ./ci/prod/.env.runtime
- set -a
- . ./ci/prod/.env.runtime
- . ./.env.version
- set +a
# Run external deploy script (quiet by default; set DEBUG_DEPLOY=1 to debug)
- bash ci/prod/scripts/deploy-db.sh