[infra] vault + chsettle + aurora for dev

.woodpecker/gateway_aurora.yml

@@ -0,0 +1,99 @@
+matrix:
+  include:
+    - AURORA_GATEWAY_IMAGE_PATH: gateway/aurora
+      AURORA_GATEWAY_DOCKERFILE: ci/prod/compose/aurora_gateway.dockerfile
+      AURORA_GATEWAY_MONGO_SECRET_PATH: sendico/db
+      AURORA_GATEWAY_NATS_SECRET_PATH: sendico/nats
+
+labels:
+  platform: linux/amd64
+
+when:
+  - event: push
+    branch: main
+    path:
+      include:
+        - api/gateway/aurora/**
+        - api/gateway/common/**
+        - api/proto/**
+        - api/pkg/**
+        - ci/**
+        - .woodpecker/gateway_aurora.yml
+
+steps:
+  - name: version
+    image: alpine:latest
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - apk add --no-cache git
+      - GIT_REV="$(git rev-parse --short HEAD)"
+      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+      - APP_V="$(cat version)"
+      - BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      - BUILD_USER="${WOODPECKER_MACHINE:-woodpecker}"
+      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\nBUILD_DATE=%s\nBUILD_USER=%s\n" \
+          "$GIT_REV" "$BUILD_BRANCH" "$APP_V" "$BUILD_DATE" "$BUILD_USER" | tee .env.version
+
+  - name: proto
+    image: golang:alpine
+    depends_on: [ version ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base protoc protobuf-dev
+      - go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+      - go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - bash ci/scripts/proto/generate.sh
+
+  - name: backend-lint
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - CGO_ENABLED=0 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - sh ci/scripts/common/run_backend_lint.sh gateway_aurora
+
+  - name: backend-tests
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - sh ci/scripts/common/run_backend_tests.sh gateway_aurora
+
+  - name: secrets
+    image: alpine:latest
+    depends_on: [ version ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
+      - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
+      - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor:debug
+    depends_on: [ backend-lint, backend-tests, secrets ]
+    commands:
+      - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
+      - sh ci/scripts/aurora/build-image.sh
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets, build-image ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - sh ci/scripts/aurora/deploy.sh

.woodpecker/gateway_chsettle.yml

@@ -0,0 +1,99 @@
+matrix:
+  include:
+    - CHSETTLE_GATEWAY_IMAGE_PATH: gateway/chsettle
+      CHSETTLE_GATEWAY_DOCKERFILE: ci/prod/compose/chsettle_gateway.dockerfile
+      CHSETTLE_GATEWAY_MONGO_SECRET_PATH: sendico/db
+      CHSETTLE_GATEWAY_NATS_SECRET_PATH: sendico/nats
+
+labels:
+  platform: linux/amd64
+
+when:
+  - event: push
+    branch: main
+    path:
+      include:
+        - api/gateway/chsettle/**
+        - api/gateway/common/**
+        - api/proto/**
+        - api/pkg/**
+        - ci/**
+        - .woodpecker/gateway_chsettle.yml
+
+steps:
+  - name: version
+    image: alpine:latest
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - apk add --no-cache git
+      - GIT_REV="$(git rev-parse --short HEAD)"
+      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+      - APP_V="$(cat version)"
+      - BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      - BUILD_USER="${WOODPECKER_MACHINE:-woodpecker}"
+      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\nBUILD_DATE=%s\nBUILD_USER=%s\n" \
+          "$GIT_REV" "$BUILD_BRANCH" "$APP_V" "$BUILD_DATE" "$BUILD_USER" | tee .env.version
+
+  - name: proto
+    image: golang:alpine
+    depends_on: [ version ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base protoc protobuf-dev
+      - go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+      - go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - bash ci/scripts/proto/generate.sh
+
+  - name: backend-lint
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - CGO_ENABLED=0 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - sh ci/scripts/common/run_backend_lint.sh gateway_chsettle
+
+  - name: backend-tests
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - sh ci/scripts/common/run_backend_tests.sh gateway_chsettle
+
+  - name: secrets
+    image: alpine:latest
+    depends_on: [ version ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
+      - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
+      - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor:debug
+    depends_on: [ backend-lint, backend-tests, secrets ]
+    commands:
+      - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
+      - sh ci/scripts/chsettle/build-image.sh
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets, build-image ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - sh ci/scripts/chsettle/deploy.sh

.woodpecker/gateway_mntx.yml

@@ -69,6 +69,8 @@ steps:
   - name: secrets
     image: alpine:latest
     depends_on: [ version ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
@@ -83,6 +85,8 @@ steps:
   - name: build-image
     image: gcr.io/kaniko-project/executor:debug
     depends_on: [ backend-lint, backend-tests, secrets ]
+    when:
+      - event: tag
     commands:
       - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
       - sh ci/scripts/mntx/build-image.sh
@@ -90,6 +94,8 @@ steps:
   - name: deploy
     image: alpine:latest
     depends_on: [ secrets, build-image ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }

.woodpecker/gateway_tgsettle.yml

@@ -67,6 +67,8 @@ steps:
   - name: secrets
     image: alpine:latest
     depends_on: [ version ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
@@ -81,6 +83,8 @@ steps:
   - name: build-image
     image: gcr.io/kaniko-project/executor:debug
     depends_on: [ backend-lint, backend-tests, secrets ]
+    when:
+      - event: tag
     commands:
       - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
       - sh ci/scripts/tgsettle/build-image.sh
@@ -88,6 +92,8 @@ steps:
   - name: deploy
     image: alpine:latest
     depends_on: [ secrets, build-image ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }

.woodpecker/vault.yml

@@ -0,0 +1,31 @@
+when:
+  - event: push
+    branch: main
+    path:
+      exclude: ['**']
+      ignore_message: '[infra]'
+
+steps:
+  - name: secrets
+    image: alpine:latest
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets ]
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - . ./ci/scripts/common/runtime_env.sh
+      - load_runtime_env_bundle "$(resolve_runtime_env_name)"
+      - bash ci/prod/scripts/bootstrap/network.sh
+      - sh ci/scripts/vault/deploy.sh