dev cicd + tron + docs

2026-01-30 16:58:02 +01:00
parent 51f5b0804a
commit c1596296d1
52 changed files with 3695 additions and 0 deletions
--- a/ci/dev/scripts/mongo-entrypoint.sh
+++ b/ci/dev/scripts/mongo-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# MongoDB entrypoint wrapper for dev environment
+# Reads credentials from Vault secrets and initializes MongoDB
+set -euo pipefail
+
+# Read credentials from Vault Agent-rendered files
+if [ -s /vault/secrets/MONGO_ROOT_USER ] && [ -s /vault/secrets/MONGO_ROOT_PASSWORD ]; then
+  export MONGO_INITDB_ROOT_USERNAME="$(cat /vault/secrets/MONGO_ROOT_USER)"
+  export MONGO_INITDB_ROOT_PASSWORD="$(cat /vault/secrets/MONGO_ROOT_PASSWORD)"
+fi
+
+# Execute original MongoDB entrypoint
+exec docker-entrypoint.sh "$@"
--- a/ci/dev/scripts/nats-entrypoint.sh
+++ b/ci/dev/scripts/nats-entrypoint.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# NATS entrypoint wrapper for dev environment
+# Reads credentials from Vault secrets and starts NATS
+set -euo pipefail
+
+# Read NATS credentials from Vault Agent-rendered files
+NATS_USER="$(cat /vault/secrets/NATS_USER)"
+NATS_PASSWORD="$(cat /vault/secrets/NATS_PASSWORD)"
+
+# Start NATS with JetStream
+exec nats-server \
+  --jetstream \
+  --store_dir=/data \
+  --http_port=8222 \
+  --port=4222 \
+  --server_name=dev-nats \
+  --user="${NATS_USER}" \
+  --pass="${NATS_PASSWORD}"
--- a/ci/dev/scripts/vault-setup.sh
+++ b/ci/dev/scripts/vault-setup.sh
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# Vault Setup Script for Development Environment
+# Creates AppRole, policies, and secrets for dev services
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+
+# Source the vlt helper
+VLT="${REPO_ROOT}/ci/vlt"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+log() { echo -e "${GREEN}[vault-setup]${NC} $*"; }
+warn() { echo -e "${YELLOW}[vault-setup]${NC} $*"; }
+error() { echo -e "${RED}[vault-setup]${NC} $*" >&2; }
+
+# Check prerequisites
+if [ ! -f "$VLT" ]; then
+  error "Vault helper not found at $VLT"
+  exit 1
+fi
+
+if [ -z "${VAULT_ADDR:-}" ]; then
+  error "VAULT_ADDR is not set"
+  error "Please ensure Vault is running: cd infra/vault && docker compose up -d"
+  exit 1
+fi
+
+log "Checking Vault connection..."
+if ! curl -sf "${VAULT_ADDR}/v1/sys/health" > /dev/null; then
+  error "Cannot connect to Vault at ${VAULT_ADDR}"
+  error "Please ensure Vault is running: cd infra/vault && docker compose up -d"
+  exit 1
+fi
+
+log "✓ Vault is reachable at ${VAULT_ADDR}"
+
+# You need to be authenticated to Vault to run this script
+# Either set VAULT_TOKEN or VAULT_ROLE_ID + VAULT_SECRET_ID
+if [ -z "${VAULT_TOKEN:-}" ]; then
+  warn "VAULT_TOKEN not set. Attempting AppRole login..."
+  if [ -z "${VAULT_ROLE_ID:-}" ] || [ -z "${VAULT_SECRET_ID:-}" ]; then
+    error "Neither VAULT_TOKEN nor VAULT_ROLE_ID/VAULT_SECRET_ID are set"
+    error "Please authenticate to Vault first:"
+    error "  export VAULT_TOKEN=<your-vault-token>"
+    error "Or use AppRole:"
+    error "  export VAULT_ROLE_ID=<role-id>"
+    error "  export VAULT_SECRET_ID=<secret-id>"
+    exit 1
+  fi
+  "${VLT}" login
+  VAULT_TOKEN="$(cat .vault_token)"
+  export VAULT_TOKEN
+fi
+
+log "Creating dev environment policy..."
+cat <<'EOF' | curl -sf -X PUT -H "X-Vault-Token: ${VAULT_TOKEN}" \
+  --data-binary @- "${VAULT_ADDR}/v1/sys/policy/dev-services" > /dev/null
+{
+  "policy": "path \"kv/data/sendico/dev\" { capabilities = [\"read\"] }"
+}
+EOF
+
+log "Creating dev-services AppRole..."
+curl -sf -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" \
+  -d '{"policies": ["dev-services"], "bind_secret_id": true, "token_ttl": "24h", "token_max_ttl": "720h"}' \
+  "${VAULT_ADDR}/v1/auth/approle/role/dev-services" > /dev/null
+
+log "Fetching AppRole credentials..."
+ROLE_ID=$(curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
+  "${VAULT_ADDR}/v1/auth/approle/role/dev-services/role-id" | \
+  grep -o '"role_id":"[^"]*' | cut -d'"' -f4)
+
+SECRET_ID=$(curl -sf -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" \
+  "${VAULT_ADDR}/v1/auth/approle/role/dev-services/secret-id" | \
+  grep -o '"secret_id":"[^"]*' | cut -d'"' -f4)
+
+log "Creating/updating dev secrets in Vault..."
+
+# Generate random credentials if they don't exist
+MONGO_USER="sendico_dev"
+MONGO_PASSWORD="$(openssl rand -base64 32 | tr -d '/+=' | cut -c1-24)"
+MONGO_KEYFILE="$(openssl rand -base64 756 | tr -d '\n')"
+NATS_USER="sendico_dev"
+NATS_PASSWORD="$(openssl rand -base64 32 | tr -d '/+=' | cut -c1-24)"
+
+curl -sf -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" \
+  -d "{
+    \"data\": {
+      \"mongo_user\": \"${MONGO_USER}\",
+      \"mongo_password\": \"${MONGO_PASSWORD}\",
+      \"mongo_keyfile\": \"${MONGO_KEYFILE}\",
+      \"nats_user\": \"${NATS_USER}\",
+      \"nats_password\": \"${NATS_PASSWORD}\"
+    }
+  }" \
+  "${VAULT_ADDR}/v1/kv/data/sendico/dev" > /dev/null
+
+log "✅ Vault setup complete!"
+echo ""
+log "AppRole Credentials (add these to .env.dev):"
+echo ""
+echo "VAULT_ROLE_ID=${ROLE_ID}"
+echo "VAULT_SECRET_ID=${SECRET_ID}"
+echo ""
+warn "IMPORTANT: Save these credentials in .env.dev"
+warn "They will be needed to start the dev environment"