vault app_role secrets pass

This commit is contained in:
Stephan D
2025-11-07 11:31:32 +01:00
parent 0bb32ccabd
commit ca76eb5bf9
3 changed files with 39 additions and 33 deletions


@@ -17,36 +17,35 @@ steps:
image: alpine:latest
depends_on: [ version ]
environment:
# Vault access for CI (AppRole for CI itself, NOT the app AppRole)
# CI's own AppRole creds for accessing Vault to fetch the SSH key (existing names)
VAULT_ADDR: https://vault.sendico.io
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE } # CI's AppRole role_id
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID } # CI's AppRole secret_id
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
commands:
- set -euo pipefail
- apk add --no-cache curl bash coreutils sed python3 openssh-keygen
- apk add --no-cache bash coreutils openssh-keygen curl sed
- mkdir -p secrets
# Fetch SSH private key for deploy (base64-encoded) and decode
# Retrieve SSH private key for deploy (existing helper)
- ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- chmod 600 secrets/SSH_KEY
- ssh-keygen -y -f secrets/SSH_KEY >/dev/null
# Fetch AppRole creds for Vault Agent (adjust the KV path if different)
- ./ci/vlt kv_to_file kv ops/vault/approle/sendico-db role_id secrets/ROLE_ID 600
- ./ci/vlt kv_to_file kv ops/vault/approle/sendico-db secret_id secrets/SECRET_ID 600
- name: deploy
image: alpine:latest
depends_on: [ secrets ]
# Reuse the SAME Woodpecker secrets to pass AppRole to the Vault Agent at runtime
environment:
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
commands:
- set -euo pipefail
- apk add --no-cache bash openssh-client rsync coreutils
- mkdir -p /root/.ssh
- install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
# Normalize CRLF if any, then export runtime env (Compose variables)
- sed -i 's/\r$//' ./ci/prod/.env.runtime
- set -a
- . ./ci/prod/.env.runtime
- . ./.env.version
- set +a
# Run external deploy script (quiet by default; set DEBUG_DEPLOY=1 to debug)
- bash ci/prod/scripts/deploy-db.sh
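Review bot: The deploy step's new `environment:` block (`VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }` / `VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }`) hands CI's own AppRole credentials to the runtime Vault Agent, while the comment kept a few lines above still says that AppRole is "for CI itself, NOT the app AppRole"; one of the two is wrong. If the side assignment is as it appears (no `+`/`-` markers survive), the separate `ops/vault/approle/sendico-db` fetch is what was dropped, so the agent on the target now runs under CI's Vault policy — including whatever grants access to `ops/deploy/ssh_key` — and a rotation of either secret_id breaks both consumers. Either keep a distinct AppRole for the application via its own Woodpecker secrets (e.g. `from_secret: <APP_ROLE_ID_SECRET>` / `<APP_SECRET_ID_SECRET>`, names to be chosen) or replace the stale comment with `# NOTE: deploy reuses CI's AppRole; the Vault Agent inherits CI's Vault policy` so the shared identity is an explicit decision. Also note that after `set -a` these two variables are exported into `deploy-db.sh`'s environment along with `.env.runtime`, so that script should be checked not to echo them or place them on a remote command line. The `steps:` list this hunk belongs to starts above the hunk.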