tech/sendico
2
0
Fork 0
Code Issues 22 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

vault app_role secrets pass
Some checks failed
ci/woodpecker/push/db Pipeline failed
Details

Browse Source
This commit is contained in:
Stephan D
2025-11-07 11:31:32 +01:00
parent 0bb32ccabd
commit ca76eb5bf9
3 changed files with 39 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
ci/prod/scripts/deploy-db.sh
View File

@@ -1,14 +1,17 @@
#!/usr/bin/env bash
set -euo pipefail
# Enable verbose mode only when DEBUG_DEPLOY=1
# Enable verbose logs only when DEBUG_DEPLOY=1
[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && set -x
trap 'echo "[deploy-db] error at line $LINENO" >&2' ERR
# Required env (exported by CI step from .env.runtime)
# Required env exported by CI
: "${REMOTE_BASE:?missing REMOTE_BASE}"
: "${DB_DIR:?missing DB_DIR}"
: "${SSH_USER:?missing SSH_USER}"
: "${SSH_HOST:?missing SSH_HOST}"
# Pass-through AppRole creds for Vault Agent (provided by Woodpecker secrets with existing names)
: "${VAULT_ROLE_ID:?missing VAULT_ROLE_ID}"
: "${VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
REMOTE_DIR="${REMOTE_BASE%/}/${DB_DIR}"
REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
@@ -29,19 +32,15 @@ fi
RSYNC_FLAGS=(-az --delete)
[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && RSYNC_FLAGS=(-avz --delete)
# AppRole creds for Vault Agent, fetched in the previous pipeline step
VAULT_ROLE_ID="$(cat secrets/ROLE_ID)"
VAULT_SECRET_ID="$(cat secrets/SECRET_ID)"
# Create remote directory structure
# Prepare remote filesystem
ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
# Sync compose bundle and runtime env to the remote host
rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/.env.runtime "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/.env.runtime "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
# Deploy on remote: export AppRole creds ONLY to the compose commands.
# The vault-agent container will read them, write to tmpfs, unset, and exec.
# Deploy on remote: pass AppRole creds ONLY to compose invocations.
# The vault-agent container writes them into tmpfs and unsets them internally.
ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
REMOTE_DIR="$REMOTE_DIR" \
VAULT_ROLE_ID="$VAULT_ROLE_ID" \
@@ -51,7 +50,7 @@ set -euo pipefail
cd "${REMOTE_DIR}/compose"
set -a; . ../env/.env.runtime; set +a
# Pull and start with ephemeral AppRole env present only for these invocations
# Run with ephemeral AppRole env (scoped only to these commands)
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml pull --quiet 2>/dev/null || \
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml pull