+ fx

.woodpecker/db.yml

@@ -18,7 +18,7 @@ steps:
     depends_on: [ version ]
     environment:
       # CI's own AppRole creds for accessing Vault to fetch the SSH key (existing names)
-      VAULT_ADDR: https://vault.sendico.io
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
       VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
     commands:

.woodpecker/fx_ingestor.yml

@@ -0,0 +1,100 @@
+when:
+  - event: push
+    branch: main
+
+steps:
+  - name: version
+    image: alpine:latest
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - apk add --no-cache git
+      - GIT_REV="$(git rev-parse --short HEAD)"
+      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+      - APP_V="$(cat version)"
+      - BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      - BUILD_USER="${WOODPECKER_MACHINE:-woodpecker}"
+      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\nBUILD_DATE=%s\nBUILD_USER=%s\n" \
+          "$GIT_REV" "$BUILD_BRANCH" "$APP_V" "$BUILD_DATE" "$BUILD_USER" | tee .env.version
+
+  - name: secrets
+    image: alpine:latest
+    depends_on: [ version ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - mkdir -p secrets
+      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
+      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
+      - chmod 600 secrets/SSH_KEY
+      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+      - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
+      - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor:debug
+    depends_on: [ secrets ]
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - sed -i 's/\r$//' ./ci/prod/.env.runtime
+      - sed -i 's/\r$//' ./.env.version
+      - set -a
+      - . ./ci/prod/.env.runtime
+      - . ./.env.version
+      - set +a
+      - FX_GO_VERSION="${FX_GO_VERSION:-1.22}"
+      - ": \"${REGISTRY_URL:?missing REGISTRY_URL}\""
+      - ": \"${APP_V:?missing APP_V}\""
+      - REGISTRY_HOST="${REGISTRY_URL#http://}"
+      - REGISTRY_HOST="${REGISTRY_HOST#https://}"
+      - REGISTRY_USER="$(cat secrets/REGISTRY_USER)"
+      - REGISTRY_PASSWORD="$(cat secrets/REGISTRY_PASSWORD)"
+      - ": \"${REGISTRY_USER:?missing registry user}\""
+      - ": \"${REGISTRY_PASSWORD:?missing registry password}\""
+      - mkdir -p /kaniko/.docker
+      - AUTH_B64="$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASSWORD" | base64 | tr -d '\n')"
+      - |
+        cat <<EOF >/kaniko/.docker/config.json
+        {
+          "auths": {
+            "https://${REGISTRY_HOST}": { "auth": "${AUTH_B64}" }
+          }
+        }
+        EOF
+      - |
+        /kaniko/executor \
+          --context "${PWD}" \
+          --dockerfile ci/prod/compose/fx_ingestor.dockerfile \
+          --destination "${REGISTRY_URL}/fx/ingestor:${APP_V}" \
+          --build-arg APP_VERSION="${APP_V}" \
+          --build-arg GIT_REV="${GIT_REV}" \
+          --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \
+          --build-arg BUILD_DATE="${BUILD_DATE}" \
+          --build-arg BUILD_USER="${BUILD_USER}" \
+          --build-arg GO_VERSION="${FX_GO_VERSION}" \
+          --single-snapshot
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets, build-image ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - sed -i 's/\r$//' ./ci/prod/.env.runtime
+      - set -a
+      - . ./ci/prod/.env.runtime
+      - . ./.env.version
+      - set +a
+      - export FX_MONGO_USER="$(./ci/vlt kv_get kv sendico/db user)"
+      - export FX_MONGO_PASSWORD="$(./ci/vlt kv_get kv sendico/db password)"
+      - bash ci/prod/scripts/bootstrap/network.sh
+      - bash ci/prod/scripts/deploy/fx.sh ingestor

.woodpecker/fx_oracle.yml

@@ -0,0 +1,103 @@
+when:
+  - event: push
+    branch: main
+
+steps:
+  - name: version
+    image: alpine:latest
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - apk add --no-cache git
+      - GIT_REV="$(git rev-parse --short HEAD)"
+      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+      - APP_V="$(cat version)"
+      - BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      - BUILD_USER="${WOODPECKER_MACHINE:-woodpecker}"
+      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\nBUILD_DATE=%s\nBUILD_USER=%s\n" \
+          "$GIT_REV" "$BUILD_BRANCH" "$APP_V" "$BUILD_DATE" "$BUILD_USER" | tee .env.version
+
+  - name: secrets
+    image: alpine:latest
+    depends_on: [ version ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - mkdir -p secrets
+      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
+      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
+      - chmod 600 secrets/SSH_KEY
+      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+      - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
+      - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor:debug
+    depends_on: [ secrets ]
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - sed -i 's/\r$//' ./ci/prod/.env.runtime
+      - sed -i 's/\r$//' ./.env.version
+      - set -a
+      - . ./ci/prod/.env.runtime
+      - . ./.env.version
+      - set +a
+      - FX_GO_VERSION="${FX_GO_VERSION:-1.22}"
+      - ": \"${REGISTRY_URL:?missing REGISTRY_URL}\""
+      - ": \"${APP_V:?missing APP_V}\""
+      - REGISTRY_HOST="${REGISTRY_URL#http://}"
+      - REGISTRY_HOST="${REGISTRY_HOST#https://}"
+      - REGISTRY_USER="$(cat secrets/REGISTRY_USER)"
+      - REGISTRY_PASSWORD="$(cat secrets/REGISTRY_PASSWORD)"
+      - ": \"${REGISTRY_USER:?missing registry user}\""
+      - ": \"${REGISTRY_PASSWORD:?missing registry password}\""
+      - mkdir -p /kaniko/.docker
+      - AUTH_B64="$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASSWORD" | base64 | tr -d '\n')"
+      - |
+        cat <<EOF >/kaniko/.docker/config.json
+        {
+          "auths": {
+            "https://${REGISTRY_HOST}": { "auth": "${AUTH_B64}" }
+          }
+        }
+        EOF
+      - |
+        /kaniko/executor \
+          --context "${PWD}" \
+          --dockerfile ci/prod/compose/fx_oracle.dockerfile \
+          --destination "${REGISTRY_URL}/fx/oracle:${APP_V}" \
+          --build-arg APP_VERSION="${APP_V}" \
+          --build-arg GIT_REV="${GIT_REV}" \
+          --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \
+          --build-arg BUILD_DATE="${BUILD_DATE}" \
+          --build-arg BUILD_USER="${BUILD_USER}" \
+          --build-arg GO_VERSION="${FX_GO_VERSION}" \
+          --single-snapshot
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets, build-image ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - sed -i 's/\r$//' ./ci/prod/.env.runtime
+      - set -a
+      - . ./ci/prod/.env.runtime
+      - . ./.env.version
+      - set +a
+      - export FX_MONGO_USER="$(./ci/vlt kv_get kv sendico/db user)"
+      - export FX_MONGO_PASSWORD="$(./ci/vlt kv_get kv sendico/db password)"
+      - export NATS_USER="$(./ci/vlt kv_get kv sendico/nats user)"
+      - export NATS_PASSWORD="$(./ci/vlt kv_get kv sendico/nats password)"
+      - export FX_NATS_URL="nats://${NATS_USER}:${NATS_PASSWORD}@${NATS_HOST}:${NATS_PORT}"
+      - bash ci/prod/scripts/bootstrap/network.sh
+      - bash ci/prod/scripts/deploy/fx.sh oracle

.woodpecker/nats.yml

@@ -17,7 +17,7 @@ steps:
     image: alpine:latest
     depends_on: [ version ]
     environment:
-      VAULT_ADDR: https://vault.sendico.io
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
       VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
     commands:
@@ -33,7 +33,7 @@ steps:
     image: alpine:latest
     depends_on: [ secrets ]
     environment:
-      VAULT_ADDR: https://vault.sendico.io
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
       VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
     commands: