tech/sendico
2
0
Fork 0
Code Issues 34 Pull Requests Actions Packages Projects Releases Wiki Activity

ci: deploy dev infra [rebuild] #759

Merged
tech merged 1 commits from codex/infra-only into main 2026-03-17 00:22:04 +00:00
Conversation 0 Commits 1 Files Changed 43 +390 -105
43 changed files with 390 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 9e91a9f90c - Show all commits

3
.woodpecker/bff.yml
View File

@@ -81,8 +81,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/billing_documents.yml
View File

@@ -76,8 +76,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/billing_fees.yml
View File

@@ -76,8 +76,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/callbacks.yml
View File

@@ -77,8 +77,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/discovery.yml
View File

@@ -75,8 +75,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/frontend.yml
View File

@@ -49,8 +49,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: frontend-tests
image: ghcr.io/cirruslabs/flutter:stable

3
.woodpecker/fx_ingestor.yml
View File

@@ -81,8 +81,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/fx_oracle.yml
View File

@@ -82,8 +82,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/gateway_aurora.yml
View File

@@ -76,8 +76,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/gateway_chain.yml
View File

@@ -80,8 +80,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/gateway_chsettle.yml
View File

@@ -76,8 +76,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/gateway_mntx.yml
View File

@@ -69,8 +69,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/gateway_tgsettle.yml
View File

@@ -67,8 +67,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/gateway_tron.yml
View File

@@ -80,8 +80,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/ledger.yml
View File

@@ -76,8 +76,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

4
.woodpecker/nats.yml
View File

@@ -43,7 +43,7 @@ steps:
- install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
- . ./ci/scripts/common/runtime_env.sh
- load_runtime_env_bundle "$(resolve_runtime_env_name)"
- export NATS_USER="$(./ci/vlt kv_get kv sendico/nats user)"
- export NATS_PASSWORD="$(./ci/vlt kv_get kv sendico/nats password)"
- export NATS_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv sendico/nats user 2>/dev/null || CI_VAULT_SOURCE=external ./ci/vlt kv_get kv sendico/nats user)"
- export NATS_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv sendico/nats password 2>/dev/null || CI_VAULT_SOURCE=external ./ci/vlt kv_get kv sendico/nats password)"
- bash ci/prod/scripts/bootstrap/network.sh
- bash ci/prod/scripts/deploy/nats.sh

3
.woodpecker/notification.yml
View File

@@ -79,8 +79,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/payments_methods.yml
View File

@@ -77,8 +77,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/payments_orchestrator.yml
View File

@@ -77,8 +77,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

3
.woodpecker/payments_quotation.yml
View File

@@ -77,8 +77,7 @@ steps:
- set -euo pipefail
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
- ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
- ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
- sh ci/scripts/common/fetch_registry_creds.sh
- name: build-image
image: gcr.io/kaniko-project/executor:debug

4
.woodpecker/vault.yml
View File

@@ -31,6 +31,10 @@ steps:
- name: deploy
image: alpine:latest
depends_on: [ secrets ]
environment:
VAULT_ADDR: { from_secret: VAULT_ADDR }
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
commands:
- set -euo pipefail
- apk add --no-cache bash openssh-client rsync coreutils curl sed python3

5
README.md
View File

@@ -124,6 +124,11 @@ First-time dev bootstrap:
# after infra is green, merge normal app changes to main
```
Dev secret source:
- After the dev Vault bootstrap runs, dev build/deploy secrets are read from the dev Vault on the dev host.
- The dev SSH deploy key remains an external bootstrap secret because CI needs it before it can reach the dev host.
Recommended release preparation:
```bash

48
ci/prod/scripts/deploy/db.sh
View File

@@ -9,9 +9,11 @@ trap 'echo "[deploy-db] error at line $LINENO" >&2' ERR
: "${DB_DIR:?missing DB_DIR}"
: "${SSH_USER:?missing SSH_USER}"
: "${SSH_HOST:?missing SSH_HOST}"
# Pass-through AppRole creds for Vault Agent (provided by Woodpecker secrets with existing names)
: "${VAULT_ROLE_ID:?missing VAULT_ROLE_ID}"
: "${VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
if [[ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]]; then
# Pass-through AppRole creds for the prod Vault Agent.
: "${VAULT_ROLE_ID:?missing VAULT_ROLE_ID}"
: "${VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
fi
REMOTE_DIR="${REMOTE_BASE%/}/${DB_DIR}"
REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
@@ -49,19 +51,45 @@ rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE
ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
REMOTE_DIR="$REMOTE_DIR" \
COMPOSE_FILE="$COMPOSE_FILE" \
VAULT_ROLE_ID="$VAULT_ROLE_ID" \
VAULT_SECRET_ID="$VAULT_SECRET_ID" \
VAULT_ROLE_ID="${VAULT_ROLE_ID:-}" \
VAULT_SECRET_ID="${VAULT_SECRET_ID:-}" \
bash -s <<'EOSSH'
set -euo pipefail
cd "${REMOTE_DIR}/compose"
set -a; . ../env/.env.runtime; set +a
load_kv_file() {
local file="$1"
while IFS= read -r line || [ -n "$line" ]; do
case "$line" in
''|\#*) continue ;;
esac
if printf '%s' "$line" | grep -Eq '^[[:alpha:]_][[:alnum:]_]*='; then
local key="${line%%=*}"
local value="${line#*=}"
key="$(printf '%s' "$key" | tr -d '[:space:]')"
value="${value#"${value%%[![:space:]]*}"}"
value="${value%"${value##*[![:space:]]}"}"
if [[ -n "$key" ]]; then
export "$key=$value"
fi
fi
done <"$file"
}
set -a
. ../env/.env.runtime
if [[ -f ../env/vault.env ]]; then
load_kv_file ../env/vault.env
fi
set +a
COMPOSE_PROJECT_NAME="${DB_COMPOSE_PROJECT:-sendico-db}"
export COMPOSE_PROJECT_NAME
# Run with ephemeral AppRole env (scoped only to these commands)
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" pull --quiet 2>/dev/null || \
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" pull
: "${VAULT_ADDR:?missing VAULT_ADDR}"
: "${VAULT_ROLE_ID:?missing VAULT_ROLE_ID}"
: "${VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" up -d --remove-orphans
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" VAULT_ADDR="${VAULT_ADDR}" docker compose -f "${COMPOSE_FILE}" pull --quiet 2>/dev/null || \
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" VAULT_ADDR="${VAULT_ADDR}" docker compose -f "${COMPOSE_FILE}" pull
VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" VAULT_ADDR="${VAULT_ADDR}" docker compose -f "${COMPOSE_FILE}" up -d --remove-orphans
docker compose -f "${COMPOSE_FILE}" ps
date -Is > .last_deploy

78
ci/prod/scripts/deploy/vault.sh
View File

@@ -13,6 +13,7 @@ REMOTE_DIR="${REMOTE_BASE%/}/${VAULT_DIR}"
REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
COMPOSE_FILE="vault.yml"
SEED_ENV_FILE="${DEV_VAULT_SEED_FILE:-}"
SSH_OPTS=(
-i /root/.ssh/id_rsa
@@ -35,6 +36,9 @@ ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
if [[ -n "${SEED_ENV_FILE}" && -f "${SEED_ENV_FILE}" ]]; then
rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${SEED_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/dev-vault-seed.env"
fi
ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
REMOTE_BASE="$REMOTE_BASE" \
@@ -52,6 +56,21 @@ set +a
COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
export COMPOSE_PROJECT_NAME
if base64 -d >/dev/null 2>&1 <<<'AA=='; then
BASE64_DECODE_FLAG='-d'
else
BASE64_DECODE_FLAG='--decode'
fi
decode_b64() {
val="$1"
if [[ -z "$val" ]]; then
printf ''
return
fi
printf '%s' "$val" | base64 "${BASE64_DECODE_FLAG}"
}
docker compose -f "$COMPOSE_FILE" pull --quiet 2>/dev/null || docker compose -f "$COMPOSE_FILE" pull
docker compose -f "$COMPOSE_FILE" up -d --remove-orphans
@@ -97,6 +116,63 @@ fi
docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault auth list -format=json | grep -q '\"approle/\"' || vault auth enable approle >/dev/null"
docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault secrets list -format=json | grep -q '\"kv/\"' || vault secrets enable -path=kv kv-v2 >/dev/null"
if [[ -f ../env/dev-vault-seed.env ]]; then
set -a
. ../env/dev-vault-seed.env
set +a
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv registry \
user="$(decode_b64 "${REGISTRY_USER_B64:-}")" \
password="$(decode_b64 "${REGISTRY_PASSWORD_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/db \
user="$(decode_b64 "${SENDICO_DB_USER_B64:-}")" \
password="$(decode_b64 "${SENDICO_DB_PASSWORD_B64:-}")" \
key="$(decode_b64 "${SENDICO_DB_KEY_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/nats \
user="$(decode_b64 "${SENDICO_NATS_USER_B64:-}")" \
password="$(decode_b64 "${SENDICO_NATS_PASSWORD_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/api/endpoint \
secret="$(decode_b64 "${SENDICO_API_ENDPOINT_SECRET_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/notification/mail \
user="$(decode_b64 "${NOTIFICATION_MAIL_USER_B64:-}")" \
password="$(decode_b64 "${NOTIFICATION_MAIL_PASSWORD_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/notification/telegram \
bot_token="$(decode_b64 "${NOTIFICATION_TELEGRAM_BOT_TOKEN_B64:-}")" \
chat_id="$(decode_b64 "${NOTIFICATION_TELEGRAM_CHAT_ID_B64:-}")" \
thread_id="$(decode_b64 "${NOTIFICATION_TELEGRAM_THREAD_ID_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/gateway/chain \
arbitrum_rpc_url="$(decode_b64 "${CHAIN_GATEWAY_RPC_URL_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/gateway/chain/wallet \
private_key="$(decode_b64 "${CHAIN_GATEWAY_WALLET_PRIVATE_KEY_B64:-}")" \
address="$(decode_b64 "${CHAIN_GATEWAY_WALLET_ADDRESS_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/gateway/tron \
rpc_url="$(decode_b64 "${TRON_GATEWAY_RPC_URL_B64:-}")" \
grpc_url="$(decode_b64 "${TRON_GATEWAY_GRPC_URL_B64:-}")" \
grpc_token="$(decode_b64 "${TRON_GATEWAY_GRPC_TOKEN_B64:-}")" >/dev/null
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="${ROOT_TOKEN}" dev-vault \
vault kv put -mount=kv sendico/gateway/tron/wallet \
private_key="$(decode_b64 "${TRON_GATEWAY_WALLET_PRIVATE_KEY_B64:-}")" \
address="$(decode_b64 "${TRON_GATEWAY_WALLET_ADDRESS_B64:-}")" >/dev/null
fi
docker exec -i dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault policy write sendico-dev-apps -" <<'EOF'
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
@@ -124,12 +200,14 @@ write_vault_env() {
local env_dir="${REMOTE_BASE%/}/${service_dir}/env"
mkdir -p "$env_dir"
cat >"${env_dir}/vault.env" <<EOF
VAULT_ADDR=${APP_VAULT_ADDR:-http://dev-vault:8200}
${role_var}=${APPROLE_ROLE_ID}
${secret_var}=${APPROLE_SECRET_ID}
EOF
chmod 600 "${env_dir}/vault.env"
}
write_vault_env "${DB_DIR}" "VAULT_ROLE_ID" "VAULT_SECRET_ID"
write_vault_env "${BFF_DIR}" "BFF_VAULT_ROLE_ID" "BFF_VAULT_SECRET_ID"
write_vault_env "${CALLBACKS_DIR}" "CALLBACKS_VAULT_ROLE_ID" "CALLBACKS_VAULT_SECRET_ID"
write_vault_env "${CHAIN_GATEWAY_DIR}" "CHAIN_GATEWAY_VAULT_ROLE_ID" "CHAIN_GATEWAY_VAULT_SECRET_ID"

4
ci/scripts/aurora/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${AURORA_GATEWAY_ENV_NAME}"
AURORA_GATEWAY_MONGO_SECRET_PATH="${AURORA_GATEWAY_MONGO_SECRET_PATH:?missing AURORA_GATEWAY_MONGO_SECRET_PATH}"
AURORA_GATEWAY_NATS_SECRET_PATH="${AURORA_GATEWAY_NATS_SECRET_PATH:-sendico/nats}"
export AURORA_GATEWAY_MONGO_USER="$(./ci/vlt kv_get kv "${AURORA_GATEWAY_MONGO_SECRET_PATH}" user)"
export AURORA_GATEWAY_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${AURORA_GATEWAY_MONGO_SECRET_PATH}" password)"
export AURORA_GATEWAY_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${AURORA_GATEWAY_MONGO_SECRET_PATH}" user)"
export AURORA_GATEWAY_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${AURORA_GATEWAY_MONGO_SECRET_PATH}" password)"
NATS_SECRET_PATH="${AURORA_GATEWAY_NATS_SECRET_PATH}" load_nats_env

10
ci/scripts/bff/deploy.sh
View File

@@ -42,13 +42,13 @@ BFF_MONGO_SECRET_PATH="${BFF_MONGO_SECRET_PATH:?missing BFF_MONGO_SECRET_PATH}"
BFF_API_SECRET_PATH="${BFF_API_SECRET_PATH:?missing BFF_API_SECRET_PATH}"
BFF_VAULT_SECRET_PATH="${BFF_VAULT_SECRET_PATH:?missing BFF_VAULT_SECRET_PATH}"
export MONGO_USER="$(./ci/vlt kv_get kv "${BFF_MONGO_SECRET_PATH}" user)"
export MONGO_PASSWORD="$(./ci/vlt kv_get kv "${BFF_MONGO_SECRET_PATH}" password)"
export MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${BFF_MONGO_SECRET_PATH}" user)"
export MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${BFF_MONGO_SECRET_PATH}" password)"
export API_ENDPOINT_SECRET="$(./ci/vlt kv_get kv "${BFF_API_SECRET_PATH}" secret)"
export API_ENDPOINT_SECRET="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${BFF_API_SECRET_PATH}" secret)"
if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
export BFF_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${BFF_VAULT_SECRET_PATH}" role_id)"
export BFF_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${BFF_VAULT_SECRET_PATH}" secret_id)"
export BFF_VAULT_ROLE_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${BFF_VAULT_SECRET_PATH}" role_id)"
export BFF_VAULT_SECRET_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${BFF_VAULT_SECRET_PATH}" secret_id)"
if [ -z "${BFF_VAULT_ROLE_ID}" ] || [ -z "${BFF_VAULT_SECRET_ID}" ]; then
echo "[bff-deploy] vault approle creds are empty for path ${BFF_VAULT_SECRET_PATH}" >&2
exit 1

4
ci/scripts/billing_documents/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${DOCUMENTS_ENV_NAME}"
DOCUMENTS_MONGO_SECRET_PATH="${DOCUMENTS_MONGO_SECRET_PATH:?missing DOCUMENTS_MONGO_SECRET_PATH}"
export DOCUMENTS_MONGO_USER="$(./ci/vlt kv_get kv "${DOCUMENTS_MONGO_SECRET_PATH}" user)"
export DOCUMENTS_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${DOCUMENTS_MONGO_SECRET_PATH}" password)"
export DOCUMENTS_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${DOCUMENTS_MONGO_SECRET_PATH}" user)"
export DOCUMENTS_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${DOCUMENTS_MONGO_SECRET_PATH}" password)"
load_nats_env

4
ci/scripts/billing_fees/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${FEES_ENV_NAME}"
FEES_MONGO_SECRET_PATH="${FEES_MONGO_SECRET_PATH:?missing FEES_MONGO_SECRET_PATH}"
export FEES_MONGO_USER="$(./ci/vlt kv_get kv "${FEES_MONGO_SECRET_PATH}" user)"
export FEES_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${FEES_MONGO_SECRET_PATH}" password)"
export FEES_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${FEES_MONGO_SECRET_PATH}" user)"
export FEES_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${FEES_MONGO_SECRET_PATH}" password)"
load_nats_env

8
ci/scripts/callbacks/deploy.sh
View File

@@ -41,11 +41,11 @@ load_runtime_env_bundle "${CALLBACKS_ENV_NAME}"
CALLBACKS_MONGO_SECRET_PATH="${CALLBACKS_MONGO_SECRET_PATH:?missing CALLBACKS_MONGO_SECRET_PATH}"
CALLBACKS_VAULT_SECRET_PATH="${CALLBACKS_VAULT_SECRET_PATH:?missing CALLBACKS_VAULT_SECRET_PATH}"
export CALLBACKS_MONGO_USER="$(./ci/vlt kv_get kv "${CALLBACKS_MONGO_SECRET_PATH}" user)"
export CALLBACKS_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${CALLBACKS_MONGO_SECRET_PATH}" password)"
export CALLBACKS_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CALLBACKS_MONGO_SECRET_PATH}" user)"
export CALLBACKS_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CALLBACKS_MONGO_SECRET_PATH}" password)"
if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
export CALLBACKS_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" role_id)"
export CALLBACKS_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" secret_id)"
export CALLBACKS_VAULT_ROLE_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" role_id)"
export CALLBACKS_VAULT_SECRET_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" secret_id)"
if [ -z "${CALLBACKS_VAULT_ROLE_ID}" ] || [ -z "${CALLBACKS_VAULT_SECRET_ID}" ]; then
echo "[callbacks-deploy] vault approle creds are empty for path ${CALLBACKS_VAULT_SECRET_PATH}" >&2
exit 1

14
ci/scripts/chain_gateway/deploy.sh
View File

@@ -43,17 +43,17 @@ CHAIN_GATEWAY_RPC_SECRET_PATH="${CHAIN_GATEWAY_RPC_SECRET_PATH:?missing CHAIN_GA
CHAIN_GATEWAY_WALLET_SECRET_PATH="${CHAIN_GATEWAY_WALLET_SECRET_PATH:?missing CHAIN_GATEWAY_WALLET_SECRET_PATH}"
CHAIN_GATEWAY_VAULT_SECRET_PATH="${CHAIN_GATEWAY_VAULT_SECRET_PATH:?missing CHAIN_GATEWAY_VAULT_SECRET_PATH}"
export CHAIN_GATEWAY_MONGO_USER="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_MONGO_SECRET_PATH}" user)"
export CHAIN_GATEWAY_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_MONGO_SECRET_PATH}" password)"
export CHAIN_GATEWAY_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHAIN_GATEWAY_MONGO_SECRET_PATH}" user)"
export CHAIN_GATEWAY_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHAIN_GATEWAY_MONGO_SECRET_PATH}" password)"
export CHAIN_GATEWAY_RPC_URL="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_RPC_SECRET_PATH}" arbitrum_rpc_url)"
export CHAIN_GATEWAY_RPC_URL="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHAIN_GATEWAY_RPC_SECRET_PATH}" arbitrum_rpc_url)"
export CHAIN_GATEWAY_SERVICE_WALLET_KEY="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_WALLET_SECRET_PATH}" private_key)"
export CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_WALLET_SECRET_PATH}" address || true)"
export CHAIN_GATEWAY_SERVICE_WALLET_KEY="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHAIN_GATEWAY_WALLET_SECRET_PATH}" private_key)"
export CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHAIN_GATEWAY_WALLET_SECRET_PATH}" address || true)"
if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
export CHAIN_GATEWAY_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" role_id)"
export CHAIN_GATEWAY_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
export CHAIN_GATEWAY_VAULT_ROLE_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" role_id)"
export CHAIN_GATEWAY_VAULT_SECRET_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
if [ -z "${CHAIN_GATEWAY_VAULT_ROLE_ID}" ] || [ -z "${CHAIN_GATEWAY_VAULT_SECRET_ID}" ]; then
echo "[chain-gateway-deploy] vault approle creds are empty for path ${CHAIN_GATEWAY_VAULT_SECRET_PATH}" >&2
exit 1

4
ci/scripts/chsettle/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${CHSETTLE_GATEWAY_ENV_NAME}"
CHSETTLE_GATEWAY_MONGO_SECRET_PATH="${CHSETTLE_GATEWAY_MONGO_SECRET_PATH:?missing CHSETTLE_GATEWAY_MONGO_SECRET_PATH}"
CHSETTLE_GATEWAY_NATS_SECRET_PATH="${CHSETTLE_GATEWAY_NATS_SECRET_PATH:-sendico/nats}"
export CHSETTLE_GATEWAY_MONGO_USER="$(./ci/vlt kv_get kv "${CHSETTLE_GATEWAY_MONGO_SECRET_PATH}" user)"
export CHSETTLE_GATEWAY_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${CHSETTLE_GATEWAY_MONGO_SECRET_PATH}" password)"
export CHSETTLE_GATEWAY_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHSETTLE_GATEWAY_MONGO_SECRET_PATH}" user)"
export CHSETTLE_GATEWAY_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${CHSETTLE_GATEWAY_MONGO_SECRET_PATH}" password)"
NATS_SECRET_PATH="${CHSETTLE_GATEWAY_NATS_SECRET_PATH}" load_nats_env

9
ci/scripts/common/fetch_registry_creds.sh Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/sh
set -eu
REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
cd "${REPO_ROOT}"
mkdir -p secrets
sh ci/scripts/common/runtime_kv_get.sh kv_get kv registry user > secrets/REGISTRY_USER
sh ci/scripts/common/runtime_kv_get.sh kv_get kv registry password > secrets/REGISTRY_PASSWORD

4
ci/scripts/common/nats_env.sh
View File

@@ -4,8 +4,8 @@ load_nats_env() {
: "${NATS_PORT:?missing NATS_PORT}"
nats_secret_path="${NATS_SECRET_PATH:-sendico/nats}"
export NATS_USER="$(./ci/vlt kv_get kv "${nats_secret_path}" user)"
export NATS_PASSWORD="$(./ci/vlt kv_get kv "${nats_secret_path}" password)"
export NATS_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${nats_secret_path}" user)"
export NATS_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${nats_secret_path}" password)"
nats_url_var="${NATS_URL_VAR:-NATS_URL}"
nats_url_scheme="${NATS_URL_SCHEME:-nats}"

131
ci/scripts/common/runtime_kv_get.sh Normal file
View File

@@ -0,0 +1,131 @@
#!/bin/sh
set -eu
if ! set -o pipefail 2>/dev/null; then
:
fi
REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
cd "${REPO_ROOT}"
usage() {
echo "usage: runtime_kv_get.sh kv_get <mount> <path> <field>" >&2
exit 64
}
[ "${1:-}" = "kv_get" ] || usage
[ $# -eq 4 ] || usage
MOUNT="$2"
SECRET_PATH="$3"
FIELD="$4"
. ci/scripts/common/runtime_env.sh
runtime_env_name="${CI_TARGET_ENV:-${CI_RUNTIME_ENV_NAME:-$(resolve_runtime_env_name)}}"
vault_source="${CI_VAULT_SOURCE:-runtime}"
if [ "${vault_source}" = "external" ] || [ "${runtime_env_name}" != "devserver" ]; then
exec ./ci/vlt kv_get "${MOUNT}" "${SECRET_PATH}" "${FIELD}"
fi
runtime_file="$(resolve_runtime_env_file "${runtime_env_name}")"
cleanup_runtime_file=0
case "${runtime_file}" in
./.runtime.*.merged.*)
cleanup_runtime_file=1
;;
esac
cleanup() {
if [ "${cleanup_runtime_file}" -eq 1 ]; then
rm -f "${runtime_file}"
fi
}
trap cleanup EXIT INT TERM
normalize_env_file "${runtime_file}"
load_env_file "${runtime_file}"
: "${SSH_USER:?missing SSH_USER}"
: "${SSH_HOST:?missing SSH_HOST}"
: "${REMOTE_BASE:?missing REMOTE_BASE}"
: "${VAULT_DIR:?missing VAULT_DIR}"
SSH_KEY_FILE="${SSH_KEY_FILE:-}"
if [ -z "${SSH_KEY_FILE}" ] || [ ! -f "${SSH_KEY_FILE}" ]; then
for candidate in /root/.ssh/id_rsa secrets/SSH_KEY; do
if [ -f "${candidate}" ]; then
SSH_KEY_FILE="${candidate}"
break
fi
done
fi
if [ -z "${SSH_KEY_FILE}" ] || [ ! -f "${SSH_KEY_FILE}" ]; then
echo "[runtime-kv-get] ssh key not found; expected /root/.ssh/id_rsa or secrets/SSH_KEY" >&2
exit 65
fi
b64enc() {
printf '%s' "$1" | base64 | tr -d '\n'
}
MOUNT_B64="$(b64enc "${MOUNT}")"
SECRET_PATH_B64="$(b64enc "${SECRET_PATH}")"
FIELD_B64="$(b64enc "${FIELD}")"
REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
SSH_OPTS="
-i ${SSH_KEY_FILE}
-o StrictHostKeyChecking=no
-o UserKnownHostsFile=/dev/null
-o LogLevel=ERROR
-o BatchMode=yes
-o PreferredAuthentications=publickey
-o ConnectTimeout=10
"
ssh ${SSH_OPTS} "${REMOTE_TARGET}" \
REMOTE_BASE="${REMOTE_BASE}" \
VAULT_DIR="${VAULT_DIR}" \
MOUNT_B64="${MOUNT_B64}" \
SECRET_PATH_B64="${SECRET_PATH_B64}" \
FIELD_B64="${FIELD_B64}" \
sh -s <<'EOSSH'
set -eu
if printf 'AA==' | base64 -d >/dev/null 2>&1; then
BASE64_DECODE_FLAG='-d'
else
BASE64_DECODE_FLAG='--decode'
fi
decode_b64() {
printf '%s' "$1" | base64 "${BASE64_DECODE_FLAG}"
}
MOUNT="$(decode_b64 "${MOUNT_B64}")"
SECRET_PATH="$(decode_b64 "${SECRET_PATH_B64}")"
FIELD="$(decode_b64 "${FIELD_B64}")"
INIT_FILE="${REMOTE_BASE%/}/${VAULT_DIR}/env/vault-init.json"
if [ ! -s "${INIT_FILE}" ]; then
echo "[runtime-kv-get] dev vault init file not found: ${INIT_FILE}" >&2
exit 66
fi
INIT_JSON_COMPACT="$(tr -d '\r\n\t ' <"${INIT_FILE}")"
ROOT_TOKEN="$(printf '%s' "${INIT_JSON_COMPACT}" | sed -n 's/.*"root_token":"\([^"]*\)".*/\1/p')"
if [ -z "${ROOT_TOKEN}" ]; then
echo "[runtime-kv-get] failed to extract dev vault root token from ${INIT_FILE}" >&2
exit 67
fi
docker exec \
-e VAULT_ADDR=http://127.0.0.1:8200 \
-e VAULT_TOKEN="${ROOT_TOKEN}" \
dev-vault \
vault kv get -mount="${MOUNT}" -field="${FIELD}" "${SECRET_PATH}"
EOSSH

4
ci/scripts/fx/deploy.sh
View File

@@ -49,8 +49,8 @@ if [ -z "${FX_NEEDS_NATS}" ]; then
esac
fi
export FX_MONGO_USER="$(./ci/vlt kv_get kv "${FX_MONGO_SECRET_PATH}" user)"
export FX_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${FX_MONGO_SECRET_PATH}" password)"
export FX_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${FX_MONGO_SECRET_PATH}" user)"
export FX_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${FX_MONGO_SECRET_PATH}" password)"
if [ "${FX_NEEDS_NATS}" = "true" ]; then
NATS_URL_VAR=FX_NATS_URL load_nats_env

4
ci/scripts/ledger/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${LEDGER_ENV_NAME}"
LEDGER_MONGO_SECRET_PATH="${LEDGER_MONGO_SECRET_PATH:?missing LEDGER_MONGO_SECRET_PATH}"
export LEDGER_MONGO_USER="$(./ci/vlt kv_get kv "${LEDGER_MONGO_SECRET_PATH}" user)"
export LEDGER_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${LEDGER_MONGO_SECRET_PATH}" password)"
export LEDGER_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${LEDGER_MONGO_SECRET_PATH}" user)"
export LEDGER_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${LEDGER_MONGO_SECRET_PATH}" password)"
load_nats_env

16
ci/scripts/notification/deploy.sh
View File

@@ -43,18 +43,18 @@ NOTIFICATION_MAIL_SECRET_PATH="${NOTIFICATION_MAIL_SECRET_PATH:?missing NOTIFICA
NOTIFICATION_API_SECRET_PATH="${NOTIFICATION_API_SECRET_PATH:?missing NOTIFICATION_API_SECRET_PATH}"
NOTIFICATION_TELEGRAM_SECRET_PATH="${NOTIFICATION_TELEGRAM_SECRET_PATH:?missing NOTIFICATION_TELEGRAM_SECRET_PATH}"
export MONGO_USER="$(./ci/vlt kv_get kv "${NOTIFICATION_MONGO_SECRET_PATH}" user)"
export MONGO_PASSWORD="$(./ci/vlt kv_get kv "${NOTIFICATION_MONGO_SECRET_PATH}" password)"
export MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_MONGO_SECRET_PATH}" user)"
export MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_MONGO_SECRET_PATH}" password)"
export MAIL_USER="$(./ci/vlt kv_get kv "${NOTIFICATION_MAIL_SECRET_PATH}" user)"
export MAIL_SECRET="$(./ci/vlt kv_get kv "${NOTIFICATION_MAIL_SECRET_PATH}" password)"
export MAIL_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_MAIL_SECRET_PATH}" user)"
export MAIL_SECRET="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_MAIL_SECRET_PATH}" password)"
export API_ENDPOINT_SECRET="$(./ci/vlt kv_get kv "${NOTIFICATION_API_SECRET_PATH}" secret)"
export API_ENDPOINT_SECRET="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_API_SECRET_PATH}" secret)"
export TELEGRAM_BOT_TOKEN="$(./ci/vlt kv_get kv "${NOTIFICATION_TELEGRAM_SECRET_PATH}" bot_token)"
export TELEGRAM_CHAT_ID="$(./ci/vlt kv_get kv "${NOTIFICATION_TELEGRAM_SECRET_PATH}" chat_id)"
export TELEGRAM_BOT_TOKEN="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_TELEGRAM_SECRET_PATH}" bot_token)"
export TELEGRAM_CHAT_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_TELEGRAM_SECRET_PATH}" chat_id)"
TELEGRAM_THREAD_ID=""
if TELEGRAM_THREAD_ID_VALUE="$(./ci/vlt kv_get kv "${NOTIFICATION_TELEGRAM_SECRET_PATH}" thread_id 2>/dev/null)"; then
if TELEGRAM_THREAD_ID_VALUE="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${NOTIFICATION_TELEGRAM_SECRET_PATH}" thread_id 2>/dev/null)"; then
TELEGRAM_THREAD_ID="$TELEGRAM_THREAD_ID_VALUE"
fi
export TELEGRAM_THREAD_ID

4
ci/scripts/payments_methods/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${PAYMENTS_METHODS_ENV_NAME}"
PAYMENTS_METHODS_MONGO_SECRET_PATH="${PAYMENTS_METHODS_MONGO_SECRET_PATH:?missing PAYMENTS_METHODS_MONGO_SECRET_PATH}"
export PAYMENTS_MONGO_USER="$(./ci/vlt kv_get kv "${PAYMENTS_METHODS_MONGO_SECRET_PATH}" user)"
export PAYMENTS_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${PAYMENTS_METHODS_MONGO_SECRET_PATH}" password)"
export PAYMENTS_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${PAYMENTS_METHODS_MONGO_SECRET_PATH}" user)"
export PAYMENTS_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${PAYMENTS_METHODS_MONGO_SECRET_PATH}" password)"
load_nats_env

4
ci/scripts/payments_orchestrator/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${PAYMENTS_ENV_NAME}"
PAYMENTS_MONGO_SECRET_PATH="${PAYMENTS_MONGO_SECRET_PATH:?missing PAYMENTS_MONGO_SECRET_PATH}"
export PAYMENTS_MONGO_USER="$(./ci/vlt kv_get kv "${PAYMENTS_MONGO_SECRET_PATH}" user)"
export PAYMENTS_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${PAYMENTS_MONGO_SECRET_PATH}" password)"
export PAYMENTS_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${PAYMENTS_MONGO_SECRET_PATH}" user)"
export PAYMENTS_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${PAYMENTS_MONGO_SECRET_PATH}" password)"
load_nats_env

4
ci/scripts/payments_quotation/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${PAYMENTS_QUOTATION_ENV_NAME}"
PAYMENTS_QUOTATION_MONGO_SECRET_PATH="${PAYMENTS_QUOTATION_MONGO_SECRET_PATH:?missing PAYMENTS_QUOTATION_MONGO_SECRET_PATH}"
export PAYMENTS_MONGO_USER="$(./ci/vlt kv_get kv "${PAYMENTS_QUOTATION_MONGO_SECRET_PATH}" user)"
export PAYMENTS_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${PAYMENTS_QUOTATION_MONGO_SECRET_PATH}" password)"
export PAYMENTS_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${PAYMENTS_QUOTATION_MONGO_SECRET_PATH}" user)"
export PAYMENTS_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${PAYMENTS_QUOTATION_MONGO_SECRET_PATH}" password)"
load_nats_env

4
ci/scripts/tgsettle/deploy.sh
View File

@@ -40,8 +40,8 @@ load_runtime_env_bundle "${TGSETTLE_GATEWAY_ENV_NAME}"
TGSETTLE_GATEWAY_MONGO_SECRET_PATH="${TGSETTLE_GATEWAY_MONGO_SECRET_PATH:?missing TGSETTLE_GATEWAY_MONGO_SECRET_PATH}"
export TGSETTLE_GATEWAY_MONGO_USER="$(./ci/vlt kv_get kv "${TGSETTLE_GATEWAY_MONGO_SECRET_PATH}" user)"
export TGSETTLE_GATEWAY_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${TGSETTLE_GATEWAY_MONGO_SECRET_PATH}" password)"
export TGSETTLE_GATEWAY_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TGSETTLE_GATEWAY_MONGO_SECRET_PATH}" user)"
export TGSETTLE_GATEWAY_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TGSETTLE_GATEWAY_MONGO_SECRET_PATH}" password)"
load_nats_env

18
ci/scripts/tron_gateway/deploy.sh
View File

@@ -43,19 +43,19 @@ TRON_GATEWAY_RPC_SECRET_PATH="${TRON_GATEWAY_RPC_SECRET_PATH:?missing TRON_GATEW
TRON_GATEWAY_WALLET_SECRET_PATH="${TRON_GATEWAY_WALLET_SECRET_PATH:?missing TRON_GATEWAY_WALLET_SECRET_PATH}"
TRON_GATEWAY_VAULT_SECRET_PATH="${TRON_GATEWAY_VAULT_SECRET_PATH:?missing TRON_GATEWAY_VAULT_SECRET_PATH}"
export TRON_GATEWAY_MONGO_USER="$(./ci/vlt kv_get kv "${TRON_GATEWAY_MONGO_SECRET_PATH}" user)"
export TRON_GATEWAY_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${TRON_GATEWAY_MONGO_SECRET_PATH}" password)"
export TRON_GATEWAY_MONGO_USER="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_MONGO_SECRET_PATH}" user)"
export TRON_GATEWAY_MONGO_PASSWORD="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_MONGO_SECRET_PATH}" password)"
export TRON_GATEWAY_RPC_URL="$(./ci/vlt kv_get kv "${TRON_GATEWAY_RPC_SECRET_PATH}" rpc_url)"
export TRON_GATEWAY_GRPC_URL="$(./ci/vlt kv_get kv "${TRON_GATEWAY_RPC_SECRET_PATH}" grpc_url || true)"
export TRON_GATEWAY_GRPC_TOKEN="$(./ci/vlt kv_get kv "${TRON_GATEWAY_RPC_SECRET_PATH}" grpc_token || true)"
export TRON_GATEWAY_RPC_URL="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_RPC_SECRET_PATH}" rpc_url)"
export TRON_GATEWAY_GRPC_URL="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_RPC_SECRET_PATH}" grpc_url || true)"
export TRON_GATEWAY_GRPC_TOKEN="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_RPC_SECRET_PATH}" grpc_token || true)"
export TRON_GATEWAY_SERVICE_WALLET_KEY="$(./ci/vlt kv_get kv "${TRON_GATEWAY_WALLET_SECRET_PATH}" private_key)"
export TRON_GATEWAY_SERVICE_WALLET_ADDRESS="$(./ci/vlt kv_get kv "${TRON_GATEWAY_WALLET_SECRET_PATH}" address || true)"
export TRON_GATEWAY_SERVICE_WALLET_KEY="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_WALLET_SECRET_PATH}" private_key)"
export TRON_GATEWAY_SERVICE_WALLET_ADDRESS="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_WALLET_SECRET_PATH}" address || true)"
if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
export TRON_GATEWAY_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" role_id)"
export TRON_GATEWAY_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
export TRON_GATEWAY_VAULT_ROLE_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" role_id)"
export TRON_GATEWAY_VAULT_SECRET_ID="$(sh ci/scripts/common/runtime_kv_get.sh kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
if [ -z "${TRON_GATEWAY_VAULT_ROLE_ID}" ] || [ -z "${TRON_GATEWAY_VAULT_SECRET_ID}" ]; then
echo "[tron-gateway-deploy] vault approle creds are empty for path ${TRON_GATEWAY_VAULT_SECRET_PATH}" >&2
exit 1

49
ci/scripts/vault/deploy.sh
View File

@@ -35,4 +35,53 @@ load_env_file() {
VAULT_ENV_NAME="${VAULT_ENV:-$(resolve_runtime_env_name)}"
load_runtime_env_bundle "${VAULT_ENV_NAME}"
SEED_FILE=".dev-vault-seed.env"
cleanup() {
rm -f "${SEED_FILE}"
}
trap cleanup EXIT INT TERM
seed_field() {
var_name="$1"
secret_path="$2"
field_name="$3"
optional="${4:-0}"
if [ "${optional}" = "1" ]; then
value="$(CI_VAULT_SOURCE=external ./ci/vlt kv_get kv "${secret_path}" "${field_name}" 2>/dev/null || true)"
else
value="$(CI_VAULT_SOURCE=external ./ci/vlt kv_get kv "${secret_path}" "${field_name}")"
fi
printf '%s=%s\n' "${var_name}" "$(printf '%s' "${value}" | base64 | tr -d '\n')" >> "${SEED_FILE}"
}
: > "${SEED_FILE}"
chmod 600 "${SEED_FILE}"
seed_field REGISTRY_USER_B64 registry user
seed_field REGISTRY_PASSWORD_B64 registry password
seed_field SENDICO_DB_USER_B64 sendico/db user
seed_field SENDICO_DB_PASSWORD_B64 sendico/db password
seed_field SENDICO_DB_KEY_B64 sendico/db key
seed_field SENDICO_NATS_USER_B64 sendico/nats user
seed_field SENDICO_NATS_PASSWORD_B64 sendico/nats password
seed_field SENDICO_API_ENDPOINT_SECRET_B64 sendico/api/endpoint secret
seed_field NOTIFICATION_MAIL_USER_B64 sendico/notification/mail user
seed_field NOTIFICATION_MAIL_PASSWORD_B64 sendico/notification/mail password
seed_field NOTIFICATION_TELEGRAM_BOT_TOKEN_B64 sendico/notification/telegram bot_token
seed_field NOTIFICATION_TELEGRAM_CHAT_ID_B64 sendico/notification/telegram chat_id
seed_field NOTIFICATION_TELEGRAM_THREAD_ID_B64 sendico/notification/telegram thread_id 1
seed_field CHAIN_GATEWAY_RPC_URL_B64 sendico/gateway/chain arbitrum_rpc_url
seed_field CHAIN_GATEWAY_WALLET_PRIVATE_KEY_B64 sendico/gateway/chain/wallet private_key
seed_field CHAIN_GATEWAY_WALLET_ADDRESS_B64 sendico/gateway/chain/wallet address 1
seed_field TRON_GATEWAY_RPC_URL_B64 sendico/gateway/tron rpc_url
seed_field TRON_GATEWAY_GRPC_URL_B64 sendico/gateway/tron grpc_url 1
seed_field TRON_GATEWAY_GRPC_TOKEN_B64 sendico/gateway/tron grpc_token 1
seed_field TRON_GATEWAY_WALLET_PRIVATE_KEY_B64 sendico/gateway/tron/wallet private_key
seed_field TRON_GATEWAY_WALLET_ADDRESS_B64 sendico/gateway/tron/wallet address 1
export DEV_VAULT_SEED_FILE="${SEED_FILE}"
bash ci/prod/scripts/deploy/vault.sh