
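---
# Woodpecker pipeline for the sendico DB deployment, run on pushes to main.
# The three steps share one workspace: `version` writes .env.version,
# `secrets` pulls deploy material out of Vault into ./secrets, and
# `deploy` consumes both before calling the external deploy script.
when:
  - event: push
    branch: main

steps:
  - name: version
    image: alpine:latest
    commands:
      - set -euo pipefail
      - apk add --no-cache git
      - GIT_REV="$(git rev-parse --short HEAD)"
      # Prefer the branch Woodpecker reports (CI_COMMIT_BRANCH): on a detached
      # checkout `git rev-parse --abbrev-ref HEAD` prints the literal "HEAD".
      - BUILD_BRANCH="${CI_COMMIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}"
      - APP_V="$(cat version)"
      # Non-secret build metadata; echoing it to the log via tee is intentional.
      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\n" "$GIT_REV" "$BUILD_BRANCH" "$APP_V" | tee .env.version

  - name: secrets
    image: alpine:latest
    depends_on: [ version ]
    environment:
      # Vault access for CI (AppRole for CI itself, NOT the app AppRole)
      VAULT_ADDR: https://vault.sendico.io
      VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }    # CI's AppRole role_id
      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID } # CI's AppRole secret_id
    commands:
      - set -euo pipefail
      - apk add --no-cache curl bash coreutils sed python3 openssh-keygen
      # Everything created from here on is owner-only from the moment it
      # exists. Without this, `base64 -d ... > secrets/SSH_KEY` creates the
      # decoded key with the default umask and it is only tightened by the
      # chmod afterwards.
      - umask 077
      - mkdir -p secrets
      # Fetch SSH private key for deploy (base64-encoded) and decode.
      # ./ci/vlt is a project helper; its last argument appears to be the
      # mode of the written file.
      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
      - chmod 600 secrets/SSH_KEY
      # The encoded copy is the same secret twice; keep only the decoded key.
      - rm -f secrets/SSH_KEY.b64
      # Fail fast if the decoded material is not a usable private key.
      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
      # Fetch AppRole creds for Vault Agent on the target host.
      # NOTE(review): this copies a static secret_id out of KV on every run;
      # minting a fresh, TTL-bound secret_id per deploy would limit exposure
      # if the workspace or the target host is compromised.
      - ./ci/vlt kv_to_file kv ops/vault/approle/sendico-db role_id secrets/ROLE_ID 600
      - ./ci/vlt kv_to_file kv ops/vault/approle/sendico-db secret_id secrets/SECRET_ID 600

  - name: deploy
    image: alpine:latest
    depends_on: [ secrets ]
    commands:
      - set -euo pipefail
      # Remove the fetched credentials from the shared workspace when this
      # step ends, whether the deploy succeeded or failed. Move this if a
      # later step is ever added that needs ./secrets.
      - trap 'rm -rf secrets' EXIT
      - apk add --no-cache bash openssh-client rsync coreutils
      # ssh expects ~/.ssh to be private; a plain mkdir leaves it 755.
      - install -d -m 700 /root/.ssh
      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
      # NOTE(review): no known_hosts is provisioned here, so host-key
      # verification is whatever ci/prod/scripts/deploy-db.sh configures.
      # Confirm it does not disable StrictHostKeyChecking.
      # Normalize CRLF if any, then export runtime env (Compose variables)
      - sed -i 's/\r$//' ./ci/prod/.env.runtime
      - set -a
      - . ./ci/prod/.env.runtime
      - . ./.env.version
      - set +a
      # Run external deploy script (quiet by default; set DEBUG_DEPLOY=1 to debug)
      - bash ci/prod/scripts/deploy-db.sh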