From 0cba0a3593d1074f3202b15744c3d385981305da Mon Sep 17 00:00:00 2001 From: continuist Date: Mon, 8 Sep 2025 21:18:14 -0400 Subject: [PATCH] Add correct secrets to CI pipeline --- .forgejo/workflows/ci.yml | 70 ++++++++++++++++++++++++++++------- CI_CD_PIPELINE_SETUP_GUIDE.md | 32 ++++++---------- deploy/prod-pod.yml | 35 +++++++----------- 3 files changed, 81 insertions(+), 56 deletions(-) diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index c0bcd83..280cc02 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -11,6 +11,14 @@ env: APP_NAME: ${{ secrets.APP_NAME }} IMAGE_TAG: ${{ github.sha }} RUN_ID: ${{ github.run_id }} + POSTGRES_USERNAME: ${{ secrets.PROD_DB_USERNAME }} + POSTGRES_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }} + POSTGRES_HOST: ${{ secrets.PROD_DB_HOST }} + POSTGRES_PORT: ${{ secrets.PROD_DB_PORT }} + POSTGRES_DATABASE_NAME: ${{ secrets.PROD_DB_DATABASE_NAME }} + PROD_BACKEND_HOST: ${{ secrets.PROD_BACKEND_HOST }} + PROD_BACKEND_PORT: ${{ secrets.PROD_BACKEND_PORT }} + PROD_FRONTEND_PORT: ${{ secrets.PROD_FRONTEND_PORT }} # Required pinned digests (fail if missing) RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }} # e.g., docker.io/library/rust@sha256:... NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:... @@ -44,16 +52,9 @@ jobs: chmod +x ./pip_ready.sh ./pip_ready.sh - - name: Setup SSH with pinned known_hosts (per-step) - env: - GIT_SSH_COMMAND: 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts' + - name: Configure Git for token-based authentication run: | - mkdir -p ~/.ssh && chmod 700 ~/.ssh - install -m 600 /dev/null ~/.ssh/id_ed25519 - printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519 - install -m 644 /dev/null ~/.ssh/known_hosts - printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts - # git commands in this step will use $GIT_SSH_COMMAND + git config --global url."https://${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_TOKEN }}@${{ env.REGISTRY }}".insteadOf "https://${{ env.REGISTRY }}" - name: Create internal integration network run: podman exec ci-pip-${{ env.RUN_ID }} podman network create --internal integ-${{ env.RUN_ID }} @@ -63,15 +64,15 @@ jobs: podman exec ci-pip-${{ env.RUN_ID }} podman run -d \ --name test-postgres \ --network integ-${{ env.RUN_ID }} \ - -e POSTGRES_PASSWORD=testpassword \ - -e POSTGRES_USER=testuser \ - -e POSTGRES_DB=testdb \ + -e POSTGRES_PASSWORD=password \ + -e POSTGRES_USER=postgres \ + -e POSTGRES_DB=sharenet_test \ "${POSTGRES_IMG_DIGEST}" - name: Wait for PostgreSQL to be ready run: | podman exec ci-pip-${{ env.RUN_ID }} sh -lc ' - i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U testuser >/dev/null 2>&1; do + i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U postgres >/dev/null 2>&1; do i=$((i+1)); [ $i -gt 60 ] && { echo "pg not ready"; exit 1; }; sleep 1 done' @@ -252,4 +253,45 @@ jobs: - name: Per-job cleanup (PiP container) if: always() - run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true \ No newline at end of file + run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true + + deploy-prod: + runs-on: [self-hosted, prod] + needs: [build-backend, build-frontend] + if: success() + steps: + - uses: actions/checkout@v4 + + - name: Deploy to production + env: + REGISTRY_HOST: ${{ env.REGISTRY }} + APP_NAME: ${{ env.APP_NAME }} + IMAGE_TAG: ${{ env.IMAGE_TAG }} + POSTGRES_USERNAME: ${{ env.POSTGRES_USERNAME }} + POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }} + POSTGRES_HOST: ${{ env.POSTGRES_HOST }} + POSTGRES_PORT: ${{ env.POSTGRES_PORT }} + POSTGRES_DATABASE_NAME: ${{ env.POSTGRES_DATABASE_NAME }} + PROD_BACKEND_HOST: ${{ env.PROD_BACKEND_HOST }} + PROD_BACKEND_PORT: ${{ env.PROD_BACKEND_PORT }} + PROD_FRONTEND_PORT: ${{ env.PROD_FRONTEND_PORT }} + run: | + # Install envsubst if not available (gettext package) + command -v envsubst >/dev/null 2>&1 || { + if command -v apt-get >/dev/null 2>&1; then + sudo apt-get update && sudo apt-get install -y gettext-base + elif command -v yum >/dev/null 2>&1; then + sudo yum install -y gettext + elif command -v apk >/dev/null 2>&1; then + sudo apk add gettext + fi + } + + # Substitute environment variables in prod-pod.yml + envsubst < deploy/prod-pod.yml > prod-pod-deploy.yml + + # Deploy the pod (replace existing if it exists) + podman play kube --replace prod-pod-deploy.yml + + # Clean up generated file + rm -f prod-pod-deploy.yml \ No newline at end of file diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index 9608251..b9aa5c0 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -1199,9 +1199,9 @@ podman exec ci-pip-local podman version # Start PostgreSQL for integration tests podman exec ci-pip-local podman run -d \ --name test-postgres \ - -e POSTGRES_PASSWORD=testpassword \ - -e POSTGRES_USER=testuser \ - -e POSTGRES_DB=testdb \ + -e POSTGRES_PASSWORD=password \ + -e POSTGRES_USER=postgres \ + -e POSTGRES_DB=sharenet_test \ -p 5432:5432 \ "${POSTGRES_IMG_DIGEST}" @@ -1964,12 +1964,18 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an - `REGISTRY_HOST`: Your Forgejo instance's registry URL - `REGISTRY_USERNAME`: Your Forgejo username for registry authentication - `REGISTRY_TOKEN`: Personal Access Token with `write:packages` scope for registry pushes -- `SSH_PRIVATE_KEY`: SSH private key for production deployment access -- `SSH_KNOWN_HOSTS`: SSH known_hosts entry for production server - `PODMAN_CLIENT_IMG_DIGEST`: Pinned Podman client image digest (e.g., `quay.io/podman/stable@sha256:...`) - `RUST_IMG_DIGEST`: Pinned Rust image digest (e.g., `docker.io/library/rust@sha256:...`) - `NODE_IMG_DIGEST`: Pinned Node.js image digest (e.g., `docker.io/library/node@sha256:...`) - `POSTGRES_IMG_DIGEST`: Pinned PostgreSQL image digest (e.g., `docker.io/library/postgres@sha256:...`) +- `PROD_BACKEND_HOST` +- `PROD_BACKEND_PORT` +- `PROD_DB_USERNAME` +- `PROD_DB_PASSWORD` +- `PROD_DB_HOST` +- `PROD_DB_PORT` +- `PROD_DB_DATABASE_NAME` +- `PROD_FRONTEND_PORT` #### How to Obtain Each Secret (with Purpose and Commands): @@ -2011,22 +2017,6 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an # Result: POSTGRES_IMG_DIGEST=docker.io/library/postgres@sha256:16508ad37e81dd63a94cdc620b0cfa1b771c4176b4e0f1cbc3a670431643e3ed ``` -**2. SSH Keys (Secure Deployment Access):** - -- **`SSH_PRIVATE_KEY`**: Private key for CI to deploy to production server - ```bash - # Generate SSH key pair (if you don't have one) - ssh-keygen -t ed25519 -f ~/.ssh/ci_deploy_key -N "" - # Use content of: cat ~/.ssh/ci_deploy_key - ``` - -- **`SSH_KNOWN_HOSTS`**: Prevents MITM attacks during SSH deployment - ```bash - # Get production server's SSH fingerprint - ssh-keyscan -H YOUR_PRODUCTION_IP > known_hosts - # Use content of known_hosts file - ``` - **3. Forgejo Registry Credentials (Image Storage):** - **`REGISTRY_HOST`**: Your Forgejo instance hostname (e.g., `git.example.com`) diff --git a/deploy/prod-pod.yml b/deploy/prod-pod.yml index 029e1bb..feeb599 100644 --- a/deploy/prod-pod.yml +++ b/deploy/prod-pod.yml @@ -26,16 +26,13 @@ spec: drop: ["ALL"] env: - name: POSTGRES_DB - value: sharenet + value: ${POSTGRES_DATABASE_NAME} - name: POSTGRES_USER - value: sharenet + value: ${POSTGRES_USERNAME} - name: PGDATA value: /var/lib/postgresql/data/pgdata - envFrom: - - secretRef: - name: postgres-secrets ports: - - containerPort: 5432 + - containerPort: ${POSTGRES_PORT} protocol: TCP volumeMounts: - name: pgdata @@ -74,20 +71,17 @@ spec: drop: ["ALL"] env: - name: DATABASE_URL - value: postgres://sharenet:${POSTGRES_PASSWORD}@localhost:5432/sharenet + value: postgres://${POSTGRES_USERNAME}:${POSTGRES_PASSWORD}@{POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DATABASE_NAME}?sslmode=disable - name: PORT - value: "3001" - envFrom: - - secretRef: - name: backend-secrets + value: ${PROD_BACKEND_PORT} ports: - - containerPort: 3001 + - containerPort: ${PROD_BACKEND_PORT} protocol: TCP # Health checks livenessProbe: httpGet: path: /health - port: 3001 + port: ${PROD_BACKEND_PORT} scheme: HTTP initialDelaySeconds: 30 periodSeconds: 30 @@ -96,7 +90,7 @@ spec: readinessProbe: httpGet: path: /health - port: 3001 + port: ${PROD_BACKEND_PORT} scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 @@ -119,15 +113,14 @@ spec: capabilities: drop: ["ALL"] env: - - name: NEXT_PUBLIC_API_URL - value: http://localhost:3001 + - name: NEXT_PUBLIC_API_HOST + value: ${PROD_BACKEND_HOST} + - name: NEXT_PUBLIC_API_PORT + value: ${PROD_BACKEND_PORT} - name: PORT - value: "3000" - envFrom: - - secretRef: - name: frontend-secrets + value: ${PROD_FRONTEND_PORT} ports: - - containerPort: 3000 + - containerPort: ${PROD_FRONTEND_PORT} protocol: TCP # Resource limits resources: