Add correct secrets to CI pipeline

2025-09-08 21:18:14 -04:00 · 2025-09-08 21:18:14 -04:00 · 0cba0a3593
commit 0cba0a3593
parent 7d265c886a
3 changed files with 81 additions and 56 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -11,6 +11,14 @@ env:
  APP_NAME: ${{ secrets.APP_NAME }}
  IMAGE_TAG: ${{ github.sha }}
  RUN_ID: ${{ github.run_id }}
+  POSTGRES_USERNAME: ${{ secrets.PROD_DB_USERNAME }}
+  POSTGRES_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+  POSTGRES_HOST: ${{ secrets.PROD_DB_HOST }}
+  POSTGRES_PORT: ${{ secrets.PROD_DB_PORT }}
+  POSTGRES_DATABASE_NAME: ${{ secrets.PROD_DB_DATABASE_NAME }}
+  PROD_BACKEND_HOST: ${{ secrets.PROD_BACKEND_HOST }}
+  PROD_BACKEND_PORT: ${{ secrets.PROD_BACKEND_PORT }}
+  PROD_FRONTEND_PORT: ${{ secrets.PROD_FRONTEND_PORT }}
  # Required pinned digests (fail if missing)
  RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }}         # e.g., docker.io/library/rust@sha256:...
  NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }}         # e.g., docker.io/library/node@sha256:...
@ -44,16 +52,9 @@ jobs:
          chmod +x ./pip_ready.sh
          ./pip_ready.sh

-      - name: Setup SSH with pinned known_hosts (per-step)
-        env:
-          GIT_SSH_COMMAND: 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts'
+      - name: Configure Git for token-based authentication
        run: |
-          mkdir -p ~/.ssh && chmod 700 ~/.ssh
-          install -m 600 /dev/null ~/.ssh/id_ed25519
-          printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
-          install -m 644 /dev/null ~/.ssh/known_hosts
-          printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
-          # git commands in this step will use $GIT_SSH_COMMAND
+          git config --global url."https://${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_TOKEN }}@${{ env.REGISTRY }}".insteadOf "https://${{ env.REGISTRY }}"

      - name: Create internal integration network
        run: podman exec ci-pip-${{ env.RUN_ID }} podman network create --internal integ-${{ env.RUN_ID }}
@ -63,15 +64,15 @@ jobs:
          podman exec ci-pip-${{ env.RUN_ID }} podman run -d \
            --name test-postgres \
            --network integ-${{ env.RUN_ID }} \
-            -e POSTGRES_PASSWORD=testpassword \
-            -e POSTGRES_USER=testuser \
-            -e POSTGRES_DB=testdb \
+            -e POSTGRES_PASSWORD=password \
+            -e POSTGRES_USER=postgres \
+            -e POSTGRES_DB=sharenet_test \
            "${POSTGRES_IMG_DIGEST}"

      - name: Wait for PostgreSQL to be ready
        run: |
          podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
-            i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U testuser >/dev/null 2>&1; do
+            i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U postgres >/dev/null 2>&1; do
              i=$((i+1)); [ $i -gt 60 ] && { echo "pg not ready"; exit 1; }; sleep 1
            done'

@ -252,4 +253,45 @@ jobs:

      - name: Per-job cleanup (PiP container)
        if: always()
-        run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
+        run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
+
+  deploy-prod:
+    runs-on: [self-hosted, prod]
+    needs: [build-backend, build-frontend]
+    if: success()
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Deploy to production
+        env:
+          REGISTRY_HOST: ${{ env.REGISTRY }}
+          APP_NAME: ${{ env.APP_NAME }}
+          IMAGE_TAG: ${{ env.IMAGE_TAG }}
+          POSTGRES_USERNAME: ${{ env.POSTGRES_USERNAME }}
+          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
+          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
+          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
+          POSTGRES_DATABASE_NAME: ${{ env.POSTGRES_DATABASE_NAME }}
+          PROD_BACKEND_HOST: ${{ env.PROD_BACKEND_HOST }}
+          PROD_BACKEND_PORT: ${{ env.PROD_BACKEND_PORT }}
+          PROD_FRONTEND_PORT: ${{ env.PROD_FRONTEND_PORT }}
+        run: |
+          # Install envsubst if not available (gettext package)
+          command -v envsubst >/dev/null 2>&1 || { 
+            if command -v apt-get >/dev/null 2>&1; then
+              sudo apt-get update && sudo apt-get install -y gettext-base
+            elif command -v yum >/dev/null 2>&1; then
+              sudo yum install -y gettext
+            elif command -v apk >/dev/null 2>&1; then
+              sudo apk add gettext
+            fi
+          }
+          
+          # Substitute environment variables in prod-pod.yml
+          envsubst < deploy/prod-pod.yml > prod-pod-deploy.yml
+          
+          # Deploy the pod (replace existing if it exists)
+          podman play kube --replace prod-pod-deploy.yml
+          
+          # Clean up generated file
+          rm -f prod-pod-deploy.yml
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -1199,9 +1199,9 @@ podman exec ci-pip-local podman version
 # Start PostgreSQL for integration tests
 podman exec ci-pip-local podman run -d \
  --name test-postgres \
-  -e POSTGRES_PASSWORD=testpassword \
-  -e POSTGRES_USER=testuser \
-  -e POSTGRES_DB=testdb \
+  -e POSTGRES_PASSWORD=password \
+  -e POSTGRES_USER=postgres \
+  -e POSTGRES_DB=sharenet_test \
  -p 5432:5432 \
  "${POSTGRES_IMG_DIGEST}"

@ -1964,12 +1964,18 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - `REGISTRY_HOST`: Your Forgejo instance's registry URL
 - `REGISTRY_USERNAME`: Your Forgejo username for registry authentication
 - `REGISTRY_TOKEN`: Personal Access Token with `write:packages` scope for registry pushes
- `SSH_PRIVATE_KEY`: SSH private key for production deployment access
- `SSH_KNOWN_HOSTS`: SSH known_hosts entry for production server
 - `PODMAN_CLIENT_IMG_DIGEST`: Pinned Podman client image digest (e.g., `quay.io/podman/stable@sha256:...`)
 - `RUST_IMG_DIGEST`: Pinned Rust image digest (e.g., `docker.io/library/rust@sha256:...`)
 - `NODE_IMG_DIGEST`: Pinned Node.js image digest (e.g., `docker.io/library/node@sha256:...`)
 - `POSTGRES_IMG_DIGEST`: Pinned PostgreSQL image digest (e.g., `docker.io/library/postgres@sha256:...`)
+- `PROD_BACKEND_HOST`
+- `PROD_BACKEND_PORT`
+- `PROD_DB_USERNAME`
+- `PROD_DB_PASSWORD`
+- `PROD_DB_HOST`
+- `PROD_DB_PORT`
+- `PROD_DB_DATABASE_NAME`
+- `PROD_FRONTEND_PORT`

 #### How to Obtain Each Secret (with Purpose and Commands):

@ -2011,22 +2017,6 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
  # Result: POSTGRES_IMG_DIGEST=docker.io/library/postgres@sha256:16508ad37e81dd63a94cdc620b0cfa1b771c4176b4e0f1cbc3a670431643e3ed
  ```

-**2. SSH Keys (Secure Deployment Access):**
-
- **`SSH_PRIVATE_KEY`**: Private key for CI to deploy to production server
-  ```bash
-  # Generate SSH key pair (if you don't have one)
-  ssh-keygen -t ed25519 -f ~/.ssh/ci_deploy_key -N ""
-  # Use content of: cat ~/.ssh/ci_deploy_key
-  ```
-
- **`SSH_KNOWN_HOSTS`**: Prevents MITM attacks during SSH deployment
-  ```bash
-  # Get production server's SSH fingerprint
-  ssh-keyscan -H YOUR_PRODUCTION_IP > known_hosts
-  # Use content of known_hosts file
-  ```
-
 **3. Forgejo Registry Credentials (Image Storage):**

 - **`REGISTRY_HOST`**: Your Forgejo instance hostname (e.g., `git.example.com`)
--- a/deploy/prod-pod.yml
+++ b/deploy/prod-pod.yml
@ -26,16 +26,13 @@ spec:
        drop: ["ALL"]
    env:
    - name: POSTGRES_DB
-      value: sharenet
+      value: ${POSTGRES_DATABASE_NAME}
    - name: POSTGRES_USER
-      value: sharenet
+      value: ${POSTGRES_USERNAME}
    - name: PGDATA
      value: /var/lib/postgresql/data/pgdata
-    envFrom:
-    - secretRef:
-        name: postgres-secrets
    ports:
-    - containerPort: 5432
+    - containerPort: ${POSTGRES_PORT}
      protocol: TCP
    volumeMounts:
    - name: pgdata
@ -74,20 +71,17 @@ spec:
        drop: ["ALL"]
    env:
    - name: DATABASE_URL
-      value: postgres://sharenet:${POSTGRES_PASSWORD}@localhost:5432/sharenet
+      value: postgres://${POSTGRES_USERNAME}:${POSTGRES_PASSWORD}@{POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DATABASE_NAME}?sslmode=disable
    - name: PORT
-      value: "3001"
-    envFrom:
-    - secretRef:
-        name: backend-secrets
+      value: ${PROD_BACKEND_PORT}
    ports:
-    - containerPort: 3001
+    - containerPort: ${PROD_BACKEND_PORT}
      protocol: TCP
    # Health checks
    livenessProbe:
      httpGet:
        path: /health
-        port: 3001
+        port: ${PROD_BACKEND_PORT}
        scheme: HTTP
      initialDelaySeconds: 30
      periodSeconds: 30
@ -96,7 +90,7 @@ spec:
    readinessProbe:
      httpGet:
        path: /health
-        port: 3001
+        port: ${PROD_BACKEND_PORT}
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
@ -119,15 +113,14 @@ spec:
      capabilities:
        drop: ["ALL"]
    env:
-    - name: NEXT_PUBLIC_API_URL
-      value: http://localhost:3001
+    - name: NEXT_PUBLIC_API_HOST
+      value: ${PROD_BACKEND_HOST}
+    - name: NEXT_PUBLIC_API_PORT
+      value: ${PROD_BACKEND_PORT}
    - name: PORT
-      value: "3000"
-    envFrom:
-    - secretRef:
-        name: frontend-secrets
+      value: ${PROD_FRONTEND_PORT}
    ports:
-    - containerPort: 3000
+    - containerPort: ${PROD_FRONTEND_PORT}
      protocol: TCP
    # Resource limits
    resources: