feat: add Docker secrets recreation to production deployment - Remove old stack and secrets before deployment - Recreate all secrets with current CI environment values - Ensures immutable secrets are always up-to-date
ci/woodpecker/push/woodpecker Pipeline was successful
Details
ci/woodpecker/push/woodpecker Pipeline was successful
Details
This commit is contained in:
Your Name
parent
767b996c29
commit
fc9be0d7c7
|
|
@ -207,6 +207,33 @@ steps:
|
||||||
commands:
|
commands:
|
||||||
- echo "Deploying to production environment"
|
- echo "Deploying to production environment"
|
||||||
- echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
|
- echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
|
||||||
|
- echo "Removing old stack to release secrets"
|
||||||
|
- docker stack rm $${CI_REPO_NAME} || true
|
||||||
|
- echo "Waiting for stack removal to complete"
|
||||||
|
- sleep 30
|
||||||
|
- echo "Removing old Docker secrets"
|
||||||
|
- docker secret rm AUTHENTICATION_BACKEND_LDAP_PASSWORD || true
|
||||||
|
- docker secret rm IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET || true
|
||||||
|
- docker secret rm STORAGE_ENCRYPTION_KEY || true
|
||||||
|
- docker secret rm SESSION_SECRET || true
|
||||||
|
- docker secret rm NOTIFIER_SMTP_PASSWORD || true
|
||||||
|
- docker secret rm IDENTITY_PROVIDERS_OIDC_HMAC_SECRET || true
|
||||||
|
- docker secret rm IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY || true
|
||||||
|
- docker secret rm IDENTITY_PROVIDERS_OIDC_JWKS_KEY || true
|
||||||
|
- docker secret rm CLIENT_SECRET_HEADSCALE || true
|
||||||
|
- docker secret rm CLIENT_SECRET_HEADADMIN || true
|
||||||
|
- echo "Creating new Docker secrets with updated values"
|
||||||
|
- echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" | docker secret create AUTHENTICATION_BACKEND_LDAP_PASSWORD -
|
||||||
|
- echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" | docker secret create IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET -
|
||||||
|
- echo "$${STORAGE_ENCRYPTION_KEY}" | docker secret create STORAGE_ENCRYPTION_KEY -
|
||||||
|
- echo "$${SESSION_SECRET}" | docker secret create SESSION_SECRET -
|
||||||
|
- echo "$${NOTIFIER_SMTP_PASSWORD}" | docker secret create NOTIFIER_SMTP_PASSWORD -
|
||||||
|
- echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" | docker secret create IDENTITY_PROVIDERS_OIDC_HMAC_SECRET -
|
||||||
|
- echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY -
|
||||||
|
- echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_JWKS_KEY -
|
||||||
|
- echo "$${CLIENT_SECRET_HEADSCALE}" | docker secret create CLIENT_SECRET_HEADSCALE -
|
||||||
|
- echo "$${CLIENT_SECRET_HEADADMIN}" | docker secret create CLIENT_SECRET_HEADADMIN -
|
||||||
|
- echo "Deploying new stack with fresh secrets"
|
||||||
- docker stack deploy --with-registry-auth -c ./stack.production.yml $${CI_REPO_NAME}
|
- docker stack deploy --with-registry-auth -c ./stack.production.yml $${CI_REPO_NAME}
|
||||||
when:
|
when:
|
||||||
branch: main
|
branch: main
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue