Environment_Infrastructure/roadmap/test-env/02-godaddy-credentials.md
2026-05-09 16:26:06 +03:00

02 — GoDaddy DNS Credentials for SWAG (Test)

Context

SWAG uses certbot with the certbot-dns-godaddy plugin to obtain and auto-renew the *.iklim.co wildcard certificate via the DNS-01 challenge (a wildcard certificate can only be validated over DNS-01, so the GoDaddy API is the validation path). GoDaddy API credentials must therefore be available at deploy time.

⚠️ Security — Rotate credentials before use

If credentials were shared in any chat log, Slack message, or email, revoke them immediately:

  1. Go to: https://developer.godaddy.com/keys
  2. Revoke the exposed key
  3. Create a new Production key pair
  4. Use the new Key + Secret everywhere below

Never commit credentials to the repository.

Step 1 — Add credentials to storagebox .env.secrets.swag

Open (or create) the file at storagebox path:

test/secrets/iklim.co/.env.secrets.swag

Add:

GODADDY_KEY=<your-new-api-key>
GODADDY_SECRET=<your-new-api-secret>

These are fetched by the deploy pipeline's Fetch Service Secret Files step and sourced into the environment before further steps run.

Step 2 — Template file in the repo

swag/dns-conf/godaddy.ini.tpl already exists in the repository (path relative to the repository root):

dns_godaddy_key = ${GODADDY_KEY}
dns_godaddy_secret = ${GODADDY_SECRET}

This template is processed at deploy time (Step 07) with envsubst.

Step 3 — (Handled by pipeline) Write the actual credentials file on the host

The deploy pipeline (see 07-deploy-pipeline-update.md) runs:

mkdir -p /opt/iklimco/swag/dns-conf
envsubst < swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini
chmod 600 /opt/iklimco/swag/dns-conf/godaddy.ini

GODADDY_KEY and GODADDY_SECRET are already in the environment (sourced from .env.secrets.swag).

The file is bind-mounted into the SWAG container at /config/dns-conf/godaddy.ini (read-only).

Step 4 — Verify (after SWAG is deployed)

Inside the SWAG container:

docker exec $(docker ps -q -f name=iklimco_swag) cat /config/dns-conf/godaddy.ini

Expected output: a file with the real key/secret values, not ${...} placeholders. Note that envsubst substitutes an empty string for a variable that is unset, so an empty value after = means the variable was missing from the environment when Step 3 ran.
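Steps 3 and 4 together as an added shell example (not the project's own pipeline code): it renders the template with envsubst but fails closed when a credential variable is unset, creates the file with owner-only permissions from the start instead of chmod-ing it afterwards, and verifies the result without printing the secret values. The template layout and the GODADDY_KEY / GODADDY_SECRET names follow this document; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own deploy step. Assumes the two-line
# template and the GODADDY_KEY / GODADDY_SECRET variables described above.
set -eu

# verify_godaddy_ini FILE: the Step 4 check without printing the secrets.
# Returns 0 when both keys carry a non-empty value, no ${...} placeholder
# remains, and the file is readable/writable by its owner only.
verify_godaddy_ini() {
    f="$1"
    grep -q '^dns_godaddy_key = .' "$f" || return 1
    grep -q '^dns_godaddy_secret = .' "$f" || return 1
    if grep -q '\${' "$f"; then return 2; fi
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || return 3
    return 0
}

# render_godaddy_ini TEMPLATE OUTPUT: Step 3 with a fail-closed variable check.
render_godaddy_ini() {
    tpl="$1"
    out="$2"
    command -v envsubst >/dev/null 2>&1 || { echo "envsubst (gettext) missing" >&2; return 4; }

    # envsubst silently substitutes an empty string for an unset variable, so
    # check the credentials before rendering rather than after.
    for var in GODADDY_KEY GODADDY_SECRET; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "render_godaddy_ini: $var is not set" >&2
            return 1
        fi
    done

    mkdir -p "$(dirname "$out")"
    # Remove any stale copy: a redirect into an existing file keeps its old mode.
    rm -f "$out"
    # umask 077 in a subshell: the file is created 0600, so there is no window
    # in which a default umask leaves it group/world readable before chmod 600.
    # Restricting envsubst to the two expected names leaves any other ${...}
    # in the template untouched instead of expanding it from the environment.
    ( umask 077; envsubst '${GODADDY_KEY} ${GODADDY_SECRET}' < "$tpl" > "$out" )

    verify_godaddy_ini "$out"
}
```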

Notes

  • DNSPROPAGATION=90 is configured in SWAG's environment — GoDaddy DNS changes can take up to 90s.
  • SWAG stores the obtained cert at /config/etc/letsencrypt/live/iklim.co/ inside the container (persisted in the swag-vl Docker named volume).
  • The cert-reloader service watches this volume and copies renewed certs to /opt/iklimco/ssl/ for Vault (see 06-cert-reloader.md).