iklim.co/Environment_Infrastructure
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Environment_Infrastructure/roadmap/test-env/02-godaddy-credentials.md
Murat ÖZDEMİR 81c38e8d39 initial commit
2026-05-09 16:26:06 +03:00

74 lines
2.4 KiB
Markdown
Raw Blame History

# 02 — GoDaddy DNS Credentials for SWAG (Test)
## Context
SWAG uses certbot with `certbot-dns-godaddy` plugin to obtain and auto-renew the
`*.iklim.co` wildcard certificate via DNS-01 challenge.
GoDaddy API credentials must be available at deploy time.
## ⚠️ Security — Rotate credentials before use
If credentials were shared in any chat log, Slack message, or email, **revoke them immediately**:
1. Go to: https://developer.godaddy.com/keys
2. Revoke the exposed key
3. Create a new Production key pair
4. Use the new Key + Secret everywhere below
**Never commit credentials to the repository.**
## Step 1 — Add credentials to storagebox `.env.secrets.swag`
Open (or create) the file at storagebox path:
```
test/secrets/iklim.co/.env.secrets.swag
```
Add:
```bash
GODADDY_KEY=<your-new-api-key>
GODADDY_SECRET=<your-new-api-secret>
```
These are fetched by the deploy pipeline's `Fetch Service Secret Files` step and sourced into the environment before further steps run.
## Step 2 — Template file in the repo
`swag/dns-conf/godaddy.ini.tpl` already exists in the repository root:
```ini
dns_godaddy_key = ${GODADDY_KEY}
dns_godaddy_secret = ${GODADDY_SECRET}
```
This template is processed at deploy time (Step 07) with `envsubst`.
## Step 3 — (Handled by pipeline) Write the actual credentials file on the host
The deploy pipeline (see `07-deploy-pipeline-update.md`) runs:
```bash
mkdir -p /opt/iklimco/swag/dns-conf
envsubst < swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini
chmod 600 /opt/iklimco/swag/dns-conf/godaddy.ini
```
`GODADDY_KEY` and `GODADDY_SECRET` are already in the environment (sourced from `.env.secrets.swag`).
The file is bind-mounted into the SWAG container at `/config/dns-conf/godaddy.ini` (read-only).
## Step 4 — Verify (after SWAG is deployed)
Inside the SWAG container:
```bash
docker exec $(docker ps -q -f name=iklimco_swag) cat /config/dns-conf/godaddy.ini
```
Expected output: file with real key/secret values, not `${...}` placeholders.
## Notes
- `DNSPROPAGATION=90` is configured in SWAG's environment — GoDaddy DNS changes can take up to 90s.
- SWAG stores the obtained cert at `/config/etc/letsencrypt/live/iklim.co/` inside the container
(persisted in the `swag-vl` Docker named volume).
- cert-reloader service watches this volume and copies renewed certs to `/opt/iklimco/ssl/`
for Vault (see `06-cert-reloader.md`).
Reference in New Issue View Git Blame Copy Permalink