Corrects six documentation files to match the actual deployed pipeline behavior and aligns test/prod approaches where they share the same code.

prod-env/02-godaddy-credentials.md
- Step 1: correct secret file from .env.secrets.shared to .env.secrets.swag; add clarifying note that .env.secrets.shared holds AppRole/DB secrets and must not be used for GoDaddy credentials.
- Step 4: document that GoDaddy A records are now managed automatically by the pipeline's 'Update DNS Records' step via the GoDaddy API; reference the Gitea variable PROD_FLOATING_IP that must be set once.

prod-env/08-deploy-pipeline-update.md
- Add Step 2 documenting the new 'Update DNS Records' pipeline step (GoDaddy API, idempotent check-before-update, requires jq and vars.PROD_FLOATING_IP).
- Renumber subsequent steps 3-8 to accommodate the new step.
- Fix DB hostnames in Step 7 (Run Database Init Scripts) from iklimco_postgresql/iklimco_mongodb to postgresql/mongodb, matching how Swarm overlay DNS resolves service names inside iklimco-net.
- Update context block: correct DB hostname description, replace outdated storagebox path note with env-var approach, list new steps.
- Update final step order to 24 steps including the DNS step and Release Deploy Lock; mark Wait for etcd as NEW.

prod-env/09-verify.md
- Insert check #2 for the precipitation image directory (/mnt/storagebox/precipitation/images) and iklimco_image-data volume bind mount, mirroring the equivalent check in test-env/08-verify.md.
- Renumber all subsequent checks (3-12) to maintain sequential ordering.

test-env/03-infra-stack-changes.md
- Update SWAG service volume snippet: replace hardcoded paths (swag-vl:/config, /opt/iklimco/swag/dns-conf, /opt/iklimco/swag/site-confs) with env-var forms (${SWAG_CONFIG_DIR:-swag-vl}, ${SWAG_DNS_CONF_DIR:-...}, ${SWAG_SITE_CONFS_DIR:-...}) to match docker-stack-infra.yml.
- Update cert-reloader volume snippet: replace swag-vl and /opt/iklimco/ssl with ${SWAG_CONFIG_DIR:-swag-vl} and ${SWAG_CERT_DIR:-/opt/iklimco/ssl}, enabling StorageBox override in prod without changing the base file.

test-env/04-swag-nginx-configs.md
- Replace RESTRICTED_IP_1/RESTRICTED_IP_2 individual env vars with RESTRICTED_IPS (comma-separated CIDR list) in the required-vars section, matching env-test/.env and the actual pipeline.
- Update all three IP-restricted template examples (apigw, rabbitmq, grafana) from allow ${RESTRICTED_IP_1}; allow ${RESTRICTED_IP_2}; to ${RESTRICTED_IPS_BLOCK}, matching the actual .conf.tpl files in the repo.
- Rewrite the deploy step section to match the real pipeline: docker run alpine for file writing, RESTRICTED_IPS_BLOCK generation via sed, and envsubst with explicit SWAG_VARS filter to protect nginx $upstream_* vars.

test-env/07-deploy-pipeline-update.md
- Step 2 (Prepare SWAG Directories): replace sudo-tee approach with the actual docker-run-alpine method used in deploy-test.yml; add nginx reload block; update notes to reflect RESTRICTED_IPS_BLOCK generation.
- Step 4 (Re-order): correct step numbering to match actual pipeline (21 steps); mark 'Wait for etcd' as already present in pipeline rather than a new addition; add Bootstrap Vault TLS Placeholder which was missing from the documented order.
02 — GoDaddy DNS Credentials for SWAG (Prod)
Context
Identical to test-env-setup/02, except the storagebox path is prod/ instead of test/.
⚠️ Security — Rotate credentials before use
If credentials were shared in any chat log, Slack message, or email, revoke them immediately:
- Go to: https://developer.godaddy.com/keys
- Revoke the exposed key
- Create a new Production key pair
Never commit credentials to the repository.
Step 1 — Add credentials to storagebox .env.secrets.swag (prod path)
Open the file at storagebox path:
prod/secrets/iklim.co/.env.secrets.swag
Add:
GODADDY_KEY=<your-new-api-key>
GODADDY_SECRET=<your-new-api-secret>
.env.secrets.swag contains SWAG/GoDaddy credentials only. .env.secrets.shared contains AppRole IDs, DB passwords, and other runtime secrets — do not mix.
Step 2 — Repo template file
Same file as test: swag/dns-conf/godaddy.ini.tpl (already created in test step 02).
No additional action needed in the repo.
Step 3 — (Handled by pipeline) Write credentials file on prod host
The deploy pipeline (see 08-deploy-pipeline-update.md) runs on iklim-app-01:
set -a; . ./.env; set +a
mkdir -p "$SWAG_DNS_CONF_DIR"
envsubst < swag/dns-conf/godaddy.ini.tpl > "$SWAG_DNS_CONF_DIR/godaddy.ini"
chmod 600 "$SWAG_DNS_CONF_DIR/godaddy.ini"
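The four lines above create godaddy.ini under the process umask and only then tighten it to 0600, and they let envsubst expand every ${...} in the template. The script below is an added example, not the project's pipeline code: it renders the same kind of template but creates the file as 0600 from the first byte (umask 077 in a subshell, then an atomic rename), substitutes only an explicit allow-list of variable names (the same idea as the SWAG_VARS filter the change summary mentions for envsubst, which is what keeps nginx placeholders like $upstream_addr untouched in the site templates), and refuses to write anything when a listed credential is unset, empty or multi-line, or when a ${...} placeholder survives in the output. The template text and credential values are constructed for the example; the real template is swag/dns-conf/godaddy.ini.tpl. sed stands in for envsubst only so the script runs without gettext installed.

```shell
#!/bin/sh
# Added example, not the project's pipeline code: hardened rendering of a
# godaddy.ini-style template. See the lead-in for what it guards against.
set -eu

NL=$(printf '\n.'); NL=${NL%.}   # a literal newline, for the single-line check

# render_allowlisted TEMPLATE OUTPUT VAR... : replace ${VAR} for each listed VAR.
render_allowlisted() {
  tpl=$1; out=$2; shift 2
  expr=''
  for v in "$@"; do
    # Only accept identifiers, since the name is fed to eval below.
    case $v in ''|*[!A-Za-z0-9_]*|[0-9]*) echo "bad variable name: '$v'" >&2; return 1;; esac
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "refusing to render: $v is unset or empty" >&2; return 1; }
    case $val in *"$NL"*) echo "refusing to render: $v spans several lines" >&2; return 1;; esac
    # Escape what is special in a sed replacement: backslash, '&' and the '|' delimiter.
    esc=$(printf '%s' "$val" | sed 's/[\\&|]/\\&/g')
    expr="${expr}s|\\\${$v}|$esc|g;"
  done
  (
    umask 077                       # new files are 0600; no chmod window at all
    tmp="$out.tmp.$$"
    sed "${expr%;}" "$tpl" > "$tmp"
    if grep -qF '${' "$tmp"; then   # a placeholder survived: misspelled or missing name
      echo "refusing to render: unsubstituted placeholder left in $out" >&2
      rm -f "$tmp"; exit 1
    fi
    mv "$tmp" "$out"                # atomic replace inside the same directory
  )
}

# Stand-alone demo with a constructed template and placeholder credentials.
demo() {
  d=$(mktemp -d)
  printf 'dns_godaddy_key = ${GODADDY_KEY}\ndns_godaddy_secret = ${GODADDY_SECRET}\n' \
    > "$d/godaddy.ini.tpl"
  GODADDY_KEY='example-key' GODADDY_SECRET='example&secret|with|odd|chars'
  export GODADDY_KEY GODADDY_SECRET
  render_allowlisted "$d/godaddy.ini.tpl" "$d/godaddy.ini" GODADDY_KEY GODADDY_SECRET
  ls -l "$d/godaddy.ini"; cat "$d/godaddy.ini"
}
demo
```

In the pipeline the same effect can be had by prefixing the existing envsubst line with umask 077 and passing the variable list as envsubst's first argument; the example keeps the checks in one function so they can be reused for the nginx templates in test-env/04.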
Step 4 — GoDaddy A records for prod subdomains (handled by pipeline)
The deploy pipeline's Update DNS Records step automatically manages A records via GoDaddy API.
It reads the Floating IP from the Gitea variable vars.PROD_FLOATING_IP — set this once in Gitea project settings.
To get the Floating IP: terraform output prod_floating_ip
| Record | Value |
|---|---|
| api | vars.PROD_FLOATING_IP |
| apigw | vars.PROD_FLOATING_IP |
| rabbitmq | vars.PROD_FLOATING_IP |
| grafana | vars.PROD_FLOATING_IP |
Logic: for each record, the pipeline queries the current value via the GoDaddy API. If the record already holds the Floating IP it is skipped; otherwise the record is created or updated.
The Floating IP is assigned to iklim-app-01 (see 06-prod-terraform-iaac.md, floating_ip.tf). If failover is needed, the Floating IP can be reassigned to another app node; DNS does not change.
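The check-before-update logic described above, written out as an added example (this is not the pipeline's own 'Update DNS Records' step). It assumes GODADDY_KEY and GODADDY_SECRET in the environment (the credentials from Step 1), PROD_FLOATING_IP carrying the value of the Gitea variable vars.PROD_FLOATING_IP, the iklim.co zone, and the four record names from the table; the 600-second TTL and the jq-or-sed response parsing are the example's own choices. The two curl wrappers are the only place the network is touched, so they can be stubbed to exercise the skip/create/update decisions offline, and the address is validated as a dotted quad before it is interpolated into the request body.

```shell
#!/bin/sh
# Added example, not the project's pipeline code: idempotent GoDaddy A-record
# management for the prod subdomains. Assumptions are listed in the lead-in.
set -eu

GD_API=${GD_API:-https://api.godaddy.com}
DOMAIN=${DOMAIN:-iklim.co}

# GET /v1/domains/{domain}/records/A/{name}: JSON array of the current A records.
gd_get() {
  curl -fsS -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
    "$GD_API/v1/domains/$DOMAIN/records/A/$1"
}

# PUT on the same path replaces every A record for that name with the one given.
gd_put() {
  curl -fsS -X PUT -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
    -H 'Content-Type: application/json' -d "[{\"data\":\"$2\",\"ttl\":600}]" \
    "$GD_API/v1/domains/$DOMAIN/records/A/$1" > /dev/null
}

# "data" of the first record in the GET response; jq as the pipeline uses it,
# with a sed fallback for this fixed response shape when jq is not installed.
json_first_data() {
  if command -v jq > /dev/null 2>&1; then jq -r '.[0].data // empty'
  else tr '{' '\n' | sed -n 's/.*"data"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
  fi
}

# Accept only a dotted-quad IPv4 address, each octet 0-255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# ensure_a_record NAME IP: skip when the zone already holds IP, else PUT it.
# Prints one line per record so the pipeline log shows skip/create/update.
ensure_a_record() {
  name=$1; want=$2
  is_ipv4 "$want" || { echo "refusing to publish '$want' for $name: not an IPv4 address" >&2; return 2; }
  have=$(gd_get "$name" | json_first_data)   # empty when no A record exists yet
  if [ "$have" = "$want" ]; then
    echo "skip $name"
    return 0
  fi
  gd_put "$name" "$want"
  if [ -n "$have" ]; then echo "update $name $have -> $want"; else echo "create $name $want"; fi
}

update_all() {
  for name in api apigw rabbitmq grafana; do
    ensure_a_record "$name" "$PROD_FLOATING_IP"
  done
}

# Only talk to GoDaddy when credentials and the target IP are actually present.
if [ -n "${GODADDY_KEY:-}" ] && [ -n "${GODADDY_SECRET:-}" ] && [ -n "${PROD_FLOATING_IP:-}" ]; then
  update_all
fi
```

Because PUT replaces the whole A record set for a name, a second run with the same Floating IP is a no-op (four "skip" lines), which is what makes the step safe to re-run on every deploy.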
Notes
- Test and prod SWAG instances both obtain *.iklim.co certificates independently from Let's Encrypt. There is no conflict — they use the same domain on different servers. DNSPROPAGATION=90 handles GoDaddy's typical 30-90s propagation delay.