Murat ÖZDEMİR
fd6a0b4f46
Corrects six documentation files to match the actual deployed pipeline behavior and align test/prod approaches where they share the same code. prod-env/02-godaddy-credentials.md - Step 1: correct secret file from .env.secrets.shared to .env.secrets.swag; add clarifying note that .env.secrets.shared holds AppRole/DB secrets and must not be used for GoDaddy credentials. - Step 4: document that GoDaddy A records are now managed automatically by the pipeline's 'Update DNS Records' step via the GoDaddy API; reference the Gitea variable PROD_FLOATING_IP that must be set once. prod-env/08-deploy-pipeline-update.md - Add Step 2 documenting the new 'Update DNS Records' pipeline step (GoDaddy API, idempotent check-before-update, requires jq and vars.PROD_FLOATING_IP). - Renumber subsequent steps 3-8 to accommodate the new step. - Fix DB hostnames in Step 7 (Run Database Init Scripts) from iklimco_postgresql/iklimco_mongodb to postgresql/mongodb, matching how Swarm overlay DNS resolves service names inside iklimco-net. - Update context block: correct DB hostname description, replace outdated storagebox path note with env-var approach, list new steps. - Update final step order to 24 steps including the DNS step and Release Deploy Lock; mark Wait for etcd as NEW. prod-env/09-verify.md - Insert check #2 for the precipitation image directory (/mnt/storagebox/precipitation/images) and iklimco_image-data volume bind mount, mirroring the equivalent check in test-env/08-verify.md. - Renumber all subsequent checks (3-12) to maintain sequential ordering. test-env/03-infra-stack-changes.md - Update SWAG service volume snippet: replace hardcoded paths (swag-vl:/config, /opt/iklimco/swag/dns-conf, /opt/iklimco/swag/site-confs) with env-var forms (${SWAG_CONFIG_DIR:-swag-vl}, ${SWAG_DNS_CONF_DIR:-...}, ${SWAG_SITE_CONFS_DIR:-...}) to match docker-stack-infra.yml. - Update cert-reloader volume snippet: replace swag-vl and /opt/iklimco/ssl with ${SWAG_CONFIG_DIR:-swag-vl} and ${SWAG_CERT_DIR:-/opt/iklimco/ssl}, enabling StorageBox override in prod without changing the base file. test-env/04-swag-nginx-configs.md - Replace RESTRICTED_IP_1/RESTRICTED_IP_2 individual env vars with RESTRICTED_IPS (comma-separated CIDR list) in the required-vars section, matching env-test/.env and the actual pipeline. - Update all three IP-restricted template examples (apigw, rabbitmq, grafana) from allow ${RESTRICTED_IP_1}; allow ${RESTRICTED_IP_2}; to ${RESTRICTED_IPS_BLOCK}, matching the actual .conf.tpl files in the repo. - Rewrite the deploy step section to match the real pipeline: docker run alpine for file writing, RESTRICTED_IPS_BLOCK generation via sed, and envsubst with explicit SWAG_VARS filter to protect nginx $upstream_* vars. test-env/07-deploy-pipeline-update.md - Step 2 (Prepare SWAG Directories): replace sudo-tee approach with the actual docker-run-alpine method used in deploy-test.yml; add nginx reload block; update notes to reflect RESTRICTED_IPS_BLOCK generation. - Step 4 (Re-order): correct step numbering to match actual pipeline (21 steps); mark 'Wait for etcd' as already present in pipeline rather than a new addition; add Bootstrap Vault TLS Placeholder which was missing from the documented order.
70 lines
2.5 KiB
Markdown
70 lines
2.5 KiB
Markdown
# 02 — GoDaddy DNS Credentials for SWAG (Prod)
|
|
|
|
## Context
|
|
Identical to test-env-setup/02, except the storagebox path is `prod/` instead of `test/`.
|
|
|
|
## ⚠️ Security — Rotate credentials before use
|
|
|
|
If credentials were shared in any chat log, Slack message, or email, **revoke them immediately**:
|
|
1. Go to: https://developer.godaddy.com/keys
|
|
2. Revoke the exposed key
|
|
3. Create a new Production key pair
|
|
|
|
**Never commit credentials to the repository.**
|
|
|
|
## Step 1 — Add credentials to storagebox `.env.secrets.swag` (prod path)
|
|
|
|
Open the file at storagebox path:
|
|
```
|
|
prod/secrets/iklim.co/.env.secrets.swag
|
|
```
|
|
|
|
Add:
|
|
```bash
|
|
GODADDY_KEY=<your-new-api-key>
|
|
GODADDY_SECRET=<your-new-api-secret>
|
|
```
|
|
|
|
> `.env.secrets.swag` contains SWAG/GoDaddy credentials only.
|
|
> `.env.secrets.shared` contains AppRole IDs, DB passwords, and other runtime secrets — do not mix.
|
|
|
|
## Step 2 — Repo template file
|
|
|
|
Same file as test: `swag/dns-conf/godaddy.ini.tpl` (already created in test step 02).
|
|
No additional action needed in the repo.
|
|
|
|
## Step 3 — (Handled by pipeline) Write credentials file on prod host
|
|
|
|
The deploy pipeline (see `08-deploy-pipeline-update.md`) runs on iklim-app-01:
|
|
|
|
```bash
|
|
set -a; . ./.env; set +a
|
|
mkdir -p "$SWAG_DNS_CONF_DIR"
|
|
envsubst < swag/dns-conf/godaddy.ini.tpl > "$SWAG_DNS_CONF_DIR/godaddy.ini"
|
|
chmod 600 "$SWAG_DNS_CONF_DIR/godaddy.ini"
|
|
```
|
|
|
|
## Step 4 — GoDaddy A records for prod subdomains (handled by pipeline)
|
|
|
|
The deploy pipeline's **Update DNS Records** step automatically manages A records via GoDaddy API.
|
|
It reads the Floating IP from the Gitea variable `vars.PROD_FLOATING_IP` — set this once in Gitea project settings.
|
|
|
|
To get the Floating IP: `terraform output prod_floating_ip`
|
|
|
|
| Record | Value |
|
|
|--------|-------|
|
|
| `api` | `vars.PROD_FLOATING_IP` |
|
|
| `apigw` | `vars.PROD_FLOATING_IP` |
|
|
| `rabbitmq` | `vars.PROD_FLOATING_IP` |
|
|
| `grafana` | `vars.PROD_FLOATING_IP` |
|
|
|
|
Logic: for each record, pipeline queries the current value via GoDaddy API. If already correct, it skips. Otherwise it creates/updates the record.
|
|
|
|
> The Floating IP is assigned to `iklim-app-01` (`06-prod-terraform-iaac.md` — `floating_ip.tf`).
|
|
> If failover is needed, the Floating IP can be reassigned to another app node; DNS does not change.
|
|
|
|
## Notes
|
|
- Test and prod SWAG instances both obtain `*.iklim.co` independently from Let's Encrypt.
|
|
There is no conflict — they use the same domain, different servers.
|
|
- `DNSPROPAGATION=90` handles GoDaddy's typical 30-90s propagation delay.
|