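---
# Deploys the Vault stack to the production Swarm on every push to prod-env.
name: Deploy Vault Stack to Production

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - prod-env

# Serialise production deploys; an in-flight deploy is never cancelled.
concurrency:
  group: vault-prod-deploy
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: prod-runner
    # NOTE(review): no `permissions:` block, so GITHUB_TOKEN keeps the repository
    # default scope. The visible steps only need `contents: read`; confirm
    # vault-bootstrap.sh does not use the token before adding that restriction.
    steps:
      - name: Checkout
        # NOTE(review): `v4` is a mutable tag. Pin to a full commit SHA
        # (`actions/checkout@<commit-sha>  # v4`) so the action cannot change
        # underneath a production deploy.
        uses: actions/checkout@v4

      - name: Connect Runner to Overlay Network
        # Best-effort: the runner may already be attached, so a failure is ignored.
        run: docker network connect iklimco-net $(hostname) || true

      - name: Ensure vault_unseal_key placeholder exists
        # `-x` forces an exact-name match; the previous prefix match (`^vault_unseal_key`)
        # would also be satisfied by e.g. `vault_unseal_key_old` and skip creation.
        # NOTE(review): the placeholder value is a known constant; confirm the
        # bootstrap step replaces it before the cluster is relied on.
        run: |
          docker secret ls --format '{{.Name}}' | grep -qx 'vault_unseal_key' || \
            echo "bootstrap" | docker secret create vault_unseal_key -

      - name: Deploy Vault Stack
        run: |
          docker stack deploy \
            --with-registry-auth \
            -c docker-stack-vault.yml \
            iklimco

      - name: Run Bootstrap
        env:
          SKIP_DEPLOY: "true"
        run: bash vault-bootstrap.sh

      - name: Verify Vault Cluster Health
        # NOTE(review): VAULT_SKIP_VERIFY=true disables TLS certificate checks for
        # this probe; prefer mounting the CA bundle and setting VAULT_CACERT.
        # The image tag is mutable; pin by digest (`@sha256:<digest>`) if possible.
        run: |
          SEALED=$(docker run --rm --network iklimco-net hashicorp/vault:2.0.1 \
            sh -c "VAULT_ADDR=https://vault.iklim.co:8200 VAULT_SKIP_VERIFY=true vault status 2>/dev/null" \
            | awk '/^Sealed/{print $2}' || echo "true")
          # Only an explicit "false" counts as healthy; empty output (container or
          # `vault status` failure) falls through to the error branch.
          if [ "$SEALED" = "false" ]; then
            echo "Vault cluster is unsealed and healthy"
          else
            echo "ERROR: Vault cluster is sealed or unreachable"
            exit 1
          fi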