From 675c2419c50fe840cf5450083d26fabc03b9e169 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Wed, 2 Apr 2025 23:47:55 +0200 Subject: [PATCH 01/19] feat: prune secret --- .github/workflows/main.yml | 39 ++++++++++++++++++++++++++++++++++++++ action.yml | 5 ++++- docker-entrypoint.sh | 2 +- scripts/docker_secrets.sh | 32 +++++++++++++++++++++++++++---- scripts/docker_swarm.sh | 18 ++++++++++++++---- scripts/functions.sh | 14 +++++++++++--- 6 files changed, 97 insertions(+), 13 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ff10d7c..caf1ec2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -400,3 +400,42 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx_4 debug: true + + test5: + runs-on: ubuntu-latest + name: "Secrets" + needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"] + services: + docker-throw-ssh: + image: "ghcr.io/tristiisch/docker_throw_ssh_with_key:test-${{ needs.utils.outputs.short_sha }}" + ports: + - 2222:22 + options: > + --privileged + --tty + -v /sys/fs/cgroup:/sys/fs/cgroup + --cgroupns=host + --cap-add=NET_ADMIN + --cap-add=NET_RAW + --cap-add=SYS_ADMIN + --tmpfs /run + --tmpfs /run/lock + --tmpfs /tmp + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Start Deployment 4 - Secrets + uses: ./ + with: + deployment_mode: docker-swarm + remote_docker_host: "${{ env.CONTAINER_NAME }}" + remote_docker_port: "${{ env.CONTAINER_PORT }}" + remote_docker_username: "${{ env.SSH_USERNAME }}" + ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" + ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" + stack_file_path: ./tests/docker-compose.yml + stack_name: nginx_5 + debug: true + secrets: key1 value1 key2 value2 diff --git a/action.yml b/action.yml index 3675761..e037f5c 100644 --- a/action.yml +++ b/action.yml 
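Review bot: The new `test5` service maps its port with a plain scalar, `- 2222:22`, which a YAML 1.1 parser reads as a sexagesimal integer rather than the string "2222:22"; the earlier jobs in this file presumably use the same form and GitHub's loader tolerates it, but quoting it as `- "2222:22"` removes the ambiguity for any other tool that parses the workflow. The same applies to each copy of this service block added in the later patches of this series.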
@@ -18,7 +18,7 @@ inputs: required: true deployment_mode: description: 'Deployment mode: docker-swarm or docker-compose (default: docker-compose)' - default: './docker-compose' + default: 'docker-compose' copy_stack_file: description: 'Copy stack file to remote server and deploy from the server (default: false)' deploy_path: @@ -45,6 +45,9 @@ inputs: default: true secrets: description: 'Update Docker Secret using rotation during Stack Update. Format is service_name secret_name key1 value1 key2 value2 ...' + secrets_prune: + description: 'Remove all unused Docker secrets (default: false).' + default: false args: description: 'Command arguments for deployment' debug: diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index a24b4e0..f3a08ba 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -84,7 +84,7 @@ case $INPUT_DEPLOYMENT_MODE in if [ -n "${INPUT_SECRETS+set}" ] && [ -n "$INPUT_SECRETS" ]; then POST_SCRIPTS_FOLDER="/opt/scripts/post" export POST_SCRIPTS_FOLDER - "$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" $INPUT_SECRETS + "$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" "$INPUT_SECRET_PRUNE" $INPUT_SECRETS fi "$WORKDIR/scripts/docker_swarm.sh" diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 3a84d78..4c3f07f 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh 
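Review bot: The `secrets_prune` description, 'Remove all unused Docker secrets', understates the blast radius: `prune_secrets` in scripts/docker_secrets.sh deletes every secret on the Swarm that no service references at that moment, including secrets owned by other stacks or created ahead of a deployment that has not run yet. State that scope in the input so users opt in knowingly, e.g. `description: 'Remove every Docker secret on the Swarm that no running service references, not only those of this stack (default: false).'`. The `default: false` is consistent with the boolean defaults declared above it.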
@@ -75,12 +75,29 @@ get_secrets_to_preserve() { echo "$secret_to_preserve" } +prune_secrets() { + if ! command -v "jq" >/dev/null 2>&1; then + echo "jq is not installed. Please install it to prune secrets." + exit 1 + fi + debug "all_secrets: $(docker secret ls -q)" + used_secrets=$(docker service ls -q | xargs -I {} docker service inspect {} --format '{{json .Spec.TaskTemplate.ContainerSpec.Secrets}}' | jq -r 'select(. != null) | .[].SecretID' | sort -u) + debug "used_secrets: $used_secrets" + + for secret in $(docker secret ls -q); do + if ! echo "$used_secrets" | grep -qw "$secret"; then + debug "Removing unused secret: $secret" + docker secret rm "$secret" + fi + done +} + if ! command -v yq >/dev/null 2>&1; then echo "yq is needed to use this script." >&2 exit 1 fi -debug "docker_secret.sh $*" +debug "$0 \"$*\"" if [ -z "${1+set}" ] || [ -z "${2+set}" ] || [ -z "${3+set}" ] || [ -z "${4+set}" ]; then echo "Usage: $0 docker-compose.yml stack_name service_name secret_name key1 value1 key2 value2 ..." >&2 @@ -93,14 +110,15 @@ fi docker_compose_file_path=$1 stack_name=$2 -service_name=$3 -secret_name=$4 +secret_prune=$3 +service_name=$4 +secret_name=$5 service_fullname=${stack_name}_${service_name} secret_name_suffix=$(openssl rand -hex 2) secret_name_full="${secret_name}_${secret_name_suffix}" secret_values="" -secret_start_after=4 +secret_start_after=5 secret_label_hash_name="hash" # Check if there are enough arguments for key-value pairs @@ -131,6 +149,12 @@ info "Calculating hash for secrets" dotenv_secret_hash=$(calculate_hash "$dotenv_secret") debug "Result: $dotenv_secret_hash" +debug "secret_prune: $secret_prune" +if [ "$secret_prune" = "true" ]; then + info "Pruning secrets ..." + prune_secrets +fi + # Check if service exists if docker service inspect "$service_fullname" >/dev/null 2>&1; then info "Fetching the current secrets for service $service_fullname" diff --git a/scripts/docker_swarm.sh b/scripts/docker_swarm.sh index 57408e5..6b9d75c 100755 
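Review bot: The new `debug "$0 \"$*\""` line prints every positional argument, and from the sixth argument onwards those are the secret keys and values themselves, so running with `debug: true` writes the plaintext secrets into the job log (GitHub masks only values that came from `${{ secrets.* }}`, which nothing here guarantees). Log the non-sensitive arguments only, e.g. `debug "$0 \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" <secret values redacted>"`. In `prune_secrets`, `grep -qw "$secret"` tolerates partial matches bounded by non-word characters; `grep -qxF "$secret"` asserts a whole-line ID match, which is what the loop intends.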
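Review bot: The positional shift (`secret_prune=$3`, `service_name=$4`, `secret_name=$5`) is not mirrored in the argument guard that sits in the previous hunk's context, which still only requires `${4+set}`, and the usage text still lists the old argument order; a call with four arguments now passes the guard and produces an empty `secret_name`, hence a secret named `_<suffix>`, instead of a usage error. Extend the guard with `|| [ -z "${5+set}" ]` and update the message to `Usage: $0 docker-compose.yml stack_name secret_prune service_name secret_name key1 value1 key2 value2 ...`. The guard lines themselves are outside this hunk.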
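Review bot: `prune_secrets` is invoked here before the current service is inspected and before the new secret is created, and it removes every secret on the Swarm that no service references at that instant, so a secret another pipeline created but has not yet deployed, or one belonging to a stack that is temporarily scaled to zero, is deleted too. Restricting the candidates to secrets this script created, via the hash label it attaches at `docker secret create` (`docker secret ls -q --filter "label=$secret_label_hash_name"` in both `docker secret ls` calls inside `prune_secrets`), and running the prune after the rotation has completed would shrink that blast radius considerably. Whether other pipelines share this Swarm is not visible from the diff, so the safer default seems warranted.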
--- a/scripts/docker_swarm.sh +++ b/scripts/docker_swarm.sh @@ -9,10 +9,20 @@ DEPLOYMENT_COMMAND="docker$DOCKER_OPTIONS stack deploy" if [ -n "$INPUT_DOCKER_REMOVE_ORPHANS" ] && [ "$INPUT_DOCKER_REMOVE_ORPHANS" = "true" ] ; then DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --prune" fi -if [ "$INPUT_DEPLOY_FOREGROUND" = "true" ] ; then - DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --detach=false" -elif [ "$INPUT_DEPLOY_FOREGROUND" = "false" ] ; then - DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --detach=true" +if [ "$INPUT_COPY_STACK_FILE" = "true" ] ; then + info "Checking remote docker version" + execute_ssh_raw "docker --version" + docker_version=$(echo "$EXECUTE_SSH_RAW_OUTPUT" | cut -d ' ' -f 3 | cut -d '.' -f 1) + info "Docker version is $docker_version" + if [ "$docker_version" -ge 26 ]; then + if [ "$INPUT_DEPLOY_FOREGROUND" = "true" ] ; then + DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --detach=false" + elif [ "$INPUT_DEPLOY_FOREGROUND" = "false" ] ; then + DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --detach=true" + fi + elif [ "$INPUT_DEPLOY_FOREGROUND" = "true" ]; then + warning "Cannot deploy in foreground, it require Docker version 26, but you use Docker version $docker_version" + fi fi if [ -n "$INPUT_DOCKER_PRUNE" ] && [ "$INPUT_DOCKER_PRUNE" = "true" ] ; then diff --git a/scripts/functions.sh b/scripts/functions.sh index 8d24961..527284d 100755 --- a/scripts/functions.sh +++ b/scripts/functions.sh @@ -22,7 +22,7 @@ setup_ssh() { mkdir -p "$SSH_FOLDER" chmod 700 "$SSH_FOLDER" if is_debug; then - debug "Verify permission on ssh folder" + debug "Checking permissions on SSH folder at $SSH_FOLDER" ls -l "$SSH_FOLDER" fi @@ -30,7 +30,7 @@ setup_ssh() { printf '%s\n' "$INPUT_SSH_PRIVATE_KEY" > "$KEY_PATH" chmod 600 "$KEY_PATH" if is_debug; then - debug "Verify permission on private key" + debug "Checking permissions on private key at $KEY_PATH" ls -l "$KEY_PATH" fi 
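Review bot: `docker_version` is derived from remote output with two `cut` calls and then used in `[ "$docker_version" -ge 26 ]` without validation; if `execute_ssh_raw` fails or the banner has a different shape, the value is empty or non-numeric, `[` prints an 'integer expression expected' error, and whether the script then aborts or silently skips the `--detach` flag depends on shell options set outside this hunk. Guard it before the comparison, e.g. `case "$docker_version" in ''|*[!0-9]*) warning "Could not parse remote Docker version from: $EXECUTE_SSH_RAW_OUTPUT"; docker_version=0 ;; esac`, so the existing warning path is taken deliberately. The `if [ "$INPUT_COPY_STACK_FILE" = "true" ]` block continues past the end of the hunk.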
@@ -101,10 +101,18 @@ execute_ssh(){ if is_debug; then verbose_arg="-v" fi - debug "Execute Over SSH : $ $*" + debug "Execute over SSH : $ $*" ssh $verbose_arg -p "$SSH_PORT" "$DOCKER_USER_HOST" "$@" 2>&1 } +execute_ssh_raw(){ + SSH_PORT=$INPUT_REMOTE_DOCKER_PORT + debug "Execute over SSH with raw response : $ $*" + output=$(ssh -p "$SSH_PORT" "$DOCKER_USER_HOST" "$@") + debug "Output : $output" + export EXECUTE_SSH_RAW_OUTPUT="$output" +} + copy_ssh(){ SSH_PORT=$INPUT_REMOTE_DOCKER_PORT verbose_arg="" From 8f9179470ec85aae9619ced153f9054957aaf5ca Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Wed, 2 Apr 2025 23:56:19 +0200 Subject: [PATCH 02/19] fix: secrets_prune name --- docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index f3a08ba..350fd51 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -84,7 +84,7 @@ case $INPUT_DEPLOYMENT_MODE in if [ -n "${INPUT_SECRETS+set}" ] && [ -n "$INPUT_SECRETS" ]; then POST_SCRIPTS_FOLDER="/opt/scripts/post" export POST_SCRIPTS_FOLDER - "$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" "$INPUT_SECRET_PRUNE" $INPUT_SECRETS + "$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" "$INPUT_SECRETS_PRUNE" $INPUT_SECRETS fi "$WORKDIR/scripts/docker_swarm.sh" From ffb38487d2c74f77192e1a79d7b922fbbaed73f8 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 00:01:42 +0200 Subject: [PATCH 03/19] fix: secrets format --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index caf1ec2..aa68751 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -438,4 +438,4 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx_5 debug: true - secrets: key1 value1 key2 value2 + secrets: web key1 value1 key2 value2 
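Review bot: `execute_ssh_raw` discards the exit status of `ssh`: `output=$(ssh ...)` only stops the script if it runs under `set -e`, and even then a caller cannot distinguish an empty remote response from a connection failure because the result travels through the exported `EXECUTE_SSH_RAW_OUTPUT` variable. Propagate the status explicitly, `output=$(ssh -p "$SSH_PORT" "$DOCKER_USER_HOST" "$@") || return $?`, so docker_swarm.sh can react before parsing the output. A one-line header comment stating that this function sets `EXECUTE_SSH_RAW_OUTPUT` instead of printing would also help, since the sibling `execute_ssh` returns its output on stdout.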
From 1ddff2894df05dfb07b50922d9c99df02edb7759 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 00:04:13 +0200 Subject: [PATCH 04/19] fixup! fix: secrets format --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index aa68751..57e1d2d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -426,7 +426,7 @@ jobs: with: fetch-depth: 1 - - name: Start Deployment 4 - Secrets + - name: Start Deployment 5 - Secrets uses: ./ with: deployment_mode: docker-swarm @@ -438,4 +438,4 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx_5 debug: true - secrets: web key1 value1 key2 value2 + secrets: web nginx_5 key1 value1 key2 value2 From 50bd7277b377a143cbd21a258e74250790da914b Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 00:19:52 +0200 Subject: [PATCH 05/19] feat: add more tests for secrets --- .github/workflows/main.yml | 53 ++++++++++++++++++++++++++++++++++---- scripts/docker_swarm.sh | 27 +++++++++++-------- 2 files changed, 64 insertions(+), 16 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 57e1d2d..96b63d7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -280,7 +280,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Start Deployment 1 - Basic + - name: Deployment 1 - Basic uses: ./ with: deployment_mode: docker-swarm @@ -316,7 +316,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Start Deployment 2 - No pub key + - name: Deployment 2 - No pub key uses: ./ with: deployment_mode: docker-swarm @@ -351,7 +351,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Start Deployment 3 - Background deploy + - name: Deployment 3 - Background deploy uses: ./ with: deployment_mode: docker-swarm 
@@ -388,7 +388,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Start Deployment 4 - Debug + - name: Deployment 4 - Debug uses: ./ with: deployment_mode: docker-swarm @@ -426,7 +426,7 @@ jobs: with: fetch-depth: 1 - - name: Start Deployment 5 - Secrets + - name: Deployment 5a - Secrets uses: ./ with: deployment_mode: docker-swarm 
@@ -439,3 +439,46 @@ jobs: stack_name: nginx_5 debug: true secrets: web nginx_5 key1 value1 key2 value2 + + - name: Deployment 5b - Secrets equals + uses: ./ + with: + deployment_mode: docker-swarm + remote_docker_host: "${{ env.CONTAINER_NAME }}" + remote_docker_port: "${{ env.CONTAINER_PORT }}" + remote_docker_username: "${{ env.SSH_USERNAME }}" + ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" + ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" + stack_file_path: ./tests/docker-compose.yml + stack_name: nginx_5 + debug: true + secrets: web nginx_5 key1 value1 key2 value2 + + - name: Deployment 5c - Secrets change + uses: ./ + with: + deployment_mode: docker-swarm + remote_docker_host: "${{ env.CONTAINER_NAME }}" + remote_docker_port: "${{ env.CONTAINER_PORT }}" + remote_docker_username: "${{ env.SSH_USERNAME }}" + ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" + ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" + stack_file_path: ./tests/docker-compose.yml + stack_name: nginx_5 + debug: true + secrets: web nginx_5 key1_b value1_b key2_b value2_b + + - name: Deployment 5d - Secrets prune + uses: ./ + with: + deployment_mode: docker-swarm + remote_docker_host: "${{ env.CONTAINER_NAME }}" + remote_docker_port: "${{ env.CONTAINER_PORT }}" + remote_docker_username: "${{ env.SSH_USERNAME }}" + ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" + ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" + stack_file_path: ./tests/docker-compose.yml + stack_name: nginx_5d + debug: true + secrets: web nginx_5d key1 value1 key2 value2 + secrets_prune: true diff --git a/scripts/docker_swarm.sh b/scripts/docker_swarm.sh index 6b9d75c..f5b81ea 100755 --- a/scripts/docker_swarm.sh +++ b/scripts/docker_swarm.sh 
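Review bot: The three new steps only verify that the action exits zero; none asserts the state the secrets feature is supposed to produce, so a regression in which 'Secrets change' leaves the old secret attached, or 'Secrets prune' deletes nothing or too much, would still pass. A final step that lists `docker secret ls` on the test host over ssh, as the earlier `docker info` connectivity check appears to do, and fails unless exactly the expected secret names remain would turn this job into a real regression test. The `secrets_prune: true` step runs against the same Swarm the previous steps populated, so its position in the sequence determines what it deletes; that deserves a comment on the step.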
@@ -9,11 +9,18 @@ DEPLOYMENT_COMMAND="docker$DOCKER_OPTIONS stack deploy" if [ -n "$INPUT_DOCKER_REMOVE_ORPHANS" ] && [ "$INPUT_DOCKER_REMOVE_ORPHANS" = "true" ] ; then DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --prune" fi + +if [ -n "$INPUT_DOCKER_PRUNE" ] && [ "$INPUT_DOCKER_PRUNE" = "true" ] ; then + info "Cleaning up Docker resources with pruning" + yes | docker "$DOCKER_OPTIONS" system prune -a 2>&1 +fi + +info "Checking remote docker version" +execute_ssh_raw "docker --version" +docker_version=$(echo "$EXECUTE_SSH_RAW_OUTPUT" | cut -d ' ' -f 3 | cut -d '.' -f 1) +info "Remote docker version is $docker_version" + if [ "$INPUT_COPY_STACK_FILE" = "true" ] ; then - info "Checking remote docker version" - execute_ssh_raw "docker --version" - docker_version=$(echo "$EXECUTE_SSH_RAW_OUTPUT" | cut -d ' ' -f 3 | cut -d '.' -f 1) - info "Docker version is $docker_version" if [ "$docker_version" -ge 26 ]; then if [ "$INPUT_DEPLOY_FOREGROUND" = "true" ] ; then DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --detach=false" @@ -23,14 +30,7 @@ if [ "$INPUT_COPY_STACK_FILE" = "true" ] ; then elif [ "$INPUT_DEPLOY_FOREGROUND" = "true" ]; then warning "Cannot deploy in foreground, it require Docker version 26, but you use Docker version $docker_version" fi -fi -if [ -n "$INPUT_DOCKER_PRUNE" ] && [ "$INPUT_DOCKER_PRUNE" = "true" ] ; then - info "Cleaning up Docker resources with pruning" - yes | docker "$DOCKER_OPTIONS" system prune -a 2>&1 -fi - -if [ "$INPUT_COPY_STACK_FILE" = "true" ] ; then STACK_FINAL_PATH="$INPUT_DEPLOY_PATH/$STACK_LOCAL_FILE" DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND -c \"$STACK_FINAL_PATH\"" 
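Review bot: The relocated prune line runs `docker "$DOCKER_OPTIONS" system prune -a` with the options quoted as a single argument, while `DEPLOYMENT_COMMAND="docker$DOCKER_OPTIONS stack deploy"` a few lines up splices the same variable in unquoted; if `DOCKER_OPTIONS` is empty the quoted form passes an empty-string argument, and if it ever holds several words (an option and its value) they arrive as one token, both of which docker rejects. This predates the commit, but the move is the moment to align it, e.g. `docker $DOCKER_OPTIONS system prune -a -f 2>&1`, which also replaces the `yes |` pipe with the explicit force flag. Since `system prune -a` removes every unused image on the host, not only this stack's, the info message could say so.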
@@ -51,6 +51,11 @@ if [ "$INPUT_COPY_STACK_FILE" = "true" ] ; then execute_ssh "$DEPLOYMENT_COMMAND $INPUT_STACK_NAME $INPUT_ARGS" 2>&1 else + if [ "$INPUT_DEPLOY_FOREGROUND" = "true" ] ; then + DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --detach=false" + elif [ "$INPUT_DEPLOY_FOREGROUND" = "false" ] ; then + DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND --detach=true" + fi DEPLOYMENT_COMMAND="$DEPLOYMENT_COMMAND -c \"$INPUT_STACK_FILE_PATH\"" info "Executing command on $DOCKER_USER_HOST" From 8df1eb9b797ef7689fc75421a2fb2b87c37087f6 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 00:31:37 +0200 Subject: [PATCH 06/19] fix: docker secrets prune and add debug for post script --- Dockerfile | 2 +- docker-entrypoint.sh | 5 ++++- scripts/docker_secrets.sh | 12 +++++++++--- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 74d49ae..cb0c062 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ LABEL 'com.github.actions.description'='supports docker-compose and Docker Swarm LABEL 'com.github.actions.icon'='send' LABEL 'com.github.actions.color'='green' -RUN apk --no-cache add openssh-client docker-compose yq +RUN apk --no-cache add openssh-client docker-compose jq yq WORKDIR /app diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 350fd51..5ba1cd8 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -98,7 +98,10 @@ esac # Execute post commands if any if [ -n "$POST_SCRIPTS_FOLDER" ] && [ -d "$POST_SCRIPTS_FOLDER" ]; then - find "$POST_SCRIPTS_FOLDER" -type f -executable -exec sh {} \; + find "$POST_SCRIPTS_FOLDER" -type f -executable | while read -r script; do + info "Execute post script $script ..." + sh "$script" + done fi # Delete temp file diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 4c3f07f..af7afb6 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh 
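Review bot: The `--detach` flag is added in the non-copy branch unconditionally, whereas the copy branch above gates it on the remote Docker version being 26 or newer; with `deploy_foreground` set, an older CLI on whichever side executes `DEPLOYMENT_COMMAND` here would reject the unknown flag and fail the deployment instead of falling back with the warning the other branch emits. If the intent is that this branch always runs the action image's own CLI, a one-line comment such as `# runs the action image's docker CLI, so no remote version gate is needed` would make that explicit; otherwise reuse the same `docker_version` check. Which CLI executes the command is decided after the hunk ends.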
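Review bot: The post-script loop in docker-entrypoint.sh ignores the exit status of each `sh "$script"`: a failed `docker secret rm` inside the generated script stops that script, but the loop continues and the entrypoint's own status is unaffected, so a rotation that leaves the old secret behind is invisible unless someone reads the log. Make the policy explicit, e.g. `sh "$script" || warning "Post script $script failed with status $?"`, or `|| exit 1` if a leftover secret should fail the job. The `while read` body runs in a subshell because of the pipe, so variables set inside it are lost; harmless here, but worth a comment for the next editor.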
@@ -201,9 +201,15 @@ if [ "$secrets_obsolete" != "" ]; then touch "$post_script_path" chmod 700 "$post_script_path" - for obsolete_secret in $secrets_obsolete; do - echo "docker secret remove \"$obsolete_secret\"" >> "$post_script_path" - done + if [ -n "$secrets_obsolete" ]; then + { + echo "#!/bin/sh" + echo "set -eux" + for obsolete_secret in $secrets_obsolete; do + echo "docker secret remove \"$obsolete_secret\"" + done + } >> "$post_script_path" + fi fi info "Completion of Docker secret rotation" From a0289d944b99afa53f52d76bdafb7f8a775cfda9 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 00:59:51 +0200 Subject: [PATCH 07/19] debug msg --- docker-entrypoint.sh | 1 + scripts/docker_secrets.sh | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 5ba1cd8..4f3b2fb 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -98,6 +98,7 @@ esac # Execute post commands if any if [ -n "$POST_SCRIPTS_FOLDER" ] && [ -d "$POST_SCRIPTS_FOLDER" ]; then + debug "Execute post scripts in $POST_SCRIPTS_FOLDER ..." find "$POST_SCRIPTS_FOLDER" -type f -executable | while read -r script; do info "Execute post script $script ..." sh "$script" diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index af7afb6..ae4388e 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh 
@@ -194,22 +194,22 @@ yq --inplace ".secrets.$secret_name_full.external = true" "$docker_compose_file_ info "Updating the $service_name service within the docker-compose file with the new secret" yq --inplace ".services.$service_name.secrets += [\"$secret_name_full\"]" "$docker_compose_file_path" -if [ "$secrets_obsolete" != "" ]; then +if [ -n "$secrets_obsolete" ]; then info "Implementing post-command to remove previous secrets" + debug "Creating post-script folder $POST_SCRIPTS_FOLDER" mkdir -p "$POST_SCRIPTS_FOLDER" post_script_path="$POST_SCRIPTS_FOLDER\docker_secret_rm.sh" + debug "Creating post-script file $post_script_path" touch "$post_script_path" chmod 700 "$post_script_path" - if [ -n "$secrets_obsolete" ]; then - { - echo "#!/bin/sh" - echo "set -eux" - for obsolete_secret in $secrets_obsolete; do - echo "docker secret remove \"$obsolete_secret\"" - done - } >> "$post_script_path" - fi + { + echo "#!/bin/sh" + echo "set -eux" + for obsolete_secret in $secrets_obsolete; do + echo "docker secret remove \"$obsolete_secret\"" + done + } >> "$post_script_path" fi info "Completion of Docker secret rotation" From 27efea60511cc61a740902cf7c3119871eea4a7f Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 01:17:17 +0200 Subject: [PATCH 08/19] fix: post script write --- .github/workflows/main.yml | 66 +++++++++++++++++--------------------- scripts/docker_secrets.sh | 15 ++++++--- scripts/functions.sh | 12 ++++--- 3 files changed, 49 insertions(+), 44 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 96b63d7..04bbee7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -256,7 +256,7 @@ jobs: ssh -v -i "${{ env.SSH_KEY_PRIVATE_PATH }}" -o 'UserKnownHostsFile=${{ env.KNOWN_HOST_PATH }}' -o 'StrictHostKeyChecking=yes' \ -p "${{ env.CONTAINER_HOST_PORT }}" "${{ env.SSH_USERNAME }}@${{ env.CONTAINER_HOST_NAME}}" docker info - test1: + test_basic: runs-on: ubuntu-latest name: "Basic" needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"] @@ -280,7 +280,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Deployment 1 - Basic + - name: Deployment uses: ./ with: deployment_mode: docker-swarm @@ -288,13 +288,12 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" - ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_1 + stack_name: nginx - test2: + test_public_key: runs-on: ubuntu-latest - name: "No pub key" + name: "Public key" needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"] services: docker-throw-ssh: @@ -316,7 +315,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Deployment 2 - No pub key + - name: Deployment uses: ./ with: deployment_mode: docker-swarm @@ -324,10 +323,11 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" + ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_2 + stack_name: nginx - test3: + test_background_deploy: runs-on: ubuntu-latest name: "Background deploy" needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"] 
@@ -351,7 +351,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Deployment 3 - Background deploy + - name: Deployment uses: ./ with: deployment_mode: docker-swarm @@ -359,12 +359,11 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" - ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_3 + stack_name: nginx deploy_foreground: false - test4: + test_debug: runs-on: ubuntu-latest name: "Debug" needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"] @@ -388,7 +387,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Deployment 4 - Debug + - name: Deployment uses: ./ with: deployment_mode: docker-swarm @@ -396,12 +395,11 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" - ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_4 + stack_name: nginx debug: true - test5: + test_secrets: runs-on: ubuntu-latest name: "Secrets" needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"] @@ -426,7 +424,7 @@ jobs: with: fetch-depth: 1 - - name: Deployment 5a - Secrets + - name: Deployment 1 uses: ./ with: deployment_mode: docker-swarm 
@@ -434,13 +432,12 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" - ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_5 - debug: true - secrets: web nginx_5 key1 value1 key2 value2 + stack_name: nginx + debug: true # TODO: remove + secrets: web nginx key1 value1 key2 value2 - - name: Deployment 5b - Secrets equals + - name: Deployment 2 uses: ./ with: deployment_mode: docker-swarm @@ -448,13 +445,12 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" - ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_5 - debug: true + stack_name: nginx + debug: true # TODO: remove secrets: web nginx_5 key1 value1 key2 value2 - - name: Deployment 5c - Secrets change + - name: Deployment 3 uses: ./ with: deployment_mode: docker-swarm @@ -462,13 +458,12 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" - ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_5 - debug: true - secrets: web nginx_5 key1_b value1_b key2_b value2_b + stack_name: nginx + debug: true # TODO: remove + secrets: web nginx key1_b value1_b key2_b value2_b - - name: Deployment 5d - Secrets prune + - name: Deployment 4 uses: ./ with: deployment_mode: docker-swarm 
@@ -476,9 +471,8 @@ jobs: remote_docker_port: "${{ env.CONTAINER_PORT }}" remote_docker_username: "${{ env.SSH_USERNAME }}" ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" - ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}" stack_file_path: ./tests/docker-compose.yml - stack_name: nginx_5d - debug: true - secrets: web nginx_5d key1 value1 key2 value2 + stack_name: nginx_2 + debug: true # TODO: remove + secrets: web nginx_2 key1 value1 key2 value2 secrets_prune: true diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index ae4388e..6e7d744 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -86,7 +86,7 @@ prune_secrets() { for secret in $(docker secret ls -q); do if ! echo "$used_secrets" | grep -qw "$secret"; then - debug "Removing unused secret: $secret" + info "Prune unused secret: $secret" docker secret rm "$secret" fi done @@ -194,15 +194,19 @@ yq --inplace ".secrets.$secret_name_full.external = true" "$docker_compose_file_ info "Updating the $service_name service within the docker-compose file with the new secret" yq --inplace ".services.$service_name.secrets += [\"$secret_name_full\"]" "$docker_compose_file_path" +if is_debug; then + debug "Docker compose file $docker_compose_file_path :" + cat "$post_script_path" +fi + if [ -n "$secrets_obsolete" ]; then info "Implementing post-command to remove previous secrets" debug "Creating post-script folder $POST_SCRIPTS_FOLDER" mkdir -p "$POST_SCRIPTS_FOLDER" - post_script_path="$POST_SCRIPTS_FOLDER\docker_secret_rm.sh" - debug "Creating post-script file $post_script_path" + post_script_path="$POST_SCRIPTS_FOLDER/docker_secret_rm.sh" + debug "Post-script file $post_script_path :" touch "$post_script_path" chmod 700 "$post_script_path" - { echo "#!/bin/sh" echo "set -eux" 
@@ -210,6 +214,9 @@ if [ -n "$secrets_obsolete" ]; then echo "docker secret remove \"$obsolete_secret\"" done } >> "$post_script_path" + if is_debug; then + cat "$post_script_path" + fi fi info "Completion of Docker secret rotation" diff --git a/scripts/functions.sh b/scripts/functions.sh index 527284d..2eb5c24 100755 --- a/scripts/functions.sh +++ b/scripts/functions.sh @@ -63,12 +63,16 @@ EOF ls -l "$KNOWN_HOST_PATH" fi - KNOWN_HOST=$(cat "$KNOWN_HOST_PATH") - debug "$KNOWN_HOST_PATH :" "$KNOWN_HOST" + if is_debug; then + debug "SSH known host $KNOWN_HOST_PATH :" + cat "$KNOWN_HOST_PATH" + fi fi printf ' StrictHostKeyChecking %s\n' $STRICT_HOST >> "$SSH_CONFIG_PATH" - SSH_CONFIG=$(cat "$SSH_CONFIG_PATH") - debug "$SSH_CONFIG_PATH :" "$SSH_CONFIG" + if is_debug; then + debug "SSH config $SSH_CONFIG_PATH :" + cat "$SSH_CONFIG_PATH" + fi info "Testing SSH connection ..." if is_debug; then From 28e8fe1ab1b0ff5407a9cfa3db189cfa73d16253 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 01:23:40 +0200 Subject: [PATCH 09/19] fixup! fix: post script write --- scripts/docker_secrets.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 6e7d744..e1378b8 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -86,7 +86,8 @@ prune_secrets() { for secret in $(docker secret ls -q); do if ! echo "$used_secrets" | grep -qw "$secret"; then - info "Prune unused secret: $secret" + secret_name=$(docker secret inspect "$secret" --format '{{.Spec.Name}}') + info "Prune unused secret: $secret_name" docker secret rm "$secret" fi done @@ -196,7 +197,7 @@ yq --inplace ".services.$service_name.secrets += [\"$secret_name_full\"]" "$dock if is_debug; then debug "Docker compose file $docker_compose_file_path :" - cat "$post_script_path" + cat "$docker_compose_file_path" fi if [ -n "$secrets_obsolete" ]; then 
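Review bot: `secret_name=$(docker secret inspect "$secret" --format '{{.Spec.Name}}')` inside `prune_secrets` assigns a script-global variable, since POSIX sh has no `local`, and `secret_name` is also the name given to the fifth positional argument from which `secret_name_full` is built. Today `prune_secrets` is called after `secret_name_full` is computed, so the clobber is probably harmless, but any later read of bare `$secret_name` (not visible in this diff) would silently see the last pruned secret's name instead. Rename the loop-local variable, e.g. `pruned_name=$(docker secret inspect "$secret" --format '{{.Spec.Name}}')` and `info "Prune unused secret: $pruned_name"`. The body of `prune_secrets` starts above this hunk.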
@@ -211,7 +212,9 @@ if [ -n "$secrets_obsolete" ]; then echo "#!/bin/sh" echo "set -eux" for obsolete_secret in $secrets_obsolete; do - echo "docker secret remove \"$obsolete_secret\"" + secret_name=$(docker secret inspect "$obsolete_secret" --format '{{.Spec.Name}}') + echo "Delete unused secret: $secret_name" + echo "docker secret rm \"$obsolete_secret\"" done } >> "$post_script_path" if is_debug; then From cd105c3354f8b2c5603e9c27b4e4c4848dce2060 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 01:37:08 +0200 Subject: [PATCH 10/19] fixup! fixup! fix: post script write --- .github/workflows/main.yml | 10 +++++----- scripts/docker_secrets.sh | 21 ++++++++++++++------- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 04bbee7..ec65318 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -424,7 +424,7 @@ jobs: with: fetch-depth: 1 - - name: Deployment 1 + - name: Deployment - Add secrets uses: ./ with: deployment_mode: docker-swarm @@ -437,7 +437,7 @@ jobs: debug: true # TODO: remove secrets: web nginx key1 value1 key2 value2 - - name: Deployment 2 + - name: Deployment - Reusing secrets uses: ./ with: deployment_mode: docker-swarm @@ -448,9 +448,9 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx debug: true # TODO: remove - secrets: web nginx_5 key1 value1 key2 value2 + secrets: web nginx key1 value1 key2 value2 - - name: Deployment 3 + - name: Deployment - Change secrets uses: ./ with: deployment_mode: docker-swarm @@ -463,7 +463,7 @@ jobs: debug: true # TODO: remove secrets: web nginx key1_b value1_b key2_b value2_b - - name: Deployment 4 + - name: Deployment - Prune secrets uses: ./ with: deployment_mode: docker-swarm diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index e1378b8..3cd9a95 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh 
@@ -150,7 +150,7 @@ info "Calculating hash for secrets" dotenv_secret_hash=$(calculate_hash "$dotenv_secret") debug "Result: $dotenv_secret_hash" -debug "secret_prune: $secret_prune" +debug "secret_prune: $secret_prune" # TODO: Remove if [ "$secret_prune" = "true" ]; then info "Pruning secrets ..." prune_secrets @@ -165,7 +165,11 @@ if docker service inspect "$service_fullname" >/dev/null 2>&1; then info "Identifying secrets for removal" secrets_obsolete=$(get_secrets_obsolete "$old_service_sercrets" "$secret_label_hash_name" "$dotenv_secret_hash") if [ "$secrets_obsolete" != "" ]; then - info "Secrets to remove: $secrets_obsolete" + info "Secrets to remove:" + for secret_obsolete in $secrets_obsolete; do + printf "\"%s\" " "$secret_obsolete" + done + printf "\n" fi info "Identifying secrets to preserve" @@ -186,7 +190,7 @@ else secrets_obsolete="" fi -info "Generate new secret: $secret_name_full" +info "Generate new secret: \"$secret_name_full\"" printf '%b' "$dotenv_secret" | docker secret create "$secret_name_full" -l "$secret_label_hash_name=$dotenv_secret_hash" - info "Integrating the new secret \"$secret_name_full\" into the docker-compose file" 
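Review bot: The `docker secret create` line in this hunk's context attaches `$secret_label_hash_name=$dotenv_secret_hash` as a label, and labels are readable by anyone who can run `docker secret ls` or `docker secret inspect`, whereas the secret payload is not. If `calculate_hash` (defined outside the diff) is a plain unsalted digest of the dotenv text, a low-entropy secret set could be confirmed or guessed offline from the label alone; a keyed digest (an HMAC over the content with a per-stack random key kept alongside it) preserves the change-detection property without exposing that oracle, and the same consideration applies to the `debug "Secret hash:"` line added later in this series. The `# TODO: Remove` left on the `debug "secret_prune: ..."` line in the first hunk of this file should be resolved before merge.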
@@ -205,19 +209,22 @@ if [ -n "$secrets_obsolete" ]; then debug "Creating post-script folder $POST_SCRIPTS_FOLDER" mkdir -p "$POST_SCRIPTS_FOLDER" post_script_path="$POST_SCRIPTS_FOLDER/docker_secret_rm.sh" - debug "Post-script file $post_script_path :" + debug "Creating post-script file $post_script_path" touch "$post_script_path" chmod 700 "$post_script_path" { echo "#!/bin/sh" echo "set -eux" for obsolete_secret in $secrets_obsolete; do - secret_name=$(docker secret inspect "$obsolete_secret" --format '{{.Spec.Name}}') - echo "Delete unused secret: $secret_name" - echo "docker secret rm \"$obsolete_secret\"" + info "Secret to remove: $obsolete_secret" + echo "secret=\"$obsolete_secret\"" + echo "secret_name=\$(docker secret inspect \"\$secret\" --format '{{.Spec.Name}}')" + echo "echo \"Delete unused secret: \$secret_name\"" + echo "docker secret rm \"\$secret\"" done } >> "$post_script_path" if is_debug; then + debug "Post-script file $post_script_path :" cat "$post_script_path" fi fi From c8ec0121510fb5f1cefe361d25c3596ca161d74f Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 01:50:11 +0200 Subject: [PATCH 11/19] fixup! fixup! fixup! fix: post script write --- .github/workflows/main.yml | 8 ++++---- action.yml | 2 +- scripts/docker_secrets.sh | 25 ++++++++++++------------- 3 files changed, 17 insertions(+), 18 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ec65318..b00cba7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -435,7 +435,7 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx debug: true # TODO: remove - secrets: web nginx key1 value1 key2 value2 + secrets: web secrets_env key1 value1 key2 value2 - name: Deployment - Reusing secrets uses: ./ 
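Review bot: `info "Secret to remove: $obsolete_secret"` is placed inside the `{ ... } >> "$post_script_path"` group, so if `info` (defined outside the diff) writes to stdout, its text is appended to the generated script and later executed as a command, which under `set -e` aborts the script at the first obsolete secret; move the call above the `{` or redirect it with `>&2`. Independently, the generated `docker secret rm "$secret"` fails with an 'in use' error while a rolling update still references the old secret, which is plausible on the `--detach=true` path, and `set -e` then skips every remaining removal; emitting a tolerant form, `echo "docker secret rm \"\$secret\" || echo \"Secret \$secret_name still in use, skipping\""`, keeps the rest of the list processed. Because `$obsolete_secret` comes from remote `docker service inspect` output and is spliced into shell source, a cheap `case "$obsolete_secret" in *[!a-z0-9]*) continue ;; esac` before the `echo` lines would reject anything that is not a plain ID. Whether the post scripts run after the service has converged is decided in the entrypoint, outside this hunk.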
@@ -448,7 +448,7 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx debug: true # TODO: remove - secrets: web nginx key1 value1 key2 value2 + secrets: web secrets_env key1 value1 key2 value2 - name: Deployment - Change secrets uses: ./ @@ -461,7 +461,7 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx debug: true # TODO: remove - secrets: web nginx key1_b value1_b key2_b value2_b + secrets: web secrets_env key1_b value1_b key2_b value2_b - name: Deployment - Prune secrets uses: ./ @@ -474,5 +474,5 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx_2 debug: true # TODO: remove - secrets: web nginx_2 key1 value1 key2 value2 + secrets: web secrets_env_2 key1 value1 key2 value2 secrets_prune: true diff --git a/action.yml b/action.yml index e037f5c..b4fa928 100644 --- a/action.yml +++ b/action.yml @@ -44,7 +44,7 @@ inputs: description: '[Docker Swarm] Waiting for the stack to complete the rolling update.' default: true secrets: - description: 'Update Docker Secret using rotation during Stack Update. Format is service_name secret_name key1 value1 key2 value2 ...' + description: 'Update Docker Secret using rotation during stack update. The format is: service_name secret_name key1 value1 key2 value2 ...' secrets_prune: description: 'Remove all unused Docker secrets (default: false).' default: false diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 3cd9a95..8a16660 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -31,10 +31,10 @@ format_secret_input() { # Check if the secrets have been configured by this script is_secret_exists() { - old_service_sercrets="$1" + old_service_secrets="$1" secret_label_hash_name="$2" - for secret in $old_service_sercrets; do + for secret in $old_service_secrets; do old_hash=$(docker secret inspect "$secret" --format="{{index .Spec.Labels \"$secret_label_hash_name\"}}") if [ -n "$old_hash" ]; then return 0 
@@ -44,13 +44,13 @@ is_secret_exists() { } get_secrets_obsolete() { - old_service_sercrets="$1" + old_service_secrets="$1" secret_label_hash_name="$2" dotenv_secret_hash="$3" secret_obsolete="" new_line=$(printf '\n') - for secret in $old_service_sercrets; do + for secret in $old_service_secrets; do old_hash=$(docker secret inspect "$secret" --format="{{index .Spec.Labels \"$secret_label_hash_name\"}}") if [ -n "$old_hash" ] && printf "%s" "$old_hash" | grep -q "$new_line" && [ "$old_hash" != "$dotenv_secret_hash" ]; then secret_obsolete="$secret_obsolete$secret " @@ -60,13 +60,13 @@ get_secrets_obsolete() { } get_secrets_to_preserve() { - old_service_sercrets="$1" + old_service_secrets="$1" secret_label_hash_name="$2" dotenv_secret_hash="$3" secret_to_preserve="" new_line=$(printf '\n') - for secret in $old_service_sercrets; do + for secret in $old_service_secrets; do old_hash=$(docker secret inspect "$secret" --format="{{index .Spec.Labels \"$secret_label_hash_name\"}}") if [ -n "$old_hash" ] && printf "%s" "$old_hash" | grep -q "$new_line" && [ "$old_hash" = "$dotenv_secret_hash" ]; then secret_to_preserve="$secret_to_preserve$secret " @@ -148,7 +148,7 @@ dotenv_secret=$(format_secret_input "$secret_values") # Hash indicates when to update the secret info "Calculating hash for secrets" dotenv_secret_hash=$(calculate_hash "$dotenv_secret") -debug "Result: $dotenv_secret_hash" +debug "Secret hash: $dotenv_secret_hash" debug "secret_prune: $secret_prune" # TODO: Remove if [ "$secret_prune" = "true" ]; then 
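Review bot: `debug "Secret hash: $dotenv_secret_hash"` writes a digest of the secret payload to the job log, and the same value is stored as the `hash` label on the created secret (`docker secret create … -l "$secret_label_hash_name=$dotenv_secret_hash"`, a context line of the last hunk in patch 12 below). Labels are returned by `docker secret inspect` to anyone who can read swarm metadata, which does not by itself grant access to the secret data, so if `calculate_hash` (defined in scripts/functions.sh, not shown here) is an unkeyed digest over the plaintext, low-entropy payloads such as passwords become offline-guessable from metadata and CI logs. A keyed digest (e.g. an HMAC with a stable key supplied by the workflow) keeps the change-detection property without publishing a fingerprint of the plaintext, and the debug line should then print at most a short prefix of it.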
@@ -159,11 +159,11 @@ fi # Check if service exists if docker service inspect "$service_fullname" >/dev/null 2>&1; then info "Fetching the current secrets for service $service_fullname" - old_service_sercrets=$(get_service_secrets "$service_fullname") - debug "Result: $old_service_sercrets" + old_service_secrets=$(get_service_secrets "$service_fullname") + debug "Result: $old_service_secrets" info "Identifying secrets for removal" - secrets_obsolete=$(get_secrets_obsolete "$old_service_sercrets" "$secret_label_hash_name" "$dotenv_secret_hash") + secrets_obsolete=$(get_secrets_obsolete "$old_service_secrets" "$secret_label_hash_name" "$dotenv_secret_hash") if [ "$secrets_obsolete" != "" ]; then info "Secrets to remove:" for secret_obsolete in $secrets_obsolete; do @@ -173,7 +173,7 @@ if docker service inspect "$service_fullname" >/dev/null 2>&1; then fi info "Identifying secrets to preserve" - secrets_preserves=$(get_secrets_to_preserve "$old_service_sercrets" "$secret_label_hash_name" "$dotenv_secret_hash") + secrets_preserves=$(get_secrets_to_preserve "$old_service_secrets" "$secret_label_hash_name" "$dotenv_secret_hash") for secret_preserve in $secrets_preserves; do info "Preserve the old secret \"$secret_preserve\" into the docker-compose file" yq --inplace ".secrets.$secret_preserve.external = true" "$docker_compose_file_path" @@ -182,7 +182,7 @@ if docker service inspect "$service_fullname" >/dev/null 2>&1; then yq --inplace ".services.$service_name.secrets += [\"$secret_preserve\"]" "$docker_compose_file_path" done - if is_secret_exists "$old_service_sercrets" "$secret_label_hash_name" && [ "$secrets_obsolete" = "" ]; then + if is_secret_exists "$old_service_secrets" "$secret_label_hash_name" && [ "$secrets_obsolete" = "" ]; then info "Secret rotation not needed" return fi 
@@ -216,7 +216,6 @@ if [ -n "$secrets_obsolete" ]; then echo "#!/bin/sh" echo "set -eux" for obsolete_secret in $secrets_obsolete; do - info "Secret to remove: $obsolete_secret" echo "secret=\"$obsolete_secret\"" echo "secret_name=\$(docker secret inspect \"\$secret\" --format '{{.Spec.Name}}')" echo "echo \"Delete unused secret: \$secret_name\"" From e371ef6d1d23da37cf223c63443a2badce1b1402 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 02:06:36 +0200 Subject: [PATCH 12/19] feat: prepare multi-secret per service --- scripts/docker_secrets.sh | 40 +++++++++++++++++++++++++++++++++------ 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 8a16660..024eed1 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -6,7 +6,8 @@ get_service_secrets() { service_name=$1 return_secrets="" - secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretName }} {{ end }}' "$service_name") + secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretName }} {{ end }}' "$service_name") # TODO use id + # secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretID }} {{ end }}' "$service_name") for secret in $secrets; do return_secrets="$return_secrets$secret " done 
@@ -43,6 +44,22 @@ is_secret_exists() { return 1 } +get_secrets_with_name() { + old_service_secrets="$1" + secret_label_name="$2" + name_to_retrieve="$3" + secrets_with_name="" + new_line=$(printf '\n') + + for secret in $old_service_secrets; do + old_hash=$(docker secret inspect "$secret" --format="{{index .Spec.Labels \"$secret_label_name\"}}") + if [ -n "$old_hash" ] && printf "%s" "$old_hash" | grep -q "$new_line" && [ "$old_hash" = "$name_to_retrieve" ]; then + secrets_with_name="$secrets_with_name$secret " + fi + done + echo "$secrets_with_name" +} + get_secrets_obsolete() { old_service_secrets="$1" secret_label_hash_name="$2" @@ -80,9 +97,9 @@ prune_secrets() { echo "jq is not installed. Please install it to prune secrets." exit 1 fi - debug "all_secrets: $(docker secret ls -q)" + debug "all_secrets: $(docker secret ls -q)" # TODO: use secret name used_secrets=$(docker service ls -q | xargs -I {} docker service inspect {} --format '{{json .Spec.TaskTemplate.ContainerSpec.Secrets}}' | jq -r 'select(. != null) | .[].SecretID' | sort -u) - debug "used_secrets: $used_secrets" + debug "used_secrets: $used_secrets" # TODO: use secret name for secret in $(docker secret ls -q); do if ! echo "$used_secrets" | grep -qw "$secret"; then @@ -121,6 +138,7 @@ secret_name_full="${secret_name}_${secret_name_suffix}" secret_values="" secret_start_after=5 secret_label_hash_name="hash" +secret_label_name="name" # Check if there are enough arguments for key-value pairs num_args=$(($# - secret_start_after)) 
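Review bot: In the new `get_secrets_with_name`, `new_line=$(printf '\n')` is always the empty string because command substitution strips trailing newlines, so `printf "%s" "$old_hash" | grep -q "$new_line"` succeeds for any non-empty value and adds nothing beyond the `[ -n "$old_hash" ]` test before it; the same construct in `get_secrets_obsolete` and `get_secrets_to_preserve` is equally inert, so whatever it was meant to reject is not rejected anywhere. If the intent is to skip labels that contain a newline, build the value with `new_line=$(printf '\nx'); new_line=${new_line%x}` and keep the grep; otherwise drop it and write `if [ -n "$old_hash" ] && [ "$old_hash" = "$name_to_retrieve" ]; then`. The variable in this function holds the `name` label, not a hash, so `old_name` would read correctly.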
@@ -156,11 +174,16 @@ if [ "$secret_prune" = "true" ]; then prune_secrets fi -# Check if service exists +# Check if the service exists; if not, there are no old secrets to handle. if docker service inspect "$service_fullname" >/dev/null 2>&1; then info "Fetching the current secrets for service $service_fullname" old_service_secrets=$(get_service_secrets "$service_fullname") - debug "Result: $old_service_secrets" + debug "Current secrets for service $service_fullname: $old_service_secrets" + + # TODO: test + info "Fetching the secrets with name $secret_name for service $service_fullname" + old_service_secrets=$(get_secrets_with_name "$old_service_secrets" "$secret_label_name" "$secret_name") + debug "Current secrets for service $service_fullname with name $secret_name: $old_service_secrets" info "Identifying secrets for removal" secrets_obsolete=$(get_secrets_obsolete "$old_service_secrets" "$secret_label_hash_name" "$dotenv_secret_hash") @@ -182,6 +205,11 @@ if docker service inspect "$service_fullname" >/dev/null 2>&1; then yq --inplace ".services.$service_name.secrets += [\"$secret_preserve\"]" "$docker_compose_file_path" done + if is_debug; then + debug "Docker compose file $docker_compose_file_path :" + cat "$docker_compose_file_path" + fi + if is_secret_exists "$old_service_secrets" "$secret_label_hash_name" && [ "$secrets_obsolete" = "" ]; then info "Secret rotation not needed" return @@ -191,7 +219,7 @@ else fi info "Generate new secret: \"$secret_name_full\"" -printf '%b' "$dotenv_secret" | docker secret create "$secret_name_full" -l "$secret_label_hash_name=$dotenv_secret_hash" - +printf '%b' "$dotenv_secret" | docker secret create "$secret_name_full" -l "$secret_label_name=$secret_name" -l "$secret_label_hash_name=$dotenv_secret_hash" - info "Integrating the new secret \"$secret_name_full\" into the docker-compose file" yq --inplace ".secrets.$secret_name_full.external = true" "$docker_compose_file_path" 
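Review bot: The new `if is_debug; then … cat "$docker_compose_file_path"` prints the entire rewritten compose file to the job log whenever the action's `debug` input is set, and compose files routinely carry `environment:` values or other inline credentials that have nothing to do with this script. Printing only the parts the script edits keeps the debug value while bounding the exposure, e.g. `yq ".secrets, .services.$service_name.secrets" "$docker_compose_file_path"` in place of the `cat`. The `# TODO: test` hunk above it re-assigns `old_service_secrets` in place, so a comment noting that the variable now holds only the secrets labelled with `$secret_name` would help readers of the later `get_secrets_obsolete` call.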
From 5909631e78cbc90f9bc0c3a7764ed0de41da879d Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Thu, 3 Apr 2025 02:21:01 +0200 Subject: [PATCH 13/19] feat: allow to not delete old secrets --- .github/workflows/main.yml | 22 ++++++++++--- action.yml | 3 ++ docker-entrypoint.sh | 2 +- scripts/docker_secrets.sh | 65 ++++++++++++++++++++++---------------- 4 files changed, 59 insertions(+), 33 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b00cba7..197d9c2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -434,8 +434,8 @@ jobs: ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" stack_file_path: ./tests/docker-compose.yml stack_name: nginx - debug: true # TODO: remove secrets: web secrets_env key1 value1 key2 value2 + debug: true # TODO: remove - name: Deployment - Reusing secrets uses: ./ @@ -447,8 +447,8 @@ jobs: ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" stack_file_path: ./tests/docker-compose.yml stack_name: nginx - debug: true # TODO: remove secrets: web secrets_env key1 value1 key2 value2 + debug: true # TODO: remove - name: Deployment - Change secrets uses: ./ 
@@ -460,8 +460,22 @@ jobs: ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" stack_file_path: ./tests/docker-compose.yml stack_name: nginx - debug: true # TODO: remove secrets: web secrets_env key1_b value1_b key2_b value2_b + debug: true # TODO: remove + + - name: Deployment - Change secrets without deleting old ones + uses: ./ + with: + deployment_mode: docker-swarm + remote_docker_host: "${{ env.CONTAINER_NAME }}" + remote_docker_port: "${{ env.CONTAINER_PORT }}" + remote_docker_username: "${{ env.SSH_USERNAME }}" + ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" + stack_file_path: ./tests/docker-compose.yml + stack_name: nginx + secrets: web secrets_env key1_c value1_c key2_c value2_c + secrets_delete_old: false + debug: true # TODO: remove - name: Deployment - Prune secrets uses: ./ @@ -473,6 +487,6 @@ jobs: ssh_private_key: "${{ needs.generate_key.outputs.private_key }}" stack_file_path: ./tests/docker-compose.yml stack_name: nginx_2 - debug: true # TODO: remove secrets: web secrets_env_2 key1 value1 key2 value2 secrets_prune: true + debug: true # TODO: remove diff --git a/action.yml b/action.yml index b4fa928..c7ced41 100644 --- a/action.yml +++ b/action.yml @@ -45,6 +45,9 @@ inputs: default: true secrets: description: 'Update Docker Secret using rotation during stack update. The format is: service_name secret_name key1 value1 key2 value2 ...' + secrets_delete_old: + description: 'Remove any replaced secrets during stack update (default: true).' + default: true secrets_prune: description: 'Remove all unused Docker secrets (default: false).' default: false diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 4f3b2fb..686ac0b 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
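Review bot: The description of the new `secrets_delete_old` input in action.yml does not say what happens to the replaced secrets when it is `false`; reading scripts/docker_secrets.sh in this commit, they stay in the swarm with their previous contents and are no longer referenced by the updated stack, so they are only reclaimed by a later run with `secrets_prune: true`. Suggest `description: 'Remove any replaced secrets during stack update (default: true). When false, replaced secrets are kept in the swarm, unreferenced, until pruned.'` The workflow step added in the same hunk exercises exactly this path and could carry a one-line comment saying that the old `secrets_env_*` secret is expected to remain afterwards.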
@@ -84,7 +84,7 @@ case $INPUT_DEPLOYMENT_MODE in if [ -n "${INPUT_SECRETS+set}" ] && [ -n "$INPUT_SECRETS" ]; then POST_SCRIPTS_FOLDER="/opt/scripts/post" export POST_SCRIPTS_FOLDER - "$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" "$INPUT_SECRETS_PRUNE" $INPUT_SECRETS + "$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" "$INPUT_SECRETS_DELETE_OLD" "$INPUT_SECRETS_PRUNE" $INPUT_SECRETS fi "$WORKDIR/scripts/docker_swarm.sh" diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 024eed1..2bbaf15 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -128,15 +128,16 @@ fi docker_compose_file_path=$1 stack_name=$2 -secret_prune=$3 -service_name=$4 -secret_name=$5 +secret_delete_old=$3 +secret_prune=$4 +service_name=$5 +secret_name=$6 service_fullname=${stack_name}_${service_name} secret_name_suffix=$(openssl rand -hex 2) secret_name_full="${secret_name}_${secret_name_suffix}" secret_values="" -secret_start_after=5 +secret_start_after=6 secret_label_hash_name="hash" secret_label_name="name" 
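Review bot: `$INPUT_SECRETS` is expanded unquoted on the rewritten `docker_secrets.sh` call so the script receives one argument per word, but an unquoted expansion also undergoes pathname expansion, so a value containing `*`, `?` or `[` is replaced by matching file names from the current directory before the script ever sees it, silently corrupting the secret. Disable globbing around the call: `set -f` on the line before and `set +f` on the line after. The word splitting also means keys and values cannot contain whitespace, which the `secrets` description in action.yml does not state; the `case $INPUT_DEPLOYMENT_MODE` this hunk sits in starts before the hunk.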
@@ -176,18 +177,18 @@ fi # Check if the service exists; if not, there are no old secrets to handle. if docker service inspect "$service_fullname" >/dev/null 2>&1; then - info "Fetching the current secrets for service $service_fullname" + info "Fetching all secrets for service $service_fullname" old_service_secrets=$(get_service_secrets "$service_fullname") - debug "Current secrets for service $service_fullname: $old_service_secrets" + debug "All secrets for service $service_fullname: $old_service_secrets" - # TODO: test + # TODO: test more than one secret info "Fetching the secrets with name $secret_name for service $service_fullname" old_service_secrets=$(get_secrets_with_name "$old_service_secrets" "$secret_label_name" "$secret_name") - debug "Current secrets for service $service_fullname with name $secret_name: $old_service_secrets" + debug "Secrets with name $secret_name for service $service_fullname: $old_service_secrets" info "Identifying secrets for removal" secrets_obsolete=$(get_secrets_obsolete "$old_service_secrets" "$secret_label_hash_name" "$dotenv_secret_hash") - if [ "$secrets_obsolete" != "" ]; then + if [ -n "$secrets_obsolete" ]; then info "Secrets to remove:" for secret_obsolete in $secrets_obsolete; do printf "\"%s\" " "$secret_obsolete" 
@@ -233,26 +234,34 @@ if is_debug; then fi if [ -n "$secrets_obsolete" ]; then - info "Implementing post-command to remove previous secrets" - debug "Creating post-script folder $POST_SCRIPTS_FOLDER" - mkdir -p "$POST_SCRIPTS_FOLDER" - post_script_path="$POST_SCRIPTS_FOLDER/docker_secret_rm.sh" - debug "Creating post-script file $post_script_path" - touch "$post_script_path" - chmod 700 "$post_script_path" - { - echo "#!/bin/sh" - echo "set -eux" - for obsolete_secret in $secrets_obsolete; do - echo "secret=\"$obsolete_secret\"" - echo "secret_name=\$(docker secret inspect \"\$secret\" --format '{{.Spec.Name}}')" - echo "echo \"Delete unused secret: \$secret_name\"" - echo "docker secret rm \"\$secret\"" + if [ "$secret_delete_old" = "true" ]; then + info "Implementing post-command to delete previous secrets" + debug "Creating post-script folder $POST_SCRIPTS_FOLDER" + mkdir -p "$POST_SCRIPTS_FOLDER" + post_script_path="$POST_SCRIPTS_FOLDER/docker_secret_rm.sh" + debug "Creating post-script file $post_script_path" + touch "$post_script_path" + chmod 700 "$post_script_path" + { + echo "#!/bin/sh" + echo "set -eux" + for obsolete_secret in $secrets_obsolete; do + echo "secret=\"$obsolete_secret\"" + echo "secret_name=\$(docker secret inspect \"\$secret\" --format '{{.Spec.Name}}')" + echo "echo \"Delete unused secret: \$secret_name\"" + echo "docker secret rm \"\$secret\"" + done + } >> "$post_script_path" + if is_debug; then + debug "Post-script file $post_script_path :" + cat "$post_script_path" + fi + else + info "Secrets not deleted because of secret deletion policy :" + for secret_obsolete in $secrets_obsolete; do + printf "\"%s\" " "$secret_obsolete" done - } >> "$post_script_path" - if is_debug; then - debug "Post-script file $post_script_path :" - cat "$post_script_path" + printf "\n" fi fi From fdc6a1f52ff66cdfc3cfe35a16d4222fa40bae61 Mon Sep 17 00:00:00 2001 
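Review bot: The moved post-script writer still does `touch`, `chmod 700` and then `{ … } >> "$post_script_path"`, so on a second invocation in the same job (the direction patch 12 "prepare multi-secret per service" takes) the `#!/bin/sh` and `set -eux` lines are appended below earlier commands, and any stale `docker_secret_rm.sh` from an earlier call is presumably re-run rather than replaced. Decide which is intended: either truncate with `>` so the file always holds the current run's removals, or write the header only when the file is still empty, `if [ ! -s "$post_script_path" ]; then echo "#!/bin/sh"; echo "set -eux"; fi`. The `else` branch's message, `Secrets not deleted because of secret deletion policy :`, would be clearer as `Replaced secrets kept because secrets_delete_old is false:` since it names the input the user has to change.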
From: Tristiisch Date: Thu, 3 Apr 2025 02:33:47 +0200 Subject: [PATCH 14/19] feat: improve output secret name --- scripts/docker_secrets.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 2bbaf15..d5a77d2 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -104,7 +104,7 @@ prune_secrets() { for secret in $(docker secret ls -q); do if ! echo "$used_secrets" | grep -qw "$secret"; then secret_name=$(docker secret inspect "$secret" --format '{{.Spec.Name}}') - info "Prune unused secret: $secret_name" + info "Prune unused secret: \"$secret_name\"" docker secret rm "$secret" fi done @@ -182,9 +182,9 @@ if docker service inspect "$service_fullname" >/dev/null 2>&1; then debug "All secrets for service $service_fullname: $old_service_secrets" # TODO: test more than one secret - info "Fetching the secrets with name $secret_name for service $service_fullname" + info "Fetching the secrets with name \"$secret_name\" for service $service_fullname" old_service_secrets=$(get_secrets_with_name "$old_service_secrets" "$secret_label_name" "$secret_name") - debug "Secrets with name $secret_name for service $service_fullname: $old_service_secrets" + debug "Secrets with name \"$secret_name\" for service $service_fullname: $old_service_secrets" info "Identifying secrets for removal" secrets_obsolete=$(get_secrets_obsolete "$old_service_secrets" "$secret_label_hash_name" "$dotenv_secret_hash") From 670729d67b92f2b9a250a04dc92feec559555071 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Sun, 6 Apr 2025 22:49:59 +0200 Subject: [PATCH 15/19] feat: fetch secret id instead of name --- scripts/docker_secrets.sh | 63 ++++++++++++++++++++++++++++++--------- 1 file changed, 49 insertions(+), 14 deletions(-) diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index d5a77d2..833a987 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh 
@@ -6,8 +6,9 @@ get_service_secrets() { service_name=$1 return_secrets="" - secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretName }} {{ end }}' "$service_name") # TODO use id - # secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretID }} {{ end }}' "$service_name") + # secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretName }} {{ end }}' "$service_name") + # TODO: verify if secret ID works + secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretID }} {{ end }}' "$service_name") for secret in $secrets; do return_secrets="$return_secrets$secret " done 
@@ -97,19 +98,39 @@ prune_secrets() { echo "jq is not installed. Please install it to prune secrets." exit 1 fi - debug "all_secrets: $(docker secret ls -q)" # TODO: use secret name + if is_debug; then + debug "All secrets :" + for all_secret in $(docker secret ls -q); do + all_secret_name=$(get_secret_name "$all_secret") + printf "\"%s\" " "$all_secret_name" + done + printf "\n" + fi used_secrets=$(docker service ls -q | xargs -I {} docker service inspect {} --format '{{json .Spec.TaskTemplate.ContainerSpec.Secrets}}' | jq -r 'select(. != null) | .[].SecretID' | sort -u) - debug "used_secrets: $used_secrets" # TODO: use secret name + if is_debug; then + debug "Secrets currently used :" + for used_secret in $used_secrets; do + used_secret_name=$(get_secret_name "$used_secret") + printf "\"%s\" " "$used_secret_name" + done + printf "\n" + fi for secret in $(docker secret ls -q); do if ! echo "$used_secrets" | grep -qw "$secret"; then - secret_name=$(docker secret inspect "$secret" --format '{{.Spec.Name}}') + secret_name=$(get_secret_name "$secret") info "Prune unused secret: \"$secret_name\"" docker secret rm "$secret" fi done } +get_secret_name() { + secret=$1 + secret_name=$(docker secret inspect "$secret" --format '{{.Spec.Name}}') + return "$secret_name" +} + if ! command -v yq >/dev/null 2>&1; then echo "yq is needed to use this script." >&2 exit 1 @@ -169,7 +190,6 @@ info "Calculating hash for secrets" dotenv_secret_hash=$(calculate_hash "$dotenv_secret") debug "Secret hash: $dotenv_secret_hash" -debug "secret_prune: $secret_prune" # TODO: Remove if [ "$secret_prune" = "true" ]; then info "Pruning secrets ..." prune_secrets 
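Review bot: `prune_secrets` still selects candidates with a bare `docker secret ls -q`, so `secrets_prune: true` removes every secret in the swarm that no service currently references — including secrets this action never created, such as ones staged for a service that is not deployed yet or belonging to another stack — and the new debug loop at the top of the hunk makes that visible by listing all of them. Restricting the candidate set to the secrets this script created, which it marks with the `hash` and `name` labels, would be much safer: `for secret in $(docker secret ls -q --filter "label=$secret_label_hash_name"); do`. If swarm-wide pruning is really intended, the action.yml description ('Remove all unused Docker secrets') should say explicitly that unrelated secrets are deleted too.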
@@ -177,14 +197,28 @@ fi # Check if the service exists; if not, there are no old secrets to handle. if docker service inspect "$service_fullname" >/dev/null 2>&1; then - info "Fetching all secrets for service $service_fullname" + info "Fetching all secrets for service \"$service_fullname\"" old_service_secrets=$(get_service_secrets "$service_fullname") - debug "All secrets for service $service_fullname: $old_service_secrets" + if is_debug; then + debug "Secrets used by service \"$service_fullname\":" + for used_secret in $old_service_secrets; do + used_secret_name=$(get_secret_name "$used_secret") + printf "\"%s\" " "$used_secret_name" + done + printf "\n" + fi # TODO: test more than one secret - info "Fetching the secrets with name \"$secret_name\" for service $service_fullname" + info "Fetching the secrets with name \"$secret_name\" for service \"$service_fullname\"" old_service_secrets=$(get_secrets_with_name "$old_service_secrets" "$secret_label_name" "$secret_name") - debug "Secrets with name \"$secret_name\" for service $service_fullname: $old_service_secrets" + if is_debug; then + debug "Secrets with name \"$secret_name\" used by service \"$service_fullname\":" + for used_secret in $old_service_secrets; do + used_secret_name=$(get_secret_name "$used_secret") + printf "\"%s\" " "$used_secret_name" + done + printf "\n" + fi info "Identifying secrets for removal" secrets_obsolete=$(get_secrets_obsolete "$old_service_secrets" "$secret_label_hash_name" "$dotenv_secret_hash") 
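Review bot: The two debug blocks added in this hunk are the same seven lines (`if is_debug; then … for … get_secret_name … printf … fi`) differing only in the heading, and `prune_secrets` in the hunk above now holds two more copies; a small helper taking the heading and the IDs would replace all four and keep the output format in one place. Each copy also issues one `docker secret inspect` per secret, which is acceptable for debug output but worth a comment. The `if docker service inspect "$service_fullname"` block this hunk sits in continues past the hunk.
```shell
# Debug-only: print a heading, then the names of the given secret IDs on one line.
debug_secret_names() {
  heading=$1
  shift
  if ! is_debug; then
    return
  fi
  debug "$heading"
  for secret_id in "$@"; do
    printf "\"%s\" " "$(get_secret_name "$secret_id")"
  done
  printf "\n"
}
# … unchanged: service inspect, get_service_secrets …
debug_secret_names "Secrets used by service \"$service_fullname\":" $old_service_secrets
```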
@@ -199,11 +233,12 @@ if docker service inspect "$service_fullname" >/dev/null 2>&1; then info "Identifying secrets to preserve" secrets_preserves=$(get_secrets_to_preserve "$old_service_secrets" "$secret_label_hash_name" "$dotenv_secret_hash") for secret_preserve in $secrets_preserves; do - info "Preserve the old secret \"$secret_preserve\" into the docker-compose file" - yq --inplace ".secrets.$secret_preserve.external = true" "$docker_compose_file_path" + secret_preserve_name=$(get_secret_name "$secret_preserve") + info "Preserve the old secret \"$secret_preserve_name\" into the docker-compose file" + yq --inplace ".secrets.$secret_preserve_name.external = true" "$docker_compose_file_path" - info "Updating the $service_name service within the docker-compose file with the old secret" - yq --inplace ".services.$service_name.secrets += [\"$secret_preserve\"]" "$docker_compose_file_path" + info "Updating the \"$service_name\" service within the docker-compose file with the old secret" + yq --inplace ".services.$service_name.secrets += [\"$secret_preserve_name\"]" "$docker_compose_file_path" done if is_debug; then From 5b7920b256b49e5c6d34859cac01323d960fc275 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Sun, 6 Apr 2025 22:57:35 +0200 Subject: [PATCH 16/19] fixup! feat: fetch secret id instead of name --- scripts/docker_secrets.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 833a987..88769b9 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -128,7 +128,7 @@ prune_secrets() { get_secret_name() { secret=$1 secret_name=$(docker secret inspect "$secret" --format '{{.Spec.Name}}') - return "$secret_name" + echo "$secret_name" } if ! command -v yq >/dev/null 2>&1; then From 2c8e656e853f4aece6828af21559fb441898c8d5 Mon Sep 17 00:00:00 2001 
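Review bot: `yq --inplace ".secrets.$secret_preserve_name.external = true"` splices the Docker secret name into a yq path unquoted; Docker accepts `-` and `.` in secret names, and a name such as `db-password` or `app.env` does not parse as a plain path segment (assuming yq v4 syntax, which `--inplace` suggests), so the update fails or lands on the wrong key. Use bracket-quoted keys on both rewritten lines, e.g. `yq --inplace ".secrets[\"$secret_preserve_name\"].external = true" "$docker_compose_file_path"`; the `.services.$service_name` context line and the `secret_name_full` lines further down have the same shape. The `for secret_preserve` loop is fully inside the hunk; the enclosing `if` is not.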
From: Tristiisch Date: Sun, 6 Apr 2025 23:06:48 +0200 Subject: [PATCH 17/19] feat: remove ssh debug on debug: true, only on job debug mod --- scripts/functions.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/functions.sh b/scripts/functions.sh index 2eb5c24..d89c971 100755 --- a/scripts/functions.sh +++ b/scripts/functions.sh @@ -23,7 +23,7 @@ setup_ssh() { chmod 700 "$SSH_FOLDER" if is_debug; then debug "Checking permissions on SSH folder at $SSH_FOLDER" - ls -l "$SSH_FOLDER" + ls -ld "$SSH_FOLDER" fi info "Registering SSH key" @@ -102,7 +102,7 @@ setup_remote_docker() { execute_ssh(){ SSH_PORT=$INPUT_REMOTE_DOCKER_PORT verbose_arg="" - if is_debug; then + if is_running_debug; then verbose_arg="-v" fi debug "Execute over SSH : $ $*" @@ -120,7 +120,7 @@ execute_ssh_raw(){ copy_ssh(){ SSH_PORT=$INPUT_REMOTE_DOCKER_PORT verbose_arg="" - if is_debug; then + if is_running_debug; then verbose_arg="-v" fi local_file="$1" @@ -136,6 +136,13 @@ is_debug() { return 0 } +is_running_debug() { + if [ -z "${RUNNER_DEBUG+set}" ] || [ "$RUNNER_DEBUG" != "1" ]; then + return 1 + fi + return 0 +} + # Define color variables BLACK='\e[0;30m' RED='\e[0;31m' From 06fa1cb8eddaaed315802089572964572fbb6f5e Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Sun, 6 Apr 2025 23:36:48 +0200 Subject: [PATCH 18/19] feat: less debug msg --- scripts/docker_secrets.sh | 12 +++++++++--- scripts/functions.sh | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index 88769b9..d2bec10 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh 
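Review bot: `is_running_debug` can be a one-liner with the same exit status, `[ "${RUNNER_DEBUG:-}" = "1" ]`, and a comment saying what it gates would help later readers: `# True only when the workflow was re-run with "Enable debug logging" (RUNNER_DEBUG=1), not when the action's own debug input is set; ssh -v is tied to the former on purpose.` Tying `ssh -v` to the runner-level flag rather than the action's `debug` input is the right call, since the verbose output includes identity file paths and key fingerprints that ordinary debug runs should not put in the job log. `ls -ld "$SSH_FOLDER"` in the first hunk fixes what the debug line claims to show, so that change is good as is.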
@@ -225,7 +225,8 @@ if docker service inspect "$service_fullname" >/dev/null 2>&1; then if [ -n "$secrets_obsolete" ]; then info "Secrets to remove:" for secret_obsolete in $secrets_obsolete; do - printf "\"%s\" " "$secret_obsolete" + secret_obsolete_name=$(get_secret_name "$secret_obsolete") + printf "\"%s\" " "$secret_obsolete_name" done printf "\n" fi @@ -279,7 +280,11 @@ if [ -n "$secrets_obsolete" ]; then chmod 700 "$post_script_path" { echo "#!/bin/sh" - echo "set -eux" + if ! is_debug; then + echo "set -eu" + else + echo "set -eux" + fi for obsolete_secret in $secrets_obsolete; do echo "secret=\"$obsolete_secret\"" echo "secret_name=\$(docker secret inspect \"\$secret\" --format '{{.Spec.Name}}')" @@ -294,7 +299,8 @@ if [ -n "$secrets_obsolete" ]; then else info "Secrets not deleted because of secret deletion policy :" for secret_obsolete in $secrets_obsolete; do - printf "\"%s\" " "$secret_obsolete" + secret_obsolete_name=$(get_secret_name "$secret_obsolete") + printf "\"%s\" " "$secret_obsolete_name" done printf "\n" fi diff --git a/scripts/functions.sh b/scripts/functions.sh index d89c971..ea136b8 100755 --- a/scripts/functions.sh +++ b/scripts/functions.sh @@ -75,7 +75,7 @@ EOF fi info "Testing SSH connection ..." - if is_debug; then + if is_running_debug; then ssh -v -p "$SSH_PORT" "$DOCKER_USER_HOST" exit else ssh -p "$SSH_PORT" "$DOCKER_USER_HOST" exit From 561947c06395e902aebab796c17b064250b452d6 Mon Sep 17 00:00:00 2001 From: Tristiisch Date: Sun, 6 Apr 2025 23:41:47 +0200 Subject: [PATCH 19/19] clean mr --- .github/workflows/main.yml | 5 ----- scripts/docker_secrets.sh | 2 -- 2 files changed, 7 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 197d9c2..5d7776c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -435,7 +435,6 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx secrets: web secrets_env key1 value1 key2 value2 - debug: true # TODO: remove - name: Deployment - Reusing secrets uses: ./ @@ -448,7 +447,6 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx secrets: web secrets_env key1 value1 key2 value2 - debug: true # TODO: remove - name: Deployment - Change secrets uses: ./ @@ -461,7 +459,6 @@ jobs: stack_file_path: ./tests/docker-compose.yml stack_name: nginx secrets: web secrets_env key1_b value1_b key2_b value2_b - debug: true # TODO: remove - name: Deployment - Change secrets without deleting old ones uses: ./ @@ -475,7 +472,6 @@ jobs: stack_name: nginx secrets: web secrets_env key1_c value1_c key2_c value2_c secrets_delete_old: false - debug: true # TODO: remove - name: Deployment - Prune secrets uses: ./ @@ -489,4 +485,3 @@ jobs: stack_name: nginx_2 secrets: web secrets_env_2 key1 value1 key2 value2 secrets_prune: true - debug: true # TODO: remove diff --git a/scripts/docker_secrets.sh b/scripts/docker_secrets.sh index d2bec10..650bf5e 100755 --- a/scripts/docker_secrets.sh +++ b/scripts/docker_secrets.sh @@ -6,8 +6,6 @@ get_service_secrets() { service_name=$1 return_secrets="" - # secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretName }} {{ end }}' "$service_name") - # TODO: verify if secret ID works secrets=$(docker service inspect --format '{{ range .Spec.TaskTemplate.ContainerSpec.Secrets }}{{ .SecretID }} {{ end }}' "$service_name") for secret in $secrets; do return_secrets="$return_secrets$secret "