feat: prune secret

.github/workflows/main.yml

@@ -256,7 +256,7 @@ jobs:
           ssh -v -i "${{ env.SSH_KEY_PRIVATE_PATH }}" -o 'UserKnownHostsFile=${{ env.KNOWN_HOST_PATH }}' -o 'StrictHostKeyChecking=yes' \
             -p "${{ env.CONTAINER_HOST_PORT }}" "${{ env.SSH_USERNAME }}@${{ env.CONTAINER_HOST_NAME}}" docker info
 
-  test1:
+  test_basic:
     runs-on: ubuntu-latest
     name: "Basic"
     needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"]
@@ -280,21 +280,20 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 1
-    - name: Start Deployment 1 - Basic
+    - name: Deployment
       uses: ./
       with:
         deployment_mode: docker-swarm
         remote_docker_host: "${{ env.CONTAINER_NAME }}"
         remote_docker_port: "${{ env.CONTAINER_PORT }}"
         remote_docker_username: "${{ env.SSH_USERNAME }}"
         ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
-        ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}"
         stack_file_path: ./tests/docker-compose.yml
-        stack_name: nginx_1
+        stack_name: nginx
 
-  test2:
+  test_public_key:
     runs-on: ubuntu-latest
-    name: "No pub key"
+    name: "Public key"
     needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"]
     services:
       docker-throw-ssh:
@@ -316,18 +315,19 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 1
-    - name: Start Deployment 2 - No pub key
+    - name: Deployment
       uses: ./
       with:
         deployment_mode: docker-swarm
         remote_docker_host: "${{ env.CONTAINER_NAME }}"
         remote_docker_port: "${{ env.CONTAINER_PORT }}"
         remote_docker_username: "${{ env.SSH_USERNAME }}"
         ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
+        ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}"
         stack_file_path: ./tests/docker-compose.yml
-        stack_name: nginx_2
+        stack_name: nginx
 
-  test3:
+  test_background_deploy:
     runs-on: ubuntu-latest
     name: "Background deploy"
     needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"]
@@ -351,20 +351,19 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 1
-    - name: Start Deployment 3 - Background deploy
+    - name: Deployment
       uses: ./
       with:
         deployment_mode: docker-swarm
         remote_docker_host: "${{ env.CONTAINER_NAME }}"
         remote_docker_port: "${{ env.CONTAINER_PORT }}"
         remote_docker_username: "${{ env.SSH_USERNAME }}"
         ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
-        ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}"
         stack_file_path: ./tests/docker-compose.yml
-        stack_name: nginx_3
+        stack_name: nginx
         deploy_foreground: false
 
-  test4:
+  test_debug:
     runs-on: ubuntu-latest
     name: "Debug"
     needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"]
@@ -388,15 +387,101 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 1
-    - name: Start Deployment 4 - Debug
+    - name: Deployment
       uses: ./
       with:
         deployment_mode: docker-swarm
         remote_docker_host: "${{ env.CONTAINER_NAME }}"
         remote_docker_port: "${{ env.CONTAINER_PORT }}"
         remote_docker_username: "${{ env.SSH_USERNAME }}"
         ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
-        ssh_public_key: "${{ needs.run_test_service.outputs.ssh_server_public_key }}"
         stack_file_path: ./tests/docker-compose.yml
-        stack_name: nginx_4
+        stack_name: nginx
         debug: true
+
+  test_secrets:
+    runs-on: ubuntu-latest
+    name: "Secrets"
+    needs: ["utils", "generate_key", "build_run_test_service", "run_test_service"]
+    services:
+      docker-throw-ssh:
+        image: "ghcr.io/tristiisch/docker_throw_ssh_with_key:test-${{ needs.utils.outputs.short_sha }}"
+        ports:
+          - 2222:22
+        options: >
+          --privileged
+          --tty
+          -v /sys/fs/cgroup:/sys/fs/cgroup
+          --cgroupns=host
+          --cap-add=NET_ADMIN
+          --cap-add=NET_RAW
+          --cap-add=SYS_ADMIN
+          --tmpfs /run
+          --tmpfs /run/lock
+          --tmpfs /tmp
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+
+    - name: Deployment - Add secrets
+      uses: ./
+      with:
+        deployment_mode: docker-swarm
+        remote_docker_host: "${{ env.CONTAINER_NAME }}"
+        remote_docker_port: "${{ env.CONTAINER_PORT }}"
+        remote_docker_username: "${{ env.SSH_USERNAME }}"
+        ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
+        stack_file_path: ./tests/docker-compose.yml
+        stack_name: nginx
+        secrets: web secrets_env key1 value1 key2 value2
+
+    - name: Deployment - Reusing secrets
+      uses: ./
+      with:
+        deployment_mode: docker-swarm
+        remote_docker_host: "${{ env.CONTAINER_NAME }}"
+        remote_docker_port: "${{ env.CONTAINER_PORT }}"
+        remote_docker_username: "${{ env.SSH_USERNAME }}"
+        ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
+        stack_file_path: ./tests/docker-compose.yml
+        stack_name: nginx
+        secrets: web secrets_env key1 value1 key2 value2
+
+    - name: Deployment - Change secrets
+      uses: ./
+      with:
+        deployment_mode: docker-swarm
+        remote_docker_host: "${{ env.CONTAINER_NAME }}"
+        remote_docker_port: "${{ env.CONTAINER_PORT }}"
+        remote_docker_username: "${{ env.SSH_USERNAME }}"
+        ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
+        stack_file_path: ./tests/docker-compose.yml
+        stack_name: nginx
+        secrets: web secrets_env key1_b value1_b key2_b value2_b
+
+    - name: Deployment - Change secrets without deleting old ones
+      uses: ./
+      with:
+        deployment_mode: docker-swarm
+        remote_docker_host: "${{ env.CONTAINER_NAME }}"
+        remote_docker_port: "${{ env.CONTAINER_PORT }}"
+        remote_docker_username: "${{ env.SSH_USERNAME }}"
+        ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
+        stack_file_path: ./tests/docker-compose.yml
+        stack_name: nginx
+        secrets: web secrets_env key1_c value1_c key2_c value2_c
+        secrets_delete_old: false
+
+    - name: Deployment - Prune secrets
+      uses: ./
+      with:
+        deployment_mode: docker-swarm
+        remote_docker_host: "${{ env.CONTAINER_NAME }}"
+        remote_docker_port: "${{ env.CONTAINER_PORT }}"
+        remote_docker_username: "${{ env.SSH_USERNAME }}"
+        ssh_private_key: "${{ needs.generate_key.outputs.private_key }}"
+        stack_file_path: ./tests/docker-compose.yml
+        stack_name: nginx_2
+        secrets: web secrets_env_2 key1 value1 key2 value2
+        secrets_prune: true

Dockerfile

@@ -8,7 +8,7 @@ LABEL 'com.github.actions.description'='supports docker-compose and Docker Swarm
 LABEL 'com.github.actions.icon'='send'
 LABEL 'com.github.actions.color'='green'
 
-RUN apk --no-cache add openssh-client docker-compose yq
+RUN apk --no-cache add openssh-client docker-compose jq yq
 
 WORKDIR /app
 

action.yml

@@ -18,7 +18,7 @@ inputs:
     required: true
   deployment_mode:
     description: 'Deployment mode: docker-swarm or docker-compose (default: docker-compose)'
-    default: './docker-compose'
+    default: 'docker-compose'
   copy_stack_file:
     description: 'Copy stack file to remote server and deploy from the server (default: false)'
   deploy_path:
@@ -44,7 +44,13 @@ inputs:
     description: '[Docker Swarm] Waiting for the stack to complete the rolling update.'
     default: true
   secrets:
-    description: 'Update Docker Secret using rotation during Stack Update. Format is service_name secret_name key1 value1 key2 value2 ...'
+    description: 'Update Docker Secret using rotation during stack update. The format is: service_name secret_name key1 value1 key2 value2 ...'
+  secrets_delete_old:
+    description: 'Remove any replaced secrets during stack update (default: true).'
+    default: true
+  secrets_prune:
+    description: 'Remove all unused Docker secrets (default: false).'
+    default: false
   args:
     description: 'Command arguments for deployment'
   debug:

docker-entrypoint.sh

@@ -84,7 +84,7 @@ case $INPUT_DEPLOYMENT_MODE in
 	if [ -n "${INPUT_SECRETS+set}" ] && [ -n "$INPUT_SECRETS" ]; then
 		POST_SCRIPTS_FOLDER="/opt/scripts/post"
 		export POST_SCRIPTS_FOLDER
-		"$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" $INPUT_SECRETS
+		"$WORKDIR/scripts/docker_secrets.sh" "$INPUT_STACK_FILE_PATH" "$INPUT_STACK_NAME" "$INPUT_SECRETS_DELETE_OLD" "$INPUT_SECRETS_PRUNE" $INPUT_SECRETS
 	fi
 
 	"$WORKDIR/scripts/docker_swarm.sh"
@@ -98,7 +98,11 @@ esac
 
 # Execute post commands if any
 if [ -n "$POST_SCRIPTS_FOLDER" ] && [ -d "$POST_SCRIPTS_FOLDER" ]; then
-	find "$POST_SCRIPTS_FOLDER" -type f -executable -exec sh {} \;
+	debug "Execute post scripts in $POST_SCRIPTS_FOLDER ..."
+    find "$POST_SCRIPTS_FOLDER" -type f -executable | while read -r script; do
+        info "Execute post script $script ..."
+        sh "$script"
+    done
 fi
 
 # Delete temp file