paritytech · sergejparity · Aug 31, 2023
@@ -8,6 +8,12 @@ variables:
   GIT_DEPTH:                       3
   CARGO_TARGET_DIR:                "/ci-cache/${CI_PROJECT_NAME}/targets/${CI_COMMIT_REF_NAME}/${CI_JOB_NAME}"
   GITLAB_URL:                      https://gitlab.parity.io
+  # Vault Section
+  VAULT_SERVER_URL:                "https://vault.parity-mgmt-vault.parity.io"
+  VAULT_ADDR:                      "${VAULT_SERVER_URL}"
+  VAULT_AUTH_PATH:                 "gitlab-parity-io-jwt"
+  VAULT_AUTH_ROLE:                 "gitlab_${CI_PROJECT_NAME}"
+  HELM_SECRETS_DRIVER:             vals
 
 default:
   image:                           $CI_IMAGE
@@ -156,23 +162,19 @@ publish-docker-image-description:
 #### stage:                        deploy
 
 .deploy-k8s:                       &deploy-k8s
-  image:                           paritytech/kubetools:3.5.3
+  image:                           paritytech/kubetools:helm3
   interruptible:                   true
   # PROCESSBOT_KEY should be base64 encoded
   script:
-    - helm upgrade processbot ./helm
+    - export VAULT_TOKEN="$(vault write -field=token auth/$VAULT_AUTH_PATH/login role=$VAULT_AUTH_ROLE jwt=$CI_JOB_JWT)"
+    - helm secrets --evaluate-templates upgrade processbot ./helm
       --install
       --namespace "${KUBE_NAMESPACE}"
       --values "helm/values-${CI_ENVIRONMENT_NAME}.yaml"
-      --set "app.INSTALLATION_LOGIN=${INSTALLATION_LOGIN}"
-      --set "app.KUBE_NAMESPACE=${KUBE_NAMESPACE}"
+      --set "app.DEPENDENCY_UPDATE_CONFIGURATION=${DEPENDENCY_UPDATE_CONFIGURATION}"
       --set "app.DOCKER_TAG=${CI_COMMIT_REF_NAME}"
-      --set "app.PROCESSBOT_KEY=${PROCESSBOT_KEY}"
-      --set "app.GITHUB_APP_ID=${GITHUB_APP_ID}"
-      --set "app.WEBHOOK_SECRET=${WEBHOOK_SECRET}"
       --set "app.GITLAB_URL=${GITLAB_URL}"
-      --set "app.GITLAB_ACCESS_TOKEN=${GITLAB_ACCESS_TOKEN}"
-      --set "app.DEPENDENCY_UPDATE_CONFIGURATION=${DEPENDENCY_UPDATE_CONFIGURATION}"
+      --set "app.KUBE_NAMESPACE=${KUBE_NAMESPACE}"
 
 deploy-staging:
   stage:                           deploy

@@ -14,7 +14,7 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

@@ -1,4 +1,12 @@
 environment: production
+
+app:
+  GITHUB_APP_ID: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-prod#GITHUB_APP_ID
+  GITLAB_ACCESS_TOKEN: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-prod#GITLAB_ACCESS_TOKEN
+  INSTALLATION_LOGIN: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-prod#INSTALLATION_LOGIN
+  PROCESSBOT_KEY: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-prod#PROCESSBOT_KEY
+  WEBHOOK_SECRET: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-prod#WEBHOOK_SECRET
+
 ingress:
   domain: processbot.parity.io
   annotations:

@@ -1,4 +1,12 @@
 environment: staging
+
+app:
+  GITHUB_APP_ID: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-stg#GITHUB_APP_ID
+  GITLAB_ACCESS_TOKEN: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-stg#GITLAB_ACCESS_TOKEN
+  INSTALLATION_LOGIN: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-stg#INSTALLATION_LOGIN
+  PROCESSBOT_KEY: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-stg#PROCESSBOT_KEY
+  WEBHOOK_SECRET: ref+vault://kv/gitlab/parity/mirrors/parity-processbot/cicd-parity-stg#WEBHOOK_SECRET
+
 ingress:
   domain: processbot.parity-stg.parity.io
   annotations:

@@ -1,11 +1,8 @@
 app:
-  WEBHOOK_PORT: 8080
-  INSTALLATION_LOGIN: from-gitlab-vars
   DOCKER_TAG: from-gitlab-vars
-  PROCESSBOT_KEY: from-gitlab-vars
-  WEBHOOK_SECRET: from-gitlab-vars
   KUBE_NAMESPACE: from-gitlab-vars
   START_FROM_CWD: true
+  WEBHOOK_PORT: 8080
 
 config:
   storagePath: /storage