CI: Vault variables (#5)

* Streamline publish and deploy w/ variables from local vault

* Publish should wait for build

* Updated Dockerfile to include compiling step within itself

Previously it dependent on /build folder existing in project folder,
this was done by CI pipeline sharing project directory between build and
publish steps. This is no separated and Dockerfile compiles and serves.

.drone.yml

@@ -23,27 +23,41 @@ steps:
     commands:
       - yarn build
 
+---
+kind: pipeline
+type: docker
+name: Publish
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
   - name: Publish to ghcr
     image: plugins/docker
     settings:
       registry: ghcr.io
-      repo: ghcr.io/kevinmidboe/k9e.no
+      repo: ghcr.io/kevinmidboe/${DRONE_REPO_NAME}
       dockerfile: Dockerfile
       username:
         from_secret: GITHUB_USERNAME
       password:
-        from_secret: GITHUB_PASSWORD
+        from_secret: GHCR_UPLOAD_TOKEN
       tags:
         - latest
         - ${DRONE_COMMIT_SHA}
-    when:
-      event:
-        include:
-          - push
-        exclude:
-          - pull_request
-      branch:
-        - main
+
+trigger:
+  event:
+    include:
+      - push
+    exclude:
+      - pull_request
+  branch:
+    - main
+
+depends_on:
+  - Build
 
 ---
 kind: pipeline
@@ -55,31 +69,60 @@ platform:
   arch: amd64
 
 steps:
+  - name: Prepare kubernetes environment
+    image: alpine/k8s:1.25.15
+    environment:
+      VAULT_TOKEN:
+        from_secret: VAULT_TOKEN
+      VAULT_HOST:
+        from_secret: VAULT_HOST
+    commands:
+      - mkdir -p /root/.kube
+      - echo "IMAGE=ghcr.io/kevinmidboe/${DRONE_REPO_NAME}:${DRONE_COMMIT_SHA}" > /root/.kube/.env
+      - echo "NAMESPACE=${DRONE_REPO_NAME}" >> /root/.kube/.env
+      - 'curl -s
+        -H "X-Vault-Token: $VAULT_TOKEN"
+        $VAULT_HOST/v1/schleppe/data/kazan/_infra
+        | jq -r ".data.data.KUBE_CONFIG" > /root/.kube/config'
+      - 'curl -s
+        -H "X-Vault-Token: $VAULT_TOKEN"
+        $VAULT_HOST/v1/schleppe/data/kazan/_infra
+        | jq -cr ".data.data | .[\"ghcr-login-secret\"] | @base64" > /root/.kube/dockerconfig.json'
+      - echo "DOCKER_CONFIG=$(cat /root/.kube/dockerconfig.json)" >> /root/.kube/.env
+      - sed -i '/^$/!s/^/export /' /root/.kube/.env
+    volumes:
+      - name: kube-config
+        path: /root/.kube
+
   - name: Deploy to kubernetes
     image: alpine/k8s:1.25.15
     commands:
-      - mkdir -p /root/.kube
-      - echo $KUBE_CONFIG | base64 -di > /root/.kube/config
-      - export IMAGE=ghcr.io/kevinmidboe/k9e.no:${DRONE_COMMIT_SHA}
+      - source /root/.kube/.env > /dev/null 2>&1
       - cat .kubernetes/*.yml
         | envsubst
         | kubectl --kubeconfig=/root/.kube/config apply -f -
-    environment:
-      KUBE_CONFIG:
-        from_secret: KUBE_CONFIG
-    when:
-      event:
-        include:
-          - push
-        exclude:
-          - pull_request
-      branch:
-        - main
+    volumes:
+      - name: kube-config
+        path: /root/.kube
+
+trigger:
+  event:
+    include:
+      - push
+    exclude:
+      - pull_request
+  branch:
+    - main
 
 depends_on:
   - Build
+  - Publish
+
+volumes:
+  - name: kube-config
+    temp: {}
 ---
 kind: signature
-hmac: 21637711852b1b5a29ae8fb084cc536daa06f6223a6c3d8a622fdbd2b2df527b
+hmac: 03e25f2d7d7c020ae68bf05137456105df022f967c02709740cf892a94ac8620
 
 ...

Dockerfile

@@ -1,6 +1,16 @@
+
+# Build the project
+FROM node:lts-iron as builder
+
+ADD . .
+
+RUN yarn
+RUN yarn build
+# RUN make test
+
 FROM nginx:alpine
 
 WORKDIR /app
 
 COPY ./nginx.conf /etc/nginx/nginx.conf
-COPY ./build .
+COPY --from=builder ./build .