m-adawi / swarm-cd

SwarmCD: Declarative GitOps and Continuous Deployment tool for Docker Swarm.
GNU General Public License v3.0

docs: example using configs, secrets and docket socket proxy #12

Closed sanzoghenzo closed 1 month ago

sanzoghenzo commented 1 month ago

Hi there, I hope I'm not becoming your nightmare 😅

This is what I've come up with to make the swarm-cd deployment a little more secure.

Let me know if you want me to create a PR to add the documentation, and if so, where to put it.

```yaml
---
version: '3.7'
services:
  socket_proxy:
    image: tecnativa/docker-socket-proxy:0.2.0
    deploy:
      placement:
        constraints:
          - node.role == manager
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      TZ: Europe/Rome
      INFO: 1
      SERVICES: 1
      NETWORKS: 1
      SECRETS: 1
      CONFIGS: 1
      POST: 1

  swarm-cd:
    image: ghcr.io/m-adawi/swarm-cd:1.1.0
    depends_on:
      - socket_proxy
    configs:
      - source: stacks
        target: /app/stacks.yaml
        mode: 0400
    environment:
      DOCKER_HOST: tcp://socket_proxy:2375
    secrets:
      - source: repos
        target: /app/repos.yaml
        mode: 0400

configs:
  stacks:
    file: ./stacks.yaml
    name: stacks-${STACKS_MD5}

secrets:
  repos:
    file: ./repos.yaml
    name: repos-${REPOS_MD5}
```

Regarding the environment variables, as I mentioned in https://github.com/m-adawi/swarm-cd/issues/6#issuecomment-2233667970, my command to create and update the swarm-cd stack uses yq, awk and md5sum to handle the config and secret upgrades, and is held in a Taskfile so I just have to `task bootstrap`:

```yaml
version: '3'

vars:
  STACK_NAME: swarm-cd
  COMPOSE_FILE: '{{.STACK_NAME}}/docker-compose.yaml'

tasks:
  bootstrap:
    cmds:
      - "eval $(yq '.secrets + .configs | map((key | upcase | sub(\"[^A-Z0-9_]\", \"_\") + \"_MD5\"): .file) | flatten | .[]' swarm-cd/docker-compose.yaml | awk -F ': ' '{ cmd=\"md5sum {{.STACK_NAME}}/\" $2 \"| cut -f1 -d \\\" \\\"\"; while(cmd | getline line) {print $1 \"=\" line}}' | tr '\n' ' ') docker stack deploy -c {{.COMPOSE_FILE}} -d=true {{.STACK_NAME}}"

  cleanup:
    cmds:
      - docker stack rm {{.STACK_NAME}}
```

m-adawi commented 1 month ago

> Hi there, I hope I'm not becoming your nightmare 😅

Haha no man I really appreciate your feedback and the suggestions you make. You're really helping me shape this tool.

> It uses Tecnativa's docker-socket-proxy to only expose the needed Docker Engine API endpoints; the DOCKER_HOST environment variable points to the proxy

Oh I really like this thing

> Let me know if you want me to create a PR to add the documentation, and if so, where to put it.

That would be appreciated, can you add it to the README file in a separate section, titled something like "Connecting SwarmCD to a remote docker daemon". I know the README file is getting big and needs to be organized or split into multiple files but I will leave that for later.

> Regarding the environment variables, as I mentioned in https://github.com/m-adawi/swarm-cd/issues/6#issuecomment-2233667970, my command to create and update the swarm-cd stack uses yq, awk and md5sum to handle the config and secret upgrades, and is held in a Taskfile so I just have to `task bootstrap`

Oh I'm planning to implement this in Go, making it iterate over configs and secrets and add to them the property name with the value `<name>-<file-hash>`
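
The renaming step described above, as an added Go example that is not SwarmCD's own code: the `Entry` type is a hypothetical stand-in for the parsed `configs:` / `secrets:` entries, sha256 is used in place of the `md5sum` from the Taskfile, and entries marked `external: true` or already carrying an explicit `name` are assumed to be left untouched.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Entry is the subset of a compose top-level "configs:" / "secrets:" definition
// that the versioning step needs (a hypothetical type, not SwarmCD's own).
type Entry struct {
	File     string // path relative to the stack directory, as in the compose file
	Name     string // explicit Swarm object name, if the user set one
	External bool   // external: true -> object is managed outside this stack
}

// ContentHash fingerprints the file's bytes. sha256 is used here where the
// Taskfile above uses md5sum; truncating keeps the Swarm object name short.
func ContentHash(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])[:12], nil
}

// VersionNames sets Name to "<key>-<hash>" on every file-backed entry. Swarm
// configs and secrets are immutable, so a changed file must become a new object
// with a new name, while an unchanged file keeps resolving to the existing one.
// External entries and entries with an explicit name are passed through untouched.
func VersionNames(stackDir string, entries map[string]Entry) (map[string]Entry, error) {
	out := make(map[string]Entry, len(entries))
	for key, e := range entries {
		if e.External || e.Name != "" || e.File == "" {
			out[key] = e
			continue
		}
		h, err := ContentHash(filepath.Join(stackDir, e.File))
		if err != nil {
			return nil, fmt.Errorf("config/secret %q: %w", key, err)
		}
		e.Name = key + "-" + h
		out[key] = e
	}
	return out, nil
}
```

Because the name is derived from the content, redeploying with an unchanged file is a no-op, and a missing file fails the run instead of deploying an unnamed object; the superseded objects from earlier deploys are not removed by this step and still need pruning.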

m-adawi commented 1 month ago

> It uses a secret for the repos.yaml file, since it can contain auth credentials

I just opened #13 to separate the repo secret from its configuration

github-actions[bot] commented 3 weeks ago

:tada: This issue has been resolved in version 1.4.1 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: