vault has been fully set up, and the stack is now zero trust in all environments
all the apps are running, but vault controls authn/authz, so no service can authenticate to another except with vault-issued credentials
manual setup: walk through the steps that will be automated later
[x] exec into the container and export the bff approle secret id and role id json to the container disk
it doesn't matter if the token is in a file or env; I chose a file because you won't need to manually restart the bff server
this is because esbuild bakes process.env values into the bundle at build time, so a changed env value needs a rebuild and restart, whereas a file is read at runtime
all bff nodejs servers now expect:
src/Data/Postgres/appRoleId.json
src/Data/Postgres/appRoleSecretId.json
nomad should request these from vault and inject them into each nodejs bff server instance it launches (the secret id should have a short secret_id ttl or be single-use so the file on disk is not a long-lived credential)
changes to nodemon.json
now watches .json files (so a rewritten approle file restarts the dev server)
changes to bff
switched to node-esbuild-tsc (was still using tsc to build)
now outputs ESM instead of CommonJS
pnpm add -D -E cpy, as it keeps the file hierarchy when copying to dist
updated the expected compose.env to match what is returned from vault
moved bff secrets from kv-v2 to kv-v1 (kv-v1 returns the key/value map directly under data, with no versioned data.data wrapper)
bff now merges { ...compose.env, ...vaultEnv } so vault values override the compose env in other environments
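The manual setup steps above (approle files on disk, login, kv-v1 read, merge over compose.env) as one runnable flow. This is an added example, not the project's own bff code; the file contents `{ "role_id": "..." }` / `{ "secret_id": "..." }`, the kv-v1 mount name `kv`, the vault address and the `Transport` abstraction are assumptions, since the page shows none of them. The request and response shapes are vault's real AppRole login and kv-v1 API shapes.

```typescript
// Added example (not the project's code): how a bff instance can bootstrap its env
// from vault using the approle files nomad drops on disk. Assumptions: the file
// contents { "role_id": "..." } / { "secret_id": "..." }, the kv-v1 mount "kv", the
// vault address and the service name "bff" are illustrative; the page shows none of them.
import { mkdtempSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

type Env = Record<string, string>;
// Minimal fetch-shaped transport so the flow can run against a stub; pass fetch in production.
type Transport = (
  url: string,
  init: { method?: string; headers?: Record<string, string>; body?: string },
) => Promise<{ ok: boolean; status: number; json: () => Promise<unknown> }>;

// Paths the page says every bff server expects.
const APPROLE_DIR = join("src", "Data", "Postgres");

// Read one string field out of an approle json file, refusing empty values.
export function readAppRoleField(path: string, field: string): string {
  const value = JSON.parse(readFileSync(path, "utf8"))?.[field];
  if (typeof value !== "string" || value.length === 0) throw new Error(`${path}: missing "${field}"`);
  return value;
}

// Body for POST /v1/auth/approle/login (vault's api shape).
export function buildLoginBody(roleId: string, secretId: string) {
  return { role_id: roleId, secret_id: secretId };
}

// Login response is { auth: { client_token, lease_duration, renewable, ... } }.
export function parseLoginResponse(body: unknown): { token: string; ttlSeconds: number } {
  const auth = (body as { auth?: { client_token?: string; lease_duration?: number } })?.auth;
  if (!auth?.client_token) throw new Error("approle login response has no auth.client_token");
  return { token: auth.client_token, ttlSeconds: auth.lease_duration ?? 0 };
}

// kv-v1 GET /v1/<mount>/<path> returns { data: { KEY: "value" } }; kv-v2 would nest it
// under data.data, which is why the read changes when secrets move between engines.
export function parseKv1Response(body: unknown): Env {
  const data = (body as { data?: Record<string, unknown> })?.data;
  if (!data || typeof data !== "object") throw new Error("kv-v1 response has no data object");
  const env: Env = {};
  for (const [k, v] of Object.entries(data)) {
    if (typeof v !== "string") throw new Error(`kv-v1 value for ${k} is not a string`);
    env[k] = v;
  }
  return env;
}

// The page's precedence: vault values override compose.env.
export function mergeEnv(composeEnv: Env, vaultEnv: Env): Env {
  return { ...composeEnv, ...vaultEnv };
}

export async function loadVaultEnv(
  opts: { vaultAddr: string; mount: string; service: string; composeEnv: Env; dir?: string },
  transport: Transport,
): Promise<Env> {
  const dir = opts.dir ?? APPROLE_DIR;
  const roleId = readAppRoleField(join(dir, "appRoleId.json"), "role_id");
  const secretId = readAppRoleField(join(dir, "appRoleSecretId.json"), "secret_id");
  const login = await transport(`${opts.vaultAddr}/v1/auth/approle/login`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(buildLoginBody(roleId, secretId)),
  });
  if (!login.ok) throw new Error(`approle login failed: HTTP ${login.status}`);
  const { token } = parseLoginResponse(await login.json());
  const kv = await transport(`${opts.vaultAddr}/v1/${opts.mount}/${opts.service}`, {
    headers: { "X-Vault-Token": token },
  });
  if (!kv.ok) throw new Error(`kv-v1 read failed: HTTP ${kv.status}`);
  return mergeEnv(opts.composeEnv, parseKv1Response(await kv.json()));
}

// Offline demo: writes the two approle files to a temp dir and stands in for vault with
// constructed responses that follow the real api shapes.
export async function demoLoadVaultEnv(): Promise<Env> {
  const dir = mkdtempSync(join(tmpdir(), "approle-"));
  writeFileSync(join(dir, "appRoleId.json"), JSON.stringify({ role_id: "demo-role-id" }));
  writeFileSync(join(dir, "appRoleSecretId.json"), JSON.stringify({ secret_id: "demo-secret-id" }));
  const stubVault: Transport = async (url, init) => {
    if (url.endsWith("/v1/auth/approle/login")) {
      const b = JSON.parse(init.body ?? "{}");
      const ok = b.role_id === "demo-role-id" && b.secret_id === "demo-secret-id";
      return { ok, status: ok ? 200 : 400, json: async () => (ok ? { auth: { client_token: "s.demo", lease_duration: 3600 } } : { errors: ["invalid role or secret ID"] }) };
    }
    if (init.headers?.["X-Vault-Token"] !== "s.demo") return { ok: false, status: 403, json: async () => ({ errors: ["permission denied"] }) };
    return { ok: true, status: 200, json: async () => ({ data: { PGUSER: "bff", PGPASSWORD: "from-vault" } }) };
  };
  return loadVaultEnv(
    { vaultAddr: "http://vault.example:8200", mount: "kv", service: "bff", dir, composeEnv: { PGHOST: "postgres", PGUSER: "dev" } },
    stubVault,
  );
}
```

`demoLoadVaultEnv()` resolves to `{ PGHOST: "postgres", PGUSER: "bff", PGPASSWORD: "from-vault" }`: PGHOST survives from compose.env, PGUSER is overridden by vault. Because the secret id sits on disk, treat it as a bootstrap credential only: issue it with a short `secret_id_ttl` or `secret_id_num_uses=1`, and keep the returned `client_token` in memory rather than writing it back to disk.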
changes to typescript (affects all typescript apps/packages that extend root/tsconfig.json)
target: es2022 to match etsc.config.js
[x] upsert the docker compose convert output into kv-v1 for bff
upsert the docker compose convert output at kv1-api-endpoint/service-name {env file}
the service names are the top-level keys
not quite sure how this is gonna work in dev: the order of service instantiation is dynamic and should remain so, to force a resilient architecture; thus the vault bootstrap event may or may not have access to the convert output
likely for dev you're just gonna have to run a script on a green environment
on deploy: the nomad event occurs after the development cycle completes and has the full docker export + environment-specific overrides
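The upsert described above as a script shape: take `docker compose convert --format json` output, key it by service name, layer environment-specific overrides on top, and plan one kv-v1 write per service. This is an added example, not the project's script; the mount name `kv`, the vault address, the `Transport` abstraction and the sample compose output are constructed for illustration.

```typescript
// Added example (not the project's script): turn `docker compose convert --format json`
// output into one kv-v1 write per service, with the service name as the top-level key.
// The mount "kv", the vault address and the sample compose config are assumptions.
type Env = Record<string, string>;
type ComposeEnv = Env | string[] | undefined;
interface ComposeConfig { services?: Record<string, { environment?: ComposeEnv }> }
type Transport = (
  url: string,
  init: { method?: string; headers?: Record<string, string>; body?: string },
) => Promise<{ ok: boolean; status: number }>;

// Normalize both forms compose accepts: a map, or a list of "KEY=value". A bare "KEY"
// with no "=" inherits from the shell at compose time, so it is dropped here.
export function normalizeEnv(env: ComposeEnv): Env {
  if (!env) return {};
  if (Array.isArray(env)) {
    const out: Env = {};
    for (const entry of env) {
      const i = entry.indexOf("=");
      if (i > 0) out[entry.slice(0, i)] = entry.slice(i + 1);
    }
    return out;
  }
  return { ...env };
}

// Environment-specific overrides win over the compose values, mirroring the
// { ...compose.env, ...overrides } precedence used at deploy time.
export function envForService(cfg: ComposeConfig, service: string, overrides: Env = {}): Env {
  const svc = cfg.services?.[service];
  if (!svc) throw new Error(`service "${service}" not in compose config`);
  return { ...normalizeEnv(svc.environment), ...overrides };
}

// One kv-v1 write per service: POST /v1/<mount>/<service> with the env map as the body.
// kv-v1 has no versioning and a write replaces the whole secret, so "upsert" here
// means a full overwrite of that service's key.
export interface KvWrite { method: "POST"; path: string; body: Env }
export function planKv1Writes(cfg: ComposeConfig, mount: string, overrides: Record<string, Env> = {}): KvWrite[] {
  const writes: KvWrite[] = [];
  for (const name of Object.keys(cfg.services ?? {}).sort()) {
    const body = envForService(cfg, name, overrides[name]);
    if (Object.keys(body).length === 0) continue; // nothing to store for this service
    writes.push({ method: "POST", path: `/v1/${mount}/${name}`, body });
  }
  return writes;
}

// Apply the plan with a vault token; kv-v1 answers a successful write with 204.
export async function applyKv1Writes(writes: KvWrite[], vaultAddr: string, token: string, transport: Transport): Promise<string[]> {
  const done: string[] = [];
  for (const w of writes) {
    const res = await transport(`${vaultAddr}${w.path}`, {
      method: w.method,
      headers: { "X-Vault-Token": token, "content-type": "application/json" },
      body: JSON.stringify(w.body),
    });
    if (!res.ok) throw new Error(`${w.path}: HTTP ${res.status}`);
    done.push(w.path);
  }
  return done;
}

// Constructed sample of `docker compose convert --format json` output (trimmed to
// the environment keys; compose normalizes the map form, the list form is kept to
// show that both are handled).
export const SAMPLE_COMPOSE: ComposeConfig = {
  services: {
    bff: { environment: { PGHOST: "postgres", PGPORT: "5432", PGDATABASE: "app" } },
    api: { environment: ["PORT=8080", "LOG_LEVEL=info", "HOME"] },
    postgres: {},
  },
};

// Usage: a staging override changes PGHOST for bff only; postgres has no env and is skipped.
export const SAMPLE_WRITES = planKv1Writes(SAMPLE_COMPOSE, "kv", { bff: { PGHOST: "pg.staging.internal" } });
```

For dev, where the convert output may not exist yet when vault bootstraps, this is the script to run once against a green environment; on deploy, the nomad event can feed the same function the full export plus its overrides.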
src/**/*.json
for composite projects? fixed the typescript error but still weird