From bcba4dab80610b94b98581a1c4bbae18c1a73d4b Mon Sep 17 00:00:00 2001
From: Marcel
Date: Thu, 21 May 2026 19:44:19 +0200
Subject: [PATCH] ci(observability): inject GRAFANA_DB_PASSWORD from Gitea secrets

Wires the new GRAFANA_DB_PASSWORD secret through the deploy pipeline:
- docker-compose.prod.yml: backend env now passes GRAFANA_DB_PASSWORD through so Flyway V68 can resolve the ${grafanaDbPassword} placeholder in production and staging (it already worked in local dev via docker-compose.yml).
- release.yml + nightly.yml: declare GRAFANA_DB_PASSWORD as a required Gitea secret, write it into .env.production / .env.staging (consumed by archive-backend), and into /opt/familienarchiv/obs-secrets.env (consumed by obs-grafana's PostgreSQL datasource).
Operator action before the next deploy: add a GRAFANA_DB_PASSWORD value to the Gitea repo secrets (openssl rand -hex 32).
Refs #651.
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/nightly.yml | 3 +++
 .gitea/workflows/release.yml | 3 +++
 docker-compose.prod.yml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 152050bb..a78637b3 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -31,6 +31,7 @@ name: nightly
 # STAGING_APP_ADMIN_USERNAME
 # STAGING_APP_ADMIN_PASSWORD
 # GRAFANA_ADMIN_PASSWORD
+# GRAFANA_DB_PASSWORD (read-only grafana_reader DB role, issue #651)
 # GLITCHTIP_SECRET_KEY
 # SENTRY_DSN (set after GlitchTip first-run; empty = Sentry disabled)
@@ -80,6 +81,7 @@ jobs:
 POSTGRES_USER=archiv
 SENTRY_DSN=${{ secrets.SENTRY_DSN }}
 VITE_SENTRY_DSN=${{ secrets.VITE_SENTRY_DSN }}
+ GRAFANA_DB_PASSWORD=${{ secrets.GRAFANA_DB_PASSWORD }}
 EOF
 - name: Verify backend /import:ro mount is wired
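Review bot: The added `GRAFANA_DB_PASSWORD=${{ secrets.GRAFANA_DB_PASSWORD }}` line in the `.env.staging` heredoc (hunk `@@ -80,6 +81,7 @@`) writes an empty value when the secret has not been created yet, which the commit message itself lists as an operator prerequisite; as far as I know Gitea Actions, like GitHub, expands an undefined secret to an empty string rather than failing the step. Unlike `SENTRY_DSN`, where the comment block documents empty as "disabled", an empty password here is what the V68 migration would apply to the grafana_reader role, so the deploy should stop instead. A guard before the heredoc such as `test -n "${{ secrets.GRAFANA_DB_PASSWORD }}" || { echo "GRAFANA_DB_PASSWORD secret is not set" >&2; exit 1; }` makes the "required" in the comment block enforceable. The same applies to the `.env.production` heredoc in release.yml's `@@ -77,6 +78,7 @@` hunk. The enclosing `run:` step starts before the hunk.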
@@ -143,6 +145,7 @@ jobs:
 cp docker-compose.observability.yml /opt/familienarchiv/
 cat > /opt/familienarchiv/obs-secrets.env <<'EOF'
 GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+ GRAFANA_DB_PASSWORD=${{ secrets.GRAFANA_DB_PASSWORD }}
 GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
 POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}
 POSTGRES_HOST=archiv-staging-db-1
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index cf30bf83..4ad4ab1e 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -35,6 +35,7 @@ name: release
 # MAIL_USERNAME
 # MAIL_PASSWORD
 # GRAFANA_ADMIN_PASSWORD
+# GRAFANA_DB_PASSWORD (read-only grafana_reader DB role, issue #651)
 # GLITCHTIP_SECRET_KEY
 # SENTRY_DSN (set after GlitchTip first-run; empty = Sentry disabled)
@@ -77,6 +78,7 @@ jobs:
 IMPORT_HOST_DIR=/srv/familienarchiv-production/import
 POSTGRES_USER=archiv
 SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+ GRAFANA_DB_PASSWORD=${{ secrets.GRAFANA_DB_PASSWORD }}
 EOF
 - name: Build images
@@ -110,6 +112,7 @@ jobs:
 cp docker-compose.observability.yml /opt/familienarchiv/
 cat > /opt/familienarchiv/obs-secrets.env <<'EOF'
 GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+ GRAFANA_DB_PASSWORD=${{ secrets.GRAFANA_DB_PASSWORD }}
 GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
 POSTGRES_PASSWORD=${{ secrets.PROD_POSTGRES_PASSWORD }}
 POSTGRES_HOST=archiv-production-db-1
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index fe435306..cdae6581 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
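Review bot: `/opt/familienarchiv/obs-secrets.env` gains another credential in hunk `@@ -143,6 +145,7 @@`, but the hunk shows the file being created by a plain `cat > ... <<'EOF'` redirect with no `umask` or `chmod` in sight, so unless the enclosing `run:` step (which starts before the hunk) already restricts it, the file's mode follows the deploy user's default umask and is commonly world-readable on the host. Add `umask 077` on the line before the `cat >`, or `chmod 600 /opt/familienarchiv/obs-secrets.env` directly after `EOF`, and do the same for the `.env.staging` / `.env.production` heredocs written earlier in these workflows. The identical write is in release.yml's `@@ -110,6 +112,7 @@` hunk. Since the same secret is now materialised into two files per environment, it would help to note in the secrets comment block that rotating it requires a full redeploy so that Flyway's copy and Grafana's datasource copy cannot drift.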
@@ -227,6 +227,9 @@ services:
 SPRING_DATASOURCE_URL: jdbc:postgresql://db:5432/archiv
 SPRING_DATASOURCE_USERNAME: archiv
 SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+ # Consumed by Flyway V68 via the ${grafanaDbPassword} placeholder to set
+ # the read-only grafana_reader role's password.
+ GRAFANA_DB_PASSWORD: ${GRAFANA_DB_PASSWORD}
 # Application uses the bucket-scoped service account, not MinIO root.
 S3_ENDPOINT: http://minio:9000
 S3_ACCESS_KEY: archiv-app
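Review bot: `GRAFANA_DB_PASSWORD: ${GRAFANA_DB_PASSWORD}` expands to an empty string when the variable is absent from the env file, which Compose only warns about, so a host whose `.env.production` predates this change would start the backend and hand an empty password to the V68 migration instead of failing. Compose's required-variable form, `GRAFANA_DB_PASSWORD: ${GRAFANA_DB_PASSWORD:?GRAFANA_DB_PASSWORD is not set}`, aborts `docker compose up` before the container starts and costs nothing for the existing dev path. The new comment is good; it would be more useful still if it named the property that maps this variable onto the `${grafanaDbPassword}` Flyway placeholder (presumably a `spring.flyway.placeholders.*` entry, not visible here) so a reader can find the consumer without grepping the migration.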