ricardo/NALU
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: scale service to 0 before secret rotation to avoid AlreadyExists error
Some checks failed
NALU Deployment Pipeline / Run Tests (push) Successful in 1m7s
Details
NALU Deployment Pipeline / PR Validation (push) Has been skipped
Details
NALU Deployment Pipeline / Build and Push Image (push) Failing after 3m51s
Details
NALU Deployment Pipeline / Deploy naluai.dev (push) Has been skipped
Details
NALU Deployment Pipeline / Cleanup Old Resources (push) Has been skipped
Details

Browse Source 
Docker Swarm refuses to delete secrets in use by running services.
Scale nalu_app to 0 first, then rotate, then stack deploy re-creates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Ricardo Carneiro 2026-05-15 20:21:16 -03:00
parent c5cb9df468
commit 958e71d9bf
1 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.gitea/workflows/deploy-nalu.yml
View File

@ -91,12 +91,8 @@ jobs:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
run: | run: |
mkdir -p ~/.ssh mkdir -p ~/.ssh
printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
echo "" >> ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa
# debug key format (no content exposed)
head -1 ~/.ssh/id_rsa
wc -l ~/.ssh/id_rsa
ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
- name: Build image on ARM server - name: Build image on ARM server
@ -205,8 +201,7 @@ jobs:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
run: | run: |
mkdir -p ~/.ssh mkdir -p ~/.ssh
printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
echo "" >> ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
@ -216,6 +211,10 @@ jobs:
ssh -o StrictHostKeyChecking=no ubuntu@${{ env.SWARM_MANAGER }} << SSHEOF ssh -o StrictHostKeyChecking=no ubuntu@${{ env.SWARM_MANAGER }} << SSHEOF
set -e set -e
# ── Scale down so secrets can be rotated ─────────────────────────
docker service scale nalu_app=0 2>/dev/null || true
sleep 5
# ── Create/update Docker secrets ───────────────────────────────── # ── Create/update Docker secrets ─────────────────────────────────
update_secret() { update_secret() {
local name=\$1 local name=\$1
@ -267,8 +266,7 @@ jobs:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
run: | run: |
mkdir -p ~/.ssh mkdir -p ~/.ssh
printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
echo "" >> ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
ssh-keyscan -H ${{ env.SWARM_WORKER }} >> ~/.ssh/known_hosts 2>/dev/null ssh-keyscan -H ${{ env.SWARM_WORKER }} >> ~/.ssh/known_hosts 2>/dev/null