feat(blocky): update blocky version from 0.28.2 to 0.29.0

update note:
- step-ca container doesn't support $PWDPATH anymore
- add --password-file argument to exec

ansible/inventory/group_vars/all.yaml

@@ -152,17 +152,17 @@ services:
 version:
   packages:
     sops: "3.12.1"
-    step: "0.29.0"
+    step: "0.30.2"
     kopia: "0.22.3"
-    blocky: "0.28.2"
+    blocky: "0.29.0"
     alloy: "1.13.0"
   containers:
     # common
     caddy: "2.11.2"
     # infra
-    step: "0.29.0"
+    step: "0.30.2"
     ldap: "v0.6.2"
-    x509-exporter: "3.19.1"
+    x509-exporter: "3.21.0"
     prometheus: "v3.9.1"
     loki: "3.6.5"
     grafana: "12.3.3"

ansible/roles/infra/handlers/main.yaml

@@ -73,10 +73,10 @@
   listen: "notification_restart_grafana"
   ignore_errors: true # noqa: ignore-errors
 
-- name: Enable x509-exporter.service
+- name: Restart x509-exporter.service
   ansible.builtin.systemd:
     name: "x509-exporter.service"
-    state: "started"
+    state: "restarted"
     enabled: true
     daemon_reload: true
     scope: "user"

config/services/containers/infra/ca/ca.container.j2

@@ -22,14 +22,17 @@ Volume=%h/containers/ca/db:/home/step/db:rw
 Volume=%h/containers/ca/templates:/home/step/templates:rw
 
 Environment="TZ=Asia/Seoul"
-Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
+# Since 0.30.0, Docker CMD no longer expands PWDPATH.
+#Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
 
 Secret=STEP_CA_PASSWORD,target=/run/secrets/STEP_CA_PASSWORD
 
+Exec=/usr/local/bin/step-ca --password-file /run/secrets/STEP_CA_PASSWORD /home/step/config/ca.json
+
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 
 [Install]
-WantedBy=default.target
+WantedBy=default.target