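variables:
  BUILD_ID: "1.0.6"
  # Name used for the UI image and the throw-away containers below.
  # NOTE(review): this key was defined twice in the original mapping
  # ("earthquake-geoserve-ui" here, "earthquake-geoserve" further down).
  # Parsers that accept duplicate keys keep the last value, so the second
  # definition silently won. The deploy-side name is DEPLOY_APP_NAME and
  # EXPORTS/DEPLOY_DIR now use that, so the two meanings no longer collide.
  APP_NAME: "earthquake-geoserve-ui"
  # DEVOPS_REGISTRY: "$GITLAB_INNERSOURCE_REGISTRY/devops/images"
  # WORKSPACE: "prod"
  FAILURE: "null"
  # Version tag pushed to both registries; a floating "latest" is never pushed.
  IMAGE_VERSION: "1.0.6"
  SCM_VARS: "[:]"
  # Base image of the runtime image, and the image used to build distributables.
  # NOTE(review): both are floating tags; for a reproducible, auditable build
  # pin them by digest (name@sha256:...).
  BASE_IMAGE: "usgs/nginx:latest"
  BUILDER_IMAGE: "usgs/node:10"
  BUILDER_CONTAINER: "$APP_NAME-$BUILD_ID-BUILDER"
  # Image pushed to the internal registry (note the :5001 port).
  DEPLOY_IMAGE: "${GITLAB_INNERSOURCE_REGISTRY}:5001/ghsc/hazdev/earthquake-geoserve/ui"
  # Public image on Docker Hub.
  # NOTE(review): this is a personal namespace, not the organisation's one in
  # the commented-out line. Anyone pulling "usgs-geoserve-ui" gets an image
  # controlled by an individual account; restore the org namespace before
  # pointing consumers at it.
  # DOCKER_HUB_IMAGE: "usgs/earthquake-geoserve-ui"
  DOCKER_HUB_IMAGE: "jamesmalin/usgs-geoserve-ui"
  # Application container the ZAP scan is pointed at.
  LOCAL_CONTAINER: "$APP_NAME-$BUILD_ID-PENTEST"
  LOCAL_IMAGE: "local/$APP_NAME:$BUILD_ID"
  # ZAP runs as a daemon in this container; zap-cli calls are exec'd inside it.
  OWASP_CONTAINER: "$APP_NAME-$BUILD_ID-OWASP"
  OWASP_IMAGE: "owasp/zap2docker-stable"
  OWASP_REPORT_DIR: "owasp-data"
  ZAP_API_PORT: "8090"
  # host:port of the application as seen from the ZAP container (--link alias).
  PENTEST_IP: "application:8080"
  S3_BUCKET: "usgs-cf-templates"

  # Variables carried over from the deploy job.
  CONFIG: ""
  DEPLOY_APP_NAME: "earthquake-geoserve"
  # Was "${APP_NAME}", which resolved to the deploy name under last-wins
  # parsing; spelled out so the value no longer depends on a duplicate key.
  DEPLOY_DIR: "${DEPLOY_APP_NAME}"
  REMOTE_DEPLOY_DIR: "/tmp/${DEPLOY_DIR}"
  TARGET_HOSTS: ""
  # Branch name recorded by metadata.js; "if master, do latest".
  branch: "origin/master"
  # NOTE(review): a personal account is hard-coded as the deploy user; a
  # service account keeps deploy access from depending on one person.
  REMOTE_USER: "jmalin"

  DB_IMAGE_NAME: "ghsc/hazdev/earthquake-geoserve/db:latest"
  ENVIRONMENT: "Development"
  UI_IMAGE_NAME: "ghsc/hazdev/earthquake-geoserve/ui:latest"
  GIT_BRANCH: "origin/master"
  WS_IMAGE_NAME: "ghsc/hazdev/earthquake-geoserve/ws:latest"
  APP_REPOSITORY: "https://${GITLAB_INNERSOURCE_REGISTRY}/ghsc/hazdev/earthquake-geoserve.git"
  STACK_NAME: "earthquake-geoserve"
  # Folded to one line; passed as variables[EXPORTS] to the triggered pipeline.
  EXPORTS: >-
    DB_IMAGE_NAME=${DB_IMAGE_NAME},
    ENVIRONMENT=${ENVIRONMENT},
    UI_IMAGE_NAME=${UI_IMAGE_NAME},
    APP_NAME=${DEPLOY_APP_NAME},
    GIT_BRANCH=${GIT_BRANCH},
    WS_IMAGE_NAME=${WS_IMAGE_NAME},
    APP_REPOSITORY=${APP_REPOSITORY},
    STACK_NAME=${STACK_NAME}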

# Docker-in-Docker: the docker client in each job talks to the daemon in this
# service container, so images and containers live on the service's
# filesystem, not in the job workspace. Move files out with "docker cp" /
# "docker save" rather than bind mounts of workspace paths.
# NOTE(review): unpinned floating tag. docker:dind 19.03+ turns TLS on by
# default, which can break an unconfigured client without any change to this
# file; pin a version or digest.
services:
  - docker:dind

# Stage order is also the gating order: a failing job blocks later stages of
# the same pipeline. Note that init/build/test jobs run on merge-request
# pipelines while publish/deploy run on master pipelines, so the two groups
# never share a pipeline.
stages:
  - init
  - build
  - unit-tests
  - pen-tests
  - publish-image
  - trigger_deploy

initialize:
  stage: init
  only:
    - merge_requests
  # NOTE(review): floating tag; pin at least a major version.
  image: node:latest
  script:
    # Produces temp-metadata.json for the build job. "branch" is the
    # hard-coded variable "origin/master", not the MR source branch;
    # presumably intended ($CI_COMMIT_REF_NAME would record the real ref).
    - node metadata.js ${branch} ${CI_COMMIT_SHA} ${IMAGE_VERSION}
    - cat temp-metadata.json
  artifacts:
    paths:
      - temp-metadata.json

###### Build ######
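build:
  stage: build
  image: docker:stable
  only:
    - merge_requests
  # Only the metadata artifact from initialize is needed here.
  dependencies:
    - initialize
  before_script:
    - rm -rf docker-images
    - rm -rf "$OWASP_REPORT_DIR"
    # NOTE(review): deleting the lockfile before "docker build" means any npm
    # install inside the Dockerfile resolves fresh versions on every run: the
    # image is not reproducible and picks up upstream package changes
    # unreviewed. If the Dockerfile cannot use the lockfile, record why here.
    # -f so a checkout without a lockfile does not fail the job.
    - rm -f package-lock.json
  script:
    - echo "Building..."
    # temp-metadata.json is the initialize job's artifact.
    - mv temp-metadata.json metadata.json
    # Build the image and save it as a tarball: images only exist inside the
    # dind service, so the tar in the job workspace is the hand-off to the
    # pen-test and publish jobs.
    - mkdir docker-images
    - docker build --build-arg "FROM_IMAGE=$BASE_IMAGE" --build-arg "BUILD_IMAGE=$BUILDER_IMAGE" -t "$LOCAL_IMAGE" .
    - docker save -o docker-images/app.tar "$LOCAL_IMAGE"
  artifacts:
    paths:
      - docker-images
      # Was temp-metadata.json, which no longer exists after the mv above and
      # so was never uploaded.
      - metadata.json
  cache:
    # CI_BUILD_REF_NAME is the deprecated pre-9.0 alias of CI_COMMIT_REF_NAME.
    key: "$CI_COMMIT_REF_NAME"
    paths:
      - docker-images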

run unit tests:
  stage: unit-tests
  only:
    - merge_requests
  # NOTE(review): third-party image on a floating tag; pin by digest.
  image: trion/ng-cli-e2e
  cache:
    # Read-only use of the cache: skip the upload step.
    policy: pull
  script:
    # NOTE(review): --no-audit skips npm's advisory check, and "npm install"
    # resolves from package.json ranges rather than the lockfile; "npm ci"
    # installs exactly what package-lock.json pins (and fails if they differ).
    - npm install --no-audit --no-save
    - ng lint
    - ng test hazdev-ng-geoserve-output --watch=false --code-coverage --progress false --browsers ChromeHeadless
    - npm run build
    - ng test earthquake-geoserve-ui --watch=false --code-coverage --progress false --browsers ChromeHeadless
    - ng e2e

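run penetration tests:
  stage: pen-tests
  image: docker:stable
  only:
    - merge_requests
  cache:
    policy: pull
  dependencies:
    - build
  script:
    - docker load -i docker-images/app.tar
    # Start the application, then ZAP as a daemon linked to it. With
    # api.disablekey=true the ZAP API has no authentication; that is only
    # acceptable because zap.sh binds the API to localhost unless -host is
    # given and every zap-cli call below is exec'd inside the same container
    # (TODO confirm against the zap2docker image in use).
    - docker run --rm -d --name "$LOCAL_CONTAINER" "$LOCAL_IMAGE"
    - docker run --rm -d -u zap --name "$OWASP_CONTAINER" --link "$LOCAL_CONTAINER:application" "$OWASP_IMAGE" zap.sh -daemon -port "$ZAP_API_PORT" -config api.disablekey=true
    - sleep 20
    # Readiness check. The previous form ("... > /dev/null 2>&1 && echo
    # SUCCESS") never failed the job: the redirect and && ran in the job
    # shell, and a failing left-hand side of && does not stop a set -e script.
    # A refused connection now aborts the job instead of producing an empty scan.
    - docker exec "$OWASP_CONTAINER" curl -sS -I "http://localhost:${ZAP_API_PORT}/" > /dev/null
    - docker exec "$OWASP_CONTAINER" zap-cli -v -p "$ZAP_API_PORT" spider "http://${PENTEST_IP}/"
    - docker exec "$OWASP_CONTAINER" zap-cli -v -p "$ZAP_API_PORT" active-scan "http://${PENTEST_IP}/"
    # Write the report inside the container and copy it out. The previous
    # "-v $OWASP_REPORT_DIR:/zap/reports" mount could not deliver anything to
    # the job workspace: a bare name is a named volume, and under docker:dind
    # the daemon's filesystem is not the job's, so the artifact below was
    # never populated.
    - docker exec "$OWASP_CONTAINER" zap-cli -v -p "$ZAP_API_PORT" report -o /tmp/owasp-zap-report.html -f html
    - docker cp "$OWASP_CONTAINER:/tmp/owasp-zap-report.html" ./owasp-zap-report.html
    # Gate: fail the job on any High alert (zap-cli returns non-zero by
    # default when alerts at that level exist -- confirm for the installed
    # version). Placed after the report copy so the report is still uploaded.
    - docker exec "$OWASP_CONTAINER" zap-cli -p "$ZAP_API_PORT" alerts -l High
  after_script:
    # Runs even when the script fails; --rm removes the containers on stop.
    - docker stop "$OWASP_CONTAINER" "$LOCAL_CONTAINER" || true
  artifacts:
    # Upload even when the alerts gate fails so the findings can be read.
    when: always
    # NOTE(review): on a public project job artifacts are downloadable by
    # anyone -- this report lists unpatched findings and docker-images holds
    # the whole image. Add "public: false" here if the GitLab version supports
    # it; otherwise restrict project visibility or drop docker-images from this
    # job (publish takes it from the build job, not from here).
    paths:
      - owasp-zap-report.html
      - docker-images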

###### Publish ######

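publish image:
  stage: publish-image
  image: docker:stable
  only:
    - master
  # NOTE(review): build/test jobs run only on merge-request pipelines, so a
  # master pipeline has no build job of its own to take docker-images/app.tar
  # from; as written the tar comes from the per-branch cache, which is
  # best-effort storage not tied to the commit being published. The image
  # that reaches the registries should be produced (and tested) by a job in
  # the same pipeline -- run initialize/build on master too, or build here
  # from the master checkout.
  dependencies:
    - build
  cache:
    # CI_BUILD_REF_NAME is the deprecated pre-9.0 alias of CI_COMMIT_REF_NAME.
    key: "$CI_COMMIT_REF_NAME"
    paths:
      - docker-images
  script:
    - docker load -i docker-images/app.tar
    # Internal registry. Log in to the same host:port the image is pushed to
    # (DEPLOY_IMAGE carries ":5001"); docker keys stored credentials by
    # host[:port], so a login to the bare host does not cover the push.
    # --password-stdin keeps the secret out of the process list.
    - docker tag "$LOCAL_IMAGE" "${DEPLOY_IMAGE}:${IMAGE_VERSION}"
    - echo "$CHS_PASSWORD" | docker login --username "$CHS_USERNAME" --password-stdin "${DEPLOY_IMAGE%%/*}"
    - docker push "${DEPLOY_IMAGE}:${IMAGE_VERSION}"
    # Docker Hub (see the DOCKER_HUB_IMAGE namespace note in variables).
    - docker tag "$LOCAL_IMAGE" "${DOCKER_HUB_IMAGE}:${IMAGE_VERSION}"
    - echo "$DOCKER_PASSWORD" | docker login --username "$DOCKER_USERNAME" --password-stdin
    - docker push "${DOCKER_HUB_IMAGE}:${IMAGE_VERSION}"
  after_script:
    # Drop the stored registry credentials even when a push failed; the old
    # "rm -rf /root/.docker/config.json" at the end of script was skipped on
    # any earlier error.
    - docker logout "${DEPLOY_IMAGE%%/*}" || true
    - docker logout || true
    - rm -f /root/.docker/config.json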

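trigger deploy:
  stage: trigger_deploy
  # NOTE(review): floating tag; this job only needs curl.
  image: node:latest
  only:
    - master
  script:
    # Start the deploy pipeline of project 769 (hard-coded id) with the
    # trigger token; -F implies POST. --fail turns an HTTP error (bad token,
    # wrong project, rejected ref) into a non-zero exit -- previously any
    # response left this job green. -sS stays quiet on success but prints the
    # error on failure. The token travels in the form body, not the URL.
    - >-
      curl --fail --silent --show-error
      -F "token=${TRIGGER_API_TOKEN}"
      -F "ref=master"
      -F "variables[EXPORTS]=${EXPORTS}"
      "https://${GITLAB_INNERSOURCE_REGISTRY}/api/v4/projects/769/trigger/pipeline"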