.gitlab-ci.yml 9.37 KB
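variables:
  # Version stamp used in the container/image names below. IMAGE_VERSION
  # carries the same value and the two are expected to be bumped together.
  BUILD_ID: "1.0.6"
  APP_NAME: "earthquake-geoserve-ui"
  # DEVOPS_REGISTRY: "$GITLAB_INNERSOURCE_REGISTRY/devops/images"
  #WORKSPACE: "prod"
  # Quoted on purpose: the value is the string "null", not a YAML null.
  FAILURE: "null"
  # name of the branch; if master, do latest
  # NOTE(review): the comment above predates the fixed value; IMAGE_VERSION is
  # a literal here and is what the trigger job at the bottom passes downstream.
  IMAGE_VERSION: "1.0.6"
  # Groovy empty-map literal carried over from the Jenkins pipeline; kept as a
  # plain string so it is not parsed as a YAML flow collection.
  SCM_VARS: "[:]"
  # Name of image to use as basis when building LOCAL_IMAGE/DEPLOY_IMAGE
  BASE_IMAGE: "usgs/nginx:latest"
  # Used to install dependencies and build distributables
  BUILDER_CONTAINER: "$APP_NAME-$BUILD_ID-BUILDER"
  BUILDER_IMAGE: "usgs/node:10"
  # Name of image to deploy (push) to registry
  # GITLAB_INNERSOURCE_REGISTRY is not defined in this file; presumably a
  # project/group CI/CD variable -- verify in the project settings.
  DEPLOY_IMAGE: "$GITLAB_INNERSOURCE_REGISTRY:5001/ghsc/hazdev/earthquake-geoserve/ui"
  # DOCKER_HUB_IMAGE: "usgs/earthquake-geoserve-ui"
  # NOTE(review): the active value publishes under a personal Docker Hub
  # namespace rather than the organisation one on the commented line above;
  # confirm this is intended before the publish stage is re-enabled.
  DOCKER_HUB_IMAGE: "jamesmalin/usgs-geoserve-ui"
  # Run application locally for testing security vulnerabilities
  LOCAL_CONTAINER: "$APP_NAME-$BUILD_ID-PENTEST"
  LOCAL_IMAGE: "local/$APP_NAME:$BUILD_ID"
  # Runs zap.sh as daemon and used to execute zap-cli calls within
  OWASP_CONTAINER: "$APP_NAME-$BUILD_ID-OWASP"
  OWASP_IMAGE: "owasp/zap2docker-stable"
  OWASP_REPORT_DIR: "owasp-data"
  ZAP_API_PORT: "8090"
  PENTEST_IP: 'application:8080'

  S3_BUCKET: "usgs-cf-templates"

  # COMBINING VARIABLES FROM DEPLOY JOB
  CONFIG: ''
  # DEPLOY_DIR: '/tmp/${APP_NAME}'
  DEPLOY_APP_NAME: 'earthquake-geoserve'
  DEPLOY_DIR: '${APP_NAME}'
  REMOTE_DEPLOY_DIR: '/tmp/${DEPLOY_DIR}'
  EXPORTS: ''
  TARGET_HOSTS: ''
  # Lower-case key is inconsistent with the rest of this file; kept because a
  # downstream consumer may reference it by this exact name.
  branch: 'origin/master'
  # NOTE(review): a personal account name is baked into the pipeline; prefer a
  # service account supplied through a CI/CD variable.
  REMOTE_USER: 'jmalin'
  #WORKING_DIR: '/var/lib/jenkins/workspace/HazDev/earthquake-geoserve/deploy'
  #WORKING_DIR: ''
  # The commented repository URLs below embed a username and password in the
  # URL. If they are ever re-enabled, the credentials may end up in job logs
  # and process listings; prefer the CI job token or a credential helper.
  # GENERIC_APP_REPOSITORY: 'https://${CHS_USERNAME}:${CHS_PASSWORD}@${GITLAB_INNERSOURCE_REGISTRY}/ghsc/hazdev/container-deploy.git'
  # CUSTOM_APP_REPOSITORY: 'https://${CHS_USERNAME}:${CHS_PASSWORD}@${GITLAB_INNERSOURCE_REGISTRY}/ghsc/hazdev/earthquake-geoserve.git'
  # CONFIG_REPOSITORY: 'https://${CHS_USERNAME}:${CHS_PASSWORD}@${GITLAB_INNERSOURCE_REGISTRY}/ghsc/hazdev/jenkins.git'
  # ENVIRONMENT: 'dev01'
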
# Using docker in docker
# Declared at the top level, so the docker:dind service is attached to every
# job in this file, not only to `build`. The tag is unpinned, so the daemon
# version can change between runs; a pinned tag would keep builds
# reproducible. dind generally needs a privileged runner -- confirm the runner
# configuration. Note that the `build` job's script currently only echoes, so
# nothing in the active pipeline actually talks to this daemon.
services:
  - docker:dind

stages:
  - build
  # - unit-tests
  # - pen-tests
  # - publish-image
  # NOTE(review): with the three stages above disabled, trigger_deploy runs
  # straight after build with no test, scan or publish step in between. The
  # downstream pipeline receives an IMAGE_VERSION string, not an image built
  # by this pipeline (the build job currently produces no artifacts).
  - trigger_deploy



  # ADD IN METADATA.json for tagging, etc.

# stage('Build Image') {
#       def info = [:]
#       def pkgInfo = readJSON file: 'package.json'

#       info.version = pkgInfo.version
#       info.branch = SCM_VARS.GIT_BRANCH
#       info.commit = SCM_VARS.GIT_COMMIT
#       info.image = IMAGE_VERSION

#       // Convert from Map --> JSON
#       info = readJSON text: groovy.json.JsonOutput.toJson(info)
#       writeJSON file: 'metadata.json', pretty: 4, json: info

#       // Build candidate image for later penetration testing
#       ansiColor('xterm') {
#         sh """
#           docker build \
#             --build-arg FROM_IMAGE=${BASE_IMAGE} \
#             --build-arg BUILD_IMAGE=${BUILDER_IMAGE} \
#             -t ${LOCAL_IMAGE} \
#             .
#         """
#       }
#     }

    ###### Build ######
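build:
  stage: build
  image: docker:stable
  before_script:
    # Clear anything a previous run left in the workspace.
    - rm -rf docker-images
    - rm -rf $OWASP_REPORT_DIR
    # -f keeps the job from failing when the lockfile is absent (a bare `rm`
    # would exit non-zero and abort the job). Deleting the lockfile discards
    # the pinned dependency tree, so any later `npm install` (see the disabled
    # unit-test job) resolves version ranges afresh; keep the lockfile and use
    # `npm ci` if reproducible, auditable installs are wanted.
    - rm -f package-lock.json
  script:
    # Placeholder: the image build below is disabled, so this job currently
    # produces neither an image nor artifacts.
    - echo "Building..."

    # # build a local directory to be used later for testing or deploying
    # - mkdir docker-images
    # # build image and save
    # - "docker build --build-arg FROM_IMAGE=$BASE_IMAGE
    # --build-arg BUILD_IMAGE=$BUILDER_IMAGE -t $LOCAL_IMAGE ."
    # - docker save $LOCAL_IMAGE > docker-images/app.tar

  # Needed later when loading docker images
  # Could test without the docker images saved and try to pull local image
  # artifacts:
  #   paths:
  #     - docker-images
  # cache:
  #   key: "$CI_BUILD_REF_NAME"
  #   paths:
  #     - docker-images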

# run unit tests:
#   stage: unit-tests
#   image: trion/ng-cli-e2e
#   cache:
#     # untracked: true # cache all files that are untracked in your Git repository
#     # job doesn’t alter cached files, skip the upload step by setting policy: pull
#     policy: pull 
#   # only:
#   #   - master
#   script:
#     - npm install --no-audit --no-save
#     - ng lint
#     - ng test hazdev-ng-geoserve-output --watch=false --code-coverage --progress false --browsers ChromeHeadless
#     - npm run build
#     - ng test earthquake-geoserve-ui --watch=false --code-coverage --progress false --browsers ChromeHeadless
#     - ng e2e

# run penetration tests:
#   stage: pen-tests
#   image: docker:stable
#   cache:
#     policy: pull
#   # before_script:
#   #   - npm i
#   #   - npm i highlightjs
#   # only:
#   #   - master
#   script:
#     - mkdir -p $OWASP_REPORT_DIR
#     - chmod 777 $OWASP_REPORT_DIR
#     - docker load -i docker-images/app.tar
#     - docker run --rm --name $LOCAL_CONTAINER -d $LOCAL_IMAGE
#     - docker run --rm -d -u zap --name=$OWASP_CONTAINER --link=$LOCAL_CONTAINER:application -v $OWASP_REPORT_DIR:/zap/reports:rw -i $OWASP_IMAGE zap.sh -daemon -port $ZAP_API_PORT -config api.disablekey=true
#     - sleep 20
#     # docker run --rm -d -u zap --name=earthquake-geoserve-ui-3-OWASP --link=earthquake-geoserve-ui-3-PENTEST:application -v /var/lib/jenkins/workspace/HazDev/earthquake-geoserve/build-ui/owasp-data:/zap/reports:rw -i code.chs.usgs.gov:5001/devops/images/owasp/zap2docker-stable zap.sh -daemon -port 8090 -config api.disablekey=true
#     # docker run --rm --name earthquake-geoserve-ui-1.0.4-PENTEST -d jamesmalin/usgs-geoserve-ui:1.0.4
#     # docker run --rm -d -u zap --name=earthquake-geoserve-ui-1.0.4-OWASP --link=earthquake-geoserve-ui-1.0.4-PENTEST:application -v /owasp-data:/zap/reports:rw -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -config api.disablekey=true
#     - "docker exec -i ${OWASP_CONTAINER} 
#     curl -I localhost:${ZAP_API_PORT} 
#     > /dev/null 2>&1 && echo 'SUCCESS'"
#     - docker exec $OWASP_CONTAINER zap-cli -v -p $ZAP_API_PORT spider http://$PENTEST_IP/
#     - docker exec $OWASP_CONTAINER zap-cli -v -p $ZAP_API_PORT active-scan http://$PENTEST_IP/
#     - docker exec $OWASP_CONTAINER zap-cli -v -p $ZAP_API_PORT report -o owasp-zap-report.html -f html
#     - docker stop $OWASP_CONTAINER ${LOCAL_CONTAINER}
#   artifacts: # can you make this not available to the public
#     paths:
#       - owasp-zap-report.html
#       - docker-images
#   dependencies:
#     - build

#     ###### Publish ######

# publish image:
#   stage: publish-image
#   image: docker:stable
#   only:
#     - merge_requests
#   before_script:
#     # - curl -O https://bootstrap.pypa.io/get-pip.py
#     # - python3 get-pip.py --user
#     # - /root/.local/bin/pip3 install awscli --upgrade --user
#     # - npm install -g docker
#     # - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
#   script:
#     # - aws cloudformation package --template-file ./deployment/aws-create-user.json --s3-bucket $S3_BUCKET --output-template usgs-user-template-export.yml
#     # - aws cloudformation deploy --template-file /builds/jmalin/earthquake-geoserve-ui/usgs-user-template-export.yml --stack-name usgs-user-deploy-stack
#     # Re-tag candidate image as actual image name and push actual image to repository
#     # TODO - Deploy to USGS Hazdev Registry
#     # - docker build --build-arg FROM_IMAGE=$BASE_IMAGE --build-arg BUILD_IMAGE=$BUILDER_IMAGE -t $LOCAL_IMAGE .
#     - docker load -i docker-images/app.tar
#     - docker tag ${LOCAL_IMAGE} ${DEPLOY_IMAGE}:${IMAGE_VERSION}
#     - echo "$CHS_PASSWORD" | docker login --username $CHS_USERNAME --password-stdin $GITLAB_INNERSOURCE_REGISTRY
#     - docker push ${DEPLOY_IMAGE}:${IMAGE_VERSION}

#     # Re-tag candidate image as public image name and push to docker hub
#     # For a private registry include registry URL
#     - docker tag ${LOCAL_IMAGE} ${DOCKER_HUB_IMAGE}:${IMAGE_VERSION}
#     # login to dockerhub
#     - echo "$DOCKER_PASSWORD" | docker login --username $DOCKER_USERNAME --password-stdin
#     - docker push ${DOCKER_HUB_IMAGE}:${IMAGE_VERSION}
#     # Delete pass file
#     - rm -rf /root/.docker/config.json
#   dependencies:
#     - build
#     # - 'run unit tests'
#     # - 'run penetration tests'
#   cache:
#     key: "$CI_BUILD_REF_NAME"
#     paths:
#       - docker-images

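trigger deploy:
  stage: trigger_deploy
  # trigger: ghsc/hazdev/container-deploy
  # variables:
  #   BUILD_ID: '$BUILD_ID'
  #   BUILD_TEST_1: '$$BUILD_ID'
  #   BUILD_TEST_2: '${BUILD_ID}'
  #   BUILD_TEST_3: '$${BUILD_ID}'
  #   BUILD_TEST_4: '{$BUILD_ID}'
  #   BUILD_TEST_5: $BUILD_ID
  #   BUILD_TEST_6: $$BUILD_ID
  #   BUILD_TEST_7: ${BUILD_ID}
  #   BUILD_TEST_8: $${BUILD_ID}
  # node:latest is an unpinned tag and the job only needs curl; a small image
  # with curl, pinned to a version or digest, would be the reproducible choice.
  image: node:latest
  when: manual
  only:
    - merge_requests
    - master
  script:
    # The trigger token is read from DEPLOY_TRIGGER_TOKEN -- a variable name
    # constructed for this review; define it as a masked and protected CI/CD
    # variable in the project settings. The literal token previously embedded
    # on this line was committed to the repository and should be revoked.
    # --form-string sends each value literally; with -F, a value beginning
    # with '@' or '<' (a commit message is author-controlled text) would be
    # read as a file reference instead. --fail turns an HTTP error response
    # into a non-zero exit so a rejected trigger fails this job rather than
    # passing silently.
    # ENVIRONMENT is not set in this file (only a commented-out default at the
    # top); it expands to empty unless the project CI/CD settings provide it.
    # TARGET_HOSTNAME is hard-coded to a dev host even though this job also
    # runs for master -- presumably intentional for now; confirm.
    - >-
      curl --fail -X POST
      --form-string "token=${DEPLOY_TRIGGER_TOKEN}"
      --form-string "ref=master"
      --form-string "variables[CI_COMMIT_MESSAGE]=$CI_COMMIT_MESSAGE"
      --form-string "variables[IMAGE_VERSION]=${IMAGE_VERSION}"
      --form-string "variables[DB_IMAGE_NAME]=ghsc/hazdev/earthquake-geoserve/db:${IMAGE_VERSION}"
      --form-string "variables[ENVIRONMENT]=${ENVIRONMENT}"
      --form-string "variables[UI_IMAGE_NAME]=ghsc/hazdev/earthquake-geoserve/ui:${IMAGE_VERSION}"
      --form-string "variables[APP_NAME]=${DEPLOY_APP_NAME}"
      --form-string "variables[GIT_BRANCH]=origin/master"
      --form-string "variables[WS_IMAGE_NAME]=ghsc/hazdev/earthquake-geoserve/ws:${IMAGE_VERSION}"
      --form-string "variables[APP_REPO]=ghsc/hazdev/earthquake-geoserve.git"
      --form-string "variables[STACK_NAME]=earthquake-geoserve"
      --form-string "variables[TARGET_HOSTNAME]=dev01-container01.cr.usgs.gov"
      --form-string "variables[REMOTE_DEPLOY_DIR]=${REMOTE_DEPLOY_DIR}"
      https://code.chs.usgs.gov/api/v4/projects/1955/trigger/pipeline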

# use triggers with Jenkins config
# use triggers w/ container master