refactor: improve security by updating docker login command in...

refactor: improve security by updating docker login command in ci_staging.gitlab-ci.yml to use password-stdin - enabling pipeline releasing when tag

refactor: improve security by updating docker login command in...
4d4642bf · Andres Anaya Amariels · 8a697b1c · 4d4642bf
Commit 4d4642bf authored 1 month ago by Andres Anaya Amariels
--- a/capif/templates/cicd-deploy-release.gitlab-ci.yml
+++ b/capif/templates/cicd-deploy-release.gitlab-ci.yml
@@ -9,17 +9,17 @@ variables:
 #  CI_REGISTRY: $CI_REGISTRY
  CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY
  NAMESPACE_PROD: "ocf-prod"
-  DOMAIN_PROD: prod.int
+  DOMAIN_PROD: ocf.production
  PATH_PROD: prod

 # it will only run when a new tag that starts with ‘v{major.minor.patch}-release’ is pushed
 # to the repository.
-#.release_common: &relase_common
-#  rules:
-##    - if: '$CI_COMMIT_TAG =~ /^.*-release$/'
-#    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
-#  tags:
-#    - shell
+.release_common: &relase_common
+  rules:
+#    - if: '$CI_COMMIT_TAG =~ /^.*-release$/'
+    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+  tags:
+    - shell

 prod_build_and_push:
  stage: prod_build_and_push
@@ -113,148 +113,148 @@ prod_build_and_push:
   - docker logout $CI_REGISTRY


-#deploy_ocf_prod:
-#  stage: deploy_ocf_prod
-#  needs:
-#    - prod_build_and_push
-#  <<: *relase_common
-#  environment:
-#    name: review/production
-#    url: https://$NAMESPACE_PROD.$DOMAIN_PROD
-#  script:
-#    - | 
-#      echo "------ A release has been created! -------"
-#      helm version
-#      kubectl version --output=yaml
-#      echo "### setting kubeconfig###"
-#      whoami
-#      kubectl cluster-info
-#      yq --version
-#      ls -rtt helm/capif
-#      cat helm/capif/Chart.yaml
-#      yq e -i ".appVersion = \"staging\"" helm/capif/Chart.yaml
-#      cat helm/capif/Chart.yaml
-#
-#      charts=("mock-server" "nginx" "ocf-access-control-policy" 
-#        "ocf-api-invocation-logs" "ocf-api-invoker-management" 
-#        "ocf-api-provider-management" "ocf-auditing-api-logs" 
-#        "ocf-discover-service-api" "ocf-events" "ocf-helper" 
-#        "ocf-publish-service-api" "ocf-register" "ocf-routing-info" 
-#        "ocf-security")
-#      
-#      for chart in "${charts[@]}"; do
-#        yq e -i ".appVersion = \"staging\"" "helm/capif/charts/$chart/Chart.yaml"
-#      done
-#
-#
-#      echo "### download dependencies###"
-#      helm dependency build helm/capif
-#      echo "### updating capif###"
-#      helm upgrade --install -n $NAMESPACE_STAGING ocf-staging helm/capif/ \
-#      --set grafana.enabled=true \
-#      --set grafana.ingress.enabled=true \
-#      --set grafana.ingress.hosts[0].host=ocf-mon-staging.$DOMAIN_STAGING \
-#      --set grafana.ingress.hosts[0].paths[0].path="/" \
-#      --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set grafana.env.prometheusUrl=http://prometheus.ocf.pre-production \
-#      --set grafana.env.tempoUrl="http://ocf-staging-tempo:3100" \
-#      --set fluentbit.enabled=true \
-#      --set loki.enabled=true \
-#      --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.ocf.pre-production/api/v1/write \
-#      --set otelcollector.enabled=true \
-#      --set otelcollector.configMap.tempoEndpoint=ocf-staging-tempo:4317 \
-#      --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-access-control-policy-api \
-#      --set ocf-access-control-policy.image.tag=staging \
-#      --set ocf-access-control-policy.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-access-control-policy.monitoring="true" \
-#      --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-logging-api-invocation-api \
-#      --set ocf-api-invocation-logs.image.tag=staging \
-#      --set ocf-api-invocation-logs.env.monitoring="true" \
-#      --set ocf-api-invocation-logs.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \
-#      --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-api-invoker-management-api \
-#      --set ocf-api-invoker-management.image.tag=staging \
-#      --set ocf-api-invoker-management.env.monitoring="true" \
-#      --set ocf-api-invoker-management.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \
-#      --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-api-provider-management-api \
-#      --set ocf-api-provider-management.image.tag=staging \
-#      --set ocf-api-provider-management.env.monitoring="true" \
-#      --set ocf-api-provider-management.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \
-#      --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-events-api \
-#      --set ocf-events.image.tag=staging \
-#      --set ocf-events.env.monitoring="true" \
-#      --set ocf-events.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-routing-info-api \
-#      --set ocf-routing-info.image.tag=staging \
-#      --set ocf-routing-info.env.monitoring="true" \
-#      --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-security-api \
-#      --set ocf-security.image.tag=staging \
-#      --set ocf-security.env.monitoring="true" \
-#      --set ocf-security.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-security.env.vaultPort=$VAULT_PORT \
-#      --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/staging/register \
-#      --set ocf-register.image.tag=staging \
-#      --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-register.env.vaultPort=$VAULT_PORT \
-#      --set ocf-register.env.mongoHost=mongo-register \
-#      --set ocf-register.env.mongoPort=27017 \
-#      --set ocf-register.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-register.ingress.enabled=true \
-#      --set ocf-register.ingress.hosts[0].host=register-staging.$DOMAIN_STAGING \
-#      --set ocf-register.ingress.hosts[0].paths[0].path="/" \
-#      --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-auditing-api \
-#      --set ocf-auditing-api-logs.image.tag=staging \
-#      --set ocf-auditing-api-logs.env.monitoring="true" \
-#      --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-publish-service-api \
-#      --set ocf-publish-service-api.image.tag=staging \
-#      --set ocf-publish-service-api.env.monitoring="true" \
-#      --set ocf-publish-service-api.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-discover-service-api \
-#      --set ocf-discover-service-api.image.tag=staging \
-#      --set ocf-discover-service-api.env.monitoring="true" \
-#      --set nginx.image.repository=$CI_REGISTRY/ocf/capif/staging/nginx \
-#      --set nginx.image.tag=staging \
-#      --set nginx.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set nginx.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set nginx.env.vaultPort=$VAULT_PORT \
-#      --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set nginx.ingress.enabled=true \
-#      --set nginx.ingress.hosts[0].host=capif-staging.$DOMAIN_STAGING \
-#      --set nginx.ingress.hosts[0].paths[0].path="/" \
-#      --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/staging/helper \
-#      --set ocf-helper.image.tag=staging \
-#      --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-helper.env.vaultPort=$VAULT_PORT \
-#      --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-helper.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set mock-server.enabled=true \
-#      --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/staging/mock-server \
-#      --set mock-server.image.tag=staging \
-#      --set mock-server.ingress.enabled=true \
-#      --set mock-server.ingress.hosts[0].host=mock-server-staging.$DOMAIN_STAGING \
-#      --set mock-server.ingress.hosts[0].paths[0].path="/" \
-#      --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set mongo-register-express.enabled=true \
-#      --set mongo-register-express.ingress.enabled=true \
-#      --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-staging.$DOMAIN_STAGING" \
-#      --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \
-#      --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set mongo-express.enabled=true \
-#      --set mongo-express.ingress.enabled=true \
-#      --set mongo-express.ingress.hosts[0].host="mongo-express-staging.$DOMAIN_STAGING" \
-#      --set mongo-express.ingress.hosts[0].paths[0].path="/" \
-#      --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --wait --timeout=10m --create-namespace --atomic
\ No newline at end of file
+deploy_ocf_prod:
+  stage: deploy_ocf_prod
+  needs:
+    - prod_build_and_push
+  <<: *relase_common
+  environment:
+    name: review/production
+    url: https://$NAMESPACE_PROD.$DOMAIN_PROD
+  script:
+    - | 
+      echo "------ A release has been created! -------"
+      helm version
+      kubectl version --output=yaml
+      echo "### setting kubeconfig###"
+      whoami
+      kubectl cluster-info
+      yq --version
+      ls -rtt helm/capif
+      cat helm/capif/Chart.yaml
+      yq e -i ".appVersion = \"prod\"" helm/capif/Chart.yaml
+      cat helm/capif/Chart.yaml
+
+      charts=("mock-server" "nginx" "ocf-access-control-policy" 
+        "ocf-api-invocation-logs" "ocf-api-invoker-management" 
+        "ocf-api-provider-management" "ocf-auditing-api-logs" 
+        "ocf-discover-service-api" "ocf-events" "ocf-helper" 
+        "ocf-publish-service-api" "ocf-register" "ocf-routing-info" 
+        "ocf-security")
+      
+      for chart in "${charts[@]}"; do
+        yq e -i ".appVersion = \"prod\"" "helm/capif/charts/$chart/Chart.yaml"
+      done
+
+
+      echo "### download dependencies###"
+      helm dependency build helm/capif
+      echo "### updating capif###"
+      helm upgrade --install -n $NAMESPACE_PROD ocf-prod helm/capif/ \
+      --set grafana.enabled=true \
+      --set grafana.ingress.enabled=true \
+      --set grafana.ingress.hosts[0].host=ocf-mon-prod.$DOMAIN_PROD \
+      --set grafana.ingress.hosts[0].paths[0].path="/" \
+      --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set grafana.env.prometheusUrl=http://prometheus.$DOMAIN_PROD \
+      --set grafana.env.tempoUrl="http://ocf-prod-tempo:3100" \
+      --set fluentbit.enabled=true \
+      --set loki.enabled=true \
+      --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.$DOMAIN_PROD/api/v1/write \
+      --set otelcollector.enabled=true \
+      --set otelcollector.configMap.tempoEndpoint=ocf-prod-tempo:4317 \
+      --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-access-control-policy-api \
+      --set ocf-access-control-policy.image.tag=$CI_COMMIT_TAG \
+      --set ocf-access-control-policy.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-access-control-policy.monitoring="true" \
+      --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-logging-api-invocation-api \
+      --set ocf-api-invocation-logs.image.tag=$CI_COMMIT_TAG \
+      --set ocf-api-invocation-logs.env.monitoring="true" \
+      --set ocf-api-invocation-logs.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \
+      --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-invoker-management-api \
+      --set ocf-api-invoker-management.image.tag=$CI_COMMIT_TAG \
+      --set ocf-api-invoker-management.env.monitoring="true" \
+      --set ocf-api-invoker-management.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \
+      --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-provider-management-api \
+      --set ocf-api-provider-management.image.tag=$CI_COMMIT_TAG \
+      --set ocf-api-provider-management.env.monitoring="true" \
+      --set ocf-api-provider-management.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \
+      --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-events-api \
+      --set ocf-events.image.tag=$CI_COMMIT_TAG \
+      --set ocf-events.env.monitoring="true" \
+      --set ocf-events.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-routing-info-api \
+      --set ocf-routing-info.image.tag=$CI_COMMIT_TAG \
+      --set ocf-routing-info.env.monitoring="true" \
+      --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-security-api \
+      --set ocf-security.image.tag=$CI_COMMIT_TAG \
+      --set ocf-security.env.monitoring="true" \
+      --set ocf-security.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-security.env.vaultPort=$VAULT_PORT \
+      --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/register \
+      --set ocf-register.image.tag=$CI_COMMIT_TAG \
+      --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-register.env.vaultPort=$VAULT_PORT \
+      --set ocf-register.env.mongoHost=mongo-register \
+      --set ocf-register.env.mongoPort=27017 \
+      --set ocf-register.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-register.ingress.enabled=true \
+      --set ocf-register.ingress.hosts[0].host=register-prod.$DOMAIN_PROD \
+      --set ocf-register.ingress.hosts[0].paths[0].path="/" \
+      --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-auditing-api \
+      --set ocf-auditing-api-logs.image.tag=$CI_COMMIT_TAG \
+      --set ocf-auditing-api-logs.env.monitoring="true" \
+      --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-publish-service-api \
+      --set ocf-publish-service-api.image.tag=$CI_COMMIT_TAG \
+      --set ocf-publish-service-api.env.monitoring="true" \
+      --set ocf-publish-service-api.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-discover-service-api \
+      --set ocf-discover-service-api.image.tag=$CI_COMMIT_TAG \
+      --set ocf-discover-service-api.env.monitoring="true" \
+      --set nginx.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/nginx \
+      --set nginx.image.tag=$CI_COMMIT_TAG \
+      --set nginx.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set nginx.env.vaultHostname=$VAULT_HOSTNAME \
+      --set nginx.env.vaultPort=$VAULT_PORT \
+      --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set nginx.ingress.enabled=true \
+      --set nginx.ingress.hosts[0].host=capif-prod.$DOMAIN_PROD \
+      --set nginx.ingress.hosts[0].paths[0].path="/" \
+      --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/helper \
+      --set ocf-helper.image.tag=$CI_COMMIT_TAG \
+      --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-helper.env.vaultPort=$VAULT_PORT \
+      --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-helper.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set mock-server.enabled=true \
+      --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/mock-server \
+      --set mock-server.image.tag=$CI_COMMIT_TAG \
+      --set mock-server.ingress.enabled=true \
+      --set mock-server.ingress.hosts[0].host=mock-server-prod.$DOMAIN_PROD \
+      --set mock-server.ingress.hosts[0].paths[0].path="/" \
+      --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set mongo-register-express.enabled=true \
+      --set mongo-register-express.ingress.enabled=true \
+      --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-prod.$DOMAIN_PROD" \
+      --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \
+      --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set mongo-express.enabled=true \
+      --set mongo-express.ingress.enabled=true \
+      --set mongo-express.ingress.hosts[0].host="mongo-express-prod.$DOMAIN_PROD" \
+      --set mongo-express.ingress.hosts[0].paths[0].path="/" \
+      --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --wait --timeout=10m --create-namespace --atomic
\ No newline at end of file