From 4d4642bff9f1688388cf2a799bf2cb7674fdb84e Mon Sep 17 00:00:00 2001
From: andresanaya21 <alvaroandres.anayaamariles@telefonica.com>
Date: Fri, 17 Jan 2025 15:34:06 +0100
Subject: [PATCH] refactor: improve security by updating docker login command
 in ci_staging.gitlab-ci.yml to use password-stdin

- enabling the release pipeline when a tag is pushed
---
 .../cicd-deploy-release.gitlab-ci.yml         | 304 +++++++++---------
 1 file changed, 152 insertions(+), 152 deletions(-)

diff --git a/capif/templates/cicd-deploy-release.gitlab-ci.yml b/capif/templates/cicd-deploy-release.gitlab-ci.yml
index eb36b71..919b2f1 100644
--- a/capif/templates/cicd-deploy-release.gitlab-ci.yml
+++ b/capif/templates/cicd-deploy-release.gitlab-ci.yml
@@ -9,17 +9,17 @@ variables:
 #  CI_REGISTRY: $CI_REGISTRY
   CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY
   NAMESPACE_PROD: "ocf-prod"
-  DOMAIN_PROD: prod.int
+  DOMAIN_PROD: ocf.production
   PATH_PROD: prod
 
 # it will only run when a new tag that starts with ‘v{major.minor.patch}-release’ is pushed
 # to the repository.
-#.release_common: &relase_common
-#  rules:
-##    - if: '$CI_COMMIT_TAG =~ /^.*-release$/'
-#    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
-#  tags:
-#    - shell
+.release_common: &relase_common
+  rules:
+#    - if: '$CI_COMMIT_TAG =~ /^.*-release$/'
+    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+  tags:
+    - shell
 
 prod_build_and_push:
   stage: prod_build_and_push
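Review bot: The rule added to `.release_common` gates the production jobs only on the tag name matching `/^v\d+\.\d+\.\d+-release$/`; nothing in this file restricts who may push such a tag, so whether a release (and the exposure of protected CI variables to it) can be triggered by any developer depends entirely on GitLab's protected-tag settings, which are outside the repo. I would record that dependency next to the rule: `# NOTE: the pattern alone does not limit who can start a production release; tags matching v*-release must be protected in the project settings so that only maintainers can push them and protected variables are exposed.` The anchor is spelled `&relase_common` (and used as `*relase_common` in the deploy job further down), which works because both sides share the typo, but a future reader grepping for `release_common` will not find it — worth fixing in both places in one go.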
@@ -113,148 +113,148 @@ prod_build_and_push:
    - docker logout $CI_REGISTRY
 
 
-#deploy_ocf_prod:
-#  stage: deploy_ocf_prod
-#  needs:
-#    - prod_build_and_push
-#  <<: *relase_common
-#  environment:
-#    name: review/production
-#    url: https://$NAMESPACE_PROD.$DOMAIN_PROD
-#  script:
-#    - | 
-#      echo "------ A release has been created! -------"
-#      helm version
-#      kubectl version --output=yaml
-#      echo "### setting kubeconfig###"
-#      whoami
-#      kubectl cluster-info
-#      yq --version
-#      ls -rtt helm/capif
-#      cat helm/capif/Chart.yaml
-#      yq e -i ".appVersion = \"staging\"" helm/capif/Chart.yaml
-#      cat helm/capif/Chart.yaml
-#
-#      charts=("mock-server" "nginx" "ocf-access-control-policy" 
-#        "ocf-api-invocation-logs" "ocf-api-invoker-management" 
-#        "ocf-api-provider-management" "ocf-auditing-api-logs" 
-#        "ocf-discover-service-api" "ocf-events" "ocf-helper" 
-#        "ocf-publish-service-api" "ocf-register" "ocf-routing-info" 
-#        "ocf-security")
-#      
-#      for chart in "${charts[@]}"; do
-#        yq e -i ".appVersion = \"staging\"" "helm/capif/charts/$chart/Chart.yaml"
-#      done
-#
-#
-#      echo "### download dependencies###"
-#      helm dependency build helm/capif
-#      echo "### updating capif###"
-#      helm upgrade --install -n $NAMESPACE_STAGING ocf-staging helm/capif/ \
-#      --set grafana.enabled=true \
-#      --set grafana.ingress.enabled=true \
-#      --set grafana.ingress.hosts[0].host=ocf-mon-staging.$DOMAIN_STAGING \
-#      --set grafana.ingress.hosts[0].paths[0].path="/" \
-#      --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set grafana.env.prometheusUrl=http://prometheus.ocf.pre-production \
-#      --set grafana.env.tempoUrl="http://ocf-staging-tempo:3100" \
-#      --set fluentbit.enabled=true \
-#      --set loki.enabled=true \
-#      --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.ocf.pre-production/api/v1/write \
-#      --set otelcollector.enabled=true \
-#      --set otelcollector.configMap.tempoEndpoint=ocf-staging-tempo:4317 \
-#      --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-access-control-policy-api \
-#      --set ocf-access-control-policy.image.tag=staging \
-#      --set ocf-access-control-policy.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-access-control-policy.monitoring="true" \
-#      --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-logging-api-invocation-api \
-#      --set ocf-api-invocation-logs.image.tag=staging \
-#      --set ocf-api-invocation-logs.env.monitoring="true" \
-#      --set ocf-api-invocation-logs.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \
-#      --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-api-invoker-management-api \
-#      --set ocf-api-invoker-management.image.tag=staging \
-#      --set ocf-api-invoker-management.env.monitoring="true" \
-#      --set ocf-api-invoker-management.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \
-#      --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-api-provider-management-api \
-#      --set ocf-api-provider-management.image.tag=staging \
-#      --set ocf-api-provider-management.env.monitoring="true" \
-#      --set ocf-api-provider-management.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \
-#      --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-events-api \
-#      --set ocf-events.image.tag=staging \
-#      --set ocf-events.env.monitoring="true" \
-#      --set ocf-events.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-routing-info-api \
-#      --set ocf-routing-info.image.tag=staging \
-#      --set ocf-routing-info.env.monitoring="true" \
-#      --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-security-api \
-#      --set ocf-security.image.tag=staging \
-#      --set ocf-security.env.monitoring="true" \
-#      --set ocf-security.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-security.env.vaultPort=$VAULT_PORT \
-#      --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/staging/register \
-#      --set ocf-register.image.tag=staging \
-#      --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-register.env.vaultPort=$VAULT_PORT \
-#      --set ocf-register.env.mongoHost=mongo-register \
-#      --set ocf-register.env.mongoPort=27017 \
-#      --set ocf-register.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-register.ingress.enabled=true \
-#      --set ocf-register.ingress.hosts[0].host=register-staging.$DOMAIN_STAGING \
-#      --set ocf-register.ingress.hosts[0].paths[0].path="/" \
-#      --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-auditing-api \
-#      --set ocf-auditing-api-logs.image.tag=staging \
-#      --set ocf-auditing-api-logs.env.monitoring="true" \
-#      --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-publish-service-api \
-#      --set ocf-publish-service-api.image.tag=staging \
-#      --set ocf-publish-service-api.env.monitoring="true" \
-#      --set ocf-publish-service-api.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-discover-service-api \
-#      --set ocf-discover-service-api.image.tag=staging \
-#      --set ocf-discover-service-api.env.monitoring="true" \
-#      --set nginx.image.repository=$CI_REGISTRY/ocf/capif/staging/nginx \
-#      --set nginx.image.tag=staging \
-#      --set nginx.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set nginx.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set nginx.env.vaultPort=$VAULT_PORT \
-#      --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set nginx.ingress.enabled=true \
-#      --set nginx.ingress.hosts[0].host=capif-staging.$DOMAIN_STAGING \
-#      --set nginx.ingress.hosts[0].paths[0].path="/" \
-#      --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/staging/helper \
-#      --set ocf-helper.image.tag=staging \
-#      --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \
-#      --set ocf-helper.env.vaultPort=$VAULT_PORT \
-#      --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
-#      --set ocf-helper.env.capifHostname=capif-staging.$DOMAIN_STAGING \
-#      --set mock-server.enabled=true \
-#      --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/staging/mock-server \
-#      --set mock-server.image.tag=staging \
-#      --set mock-server.ingress.enabled=true \
-#      --set mock-server.ingress.hosts[0].host=mock-server-staging.$DOMAIN_STAGING \
-#      --set mock-server.ingress.hosts[0].paths[0].path="/" \
-#      --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set mongo-register-express.enabled=true \
-#      --set mongo-register-express.ingress.enabled=true \
-#      --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-staging.$DOMAIN_STAGING" \
-#      --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \
-#      --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --set mongo-express.enabled=true \
-#      --set mongo-express.ingress.enabled=true \
-#      --set mongo-express.ingress.hosts[0].host="mongo-express-staging.$DOMAIN_STAGING" \
-#      --set mongo-express.ingress.hosts[0].paths[0].path="/" \
-#      --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \
-#      --wait --timeout=10m --create-namespace --atomic
\ No newline at end of file
+deploy_ocf_prod:
+  stage: deploy_ocf_prod
+  needs:
+    - prod_build_and_push
+  <<: *relase_common
+  environment:
+    name: review/production
+    url: https://$NAMESPACE_PROD.$DOMAIN_PROD
+  script:
+    - | 
+      echo "------ A release has been created! -------"
+      helm version
+      kubectl version --output=yaml
+      echo "### setting kubeconfig###"
+      whoami
+      kubectl cluster-info
+      yq --version
+      ls -rtt helm/capif
+      cat helm/capif/Chart.yaml
+      yq e -i ".appVersion = \"prod\"" helm/capif/Chart.yaml
+      cat helm/capif/Chart.yaml
+
+      charts=("mock-server" "nginx" "ocf-access-control-policy" 
+        "ocf-api-invocation-logs" "ocf-api-invoker-management" 
+        "ocf-api-provider-management" "ocf-auditing-api-logs" 
+        "ocf-discover-service-api" "ocf-events" "ocf-helper" 
+        "ocf-publish-service-api" "ocf-register" "ocf-routing-info" 
+        "ocf-security")
+      
+      for chart in "${charts[@]}"; do
+        yq e -i ".appVersion = \"prod\"" "helm/capif/charts/$chart/Chart.yaml"
+      done
+
+
+      echo "### download dependencies###"
+      helm dependency build helm/capif
+      echo "### updating capif###"
+      helm upgrade --install -n $NAMESPACE_PROD ocf-prod helm/capif/ \
+      --set grafana.enabled=true \
+      --set grafana.ingress.enabled=true \
+      --set grafana.ingress.hosts[0].host=ocf-mon-prod.$DOMAIN_PROD \
+      --set grafana.ingress.hosts[0].paths[0].path="/" \
+      --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set grafana.env.prometheusUrl=http://prometheus.$DOMAIN_PROD \
+      --set grafana.env.tempoUrl="http://ocf-prod-tempo:3100" \
+      --set fluentbit.enabled=true \
+      --set loki.enabled=true \
+      --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.$DOMAIN_PROD/api/v1/write \
+      --set otelcollector.enabled=true \
+      --set otelcollector.configMap.tempoEndpoint=ocf-prod-tempo:4317 \
+      --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-access-control-policy-api \
+      --set ocf-access-control-policy.image.tag=$CI_COMMIT_TAG \
+      --set ocf-access-control-policy.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-access-control-policy.monitoring="true" \
+      --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-logging-api-invocation-api \
+      --set ocf-api-invocation-logs.image.tag=$CI_COMMIT_TAG \
+      --set ocf-api-invocation-logs.env.monitoring="true" \
+      --set ocf-api-invocation-logs.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \
+      --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-invoker-management-api \
+      --set ocf-api-invoker-management.image.tag=$CI_COMMIT_TAG \
+      --set ocf-api-invoker-management.env.monitoring="true" \
+      --set ocf-api-invoker-management.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \
+      --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-provider-management-api \
+      --set ocf-api-provider-management.image.tag=$CI_COMMIT_TAG \
+      --set ocf-api-provider-management.env.monitoring="true" \
+      --set ocf-api-provider-management.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \
+      --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-events-api \
+      --set ocf-events.image.tag=$CI_COMMIT_TAG \
+      --set ocf-events.env.monitoring="true" \
+      --set ocf-events.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-routing-info-api \
+      --set ocf-routing-info.image.tag=$CI_COMMIT_TAG \
+      --set ocf-routing-info.env.monitoring="true" \
+      --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-security-api \
+      --set ocf-security.image.tag=$CI_COMMIT_TAG \
+      --set ocf-security.env.monitoring="true" \
+      --set ocf-security.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-security.env.vaultPort=$VAULT_PORT \
+      --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/register \
+      --set ocf-register.image.tag=$CI_COMMIT_TAG \
+      --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-register.env.vaultPort=$VAULT_PORT \
+      --set ocf-register.env.mongoHost=mongo-register \
+      --set ocf-register.env.mongoPort=27017 \
+      --set ocf-register.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-register.ingress.enabled=true \
+      --set ocf-register.ingress.hosts[0].host=register-prod.$DOMAIN_PROD \
+      --set ocf-register.ingress.hosts[0].paths[0].path="/" \
+      --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-auditing-api \
+      --set ocf-auditing-api-logs.image.tag=$CI_COMMIT_TAG \
+      --set ocf-auditing-api-logs.env.monitoring="true" \
+      --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-publish-service-api \
+      --set ocf-publish-service-api.image.tag=$CI_COMMIT_TAG \
+      --set ocf-publish-service-api.env.monitoring="true" \
+      --set ocf-publish-service-api.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-discover-service-api \
+      --set ocf-discover-service-api.image.tag=$CI_COMMIT_TAG \
+      --set ocf-discover-service-api.env.monitoring="true" \
+      --set nginx.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/nginx \
+      --set nginx.image.tag=$CI_COMMIT_TAG \
+      --set nginx.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set nginx.env.vaultHostname=$VAULT_HOSTNAME \
+      --set nginx.env.vaultPort=$VAULT_PORT \
+      --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set nginx.ingress.enabled=true \
+      --set nginx.ingress.hosts[0].host=capif-prod.$DOMAIN_PROD \
+      --set nginx.ingress.hosts[0].paths[0].path="/" \
+      --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/helper \
+      --set ocf-helper.image.tag=$CI_COMMIT_TAG \
+      --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \
+      --set ocf-helper.env.vaultPort=$VAULT_PORT \
+      --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \
+      --set ocf-helper.env.capifHostname=capif-prod.$DOMAIN_PROD \
+      --set mock-server.enabled=true \
+      --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/mock-server \
+      --set mock-server.image.tag=$CI_COMMIT_TAG \
+      --set mock-server.ingress.enabled=true \
+      --set mock-server.ingress.hosts[0].host=mock-server-prod.$DOMAIN_PROD \
+      --set mock-server.ingress.hosts[0].paths[0].path="/" \
+      --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set mongo-register-express.enabled=true \
+      --set mongo-register-express.ingress.enabled=true \
+      --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-prod.$DOMAIN_PROD" \
+      --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \
+      --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --set mongo-express.enabled=true \
+      --set mongo-express.ingress.enabled=true \
+      --set mongo-express.ingress.hosts[0].host="mongo-express-prod.$DOMAIN_PROD" \
+      --set mongo-express.ingress.hosts[0].paths[0].path="/" \
+      --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \
+      --wait --timeout=10m --create-namespace --atomic
\ No newline at end of file
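Review bot: The `--set ...vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD` arguments (repeated for every chart that takes a Vault token) place the production Vault token on the helm command line, where it is readable by other processes on the shell runner for the duration of the call and is persisted by Helm in the release's user-supplied values (`helm get values`); at minimum the variable should be masked and protected in GitLab, and preferably the sensitive values are written to a temporary values file passed with `-f` rather than `--set`. The shell also strips the quotes in `--set ocf-access-control-policy.monitoring="true"` and the other `monitoring="true"` arguments, so Helm receives a boolean `true`, not the string `"true"`; if the chart injects these as container env values (which must be strings) use `--set-string` instead. That same line sets `ocf-access-control-policy.monitoring` while every other chart sets `<chart>.env.monitoring`, which looks like a typo carried over from the old commented staging block — presumably it should read `--set ocf-access-control-policy.env.monitoring="true" \`. The script block is the end of `deploy_ocf_prod` and the file still has no trailing newline.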
-- 
GitLab