diff --git a/capif/.gitlab-ci.yml b/capif/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5114d23b271f035231ac40ab0e53ebcf825d84dd
--- /dev/null
+++ b/capif/.gitlab-ci.yml
@@ -0,0 +1,763 @@ +stages: + - main_pre_pipeline + - merge_request_staging_into_main + - test + - main_sast + - main_build_and_push + - main_container_scanning + - deploy_ocf_main + - main_rf_testing + - delete_ocf_main + - staging_pre_pipeline + - staging_secrets_in_repo + - staging_linting + - staging_unit_tests + - staging_security + - staging_build_and_push + - staging_build_and_push_mr + - deploy_ocf_staging + - deploy_ocf_oficial_staging + - delete_ocf_staging + - dev_pre_pipeline + - dev_secrets_in_repo + - dev_linting + - dev_build_and_push + - deploy_ocf_dev + - delete_ocf_dev + - prod_build_and_push + - deploy_ocf_prod + + +variables: + GITLAB_API: "https://labs.etsi.org/api/v4" +# CI_JOB_TOKEN: $CI_JOB_TOKEN + CI_DEBUG_TRACE: "true" + PROJECT_ID: "294" + SAST_EXCLUDED_ANALYZERS: "nodejs-scan" +# CI_REGISTRY_USER: $CI_REGISTRY_USER +# CI_REGISTRY: $CI_REGISTRY +# CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY + + +.main_common: &main_common +# only: +# - merge_requests +# except: +# variables: +# - $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "OCF16-first-steps-on-ci-at-gitlab-repository" + allow_failure: true + rules: + - if: '$CI_COMMIT_REF_NAME == "main"' + when: always + - when: never + tags: + - shell + +.main_dnd: &main_dnd + allow_failure: true + services: + - docker:24.0.5-dind + rules: + - if: '$CI_COMMIT_REF_NAME == "main"' + when: always + - when: never + tags: + - docker-in-docker + +include: + - template: 'Jobs/SAST.gitlab-ci.yml' + - template: 'Jobs/Dependency-Scanning.gitlab-ci.yml' + - template: 'Jobs/Container-Scanning.gitlab-ci.yml' + - template: 'Secret-Detection.gitlab-ci.yml' + - project: 'ocf/pipeline-scripts' + ref: cicd-capif + file: + - '/capif/templates/ci_staging.gitlab-ci.yml' + - 'capif/templates/ci_dev.gitlab-ci.yml' + - 'capif/templates/ci_unit_test.gitlab-ci.yml' + - 'capif/templates/cd-deploy-ocf.gitlab-ci.yml' + - 'capif/templates/cicd-deploy-release.gitlab-ci.yml' +# - 'capif/templates/ci_main.gitlab-ci.yml' + +#sast: +# 
variables: +# SAST_DEFAULT_ANALYZERS: "bandit" # to sast +# CI_DEBUG_TRACE: "true" +# stage: main_sast +# rules: +# - if: '$CI_COMMIT_REF_NAME == "OCF16-first-steps-on-ci-at-gitlab-repository"' +# when: always +# - when: never +# script: +# - | +# echo "This is the SAST stage for your Python project." +# tags: +# - docker + + +#sast: +# stage: main_sast +# variables: +## DOCKER_DRIVER: overlay2 +# DOCKER_HOST: tcp://docker:2375 +# SAST_EXCLUDED_ANALYZERS: "nodejs-scan-sast" +# SAST_DEFAULT_ANALYZERS: bandit +# allow_failure: true +# services: +# - docker:24.0.5-dind +# rules: +# - if: '$CI_COMMIT_REF_NAME == "OCF16-first-steps-on-ci-at-gitlab-repository"' +# when: always +# - when: never +# script: +# - export SAST_VERSION=${SP_VERSION:-$(echo \"$CI_SERVER_VERSION\" | sed 's/^\\([0-9]*\\)\\.\\([0-9]*\\).*/\\1-\\2-stable/')} +# - | +# docker run \ +# --env SAST_ANALYZER_IMAGES \ +# --env SAST_ANALYZER_IMAGE_PREFIX \ +# --env SAST_ANALYZER_IMAGE_TAG \ +# --env SAST_DEFAULT_ANALYZERS \ +# --env SAST_BRAKEMAN_LEVEL \ +# --env SAST_GOSEC_LEVEL \ +# --env SAST_FLAWFINDER_LEVEL \ +# --env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \ +# --env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \ +# --env SAST_RUN_ANALYZER_TIMEOUT \ +# --volume \"$PWD:/code\" \ +# --volume /var/run/docker.sock:/var/run/docker.sock \ +# \"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION\" /app/bin/run capif/services/register/register_service +# dependencies: [] +# artifacts: +# reports: +# sast: gl-sast-report.json +# tags: +# - docker-in-docker + +semgrep-sast: + stage: test + before_script: + - echo " ----- not run test stage -----" + rules: + - when: never + +gemnasium-python-dependency_scanning: + stage: test + before_script: + - echo " ----- not run test stage -----" + rules: + - when: never + +gemnasium-dependency_scanning: + stage: test + before_script: + - echo " ----- not run test stage -----" + rules: + - when: never + +secret_detection: + stage: test + before_script: + - echo " ----- 
not run test stage -----" + rules: + - when: never + +container_scanning: + stage: test + before_script: + - echo " ----- not run test stage -----" + rules: + - when: never + +main_semgrep_sast: +# needs: +# - main_cancel_previous_action + stage: main_sast + extends: semgrep-sast + variables: +# DOCKER_DRIVER: overlay2 + DOCKER_HOST: tcp://docker:2375 +# SAST_EXCLUDED_ANALYZERS: "nodejs-scan-sast" + SAST_DEFAULT_ANALYZERS: bandit + <<: *main_dnd + +main_kubesec_sast: +# needs: +# - main_cancel_previous_action + stage: main_sast + extends: kubesec-sast + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - ls -lrta + - helm dependency build helm/capif/ + variables: +# DOCKER_DRIVER: overlay2 + DOCKER_HOST: tcp://docker:2375 + SCAN_KUBERNETES_MANIFESTS: "true" + KUBESEC_HELM_CHARTS_PATH: helm/capif/ + <<: *main_dnd + +main_gemnasium_python_dependency_scanning: +# needs: +# - main_cancel_previous_action + stage: main_sast + extends: gemnasium-python-dependency_scanning + variables: + DS_ANALYZER_NAME: "gemnasium-python" + <<: *main_dnd + +main_secret_detection: +# needs: +# - main_cancel_previous_action + stage: main_sast + extends: secret_detection + variables: + SECRET_DETECTION_HISTORIC_SCAN: "true" + <<: *main_dnd + +main_build_and_push: + stage: main_build_and_push + needs: + - main_semgrep_sast + - main_kubesec_sast + - main_gemnasium_python_dependency_scanning + - main_secret_detection + variables: + CI_REGISTRY_USER: $CI_REGISTRY_USER + CI_REGISTRY: $CI_REGISTRY + CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY + script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - echo "### docker login###" + - echo "$CI_JOB_TOKEN" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin + - echo "----------------------------------------------------" + - echo "### build and push nginx image###" + - cd $TMP_PWD/services/nginx/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push register image###" + - cd $TMP_PWD/services/register/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Access_Control_Policy_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Access_Control_Policy_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_API_Invoker_Management_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_API_Invoker_Management_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_API_Provider_Management_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_API_Provider_Management_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Auditing_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Auditing_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Discover_Service_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Discover_Service_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Events_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Events_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Logging_API_Invocation_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Logging_API_Invocation_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Publish_Service_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Publish_Service_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Routing_Info_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Routing_Info_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Security_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Security_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push vault image###" + - cd $TMP_PWD/services/vault/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push helper image###" + - cd $TMP_PWD/services/helper/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push mock-server image###" + - cd $TMP_PWD/services/mock_server/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push celery image###" + - cd $TMP_PWD/services/celery/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - docker logout $CI_REGISTRY + <<: *main_common + +cvs_nginx: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + - ls -lrta + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY +# GIT_STRATEGY: fetch +# CS_DOCKERFILE_PATH: capif/services/nginx/ + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_register: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: 
$CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_access_control_policy_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_api_invoker_management_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_api_provider_management_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: 
$CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_auditing_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_discover_service_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_events_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_logging_api_invocation_api: + stage: main_container_scanning + needs: + - 
main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_publish_service_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_routing_info_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_ocf_security_api: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone 
https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + <<: *main_dnd + +cvs_vault: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +cvs_celery: + stage: main_container_scanning + needs: + - main_build_and_push + before_script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - git clone https://oauth2:${CI_JOB_TOKEN}@labs.etsi.org/rep/ocf/capif.git + extends: container_scanning + variables: + CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG" + CS_IMAGE: "$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG" + CS_REGISTRY_USER: $CI_REGISTRY_USER + CS_REGISTRY_PASSWORD: $CAPIF_DOCKER_REGISTRY + SECURE_LOG_LEVEL: debug + <<: *main_dnd + +deploy_ocf_main: + stage: deploy_ocf_main + before_script: + - echo "--- cluster production ---" + - export KUBECONFIG=$KUBECONFIG_PROD + - kubectl cluster-info + variables: + DOMAIN_PRE_PROD: ocf.pre-production + NAMESPACE_PRE_PROD: ocf-main + needs: + - cvs_nginx + - cvs_register + - cvs_ocf_access_control_policy_api + - cvs_ocf_api_invoker_management_api + - cvs_ocf_api_provider_management_api + - cvs_ocf_auditing_api + - 
cvs_ocf_discover_service_api + - cvs_ocf_events_api + - cvs_ocf_logging_api_invocation_api + - cvs_ocf_publish_service_api + - cvs_ocf_routing_info_api + - cvs_ocf_security_api + - cvs_vault + - cvs_celery + <<: *main_common + environment: + name: review/main + url: https://$NAMESPACE_PRE_PROD.$DOMAIN_PRE_PROD + script: + - | + helm version + kubectl version --output=yaml + echo "### setting kubeconfig###" + whoami + kubectl cluster-info + yq --version + ls -rtt helm/capif + cat helm/capif/Chart.yaml + yq e -i ".appVersion = \"main\"" helm/capif/Chart.yaml + cat helm/capif/Chart.yaml + + charts=("mock-server" "nginx" "ocf-access-control-policy" + "ocf-api-invocation-logs" "ocf-api-invoker-management" + "ocf-api-provider-management" "ocf-auditing-api-logs" + "ocf-discover-service-api" "ocf-events" "ocf-helper" + "ocf-publish-service-api" "ocf-register" "ocf-routing-info" + "ocf-security" "celery-beat" "celery-worker") + + for chart in "${charts[@]}"; do + yq e -i ".appVersion = \"main\"" "helm/capif/charts/$chart/Chart.yaml" + done + + + echo "### download dependencies###" + helm dependency build helm/capif + echo "### updating capif###" + helm upgrade --install -n $NAMESPACE_PRE_PROD ocf-main helm/capif/ \ + --set grafana.enabled=true \ + --set grafana.ingress.enabled=true \ + --set grafana.ingress.hosts[0].host=ocf-mon-main.$DOMAIN_PRE_PROD \ + --set grafana.ingress.hosts[0].paths[0].path="/" \ + --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set grafana.env.prometheusUrl=http://prometheus.ocf.pre-production \ + --set grafana.env.tempoUrl="http://ocf-main-tempo:3100" \ + --set fluentbit.enabled=true \ + --set loki.enabled=true \ + --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.ocf.pre-production/api/v1/write \ + --set otelcollector.enabled=true \ + --set otelcollector.configMap.tempoEndpoint=ocf-main-tempo:4317 \ + --set 
ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api \ + --set ocf-access-control-policy.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-access-control-policy.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-access-control-policy.monitoring="true" \ + --set ocf-access-control-policy.env.logLevel="INFO" \ + --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api \ + --set ocf-api-invocation-logs.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-invocation-logs.env.monitoring="true" \ + --set ocf-api-invocation-logs.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_HOSTNAME_PROD \ + --set ocf-api-invocation-logs.env.logLevel="INFO" \ + --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api \ + --set ocf-api-invoker-management.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-invoker-management.env.monitoring="true" \ + --set ocf-api-invoker-management.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_HOSTNAME_PROD \ + --set ocf-api-invoker-management.env.logLevel="INFO" \ + --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api \ + --set ocf-api-provider-management.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-provider-management.env.monitoring="true" \ + --set ocf-api-provider-management.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set 
ocf-api-provider-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_HOSTNAME_PROD \ + --set ocf-api-provider-management.env.logLevel="INFO" \ + --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api \ + --set ocf-events.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-events.env.monitoring="true" \ + --set ocf-events.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-events.env.logLevel="INFO" \ + --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api \ + --set ocf-routing-info.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-routing-info.env.monitoring="true" \ + --set ocf-routing-info.env.logLevel="INFO" \ + --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api \ + --set ocf-security.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-security.env.monitoring="true" \ + --set ocf-security.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-security.env.vaultPort=$VAULT_PORT \ + --set ocf-security.env.vaultAccessToken=$VAULT_HOSTNAME_PROD \ + --set ocf-security.env.logLevel="INFO" \ + --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register \ + --set ocf-register.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-register.env.vaultAccessToken=$VAULT_HOSTNAME_PROD \ + --set ocf-register.env.vaultPort=$VAULT_PORT \ + --set ocf-register.env.mongoHost=mongo-register \ + --set ocf-register.env.mongoPort=27017 \ + --set ocf-register.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-register.ingress.enabled=true \ + --set ocf-register.ingress.hosts[0].host=register-main.$DOMAIN_PRE_PROD \ + --set ocf-register.ingress.hosts[0].paths[0].path="/" \ + --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set ocf-register.env.logLevel="INFO" 
\ + --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api \ + --set ocf-auditing-api-logs.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-auditing-api-logs.env.monitoring="true" \ + --set ocf-auditing-api-logs.env.logLevel="INFO" \ + --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api \ + --set ocf-publish-service-api.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-publish-service-api.env.monitoring="true" \ + --set ocf-publish-service-api.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-publish-service-api.env.logLevel="INFO" \ + --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api \ + --set ocf-discover-service-api.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-discover-service-api.env.monitoring="true" \ + --set ocf-discover-service-api.env.logLevel="INFO" \ + --set nginx.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx \ + --set nginx.image.tag=$CI_COMMIT_REF_SLUG \ + --set nginx.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set nginx.env.vaultHostname=$VAULT_HOSTNAME \ + --set nginx.env.vaultPort=$VAULT_PORT \ + --set nginx.env.vaultAccessToken=$VAULT_HOSTNAME_PROD \ + --set nginx.ingress.enabled=true \ + --set nginx.ingress.hosts[0].host=capif-main.$DOMAIN_PRE_PROD \ + --set nginx.ingress.hosts[0].paths[0].path="/" \ + --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set nginx.env.logLevel="info" \ + --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper \ + --set ocf-helper.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-helper.env.vaultPort=$VAULT_PORT \ + --set ocf-helper.env.vaultAccessToken=$VAULT_HOSTNAME_PROD \ + --set ocf-helper.env.capifHostname=capif-main.$DOMAIN_PRE_PROD \ + --set ocf-helper.env.logLevel="INFO" \ + --set mock-server.enabled=true \ + --set 
mock-server.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server \ + --set mock-server.image.tag=$CI_COMMIT_REF_SLUG \ + --set mock-server.ingress.enabled=true \ + --set mock-server.ingress.hosts[0].host=mock-server-main.$DOMAIN_PRE_PROD \ + --set mock-server.ingress.hosts[0].paths[0].path="/" \ + --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mock-server.env.logLevel="INFO" \ + --set mongo.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo.image.tag=6.0.2 \ + --set mongo-register-express.enabled=true \ + --set mongo-register-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-register-express.image.tag=1.0.0-alpha.4 \ + --set mongo-register-express.ingress.enabled=true \ + --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-main.$DOMAIN_PRE_PROD" \ + --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mongo-express.enabled=true \ + --set mongo-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-express.image.tag=1.0.0-alpha.4 \ + --set mongo-express.ingress.enabled=true \ + --set mongo-express.ingress.hosts[0].host="mongo-express-main.$DOMAIN_PRE_PROD" \ + --set mongo-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set redis.image.repository=labs.etsi.org:5050/ocf/capif/redis \ + --set redis.image.tag=7.4.2-alpine \ + --set celery-beat.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery \ + --set celery-beat.image.tag=$CI_COMMIT_REF_SLUG \ + --set celery-beat.env.celeryModel=beat \ + --set celery-beat.env.redisHostname=redis \ + --set celery-beat.env.redisPort=6379 \ + --set celery-beat.env.logLevel="DEBUG" \ + --set celery-worker.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery \ + --set 
celery-worker.image.tag=$CI_COMMIT_REF_SLUG \ + --set celery-worker.env.celeryModel=worker \ + --set celery-worker.env.redisHostname=redis \ + --set celery-worker.env.redisPort=6379 \ + --set celery-worker.env.logLevel="DEBUG" \ + --wait --timeout=10m --create-namespace --atomic + +main_rf_testing: + needs: ["deploy_ocf_main"] + stage: main_rf_testing + script: + - | + echo "------ Robot Framework Testing ------" + <<: *main_common \ No newline at end of file diff --git a/capif/templates/cd-deploy-ocf.gitlab-ci.yml b/capif/templates/cd-deploy-ocf.gitlab-ci.yml new file mode 100644 index 0000000000000000000000000000000000000000..93de0e4fe1acaf27ecd9b33c9c9be6b1d8b89572 --- /dev/null +++ b/capif/templates/cd-deploy-ocf.gitlab-ci.yml 
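Review bot: `CI_DEBUG_TRACE: "true"` in the top-level `variables:` block enables GitLab debug logging for every job in this file, and the same jobs handle `$CI_JOB_TOKEN` (the docker login and the `git clone https://oauth2:${CI_JOB_TOKEN}@...` in each cvs_* before_script), `$CAPIF_DOCKER_REGISTRY` used as `CS_REGISTRY_PASSWORD`, `$KUBECONFIG_PROD`, and the Vault values passed through `--set ...vaultAccessToken=`; debug traces write the job's variables and expanded shell commands into logs readable by anyone with job-log access, so drop the line or set it only on the single job being debugged, e.g. `CI_DEBUG_TRACE: "false"`, and reconsider `SECURE_LOG_LEVEL: debug` on the cvs_* jobs for the same reason. Separately, `.main_common` and `.main_dnd` both carry `allow_failure: true`, so a failing main_semgrep_sast, main_secret_detection or cvs_* job does not stop main_build_and_push or deploy_ocf_main from running against the `$KUBECONFIG_PROD` cluster even though the `needs:` chain reads as if the scans gate the deploy; if they are meant to gate, `allow_failure: true` should move off the anchors onto only the jobs that are genuinely allowed to fail. The scanned image and the deployed image are both referenced by the mutable tag `$CI_COMMIT_REF_SLUG`, so a later push to the same tag between cvs_* and deploy_ocf_main would be deployed unscanned; recording the digest from `docker push` and deploying by digest would close that gap. Finally, every `--set *.env.vaultAccessToken=$VAULT_HOSTNAME_PROD` passes a variable named as a hostname where a token is expected, while `$VAULT_HOSTNAME` feeds `vaultHostname`; this may be a deliberately misnamed secret, but it should be confirmed or renamed so the Helm values are not silently wrong.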
@@ -0,0 +1,693 @@ +stages: + - deploy_ocf_oficial_staging + - deploy_ocf_staging + - delete_ocf_staging + - deploy_ocf_dev + - delete_ocf_dev + +variables: + NAMESPACE_DEV: "ocf-dev-$CI_ENVIRONMENT_SLUG" + NAMESPACE_STAGING: "ocf-staging" + DOMAIN_STAGING: ocf.validation + DOMAIN_DEV: ocf.develop + DOMAIN_PROD: prod.int +# CI_JOB_TOKEN: $CI_JOB_TOKEN + IMAGE_TAG_DEV: $CI_COMMIT_REF_SLUG + IMAGE_TAG_STAGING: $CI_COMMIT_REF_SLUG + VAULT_HOSTNAME: $VAULT_HOSTNAME + VAULT_PORT: $VAULT_PORT + VAULT_ACCESS_TOKEN: $VAULT_ACCESS_TOKEN +# CI_REGISTRY: $CI_REGISTRY + +.staging_common: &staging_common + only: + - merge_requests + except: + variables: + - $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "staging" + tags: + - shell + +.dev_common: &dev_common + rules: + - if: '$CI_COMMIT_REF_NAME == "staging"' + when: never + - if: '$CI_COMMIT_REF_NAME == "main"' + when: never + - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/' + when: never + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + when: never + - when: always + tags: + - shell + +.dev_dnd: &dev_dnd + allow_failure: true + services: + - docker:24.0.5-dind + rules: + - if: '$CI_COMMIT_REF_NAME == "staging"' + when: never + - if: '$CI_COMMIT_REF_NAME == "main"' + when: never + - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/' + when: never + - when: always + tags: + - docker-in-docker + + +## staging before mr ### + +prep_ocf_cd_staging: + stage: deploy_ocf_staging + <<: *staging_common + script: + - | + echo "### filtering name ###" + echo $CI_COMMIT_REF_SLUG + CD_ENV_NAME=${CI_COMMIT_REF_SLUG//-/} + echo $CD_ENV_NAME + echo $CD_ENV_NAME | rev | cut -c 1-6 | rev + echo $(echo $CD_ENV_NAME | rev | cut -c 1-6 | rev) > cd_env_endpoint.txt + artifacts: + paths: + - cd_env_endpoint.txt + +deploy_ocf_staging: + stage: deploy_ocf_staging + needs: + - staging_build_and_push + - prep_ocf_cd_staging + <<: *staging_common + environment: + name: review/dev_to_staging/$CI_COMMIT_REF_SLUG + url: 
https://capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV + on_stop: delete_ocf_staging + auto_stop_in: 3 day + script: + - | + helm version + kubectl version --output=yaml + echo "### setting kubeconfig###" + whoami + kubectl cluster-info + yq --version + ls -rtt helm/capif + cat helm/capif/Chart.yaml + yq e -i ".appVersion = \"$IMAGE_TAG_STAGING\"" helm/capif/Chart.yaml + cat helm/capif/Chart.yaml + + charts=("mock-server" "nginx" "ocf-access-control-policy" + "ocf-api-invocation-logs" "ocf-api-invoker-management" + "ocf-api-provider-management" "ocf-auditing-api-logs" + "ocf-discover-service-api" "ocf-events" "ocf-helper" + "ocf-publish-service-api" "ocf-register" "ocf-routing-info" + "ocf-security" "celery-beat" "celery-worker") + + for chart in "${charts[@]}"; do + yq e -i ".appVersion = \"$IMAGE_TAG_STAGING\"" "helm/capif/charts/$chart/Chart.yaml" + done + + export CI_ENV_ENDPOINT=$(cat cd_env_endpoint.txt) + export NAMESPACE_DEV_TO_STAGING=$(echo $CI_ENV_ENDPOINT) + + echo "### download dependencies###" + helm dependency build helm/capif + echo "### updating capif###" + helm upgrade --install -n $NAMESPACE_DEV_TO_STAGING-mr ocf-pre-staging helm/capif/ \ + --set grafana.enabled=true \ + --set grafana.ingress.enabled=true \ + --set grafana.ingress.hosts[0].host=ocf-mon-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set grafana.ingress.hosts[0].paths[0].path="/" \ + --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set grafana.env.prometheusUrl=http://prometheus.ocf.pre-production \ + --set grafana.env.tempoUrl="http://ocf-pre-staging-tempo:3100" \ + --set fluentbit.enabled=true \ + --set loki.enabled=true \ + --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.ocf.pre-production/api/v1/write \ + --set otelcollector.enabled=true \ + --set otelcollector.configMap.tempoEndpoint=ocf-pre-staging-tempo:4317 \ + --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api \ + --set 
ocf-access-control-policy.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-access-control-policy.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-access-control-policy.monitoring="true" \ + --set ocf-access-control-policy.env.logLevel="DEBUG" \ + --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api \ + --set ocf-api-invocation-logs.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-invocation-logs.env.monitoring="true" \ + --set ocf-api-invocation-logs.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-api-invocation-logs.env.logLevel="DEBUG" \ + --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api \ + --set ocf-api-invoker-management.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-invoker-management.env.monitoring="true" \ + --set ocf-api-invoker-management.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-api-invoker-management.env.logLevel="DEBUG" \ + --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api \ + --set ocf-api-provider-management.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-provider-management.env.monitoring="true" \ + --set ocf-api-provider-management.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \ + --set 
ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-api-provider-management.env.logLevel="DEBUG" \ + --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api \ + --set ocf-events.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-events.env.monitoring="true" \ + --set ocf-events.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-events.env.logLevel="DEBUG" \ + --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api \ + --set ocf-routing-info.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-routing-info.env.monitoring="true" \ + --set ocf-routing-info.env.logLevel="DEBUG" \ + --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api \ + --set ocf-security.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-security.env.monitoring="true" \ + --set ocf-security.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-security.env.vaultPort=$VAULT_PORT \ + --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-security.env.logLevel="DEBUG" \ + --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register \ + --set ocf-register.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-register.env.vaultPort=$VAULT_PORT \ + --set ocf-register.env.mongoHost=mongo-register \ + --set ocf-register.env.mongoPort=27017 \ + --set ocf-register.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-register.ingress.enabled=true \ + --set ocf-register.ingress.hosts[0].host=register-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-register.ingress.hosts[0].paths[0].path="/" \ + --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set ocf-register.env.logLevel="DEBUG" \ + --set 
ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api \ + --set ocf-auditing-api-logs.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-auditing-api-logs.env.monitoring="true" \ + --set ocf-auditing-api-logs.env.logLevel="DEBUG" \ + --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api \ + --set ocf-publish-service-api.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-publish-service-api.env.monitoring="true" \ + --set ocf-publish-service-api.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-publish-service-api.env.logLevel="DEBUG" \ + --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api \ + --set ocf-discover-service-api.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-discover-service-api.env.monitoring="true" \ + --set ocf-discover-service-api.env.logLevel="DEBUG" \ + --set nginx.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx \ + --set nginx.image.tag=$CI_COMMIT_REF_SLUG \ + --set nginx.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set nginx.env.vaultHostname=$VAULT_HOSTNAME \ + --set nginx.env.vaultPort=$VAULT_PORT \ + --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set nginx.ingress.enabled=true \ + --set nginx.ingress.hosts[0].host=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set nginx.ingress.hosts[0].paths[0].path="/" \ + --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set nginx.env.logLevel="info" \ + --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper \ + --set ocf-helper.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-helper.env.vaultPort=$VAULT_PORT \ + --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-helper.env.capifHostname=capif-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set ocf-helper.env.logLevel="DEBUG" \ + --set 
mock-server.enabled=true \ + --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server \ + --set mock-server.image.tag=$CI_COMMIT_REF_SLUG \ + --set mock-server.ingress.enabled=true \ + --set mock-server.ingress.hosts[0].host=mock-server-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV \ + --set mock-server.ingress.hosts[0].paths[0].path="/" \ + --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mock-server.env.logLevel="DEBUG" \ + --set mongo.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo.image.tag=6.0.2 \ + --set mongo.busybox.repository=labs.etsi.org:5050/ocf/capif/busybox \ + --set mongo.busybox.tag=1.37.0 \ + --set mongo-register.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo-register.image.tag=6.0.2 \ + --set mongo-register-express.enabled=true \ + --set mongo-register-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-register-express.image.tag=1.0.0-alpha.4 \ + --set mongo-register-express.ingress.enabled=true \ + --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV" \ + --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mongo-express.enabled=true \ + --set mongo-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-express.image.tag=1.0.0-alpha.4 \ + --set mongo-express.ingress.enabled=true \ + --set mongo-express.ingress.hosts[0].host="mongo-express-$CI_ENV_ENDPOINT-mr.$DOMAIN_DEV" \ + --set mongo-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set redis.image.repository=labs.etsi.org:5050/ocf/capif/redis \ + --set redis.image.tag=7.4.2-alpine \ + --set celery-beat.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery \ + --set celery-beat.image.tag=$CI_COMMIT_REF_SLUG \ + --set 
celery-beat.env.celeryModel=beat \ + --set celery-beat.env.redisHost=redis \ + --set celery-beat.env.redisPort=6379 \ + --set celery-beat.env.logLevel="DEBUG" \ + --set celery-worker.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery \ + --set celery-worker.image.tag=$CI_COMMIT_REF_SLUG \ + --set celery-worker.env.celeryModel=worker \ + --set celery-worker.env.redisHost=redis \ + --set celery-worker.env.redisPort=6379 \ + --set celery-worker.env.logLevel="DEBUG" \ + --wait --timeout=10m --create-namespace --atomic + +delete_ocf_staging: + stage: delete_ocf_staging + needs: + - prep_ocf_cd_staging + <<: *staging_common + script: + - export NAMESPACE_DEV_TO_STAGING=$(cat cd_env_endpoint.txt) + - echo "### deleting environment $NAMESPACE_DEV_TO_STAGING###" + - helm uninstall -n $NAMESPACE_DEV_TO_STAGING-mr ocf-pre-staging + - kubectl delete ns $NAMESPACE_DEV_TO_STAGING-mr + when: manual + environment: + name: review/dev_to_staging/$CI_COMMIT_REF_SLUG + action: stop + +### staging branch merged ### +deploy_ocf_oficial_staging: + stage: deploy_ocf_oficial_staging + before_script: + - echo "--- cluster production ---" + - export KUBECONFIG=$KUBECONFIG_PROD + - kubectl cluster-info +# <<: *staging_common + rules: + - if: '$CI_COMMIT_REF_NAME == "staging"' + when: always + needs: + - staging_build_and_push_mr + tags: + - shell + environment: + name: review/oficial-staging + url: https://capif-staging.$DOMAIN_STAGING + script: + - | + helm version + kubectl version --output=yaml + echo "### setting kubeconfig###" + whoami + kubectl cluster-info + yq --version + ls -rtt helm/capif + cat helm/capif/Chart.yaml + yq e -i ".appVersion = \"staging\"" helm/capif/Chart.yaml + cat helm/capif/Chart.yaml + + charts=("mock-server" "nginx" "ocf-access-control-policy" + "ocf-api-invocation-logs" "ocf-api-invoker-management" + "ocf-api-provider-management" "ocf-auditing-api-logs" + "ocf-discover-service-api" "ocf-events" "ocf-helper" + "ocf-publish-service-api" 
"ocf-register" "ocf-routing-info" + "ocf-security" "celery-beat" "celery-worker") + + for chart in "${charts[@]}"; do + yq e -i ".appVersion = \"staging\"" "helm/capif/charts/$chart/Chart.yaml" + done + + + echo "### download dependencies###" + helm dependency build helm/capif + echo "### updating capif###" + helm upgrade --install -n $NAMESPACE_STAGING ocf-staging helm/capif/ \ + --set grafana.enabled=true \ + --set grafana.ingress.enabled=true \ + --set grafana.ingress.hosts[0].host=ocf-mon-staging.$DOMAIN_STAGING \ + --set grafana.ingress.hosts[0].paths[0].path="/" \ + --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set grafana.env.prometheusUrl=http://prometheus.ocf.pre-production \ + --set grafana.env.tempoUrl="http://ocf-staging-tempo:3100" \ + --set fluentbit.enabled=true \ + --set loki.enabled=true \ + --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.ocf.pre-production/api/v1/write \ + --set otelcollector.enabled=true \ + --set otelcollector.configMap.tempoEndpoint=ocf-staging-tempo:4317 \ + --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-access-control-policy-api \ + --set ocf-access-control-policy.image.tag=staging \ + --set ocf-access-control-policy.env.logLevel="DEBUG" \ + --set ocf-access-control-policy.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-access-control-policy.monitoring="true" \ + --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-logging-api-invocation-api \ + --set ocf-api-invocation-logs.image.tag=staging \ + --set ocf-api-invocation-logs.env.monitoring="true" \ + --set ocf-api-invocation-logs.env.logLevel="DEBUG" \ + --set ocf-api-invocation-logs.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set 
ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-api-invoker-management-api \ + --set ocf-api-invoker-management.image.tag=staging \ + --set ocf-api-invoker-management.env.monitoring="true" \ + --set ocf-api-invoker-management.env.logLevel="DEBUG" \ + --set ocf-api-invoker-management.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-api-provider-management-api \ + --set ocf-api-provider-management.image.tag=staging \ + --set ocf-api-provider-management.env.monitoring="true" \ + --set ocf-api-provider-management.env.logLevel="DEBUG" \ + --set ocf-api-provider-management.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-events-api \ + --set ocf-events.image.tag=staging \ + --set ocf-events.env.monitoring="true" \ + --set ocf-events.env.logLevel="DEBUG" \ + --set ocf-events.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-routing-info-api \ + --set ocf-routing-info.image.tag=staging \ + --set ocf-routing-info.env.monitoring="true" \ + --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-security-api \ + --set ocf-security.image.tag=staging \ + --set ocf-security.env.logLevel="DEBUG" \ + --set ocf-security.env.monitoring="true" \ + --set ocf-security.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \ + 
--set ocf-security.env.vaultPort=$VAULT_PORT \ + --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/staging/register \ + --set ocf-register.image.tag=staging \ + --set ocf-register.env.logLevel="DEBUG" \ + --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-register.env.vaultPort=$VAULT_PORT \ + --set ocf-register.env.mongoHost=mongo-register \ + --set ocf-register.env.mongoPort=27017 \ + --set ocf-register.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-register.ingress.enabled=true \ + --set ocf-register.ingress.hosts[0].host=register-staging.$DOMAIN_STAGING \ + --set ocf-register.ingress.hosts[0].paths[0].path="/" \ + --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-auditing-api \ + --set ocf-auditing-api-logs.image.tag=staging \ + --set ocf-auditing-api-logs.env.monitoring="true" \ + --set ocf-auditing-api-logs.env.logLevel="DEBUG" \ + --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-publish-service-api \ + --set ocf-publish-service-api.image.tag=staging \ + --set ocf-publish-service-api.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-publish-service-api.env.monitoring="true" \ + --set ocf-publish-service-api.env.logLevel="DEBUG" \ + --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/staging/ocf-discover-service-api \ + --set ocf-discover-service-api.image.tag=staging \ + --set ocf-discover-service-api.env.monitoring="true" \ + --set ocf-discover-service-api.env.logLevel="DEBUG" \ + --set nginx.image.repository=$CI_REGISTRY/ocf/capif/staging/nginx \ + --set nginx.image.tag=staging \ + --set nginx.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set nginx.env.vaultHostname=$VAULT_HOSTNAME \ + --set 
nginx.env.vaultPort=$VAULT_PORT \ + --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set nginx.ingress.enabled=true \ + --set nginx.ingress.hosts[0].host=capif-staging.$DOMAIN_STAGING \ + --set nginx.ingress.hosts[0].paths[0].path="/" \ + --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/staging/helper \ + --set ocf-helper.image.tag=staging \ + --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-helper.env.vaultPort=$VAULT_PORT \ + --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-helper.env.capifHostname=capif-staging.$DOMAIN_STAGING \ + --set ocf-helper.env.logLevel="DEBUG" \ + --set mock-server.enabled=true \ + --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/staging/mock-server \ + --set mock-server.image.tag=staging \ + --set mock-server.ingress.enabled=true \ + --set mock-server.ingress.hosts[0].host=mock-server-staging.$DOMAIN_STAGING \ + --set mock-server.ingress.hosts[0].paths[0].path="/" \ + --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mock-server.env.logLevel="DEBUG" \ + --set mongo.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo.image.tag=6.0.2 \ + --set mongo.busybox.repository=labs.etsi.org:5050/ocf/capif/busybox \ + --set mongo.busybox.tag=1.37.0 \ + --set mongo-register.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo-register.image.tag=6.0.2 \ + --set mongo-register-express.enabled=true \ + --set mongo-register-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-register-express.image.tag=1.0.0-alpha.4 \ + --set mongo-register-express.ingress.enabled=true \ + --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-staging.$DOMAIN_STAGING" \ + --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set 
mongo-express.enabled=true \ + --set mongo-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-express.image.tag=1.0.0-alpha.4 \ + --set mongo-express.ingress.enabled=true \ + --set mongo-express.ingress.hosts[0].host="mongo-express-staging.$DOMAIN_STAGING" \ + --set mongo-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set redis.image.repository=labs.etsi.org:5050/ocf/capif/redis \ + --set redis.image.tag=7.4.2-alpine \ + --set celery-beat.image.repository=$CI_REGISTRY/ocf/capif/staging/celery \ + --set celery-beat.image.tag=staging \ + --set celery-beat.env.celeryModel=beat \ + --set celery-beat.env.redisHost=redis \ + --set celery-beat.env.redisPort=6379 \ + --set celery-beat.env.logLevel="DEBUG" \ + --set celery-worker.image.repository=$CI_REGISTRY/ocf/capif/staging/celery \ + --set celery-worker.image.tag=staging \ + --set celery-worker.env.celeryModel=worker \ + --set celery-worker.env.redisHost=redis \ + --set celery-worker.env.redisPort=6379 \ + --set celery-worker.env.logLevel="DEBUG" \ + --wait --timeout=10m --create-namespace --atomic + +## dev ### + +prep_ocf_cd_dev: + stage: deploy_ocf_dev + <<: *dev_common + script: + - | + echo "### filtering name ###" + echo $CI_COMMIT_REF_SLUG + CD_ENV_NAME=${CI_COMMIT_REF_SLUG//-/} + echo $CD_ENV_NAME + echo $CD_ENV_NAME | rev | cut -c 1-6 | rev + echo $(echo $CD_ENV_NAME | rev | cut -c 1-6 | rev) > cd_env_endpoint.txt + artifacts: + paths: + - cd_env_endpoint.txt + +deploy_ocf_dev: + stage: deploy_ocf_dev + needs: + - dev_build_and_push + - prep_ocf_cd_dev + <<: *dev_common + environment: + name: review/$CI_COMMIT_REF_SLUG + url: https://capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV + on_stop: delete_ocf_dev + auto_stop_in: 3 day +# rules: +# - if: $CI_COMMIT_BRANCH == "main" +# when: never +# - if: $CI_COMMIT_BRANCH == "staging" +# when: never +# - if: $CI_COMMIT_BRANCH + script: + - | + helm version + kubectl version 
--output=yaml + echo "### setting kubeconfig###" + kubectl cluster-info + yq --version + ### Chart main ocf### + cat helm/capif/Chart.yaml + yq e -i ".appVersion = \"$IMAGE_TAG_DEV\"" helm/capif/Chart.yaml + cat helm/capif/Chart.yaml + + charts=("mock-server" "nginx" "ocf-access-control-policy" + "ocf-api-invocation-logs" "ocf-api-invoker-management" + "ocf-api-provider-management" "ocf-auditing-api-logs" + "ocf-discover-service-api" "ocf-events" "ocf-helper" + "ocf-publish-service-api" "ocf-register" "ocf-routing-info" + "ocf-security" "celery-beat" "celery-worker") + + for chart in "${charts[@]}"; do + yq e -i ".appVersion = \"$IMAGE_TAG_DEV\"" "helm/capif/charts/$chart/Chart.yaml" + done + + export CI_ENV_ENDPOINT=$(cat cd_env_endpoint.txt) + + echo "### download dependencies###" + helm dependency build helm/capif + echo "### updating capif###" + helm upgrade --install -n $NAMESPACE_DEV ocf-developer helm/capif/ \ + --set grafana.enabled=true \ + --set grafana.ingress.enabled=true \ + --set grafana.ingress.hosts[0].host=ocf-mon-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set grafana.ingress.hosts[0].paths[0].path="/" \ + --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set grafana.env.prometheusUrl=http://prometheus.ocf.pre-production \ + --set grafana.env.tempoUrl="http://ocf-developer-tempo:3100" \ + --set fluentbit.enabled=true \ + --set loki.enabled=true \ + --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.ocf.pre-production/api/v1/write \ + --set otelcollector.enabled=true \ + --set otelcollector.configMap.tempoEndpoint=ocf-developer-tempo:4317 \ + --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api \ + --set ocf-access-control-policy.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-access-control-policy.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-access-control-policy.monitoring="true" \ + --set 
ocf-access-control-policy.env.logLevel="DEBUG" \ + --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api \ + --set ocf-api-invocation-logs.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-invocation-logs.env.monitoring="true" \ + --set ocf-api-invocation-logs.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-api-invocation-logs.env.logLevel="DEBUG" \ + --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api \ + --set ocf-api-invoker-management.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-invoker-management.env.monitoring="true" \ + --set ocf-api-invoker-management.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-api-invoker-management.env.logLevel="DEBUG" \ + --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api \ + --set ocf-api-provider-management.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-api-provider-management.env.monitoring="true" \ + --set ocf-api-provider-management.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-provider-management.env.logLevel="DEBUG" \ + --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api \ + --set 
ocf-events.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-events.env.monitoring="true" \ + --set ocf-events.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-events.env.logLevel="DEBUG" \ + --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api \ + --set ocf-routing-info.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-routing-info.env.monitoring="true" \ + --set ocf-routing-info.env.logLevel="DEBUG" \ + --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api \ + --set ocf-security.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-security.env.monitoring="true" \ + --set ocf-security.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-security.env.vaultPort=$VAULT_PORT \ + --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-security.env.logLevel="DEBUG" \ + --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register \ + --set ocf-register.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-register.env.vaultPort=$VAULT_PORT \ + --set ocf-register.env.mongoHost=mongo-register \ + --set ocf-register.env.mongoPort=27017 \ + --set ocf-register.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-register.ingress.enabled=true \ + --set ocf-register.ingress.hosts[0].host=register-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-register.ingress.hosts[0].paths[0].path="/" \ + --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set ocf-register.env.logLevel="DEBUG" \ + --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api \ + --set ocf-auditing-api-logs.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-auditing-api-logs.env.monitoring="true" \ + --set 
ocf-auditing-api-logs.env.logLevel="DEBUG" \ + --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api \ + --set ocf-publish-service-api.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-publish-service-api.env.monitoring="true" \ + --set ocf-publish-service-api.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-publish-service-api.env.logLevel="DEBUG" \ + --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api \ + --set ocf-discover-service-api.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-discover-service-api.env.monitoring="true" \ + --set ocf-discover-service-api.env.logLevel="DEBUG" \ + --set nginx.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx \ + --set nginx.image.tag=$CI_COMMIT_REF_SLUG \ + --set nginx.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set nginx.env.vaultHostname=$VAULT_HOSTNAME \ + --set nginx.env.vaultPort=$VAULT_PORT \ + --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set nginx.ingress.enabled=true \ + --set nginx.ingress.hosts[0].host=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set nginx.ingress.hosts[0].paths[0].path="/" \ + --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set nginx.env.logLevel="debug" \ + --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper \ + --set ocf-helper.image.tag=$CI_COMMIT_REF_SLUG \ + --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-helper.env.vaultPort=$VAULT_PORT \ + --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \ + --set ocf-helper.env.capifHostname=capif-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set ocf-helper.env.logLevel="DEBUG" \ + --set mock-server.enabled=true \ + --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server \ + --set mock-server.image.tag=$CI_COMMIT_REF_SLUG \ + --set mock-server.ingress.enabled=true \ + --set 
mock-server.ingress.hosts[0].host=mock-server-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV \ + --set mock-server.ingress.hosts[0].paths[0].path="/" \ + --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mock-server.env.logLevel="DEBUG" \ + --set mongo.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo.image.tag=6.0.2 \ + --set mongo.busybox.repository=labs.etsi.org:5050/ocf/capif/busybox \ + --set mongo.busybox.tag=1.37.0 \ + --set mongo-register.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo-register.image.tag=6.0.2 \ + --set mongo-register-express.enabled=true \ + --set mongo-register-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-register-express.image.tag=1.0.0-alpha.4 \ + --set mongo-register-express.ingress.enabled=true \ + --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV" \ + --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mongo-express.enabled=true \ + --set mongo-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-express.image.tag=1.0.0-alpha.4 \ + --set mongo-express.ingress.enabled=true \ + --set mongo-express.ingress.hosts[0].host="mongo-express-$CI_ENV_ENDPOINT-dev.$DOMAIN_DEV" \ + --set mongo-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set redis.image.repository=labs.etsi.org:5050/ocf/capif/redis \ + --set redis.image.tag=7.4.2-alpine \ + --set celery-beat.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery \ + --set celery-beat.image.tag=$CI_COMMIT_REF_SLUG \ + --set celery-beat.env.celeryModel=beat \ + --set celery-beat.env.redisHost=redis \ + --set celery-beat.env.redisPort=6379 \ + --set celery-beat.env.logLevel="DEBUG" \ + --set 
celery-worker.image.repository=$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery \ + --set celery-worker.image.tag=$CI_COMMIT_REF_SLUG \ + --set celery-worker.env.celeryModel=worker \ + --set celery-worker.env.redisHost=redis \ + --set celery-worker.env.redisPort=6379 \ + --set celery-worker.env.logLevel="DEBUG" \ + --wait --timeout=10m --create-namespace --atomic + +delete_ocf_dev: + stage: delete_ocf_dev + <<: *dev_common + tags: + - shell + script: + - echo "### deleting environment $NAMESPACE_DEV###" + - helm uninstall -n $NAMESPACE_DEV ocf-developer + - kubectl delete ns $NAMESPACE_DEV --force + when: manual + environment: + name: review/$CI_COMMIT_REF_SLUG + action: stop \ No newline at end of file diff --git a/capif/templates/ci_dev.gitlab-ci.yml b/capif/templates/ci_dev.gitlab-ci.yml new file mode 100644 index 0000000000000000000000000000000000000000..baa82e6e31c2c5fa9464f75f5ada2a7fb04bf445 --- /dev/null +++ b/capif/templates/ci_dev.gitlab-ci.yml 
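Review bot: The Vault token is handed to the charts as an ordinary Helm value (`--set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN`, and likewise for nginx, ocf-register, ocf-helper and the invoker/provider/logging APIs), so it is persisted in the Helm release Secret and the rendered pod specs and is readable by anyone with `helm get values` or Secret/Pod read in the namespace; because `deploy_ocf_staging` runs with `only: merge_requests`, every merge request targeting `staging` also deploys with it, and the `variables:` block's `VAULT_ACCESS_TOKEN: $VAULT_ACCESS_TOKEN` re-declaration adds nothing except another place the masked value can leak. Prefer creating a Kubernetes Secret just before the `helm upgrade` (`kubectl -n "$NAMESPACE_DEV_TO_STAGING-mr" create secret generic vault-token --from-literal=token="$VAULT_ACCESS_TOKEN" --dry-run=client -o yaml | kubectl apply -f -`) and have the charts consume it via a `secretKeyRef`, using a per-environment, short-TTL token instead of one shared by dev, MR and staging deployments. Separately, `mongo-express.ingress.enabled=true` and `mongo-register-express.ingress.enabled=true` publish the database admin UI on every dev, MR and staging environment with no authentication or TLS settings visible in this hunk; unless the ingress controller enforces auth elsewhere, these should default to off or sit behind an auth proxy. Note also that `deploy_ocf_oficial_staging` switches to `KUBECONFIG_PROD` with `VAULT_ACCESS_TOKEN_PROD` and `when: always`, so any push to `staging` deploys onto the production cluster without a manual gate or protected environment.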
@@ -0,0 +1,214 @@
+stages:
+# - dev_pulling_repo
+ - dev_pre_pipeline
+ - dev_secrets_in_repo
+ - dev_linting
+ - dev_build_and_push
+
+variables:
+# CI_JOB_TOKEN: $CI_JOB_TOKEN
+ CI_DEBUG_TRACE: "false"
+# CI_REGISTRY_USER: $CI_REGISTRY_USER
+# CI_REGISTRY: $CI_REGISTRY
+# CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY
+
+
+.dev_common: &dev_common
+ tags:
+ - shell
+
+dev_secrets_in_repo:
+ stage: dev_secrets_in_repo
+ rules:
+ - if: '$CI_COMMIT_REF_NAME == "staging"'
+ when: never
+ - if: '$CI_COMMIT_REF_NAME == "main"'
+ when: never
+ - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+ when: never
+ - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+ when: never
+ - when: always
+ script:
+ - |
+ pip install trufflehog
+ cd ../
+ trufflehog capif --exclude_paths capif/cicd/exclusions --max_depth=5
+# needs: ["dev_pulling_repo"]
+ <<: *dev_common
+
+# define the process to do linting code: Sonarque, ruff?
+dev_linting_code:
+ stage: dev_linting
+ rules:
+ - if: '$CI_COMMIT_REF_NAME == "staging"'
+ when: never
+ - if: '$CI_COMMIT_REF_NAME == "main"'
+ when: never
+ - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+ when: never
+ - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+ when: never
+ - when: always
+ script:
+ - |
+ echo "###ruff checks###"
+ pip install ruff
+ ruff check --config cicd/ruff.toml . || true
+ needs: ["dev_secrets_in_repo"]
+ <<: *dev_common
+
+dev_linting_docker:
+ stage: dev_linting
+ rules:
+ - if: '$CI_COMMIT_REF_NAME == "staging"'
+ when: never
+ - if: '$CI_COMMIT_REF_NAME == "main"'
+ when: never
+ - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+ when: never
+ - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+ when: never
+ - when: always
+ script:
+ - |
+ # Download hadolint binary
+ wget https://github.com/hadolint/hadolint/releases/download/v2.8.0/hadolint-Linux-x86_64 -O hadolint
+
+ # Make it executable
+ chmod +x hadolint
+
+ # Move it to your binaries folder
+ mv hadolint ../
+
+ # Verify the installation
+ echo "### hadolint version ###"
+ ../hadolint --version
+
+ # Array of service names
+ SERVICES=("celery" "vault" "nginx" "register" "TS29222_CAPIF_Access_Control_Policy_API" "TS29222_CAPIF_API_Invoker_Management_API"
+ "TS29222_CAPIF_API_Provider_Management_API" "TS29222_CAPIF_Auditing_API" "TS29222_CAPIF_Discover_Service_API" "TS29222_CAPIF_Events_API"
+ "TS29222_CAPIF_Logging_API_Invocation_API" "TS29222_CAPIF_Publish_Service_API" "TS29222_CAPIF_Routing_Info_API" "TS29222_CAPIF_Security_API")
+
+ # Loop over service names
+ for SERVICE in "${SERVICES[@]}"; do
+ echo "### $SERVICE ###"
+
+ # Run hadolint on Dockerfile
+ ../hadolint services/$SERVICE/Dockerfile || true
+
+ echo "----------------------------------------------------"
+ done
+# artifacts:
+# name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+# when: always
+# reports:
+# codequality:
+# - docker-lint.json
+# interruptible: true
+ <<: *dev_common
+
+dev_build_and_push:
+ rules:
+ - if: '$CI_COMMIT_REF_NAME == "staging"'
+ when: never
+ - if: '$CI_COMMIT_REF_NAME == "main"'
+ when: never
+ - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+ when: never
+ - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+ when: never
+ - when: always
+ needs:
+ - dev_linting_code
+ - dev_linting_docker
+ stage: dev_build_and_push
+ script:
+ - export TMP_PWD=$PWD
+ - echo "TMP_PWD=$TMP_PWD"
+ - echo "### docker login###"
+ - echo "$CI_JOB_TOKEN" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin
+ - echo "----------------------------------------------------"
+ - echo "### build and push nginx image###"
+ - cd $TMP_PWD/services/nginx/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push register image###"
+ - cd $TMP_PWD/services/register/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Access_Control_Policy_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Access_Control_Policy_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_API_Invoker_Management_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_API_Invoker_Management_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_API_Provider_Management_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_API_Provider_Management_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Auditing_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Auditing_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Discover_Service_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Discover_Service_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Events_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Events_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Logging_API_Invocation_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Logging_API_Invocation_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Publish_Service_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Publish_Service_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Routing_Info_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Routing_Info_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Security_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Security_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push vault image###"
+ - cd $TMP_PWD/services/vault/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push helper image###"
+ - cd $TMP_PWD/services/helper/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push mock-server image###"
+ - cd $TMP_PWD/services/mock_server/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+ - echo "### build and push celery image###"
+ - cd $TMP_PWD/services/celery/
+ - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG .
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG
+ - echo "----------------------------------------------------"
+
+ - docker logout $CI_REGISTRY
+ <<: *dev_common
\ No newline at end of file
diff --git a/capif/templates/ci_main.gitlab-ci.yml b/capif/templates/ci_main.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3390796733ca1611619471cbe6429e6c7703662d
--- /dev/null
+++ b/capif/templates/ci_main.gitlab-ci.yml
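Review bot: `dev_linting_docker` fetches the hadolint binary with a plain `wget` of a release asset and runs it without any integrity check, so the shell runner executes whatever that download returns; pin the expected digest and verify before `chmod +x`, e.g. `echo "<HADOLINT_SHA256_PLACEHOLDER>  hadolint" | sha256sum -c -` (the published checksum for the pinned v2.8.0 asset goes in the placeholder). `docker logout $CI_REGISTRY` at the end of `dev_build_and_push` only runs when every preceding build and push succeeds, so a failed push leaves the job-token login in the runner's Docker config; moving that line under `after_script:` makes it run on failure as well. The same five-entry `rules:` block is repeated verbatim in all four jobs while each already merges `.dev_common`; hoisting the rules into that anchor would keep the branch/tag exclusions in one place. The same unverified hadolint download appears in the `ci_staging.gitlab-ci.yml` hunk, whose end lies outside this view.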
@@ -0,0 +1,279 @@ +#stages: +## - main_pulling_repo +# - main_secrets_in_repo +# - main_linting_code +# - main_linting_docker +# - main_security +# - main_build_and_push +# +#variables: +# CI_JOB_TOKEN: $CI_JOB_TOKEN +# CI_DEBUG_TRACE: "false" +# CI_REGISTRY_USER: $CI_REGISTRY_USER +# CI_REGISTRY: $CI_REGISTRY +# CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY +# +#.main_common: &main_common +# only: +# - merge_requests +# except: +# variables: +# - $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "main" +# tags: +# - shell +# +#.main_dnd: &main_dnd +# allow_failure: true +# rules: +# - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"' +# when: always +# - when: never +# services: +# - docker:24.0.5-dind +# tags: +# - docker-in-docker +# +#main_secrets_in_repo: +# stage: main_secrets_in_repo +# script: +# - | +# pip install trufflehog +# cd ../ +# trufflehog capif --exclude_paths capif/cicd/exclusions --max_depth=5 +# <<: *main_common +# +## define the process to do linting code: Sonarque, ruff? +#main_linting_code: +# stage: main_linting_code +# script: +# - | +# echo "###ruff checks###" +# pip install ruff +# ruff check --config cicd/ruff.toml . 
|| true +# needs: ["main_secrets_in_repo"] +# <<: *main_common +# +#main_linting_docker: +# stage: main_linting_docker +# script: +# - | +# # Download hadolint binary +# wget https://github.com/hadolint/hadolint/releases/download/v2.8.0/hadolint-Linux-x86_64 -O hadolint +# +# # Make it executable +# chmod +x hadolint +# +# # Move it to your binaries folder +# mv hadolint ../ +# +# # Verify the installation +# echo "### hadolint version ###" +# ../hadolint --version +# +# # Array of service names +# SERVICES=("vault" "nginx" "register" "TS29222_CAPIF_Access_Control_Policy_API" "TS29222_CAPIF_API_Invoker_Management_API" +# "TS29222_CAPIF_API_Provider_Management_API" "TS29222_CAPIF_Auditing_API" "TS29222_CAPIF_Discover_Service_API" "TS29222_CAPIF_Events_API" +# "TS29222_CAPIF_Logging_API_Invocation_API" "TS29222_CAPIF_Publish_Service_API" "TS29222_CAPIF_Routing_Info_API" "TS29222_CAPIF_Security_API" +# "vault") +# +# # Loop over service names +# for SERVICE in "${SERVICES[@]}"; do +# echo "### $SERVICE ###" +# +# # Run hadolint on Dockerfile +# ../hadolint services/$SERVICE/Dockerfile || true +# +# echo "----------------------------------------------------" +# done +# +## artifacts: +## name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" +## when: always +## reports: +## codequality: +## - docker-lint.json +## interruptible: true +# needs: ["main_linting_code"] +# <<: *main_common +# +# +#main_cvs: +# needs: ["main_linting_docker"] +# stage: main_security +# script: +# - | +# # Install grype +# curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ../ +# +# # Print grype version +# echo "### grype version###" +# ../grype version +# +# # Create output directory if it doesn't exist +# DIRECTORY=./grype-outputs +# if [ ! 
-d "$DIRECTORY" ]; then +# mkdir $DIRECTORY +# echo "Directory created" +# else +# echo "Directory already exists" +# fi +# +# # Save current directory +# export TMP_PWD=$PWD +# echo "TMP_PWD=$TMP_PWD" +# +# # Array of image names +# IMAGE_NAMES=("nginx" "register" "TS29222_CAPIF_Access_Control_Policy_API" "TS29222_CAPIF_API_Invoker_Management_API" +# "TS29222_CAPIF_API_Provider_Management_API" "TS29222_CAPIF_Auditing_API" "TS29222_CAPIF_Discover_Service_API" +# "TS29222_CAPIF_Events_API" "TS29222_CAPIF_Logging_API_Invocation_API" "TS29222_CAPIF_Publish_Service_API" +# "TS29222_CAPIF_Routing_Info_API" "TS29222_CAPIF_Security_API" "vault") +# +# # Loop over image names +# for IMAGE_NAME in "${IMAGE_NAMES[@]}"; do +# # Convert SERVICE to lowercase +# IMAGE_LOWER=${IMAGE_NAME,,} +# +# echo "---- variable ----" +# echo "### build and push $IMAGE_NAME image###" +# +# # Navigate to service directory +# cd services/$IMAGE_NAME/ +# +# # Login to Docker registry +# docker login --username $CI_REGISTRY_USER --password $CAPIF_DOCKER_REGISTRY $CI_REGISTRY +# +# # Build Docker image +# docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/$IMAGE_LOWER:latest . 
+# +# # Navigate back to original directory +# cd $TMP_PWD +# +# echo "### Container Vulnerability Scanning $IMAGE_NAME###" +# +# # Scan Docker image with grype and save output to file +# #../grype $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/$IMAGE_LOWER:latest --scope all-layers > ./grype-outputs/grype_$IMAGE_NAME-latest.txt +# +# echo "----------------------------------------------------" +# done +# artifacts: +# untracked: false +# paths: +# - ./grype-outputs/*.txt +# when: on_success +# expire_in: "1 week" +# <<: *main_common +# +#main_semgrep_sast: +# needs: +# - main_linting_code +# - main_linting_docker +# stage: main_security +# extends: semgrep-sast +# variables: +# DOCKER_HOST: tcp://docker:2375 +# SAST_DEFAULT_ANALYZERS: bandit +# <<: *main_dnd +# +#gemnasium-python-dependency_scanning: +# stage: test +# before_script: +# - echo " ----- not run test stage -----" +# rules: +# - when: never +# +#main_gemnasium_python_sca: +# needs: +# - main_linting_code +# - main_linting_docker +# stage: staging_security +# extends: gemnasium-python-dependency_scanning +# variables: +# DS_ANALYZER_NAME: "gemnasium-python" +# <<: *main_dnd +# +#main_build_and_push: +# needs: ["main_security"] +# stage: main_build_and_push +# script: +# - export TMP_PWD=$PWD +# - echo "TMP_PWD=$TMP_PWD" +# - echo "### docker login###" +# - docker login --username $CI_REGISTRY_USER --password $CAPIF_DOCKER_REGISTRY $CI_REGISTRY +# - echo "----------------------------------------------------" +# - echo "### build and push nginx image###" +# - cd $TMP_PWD/services/nginx/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push register image###" +# - cd $TMP_PWD/services/register/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG . 
+# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Access_Control_Policy_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Access_Control_Policy_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_API_Invoker_Management_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_API_Invoker_Management_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_API_Provider_Management_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_API_Provider_Management_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Auditing_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Auditing_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG . 
+# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Discover_Service_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Discover_Service_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Events_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Events_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Logging_API_Invocation_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Logging_API_Invocation_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Publish_Service_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Publish_Service_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG . 
+# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Routing_Info_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Routing_Info_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push TS29222_CAPIF_Security_API image###" +# - cd $TMP_PWD/services/TS29222_CAPIF_Security_API/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push vault image###" +# - cd $TMP_PWD/services/vault/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push helper image###" +# - cd $TMP_PWD/services/helper/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG . +# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - echo "### build and push mock-server image###" +# - cd $TMP_PWD/services/mock_server/ +# - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG . 
+# - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG +# - echo "----------------------------------------------------" +# - docker logout $CI_REGISTRY +# <<: *main_common diff --git a/capif/templates/ci_staging.gitlab-ci.yml b/capif/templates/ci_staging.gitlab-ci.yml new file mode 100644 index 0000000000000000000000000000000000000000..ff560e09c0b2e67a425b29ad46055e017c19da03 --- /dev/null +++ b/capif/templates/ci_staging.gitlab-ci.yml 
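Review bot: Every one of the 279 added lines of `capif/templates/ci_main.gitlab-ci.yml` is commented out, so the file defines no job and reads as dead configuration with nothing telling a maintainer why it exists; if it is kept as a reference it needs a header such as `# Disabled: main-branch jobs are not wired in yet; see ci_dev/ci_staging for the live templates`, otherwise it should be dropped until it is needed. If it is later revived, the commented `docker login --username $CI_REGISTRY_USER --password $CAPIF_DOCKER_REGISTRY $CI_REGISTRY` in `main_cvs` and `main_build_and_push` passes the registry secret as a command-line argument, where it is exposed to the process list and, with shell tracing enabled, to the job log; the `echo "$CI_JOB_TOKEN" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin` form used by the dev template is the one to carry over.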
@@ -0,0 +1,428 @@ +stages: +# - staging_pulling_repo + - test # to Security and Compliance gitLab + - staging_pre_pipeline + - staging_secrets_in_repo + - staging_linting + - staging_unit_tests + - staging_security + - staging_build_and_push + - staging_build_and_push_mr + +variables: +# CI_JOB_TOKEN: $CI_JOB_TOKEN + CI_DEBUG_TRACE: "false" +# CI_REGISTRY_USER: $CI_REGISTRY_USER +# CI_REGISTRY: $CI_REGISTRY +# CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY + +.staging_common: &staging_common + only: + - merge_requests + except: + variables: + - $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "staging" + tags: + - shell + +.staging_dnd: &staging_dnd + allow_failure: true + rules: + - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "staging"' + when: always + - when: never + services: + - docker:24.0.5-dind + tags: + - docker-in-docker + +#staging_cancel_previous_action: +# stage: staging_pre_pipeline +# script: +# - | +# echo "### cancel previous actions in dev branchc ###" +# if [[ -n "$CI_JOB_TOKEN" ]]; then +# echo "Checking for running jobs in the same pipeline..." +# jobs=$(curl --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" "$GITLAB_API/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs") +# for job in $(echo "$jobs" | jq -r '.[] | @base64'); do +# _jq() { +# echo ${job} | base64 --decode | jq -r ${1} +# } +# status=$(_jq '.status') +# id=$(_jq '.id') +# if [[ "$status" == "running" ]] && [[ "$id" != "$CI_JOB_ID" ]]; then +# echo "Cancelling job $id" +# curl --request POST --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" "$GITLAB_API/projects/$CI_PROJECT_ID/jobs/$id/cancel" +# fi +# done +# fi +# <<: *staging_common + +staging_secrets_in_repo: + stage: staging_secrets_in_repo + script: + - | + pip install trufflehog + cd ../ + trufflehog capif --exclude_paths capif/cicd/exclusions --max_depth=5 +# needs: +# - staging_cancel_previous_action + <<: *staging_common + +# define the process to do linting code: Sonarque, ruff? 
+staging_linting_code: + stage: staging_linting + script: + - | + echo "###ruff checks###" + pip install ruff + ruff check --config cicd/ruff.toml . || true + needs: ["staging_secrets_in_repo"] + <<: *staging_common + +staging_linting_docker: + stage: staging_linting + script: + - | + # Download hadolint binary + wget https://github.com/hadolint/hadolint/releases/download/v2.8.0/hadolint-Linux-x86_64 -O hadolint + + # Make it executable + chmod +x hadolint + + # Move it to your binaries folder + mv hadolint ../ + + # Verify the installation + echo "### hadolint version ###" + ../hadolint --version + + # Array of service names + SERVICES=("celery" "nginx" "register" "TS29222_CAPIF_Access_Control_Policy_API" "TS29222_CAPIF_API_Invoker_Management_API" + "TS29222_CAPIF_API_Provider_Management_API" "TS29222_CAPIF_Auditing_API" "TS29222_CAPIF_Discover_Service_API" "TS29222_CAPIF_Events_API" + "TS29222_CAPIF_Logging_API_Invocation_API" "TS29222_CAPIF_Publish_Service_API" "TS29222_CAPIF_Routing_Info_API" "TS29222_CAPIF_Security_API" + "vault") + + # Loop over service names + for SERVICE in "${SERVICES[@]}"; do + echo "### $SERVICE ###" + + # Run hadolint on Dockerfile + ../hadolint services/$SERVICE/Dockerfile || true + + echo "----------------------------------------------------" + done + +# artifacts: +# name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" +# when: always +# reports: +# codequality: +# - docker-lint.json +# interruptible: true + <<: *staging_common + +staging_unit_tests: + needs: + - staging_linting_code + - staging_linting_docker + stage: staging_unit_tests + script: + - | + echo "------- Unit Tests -------" + <<: *staging_common + + +staging_grype_cvs: + needs: + - staging_unit_tests + stage: staging_security + script: + - | + # Install grype + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ../ + + # Print grype version + echo "### grype version###" + ../grype version + + # Create output 
directory if it doesn't exist + DIRECTORY=./grype-outputs + if [ ! -d "$DIRECTORY" ]; then + mkdir $DIRECTORY + echo "Directory created" + else + echo "Directory already exists" + fi + + # Save current directory + export TMP_PWD=$PWD + echo "TMP_PWD=$TMP_PWD" + + # Array of image names + IMAGE_NAMES=("nginx" "celery" "register" "TS29222_CAPIF_Access_Control_Policy_API" "TS29222_CAPIF_API_Invoker_Management_API" + "TS29222_CAPIF_API_Provider_Management_API" "TS29222_CAPIF_Auditing_API" "TS29222_CAPIF_Discover_Service_API" + "TS29222_CAPIF_Events_API" "TS29222_CAPIF_Logging_API_Invocation_API" "TS29222_CAPIF_Publish_Service_API" + "TS29222_CAPIF_Routing_Info_API" "TS29222_CAPIF_Security_API" "vault") + + # Loop over image names + for IMAGE_NAME in "${IMAGE_NAMES[@]}"; do + # Convert SERVICE to lowercase + IMAGE_LOWER=${IMAGE_NAME,,} + + echo "---- variable ----" + echo "### build and push $IMAGE_NAME image###" + + # Navigate to service directory + cd services/$IMAGE_NAME/ + + # Login to Docker registry + echo "$CI_JOB_TOKEN" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin + + # Build Docker image + docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/$IMAGE_LOWER:$CI_COMMIT_REF_SLUG . 
+ + # Navigate back to original directory + cd $TMP_PWD + + echo "### Container Vulnerability Scanning $IMAGE_NAME###" + + # Scan Docker image with grype and save output to file + ../grype $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/$IMAGE_LOWER:$CI_COMMIT_REF_SLUG --scope all-layers > ./grype-outputs/grype_$IMAGE_NAME-$CI_COMMIT_REF_SLUG.txt + + echo "----------------------------------------------------" + done + artifacts: + untracked: false + paths: + - ./grype-outputs/*.txt + when: on_success + expire_in: "1 week" + <<: *staging_common + +semgrep-sast: + stage: test + before_script: + - echo " ----- not run test stage -----" + rules: + - when: never + +staging_semgrep_sast: + needs: + - staging_unit_tests + stage: staging_security + extends: semgrep-sast + variables: +# DOCKER_DRIVER: overlay2 + DOCKER_HOST: tcp://docker:2375 +# SAST_EXCLUDED_ANALYZERS: "nodejs-scan-sast" + SAST_DEFAULT_ANALYZERS: bandit + <<: *staging_dnd + +gemnasium-python-dependency_scanning: + stage: test + before_script: + - echo " ----- not run test stage -----" + rules: + - when: never + +staging_gemnasium_python_sca: + needs: + - staging_unit_tests + stage: staging_security + extends: gemnasium-python-dependency_scanning + variables: + DS_ANALYZER_NAME: "gemnasium-python" + <<: *staging_dnd + +staging_build_and_push: + needs: + - staging_gemnasium_python_sca + - staging_semgrep_sast + - staging_grype_cvs + stage: staging_build_and_push + script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - echo "### docker login###" + - echo "$CI_JOB_TOKEN" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin + - echo "----------------------------------------------------" + - echo "### build and push nginx image###" + - cd $TMP_PWD/services/nginx/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push register image###" + - cd $TMP_PWD/services/register/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Access_Control_Policy_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Access_Control_Policy_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_API_Invoker_Management_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_API_Invoker_Management_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_API_Provider_Management_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_API_Provider_Management_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Auditing_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Auditing_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Discover_Service_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Discover_Service_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Events_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Events_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Logging_API_Invocation_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Logging_API_Invocation_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Publish_Service_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Publish_Service_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Routing_Info_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Routing_Info_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Security_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Security_API/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push vault image###" + - cd $TMP_PWD/services/vault/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push helper image###" + - cd $TMP_PWD/services/helper/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG . 
+ - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/helper:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push mock-server image###" + - cd $TMP_PWD/services/mock_server/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push celery image###" + - cd $TMP_PWD/services/celery/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - docker logout $CI_REGISTRY + <<: *staging_common + +### staging branch merged ### +staging_build_and_push_mr: + stage: staging_build_and_push_mr +# <<: *staging_common + rules: + - if: '$CI_COMMIT_REF_NAME == "staging"' + when: always + tags: + - shell + script: + - export TMP_PWD=$PWD + - echo "TMP_PWD=$TMP_PWD" + - echo "### docker login###" + - echo "$CI_JOB_TOKEN" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin + - echo "----------------------------------------------------" + - echo "### build and push nginx image###" + - cd $TMP_PWD/services/nginx/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/nginx:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/nginx:staging + - echo "----------------------------------------------------" + - echo "### build and push register image###" + - cd $TMP_PWD/services/register/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/register:staging . 
+ - docker push $CI_REGISTRY/ocf/capif/staging/register:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Access_Control_Policy_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Access_Control_Policy_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-access-control-policy-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-access-control-policy-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_API_Invoker_Management_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_API_Invoker_Management_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-api-invoker-management-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-api-invoker-management-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_API_Provider_Management_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_API_Provider_Management_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-api-provider-management-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-api-provider-management-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Auditing_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Auditing_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-auditing-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-auditing-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Discover_Service_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Discover_Service_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-discover-service-api:staging . 
+ - docker push $CI_REGISTRY/ocf/capif/staging/ocf-discover-service-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Events_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Events_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-events-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-events-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Logging_API_Invocation_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Logging_API_Invocation_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-logging-api-invocation-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-logging-api-invocation-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Publish_Service_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Publish_Service_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-publish-service-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-publish-service-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Routing_Info_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Routing_Info_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-routing-info-api:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/ocf-routing-info-api:staging + - echo "----------------------------------------------------" + - echo "### build and push TS29222_CAPIF_Security_API image###" + - cd $TMP_PWD/services/TS29222_CAPIF_Security_API/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/ocf-security-api:staging . 
+ - docker push $CI_REGISTRY/ocf/capif/staging/ocf-security-api:staging + - echo "----------------------------------------------------" + - echo "### build and push vault image###" + - cd $TMP_PWD/services/vault/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/vault:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/vault:staging + - echo "----------------------------------------------------" + - echo "### build and push helper image###" + - cd $TMP_PWD/services/helper/ + - docker build -t $CI_REGISTRY/ocf/capif/staging/helper:staging . + - docker push $CI_REGISTRY/ocf/capif/staging/helper:staging + - echo "----------------------------------------------------" + - echo "### build and push mock-server image###" + - cd $TMP_PWD/services/mock_server/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/mock-server:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - echo "### build and push celery image###" + - cd $TMP_PWD/services/celery/ + - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG . + - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/celery:$CI_COMMIT_REF_SLUG + - echo "----------------------------------------------------" + - docker logout $CI_REGISTRY \ No newline at end of file diff --git a/capif/templates/ci_unit_test.gitlab-ci.yml b/capif/templates/ci_unit_test.gitlab-ci.yml new file mode 100644 index 0000000000000000000000000000000000000000..74288a5eef2fa12d652762697411a9579733cd4d --- /dev/null +++ b/capif/templates/ci_unit_test.gitlab-ci.yml 
@@ -0,0 +1,25 @@
+stages:
+ - staging_unit_tests
+
+variables:
+# CI_JOB_TOKEN: $CI_JOB_TOKEN
+ CI_DEBUG_TRACE: "false"
+# CI_REGISTRY_USER: $CI_REGISTRY_USER
+# CI_REGISTRY: $CI_REGISTRY
+# CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY
+
+.staging_common: &staging_common
+ only:
+ - merge_requests
+ except:
+ variables:
+ - $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "staging"
+ tags:
+ - shell
+
+staging_unit_tests:
+ stage: staging_unit_tests
+ script:
+ - |
+ echo "------- Unit Tests -------"
+ <<: *staging_common
diff --git a/capif/templates/cicd-deploy-release.gitlab-ci.yml b/capif/templates/cicd-deploy-release.gitlab-ci.yml new file mode 100644
index 0000000000000000000000000000000000000000..c2fa43329b8b0ecf5b8069df1eb6328dff84e3ad
--- /dev/null
+++ b/capif/templates/cicd-deploy-release.gitlab-ci.yml
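Review bot: `staging_unit_tests` runs nothing but `echo "------- Unit Tests -------"`, so the `staging_unit_tests` stage turns green on every merge request into `staging` without a single test executing; until the real test runner is wired in, the script should carry a marker such as `# TODO: placeholder — no unit tests are executed yet` so the green check is not mistaken for coverage. The `.staging_common` anchor selects jobs with the deprecated `only`/`except` pair while the `cicd-deploy-release` template in the same commit already uses `rules:`; the equivalent here is `rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "staging"'`. `CI_DEBUG_TRACE: "false"` is the right default in this template: switching it on dumps every job variable, masked ones included, into the job log, so it should stay off wherever the job touches registry or cluster credentials.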
@@ -0,0 +1,293 @@
+stages:
+ - prod_build_and_push
+ - deploy_ocf_prod
+
+variables:
+# CI_JOB_TOKEN: $CI_JOB_TOKEN
+ CI_DEBUG_TRACE: "false"
+# CI_REGISTRY_USER: $CI_REGISTRY_USER
+# CI_REGISTRY: $CI_REGISTRY
+ CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY
+ NAMESPACE_PROD: "ocf-prod"
+ DOMAIN_PROD: ocf.production
+ PATH_PROD: prod
+
+# it will only run when a new tag that starts with ‘v{major.minor.patch}-release’ is pushed
+# to the repository.
+.release_common: &relase_common
+ rules:
+# - if: '$CI_COMMIT_TAG =~ /^.*-release$/'
+ - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+ tags:
+ - shell
+
+prod_build_and_push:
+ stage: prod_build_and_push
+ rules:
+ - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+-release$/'
+ when: always
+ - when: never
+ tags:
+ - shell
+ script:
+ - export TMP_PWD=$PWD
+ - echo "TMP_PWD=$TMP_PWD"
+ - echo "### docker login###"
+ - echo "$CI_JOB_TOKEN" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin
+ - echo "----------------------------------------------------"
+ - echo "### build and push nginx image###"
+ - cd $TMP_PWD/services/nginx/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/nginx:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/nginx:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push register image###"
+ - cd $TMP_PWD/services/register/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/register:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/register:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Access_Control_Policy_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Access_Control_Policy_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-access-control-policy-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-access-control-policy-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_API_Invoker_Management_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_API_Invoker_Management_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-invoker-management-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-invoker-management-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_API_Provider_Management_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_API_Provider_Management_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-provider-management-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-provider-management-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Auditing_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Auditing_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-auditing-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-auditing-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Discover_Service_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Discover_Service_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-discover-service-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-discover-service-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Events_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Events_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-events-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-events-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Logging_API_Invocation_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Logging_API_Invocation_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-logging-api-invocation-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-logging-api-invocation-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Publish_Service_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Publish_Service_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-publish-service-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-publish-service-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Routing_Info_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Routing_Info_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-routing-info-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-routing-info-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push TS29222_CAPIF_Security_API image###"
+ - cd $TMP_PWD/services/TS29222_CAPIF_Security_API/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-security-api:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-security-api:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push vault image###"
+ - cd $TMP_PWD/services/vault/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/vault:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/vault:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push helper image###"
+ - cd $TMP_PWD/services/helper/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/helper:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/helper:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push mock-server image###"
+ - cd $TMP_PWD/services/mock_server/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/mock-server:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/mock-server:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - echo "### build and push celery image###"
+ - cd $TMP_PWD/services/celery/
+ - docker build -t $CI_REGISTRY/ocf/capif/$PATH_PROD/celery:$CI_COMMIT_TAG .
+ - docker push $CI_REGISTRY/ocf/capif/$PATH_PROD/celery:$CI_COMMIT_TAG
+ - echo "----------------------------------------------------"
+ - docker logout $CI_REGISTRY
+
+
+deploy_ocf_prod:
+ stage: deploy_ocf_prod
+ before_script:
+ - echo "--- cluster production ---"
+ - export KUBECONFIG=$KUBECONFIG_PROD
+ - kubectl cluster-info
+ needs:
+ - prod_build_and_push
+ <<: *relase_common
+ environment:
+ name: review/production
+ url: https://$NAMESPACE_PROD.$DOMAIN_PROD
+ script:
+ - |
+ echo "------ A release has been created! 
-------" + helm version + kubectl version --output=yaml + echo "### setting kubeconfig###" + whoami + kubectl cluster-info + yq --version + ls -rtt helm/capif + cat helm/capif/Chart.yaml + yq e -i ".appVersion = \"prod\"" helm/capif/Chart.yaml + cat helm/capif/Chart.yaml + + charts=("mock-server" "nginx" "ocf-access-control-policy" + "ocf-api-invocation-logs" "ocf-api-invoker-management" + "ocf-api-provider-management" "ocf-auditing-api-logs" + "ocf-discover-service-api" "ocf-events" "ocf-helper" + "ocf-publish-service-api" "ocf-register" "ocf-routing-info" + "ocf-security" "celery-beat" "celery-worker") + + for chart in "${charts[@]}"; do + yq e -i ".appVersion = \"$CI_COMMIT_TAG\"" "helm/capif/charts/$chart/Chart.yaml" + done + + + echo "### download dependencies###" + helm dependency build helm/capif + echo "### updating capif###" + helm upgrade --install -n $NAMESPACE_PROD ocf-prod helm/capif/ \ + --set grafana.enabled=true \ + --set grafana.ingress.enabled=true \ + --set grafana.ingress.hosts[0].host=ocf-mon-prod.$DOMAIN_PROD \ + --set grafana.ingress.hosts[0].paths[0].path="/" \ + --set grafana.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set grafana.env.prometheusUrl=http://prometheus.$DOMAIN_PROD \ + --set grafana.env.tempoUrl="http://ocf-prod-tempo:3100" \ + --set fluentbit.enabled=true \ + --set loki.enabled=true \ + --set tempo.tempo.metricsGenerator.remoteWriteUrl=http://prometheus.$DOMAIN_PROD/api/v1/write \ + --set otelcollector.enabled=true \ + --set otelcollector.configMap.tempoEndpoint=ocf-prod-tempo:4317 \ + --set ocf-access-control-policy.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-access-control-policy-api \ + --set ocf-access-control-policy.image.tag=$CI_COMMIT_TAG \ + --set ocf-access-control-policy.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-access-control-policy.monitoring="true" \ + --set ocf-api-invocation-logs.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-logging-api-invocation-api \ + --set 
ocf-api-invocation-logs.image.tag=$CI_COMMIT_TAG \ + --set ocf-api-invocation-logs.env.monitoring="true" \ + --set ocf-api-invocation-logs.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-api-invoker-management.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-invoker-management-api \ + --set ocf-api-invoker-management.image.tag=$CI_COMMIT_TAG \ + --set ocf-api-invoker-management.env.monitoring="true" \ + --set ocf-api-invoker-management.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-api-invoker-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-api-provider-management.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-api-provider-management-api \ + --set ocf-api-provider-management.image.tag=$CI_COMMIT_TAG \ + --set ocf-api-provider-management.env.monitoring="true" \ + --set ocf-api-provider-management.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-api-provider-management.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \ + --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-events.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-events-api \ + --set ocf-events.image.tag=$CI_COMMIT_TAG \ + --set ocf-events.env.monitoring="true" \ + --set ocf-events.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-routing-info.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-routing-info-api \ + --set ocf-routing-info.image.tag=$CI_COMMIT_TAG \ + --set ocf-routing-info.env.monitoring="true" \ + --set ocf-security.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-security-api 
\ + --set ocf-security.image.tag=$CI_COMMIT_TAG \ + --set ocf-security.env.monitoring="true" \ + --set ocf-security.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-security.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-security.env.vaultPort=$VAULT_PORT \ + --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-register.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/register \ + --set ocf-register.image.tag=$CI_COMMIT_TAG \ + --set ocf-register.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-register.env.vaultPort=$VAULT_PORT \ + --set ocf-register.env.mongoHost=mongo-register \ + --set ocf-register.env.mongoPort=27017 \ + --set ocf-register.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-register.ingress.enabled=true \ + --set ocf-register.ingress.hosts[0].host=register-prod.$DOMAIN_PROD \ + --set ocf-register.ingress.hosts[0].paths[0].path="/" \ + --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set ocf-auditing-api-logs.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-auditing-api \ + --set ocf-auditing-api-logs.image.tag=$CI_COMMIT_TAG \ + --set ocf-auditing-api-logs.env.monitoring="true" \ + --set ocf-publish-service-api.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-publish-service-api \ + --set ocf-publish-service-api.image.tag=$CI_COMMIT_TAG \ + --set ocf-publish-service-api.env.monitoring="true" \ + --set ocf-publish-service-api.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set ocf-discover-service-api.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/ocf-discover-service-api \ + --set ocf-discover-service-api.image.tag=$CI_COMMIT_TAG \ + --set ocf-discover-service-api.env.monitoring="true" \ + --set nginx.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/nginx \ + --set nginx.image.tag=$CI_COMMIT_TAG \ + --set nginx.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set 
nginx.env.vaultHostname=$VAULT_HOSTNAME \ + --set nginx.env.vaultPort=$VAULT_PORT \ + --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set nginx.ingress.enabled=true \ + --set nginx.ingress.hosts[0].host=capif-prod.$DOMAIN_PROD \ + --set nginx.ingress.hosts[0].paths[0].path="/" \ + --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set ocf-helper.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/helper \ + --set ocf-helper.image.tag=$CI_COMMIT_TAG \ + --set ocf-helper.env.vaultHostname=$VAULT_HOSTNAME \ + --set ocf-helper.env.vaultPort=$VAULT_PORT \ + --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD \ + --set ocf-helper.env.capifHostname=capif-prod.$DOMAIN_PROD \ + --set mock-server.enabled=true \ + --set mock-server.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/mock-server \ + --set mock-server.image.tag=$CI_COMMIT_TAG \ + --set mock-server.ingress.enabled=true \ + --set mock-server.ingress.hosts[0].host=mock-server-prod.$DOMAIN_PROD \ + --set mock-server.ingress.hosts[0].paths[0].path="/" \ + --set mock-server.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mongo.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo.image.tag=6.0.2 \ + --set mongo.busybox.repository=labs.etsi.org:5050/ocf/capif/busybox \ + --set mongo.busybox.tag=1.37.0 \ + --set mongo-register.image.repository=labs.etsi.org:5050/ocf/capif/mongo \ + --set mongo-register.image.tag=6.0.2 \ + --set mongo-register-express.enabled=true \ + --set mongo-register-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-register-express.image.tag=1.0.0-alpha.4 \ + --set mongo-register-express.ingress.enabled=true \ + --set mongo-register-express.ingress.hosts[0].host="mongo-express-register-prod.$DOMAIN_PROD" \ + --set mongo-register-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-register-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set mongo-express.enabled=true \ + --set 
mongo-express.image.repository=labs.etsi.org:5050/ocf/capif/mongo-express \ + --set mongo-express.image.tag=1.0.0-alpha.4 \ + --set mongo-express.ingress.enabled=true \ + --set mongo-express.ingress.hosts[0].host="mongo-express-prod.$DOMAIN_PROD" \ + --set mongo-express.ingress.hosts[0].paths[0].path="/" \ + --set mongo-express.ingress.hosts[0].paths[0].pathType="Prefix" \ + --set redis.image.repository=labs.etsi.org:5050/ocf/capif/redis \ + --set redis.image.tag=7.4.2-alpine \ + --set celery-beat.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/celery \ + --set celery-beat.image.tag=$CI_COMMIT_TAG \ + --set celery-beat.env.celeryModel=beat \ + --set celery-beat.env.redisHost=redis \ + --set celery-beat.env.redisPort=6379 \ + --set celery-beat.env.logLevel="DEBUG" \ + --set celery-worker.image.repository=$CI_REGISTRY/ocf/capif/$PATH_PROD/celery \ + --set celery-worker.image.tag=$CI_COMMIT_TAG \ + --set celery-worker.env.celeryModel=worker \ + --set celery-worker.env.redisHost=redis \ + --set celery-worker.env.redisPort=6379 \ + --set celery-worker.env.logLevel="DEBUG" \ + --wait --timeout=10m --create-namespace --atomic \ No newline at end of file
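Review bot: `deploy_ocf_prod` hands `$VAULT_ACCESS_TOKEN_PROD` to `helm upgrade` through `--set ...vaultAccessToken=$VAULT_ACCESS_TOKEN_PROD` for seven subcharts, which places the production Vault token in the runner's process arguments and persists it in the Helm release values inside the cluster, where `helm get values` returns it in clear to anyone able to read Secrets in `ocf-prod`; creating a Kubernetes Secret from the CI variable and referencing it by name from the charts keeps the token out of both. The same release enables `mongo-express` and `mongo-register-express` behind public ingress hosts and sets `celery-*.env.logLevel="DEBUG"`, which looks carried over from the staging template; for a tag-driven production deploy these should presumably be `false` and `INFO` unless that exposure is intended. Between `prod_build_and_push` and the deploy no job scans the freshly built `:$CI_COMMIT_TAG` images, so a container-scanning job listed in `needs:` would be the natural gate before production. Minor: `prod_build_and_push` restates the tag rule inline instead of merging `<<: *relase_common` as `deploy_ocf_prod` does, and the anchor is spelled `relase_common` while its key is `.release_common`.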