diff --git a/ci/partials/build-redirects.yml b/ci/partials/build-redirects.yml
new file mode 100644
index 0000000..74afcda
--- /dev/null
+++ b/ci/partials/build-redirects.yml
@@ -0,0 +1,7 @@
+platform: linux
+inputs: [name: src]
+outputs: [name: src]
+run:
+ dir: src
+ path: bash
+ args: [-c, npm run build-redirects]
diff --git a/ci/partials/cancel-deployment.yml b/ci/partials/cancel-deployment.yml
new file mode 100644
index 0000000..6356691
--- /dev/null
+++ b/ci/partials/cancel-deployment.yml
@@ -0,0 +1,5 @@
+platform: linux
+inputs: [name: src]
+run:
+ dir: src
+ path: ci/tasks/cancel-deployment.sh
diff --git a/ci/partials/deploy.yml b/ci/partials/deploy.yml
new file mode 100644
index 0000000..9876758
--- /dev/null
+++ b/ci/partials/deploy.yml
@@ -0,0 +1,5 @@
+platform: linux
+inputs: [name: src]
+run:
+ dir: src
+ path: ci/tasks/deploy.sh
diff --git a/ci/partials/restage.yml b/ci/partials/restage.yml
new file mode 100644
index 0000000..ab4c309
--- /dev/null
+++ b/ci/partials/restage.yml
@@ -0,0 +1,5 @@
+platform: linux
+inputs: [name: src]
+run:
+ dir: src
+ path: ci/tasks/restage.sh
diff --git a/ci/partials/test-integrations.yml b/ci/partials/test-integrations.yml
index 1524da2..cfbeafc 100644
--- a/ci/partials/test-integrations.yml
+++ b/ci/partials/test-integrations.yml
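Review bot: None of the four new task configs (build-redirects.yml, cancel-deployment.yml, deploy.yml, restage.yml) declares an `image_resource`, so each one only runs when the calling step supplies `image:`. Nothing in the files says so, and nothing says which image each script expects. I would open each file with a comment such as `# no image_resource here: the calling step must set image: (cf-image)`, using `node` for build-redirects.yml. The parameters the scripts read (for example `SITE_REDIRECTS`) are also set only in the pipeline, so the same header could list them.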
@@ -10,16 +10,22 @@ image_resource: inputs: - name: src - name: nginx + - name: node-oci run: dir: src path: ci/docker/entrypoint.sh + # the docker tag commands tag our hardened images with the name of + # docker registry images used in the local compose file for ease + # of test running args: - bash - -ceux - | pushd .. - docker load -i nginx/image - docker tag "$(cat nginx/image-id)" "$(cat nginx/repository):$(cat nginx/tag)" + docker load -i nginx/image.tar + docker tag "$(cat nginx/repository):$(cat nginx/tag)" openresty/openresty:1.19.9.1-4-buster + docker load -i node-oci/image.tar + docker tag "$(cat node-oci/repository):$(cat node-oci/tag)" node:20 popd docker-compose -f docker-compose.yml run --no-deps app npm install docker-compose -f docker-compose.yml run --no-deps app npm run parse:integration diff --git a/ci/partials/test-mocks.yml b/ci/partials/test-mocks.yml index 057066d..b7ec9d1 100644 --- a/ci/partials/test-mocks.yml +++ b/ci/partials/test-mocks.yml @@ -10,16 +10,22 @@ image_resource: inputs: - name: src - name: nginx + - name: node-oci run: dir: src path: ci/docker/entrypoint.sh + # the docker tag commands tag our hardened images with the name of + # docker registry images used in the local compose file for ease + # of test running args: - bash - -ceux - | pushd .. - docker load -i nginx/image - docker tag "$(cat nginx/image-id)" "$(cat nginx/repository):$(cat nginx/tag)" + docker load -i nginx/image.tar + docker tag "$(cat nginx/repository):$(cat nginx/tag)" openresty/openresty:1.19.9.1-4-buster + docker load -i node-oci/image.tar + docker tag "$(cat node-oci/repository):$(cat node-oci/tag)" node:20 popd docker-compose -f docker-compose.yml run --no-deps app npm install docker-compose -f docker-compose.yml run --no-deps app npm run parse diff --git a/ci/pipeline-dev.yml b/ci/pipeline-dev.yml index 9fbc9f6..2e82b97 100644 --- a/ci/pipeline-dev.yml +++ b/ci/pipeline-dev.yml 
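Review bot: The retag targets `openresty/openresty:1.19.9.1-4-buster` and `node:20` are hard-coded in the script and have to match the `image:` entries in docker-compose.yml exactly. If the compose file is bumped without this script, the name will not exist locally and docker-compose will presumably pull the public image, so this privileged task would run the tests against an unhardened image without failing. The new comment explains the intent but not that coupling; I would add `# keep these names in sync with the image: entries in docker-compose.yml`. A guard after `popd` such as `grep -q 'image: node:20' docker-compose.yml` would turn drift into a failed build, since the script already runs with `-e`. The same two tag lines are repeated in ci/partials/test-mocks.yml, and the `run:` block extends beyond both hunks.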
@@ -10,43 +10,6 @@ env-cf: &env-cf CF_SPACE: ((deploy-env)) CF_STACK: cflinuxfs4 -node-image: &node-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: pages-node-v20 - aws_region: us-gov-west-1 - tag: latest - -cf-image: &cf-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: harden-concourse-task - aws_region: us-gov-west-1 - tag: ((harden-concourse-task-tag)) - -test: &test - - in_parallel: - - get: nginx - params: { save: true } - - in_parallel: - - task: test-mock - privileged: true - file: src/ci/partials/test-mocks.yml - - task: test-integration - privileged: true - params: - DEDICATED_AWS_ACCESS_KEY_ID: ((dedicated-aws-access-key-id)) - DEDICATED_AWS_SECRET_ACCESS_KEY: ((dedicated-aws-secret-access-key)) - file: src/ci/partials/test-integrations.yml - ############################ # JOBS 
@@ -68,25 +31,33 @@ jobs: resource: pr-((git-branch)) passed: [set-pipeline] trigger: true - - do: *test + - get: nginx + params: + format: oci + - get: node + - get: node-oci + resource: node + params: + format: oci + - get: cf-image + - in_parallel: + - task: test-mock + privileged: true + file: src/ci/partials/test-mocks.yml + - task: test-integration + privileged: true + params: + DEDICATED_AWS_ACCESS_KEY_ID: ((dedicated-aws-access-key-id)) + DEDICATED_AWS_SECRET_ACCESS_KEY: ((dedicated-aws-secret-access-key)) + file: src/ci/partials/test-integrations.yml - task: build-redirects - config: - <<: *node-image - inputs: [name: src] - outputs: [name: src] - params: - SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - run: - dir: src - path: bash - args: [-c, npm run build-redirects] + image: node + file: src/ci/partials/build-redirects.yml + params: + SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - task: deploy - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/deploy.sh + image: cf-image + file: src/ci/partials/deploy.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -95,12 +66,8 @@ jobs: on_failure: try: task: cancel-api-deployment - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/cancel-deployment.sh + image: cf-image + file: src/ci/partials/cancel-deployment.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -130,15 +97,12 @@ jobs: - get: src resource: pr-((git-branch)) passed: [set-pipeline] + - get: cf-image - get: nightly trigger: true - task: restage - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/restage.sh + image: cf-image + file: src/ci/partials/restage.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) 
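Review bot: The new `get` steps for `nginx`, `node`, `node-oci` and `cf-image` run one after another, whereas the removed `*test` anchor fetched `nginx` inside `in_parallel`. Putting them under a single `- in_parallel:` step would keep job start-up short, and the same applies to the gets added in ci/pipeline.yml. This file now inlines the two test tasks while ci/pipeline.yml still uses `- do: *test`, so the pipelines have to be kept in step by hand. A short comment above the inlined block, for example `# mirrors the test anchor in ci/pipeline.yml`, would flag that. The job continues outside the hunk.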
@@ -165,16 +129,37 @@ resources: location: America/New_York - name: nginx - type: docker-image + type: registry-image source: - repository: nginx - tag: 1 + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-nginx-v1 + aws_region: us-gov-west-1 + tag: latest - name: slack type: slack-notification source: url: ((slack-webhook-url)) + - name: node + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-node-v20 + aws_region: us-gov-west-1 + tag: latest + + - name: cf-image + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: general-task + aws_region: us-gov-west-1 + tag: latest + ############################ # RESOURCE TYPES @@ -206,3 +191,12 @@ resource_types: repository: time-resource aws_region: us-gov-west-1 tag: latest + + - name: registry-image + type: registry-image + source: + aws_access_key_id: ((ecr_aws_key)) + aws_secret_access_key: ((ecr_aws_secret)) + repository: registry-image-resource + aws_region: us-gov-west-1 + tag: latest diff --git a/ci/pipeline.yml b/ci/pipeline.yml index fb76e9e..8eebc74 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -10,32 +10,7 @@ env-cf: &env-cf CF_SPACE: ((deploy-env)) CF_STACK: cflinuxfs4 -node-image: &node-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: pages-node-v20 - aws_region: us-gov-west-1 - tag: latest - -cf-image: &cf-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: harden-concourse-task - aws_region: us-gov-west-1 - tag: ((harden-concourse-task-tag)) - test: &test - - in_parallel: - - get: nginx - params: {save: true} - in_parallel: - task: test-mock privileged: true 
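Review bot: The `cf-image` resource tracks `general-task` at `tag: latest`, whereas the removed `&cf-image` anchor took its tag from `((harden-concourse-task-tag))`. The deploy, cancel-deployment and restage tasks receive the `env-cf` parameters, and they will now run on whatever was last pushed to that repository. If the earlier pinning was deliberate, keep the tag behind a pipeline var (name to be chosen by the team) or pin a versioned tag. Otherwise a comment such as `# latest is intentional: image is rebuilt and scanned by the hardening pipeline` would record the decision. `nginx` and `node` use `latest` as well, and the same resources are added in ci/pipeline.yml.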
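Review bot: The new `registry-image` resource type spells its credentials `((ecr_aws_key))` and `((ecr_aws_secret))`, while every resource added in this commit uses `((ecr-aws-key))` and `((ecr-aws-secret))`. The neighbouring resource types are outside the hunk, so this may follow an existing convention; if it does not, the type cannot resolve its credentials and no `registry-image` resource will check. The type is also named after the type it is built from, which is worth a comment such as `# overrides the built-in registry-image type with our ECR build`. The identical block is added to ci/pipeline.yml.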
@@ -77,7 +52,14 @@ jobs: status: pending base_context: concourse context: test-pr-proxy-((deploy-env)) - + - get: nginx + params: + format: oci + - get: node + - get: node-oci + resource: node + params: + format: oci - do: *test on_failure: @@ -105,25 +87,24 @@ jobs: passed: [set-pipeline] trigger: true params: {depth: 1} + - get: cf-image + - get: nginx + params: + format: oci + - get: node + - get: node-oci + resource: node + params: + format: oci - do: *test - task: build-redirects - config: - <<: *node-image - inputs: [name: src] - outputs: [name: src] - params: - SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - run: - dir: src - path: bash - args: [-c, npm run build-redirects] + image: node + file: src/ci/partials/build-redirects.yml + params: + SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - task: deploy - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/deploy.sh + image: cf-image + file: src/ci/partials/deploy.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -132,12 +113,8 @@ jobs: on_failure: try: task: cancel-api-deployment - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/cancel-deployment.sh + image: cf-image + file: src/ci/partials/cancel-deployment.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -170,13 +147,10 @@ jobs: params: {depth: 1} - get: nightly trigger: true + - get: cf-image - task: restage - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/restage.sh + image: cf-image + file: src/ci/partials/restage.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) 
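Review bot: In the first hunk, the plain `- get: node` added before `- do: *test` looks unused in this job. The test task files declare `nginx` and `node-oci` as inputs, and their hunk headers show they already have their own `image_resource`. No step visible in that hunk sets `image: node`, so the fetch only adds an image pull to every PR test run. If nothing outside the hunk needs it, drop that line and keep `- get: node-oci` with `resource: node` and `format: oci`. In the later job, where `build-redirects` uses `image: node`, the get is needed.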
@@ -212,16 +186,38 @@ resources: location: America/New_York - name: nginx - type: docker-image + type: registry-image source: - repository: nginx - tag: 1 + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-nginx-v1 + aws_region: us-gov-west-1 + tag: latest - name: slack type: slack-notification source: url: ((slack-webhook-url)) + - name: node + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-node-v20 + aws_region: us-gov-west-1 + tag: latest + + - name: cf-image + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: general-task + aws_region: us-gov-west-1 + tag: latest + + ############################ # RESOURCE TYPES @@ -262,3 +258,12 @@ resource_types: repository: time-resource aws_region: us-gov-west-1 tag: latest + + - name: registry-image + type: registry-image + source: + aws_access_key_id: ((ecr_aws_key)) + aws_secret_access_key: ((ecr_aws_secret)) + repository: registry-image-resource + aws_region: us-gov-west-1 + tag: latest diff --git a/docker-compose.yml b/docker-compose.yml index 1616975..bcc74ad 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,7 +21,7 @@ services: depends_on: - mock-dedicated app: - image: node:18 + image: node:20 volumes: - .:/app working_dir: /app