From 619c5a59f055f125d6e81e6383db9f14591401ac Mon Sep 17 00:00:00 2001 From: Andrew Burnes Date: Tue, 12 Mar 2024 12:21:22 -0700 Subject: [PATCH 1/3] chore(ci): Switch to general-task and registry-image for CI jobs --- ci/pipeline-dev.yml | 13 +++++++++++-- ci/pipeline.yml | 13 +++++++++++-- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/ci/pipeline-dev.yml b/ci/pipeline-dev.yml index 9fbc9f6..dcc47ce 100644 --- a/ci/pipeline-dev.yml +++ b/ci/pipeline-dev.yml @@ -28,9 +28,9 @@ cf-image: &cf-image source: aws_access_key_id: ((ecr-aws-key)) aws_secret_access_key: ((ecr-aws-secret)) - repository: harden-concourse-task + repository: general-task aws_region: us-gov-west-1 - tag: ((harden-concourse-task-tag)) + tag: latest test: &test - in_parallel: @@ -206,3 +206,12 @@ resource_types: repository: time-resource aws_region: us-gov-west-1 tag: latest + + - name: registry-image + type: registry-image + source: + aws_access_key_id: ((ecr_aws_key)) + aws_secret_access_key: ((ecr_aws_secret)) + repository: registry-image-resource + aws_region: us-gov-west-1 + tag: latest diff --git a/ci/pipeline.yml b/ci/pipeline.yml index fb76e9e..43cb7d0 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -28,9 +28,9 @@ cf-image: &cf-image source: aws_access_key_id: ((ecr-aws-key)) aws_secret_access_key: ((ecr-aws-secret)) - repository: harden-concourse-task + repository: general-task aws_region: us-gov-west-1 - tag: ((harden-concourse-task-tag)) + tag: latest test: &test - in_parallel: @@ -262,3 +262,12 @@ resource_types: repository: time-resource aws_region: us-gov-west-1 tag: latest + + - name: registry-image + type: registry-image + source: + aws_access_key_id: ((ecr_aws_key)) + aws_secret_access_key: ((ecr_aws_secret)) + repository: registry-image-resource + aws_region: us-gov-west-1 + tag: latest From 4185caaef8caaa8a3b991a781927d6b92521e6f5 Mon Sep 17 00:00:00 2001 
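Review bot: The task image tag in the `cf-image` anchor goes from the pipeline parameter `((harden-concourse-task-tag))` to the fixed, mutable `tag: latest`, so the anchor now runs whatever was last pushed to the `general-task` repository and the pipeline itself no longer offers a way to pin or roll back that image. Keeping a parameter with `latest` as its default, for example `tag: ((general-task-tag))` (name constructed), preserves the previous pinning ability, and logging the digest the resource fetched makes it possible to trace which image produced a given deploy. The matching hunk of ci/pipeline.yml in this patch makes the same change.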
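Review bot: The new `registry-image` resource type reads its ECR credentials from `((ecr_aws_key))` and `((ecr_aws_secret))`, while the `cf-image` source earlier in the same file uses `((ecr-aws-key))` and `((ecr-aws-secret))`; unless an underscore-named credential pair is deliberately provisioned, the check for this resource type should fail with a missing-variable error when the pipeline is set. If the hyphenated names are the intended ones, the two lines become `aws_access_key_id: ((ecr-aws-key))` and `aws_secret_access_key: ((ecr-aws-secret))`. This definition also overrides the built-in `registry-image` type with an ECR-hosted copy tracked at `tag: latest`, so every resource of that type in the pipeline floats with that image; a comment stating that this is the intent (matching the `time-resource` entry above it) would help the next reader. The matching hunk in ci/pipeline.yml uses the same underscore credential names.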
From: Drew Bollinger
Date: Fri, 10 May 2024 12:23:11 -0700
Subject: [PATCH 2/3] chore: container hardening
---
ci/partials/build-redirects.yml | 7 ++
ci/partials/cancel-deployment.yml | 5 ++
ci/partials/deploy.yml | 5 ++
ci/partials/restage.yml | 5 ++
ci/pipeline-dev.yml | 109 ++++++++++++------------
ci/pipeline.yml | 86 +++++++++--------------
6 files changed, 98 insertions(+), 119 deletions(-)
create mode 100644 ci/partials/build-redirects.yml
create mode 100644 ci/partials/cancel-deployment.yml
create mode 100644 ci/partials/deploy.yml
create mode 100644 ci/partials/restage.yml
diff --git a/ci/partials/build-redirects.yml b/ci/partials/build-redirects.yml
new file mode 100644
index 0000000..74afcda
--- /dev/null
+++ b/ci/partials/build-redirects.yml
@@ -0,0 +1,7 @@
+platform: linux
+inputs: [name: src]
+outputs: [name: src]
+run:
+ dir: src
+ path: bash
+ args: [-c, npm run build-redirects]
diff --git a/ci/partials/cancel-deployment.yml b/ci/partials/cancel-deployment.yml
new file mode 100644
index 0000000..6356691
--- /dev/null
+++ b/ci/partials/cancel-deployment.yml
@@ -0,0 +1,5 @@
+platform: linux
+inputs: [name: src]
+run:
+ dir: src
+ path: ci/tasks/cancel-deployment.sh
diff --git a/ci/partials/deploy.yml b/ci/partials/deploy.yml
new file mode 100644
index 0000000..9876758
--- /dev/null
+++ b/ci/partials/deploy.yml
@@ -0,0 +1,5 @@
+platform: linux
+inputs: [name: src]
+run:
+ dir: src
+ path: ci/tasks/deploy.sh
diff --git a/ci/partials/restage.yml b/ci/partials/restage.yml
new file mode 100644
index 0000000..ab4c309
--- /dev/null
+++ b/ci/partials/restage.yml
@@ -0,0 +1,5 @@
+platform: linux
+inputs: [name: src]
+run:
+ dir: src
+ path: ci/tasks/restage.sh
diff --git a/ci/pipeline-dev.yml b/ci/pipeline-dev.yml
index dcc47ce..7c02e8b 100644
--- a/ci/pipeline-dev.yml
+++ b/ci/pipeline-dev.yml
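Review bot: The new task file ci/partials/build-redirects.yml declares no `image_resource`, so it is only valid when the calling step supplies `image:` as the pipeline hunks in this patch do, and nothing in the file says so; a header comment such as `# Image is supplied by the calling job's image: key; this file is not runnable on its own` would make that contract explicit, and the same applies to the cancel-deployment, deploy and restage partials created here. Separately, `path: bash` with `args: [-c, npm run build-redirects]` adds a shell layer the command does not need; `path: npm` with `args: [run, build-redirects]` runs the same script without passing the command line through bash.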
@@ -10,43 +10,6 @@ env-cf: &env-cf CF_SPACE: ((deploy-env)) CF_STACK: cflinuxfs4 -node-image: &node-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: pages-node-v20 - aws_region: us-gov-west-1 - tag: latest - -cf-image: &cf-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: general-task - aws_region: us-gov-west-1 - tag: latest - -test: &test - - in_parallel: - - get: nginx - params: { save: true } - - in_parallel: - - task: test-mock - privileged: true - file: src/ci/partials/test-mocks.yml - - task: test-integration - privileged: true - params: - DEDICATED_AWS_ACCESS_KEY_ID: ((dedicated-aws-access-key-id)) - DEDICATED_AWS_SECRET_ACCESS_KEY: ((dedicated-aws-secret-access-key)) - file: src/ci/partials/test-integrations.yml - ############################ # JOBS 
@@ -68,25 +31,28 @@ jobs: resource: pr-((git-branch)) passed: [set-pipeline] trigger: true - - do: *test + - get: nginx + params: { save: true } + - get: node + - get: cf-image + - in_parallel: + - task: test-mock + privileged: true + file: src/ci/partials/test-mocks.yml + - task: test-integration + privileged: true + params: + DEDICATED_AWS_ACCESS_KEY_ID: ((dedicated-aws-access-key-id)) + DEDICATED_AWS_SECRET_ACCESS_KEY: ((dedicated-aws-secret-access-key)) + file: src/ci/partials/test-integrations.yml - task: build-redirects - config: - <<: *node-image - inputs: [name: src] - outputs: [name: src] - params: - SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - run: - dir: src - path: bash - args: [-c, npm run build-redirects] + image: node + file: src/ci/partials/build-redirects.yml + params: + SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - task: deploy - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/deploy.sh + image: cf-image + file: src/ci/partials/deploy.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -95,12 +61,8 @@ jobs: on_failure: try: task: cancel-api-deployment - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/cancel-deployment.sh + image: cf-image + file: src/ci/partials/cancel-deployment.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -130,15 +92,12 @@ jobs: - get: src resource: pr-((git-branch)) passed: [set-pipeline] + - get: cf-image - get: nightly trigger: true - task: restage - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/restage.sh + image: cf-image + file: src/ci/partials/restage.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) 
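Review bot: The `get` steps added at the top of the job (`nginx`, `node`, `cf-image`) run one after another, whereas the `test` anchor this hunk replaces fetched under `in_parallel:`; wrapping the new gets in an `in_parallel:` block keeps the previous fetch concurrency, and the same sequential pattern recurs in the ci/pipeline.yml hunks of patch 3/3. The `privileged: true` on `test-mock` and `test-integration` is moved rather than new, but since it now lands inline in the job a short comment above it such as `# privileged: the test partials load images and run docker-compose inside the container` would document why the elevated mode is required and keep it visible in review. Inlining the tests here while ci/pipeline.yml keeps its `test` anchor in this same patch means the two pipelines now diverge structurally; that may be intentional for the dev pipeline, but it is worth a note so future edits to the test steps are made in both places. The job definition starts and ends outside this hunk.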
@@ -175,6 +134,24 @@ resources: source: url: ((slack-webhook-url)) + - name: node + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-node-v20 + aws_region: us-gov-west-1 + tag: latest + + - name: cf-image + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: general-task + aws_region: us-gov-west-1 + tag: latest + ############################ # RESOURCE TYPES diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 43cb7d0..ffb3087 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -10,32 +10,9 @@ env-cf: &env-cf CF_SPACE: ((deploy-env)) CF_STACK: cflinuxfs4 -node-image: &node-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: pages-node-v20 - aws_region: us-gov-west-1 - tag: latest - -cf-image: &cf-image - platform: linux - image_resource: - type: registry-image - source: - aws_access_key_id: ((ecr-aws-key)) - aws_secret_access_key: ((ecr-aws-secret)) - repository: general-task - aws_region: us-gov-west-1 - tag: latest - test: &test - - in_parallel: - - get: nginx - params: {save: true} + - get: nginx + params: {save: true} - in_parallel: - task: test-mock privileged: true 
@@ -105,25 +82,16 @@ jobs: passed: [set-pipeline] trigger: true params: {depth: 1} + - get: node - do: *test - task: build-redirects - config: - <<: *node-image - inputs: [name: src] - outputs: [name: src] - params: - SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - run: - dir: src - path: bash - args: [-c, npm run build-redirects] + image: node + file: src/ci/partials/build-redirects.yml + params: + SITE_REDIRECTS: ((pages-proxy-((deploy-env))-site-redirects)) - task: deploy - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/deploy.sh + image: cf-image + file: src/ci/partials/deploy.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -132,12 +100,8 @@ jobs: on_failure: try: task: cancel-api-deployment - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/cancel-deployment.sh + image: cf-image + file: src/ci/partials/cancel-deployment.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -170,13 +134,10 @@ jobs: params: {depth: 1} - get: nightly trigger: true + - get: cf-image - task: restage - config: - <<: *cf-image - inputs: [name: src] - run: - dir: src - path: ci/tasks/restage.sh + image: cf-image + file: src/ci/partials/restage.yml params: <<: *env-cf CF_APP_NAME: pages-proxy-((deploy-env)) @@ -222,6 +183,25 @@ resources: source: url: ((slack-webhook-url)) + - name: node + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-node-v20 + aws_region: us-gov-west-1 + tag: latest + + - name: cf-image + type: registry-image + source: + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: general-task + aws_region: us-gov-west-1 + tag: latest + + ############################ # RESOURCE TYPES From 93c32a54182ba5e615d508dacf12616e286f14d4 Mon Sep 17 00:00:00 2001 
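Review bot: The `deploy` task (and `cancel-api-deployment` in the next hunk) now references `image: cf-image`, yet the only get this hunk adds to the job is `- get: node`, so within this commit the `cf-image` artifact is never fetched in the deploy job and Concourse should reject the task with an unknown-artifact error; `- get: cf-image` is only added to this job by patch 3/3 on this page. Adding `- get: cf-image` next to `- get: node` here keeps the commit self-contained and bisectable, as the restage job hunk later in this file already does. In the resources hunk at the end of this file, two added blank lines precede the `RESOURCE TYPES` banner while the ci/pipeline-dev.yml counterpart adds one; dropping the extra keeps the two files aligned. The job definition continues outside the hunk on both sides.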
From: Drew Bollinger Date: Thu, 16 May 2024 10:08:46 -0700 Subject: [PATCH 3/3] chore: use hardened nginx image --- ci/partials/test-integrations.yml | 10 ++++++++-- ci/partials/test-mocks.yml | 10 ++++++++-- ci/pipeline-dev.yml | 16 ++++++++++++---- ci/pipeline.yml | 28 ++++++++++++++++++++++------ docker-compose.yml | 2 +- 5 files changed, 51 insertions(+), 15 deletions(-) diff --git a/ci/partials/test-integrations.yml b/ci/partials/test-integrations.yml index 1524da2..cfbeafc 100644 --- a/ci/partials/test-integrations.yml +++ b/ci/partials/test-integrations.yml @@ -10,16 +10,22 @@ image_resource: inputs: - name: src - name: nginx + - name: node-oci run: dir: src path: ci/docker/entrypoint.sh + # the docker tag commands tag our hardened images with the name of + # docker registry images used in the local compose file for ease + # of test running args: - bash - -ceux - | pushd .. - docker load -i nginx/image - docker tag "$(cat nginx/image-id)" "$(cat nginx/repository):$(cat nginx/tag)" + docker load -i nginx/image.tar + docker tag "$(cat nginx/repository):$(cat nginx/tag)" openresty/openresty:1.19.9.1-4-buster + docker load -i node-oci/image.tar + docker tag "$(cat node-oci/repository):$(cat node-oci/tag)" node:20 popd docker-compose -f docker-compose.yml run --no-deps app npm install docker-compose -f docker-compose.yml run --no-deps app npm run parse:integration diff --git a/ci/partials/test-mocks.yml b/ci/partials/test-mocks.yml index 057066d..b7ec9d1 100644 --- a/ci/partials/test-mocks.yml +++ b/ci/partials/test-mocks.yml 
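Review bot: The load-and-retag block added to `args` (from `docker load -i nginx/image.tar` through the `node:20` tag) is duplicated verbatim in ci/partials/test-mocks.yml in this patch; moving it into a script under ci/tasks/ that both partials call, as the deploy and restage tasks already do, avoids the two copies drifting apart. The retag deliberately hides the hardened images behind the public names the compose file expects, so nothing in the build log records which image actually ran the tests; printing the loaded image id before retagging, e.g. `docker image inspect --format '{{.Id}}' "$(cat nginx/repository):$(cat nginx/tag)"`, gives that provenance at no cost. The added comment could also state that the two tag names must match the images named in `docker-compose.yml`, so a future compose change is made in both places. The task's `args` list continues outside the hunk.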
@@ -10,16 +10,22 @@ image_resource: inputs: - name: src - name: nginx + - name: node-oci run: dir: src path: ci/docker/entrypoint.sh + # the docker tag commands tag our hardened images with the name of + # docker registry images used in the local compose file for ease + # of test running args: - bash - -ceux - | pushd .. - docker load -i nginx/image - docker tag "$(cat nginx/image-id)" "$(cat nginx/repository):$(cat nginx/tag)" + docker load -i nginx/image.tar + docker tag "$(cat nginx/repository):$(cat nginx/tag)" openresty/openresty:1.19.9.1-4-buster + docker load -i node-oci/image.tar + docker tag "$(cat node-oci/repository):$(cat node-oci/tag)" node:20 popd docker-compose -f docker-compose.yml run --no-deps app npm install docker-compose -f docker-compose.yml run --no-deps app npm run parse diff --git a/ci/pipeline-dev.yml b/ci/pipeline-dev.yml index 7c02e8b..2e82b97 100644 --- a/ci/pipeline-dev.yml +++ b/ci/pipeline-dev.yml @@ -32,8 +32,13 @@ jobs: passed: [set-pipeline] trigger: true - get: nginx - params: { save: true } + params: + format: oci - get: node + - get: node-oci + resource: node + params: + format: oci - get: cf-image - in_parallel: - task: test-mock @@ -124,10 +129,13 @@ resources: location: America/New_York - name: nginx - type: docker-image + type: registry-image source: - repository: nginx - tag: 1 + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-nginx-v1 + aws_region: us-gov-west-1 + tag: latest - name: slack type: slack-notification diff --git a/ci/pipeline.yml b/ci/pipeline.yml index ffb3087..8eebc74 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -11,8 +11,6 @@ env-cf: &env-cf CF_STACK: cflinuxfs4 test: &test - - get: nginx - params: {save: true} - in_parallel: - task: test-mock privileged: true 
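Review bot: The second get `node-oci` (with `resource: node` and `format: oci`) goes unexplained next to `- get: node`, and a reader will reasonably ask why the same image is pulled twice; the first serves as the task rootfs via `image: node` while the second yields the tarball the test partials `docker load`. A comment above it such as `# same image as node, fetched as an OCI tarball for docker load in the test partials` would settle that, and the same pair appears in the `test-pr` and deploy job hunks of ci/pipeline.yml in this patch. In the resources hunk below, the nginx resource moves from Docker Hub `nginx:1` to the ECR `pages-nginx-v1` repository, which is the point of the commit, but at `tag: latest` it now floats on a mutable tag like the other ECR resources, so the pinning concern raised on patch 1/3 applies here too. The job's step list continues outside the hunk.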
@@ -54,7 +52,14 @@ jobs: status: pending base_context: concourse context: test-pr-proxy-((deploy-env)) - + - get: nginx + params: + format: oci + - get: node + - get: node-oci + resource: node + params: + format: oci - do: *test on_failure: @@ -82,7 +87,15 @@ jobs: passed: [set-pipeline] trigger: true params: {depth: 1} + - get: cf-image + - get: nginx + params: + format: oci - get: node + - get: node-oci + resource: node + params: + format: oci - do: *test - task: build-redirects image: node @@ -173,10 +186,13 @@ resources: location: America/New_York - name: nginx - type: docker-image + type: registry-image source: - repository: nginx - tag: 1 + aws_access_key_id: ((ecr-aws-key)) + aws_secret_access_key: ((ecr-aws-secret)) + repository: pages-nginx-v1 + aws_region: us-gov-west-1 + tag: latest - name: slack type: slack-notification diff --git a/docker-compose.yml b/docker-compose.yml index 1616975..bcc74ad 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,7 +21,7 @@ services: depends_on: - mock-dedicated app: - image: node:18 + image: node:20 volumes: - .:/app working_dir: /app