Update .gitlab-ci.yml, pica-etherpad/clair-whitelist.yml files

7ab3ebf0 · Igor Witz · 8fad595e · 7ab3ebf0 · 7ab3ebf0
Commit 7ab3ebf0 authored 6 years ago by Igor Witz
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -93,7 +93,7 @@ docker-bench-security:
            - pica-etherpad/*
            - pica-dokuwiki/*

-deployment-pica01-test: 
+deployment-test: 
    stage: deployment
    before_script:
        - apk update
@@ -129,3 +129,42 @@ deployment-pica01-test:
            - pica-etherpad/*
            - pica-dokuwiki/*

+deployment-prod: 
+    stage: deployment
+    before_script:
+        - apk update
+        - apk add wget py-pip git iproute2
+        - pip install docker-compose        
+        - chmod +x get-modified-image.sh 
+        - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+        - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+        - export CURRENT_CONTAINER_ID=$(docker container ls -a | grep pica-dokuwiki| cut -d ' ' -f1)
+        - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+        - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
+        - docker logout $REGISTRY
+        - echo $REGISTRY_PROD_PASSWORD | docker login $REGISTRY_PROD -u $REGISTRY_PROD_USERNAME --password-stdin
+        - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest  $REGISTRY_PROD/$MODIFIED_IMAGE_FULL
+        - docker push $REGISTRY_PROD/$MODIFIED_IMAGE_FULL
+        - docker logout $REGISTRY_PROD
+        - export REMOTE_HOSTNAME=pica01
+        - export DOCKER_HOST=tcp://$REMOTE_HOSTNAME.picasoft.net:2376
+        - export DOCKER_TLS_VERIFY=1
+        - export DOCKER_CERT_PATH=/tmp/certs
+        - mkdir -p $DOCKER_CERT_PATH
+        - echo "$PROD_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem
+        - echo "$PROD_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem
+        - echo "$PROD_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem
+    script:   
+        - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+        - docker pull $REGISTRY/$MODIFIED_IMAGE_FULL
+        - docker logout $REGISTRY
+        - cd pica-etherpad
+        - docker-compose up -d --force-recreate --remove-orphans $(cat docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1)
+    after_script:
+        - rm -rf $DOCKER_CERT_PATH
+    tags: [build]
+    only:
+        changes:
+            - pica-etherpad/*
+    when: manual
+
--- a/pica-etherpad/clair-whitelist.yml
+++ b/pica-etherpad/clair-whitelist.yml
@@ -12,4 +12,4 @@ generalwhitelist:
    CVE-2018-1000001: glibc -> Pas de contre mesure
    CVE-2017-1000408: glibc -> Pas de contre mesure
    CVE-2018-6954: systemd -> Pas de contre mesure
-    CVE-2018-6797: Perl est une dépendance du client mysql et la version non vulnérable dans stretch n'a pas été backportée -> Pas de contre-mesure 
\ No newline at end of file
+    CVE-2018-6797: Perl est une dépendance du client mysql et la version non vulnérable dans stretch n'a pas été backportée -> Pas de contre-mesure
\ No newline at end of file