Remove deployment stage and add push stage

fd6d039b · Quentin Duchemin · e5176af6 · fd6d039b
Verified Commit fd6d039b authored 5 years ago by Quentin Duchemin
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 image: docker:19.03.0

-# disable TLS just for the docker daemon running locally, TLS is still used to deploy built images!
+# Disable TLS just for the docker daemon running locally, TLS is still used to deploy built images!
 variables:
    DOCKER_TLS_CERTDIR: ""
    DOCKER_DRIVER: overlay2
@@ -14,9 +14,9 @@ stages:
    - build
    - static_tests
    - dynamic_tests
-    - deployment
+    - push-prod

-# build the base image used for all further steps : this is done only when pica-ci's Dockerfile is modified
+# Build the base image used for all further steps : this is done only when pica-ci's Dockerfile is modified
 pica-ci-base:
    stage: pica-ci-base
    before_script:
@@ -34,7 +34,7 @@ pica-ci-base:
            - master
            - dev-ci

-# create a image based on pica-ci with only a few environment variables added (which Dockerfile has been modified...)
+# Create a image based on pica-ci with only a few environment variables added (which Dockerfile has been modified...)
 metabuid:
    stage: metabuild
    before_script:
@@ -58,7 +58,7 @@ metabuid:
            - dev-ci
            - dev-sympa

-# build the container that was modified
+# Build the image that was modified
 build:
    stage: build
    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
@@ -117,7 +117,7 @@ clair:
            - dev-ci
            - dev-sympa

-# run docker-bench-security and upload the results
+# Run docker-bench-security and upload the results
 docker-bench-security:
    stage: dynamic_tests
    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
@@ -156,80 +156,21 @@ docker-bench-security:
            - dev-ci
            - dev-sympa

-# automatically deploy the container on pica01-test
-deployment-test:
-    stage: deployment
+# Push the generated image on the production registry,
+# once it passed all security tests and has been successfully built
+push-prod:
+    stage: push-prod
    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
-    variables:
-        PICA_ENVIRONMENT: "TEST"
    before_script:
        - source /etc/profile.d/ci-variables
-        - export DOCKER_HOST=tcp://pica01-test.picasoft.net:2376
-        - export DOCKER_TLS_VERIFY=1
-        - export DOCKER_CERT_PATH=/tmp/certs
-        - mkdir -p $DOCKER_CERT_PATH
-        - echo "$DEV_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem
-        - echo "$DEV_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem
-        - echo "$DEV_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem
-        - chmod +x decrypt-secrets.sh
-        - if [[ -d "$MODIFIED_IMAGE/secrets" ]]; then eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh; fi
        - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
        - docker pull $REGISTRY/ci-builds/$MODIFIED_IMAGE:$CI_COMMIT_SHA
-        - docker tag $REGISTRY/ci-builds/$MODIFIED_IMAGE:$CI_COMMIT_SHA $MODIFIED_IMAGE_FULL
-    script:
-        - cd $MODIFIED_IMAGE
-        - sed -i -e  s/picasoft.net/test.picasoft.net/g docker-compose.yml
-        - for VOLUME in $(docker-compose config --volumes | sed 's/-volume//g'); do if [[ ! $(docker volume ls -q | grep "^$VOLUME\$") ]]; then docker volume create --name=$VOLUME; fi; done
-        - for SERVICE in $(docker-compose config --services); do if [[ $(docker container ls --format "{{.Names}}" | grep $SERVICE) ]]; then docker stop $SERVICE | xargs docker rm; fi; done
-        - docker-compose up -d --force-recreate --remove-orphans $CONTAINER_NAME
-    after_script:
-        - rm -rf $DOCKER_CERT_PATH
        - docker logout $REGISTRY
-    tags: [build]
-    only:
-        changes:
-            - "pica-dokuwiki/*"
-            - "pica-etherpad/*"
-            - "pica-wekan/*"
-            - "pica-sympa/*"
-        refs:
-            - master
-            - dev-ci
-            - dev-sympa
-
-# automatically deploy the container on the production host associated with the modified image
-# this will only happen after manually triggering the deployment
-deployment-prod:
-    stage: deployment
-    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
-    variables:
-        PICA_ENVIRONMENT: "PRODUCTION"
-    before_script:
-        - source /etc/profile.d/ci-variables
-        - TMP_DOCKER_CA_CERT="${HOST}_DOCKER_CA_CERT" && eval DOCKER_CA_CERT_VARIABLE=\$$TMP_DOCKER_CA_CERT
-        - TMP_DOCKER_CLIENT_CERT="${HOST}_DOCKER_CLIENT_CERT" && eval DOCKER_CLIENT_CERT_VARIABLE=\$$TMP_DOCKER_CLIENT_CERT
-        - TMP_DOCKER_CLIENT_KEY="${HOST}_DOCKER_CLIENT_KEY" && eval DOCKER_CLIENT_KEY_VARIABLE=\$$TMP_DOCKER_CLIENT_KEY
-        - export DOCKER_HOST=tcp://$HOST.picasoft.net:2376
-        - export DOCKER_TLS_VERIFY=1
-        - export DOCKER_CERT_PATH=/tmp/certs
-        - mkdir -p $DOCKER_CERT_PATH
-        - echo "$DOCKER_CA_CERT_VARIABLE" > $DOCKER_CERT_PATH/ca.pem
-        - echo "$DOCKER_CLIENT_CERT_VARIABLE" > $DOCKER_CERT_PATH/cert.pem
-        - echo "$DOCKER_CLIENT_KEY_VARIABLE" > $DOCKER_CERT_PATH/key.pem
-        - chmod +x decrypt-secrets.sh
-        - if [[ -d "$MODIFIED_IMAGE/secrets" ]]; then eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh; fi
-        - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
-        - docker pull $REGISTRY/ci-builds/$MODIFIED_IMAGE:$CI_COMMIT_SHA
-        - docker logout $REGISTRY
-        - docker tag $REGISTRY/ci-builds/$MODIFIED_IMAGE:$CI_COMMIT_SHA $MODIFIED_IMAGE_FULL
    script:
-        - cd $MODIFIED_IMAGE
-        - for SERVICE in $(docker-compose config --services); do if [[ $(docker container ls --format "{{.Names}}" | grep $SERVICE) ]]; then docker stop $SERVICE | xargs docker rm; fi; done
-        - docker-compose up -d --force-recreate --remove-orphans $CONTAINER_NAME
-        - docker tag $REGISTRY/ci-builds/$MODIFIED_IMAGE:$CI_COMMIT_SHA $REGISTRY_PROD/$MODIFIED_IMAGE_FULL
+        - docker tag $REGISTRY/ci-builds/$MODIFIED_IMAGE:$CI_COMMIT_SHA $MODIFIED_IMAGE_FULL
        - echo $REGISTRY_PROD_PASSWORD | docker login $REGISTRY_PROD -u $REGISTRY_PROD_USERNAME --password-stdin
        - docker push $REGISTRY_PROD/$MODIFIED_IMAGE_FULL
-        - rm -rf $DOCKER_CERT_PATH
+    after_script:
        - docker logout $REGISTRY_PROD
    tags: [build]
    only:
@@ -237,6 +178,6 @@ deployment-prod:
            - "pica-dokuwiki/*"
            - "pica-etherpad/*"
            - "pica-wekan/*"
+            - "pica-oh-my-form/*"
        refs:
            - master
-    when: manual