Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)
include:
  # Shared pipeline template. Jobs used but not defined in this file (build_image,
  # and presumably the kics/hadolint/secrets scanners overridden below) come from it.
  # NOTE(review): `ref` is a tag, i.e. a movable pointer rather than an immutable SHA,
  # and the same value is repeated in PROSPER_VERSION below; the two must be bumped
  # together — TODO confirm renovate updates both or derive one from the other.
  - project: 'esv/bsf/pypi/prosper'
    ref: v0.64.1
    file: '/prosper/templates/projects/docker.yml'
variables:
  # Version of the included prosper template; keep in step with include.ref above.
  # The renovate marker on the next line must stay directly above the key it tracks.
  # renovate: datasource=gitlab-tags depName=esv/bsf/pypi/prosper versioning=semver registryUrl=https://gitlab.global.bsf.tools
  PROSPER_VERSION: v0.64.1
kics:
  # IaC scan (job defined in the included template) is non-blocking: findings are
  # reported but never fail the pipeline.
  # NOTE(review): the open KICS findings were fixed in this commit, so this could now
  # be made blocking like the secrets job — confirm the scan is clean before removing.
  allow_failure: true
hadolint:
  # Dockerfile lint (job defined in the included template) is non-blocking: findings
  # are reported but never fail the pipeline.
  # NOTE(review): the hadolint findings were fixed in this commit; consider dropping
  # allow_failure so regressions block, as the secrets job already does.
  allow_failure: true

# secrets job is a blocking check - real credential leaks should fail the pipeline
# Run Python tests
# No rules, so this runs on every branch. There is deliberately no `|| echo` fallback
# on the pytest line: a failing test fails the job. Note that deploy jobs using `needs`
# ignore stage order, so they only wait for this job if they list it in `needs`.
python_tests:
  stage: test
  image: deps.global.bsf.tools/docker/python:3.12-slim
  before_script:
    # NOTE(review): test dependencies are installed unpinned from the index at job
    # time (no version or hash pins), so the test environment is not reproducible and
    # a dependency update can break or alter the run — TODO confirm requirements.txt
    # is pinned and consider pinning the three tools below.
    - pip install -r backend/requirements.txt
    - pip install pytest pytest-asyncio httpx
  script:
    - cd backend
    - python -m pytest -v
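# Deploy to stage (main branch)
deploy_stage:
  stage: deploy
  # `needs` ignores stage order: only the jobs listed here can hold this deploy back.
  # python_tests is listed so a failing test run blocks the deploy, not just the pipeline.
  # NOTE(review): the secrets/scanner jobs live in the included prosper template and
  # their names are not visible here; add them as well if deploys must wait for them.
  needs: [build_image, python_tests]
  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
  variables:
    ENV: stage
    NAMESPACE: orch-stage-namespace
    VALUES_FILE: helm/orchard/values-stage.yaml
  before_script:
    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-stage
    - helm version
    # Chart dependencies are resolved from public repositories at deploy time.
    - helm repo add stable https://charts.helm.sh/stable
    - helm repo add bitnami https://charts.bitnami.com/bitnami
    - cd helm/orchard
    - helm dependency update
    - helm repo update
  script:
    - echo "Deploying to stage environment"
    - cd $CI_PROJECT_DIR
    # --wait/--timeout match deploy_feature: without them the job succeeds as soon as
    # the manifests are accepted, even if the rollout never becomes ready.
    - helm upgrade --install orchard-stage ./helm/orchard --namespace $NAMESPACE -f $VALUES_FILE --set image.tag=git.linux-amd64-$CI_COMMIT_SHA --wait --timeout 5m
  environment:
    name: stage
    url: https://orchard-stage.common.global.bsf.tools
    kubernetes:
      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-stage
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      # on_success is the rules default; `when: always` would run the deploy even
      # after a needed job (build or tests) failed.
      when: on_success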
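# Deploy feature branch to dev namespace
deploy_feature:
  stage: deploy
  # `needs` ignores stage order: only the jobs listed here can hold this deploy back.
  # python_tests is listed so a failing test run blocks the deploy, not just the pipeline.
  # NOTE(review): the secrets/scanner jobs live in the included prosper template and
  # their names are not visible here; add them as well if deploys must wait for them.
  needs: [build_image, python_tests]
  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
  variables:
    NAMESPACE: orch-dev-namespace
    VALUES_FILE: helm/orchard/values-dev.yaml
  before_script:
    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
    - helm version
    # Chart dependencies are resolved from public repositories at deploy time.
    - helm repo add stable https://charts.helm.sh/stable
    - helm repo add bitnami https://charts.bitnami.com/bitnami
    - cd helm/orchard
    - helm dependency update
    - helm repo update
  script:
    - echo "Deploying feature branch $CI_COMMIT_REF_SLUG"
    - cd $CI_PROJECT_DIR
    # One release, ingress host and TLS secret per branch, all keyed on the ref slug.
    # NOTE(review): CI_COMMIT_REF_SLUG can be up to 63 characters, so the
    # `orchard-<slug>` / `minio-<slug>` host labels can exceed the 63-character DNS
    # label limit for long branch names — TODO confirm or truncate the slug.
    - |
      helm upgrade --install orchard-$CI_COMMIT_REF_SLUG ./helm/orchard \
        --namespace $NAMESPACE \
        -f $VALUES_FILE \
        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
        --set ingress.hosts[0].host=orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set ingress.tls[0].hosts[0]=orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set ingress.tls[0].secretName=orchard-$CI_COMMIT_REF_SLUG-tls \
        --set minioIngress.host=minio-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set minioIngress.tls.secretName=minio-$CI_COMMIT_REF_SLUG-tls \
        --wait \
        --timeout 5m
    - echo "Waiting for deployment to be ready..."
    - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG -n $NAMESPACE --timeout=5m
    # Smoke tests against the public URL: up to 30 x 10s for the endpoint (and its
    # certificate) to come up, then health, API and frontend must each pass or the
    # job exits 1.
    - |
      BASE_URL="https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools"

      echo "=== Waiting for health endpoint (certs may take a few minutes) ==="
      for i in $(seq 1 30); do
        if curl -sf --max-time 10 "$BASE_URL/health" > /dev/null 2>&1; then
          echo "Health check passed!"
          break
        fi
        echo "Attempt $i/30 - waiting 10s..."
        sleep 10
      done

      # Verify health endpoint
      echo ""
      echo "=== Health Check ==="
      curl -sf "$BASE_URL/health" || { echo "Health check failed"; exit 1; }
      echo ""

      # Verify API is responding
      echo ""
      echo "=== API Check (GET /api/v1/projects) ==="
      # No -f here: with -f a 4xx/5xx makes curl exit non-zero and the assignment fail
      # before the else branch below can report the status code.
      HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$BASE_URL/api/v1/projects")
      if [ "$HTTP_CODE" = "200" ]; then
        echo "API responding: HTTP $HTTP_CODE"
      else
        echo "API check failed: HTTP $HTTP_CODE"
        exit 1
      fi

      # Verify frontend is served
      echo ""
      echo "=== Frontend Check ==="
      if curl -sf "$BASE_URL/" | grep -q "</html>"; then
        echo "Frontend is being served"
      else
        echo "Frontend check failed"
        exit 1
      fi

      echo ""
      echo "=== All checks passed! ==="
      echo "Deployment URL: $BASE_URL"
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools
    # Stopping the environment runs cleanup_feature, which uninstalls the release.
    on_stop: cleanup_feature
    kubernetes:
      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
  rules:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
      # on_success is the rules default; `when: always` would run the deploy even
      # after a needed job (build or tests) failed.
      when: on_success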
# Cleanup feature branch deployment
# Stop job for the review/$CI_COMMIT_REF_SLUG environment: run when the environment
# is stopped (on_stop in deploy_feature) or triggered manually from the pipeline.
cleanup_feature:
  stage: deploy
  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
  variables:
    NAMESPACE: orch-dev-namespace
  before_script:
    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
  script:
    - echo "Cleaning up feature deployment orchard-$CI_COMMIT_REF_SLUG"
    # Best effort: `|| true` keeps the stop job green when the release is already gone.
    # NOTE(review): only chart-managed resources are removed; objects created outside
    # the release for this branch (e.g. issued TLS secrets) may be left behind — verify.
    - helm uninstall orchard-$CI_COMMIT_REF_SLUG --namespace $NAMESPACE || true
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
    kubernetes:
      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
  rules:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
      # manual + allow_failure: never runs or blocks on its own; only when triggered.
      when: manual
      allow_failure: true