Merge branch 'main' of https://gitlab-sml.din.developpement-durable.g…

…ouv.fr/num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2

.gitlab-ci.yml

@@ -2,8 +2,10 @@ stages:
   - build
   - pre-analyze
   - analyze
-  - pre-deploy
-  - deploy
+  - pre-deploy-int
+  - deploy-int
+  - pre-deploy-prod
+  - deploy-prod
 variables:
   #  Configuration spécifique projet
   PROJECT_NAME:
@@ -12,43 +14,56 @@ variables:
   PROJECT_VERSION:
     value: 0.0.0.14
     description: "Version du projet à déployer"
-  PROJECT_ENV:
-    value: "int"
-    description: "Environnement cible"
-  SERVER_ENV:
+  SERVER_ENV_INT:
     value: "int-rapportnav-appli01"
-    description: "Serveur cible"
+    description: "Serveur cible d'intégration"
+  SERVER_ENV_PROD:
+    value: "prod-rapportnav-appli01"
+    description: "Serveur cible de production"
   TAG_LATEST: $NEXUS_DOCKER_REPO/$PROJECT_NAME:latest
   TAG_VERSION: $NEXUS_DOCKER_REPO/$PROJECT_NAME:$PROJECT_VERSION
-  ID_PROJET_INVENTAIRE: 156
-  PROJECT_PORTS:
-    value: "[80:80]"
-    description: "Tableau contenant les ports exposés par le container Docker du projet"
-  PROJECT_VOLUMES:
-    value: "[]"
-    description: "Tableau contenant les volumes du container Docker du projet"
   FAIL_SONAR_CONDITION:
     value: "-Dsonar.qualitygate.wait=true"
     description: "Détermine la commande à passer au scanner Sonar pour bloquer ou non le job. -Dsonar.qualitygate.wait=true fait échouer le job si le quality gate Sonar n'est pas conforme."
   FAIL_TRIVY_CONDITION:
     value: "--severity CRITICAL"
     description: "Détermine la commande à passer à Trivy pour bloquer ou non le job. --severity CRITICAL fait échouer le job si Trivy remonte des anomalies critiques."
+
 include:
-  - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
-    ref: master
-    file: '/jobs/verif_image_checksum.yml'
- # - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
- #   ref: master
- #   file: '/jobs/build_projet_maven.yml'
-  - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
-    ref: master
-    file: '/jobs/construction_image.yml'
-  - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
-    ref: master
-    file: '/jobs/analyse_sonar.yml'
-  - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
-    ref: master
-    file: '/jobs/analyse_trivy.yml'
-  - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
-    ref: master
-    file: '/jobs/deploiement_image.yml'
+  - '/ci/jobs/verif_image_checksum.yml'
+  - '/ci/jobs/build_projet_maven.yml'
+  - '/ci/jobs/build_projet_npm.yml'
+  - '/ci/jobs/construction_image.yml'
+  - '/ci/jobs/dependency-check.yml'
+  - '/ci/jobs/analyse_sonar.yml'
+  - '/ci/jobs/analyse_trivy.yml'
+  - '/ci/jobs/deploiement_image_int.yml'
+  - '/ci/jobs/deploiement_image_prod.yml'
+# include:
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/verif_image_checksum.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/build_projet_maven.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/build_projet_npm.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/construction_image.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/dependency-check.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/analyse_sonar.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/analyse_trivy.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/deploiement_image_int.yml'
+#   - project: 'num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2-jobs-scripts'
+#     ref: master
+#     file: '/jobs/deploiement_image_prod.yml'

ci/deploiement_image_docker.yml

@@ -0,0 +1,6 @@
+- hosts: "{{ inventory_hostname }}"
+  roles:
+    - stop_docker_containers
+    - install_docker_image
+    - start_docker_containers
+    - clean_docker_images

ci/jobs/analyse_sonar.yml

@@ -0,0 +1,26 @@
+analyse_sonar:
+  stage: analyze
+  image:
+    name: sonarsource/sonar-scanner-cli:latest
+    entrypoint: [""]
+  tags:
+    - analyze
+  variables:
+    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
+    # Shallow cloning needs to be disabled.
+    # See https://docs.sonarqube.org/latest/analysis/gitlab-cicd/.
+    GIT_DEPTH: 0
+  cache:
+    key: "${CI_JOB_NAME}"
+    paths:
+      - .sonar/cache
+  script:
+    - |
+      if [ $KEEP_RUNNING == "true" ]
+        then
+          sonar-scanner 
+      else
+        # -Dsonar.qualitygate.wait=true stop le job si le quality gate est KO
+        sonar-scanner $FAIL_SONAR_CONDITION
+      fi
+

ci/jobs/analyse_trivy.yml

@@ -0,0 +1,39 @@
+analyse_trivy:
+  stage: analyze
+  image:
+    name: aquasec/trivy:0.38.1
+    entrypoint: [""]
+  variables:
+    # No need to clone the repo, we exclusively work on artifacts.  See
+    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
+    GIT_STRATEGY: none
+    TRIVY_USERNAME: $NEXUS_USER
+    TRIVY_PASSWORD: $NEXUS_PWD
+    TRIVY_NON_SSL: "true"
+    TRIVY_SERVER: "http://trivy.dsi.damgm.i2"
+    FULL_IMAGE_NAME: $TAG_LATEST
+    HTTP_PROXY: "http://172.27.229.197:8090"
+    HTTPS_PROXY: "http://172.27.229.197:8090"
+    NO_PROXY: "gitlab-sml.din.developpement-durable.gouv.fr,int-docker01,localhost,127.0.0.1,0.0.0.0,.dsi.damgm.i2"
+  script:
+    - trivy --version
+    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
+    - time trivy image -d --server $TRIVY_SERVER $FULL_IMAGE_NAME --clear-cache --timeout 120m --cache-dir .trivycache/
+    - |
+      if [[ "$FAIL_TRIVY_CONDITION" != "" && "$KEEP_RUNNING" != "true" ]]; then
+        # Fail on critical vulnerabilities
+        time trivy image -d --server $TRIVY_SERVER --exit-code 1 --cache-dir .trivycache/ $FAIL_TRIVY_CONDITION --no-progress --format template --template "@/contrib/html.tpl" --output "container-scanning-report.html" "$FULL_IMAGE_NAME"
+      else
+        # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
+        time trivy image -d --server $TRIVY_SERVER --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/html.tpl" --output "container-scanning-report.html" "$FULL_IMAGE_NAME"
+      fi
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    when: always
+    paths:
+      - container-scanning-report.html
+  tags:
+    - analyze
+

ci/jobs/build_projet_maven.yml

@@ -0,0 +1,19 @@
+# TODO à adapter selon le projet
+build_projet_maven:
+  stage: build
+  image: maven:3.8.5-openjdk-17-slim
+  variables:
+    HTTP_PROXY: "http://172.27.229.197:8090"
+    HTTPS_PROXY: "http://172.27.229.197:8090"
+    NO_PROXY: "gitlab-sml.din.developpement-durable.gouv.fr,localhost,127.0.0.1,0.0.0.0,.dsi.damgm.i2"
+  script:
+    - cd backend
+    - mvn dependency:go-offline -B -Dhttps.proxyHost=172.27.229.197 -Dhttps.proxyPort=8090
+    - mvn clean package -DskipTests=true -Dhttps.proxyHost=172.27.229.197 -Dhttps.proxyPort=8090
+  tags:
+    - build
+  artifacts:
+    name: "Maven artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    when: on_success
+    paths:
+      - "backend/target/rapportnav-VERSION_TO_CHANGE.jar"

ci/jobs/build_projet_npm.yml

@@ -0,0 +1,20 @@
+# TODO à adapter selon le projet
+build_projet_npm:
+  stage: build
+  image: node:18
+  variables:
+    HTTP_PROXY: "http://172.27.229.197:8090"
+    HTTPS_PROXY: "http://172.27.229.197:8090"
+    NO_PROXY: "gitlab-sml.din.developpement-durable.gouv.fr,localhost,127.0.0.1,0.0.0.0,.dsi.damgm.i2"
+  script:
+    - cd frontend
+    - npm config set proxy $HTTP_PROXY
+    - npm config set https-proxy $HTTPS_PROXY
+    - npm ci
+    - npm run build --verbose
+  tags:
+    - build
+  artifacts:
+    name: "Npm artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    paths:
+      - "frontend/"

ci/jobs/construction_image.yml

@@ -0,0 +1,28 @@
+construction_image:
+  stage: build
+  except:
+    variables:
+      - $IMAGE_CHECKSUM
+  image: docker:20.10.5
+  variables:
+    HTTP_PROXY: "http://172.27.229.197:8090"
+    HTTPS_PROXY: "http://172.27.229.197:8090"
+    NO_PROXY: "docker,dockerhost,gitlab-sml.din.developpement-durable.gouv.fr,int-docker01,localhost,127.0.0.1,0.0.0.0,.dsi.damgm.i2"
+    GIT_STRATEGY: fetch
+    GIT_CLEAN_FLAGS: none
+    DOCKER_HOST: tcp://dockerhost:2375/
+    DOCKER_DRIVER: overlay2
+    DOCKER_TLS_CERTDIR: ""
+  services:
+    - name: docker:20.10.5-dind
+      alias: dockerhost
+      entrypoint: ["sh", "-c", "dockerd-entrypoint.sh"]
+  script:
+    # TODO à adapter en fonction du projet
+    - docker build -f infra/docker/app/Dockerfile -t $TAG_VERSION -t $TAG_LATEST .
+    - docker login $NEXUS_DOCKER_REPO -u $NEXUS_USER -p $NEXUS_PWD
+    - docker image push --all-tags $NEXUS_DOCKER_REPO/$PROJECT_NAME
+    - docker logout $NEXUS_DOCKER_REPO
+  tags:
+    - build
+

ci/jobs/dependency-check.yml

@@ -0,0 +1,24 @@
+dependency_check:
+  stage: analyze
+  image:
+    name: owasp/dependency-check:latest
+    entrypoint: [""]
+  variables:
+    HTTP_PROXY: "http://172.27.229.197:8090"
+    HTTPS_PROXY: "http://172.27.229.197:8090"
+    NO_PROXY: "gitlab-sml.din.developpement-durable.gouv.fr,localhost,127.0.0.1,0.0.0.0,.dsi.damgm.i2"  
+  script:
+    - /usr/share/dependency-check/bin/dependency-check.sh --scan frontend/ --project "${PROJECT_NAME} ${PROJECT_VERSION}" --failOnCVSS 8 --proxyserver 172.27.229.197 --proxyport 8090
+    - cd backend/target/
+    - /usr/share/dependency-check/bin/dependency-check.sh --scan rapportnav-VERSION_TO_CHANGE.jar --project "${PROJECT_NAME} ${PROJECT_VERSION}" --failOnCVSS 8 --proxyserver 172.27.229.197 --proxyport 8090
+  tags:
+    - analyze
+  artifacts:
+    when: on_success 
+    paths:
+      - backend/target/./dependency-check-report.html
+      - dependency-check-report.html
+  needs:
+    - job: build_projet_maven
+    - job: build_projet_npm
+      artifacts: true

ci/jobs/deploiement_image_int.yml

@@ -0,0 +1,34 @@
+recup_inventaire_int:
+  stage: pre-deploy-int
+  only:
+    - main
+  variables:
+    ID_PROJET_INVENTAIRE_INT: 156  #ID du projet GITLAB de l'inventaire d'intégration
+  image: alpine/curl
+  tags:
+    - deployment
+  script:
+    - cd $CI_PROJECT_DIR
+    - curl -H "PRIVATE-TOKEN:$PROJET_INVENTAIRE_ACCESS_TOKEN" "$CI_API_V4_URL/projects/$ID_PROJET_INVENTAIRE_INT/repository/files/topologie.ini/raw" --output inventory.ini
+  artifacts:
+    paths:
+      - inventory.ini
+
+deploiement_image_int:
+  stage: deploy-int
+  only:
+    - main
+  image: cbhek/ansible-worker:1.0.0
+  tags:
+    - deployment
+  dependencies:
+    - "recup_inventaire_int"
+  variables:
+    GIT_STRATEGY: fetch
+    GIT_CLEAN_FLAGS: none
+  before_script:
+    # requis pour que le pipeline du projet appelant ce script ait accès aux scripts ansible
+    - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2
+  script:
+    - cd rapportnav-v2/ci && ansible-playbook -i ../inventory.ini deploiement_image_docker.yml --extra-vars "env=int inventory_hostname=$SERVER_ENV_INT"
+

ci/jobs/deploiement_image_prod.yml

@@ -0,0 +1,33 @@
+recup_inventaire_prod:
+  stage: pre-deploy-prod
+  variables:
+    ID_PROJET_INVENTAIRE_PROD: 155  #ID du projet GITLAB de l'inventaire de production
+  image: alpine/curl
+  tags:
+    - deployment
+  script:
+    - cd $CI_PROJECT_DIR
+    - curl -H "PRIVATE-TOKEN:$PROJET_INVENTAIRE_ACCESS_TOKEN" "$CI_API_V4_URL/projects/$ID_PROJET_INVENTAIRE_PROD/repository/files/topologie.ini/raw" --output inventory.ini
+  artifacts:
+    paths:
+      - inventory.ini
+  when: manual
+
+
+deploiement_image_prod:
+  stage: deploy-prod
+  image: cbhek/ansible-worker:1.0.0
+  tags:
+    - deployment
+  needs:
+    - "recup_inventaire_prod"
+  variables:
+    GIT_STRATEGY: fetch
+    GIT_CLEAN_FLAGS: none
+  before_script:
+    # requis pour que le pipeline du projet appelant ce script ait accès aux scripts ansible
+    - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/num3-exploitation/deploiement-continu/gitlab-ci/applications/rapportnav-v2/rapportnav-v2
+  script:
+    - cd rapportnav-v2/ci && ansible-playbook -i ../inventory.ini deploiement_image_docker.yml --extra-vars "env=prod inventory_hostname=$SERVER_ENV_PROD"
+
+

ci/jobs/verif_image_checksum.yml

@@ -0,0 +1,21 @@
+verif_image_checksum:
+  stage: pre-analyze
+  only:
+    variables:
+      - $IMAGE_CHECKSUM
+  image: docker:20.10.5
+  services:
+    - name: docker:20.10.5-dind
+      entrypoint: ["sh", "-c", "dockerd-entrypoint.sh"]
+  script:
+    - docker login $NEXUS_DOCKER_REPO -u $NEXUS_USER -p $NEXUS_PWD
+    - docker pull $NEXUS_DOCKER_REPO/$PROJECT_NAME:$PROJECT_VERSION
+    - CHECKSUM=`docker image ls --digests --format '{{.Digest}}' $NEXUS_DOCKER_REPO/$PROJECT_NAME`
+    - |
+      if [ $IMAGE_CHECKSUM != $CHECKSUM ]
+        then
+          echo "Checksum incorrect"
+          exit 1
+      fi
+  tags:
+    - analyze

ci/roles/clean_docker_images/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+
+# Suppression images obsolètes
+- name: "Remove old images"
+  command: docker image prune -a -f

ci/roles/install_docker_image/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+#------------------------------------------------------------------------
+#   Liste des taches d'installation/mise à jour d'une image Docker
+#------------------------------------------------------------------------
+
+# Connexion au repository Nexus/récupération de l'image/logout
+- name: "Log into nexus repository"
+  command: docker login {{ nexus_repo }} -u {{ nexus_user }} -p {{ nexus_password }}
+  no_log: true
+
+- name: "Pull docker images"
+  command: "docker pull {{ docker_image_path }}"
+  args:
+    chdir: "{{ docker_compose_path }}"
+
+- name: "Log out of any docker registry"
+  command: docker logout {{ nexus_repo }}
+  no_log: true

ci/roles/install_docker_image/vars/main.yml

@@ -0,0 +1,7 @@
+---
+docker_image_path: "{{ lookup('env', 'TAG_VERSION') }}"
+docker_compose_path: "/opt/dockers/{{ project_name }}"
+nexus_repo: "{{ lookup('env', 'NEXUS_DOCKER_REPO') }}"
+nexus_user: "{{ lookup('env', 'NEXUS_USER') }}"
+nexus_password: "{{ lookup('env', 'NEXUS_PWD') }}"
+docker_compose_source: "docker-compose.yml.j2"