This commit is contained in:
parent
bb14ea74f3
commit
d5848a6494
@ -6,86 +6,76 @@ name: prod-promotion
|
||||
steps:
|
||||
- name: promote-tag-and-mirror
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
- -c
|
||||
entrypoint: [bash, -c]
|
||||
commands:
|
||||
- |
|
||||
set -euo pipefail
|
||||
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
||||
if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
|
||||
|
||||
# Dev is the single source of truth for IMG_TAG
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
||||
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
|
||||
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
||||
|
||||
# Hard guards so we fail *before* skopeo if anything is empty
|
||||
[ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG is empty"; exit 2; }
|
||||
[ -n "$SRC" ] || { echo "❌ SRC is empty"; exit 2; }
|
||||
[ -n "$DST" ] || { echo "❌ DST is empty"; exit 2; }
|
||||
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq skopeo
|
||||
TOKEN="$(gcloud auth print-access-token)"
|
||||
for s in server1 server2 server3 nginx; do
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq skopeo
|
||||
TOKEN="$(gcloud auth print-access-token)"
|
||||
|
||||
for s in server1 server2 server3 nginx; do
|
||||
SRC_REF="docker://$SRC/$s:$IMG_TAG"
|
||||
DST_REF="docker://$DST/$s:$IMG_TAG"
|
||||
echo "🔁 copy $SRC_REF → $DST_REF"
|
||||
skopeo copy --insecure-policy \
|
||||
--src-creds "oauth2accesstoken:${TOKEN}" \
|
||||
--dest-creds "oauth2accesstoken:${TOKEN}" \
|
||||
"docker://${SRC}/${s}:${IMG_TAG}" \
|
||||
"docker://${DST}/${s}:${IMG_TAG}"
|
||||
done
|
||||
|
||||
for svc in server1 server2 server3 nginx; do
|
||||
docker pull "$SRC/$svc:$IMG_TAG"
|
||||
docker tag "$SRC/$svc:$IMG_TAG" "$DST/$svc:$IMG_TAG"
|
||||
docker push "$DST/$svc:$IMG_TAG"
|
||||
--src-creds "oauth2accesstoken:$TOKEN" \
|
||||
--dest-creds "oauth2accesstoken:$TOKEN" \
|
||||
"$SRC_REF" "$DST_REF"
|
||||
done
|
||||
|
||||
# Publish the exact tag to prod SM so deploy & scan read the same value
|
||||
printf "%s" "${IMG_TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="aptivaai-prod" >/dev/null
|
||||
echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
|
||||
printf "%s" "$IMG_TAG" | gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod >/dev/null
|
||||
echo "🏷 Promoted IMG_TAG=$IMG_TAG → aptivaai-prod"
|
||||
|
||||
|
||||
- name: verify-sync
|
||||
depends_on: [promote-tag-and-mirror]
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
- -c
|
||||
entrypoint: [bash, -c]
|
||||
commands:
|
||||
- |
|
||||
set -euo pipefail
|
||||
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
||||
if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
|
||||
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
||||
prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
|
||||
[[ "$IMG_TAG" == "$prod_val" ]] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$prod_val"; exit 1; }
|
||||
PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
|
||||
[ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; }
|
||||
echo "✅ Tag parity confirmed: $IMG_TAG"
|
||||
# Ensure images truly exist in PROD AR
|
||||
|
||||
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
||||
apt-get update -qq && apt-get install -y -qq skopeo
|
||||
TOKEN="$(gcloud auth print-access-token)"
|
||||
for s in server1 server2 server3 nginx; do
|
||||
REF="docker://${DST}/${s}:${IMG_TAG}"
|
||||
echo "🔎 verify ${REF}"
|
||||
skopeo inspect --creds "oauth2accesstoken:${TOKEN}" "$REF" >/dev/null
|
||||
REF="docker://$DST/$s:$IMG_TAG"
|
||||
echo "🔎 verify $REF"
|
||||
skopeo inspect --creds "oauth2accesstoken:$TOKEN" "$REF" >/dev/null
|
||||
done
|
||||
echo "✅ Prod AR has all images at :$IMG_TAG"
|
||||
|
||||
|
||||
- name: security-scan
|
||||
depends_on: [verify-sync]
|
||||
image: google/cloud-sdk:latest
|
||||
entrypoint:
|
||||
- bash
|
||||
- -c
|
||||
entrypoint: [bash, -c]
|
||||
commands:
|
||||
- |
|
||||
set -euo pipefail
|
||||
# Guard so this file doesn't run unless you explicitly set PROMOTE=prod in the UI
|
||||
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
|
||||
if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
|
||||
|
||||
# Scan the images that WILL be deployed: pull IMG_TAG from PROD
|
||||
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
|
||||
REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
|
||||
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
|
||||
|
||||
apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
|
||||
export PATH="$PATH:$(pwd)/bin"
|
||||
|
||||
@ -97,6 +87,7 @@ steps:
|
||||
--scanners vuln --ignore-unfixed --ignorefile .trivyignore \
|
||||
--exit-code 1 --severity CRITICAL "$REF"
|
||||
done
|
||||
|
||||
|
||||
- name: prod-deploy
|
||||
depends_on: [security-scan]
|
||||
|
||||
Loading…
Reference in New Issue
Block a user