Skip to content
Snippets Groups Projects
Commit 0b00fba9 authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

feat: initial release

parents
No related branches found
No related tags found
No related merge requests found
Expand all Hide whitespace changes
Inline Side-by-side
Showing
with 1135 additions and 0 deletions
.gitignore 0 → 100644
+ 135
0
View file @ 0b00fba9
# Created by .ignore support plugin (hsz.mobi)
### Eclipse template
.metadata
bin/
tmp/
*.tmp
*.bak
*.swp
*~.nib
local.properties
.settings/
.loadpath
.recommenders
# External tool builders
.externalToolBuilders/
# Locally stored "Eclipse launch configurations"
*.launch
# PyDev specific (Python IDE for Eclipse)
*.pydevproject
# CDT-specific (C/C++ Development Tooling)
.cproject
# CDT- autotools
.autotools
# Java annotation processor (APT)
.factorypath
# PDT-specific (PHP Development Tools)
.buildpath
# sbteclipse plugin
.target
# Tern plugin
.tern-project
# TeXlipse plugin
.texlipse
# STS (Spring Tool Suite)
.springBeans
# Code Recommenders
.recommenders/
# Annotation Processing
.apt_generated/
# Scala IDE specific (Scala & Java development for Eclipse)
.cache-main
.scala_dependencies
.worksheet
### JetBrains template
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
# User-specific stuff
.idea/**/workspace.xml
.idea/**/tasks.xml
.idea/**/usage.statistics.xml
.idea/**/dictionaries
.idea/**/shelf
# Generated files
.idea/**/contentModel.xml
# Sensitive or high-churn files
.idea/**/dataSources/
.idea/**/dataSources.ids
.idea/**/dataSources.local.xml
.idea/**/sqlDataSources.xml
.idea/**/dynamic.xml
.idea/**/uiDesigner.xml
.idea/**/dbnavigator.xml
# Gradle
.idea/**/gradle.xml
.idea/**/libraries
# Gradle and Maven with auto-import
# When using Gradle or Maven with auto-import, you should exclude module files,
# since they will be recreated, and may cause churn. Uncomment if using
# auto-import.
# .idea/modules.xml
# .idea/*.iml
# .idea/modules
# *.iml
# *.ipr
# CMake
cmake-build-*/
# Mongo Explorer plugin
.idea/**/mongoSettings.xml
# File-based project format
*.iws
# IntelliJ
out/
# mpeltonen/sbt-idea plugin
.idea_modules/
# JIRA plugin
atlassian-ide-plugin.xml
# Cursive Clojure plugin
.idea/replstate.xml
# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties
# Editor-based Rest Client
.idea/httpRequests
# Android studio 3.1+ serialized cache file
.idea/caches/build_file_checksums.ser
### VisualStudioCode template
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
.gitlab-ci.yml 0 → 100644
+ 44
0
View file @ 0b00fba9
include:
- project: 'Orange-OpenSource/tbc/tools/gitlab-ci'
ref: 'master'
file: '/templates/validation.yml'
- project: 'Orange-OpenSource/tbc/kicker'
ref: 'master'
file: '/templates/validation.yml'
- project: 'Orange-OpenSource/tbc/bash'
ref: '1.0.0'
file: 'templates/gitlab-ci-bash.yml'
stages:
- build
- publish
variables:
GITLAB_CI_FILES: "templates/gitlab-ci-docker.yml"
BASH_SHELLCHECK_FILES: "*.sh"
extract-script:
stage: .pre
script:
- echo "#!/bin/bash" > script.sh
- sed -n '/BEGSCRIPT/,/ENDSCRIPT/p' "$GITLAB_CI_FILES" | sed 's/^ //' >> script.sh
- export LC_ALL=C.UTF-8
artifacts:
when: always
name: extracted template script
expire_in: 1h
paths:
- script.sh
release:
image: node:12
stage: publish
before_script:
- npm install -g semantic-release @semantic-release/gitlab @semantic-release/exec @semantic-release/git
script:
- semantic-release
only:
refs:
- master
variables:
- $TMPL_RELEASE_ENABLED
.gitlab/issue_templates/bug_report.md 0 → 100644
+ 53
0
View file @ 0b00fba9
## Describe the bug
(Describe the problem clearly and concisely.)
## Expected behavior
(Describe the expected behavior clearly and concisely.)
## Actual behavior
(Describe the actual behavior clearly and concisely.)
## Logs and/or screenshots
(Join any relevant logs and/or screenshot. Please use code blocks (```) to format console output, logs, and code.)
## Context & Configuration
Link to a project, pipeline or job facing the bug: (please provide one if possible)
The issue was reproduced using:
* Version of the template: (type in the version)
* GitLab server(s): (Was it gitlab.com? A self-managed server? Which version? CE / EE? Which license?)
* GitLab runner(s): (type in any relevant information about the GitLab runner(s) you used)
Here is the `.gitlab-ci.yml` file:
```yaml
# Add your .gitlab-ci.yml here, if applicable and useful.
```
(If useful, list configured GitLab CI project and/or group variables.)
Configured GitLab CI project or group variables:
* `VARIABLE_1`
* `VARIABLE_2`
* ...
(Finally add any possible additional useful context info here.)
/label ~kind/bug ~status/needs-investigation
.gitlab/issue_templates/feature_request.md 0 → 100644
+ 11
0
View file @ 0b00fba9
## Description
(Describe the feature clearly and concisely.)
## Implementation ideas
(If you have any implementation ideas, they can go here.)
(Any design change proposal could be also discussed on the _to be continuous_ Google Group: https://groups.google.com/g/tbc-dev.)
/label ~kind/enhancement ~status/needs-investigation
.gitlab/merge_request_templates/bug_fix.md 0 → 100644
+ 15
0
View file @ 0b00fba9
## Presentation
(Necessarily link to an issue. If it doesn't exist, please create one.)
Fixes #999
## Checklist
* Documented:
* [ ] `README.md` reflects any job, variable or whichever visible change
* [ ] `kicker.json` reflects any job, variable or whichever visible change
* Tested & examplified:
* [ ] (url to a project sample successfully proving the merge request fixes the issue)
/label ~kind/fix
.gitlab/merge_request_templates/new_feature.md 0 → 100644
+ 29
0
View file @ 0b00fba9
## Presentation
(Necessarily link to an issue. If it doesn't exist, please create one.)
Closes #999
## Checklist
* General:
* [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
* [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
* Publicly usable:
* [ ] untagged runners
* [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`
* [ ] no custom CA certificate(s) but supports `$CUSTOM_CA_CERTS` or `$DEFAULT_CA_CERTS` to declare custom CA certificate(s)
* [ ] internet hostnames/urls only
* Used Docker images:
* [ ] **public** images
* [ ] **official** images (when possible)
* [ ] `latest` tag (when possible)
* Documented:
* [ ] `README.md` documents the new feature
* [ ] `kicker.json` describes the new feature
* Tested & examplified:
* [ ] (url to a project sample successfully using the new feature)
/label ~kind/enhancement
.releaserc.yml 0 → 100644
+ 21
0
View file @ 0b00fba9
plugins: [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
"@semantic-release/gitlab",
[
"@semantic-release/exec",
{
"prepareCmd": "./bumpversion.sh \"${lastRelease.version}\" \"${nextRelease.version}\" \"${nextRelease.type}\""
}
],
[
"@semantic-release/git",
{
"assets": ["*.md", "templates/*.yml"]
}
]
]
branches:
- "master"
tagFormat: "${version}"
\ No newline at end of file
CONTRIBUTE.md 0 → 100644
+ 77
0
View file @ 0b00fba9
# Contributors guide
**Want to contribute? Great!**
We try to make it easy, and all contributions, even the smaller ones, are more than welcome.
This includes bug reports, fixes, documentation, examples...
But first, read this page (including the small print at the end).
## Legal
All original contributions to _to be continuous_ are licensed under the
[GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.html),
version 3.0 or later.
All contributions are subject to the [Developer Certificate of Origin](https://developercertificate.org/) (DCO).
The DCO is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
The DCO text is also included verbatim in the [DCO.txt](DCO.txt) file in the root directory of the repository.
Contributors **must** _sign-off_ that they adhere to these requirements by adding a `Signed-off-by` line to commit messages, as shown below:
```text
This is the commit message
Signed-off-by: John Dev <john.dev@developer.example.org>
```
Git has a handy [`-s` command line option](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt---signoff) to append this automatically to your commit message:
```bash
$ git commit -s -m 'This is the commit message'
```
## Reporting an issue
This project uses GitLab issues to manage the issues.
Before creating an issue:
1. upgrade your project to the latest released template version, and check whether your bug is still present,
2. have a look in the opened issues if your problem is already known/tracked, and possibly contribute to the thread with your own information.
If none of the above was met, open an issue directly in GitLab, select the appropriate issue template and fill-in each section when applicable.
## Submitting a code change
### Git Setup
Before contributing, make sure you have set up your Git authorship correctly:
```bash
git config --global user.name "Your Full Name"
git config --global user.email your.email@example.com
```
### Workflow
All submissions, including submissions by project members, need to be reviewed before being merged.
To contribute:
1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
2. Make sure the issue has been reviewed and agreed.
3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
### Git Commit Conventions
In addition to being signed-off according the [Developer Certificate of Origin](https://developercertificate.org/) (see above),
Git commits in _to be continuous_ shall be:
1. **atomic** (1 commit `=` 1 and only 1 _thing_),
2. **semantic** (using [semantic-release commit message syntax](https://semantic-release.gitbook.io/semantic-release/#commit-message-format)).
You'll find extensive information about Git commit conventions on the [reference documentation website](https://orange-opensource.gitlab.io/tbc/doc/dev/workflow/#git-commit-guidelines).
### Coding Guidelines
The extensive _to be continuous_ coding guidelines can be found on the [reference documentation website](https://orange-opensource.gitlab.io/tbc/doc/dev/guidelines/).
DCO.txt 0 → 100644
+ 38
0
View file @ 0b00fba9
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
\ No newline at end of file
LICENSE.txt 0 → 100644
+ 166
0
View file @ 0b00fba9
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.
"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".
The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:
a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license
document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:
a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.
1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.
e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.
\ No newline at end of file
README.md 0 → 100644
+ 343
0
View file @ 0b00fba9
# GitLab CI template for Docker
This project implements a generic GitLab CI template [Docker](https://www.docker.com/) based projects.
## Usage
In order to include this template in your project, add the following to your `.gitlab-ci.yml` :
```yaml
include:
- project: 'Orange-OpenSource/tbc/docker'
ref: '1.0.0'
file: '/templates/gitlab-ci-docker.yml'
```
## Understanding the Docker template
The template supports two ways of building your Docker images:
1. The former **Docker-in-Docker** technique, that was widely used for years because of no other alternative, but that
is now commonly recognized to have **significant security issues** ([read this post](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) for more info),
2. Or using [kaniko](https://github.com/GoogleContainerTools/kaniko), an open-source tool from Google for building Docker
images, and that solves Docker-in-Docker security issues (and also speeds-up build times).
By default, the template uses the [kaniko](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html) way, but you may
activate the Docker-in-Docker build at your own risks by setting `DOCKER_DIND_BUILD` to `true` (see below).
:warning: In that case, make sure your runner has required privileges to run Docker-in-Docker ([see GitLab doc](https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor)).
### Global variables
The Docker template uses some global configuration used throughout all jobs.
| Name | description | default value |
| --------------------- | -------------------------------------- | ----------------- |
| `DOCKER_DIND_BUILD` | Set to enable Docker-in-Docker build (:warning: unsecured, requires privileged runners). | _(none)_ (kaniko build by default) |
| `DOCKER_KANIKO_IMAGE` | The Docker image used to run kaniko - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
| `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `docker:latest` |
| `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `docker:dind` |
| `DOCKER_FILE` | The path to your `Dockerfile` | `./Dockerfile` |
| `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ |
In addition to this, the template supports _standard_ Linux proxy variables:
| Name | description | default value |
| --------------------- | ------------------------------------------- | ------------- |
| `http_proxy` | Proxy used for http requests | _none_ |
| `https_proxy` | Proxy used for https requests | _none_ |
| `no_proxy` | List of comma-separated hosts/host suffixes | _none_ |
### Images
For each Dockerfile, the template builds an image that may be [pushed](https://docs.docker.com/engine/reference/commandline/push/)
as two distinct images, depending on a certain _workflow_:
1. **snapshot**: the image is first built from the Dockerfile and then pushed to some Docker registry as
the **snapshot** image. It can be seen as the raw result of the build, but still **untested and unreliable**.
2. **release**: once the snapshot image has been thoroughly tested (both by `package-test` stage jobs and/or `acceptance`
stage jobs after being deployed to some server), then the image is pushed one more time as the **release** image.
This second push can be seen as the **promotion** of the snapshot image being now **tested and reliable**.
In practice:
* the **snapshot** image is **always pushed** by the template (pipeline triggered by a Git tag or commit on any branch),
* the **release** image is only pushed:
* on a pipeline triggered by a Git tag,
* on a pipeline triggered by a Git commit on `master`.
The **snapshot** and **release** images are defined by the following variables:
| Name | description | default value |
| ------------------------- | --------------------- | ------------------------------------------------- |
| `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
| `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
As you can see, the Docker template is configured by default to use the GitLab container registry.
You may perfectly override this and use another Docker registry, but be aware of a few things:
* the `DOCKER_SNAPSHOT_IMAGE` requires a Docker registry that allows tag overwrite,
* the `DOCKER_RELEASE_IMAGE` _may_ use a Docker registry that doesn't allow tag overwrite, but:
1. you should avoid overwriting a Git tag (at it will obviously fail while trying to (re)push the Docker image),
2. you have to deactivate publish on `master` branch by setting the `$PUBLISH_ON_PROD` variable to `false` (as it would lead to the `master` tag being overwritten).
### Registries and credentials
As seen in the previous chapter, the Docker template uses by default the GitLab registry to push snapshot and release images.
Thus it makes use of credentials provided by GitLab itself to login (`CI_REGISTRY_USER` / `CI_REGISTRY_PASSWORD`).
But when using other registry(ies), you'll have also to **configure appropriate Docker credentials**.
#### Using the same registry for snapshot and release
If you use the **same registry** for both snapshot and release images, you shall use the following configuration
variables:
| Name | description |
| -------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry |
| :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry |
#### Using different registries for snapshot and release
If you use **different registries** for snapshot and release images, you shall use separate configuration variables:
| Name | description |
| ---------------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_SNAPSHOT_USER` | Docker registry username for snapshot image registry |
| :lock `DOCKER_REGISTRY_SNAPSHOT_PASSWORD`| Docker registry password for snapshot image registry |
| :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry |
| :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD`| Docker registry password for release image registry |
## Multi Dockerfile support
This template supports building multiple Docker images from a single Git repository.
You can define the images to build using the [parallel matrix jobs](https://docs.gitlab.com/ee/ci/yaml/#parallel-matrix-jobs)
pattern inside the `.docker-base` job (this is the top parent job of all Docker template jobs).
Since each job in the template extends this base job, the pipeline will produce one job instance per image to build.
You can independently configure each instance of these jobs by redefining the variables described throughout this
documentation.
For example, if you want to build two Docker images, you must specify where the Dockerfiles are located and where the
resulting images will be stored.
You can do so by adding a patch to the `.docker-base` job in your `.gitlab-ci.yml` file so that it looks like this:
```yaml
.docker-base:
parallel:
matrix:
- DOCKER_FILE: "front/Dockerfile"
DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/front:$CI_COMMIT_REF_SLUG"
DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/front:$CI_COMMIT_REF_NAME"
- DOCKER_FILE: "back/Dockerfile"
DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back:$CI_COMMIT_REF_SLUG"
DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back:$CI_COMMIT_REF_NAME"
```
If you need to redefine a variable with the same value for all your Dockerfiles, you can just declare this variable as a global variable. For example, if you want to build all your images using Docker-in-Docker, you can simply define the `DOCKER_DIND_BUILD` variable as a global variable:
```yaml
variables:
DOCKER_DIND_BUILD: "True"
```
### Secrets management
Here are some advices about your **secrets** (variables marked with a :lock:):
1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#create-a-custom-variable-in-the-ui):
* [**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-custom-variable) to prevent them from being inadvertently
displayed in your job logs,
* [**protected**](https://docs.gitlab.com/ee/ci/variables/#protect-a-custom-variable) if you want to secure some secrets
you don't want everyone in the project to have access to (for instance production secrets).
2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#masked-variable-requirements),
simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
it will then be possible to mask it and the template will automatically decode it prior to using it.
3. Don't forget to escape special characters (ex: `$` -> `$$`).
## Jobs
### `docker-lint` job
This job performs a [Lint](https://github.com/projectatomic/dockerfile_lint) on your `Dockerfile`.
It is bound to the `build` stage, and uses the following variables:
| Name | description | default value |
| --------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_LINT_IMAGE` | The dockerlint image | `projectatomic/dockerfile-lint:latest` |
| `DOCKER_LINT_ARGS` | Additional `dockerfile_lint` arguments | _(none)_ |
In case you have to disable some rules, copy and edit the [rules](https://github.com/projectatomic/dockerfile_lint#extending-and-customizing-rule-files) into `mycustomdockerlint.yml` and set `DOCKER_LINT_ARGS: '-r mycustomdockerlint.yml'`
### `docker-hadolint` job
This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Dockerfile`.
It is bound to the `build` stage, and uses the following variables:
| Name | description | default value |
| -------------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `hadolint/hadolint:latest-alpine` |
| `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | `` |
In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
You can also use [inline ignores](https://github.com/hadolint/hadolint#inline-ignores) in your Dockerfile:
```Dockerfile
# hadolint ignore=DL3006
FROM ubuntu
# hadolint ignore=DL3003,SC1035
RUN cd /tmp && echo "hello!"
```
### `docker-build` job
This job builds the image and publishes it to the _snapshot_ repository.
It is bound to the `package-build` stage, and uses the following variables:
| Name | description | default value |
| ------------------------ | ------------------------------------------------------------------------------------------------------------- | ----------------- |
| `DOCKER_BUILD_ARGS` | Additional `docker build`/`kaniko` arguments | _(none)_ |
| `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) | _(none)_ |
This job produces an _output variable_ that is propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
* `docker_image`: set to `$DOCKER_SNAPSHOT_IMAGE`
It may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch of tag).
If you want to use GitLab CI variables or any other variable in your Dockerfile, you can add them to `DOCKER_BUILD_ARGS` like so:
```yaml
DOCKER_BUILD_ARGS: "--build-arg CI_PROJECT_URL --build-arg MY_VAR='MY_VALUE'"
```
These variables will then be available for use in your Dockerfile:
```Dockerfile
FROM scratch
ARG CI_PROJECT_URL
ARG MY_VAR
LABEL name="my-project" \
description="My Project: $MY_VAR" \
url=$CI_PROJECT_URL \
maintainer="my-project@acme.com"
```
### `docker-healthcheck` job
:warning: this job requires that your runner has required privileges to run [Docker-in-Docker](https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor).
If it is not the case this job will not be run.
This job performs a [Health Check](https://docs.docker.com/engine/reference/builder/#healthcheck) on your built image.
It is bound to the `package-test` stage, and uses the following variables:
| Name | description | default value |
| -------------------------------------- | -------------------------------------------------------------------- | ----------------- |
| `DOCKER_HEALTHCHECK_DISABLED` | Set to disable health check | _(none: enabled by default)_ |
| `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
| `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
| `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check | _(none)_ |
In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
:warning: Keep in mind that the downloading of the snapshot image by the GitLab runner will be done during the waiting time (max `DOCKER_HEALTHCHECK_TIMEOUT`).
In case your image takes quite some time to be downloaded by the runner, increase the value of `DOCKER_HEALTHCHECK_TIMEOUT` in your `.gitlab-ci.yml` file.
### `docker-trivy` job
This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image.
:warning: As presented below, this job is enabled only if you specify a Trivy server address with the `DOCKER_TRIVY_ADDR` environment variable.
A Trivy server has been deployed internally. If you want to use it, you can add the following variable definition to you `.gitlab-ci.yml`:
```yaml
variables:
DOCKER_TRIVY_ADDR: "https://trivy.acme.host"
```
It is bound to the `package-test` stage, and uses the following variables:
| Name | description | default value |
| ---------------------- | -------------------------------------- | ----------------- |
| `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `aquasec/trivy:latest` |
| `DOCKER_TRIVY_ADDR` | The Trivy server address | _(none: disabled by default)_ |
| `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `DOCKER_TRIVY_DISABLED`| Set to disable Trivy analysis | _(none)_ |
### `docker-publish` job
This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
| Name | description | default value |
| --------------------- | --------------------------------------------------------------------------- | ----------------- |
| `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
| `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_ |
| `AUTODEPLOY_TO_PROD` | Set to enable automatic publish (and deploy) on `master` branch | _none_ (enabled) |
| `PUBLISH_ON_PROD` | Determines whether this job is enabled on `master` branch | `true`_ (enabled) |
This job produces an _output variable_ that is propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
* `docker_image`: set to `$DOCKER_RELEASE_IMAGE`
It may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch of tag).
## Examples
### Using the GitLab Docker registry
This sample is the easiest one as you just have nothing to do.
All template variables are configured by default to build and push your Docker images on the GitLab registry.
### Using an external Docker registry
With this template, you may perfectly use an external Docker registry (ex: a [JFrog Artifactory](https://www.jfrog.com/confluence/display/JFROG/Docker+Registry), a private Kubernetes registry, ...).
Here is a `.gitlab-ci.yaml` using an external Docker registry:
```yaml
include:
- project: 'Orange-OpenSource/tbc/docker'
ref: '1.0.0'
file: '/templates/gitlab-ci-docker.yml'
variables:
DOCKER_SNAPSHOT_IMAGE: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
DOCKER_RELEASE_IMAGE: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
# $DOCKER_REGISTRY_USER and $DOCKER_REGISTRY_PASSWORD are defined as secret GitLab variables
```
Depending on the Docker registry you're using, you may have to use a real password or generate a token as authentication credential.
### Building multiple Docker images
Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (uses [parallel matrix jobs](https://docs.gitlab.com/ee/ci/yaml/#parallel-matrix-jobs)):
```yaml
include:
- project: 'Orange-OpenSource/tbc/docker'
ref: '1.0.0'
file: '/templates/gitlab-ci-docker.yml'
variables:
DOCKER_DIND_BUILD: "True"
.docker-base:
parallel:
matrix:
- DOCKER_FILE: "front/Dockerfile"
DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/front/snapshot:$CI_COMMIT_REF_SLUG"
DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/front:$CI_COMMIT_REF_NAME"
- DOCKER_FILE: "back/Dockerfile"
DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back/snapshot:$CI_COMMIT_REF_SLUG"
DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back:$CI_COMMIT_REF_NAME"
```
bumpversion.sh 0 → 100755
+ 41
0
View file @ 0b00fba9
#!/usr/bin/env bash
function log_info() {
>&2 echo -e "[\\e[1;94mINFO\\e[0m] $*"
}
function log_warn() {
>&2 echo -e "[\\e[1;93mWARN\\e[0m] $*"
}
function log_error() {
>&2 echo -e "[\\e[1;91mERROR\\e[0m] $*"
}
# check number of arguments
if [[ "$#" -le 2 ]]; then
log_error "Missing arguments"
log_error "Usage: $0 <current version> <next version>"
exit 1
fi
curVer=$1
nextVer=$2
relType=$3
if [[ "$curVer" ]]; then
log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
# replace in README
sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
mv -f README.md.next README.md
# replace in template and variants
for tmpl in templates/*.yml
do
sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
mv -f "$tmpl.next" "$tmpl"
done
else
log_info "Bump version to \\e[33;1m${nextVer}\\e[0m (release type: $relType): this is the first release (skip)..."
fi
kicker.json 0 → 100644
+ 162
0
View file @ 0b00fba9
{
"name": "Docker",
"description": "Check, build, test, audit and publish a [Docker](https://www.docker.com/) image",
"template_path": "templates/gitlab-ci-docker.yml",
"kind": "package",
"variables": [
{
"name": "DOCKER_KANIKO_IMAGE",
"description": "The Docker image used to run kaniko\n\n_for kaniko build only_",
"default": "gcr.io/kaniko-project/executor:debug"
},
{
"name": "DOCKER_IMAGE",
"description": "The Docker image used to run the docker client\n\n_for Docker-in-Docker build only_",
"default": "docker:latest"
},
{
"name": "DOCKER_DIND_IMAGE",
"description": "The Docker image used to run the Docker daemon\n\n_for Docker-in-Docker build only_",
"default": "docker:dind"
},
{
"name": "DOCKER_SKOPEO_IMAGE",
"description": "The docker image used to publish docker image with Skopeo",
"default": "quay.io/skopeo/stable:latest"
},
{
"name": "DOCKER_FILE",
"description": "The path to your `Dockerfile`",
"default": "$CI_PROJECT_DIR/Dockerfile"
},
{
"name": "DOCKER_CONTEXT_PATH",
"description": "The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) - _only set if you want a context path different from the Dockerfile location_",
"advanced": true
},
{
"name": "DOCKER_SNAPSHOT_IMAGE",
"description": "Docker snapshot image",
"default": "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
},
{
"name": "DOCKER_RELEASE_IMAGE",
"description": "Docker release image",
"default": "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
},
{
"name": "DOCKER_BUILD_ARGS",
"description": "Additional docker build/kaniko arguments"
},
{
"name": "DOCKER_PUBLISH_ARGS",
"description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)"
},
{
"name": "PUBLISH_ON_PROD",
"description": "Determines whether this job is enabled on `master` branch",
"default": "true",
"type": "boolean"
},
{
"name": "DOCKER_REGISTRY_MIRROR",
"description": "URL of a Docker registry mirror to use instead of default `https://index.docker.io`"
}
],
"features": [
{
"id": "lint",
"name": "dockerfile-lint",
"description": "This job performs a [Lint](https://github.com/projectatomic/dockerfile_lint) on your `Dockerfile`.",
"enable_with": "DOCKER_LINT_ENABLED",
"variables": [
{
"name": "DOCKER_LINT_IMAGE",
"description": "The docker image to lint your Dockerfile",
"default": "projectatomic/dockerfile-lint:latest"
},
{
"name": "DOCKER_LINT_ARGS",
"description": "Additional `dockerfile_lint` arguments",
"advanced": true
}
]
},
{
"id": "hadolint",
"name": "Hadolint",
"description": "This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Dockerfile`.",
"disable_with": "DOCKER_HADOLINT_DISABLED",
"variables": [
{
"name": "DOCKER_HADOLINT_IMAGE",
"description": "The docker image to lint your Dockerfile with Hadolint",
"default": "hadolint/hadolint:latest-alpine"
},
{
"name": "DOCKER_HADOLINT_ARGS",
"description": "Additional `hadolint` arguments",
"advanced": true
}
]
},
{
"id": "dind",
"name": "Docker-in-Docker",
"description": "Use Docker-in-Docker to build the image (instead of Kaniko)\n\n_Warning: unsecured, requires privileged runners_",
"enable_with": "DOCKER_DIND_BUILD"
},
{
"id": "healthcheck",
"name": "Health Check",
"description": "[Health Check](https://docs.docker.com/engine/reference/builder/#healthcheck) image analysis",
"disable_with": "DOCKER_HEALTHCHECK_DISABLED",
"variables": [
{
"name": "DOCKER_HEALTHCHECK_TIMEOUT",
"type": "number",
"description": "When testing an image, how long (in seconds) wait for the HealthCheck status",
"default": "60",
"advanced": true
},
{
"name": "DOCKER_HEALTHCHECK_OPTIONS",
"description": "Docker options for health check such as port mapping, environment...",
"advanced": true
},
{
"name": "DOCKER_HEALTHCHECK_CONTAINER_ARGS",
"description": "Arguments sent to the running container for health check",
"advanced": true
}
]
},
{
"id": "trivy",
"name": "Trivy",
"description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
"disable_with": "DOCKER_TRIVY_DISABLED",
"variables": [
{
"name": "DOCKER_TRIVY_IMAGE",
"description": "The docker image used to scan images with Trivy",
"default": "aquasec/trivy:latest",
"advanced": true
},
{
"name": "DOCKER_TRIVY_ADDR",
"type": "url",
"description": "The Trivy server address",
"mandatory": true
},
{
"name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD",
"type": "enum",
"values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
"description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
"default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
}
]
}
]
}
logo.png 0 → 100644
+ 0
0
View file @ 0b00fba9
logo.png

18 KiB

templates/gitlab-ci-docker.yml 0 → 100644
+ 0
0
View file @ 0b00fba9
This diff is collapsed.
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment