diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index af4d514e89123e4cb8c6bb7ca07549d589c45766..1e5e8570b132893636b6480df5909bb4448ca29f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,24 +1,31 @@
+# variables in the GitLab CI/CD variables:
+ # GITLAB_TOKEN to support the semantic-release
+ # DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
+ # TMPL_RELEASE_ENABLED to enable the semantic-release job
+ # TBC_NAMESPACE: smartdatalab/public/ci-cd-components
+
include:
- - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/extract@master
+ - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
inputs:
extract-script-job-tags: ["docker"]
- - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/validation@master
+ - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
inputs:
check-links-job-tags: ["docker"]
tbc-check-job-tags: ["docker"]
tbc-check-image: cicd-docker-dev.artifact.tecnalia.com/tbc-check:master
gitlab-ci-lint-job-tags: ["docker"]
- - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/kicker/validation@master
+ - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
inputs:
kicker-validation-job-tags: ["docker"]
schema-base-url: "https://git.code.tecnalia.com/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
- - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/bash/gitlab-ci-bash@master
+ yajsv-image: "cicd-docker-dev.artifact.tecnalia.com/yajsv:latest"
+ - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
inputs:
bash-shellcheck-job-tags: ["docker"]
- - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/semantic-release/gitlab-ci-semrel@master
+ - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
inputs:
semantic-release-job-tags: ["docker"]
- - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitleaks/gitlab-ci-gitleaks@master
+ - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@master
inputs:
gitleaks-job-tags: ["docker"]
diff --git a/.gitleaksignore b/.gitleaksignore
index acbfc368f933b8cd67ddf98707c3df1e01cef275..e04e06523d44bea20b299b30d082727e6e458263 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -1 +1,2 @@
-a64568eb3639a163cb0f387257017209a85869d7:README.md:generic-api-key:181
\ No newline at end of file
+README.md:generic-api-key:181
+README.md:generic-api-key:202
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4fbc521df7e393b4f1248f103cb904c9335b76ce..7a83c4dc79ac1405288e25bd6046f47e10f77dac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,11 @@
-# [5.11.0](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.3...5.11.0) (2024-07-26)
-### Features
+## [5.11.1](https://gitlab.com/to-be-continuous/docker/compare/5.11.0...5.11.1) (2024-08-13)
+
+
+### Bug Fixes
-* display tools' version ([9fa5118](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/9fa51183755b94e02af9a3151eccc5ba9be75b15))
+* **build:** support metadata labels and build command arguments containing spaces ([ac391c3](https://gitlab.com/to-be-continuous/docker/commit/ac391c3aa1b7811abddeef0e68a2916669687036))
# [5.11.0](https://gitlab.com/to-be-continuous/docker/compare/5.10.3...5.11.0) (2024-07-05)
diff --git a/README.md b/README.md
index 1740c66ea3f3fd7ee78772f0219e77d71d270b67..71b3daac4e704a7125b88a88b703a737e2fad620 100644
--- a/README.md
+++ b/README.md
@@ -4,17 +4,17 @@ This project implements a GitLab CI/CD template to build, check and inspect your
## Usage
-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration)
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component)
or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
### Use as a CI/CD component
-Add the following to your `gitlab-ci.yml`:
+Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.2
+ - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@5.12.0
# 2: set/override component inputs
inputs:
build-tool: buildah # ⚠ this is only an example
@@ -22,13 +22,13 @@ include:
### Use as a CI/CD template (legacy)
-Add the following to your `gitlab-ci.yml`:
+Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the template
- project: 'to-be-continuous/docker'
- ref: '5.10.2'
+ ref: '5.12.0'
file: '/templates/gitlab-ci-docker.yml'
variables:
@@ -41,11 +41,11 @@ variables:
The template supports following ways of building container images:
1. The former **Docker-in-Docker (DinD)** technique, that was widely used for years because of no other alternative, but that
- is now commonly recognized to have **significant security issues** ([read this post](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) for more info),
+ is now commonly recognized to have **significant security issues** ([read this post](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) for more info),
2. Or using [kaniko](https://github.com/GoogleContainerTools/kaniko), an open-source, daemonless tool from Google for building Docker
- images, and that solves Docker-in-Docker security issues (and also speeds-up build times).
+ images, and that solves Docker-in-Docker security issues (and also speeds-up build times).
3. Or using [buildah](https://buildah.io/), an open-source, daemonless tool backed by RedHat for building Docker
- images, and that solves Docker-in-Docker security issues (and also speeds-up build times), and can also be configured to run rootless.
+ images, and that solves Docker-in-Docker security issues (and also speeds-up build times), and can also be configured to run rootless.
By default, the template uses the [kaniko](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html) way, but you may
select an alternate build tool by using the `DOCKER_BUILD_TOOL` variable (see below).
@@ -56,24 +56,23 @@ select an alternate build tool by using the `DOCKER_BUILD_TOOL` variable (see be
The Docker template uses some global configuration used throughout all jobs.
-| Input / Variable | Description | Default value |
-| --------------------- | -------------------------------------- | ----------------- |
-| `build-tool` / `DOCKER_BUILD_TOOL` | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind` | `kaniko` |
-| `kaniko-image` / `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
-| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable` |
-| `image` / `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest` |
-| `dind-image` / `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind` |
-| `file` / `DOCKER_FILE` | The path to your `Dockerfile` | `Dockerfile` |
-| `context-path` / `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ |
+| Input / Variable | Description | Default value |
+| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| `build-tool` / `DOCKER_BUILD_TOOL` | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind` | `kaniko` |
+| `kaniko-image` / `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
+| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable` |
+| `image` / `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest` |
+| `dind-image` / `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind` |
+| `file` / `DOCKER_FILE` | The path to your `Dockerfile` | `Dockerfile` |
+| `context-path` / `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ |
In addition to this, the template supports _standard_ Linux proxy variables:
| Input / Variable | Description | Default value |
-| --------------------- | ------------------------------------------- | ------------- |
-| `http_proxy` | Proxy used for http requests | _none_ |
-| `https_proxy` | Proxy used for https requests | _none_ |
-| `no_proxy` | List of comma-separated hosts/host suffixes | _none_ |
-
+| ---------------- | ------------------------------------------- | ------------- |
+| `http_proxy` | Proxy used for http requests | _none_ |
+| `https_proxy` | Proxy used for https requests | _none_ |
+| `no_proxy` | List of comma-separated hosts/host suffixes | _none_ |
### Images
@@ -81,32 +80,32 @@ For each Dockerfile, the template builds an image that may be [pushed](https://d
as two distinct images, depending on a certain _workflow_:
1. **snapshot**: the image is first built from the Dockerfile and then pushed to some Docker registry as
- the **snapshot** image. It can be seen as the raw result of the build, but still **untested and unreliable**.
+ the **snapshot** image. It can be seen as the raw result of the build, but still **untested and unreliable**.
2. **release**: once the snapshot image has been thoroughly tested (both by `package-test` stage jobs and/or `acceptance`
- stage jobs after being deployed to some server), then the image is pushed one more time as the **release** image.
- This second push can be seen as the **promotion** of the snapshot image being now **tested and reliable**.
+ stage jobs after being deployed to some server), then the image is pushed one more time as the **release** image.
+ This second push can be seen as the **promotion** of the snapshot image being now **tested and reliable**.
In practice:
-* the **snapshot** image is **always pushed** by the template (pipeline triggered by a Git tag or commit on any branch),
-* the **release** image is only pushed:
- * on a pipeline triggered by a Git tag,
- * on a pipeline triggered by a Git commit on `master`.
+- the **snapshot** image is **always pushed** by the template (pipeline triggered by a Git tag or commit on any branch),
+- the **release** image is only pushed:
+ - on a pipeline triggered by a Git tag,
+ - on a pipeline triggered by a Git commit on `master`.
The **snapshot** and **release** images are defined by the following variables:
-| Input / Variable | Description | Default value |
-| ------------------------- | --------------------- | ------------------------------------------------- |
+| Input / Variable | Description | Default value |
+| ------------------------------------------ | --------------------- | ------------------------------------------------- |
| `snapshot-image` / `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
-| `release-image` / `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
+| `release-image` / `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
As you can see, the Docker template is configured by default to use the GitLab container registry.
You may perfectly override this and use another Docker registry, but be aware of a few things:
-* the `DOCKER_SNAPSHOT_IMAGE` requires a Docker registry that allows tag overwrite,
-* the `DOCKER_RELEASE_IMAGE` _may_ use a Docker registry that doesn't allow tag overwrite, but:
- 1. you should avoid overwriting a Git tag (at it will obviously fail while trying to (re)push the Docker image),
- 2. you have to deactivate publish on `main` (or `master`) branch by setting the `$DOCKER_PROD_PUBLISH_STRATEGY` variable to `none` (as it would lead to the `main` tag being overwritten).
+- the `DOCKER_SNAPSHOT_IMAGE` requires a Docker registry that allows tag overwrite,
+- the `DOCKER_RELEASE_IMAGE` _may_ use a Docker registry that doesn't allow tag overwrite, but:
+ 1. you should avoid overwriting a Git tag (at it will obviously fail while trying to (re)push the Docker image),
+ 2. you have to deactivate publish on `main` (or `master`) branch by setting the `$DOCKER_PROD_PUBLISH_STRATEGY` variable to `none` (as it would lead to the `main` tag being overwritten).
### Registries and credentials
@@ -121,38 +120,38 @@ If you use the **same registry** for both snapshot and release images, you shall
variables:
-| Input / Variable | Description |
-| -------------------------------- | -------------------------------------- |
-| :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry |
-| :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry |
+| Input / Variable | Description |
+| --------------------------------- | ------------------------------------------- |
+| :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry |
+| :lock: `DOCKER_REGISTRY_PASSWORD` | Docker registry password for image registry |
#### Using different registries for snapshot and release
If you use **different registries** for snapshot and release images, you shall use separate configuration variables:
-| Input / Variable | Description |
-| ---------------------------------------- | -------------------------------------- |
-| :lock: `DOCKER_REGISTRY_SNAPSHOT_USER` | Docker registry username for snapshot image registry |
-| :lock: `DOCKER_REGISTRY_SNAPSHOT_PASSWORD`| Docker registry password for snapshot image registry |
-| :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry |
-| :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD`| Docker registry password for release image registry |
+| Input / Variable | Description |
+| ------------------------------------------ | ---------------------------------------------------- |
+| :lock: `DOCKER_REGISTRY_SNAPSHOT_USER` | Docker registry username for snapshot image registry |
+| :lock: `DOCKER_REGISTRY_SNAPSHOT_PASSWORD` | Docker registry password for snapshot image registry |
+| :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry |
+| :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD` | Docker registry password for release image registry |
#### Setting your own Docker configuration file (advanced)
There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files):
-* need to declare authentication credentials for other registries than the 2 predefined ones (snapshot & release),
-* need to declare a [credentials store](https://docs.docker.com/engine/reference/commandline/login/#credentials-store) (ex: in order to [publish to Amazon ECR](https://github.com/GoogleContainerTools/kaniko#pushing-to-amazon-ecr) with Kaniko for instance),
-* need to declare [proxies](https://docs.docker.com/engine/reference/commandline/cli/#automatic-proxy-configuration-for-containers),
-* ...
+- need to declare authentication credentials for other registries than the 2 predefined ones (snapshot & release),
+- need to declare a [credentials store](https://docs.docker.com/engine/reference/commandline/login/#credentials-store) (ex: in order to [publish to Amazon ECR](https://github.com/GoogleContainerTools/kaniko#pushing-to-amazon-ecr) with Kaniko for instance),
+- need to declare [proxies](https://docs.docker.com/engine/reference/commandline/cli/#automatic-proxy-configuration-for-containers),
+- ...
If you are in one of those cases, you will need to use the `DOCKER_CONFIG_FILE` variable, expected to declare the path to your custom Docker configuration file (JSON). You may:
-* leave the default value (`.docker/config.json`) or override it to some alternate location in your project repository and create the file **without any secret in it** using our dynamic variables replacement (see below),
-* or override it as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types), possibly inlining your secret credentials in it.
+- leave the default value (`.docker/config.json`) or override it to some alternate location in your project repository and create the file **without any secret in it** using our dynamic variables replacement (see below),
+- or override it as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types), possibly inlining your secret credentials in it.
-| Input / Variable | Description | Default value |
-| ------------------------- | --------------------- | ------------------------------------------------- |
+| Input / Variable | Description | Default value |
+| ------------------------------------ | -------------------------------------------- | --------------------- |
| `config-file` / `DOCKER_CONFIG_FILE` | Path to the Docker configuration file (JSON) | `.docker/config.json` |
Moreover, this file supports **dynamic environment variables replacement**.
@@ -160,57 +159,56 @@ That means it may contain references to other environment variables (in the form
by the template before evaluation.
In addition to you own defined variables, you may use the following variables (provided and managed by the template):
-* `${docker_snapshot_authent_token}`: the authentication token required by the snapshot registry (computed from configured `DOCKER_REGISTRY_SNAPSHOT_USER` / `DOCKER_REGISTRY_SNAPSHOT_PASSWORD` variables)
-* `${docker_snapshot_registry_host}`: the snapshot registry host (based on the configured `DOCKER_SNAPSHOT_IMAGE ` variable)
-* `${docker_release_authent_token}`: the authentication token required by the release registry (computed from configured `DOCKER_REGISTRY_RELEASE_USER` / `DOCKER_REGISTRY_RELEASE_PASSWORD` variables)
-* `${docker_release_registry_host}`: the release registry host (based on the configured `DOCKER_RELEASE_IMAGE ` variable)
+- `${docker_snapshot_authent_token}`: the authentication token required by the snapshot registry (computed from configured `DOCKER_REGISTRY_SNAPSHOT_USER` / `DOCKER_REGISTRY_SNAPSHOT_PASSWORD` variables)
+- `${docker_snapshot_registry_host}`: the snapshot registry host (based on the configured `DOCKER_SNAPSHOT_IMAGE` variable)
+- `${docker_release_authent_token}`: the authentication token required by the release registry (computed from configured `DOCKER_REGISTRY_RELEASE_USER` / `DOCKER_REGISTRY_RELEASE_PASSWORD` variables)
+- `${docker_release_registry_host}`: the release registry host (based on the configured `DOCKER_RELEASE_IMAGE` variable)
Example 1: Docker configuration file inlined in the project repository (`.docker/config.json`) with **dynamic variables replacement**:
```json
{
- "auths": {
- "${docker_snapshot_registry_host}": {
- "auth": "${docker_release_authent_token}"
- },
- "${docker_release_registry_host}": {
- "auth": "${docker_snapshot_authent_token}"
- },
- "my-readonly-repo-to-pull": {
- "auth": "${MY_OWN_REGISTRY_TOKEN}"
- }
+ "auths": {
+ "${docker_snapshot_registry_host}": {
+ "auth": "${docker_release_authent_token}"
+ },
+ "${docker_release_registry_host}": {
+ "auth": "${docker_snapshot_authent_token}"
+ },
+ "my-readonly-repo-to-pull": {
+ "auth": "${MY_OWN_REGISTRY_TOKEN}"
}
+ }
}
```
This file uses:
-* template-managed `${docker_snapshot_authent_token}`, `${docker_snapshot_registry_host}`, `${docker_release_authent_token}` and `${docker_release_registry_host}` variables,
-* the user-defined `${MY_OWN_REGISTRY_TOKEN}` (:information_source: an authentication token can be obtained with command `echo "user:password" | base64` and then be stored as a masked GitLab CI/CD project variable).
+- template-managed `${docker_snapshot_authent_token}`, `${docker_snapshot_registry_host}`, `${docker_release_authent_token}` and `${docker_release_registry_host}` variables,
+- the user-defined `${MY_OWN_REGISTRY_TOKEN}` (:information_source: an authentication token can be obtained with command `echo "user:password" | base64` and then be stored as a masked GitLab CI/CD project variable).
Example 2: Docker configuration file declared as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types) with **dynamic variables replacement**:
-
```json
{
- "auths": {
- "$${docker_snapshot_registry_host}": {
- "auth": "$${docker_release_authent_token}"
- },
- "$${docker_release_registry_host}": {
- "auth": "$${docker_snapshot_authent_token}"
- },
- "my-readonly-repo-to-pull": {
- "auth": "ZG9ja2VyZHVkZTpnb3RjaGEh"
- }
+ "auths": {
+ "$${docker_snapshot_registry_host}": {
+ "auth": "$${docker_release_authent_token}"
+ },
+ "$${docker_release_registry_host}": {
+ "auth": "$${docker_snapshot_authent_token}"
+ },
+ "my-readonly-repo-to-pull": {
+ "auth": "ZG9ja2VyZHVkZTpnb3RjaGEh"
}
+ }
}
```
This file uses:
-* template-managed `${docker_snapshot_authent_token}`, `${docker_snapshot_registry_host}`, `${docker_release_authent_token}` and `${docker_release_registry_host}` variables (:warning: mind the double `$$` to prevent GitLab from [trying to evaluate the variable](https://docs.gitlab.com/ee/ci/variables/index.html#use-the--character-in-variables)),
-* the user-defined authentication may be inlined as a GitLab project variable is a place safe enough to store secrets.
+- template-managed `${docker_snapshot_authent_token}`, `${docker_snapshot_registry_host}`, `${docker_release_authent_token}` and `${docker_release_registry_host}` variables (:warning: mind the double `$$` to prevent GitLab from [trying to evaluate the variable](https://docs.gitlab.com/ee/ci/variables/index.html#use-the--character-in-variables)),
+- the user-defined authentication may be inlined as a GitLab project variable is a place safe enough to store secrets.
## Multi Dockerfile support
@@ -231,12 +229,12 @@ You can do so by adding a patch to the `.docker-base` job in your `.gitlab-ci.ym
.docker-base:
parallel:
matrix:
- - DOCKER_FILE: "front/Dockerfile"
- DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/front:$CI_COMMIT_REF_SLUG"
- DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/front:$CI_COMMIT_REF_NAME"
- - DOCKER_FILE: "back/Dockerfile"
- DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/back:$CI_COMMIT_REF_SLUG"
- DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/back:$CI_COMMIT_REF_NAME"
+ - DOCKER_FILE: "front/Dockerfile"
+ DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/front:$CI_COMMIT_REF_SLUG"
+ DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/front:$CI_COMMIT_REF_NAME"
+ - DOCKER_FILE: "back/Dockerfile"
+ DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/back:$CI_COMMIT_REF_SLUG"
+ DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/back:$CI_COMMIT_REF_NAME"
```
If you need to redefine a variable with the same value for all your Dockerfiles, you can just declare this variable as a global variable. For example, if you want to build all your images using `buildah`, you can simply define the `DOCKER_BUILD_TOOL` variable as a global variable with value `buildah`:
@@ -250,14 +248,14 @@ variables:
Here are some advices about your **secrets** (variables marked with a :lock:):
-1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-project):
- * [**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
- displayed in your job logs,
- * [**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets
- you don't want everyone in the project to have access to (for instance production secrets).
+1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project):
+ - [**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
+ displayed in your job logs,
+ - [**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets
+ you don't want everyone in the project to have access to (for instance production secrets).
2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable),
- simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
- it will then be possible to mask it and the template will automatically decode it prior to using it.
+ simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
+ it will then be possible to mask it and the template will automatically decode it prior to using it.
3. Don't forget to escape special characters (ex: `$` -> `$$`).
## Jobs
@@ -289,10 +287,10 @@ RUN cd /tmp && echo "hello!"
In addition to a textual report in the console, this job produces the following reports, kept for one day:
-| Report | Format | Usage |
-| -------------- | ---------------------------------------------------------------------------- | ----------------- |
-| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
-| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
+| Report | Format | Usage |
+| -------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
### `docker-*-build` jobs
@@ -314,13 +312,13 @@ It is bound to the `package-build` stage, and uses the following variables:
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
-| Input / Variable | Description | Example |
-| --------------------- | ------------------------------------------------------ | --------------------------------------- |
-| `docker_image` | snapshot image name **with tag** | `registry.gitlab.com/acme/website/snapshot:main` |
+| Input / Variable | Description | Example |
+| --------------------- | ------------------------------------------------------ | -------------------------------------------------------------- |
+| `docker_image` | snapshot image name **with tag** | `registry.gitlab.com/acme/website/snapshot:main` |
| `docker_image_digest` | snapshot image name **with digest** (no tag) | `registry.gitlab.com/acme/website/snapshot@sha256:b7914a91...` |
-| `docker_repository` | snapshot image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website/snapshot` |
-| `docker_tag` | snapshot image tag | `main` |
-| `docker_digest` | snapshot image digest | `sha256:b7914a91...` |
+| `docker_repository` | snapshot image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website/snapshot` |
+| `docker_tag` | snapshot image tag | `main` |
+| `docker_digest` | snapshot image digest | `sha256:b7914a91...` |
They may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch or tag).
@@ -362,6 +360,21 @@ You may disable this feature by setting `DOCKER_METADATA` to empty or you can ov
DOCKER_BUILD_ARGS: "--label org.opencontainers.image.title=my-project"
```
+If a label contains spaces then quotes need to be correctly escaped:
+
+```yaml
+DOCKER_BUILD_ARGS: '--label "org.opencontainers.image.title=my project"'
+```
+
+or
+
+```yaml
+DOCKER_BUILD_ARGS: |-
+ --label "org.opencontainers.image.title=my project"
+```
+
+The `DOCKER_METADATA` variable can be overwritten in a similar way, but you will need to ensure that **all** relevant values are added.
+
If you have defined one of those labels in the Dockerfile, the final value will depend if image is built with Kaniko or Docker in Docker. With Kaniko, the value of the Dockerfile take precedence, while with DinD command-line argument take precedence.
### `docker-healthcheck` job
@@ -381,7 +394,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check | _(none)_ |
| `healthcheck-job-tags` / `DOCKER_HEALTHCHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
-In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
+In case your Docker image is not intended to run as a service and only contains a _client tool_ (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
:warning: Keep in mind that the downloading of the snapshot image by the GitLab runner will be done during the waiting time (max `DOCKER_HEALTHCHECK_TIMEOUT`).
In case your image takes quite some time to be downloaded by the runner, increase the value of `DOCKER_HEALTHCHECK_TIMEOUT` in your `.gitlab-ci.yml` file.
@@ -414,10 +427,10 @@ It is bound to the `package-test` stage, and uses the following variables:
In addition to a textual report in the console, this job produces the following reports, kept for one day:
-| Report | Format | Usage |
-| -------------- | ---------------------------------------------------------------------------- | ----------------- |
-| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
-| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
+| Report | Format | Usage |
+| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
### `docker-sbom` job
@@ -448,13 +461,13 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
-| Input / Variable | Description | Example |
-| --------------------- | ----------------------------------------------------- | --------------------------------------- |
-| `docker_image` | release image name **with tag** | `registry.gitlab.com/acme/website:main` |
+| Input / Variable | Description | Example |
+| --------------------- | ----------------------------------------------------- | ----------------------------------------------------- |
+| `docker_image` | release image name **with tag** | `registry.gitlab.com/acme/website:main` |
| `docker_image_digest` | release image name **with digest** (no tag) | `registry.gitlab.com/acme/website@sha256:b7914a91...` |
-| `docker_repository` | release image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website` |
-| `docker_tag` | release image tag | `main` |
-| `docker_digest` | release image digest | `sha256:b7914a91...` |
+| `docker_repository` | release image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website` |
+| `docker_tag` | release image tag | `main` |
+| `docker_digest` | release image digest | `sha256:b7914a91...` |
They may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch or tag).
@@ -462,26 +475,26 @@ They may be freely used in downstream jobs (for instance to deploy the upstream
When publishing the _release_ image, the Docker template might publish it again with additional tags (aliases):
-* the original published image tag (extracted from `$DOCKER_RELEASE_IMAGE`) must match `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` ([semantic versioning](https://semver.org/) pattern by default),
-* extra tags to publish can be defined in the `$DOCKER_RELEASE_EXTRA_TAGS` variable, each separated with a whitespace.
+- the original published image tag (extracted from `$DOCKER_RELEASE_IMAGE`) must match `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` ([semantic versioning](https://semver.org/) pattern by default),
+- extra tags to publish can be defined in the `$DOCKER_RELEASE_EXTRA_TAGS` variable, each separated with a whitespace.
:information_source: the Docker template supports [group references substitution](https://learnbyexample.github.io/py_regular_expressions/groupings-and-backreferences.html) to evaluate extra tags:
-* `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` supports capturing groups:
- * `v([0-9]+)\.([0-9]+)\.([0-9]+)` has 3 (unnamed) capturing groups, each capturing any number of digits
- * `v(?<major>[0-9]+)\.(?<minor>[0-9]+)\.(?<patch>[0-9]+)` has 3 **named** capturing groups (_major_, _minor_ and _patch_), each capturing any number of digits
-* `$DOCKER_RELEASE_EXTRA_TAGS` supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN`:
- * `\g1` is a reference to capturing group number 1
- * `\g<major>` is a reference to capturing group named _major_
+- `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` supports capturing groups:
+ - `v([0-9]+)\.([0-9]+)\.([0-9]+)` has 3 (unnamed) capturing groups, each capturing any number of digits
+ - `v(?<major>[0-9]+)\.(?<minor>[0-9]+)\.(?<patch>[0-9]+)` has 3 **named** capturing groups (_major_, _minor_ and _patch_), each capturing any number of digits
+- `$DOCKER_RELEASE_EXTRA_TAGS` supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN`:
+ - `\g1` is a reference to capturing group number 1
+ - `\g<major>` is a reference to capturing group named _major_
:information_source: the default value of `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` matches and captures all parts of a standard [semantic versioning](https://semver.org/)-compliant tag:
-* the **major** group captures the major version
-* the **minor** group captures the minor version
-* the **patch** group captures the patch version
-* the **prerelease** group captures the (optional) pre-release version (including the leading `-`)
-* the **build** group captures the (optional) build version (including the leading `+`)
-* the **suffix** group captures the (optional) entire suffix (including pre-release and/or build)
+- the **major** group captures the major version
+- the **minor** group captures the minor version
+- the **patch** group captures the patch version
+- the **prerelease** group captures the (optional) pre-release version (including the leading `-`)
+- the **build** group captures the (optional) build version (including the leading `+`)
+- the **suffix** group captures the (optional) entire suffix (including pre-release and/or build)
Example: publish latest, major.minor and major aliases for a SemVer release:
@@ -493,21 +506,21 @@ variables:
With this contiguration, the following extra tags would be published:
-| original tag | extra tags |
-| --------------------- | ---------- |
-| `main` | _none_ (doesn't match `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN`) |
-| `some-manual-tag` | _none_ (doesn't match `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN`) |
-| `1.2.3` | `latest`, `1.2`, `1` |
-| `1.2.3-alpha.12` | `latest`, `1.2`, `1` |
-| `1.2.3+linux` | `latest`, `1.2+linux`, `1+linux` |
-| `1.2.3-alpha.12+linux`| `latest`, `1.2+linux`, `1+linux` |
+| original tag | extra tags |
+| ---------------------- | ----------------------------------------------------------- |
+| `main` | _none_ (doesn't match `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN`) |
+| `some-manual-tag` | _none_ (doesn't match `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN`) |
+| `1.2.3` | `latest`, `1.2`, `1` |
+| `1.2.3-alpha.12` | `latest`, `1.2`, `1` |
+| `1.2.3+linux` | `latest`, `1.2+linux`, `1+linux` |
+| `1.2.3-alpha.12+linux` | `latest`, `1.2+linux`, `1+linux` |
#### `semantic-release` integration
If you activate the [`semantic-release-info` job from the `semantic-release` template](https://gitlab.com/to-be-continuous/semantic-release/#semantic-release-info-job), the `docker-publish` job will rely on the generated next version info.
-* the release will only be performed if a semantic release is present
-* the tag will be based on `SEMREL_INFO_NEXT_VERSION`, it will override `DOCKER_RELEASE_IMAGE` by simply substituting the tag, or adding a tag when there's none.
+- the release will only be performed if a semantic release is present
+- the tag will be based on `SEMREL_INFO_NEXT_VERSION`, it will override `DOCKER_RELEASE_IMAGE` by simply substituting the tag, or adding a tag when there's none.
For instance, in both cases:
@@ -515,9 +528,10 @@ For instance, in both cases:
DOCKER_RELEASE_IMAGE: "registry.gitlab.com/$CI_PROJECT_NAME"
DOCKER_RELEASE_IMAGE: "registry.gitlab.com/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
```
+
The published Docker image will be `registry.gitlab.com/$CI_PROJECT_NAME:$SEMREL_INFO_NEXT_VERSION` and all subsequent jobs relying on the `docker_image` variable will be provided with this tag.
-:warning: When `semantic-release` detects no release (i.e. either the semantic-release template is misconfigured, or there were simply no `feat`/`fix` commits), the `docker-publish` job will report a warning and *no image will be pushed* in the release registry. In such a case, the `docker_image` remains unchanged, and will refer to the snapshot image. Any subsequent job that may deploy to production (Kubernetes or Openshift), should thus be configured *not to deploy* in this situation. Refer to deployment template for more information.
+:warning: When `semantic-release` detects no release (i.e. either the semantic-release template is misconfigured, or there were simply no `feat`/`fix` commits), the `docker-publish` job will report a warning and _no image will be pushed_ in the release registry. In such a case, the `docker_image` remains unchanged, and will refer to the snapshot image. Any subsequent job that may deploy to production (Kubernetes or Openshift), should thus be configured _not to deploy_ in this situation. Refer to deployment template for more information.
Finally, the semantic-release integration can be disabled with the `DOCKER_SEMREL_RELEASE_DISABLED` variable.
@@ -537,7 +551,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
```yaml
include:
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
inputs:
snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
@@ -552,17 +566,17 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u
```yaml
include:
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
.docker-base:
parallel:
matrix:
- - DOCKER_FILE: "front/Dockerfile"
- DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/front/snapshot:$CI_COMMIT_REF_SLUG"
- DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/front:$CI_COMMIT_REF_NAME"
- - DOCKER_FILE: "back/Dockerfile"
- DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/back/snapshot:$CI_COMMIT_REF_SLUG"
- DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/back:$CI_COMMIT_REF_NAME"
+ - DOCKER_FILE: "front/Dockerfile"
+ DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/front/snapshot:$CI_COMMIT_REF_SLUG"
+ DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/front:$CI_COMMIT_REF_NAME"
+ - DOCKER_FILE: "back/Dockerfile"
+ DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/back/snapshot:$CI_COMMIT_REF_SLUG"
+ DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE/back:$CI_COMMIT_REF_NAME"
```
## Variants
@@ -577,13 +591,13 @@ This variant allows delegating your secrets management to a [Vault](https://www.
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
-| Input / Variable | Description | Default value |
-| ----------------- | -------------------------------------- | ----------------- |
-| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
-| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ |
-| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
-| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
-| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
+| Input / Variable | Description | Default value |
+| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
+| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ |
+| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
+| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
+| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
#### Usage
@@ -595,9 +609,9 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
With:
-| Parameter | Description |
-| -------------------------------- | -------------------------------------- |
-| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
+| Parameter | Description |
+| -------------------------------- | --------------------------------------------------------------------- |
+| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
#### Example
@@ -605,9 +619,9 @@ With:
```yaml
include:
# main template
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
# Vault variant
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
inputs:
# audience claim for JWT
vault-oidc-aud: "https://vault.acme.host"
@@ -636,16 +650,16 @@ List of requirements before using this variant for publishing your container ima
#### Configuration
-| Input / Variable | Description | Default value |
-| ------------------------ | -------------------------------------- | ----------------- |
-| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest` |
-| `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
-| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
-| `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
-| `gcp-snapshot-oidc-provider` / `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define to override default)_ | _none_ |
-| `gcp-snapshot-oidc-account` / `GCP_SNAPSHOT_OIDC_ACCOUNT` | Service Account to use to push the snapshot image _(only define to override default)_ | _none_ |
-| `gcp-release-oidc-provider` / `GCP_RELEASE_OIDC_PROVIDER` | Workload Identity Provider to push the release image _(only define to override default)_ | _none_ |
-| `gcp-release-oidc-account` / `GCP_RELEASE_OIDC_ACCOUNT` | Service Account to use to push the release image _(only define to override default)_ | _none_ |
+| Input / Variable | Description | Default value |
+| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
+| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest` |
+| `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
+| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
+| `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
+| `gcp-snapshot-oidc-provider` / `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define to override default)_ | _none_ |
+| `gcp-snapshot-oidc-account` / `GCP_SNAPSHOT_OIDC_ACCOUNT` | Service Account to use to push the snapshot image _(only define to override default)_ | _none_ |
+| `gcp-release-oidc-provider` / `GCP_RELEASE_OIDC_PROVIDER` | Workload Identity Provider to push the release image _(only define to override default)_ | _none_ |
+| `gcp-release-oidc-account` / `GCP_RELEASE_OIDC_ACCOUNT` | Service Account to use to push the release image _(only define to override default)_ | _none_ |
:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
to use the snapshot image repository (will host your snapshot image as well as cached layers).
@@ -654,7 +668,7 @@ to use the snapshot image repository (will host your snapshot image as well as c
```yaml
include:
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
inputs:
build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
# untested & unverified container image
@@ -662,7 +676,7 @@ include:
# ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko
# validated container image (published)
release-image: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-gcp@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-gcp@5.7.0
inputs:
# default WIF provider
gcp-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
@@ -690,12 +704,12 @@ In order to use the AWS APIs, the variant supports two authentication methods:
#### Configuration
-| Input / Variable | Description | Default value |
-| ------------------------ | -------------------------------------- | ----------------- |
-| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest` |
-| `aws-region` / `AWS_REGION` | Default region (where the ECR registry is located) | _none_ |
-| `aws-snapshot-region` / `AWS_SNAPSHOT_REGION` | Region of the ECR registry for the snapshot image _(only define to override default)_ | _none_ |
-| `aws-release-region` / `AWS_RELEASE_REGION` | Region of the ECR registry for the release image _(only define to override default)_ | _none_ |
+| Input / Variable | Description | Default value |
+| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
+| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest` |
+| `aws-region` / `AWS_REGION` | Default region (where the ECR registry is located) | _none_ |
+| `aws-snapshot-region` / `AWS_SNAPSHOT_REGION` | Region of the ECR registry for the snapshot image _(only define to override default)_ | _none_ |
+| `aws-release-region` / `AWS_RELEASE_REGION` | Region of the ECR registry for the release image _(only define to override default)_ | _none_ |
:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
to use the snapshot image repository (will host your snapshot image as well as cached layers).
@@ -705,36 +719,36 @@ to use the snapshot image repository (will host your snapshot image as well as c
This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
then set the required configuration.
-| Input / Variable | Description | Default value |
-| ------------------------ | -------------------------------------- | ----------------- |
-| `aws-oidc-aud` / `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
-| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab | _none_ |
-| `aws-snapshot-oidc-role-arn` / `AWS_SNAPSHOT_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the snapshot image _(only define to override default)_| _none_ |
-| `aws-release-oidc-role-arn` / `AWS_RELEASE_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the release image _(only define to override default)_| _none_ |
+| Input / Variable | Description | Default value |
+| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ---------------- |
+| `aws-oidc-aud` / `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
+| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab | _none_ |
+| `aws-snapshot-oidc-role-arn` / `AWS_SNAPSHOT_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the snapshot image _(only define to override default)_ | _none_ |
+| `aws-release-oidc-role-arn` / `AWS_RELEASE_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the release image _(only define to override default)_ | _none_ |
##### Basic authentication config
-| Variable | Description | Default value |
-| ------------------------ | -------------------------------------- | ----------------- |
-| :lock: `AWS_ACCESS_KEY_ID` | Default access key ID | _none_ (disabled) |
-| :lock: `AWS_SECRET_ACCESS_KEY` | Default secret access key | _none_ (disabled) |
-| :lock: `AWS_SNAPSHOT_ACCESS_KEY_ID`| Access key ID for the snapshot image _(only define to override default)_ | _none_ |
-| :lock: `AWS_SNAPSHOT_SECRET_ACCESS_KEY`| Secret access key for the snapshot image _(only define to override default)_ | _none_ |
-| :lock: `AWS_RELEASE_ACCESS_KEY_ID`| Access key ID for the release image _(only define to override default)_ | _none_ |
-| :lock: `AWS_RELEASE_SECRET_ACCESS_KEY`| Secret access key for the release image _(only define to override default)_ | _none_ |
+| Variable | Description | Default value |
+| --------------------------------------- | ---------------------------------------------------------------------------- | ----------------- |
+| :lock: `AWS_ACCESS_KEY_ID` | Default access key ID | _none_ (disabled) |
+| :lock: `AWS_SECRET_ACCESS_KEY` | Default secret access key | _none_ (disabled) |
+| :lock: `AWS_SNAPSHOT_ACCESS_KEY_ID` | Access key ID for the snapshot image _(only define to override default)_ | _none_ |
+| :lock: `AWS_SNAPSHOT_SECRET_ACCESS_KEY` | Secret access key for the snapshot image _(only define to override default)_ | _none_ |
+| :lock: `AWS_RELEASE_ACCESS_KEY_ID` | Access key ID for the release image _(only define to override default)_ | _none_ |
+| :lock: `AWS_RELEASE_SECRET_ACCESS_KEY` | Secret access key for the release image _(only define to override default)_ | _none_ |
#### Example
```yaml
include:
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
inputs:
# untested & unverified container image
snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG/snapshot:$CI_COMMIT_REF_SLUG"
# ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko
# validated container image (published)
release-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG:$CI_COMMIT_REF_NAME"
- - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-ecr@5.7.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-ecr@5.7.0
inputs:
# default Role ARN (using OIDC authentication method)
aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci"
diff --git a/kicker.json b/kicker.json
index 3893cd823110539c447749b02e61f8d4ada48290..e6e285a9a6fe5ce015e8e297e5a612b37112c052 100644
--- a/kicker.json
+++ b/kicker.json
@@ -77,12 +77,12 @@
},
{
"name": "DOCKER_BUILD_ARGS",
- "description": "Additional docker/kaniko/buildah build arguments"
+ "description": "Additional docker/kaniko/buildah build arguments.\n\n_If values contain spaces, ensure any required quote are correctly escaped when needed (not supported for Kaniko)_"
},
{
"name": "DOCKER_METADATA",
- "description": "Additional metadata to set as labels",
- "default": "--label org.opencontainers.image.url=${CI_PROJECT_URL} --label org.opencontainers.image.source=${CI_PROJECT_URL} --label org.opencontainers.image.title=${CI_PROJECT_PATH} --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME} --label org.opencontainers.image.revision=${CI_COMMIT_SHA} --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}",
+ "description": "Additional metadata to set as labels.\n\nIf values contain spaces, ensure any required quote are correctly escaped when needed (not supported for Kaniko)_",
+ "default": "--label \"org.opencontainers.image.url=${CI_PROJECT_URL}\" --label \"org.opencontainers.image.source=${CI_PROJECT_URL}\" --label \"org.opencontainers.image.title=${CI_PROJECT_PATH}\" --label \"org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}\" --label \"org.opencontainers.image.revision=${CI_COMMIT_SHA}\" --label \"org.opencontainers.image.created=${CI_JOB_STARTED_AT}\"",
"advanced": true
},
{
@@ -148,6 +148,11 @@
"type": "array",
"default": [],
"advanced": true
+ },
+ {
+ "name": "DOCKER_PUSH_ARGS",
+ "description": "Additional docker/buildah `push` arguments (executed right after `build`).\n\nEx: `--compression-format zstd --compression-level 20`",
+ "advanced": true
}
],
"features": [
diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml
index 9db80cd9a1cc7e56a9391049f8639116b5d7af11..fee78fe138af70333e626874990b7cdab94c5f8a 100644
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -45,7 +45,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.11.0"]
+ command: ["--service", "docker", "5.12.0"]
- name: "$TBC_AWS_PROVIDER_IMAGE"
alias: "aws-auth-provider"
id_tokens:
diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml
index 10280f80f4df9332031c58da249d71c5d596bd43..3632573329fcbdf23a6a88be6eb6249d81e23d88 100644
--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -44,7 +44,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.11.0"]
+ command: ["--service", "docker", "5.12.0"]
- name: "$TBC_GCP_PROVIDER_IMAGE"
alias: "gcp-auth-provider"
variables:
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index d79473f647548f4d5091eb5f838f4dfed7863b80..5a06bb88dd901acfda8d6789f51ad49e567b4cf3 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.11.0"]
+ command: ["--service", "docker", "5.12.0"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index f12524b8d5af5470048c1f0a3dcefd3f43ba2fc6..6a31be89ff93298a0a7cb33a6d98749361fea79e 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -79,6 +79,9 @@ spec:
build-args:
description: Additional docker/kaniko/buildah build arguments
default: ''
+ push-args:
+ description: Additional docker/buildah `push` arguments (executed right after `build`)
+ default: ''
build-cache-disabled:
description: Disable the build cache
type: boolean
@@ -86,12 +89,12 @@ spec:
metadata:
description: Additional metadata to set as labels
default: >-
- --label org.opencontainers.image.url=${CI_PROJECT_URL}
- --label org.opencontainers.image.source=${CI_PROJECT_URL}
- --label org.opencontainers.image.title=${CI_PROJECT_PATH}
- --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
- --label org.opencontainers.image.revision=${CI_COMMIT_SHA}
- --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
+ --label "org.opencontainers.image.url=${CI_PROJECT_URL}"
+ --label "org.opencontainers.image.source=${CI_PROJECT_URL}"
+ --label "org.opencontainers.image.title=${CI_PROJECT_PATH}"
+ --label "org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}"
+ --label "org.opencontainers.image.revision=${CI_COMMIT_SHA}"
+ --label "org.opencontainers.image.created=${CI_JOB_STARTED_AT}"
publish-args:
description: Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)
default: ''
@@ -318,6 +321,7 @@ variables:
DOCKER_REGISTRY_MIRROR: $[[ inputs.registry-mirror ]]
CONTAINER_REGISTRIES_CONFIG_FILE: $[[ inputs.container-registries-config-file ]]
KANIKO_SNAPSHOT_IMAGE_CACHE: $[[ inputs.kaniko-snapshot-image-cache ]]
+ DOCKER_PUSH_ARGS: $[[ inputs.push-args ]]
DOCKER_HADOLINT_DISABLED: $[[ inputs.hadolint-disabled ]]
DOCKER_HADOLINT_ARGS: $[[ inputs.hadolint-args ]]
DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
@@ -650,9 +654,9 @@ stages:
kaniko_registry_mirror_option="--registry-mirror $(echo ${DOCKER_REGISTRY_MIRROR} | sed "s|^https*://||")"
fi
log_info "Build & deploy image $docker_image"
- log_info "Kaniko command: /kaniko/executor ${TRACE+--verbosity debug} --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*"
+ log_info "Kaniko command: echo $DOCKER_METADATA $DOCKER_BUILD_ARGS $* | xargs /kaniko/executor ${TRACE+--verbosity debug} --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} $kaniko_registry_mirror_option"
# shellcheck disable=SC2086
- /kaniko/executor ${TRACE+--verbosity debug} --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@"
+ echo $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@" | xargs /kaniko/executor ${TRACE+--verbosity debug} --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} $kaniko_registry_mirror_option
}
# Used by containers tools like buildah, skopeo.
@@ -697,7 +701,7 @@ stages:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.11.0"]
+ command: ["--service", "docker", "5.12.0"]
before_script:
- !reference [.docker-scripts]
@@ -733,7 +737,7 @@ stages:
_TRACE: "${TRACE}"
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.11.0"]
+ command: ["--service", "docker", "5.12.0"]
- name: $DOCKER_DIND_IMAGE
alias: docker
command:
@@ -834,8 +838,8 @@ docker-dind-build:
log_info "Build cache enabled; CLI options: ${dind_cache_args}"
fi
# Build using cache if exist
- - docker build --file "$DOCKER_FILE" ${dind_cache_args} --tag $DOCKER_SNAPSHOT_IMAGE --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy" $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)"
- - docker push $DOCKER_SNAPSHOT_IMAGE
+ - echo $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)" | xargs docker build --file "$DOCKER_FILE" ${dind_cache_args} --tag $DOCKER_SNAPSHOT_IMAGE --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
+ - docker push $DOCKER_PUSH_ARGS $DOCKER_SNAPSHOT_IMAGE
# Display the size of each layer
- docker history $DOCKER_SNAPSHOT_IMAGE
# Display the total size of the image
@@ -878,8 +882,8 @@ docker-buildah-build:
log_info "Buildah version:"
buildah version
# build and push image
- - buildah build --file "$DOCKER_FILE" --tag $DOCKER_SNAPSHOT_IMAGE $buildah_cache_args --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy" $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)"
- - buildah push --digestfile .img-digest.txt "$DOCKER_SNAPSHOT_IMAGE"
+ - echo $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)" | xargs buildah build --file "$DOCKER_FILE" --tag $DOCKER_SNAPSHOT_IMAGE $buildah_cache_args --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
+ - buildah push --digestfile .img-digest.txt $DOCKER_PUSH_ARGS "$DOCKER_SNAPSHOT_IMAGE"
# display digest of the resulting image
- cat .img-digest.txt
# create dotenv file