Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found
Select Git revision

Target

Select target project
  • smartdatalab/public/ci-cd-components/docker
1 result
Select Git revision
Show changes
Commits on Source (24)
include:
- project: 'to-be-continuous/tools/gitlab-ci'
ref: 'master'
file: '/templates/extract.yml'
- project: 'to-be-continuous/tools/gitlab-ci'
ref: 'master'
file: '/templates/validation.yml'
- project: 'to-be-continuous/kicker'
ref: 'master'
file: '/templates/validation.yml'
- project: 'to-be-continuous/bash'
ref: '3.4'
file: '/templates/gitlab-ci-bash.yml'
- project: 'to-be-continuous/semantic-release'
ref: '3.8'
file: '/templates/gitlab-ci-semrel.yml'
- component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/extract@master
inputs:
extract-script-job-tags: ["docker"]
- component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/validation@master
inputs:
check-links-job-tags: ["docker"]
tbc-check-job-tags: ["docker"]
tbc-check-image: registry.gitlab.com/gbenguria/tbc-check:main
gitlab-ci-lint-job-tags: ["docker"]
- component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/kicker/validation@master
inputs:
kicker-validation-job-tags: ["docker"]
schema-base-url: "https://git.code.tecnalia.com/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
- component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/bash/gitlab-ci-bash@master
inputs:
bash-shellcheck-job-tags: ["docker"]
- component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/semantic-release/gitlab-ci-semrel@master
inputs:
semantic-release-job-tags: ["docker"]
stages:
- build
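Review bot: every `component:` include from `git.code.tecnalia.com/smartdatalab/public/ci-cd-components/...` (extract, validation, kicker, bash, semantic-release) is pinned to the mutable `@master` ref, while the upstream `to-be-continuous/bash` and `to-be-continuous/semantic-release` templates right above them are pinned to `'3.4'` and `'3.8'`; likewise `tbc-check-image: registry.gitlab.com/gbenguria/tbc-check:main` pulls a floating tag from a personal namespace. Pin the components to a released tag (or commit SHA) and the tbc-check image to a versioned tag or digest, so the pipeline that validates this template cannot change underneath it.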
......
## [5.10.2](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.1...5.10.2) (2024-05-13)
### Bug Fixes
* **workflow:** disable MR pipeline from prod & integ branches ([6460d7b](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/6460d7bba7a231ff68b163c861a4b40f37ee08bb))
## [5.10.2](https://gitlab.com/to-be-continuous/docker/compare/5.10.1...5.10.2) (2024-05-05)
### Bug Fixes
* **workflow:** disable MR pipeline from prod & integ branches ([6460d7b](https://gitlab.com/to-be-continuous/docker/commit/6460d7bba7a231ff68b163c861a4b40f37ee08bb))
## [5.10.1](https://gitlab.com/to-be-continuous/docker/compare/5.10.0...5.10.1) (2024-04-03)
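Review bot: the changelog now carries two `## [5.10.2]` headings for the same fix, one pointing at the fork (`git.code.tecnalia.com/...`, dated 2024-05-13) and one at upstream (`gitlab.com/to-be-continuous/docker`, dated 2024-05-05), both citing commit 6460d7b. Keep a single 5.10.2 entry, or label the fork entry distinctly, so the release history stays unambiguous.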
......
......@@ -14,7 +14,7 @@ Add the following to your `gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.1
- component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.2
# 2: set/override component inputs
inputs:
build-tool: buildah # ⚠ this is only an example
......@@ -28,7 +28,7 @@ Add the following to your `gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/docker'
ref: '5.10.1'
ref: '5.10.2'
file: '/templates/gitlab-ci-docker.yml'
variables:
......@@ -273,6 +273,7 @@ It is bound to the `build` stage, and uses the following variables:
| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `registry.hub.docker.com/hadolint/hadolint:latest-alpine` |
| `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | _(none)_ |
| `hadolint-job-tags` / `DOCKER_HADOLINT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
......@@ -307,6 +308,9 @@ It is bound to the `package-build` stage, and uses the following variables:
| `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
| `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers (leave empty to use default: snapshot image repository + `/cache`)<br>:warning: Used by the `kaniko` build only | _none_ (default cache path) |
| `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED` | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
| `kaniko-build-job-tags` / `DOCKER_KANIKO_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
......@@ -375,6 +379,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
| `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
| `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check | _(none)_ |
| `healthcheck-job-tags` / `DOCKER_HEALTHCHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
......@@ -405,6 +410,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
| `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
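Review bot: the new variable name `DOCKER_DOCKER_TRIVY_JOB_TAGS` (and, in the later hunks, `DOCKER_DOCKER_SBOM_JOB_TAGS` and `DOCKER_DOCKER_PUBLISH_JOB_TAGS`) has a doubled `DOCKER_DOCKER_` prefix from mechanically prefixing the job name, whereas the sibling rows are `DOCKER_HADOLINT_JOB_TAGS` and `DOCKER_HEALTHCHECK_JOB_TAGS`. Unless the doubled prefix is a deliberate convention, rename to `DOCKER_TRIVY_JOB_TAGS` (and likewise for sbom and publish) and apply the same rename in kicker.json.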
......@@ -424,6 +430,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
| `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
| `docker-sbom-job-tags` / `DOCKER_DOCKER_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
### `docker-publish` job
......@@ -437,6 +444,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
| `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags)) | _(none)_ |
| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (enabled) |
| `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
......
......@@ -33,7 +33,7 @@ if [[ "$curVer" ]]; then
# replace in template and variants
for tmpl in templates/*.yml
do
sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
sed -e "s/command: *\[ *\"--service\", *\"\(.*\)\", *\"$curVer\" *\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
mv -f "$tmpl.next" "$tmpl"
done
else
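Review bot: the whitespace-tolerant regex still captures the service name with a greedy `\(.*\)`, which is harmless on the fixed `command: ["--service", "<name>", "<ver>"]` layout but would swallow extra quoted items if the array ever grows; `\([^\"]*\)` matches exactly one quoted token. Also, `sed ... > "$tmpl.next"` followed by `mv -f "$tmpl.next" "$tmpl"` will overwrite the template with a truncated file if `sed` fails; chain them with `&&` or run the script under `set -e`.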
......
......@@ -120,6 +120,34 @@
"description": "Set to `true` to disable the build cache.",
"type": "boolean",
"advanced": true
},
{
"name": "DOCKER_KANIKO_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "DOCKER_DIND_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "DOCKER_BUILDAH_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "DOCKER_DOCKER_PUBLISH_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
],
"features": [
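Review bot: the four `DOCKER_*_JOB_TAGS` entries are declared here as kicker variables, but the template hunks on this page set `tags: $[[ inputs.kaniko-build-job-tags ]]` from the component input only and never reference `DOCKER_KANIKO_BUILD_JOB_TAGS`; confirm the variable form is actually wired to the job, otherwise the README rows advertise a setting that has no effect for template-style includes.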
......@@ -138,6 +166,13 @@
"name": "DOCKER_HADOLINT_ARGS",
"description": "Additional `hadolint` arguments",
"advanced": true
},
{
"name": "DOCKER_HADOLINT_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -163,6 +198,13 @@
"name": "DOCKER_HEALTHCHECK_CONTAINER_ARGS",
"description": "Arguments sent to the running container for health check",
"advanced": true
},
{
"name": "DOCKER_HEALTHCHECK_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -205,6 +247,13 @@
"name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
"description": "OCI repository to retrieve Trivy Java Database from",
"advanced": true
},
{
"name": "DOCKER_DOCKER_TRIVY_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -223,6 +272,13 @@
"description": "Options for syft used for SBOM analysis",
"default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
"advanced": true
},
{
"name": "DOCKER_DOCKER_SBOM_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
}
......
......@@ -45,7 +45,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.10.1"]
command: ["--service", "docker", "5.10.2"]
- name: "$TBC_AWS_PROVIDER_IMAGE"
alias: "aws-auth-provider"
id_tokens:
......
......@@ -44,7 +44,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.10.1"]
command: ["--service", "docker", "5.10.2"]
- name: "$TBC_GCP_PROVIDER_IMAGE"
alias: "gcp-auth-provider"
variables:
......
......@@ -22,7 +22,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.10.1"]
command: ["--service", "docker", "5.10.2"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
......
......@@ -185,12 +185,48 @@ spec:
sbom-opts:
description: Options for syft used for SBOM analysis
default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
hadolint-job-tags:
description: tags to filter applicable runners for hadolint job
type: array
default: []
kaniko-build-job-tags:
description: tags to filter applicable runners for kaniko build job
type: array
default: []
dind-build-job-tags:
description: tags to filter applicable runners for dind build job
type: array
default: []
buildah-build-job-tags:
description: tags to filter applicable runners for buildah build job
type: array
default: []
healthcheck-job-tags:
description: tags to filter applicable runners for healthcheck job
type: array
default: []
docker-trivy-job-tags:
description: tags to filter applicable runners for docker-trivy job
type: array
default: []
docker-sbom-job-tags:
description: tags to filter applicable runners for docker-sbom job
type: array
default: []
docker-publish-job-tags:
description: tags to filter applicable runners for docker-publish job
type: array
default: []
---
# default workflow rules: Merge Request pipelines
workflow:
rules:
# prevent branch pipeline when an MR is open (prefer MR pipeline)
- if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
# prevent MR pipeline originating from production or integration branch(es)
- if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $PROD_REF || $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $INTEG_REF'
when: never
# on non-prod, non-integration branches: prefer MR pipeline over branch pipeline
- if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
when: never
- if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*tag(,[^],]*)*\]/" && $CI_COMMIT_TAG'
when: never
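Review bot: the pre-change rule `- if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'` carries no `when:`; if it survives alongside the new rules instead of being replaced by them, a branch pipeline with an open MR is allowed by that first matching rule and the `when: never` below it never applies, so confirm it is removed. The new `$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $PROD_REF || ... =~ $INTEG_REF` rule also depends on `$PROD_REF` and `$INTEG_REF` being defined as regex variables before `workflow` is evaluated; note that dependency next to the rule.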
......@@ -661,7 +697,7 @@ stages:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.10.1"]
command: ["--service", "docker", "5.10.2"]
before_script:
- !reference [.docker-scripts]
......@@ -694,7 +730,7 @@ stages:
_TRACE: "${TRACE}"
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.10.1"]
command: ["--service", "docker", "5.10.2"]
- name: $DOCKER_DIND_IMAGE
alias: docker
command:
......@@ -747,6 +783,7 @@ docker-hadolint:
- if: '$DOCKER_HADOLINT_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.hadolint-job-tags ]]
# ==================================================
# Stage: package-build
......@@ -774,6 +811,7 @@ docker-kaniko-build:
- docker.env
rules:
- if: '$DOCKER_BUILD_TOOL == "kaniko"'
tags: $[[ inputs.kaniko-build-job-tags ]]
docker-dind-build:
extends: .docker-dind-base
......@@ -811,6 +849,7 @@ docker-dind-build:
- docker.env
rules:
- if: '$DOCKER_BUILD_TOOL == "dind"'
tags: $[[ inputs.dind-build-job-tags ]]
docker-buildah-build:
extends: .docker-base
......@@ -848,6 +887,7 @@ docker-buildah-build:
- docker.env
rules:
- if: '$DOCKER_BUILD_TOOL == "buildah"'
tags: $[[ inputs.buildah-build-job-tags ]]
# ==================================================
# Stage: package-test
......@@ -915,6 +955,7 @@ docker-healthcheck:
- if: '$DOCKER_BUILD_TOOL != "dind"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.healthcheck-job-tags ]]
# Security audit with trivy
docker-trivy:
......@@ -965,6 +1006,7 @@ docker-trivy:
- if: '$DOCKER_TRIVY_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.docker-trivy-job-tags ]]
docker-sbom:
extends: .docker-base
......@@ -991,6 +1033,7 @@ docker-sbom:
- if: '$DOCKER_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.docker-sbom-job-tags ]]
# ==================================================
# Stage: publish
......@@ -1062,3 +1105,4 @@ docker-publish:
- if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"'
when: manual
- if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"'
tags: $[[ inputs.docker-publish-job-tags ]]
\ No newline at end of file
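Review bot: the final `tags: $[[ inputs.docker-publish-job-tags ]]` line is committed without a trailing newline (`\ No newline at end of file`); add the newline so later appends to `docker-publish` do not produce a noisy diff.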