Skip to content
Snippets Groups Projects
Commit ed6b967c authored by girija.saintange's avatar girija.saintange Committed by Pierre Smeyers
Browse files

feat: migrate to CI/CD component

:warning: requires GitLab 16.6 or later
parent 51ad749b
Branches
Tags
No related merge requests found
...@@ -10,7 +10,7 @@ include: ...@@ -10,7 +10,7 @@ include:
file: '/templates/validation.yml' file: '/templates/validation.yml'
- project: 'to-be-continuous/bash' - project: 'to-be-continuous/bash'
ref: '3.3' ref: '3.3'
file: 'templates/gitlab-ci-bash.yml' file: '/templates/gitlab-ci-bash.yml'
- project: 'to-be-continuous/semantic-release' - project: 'to-be-continuous/semantic-release'
ref: '3.7' ref: '3.7'
file: '/templates/gitlab-ci-semrel.yml' file: '/templates/gitlab-ci-semrel.yml'
......
...@@ -7,13 +7,35 @@ security vulnerabilities as early as possible. ...@@ -7,13 +7,35 @@ security vulnerabilities as early as possible.
## Usage ## Usage
In order to include this template in your project, add the following to your `gitlab-ci.yml`: This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
### Use as a CI/CD component
Add the following to your `gitlab-ci.yml`:
```yaml ```yaml
include: include:
# 1: include the component
- component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.1.1
# 2: set/override component inputs
inputs:
host-url: https://sonarqube.acme.host # ⚠ this is only an example
```
### Use as a CI/CD template (legacy)
Add the following to your `gitlab-ci.yml`:
```yaml
include:
# 1: include the template
- project: 'to-be-continuous/sonar' - project: 'to-be-continuous/sonar'
ref: '4.1.1' ref: '4.1.1'
file: '/templates/gitlab-ci-sonar.yml' file: '/templates/gitlab-ci-sonar.yml'
variables:
# 2: set/override template variables
SONAR_HOST_URL: https://sonarqube.acme.host # ⚠ this is only an example
``` ```
## SonarQube analysis job ## SonarQube analysis job
...@@ -22,17 +44,17 @@ This job performs a SonarQube analysis of your code. ...@@ -22,17 +44,17 @@ This job performs a SonarQube analysis of your code.
It is bound to the `test` stage, and uses the following variables: It is bound to the `test` stage, and uses the following variables:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| ------------------------ | ------------------------------- | ----------------------------- | | ------------------------ | ------------------------------- | ----------------------------- |
| `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` | | `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
| `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) | | `host-url` / `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) |
| `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) | | `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) |
| `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) | | `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) |
| :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarqube.org/latest/user-guide/user-token/) (depends on your authentication method) | _none_ | | :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarqube.org/latest/user-guide/user-token/) (depends on your authentication method) | _none_ |
| :lock: `SONAR_LOGIN` | SonarQube login (depends on your authentication method) | _none_ | | :lock: `SONAR_LOGIN` | SonarQube login (depends on your authentication method) | _none_ |
| :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ | | :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ |
| `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | | `base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
| `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._ | _none_ (disabled) | | `quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._ | _none_ (disabled) |
### Automatic Branch Analysis & Merge Request Analysis ### Automatic Branch Analysis & Merge Request Analysis
...@@ -65,11 +87,11 @@ This variant allows delegating your secrets management to a [Vault](https://www. ...@@ -65,11 +87,11 @@ This variant allows delegating your secrets management to a [Vault](https://www.
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- | | ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` | | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL` | The Vault server base API url | _none_ | | `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ |
| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` | | `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
...@@ -83,7 +105,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta ...@@ -83,7 +105,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
With: With:
| Name | Description | | Parameter | Description |
| -------------------------------- | -------------------------------------- | | -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server | | `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | | `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
...@@ -93,19 +115,16 @@ With: ...@@ -93,19 +115,16 @@ With:
```yaml ```yaml
include: include:
# main template # main template
- project: 'to-be-continuous/sonar' - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.1.1
ref: '4.1.1'
file: '/templates/gitlab-ci-sonar.yml'
# Vault variant # Vault variant
- project: 'to-be-continuous/sonar' - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.1.1
ref: '4.1.1' inputs:
file: '/templates/gitlab-ci-sonar-vault.yml' # audience claim for JWT
vault-oidc-aud: "https://vault.acme.host"
vault-base-url: "https://vault.acme.host/v1"
variables: variables:
# audience claim for JWT
VAULT_OIDC_AUD: "https://vault.acme.host"
# Secrets managed by Vault # Secrets managed by Vault
SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token" SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token"
VAULT_BASE_URL: "https://vault.acme.host/v1"
# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
``` ```
...@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then ...@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..." log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
# replace in README # replace in README
sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
mv -f README.md.next README.md mv -f README.md.next README.md
# replace in template and variants # replace in template and variants
for tmpl in templates/*.yml for tmpl in templates/*.yml
do do
sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next" sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
mv -f "$tmpl.next" "$tmpl" mv -f "$tmpl.next" "$tmpl"
done done
else else
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
"description": "Continuously inspect your codebase with [SonarQube](https://www.sonarqube.org/)", "description": "Continuously inspect your codebase with [SonarQube](https://www.sonarqube.org/)",
"template_path": "templates/gitlab-ci-sonar.yml", "template_path": "templates/gitlab-ci-sonar.yml",
"kind": "analyse", "kind": "analyse",
"prefix": "sonar",
"is_component": true,
"variables": [ "variables": [
{ {
"name": "SONAR_SCANNER_IMAGE", "name": "SONAR_SCANNER_IMAGE",
......
logo.png

15.2 KiB | W: | H:

logo.png

18.2 KiB | W: | H:

logo.png
logo.png
logo.png
logo.png
  • 2-up
  • Swipe
  • Onion skin
# ===================================================================================================================== # =====================================================================================================================
# === Vault template variant # === Vault template variant
# ===================================================================================================================== # =====================================================================================================================
spec:
inputs:
vault-base-url:
description: The Vault server base API url
default: ''
vault-oidc-aud:
description: The `aud` claim for the JWT
default: $CI_SERVER_URL
---
variables: variables:
# variabilized vault-secrets-provider image # variabilized vault-secrets-provider image
TBC_VAULT_IMAGE: "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master" TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master
# variables have to be explicitly declared in the YAML to be exported to the service # variables have to be explicitly declared in the YAML to be exported to the service
VAULT_ROLE_ID: "$VAULT_ROLE_ID" VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID" VAULT_SECRET_ID: "$VAULT_SECRET_ID"
VAULT_OIDC_AUD: "$CI_SERVER_URL" VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
sonar: sonar:
services: services:
......
...@@ -14,6 +14,34 @@ ...@@ -14,6 +14,34 @@
# Floor, Boston, MA 02110-1301, USA. # Floor, Boston, MA 02110-1301, USA.
# ========================================================================================= # =========================================================================================
# default workflow rules: Merge Request pipelines # default workflow rules: Merge Request pipelines
spec:
inputs:
scanner-image:
description: The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/)
default: registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest
host-url:
description: SonarQube server url
default: ''
project-key:
description: SonarQube Project Key (might also be set in the `sonar-project.properties` file)
default: ''
project-name:
description: SonarQube Project Name (might also be set in the `sonar-project.properties` file)
default: ''
base-args:
description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
default: >-
-Dsonar.links.homepage=${CI_PROJECT_URL}
-Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
-Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
quality-gate-enabled:
description: |-
Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.
_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._
type: boolean
default: false
---
workflow: workflow:
rules: rules:
# prevent branch pipeline when an MR is open (prefer MR pipeline) # prevent branch pipeline when an MR is open (prefer MR pipeline)
...@@ -56,23 +84,23 @@ workflow: ...@@ -56,23 +84,23 @@ workflow:
variables: variables:
# variabilized tracking image # variabilized tracking image
TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master" TBC_TRACKING_IMAGE: registry.gitlab.com/to-be-continuous/tools/tracking:master
# Sonar # Sonar
SONAR_SCANNER_IMAGE: "registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest" SONAR_SCANNER_IMAGE: $[[ inputs.scanner-image ]]
SONAR_HOST_URL: $[[ inputs.host-url ]]
SONAR_PROJECT_KEY: $[[ inputs.project-key ]]
SONAR_PROJECT_NAME: $[[ inputs.project-name ]]
SONAR_QUALITY_GATE_ENABLED: $[[ inputs.quality-gate-enabled ]]
# Sonar base analysis default args # Sonar base analysis default args
# see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/ # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
# default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/ # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/
SONAR_BASE_ARGS: >- SONAR_BASE_ARGS: $[[ inputs.base-args ]]
-Dsonar.links.homepage=${CI_PROJECT_URL}
-Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
-Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
# default production ref name (pattern) # default production ref name (pattern)
PROD_REF: '/^(master|main)$/' PROD_REF: /^(master|main)$/
# default integration ref name (pattern) # default integration ref name (pattern)
INTEG_REF: '/^develop$/' INTEG_REF: /^develop$/
stages: stages:
- build - build
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment