Added: nightly pipeline.

2021-01-25 18:51:08 +01:00 · 2021-01-25 18:51:08 +01:00 · bd19c1a15b
parent 08e090abc5
commit bd19c1a15b
3 changed files with 102 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,13 @@
+image: alpine:latest
+
+variables:
+  DOCKER_DRIVER: overlay2
+  DOCKER_HOST: tcp://localhost:2375/
+
+stages:
+  - build
+  - test
+
+include:
+  - local: '/.gitlab-ci/Jobs/build_image.yml'
+  - local: '/.gitlab-ci/Jobs/container_security_scan.yml'
--- a/.gitlab-ci/Jobs/build_image.yml
+++ b/.gitlab-ci/Jobs/build_image.yml
@ -0,0 +1,30 @@
+.passbolt-prerelease:
+  stage: build
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  script:
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+    - |
+      echo "********************************************"
+      echo "Build details"
+      echo "============================================"
+      echo "Flavour ${PASSBOLT_FLAVOUR:-local}"
+      echo "Commit  ${UPSTREAM_COMMIT_SHA:-latest}"
+      echo "********************************************"
+    - |
+      /kaniko/executor --context $CI_PROJECT_DIR \
+        --build-arg PASSBOLT_PKG="passbolt-$PASSBOLT_FLAVOUR-server" \
+        --build-arg PASSBOLT_REPO_URL="https://download.passbolt.com/$PASSBOLT_FLAVOUR/debian" \
+        --build-arg PASSBOLT_COMPONENT="$COMPONENT" \
+        --dockerfile $CI_PROJECT_DIR/debian/Dockerfile \
+        --destination $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR:-local}-$(date +%s)
+
+prerelease-pro:
+  extends: .passbolt-prerelease
+  variables:
+    PASSBOLT_URL: "https://gitlab.com/api/v4/projects/$UPSTREAM_PROJECT_ID/repository/archive.tar.gz?sha=$UPSTREAM_COMMIT_SHA"
+    PASSBOLT_CURL_HEADERS: "PRIVATE-TOKEN: $PRIVATE_TOKEN"
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "develop"'
+      when: on_success
--- a/.gitlab-ci/Jobs/container_security_scan.yml
+++ b/.gitlab-ci/Jobs/container_security_scan.yml
@ -0,0 +1,59 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
+
+container_scanning:
+  stage: test
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+    # Defining two new variables based on GitLab's CI/CD predefined variables
+    # https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
+    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE
+    # Prior to this, you need to have the Container Registry running for your project and setup a build job
+    # with at least the following steps:
+    #
+    # docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
+    # docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
+    #
+    # Container Scanning deals with Docker images only so no need to import the project's Git repository:
+    GIT_STRATEGY: none
+    # Services and containers running in the same Kubernetes pod are all sharing the same localhost address
+    # https://docs.gitlab.com/runner/executors/kubernetes.html
+    DOCKER_SERVICE: localhost
+    DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
+    # https://hub.docker.com/r/arminc/clair-local-scan/tags
+    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
+  allow_failure: true
+  services:
+    - docker:18-dind
+  script:
+    - export CI_APPLICATION_TAG=${PASSBOLT_FLAVOUR:-local}-${UPSTREAM_COMMIT_SHA:-latest}
+    - echo "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
+    - if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi
+    - |
+      if [[ -n "$CI_REGISTRY_USER" ]]; then
+        echo "Logging to GitLab Container Registry with CI credentials..."
+        docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
+        echo ""
+      fi
+    - docker run -d --name db arminc/clair-db:latest
+    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
+    - apk add -U wget ca-certificates
+    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
+    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+    - mv clair-scanner_linux_amd64 clair-scanner
+    - chmod +x clair-scanner
+    - touch clair-whitelist.yml
+    - retries=0
+    - echo "Waiting for clair daemon to start"
+    - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+    - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml -t Medium ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  dependencies: []
+  only:
+    refs:
+      - branches
+  except:
+    variables:
+      - $CONTAINER_SCANNING_DISABLED