diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 105784d85b11f231e4f6b2b3a7236f85673d9629..022e37b10d723ef5de62a334eae0aa9992dc71b3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,9 +5,9 @@ variables: GOLANG_VERSION: "1.16" stages: - - .pre - build - test + - analyze - apply - integration-test - deploy
@@ -15,11 +15,17 @@ stages: workflow: rules: - - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + - if: '$CI_PIPELINE_SOURCE == "push" && $CI_OPEN_MERGE_REQUESTS' when: never - - when: always + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + when: always + - if: '$CI_PIPELINE_SOURCE == "push"' + when: always + - if: '$CI_PIPELINE_SOURCE == "schedule"' + when: always include: + - local: '/.gitlab/ci/.ruleset.yml' - local: '/.gitlab/ci/.build-container.yml' - local: '/.gitlab/ci/.code-quality-ci.yml' - local: '/.gitlab/ci/.security-and-compliance-ci.yml'
diff --git a/.gitlab/ci/.build-container.yml b/.gitlab/ci/.build-container.yml
index 99c7cb1e20520343f459e89396936463537e2d84..80fa497ed33299d437a6b41cb8b8680f4497e8ab 100644
--- a/.gitlab/ci/.build-container.yml
+++ b/.gitlab/ci/.build-container.yml
@@ -5,6 +5,14 @@ entrypoint: [ "" ] variables: TAG: $CI_COMMIT_BRANCH + before_script: + # replace all slashes in the tag with hyphen, because slashes are not allowed in tags + - TAG=${TAG//\//-} + - mkdir -p /kaniko/.docker + - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"},\"$CI_DEPENDENCY_PROXY_SERVER\":{\"username\":\"$CI_DEPENDENCY_PROXY_USER\",\"password\":\"$CI_DEPENDENCY_PROXY_TOKEN\"}}}" > /kaniko/.docker/config.json + needs: [] + +build-testing-image: rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH variables:
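Review bot: The new `workflow:rules` list has no fall-through entry, so pipelines whose `$CI_PIPELINE_SOURCE` is `web`, `api`, `trigger` or `pipeline` are silently not created; only push, merge_request_event and schedule get through. If that is deliberate it deserves a comment above the list, e.g. `# Only push, MR and scheduled pipelines run; web/API/trigger sources are intentionally excluded`, otherwise append `- when: always` as the last rule. The first rule relies on `$CI_OPEN_MERGE_REQUESTS` being present only while the pushed branch has an open MR, which matches how GitLab documents that variable, so the duplicate-pipeline guard itself looks right.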
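Review bot: The registry credentials written to `/kaniko/.docker/config.json` in the added `before_script` use `$CI_DEPENDENCY_PROXY_TOKEN`, which is not one of GitLab's predefined dependency-proxy variables (those are `CI_DEPENDENCY_PROXY_USER` and `CI_DEPENDENCY_PROXY_PASSWORD`), so unless the project defines it itself the proxy entry carries an empty password and kaniko's base-image pull through the proxy is unauthenticated. Suggested change: `\"password\":\"$CI_DEPENDENCY_PROXY_PASSWORD\"`. The same `echo` also interpolates both passwords straight into a JSON literal, so a password containing `"` or `\` yields an unparsable file; the `auth` field holding a base64 of `user:password` avoids that. The template this `before_script` is added to starts above the hunk.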
@@ -13,9 +21,10 @@ variables: TAG: develop BUILDARGS: -race - - when: always + - !reference [.push_event, rules] + - !reference [.merge_request, rules] before_script: - # replace all slashes in the tag with hyphen, because slashes are not allowed in tags + # replace all slashes in the tag with hyphen, because slashes are not allowed in tags - TAG=${TAG//\//-} - mkdir -p /kaniko/.docker - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" >/kaniko/.docker/config.json
@@ -29,11 +38,23 @@ build-testing-image: --dockerfile "Dockerfile" --build-arg "GOLANG_VERSION=$GOLANG_VERSION" --build-arg "BUILDARGS=$BUILDARGS" + --build-arg "GITLAB_PROXY=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/" --destination "$GOSDN_TESTING_IMAGE" --target "installer" <<: *build build-image: + rules: + - if: '$CI_PIPELINE_SOURCE != "merge_request_event"' + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + variables: + TAG: latest + - if: $CI_COMMIT_BRANCH == "develop" + variables: + TAG: develop + BUILDARGS: -race + - when: always script: - /kaniko/executor --cache=true
@@ -41,6 +62,9 @@ build-image: --dockerfile "Dockerfile" --build-arg "GOLANG_VERSION=$GOLANG_VERSION" --build-arg "BUILDARGS=$BUILDARGS" + --build-arg "GITLAB_PROXY=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/" --destination "$GOSDN_IMAGE" --destination "$CI_REGISTRY_IMAGE:$TAG" <<: *build + + #--build-arg "GITLAB_PROXY=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/"
diff --git a/.gitlab/ci/.code-quality-ci.yml b/.gitlab/ci/.code-quality-ci.yml
index dec181fcd6a0a091a2a368409530dedf2ed10316..bc283cf53753be249af8cb856bb0c0c75ca9a182 100644
--- a/.gitlab/ci/.code-quality-ci.yml
+++ b/.gitlab/ci/.code-quality-ci.yml
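Review bot: `build-testing-image` keeps its own `before_script`, and because an explicit key wins over the `<<: *build` merge, the template's new `before_script` with the dependency-proxy credentials is not applied to this job; the `config.json` it writes contains only the `$CI_REGISTRY` entry, while the next hunk makes the same job pass `GITLAB_PROXY` to the Dockerfile, so the base-image pull through the proxy may run without credentials. Dropping the job-level `before_script` (and the duplicated comment) lets the template version take effect. The only other change in this block, the re-indented comment, is whitespace. The job's mapping starts above the hunk.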
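Review bot: The new `build-image` rules restrict the job to merge-request pipelines, but `$CI_COMMIT_BRANCH` is not set in merge-request pipelines, so neither branch condition can match and the job always falls through to `- when: always` with `TAG` still expanding to the empty `$CI_COMMIT_BRANCH`; `--destination "$CI_REGISTRY_IMAGE:$TAG"` then ends in a bare colon, which kaniko rejects, if I read the predefined-variable availability right. Deriving the tag from the ref instead, `TAG: $CI_COMMIT_REF_NAME` (the MR source branch in these pipelines), gives every MR build a valid tag, and the `latest`/`develop` overrides would then belong with push-pipeline rules. The `--build-arg "GITLAB_PROXY=..."` added to `build-testing-image` at the top of the hunk only works if the Dockerfile declares `ARG GITLAB_PROXY` by that exact name; see the Dockerfile hunk.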
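Review bot: The commented-out `#--build-arg "GITLAB_PROXY=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/"` appended after `<<: *build` in `build-image` is a leftover of the line added above it and should be deleted, together with the two blank lines that precede it; a dead comment at the end of a job reads like an intentional toggle to the next maintainer.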
@@ -1,6 +1,6 @@ code-quality: - image: golangci/golangci-lint:latest-alpine - stage: test + image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/golangci/golangci-lint:latest-alpine + stage: analyze script: # writes golangci-lint output to gl-code-quality-report.json - golangci-lint run --config .gitlab/ci/.golangci-config/.golangci.yml --out-format code-climate | tee gl-code-quality-report.json
@@ -9,5 +9,6 @@ code-quality: codequality: gl-code-quality-report.json paths: - gl-code-quality-report.json + rules: + - !reference [.merge_request, rules] needs: [] - \ No newline at end of file
diff --git a/.gitlab/ci/.containerlab-ci.yml b/.gitlab/ci/.containerlab-ci.yml
index c3df1abacca1c42ba1feb8eaf4a0803b656c2ecd..3fde1f9e80ce86d669faedf3c4b790bd8c13d644 100644
--- a/.gitlab/ci/.containerlab-ci.yml
+++ b/.gitlab/ci/.containerlab-ci.yml
@@ -5,6 +5,10 @@ variables: # Templates for Job Types .containerlab_deploy: &containerlab_deploy stage: apply + rules: + - if: '$CI_PIPELINE_SOURCE != "merge_request_event"' + when: never + - when: on_success tags: - shell before_script:
@@ -16,8 +20,12 @@ variables: - docker pull ${CEOS_IMAGE} .containerlab_template: &containerlab_template - image: alpine:latest + image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine:latest stage: build + rules: + - if: '$CI_PIPELINE_SOURCE != "merge_request_event"' + when: never + - when: on_success before_script: - export PATH="${PATH}:${CI_PROJECT_DIR}/.gitlab/ci/scripts" - firstOctet=$(generate_octet.sh $CI_COMMIT_SHA)
@@ -35,6 +43,8 @@ variables: name: ${CLAB_NAME} paths: - ${CLAB_NAME}.clab.yml + rules: + - !reference [.merge_request, rules] # JOBS containerlab:template:integration:
@@ -58,9 +68,16 @@ containerlab:deploy:integration: artifacts: reports: dotenv: ${CI_PROJECT_DIR}/build.env + rules: + - !reference [.merge_request, rules] + containerlab:destroy: + rules: + - if: '$CI_PIPELINE_SOURCE != "merge_request_event"' + when: never + - when: always stage: .post tags: - shell
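Review bot: The `image:` line still resolves `golangci/golangci-lint:latest-alpine`, now through the dependency proxy, so every MR lint run floats with whatever upstream last pushed; a mutable tag for a tool that parses the whole source tree makes results non-reproducible and widens the supply chain. Pin to a release tag, and ideally a digest, e.g. `image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/golangci/golangci-lint:<VERSION>-alpine` with `<VERSION>` being the release the team validates. The same applies to `alpine:latest` in `.containerlab-ci.yml` and `bitnami/kubectl:latest` in `.deploy-k8s.yml` further down this diff.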
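Review bot: `containerlab:destroy` ends up with two `rules:` keys: the block added at the top of the job here (`when: never` outside MR pipelines, then `when: always`) and the one that replaces the job-level `when: always` at the bottom of the job in the next hunk (`- !reference [.containerlab_cleanup, rules]`); duplicate keys are invalid YAML and most loaders, GitLab's included as far as I know, silently keep the last one, so one of the two is discarded. Since `.containerlab_cleanup` already encodes the MR-only, always-run semantics, drop the inline block here and keep the single `!reference`. The template-level `rules:` added to `.containerlab_deploy` and `.containerlab_template` in the first two hunks are likewise overridden by every job that sets its own `rules:`, which is harmless but worth a comment so nobody expects them to apply.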
@@ -72,7 +89,8 @@ containerlab:destroy: - docker volume rm -f ${CLAB_NAME}-volume - docker image rm -f ${GOSDN_IMAGE} allow_failure: true - when: always + rules: + - !reference [.containerlab_cleanup, rules] #containerlab:template:develop:
diff --git a/.gitlab/ci/.deploy-k8s.yml b/.gitlab/ci/.deploy-k8s.yml
index bac4bcbbe1e466d32866bdef4690632cdf451121..e2d8e52baae3834784bfd8cbe1a36f38d699b3bd 100644
--- a/.gitlab/ci/.deploy-k8s.yml
+++ b/.gitlab/ci/.deploy-k8s.yml
@@ -1,6 +1,6 @@ build:k8s-bot: stage: build - image: golang:$GOLANG_VERSION + image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/golang:$GOLANG_VERSION rules: - if: $CI_COMMIT_BRANCH == "develop" - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
@@ -14,7 +14,7 @@ build:k8s-bot: .deploy: &deploy image: - name: bitnami/kubectl:latest + name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/bitnami/kubectl:latest entrypoint: [""] before_script: - echo "override global before script"
diff --git a/.gitlab/ci/.integration-test.yml b/.gitlab/ci/.integration-test.yml
index ef542259e7e7e2acd2ef8119cea98e2cf7eabefb..cf304933eefed8cc616381afd6ffff9670791c2e 100644
--- a/.gitlab/ci/.integration-test.yml
+++ b/.gitlab/ci/.integration-test.yml
@@ -1,6 +1,10 @@ .integration-test: &integration-test image: $GOSDN_TESTING_IMAGE stage: integration-test + rules: + - if: '$CI_PIPELINE_SOURCE != "merge_request_event"' + when: never + - when: on_success needs: - job: "containerlab:deploy:integration" tags:
@@ -22,6 +26,8 @@ integration-test:nucleus: - go test -race -v -run TestGnmi_GetIntegration - go test -race -v -run TestGnmi_SubscribeIntegration - go test -race -v -run TestGnmi_CapabilitiesIntegration + rules: + - !reference [.merge_request, rules] integration-test:api: <<: *integration-test
@@ -30,3 +36,5 @@ integration-test:api: script: - cd ./api - go test -race -v -run TestApiIntegration + rules: + - !reference [.merge_request, rules]
diff --git a/.gitlab/ci/.ruleset.yml b/.gitlab/ci/.ruleset.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9fbb10f0fc72f9b36353618e5dca997934a645e8
--- /dev/null
+++ b/.gitlab/ci/.ruleset.yml
@@ -0,0 +1,37 @@ +.push_event: + rules: + - if: '$CI_PIPELINE_SOURCE == "push"' + when: on_success + +.merge_request: + rules: + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + when: on_success + +.containerlab_cleanup: + rules: + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + when: always + +.merge_request_and_changed_dependency: + rules: + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + changes: + - go.mod + - go.sum + when: always + +.nightly_pipeline: + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule"' + when: always + +.nightly_develop_pipeline: + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_NIGHTLY == "develop"' + when: always + +.nightly_main_pipeline: + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_NIGHTLY == "mainline"' + when: always
diff --git a/.gitlab/ci/.security-and-compliance-ci.yml b/.gitlab/ci/.security-and-compliance-ci.yml
index 3e98b739e62763538a6e6fe0d5bcf9259b91fbbd..6157fbe9f352bec93876192923e95aae7482ea75 100644
--- a/.gitlab/ci/.security-and-compliance-ci.yml
+++ b/.gitlab/ci/.security-and-compliance-ci.yml
@@ -1,3 +1,11 @@ +.rules: &rules + stage: analyze + rules: + - if: '$CI_PIPELINE_SOURCE != "merge_request_event"' + when: never + - when: always + needs: [] + sast: variables: SAST_ANALYZER_IMAGE_TAG: '2'
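Review bot: The new ruleset has no header explaining the conventions it introduces, and `$CI_NIGHTLY` in `.nightly_develop_pipeline`/`.nightly_main_pipeline` is not a GitLab predefined variable, so a reader cannot tell where `develop` and `mainline` come from; presumably they are set on the scheduled-pipeline definitions. A comment at the top stating that each hidden job is consumed via `!reference [<name>, rules]`, plus `# $CI_NIGHTLY is set per schedule in CI/CD > Schedules (develop | mainline)` above the two nightly variants, would make the file self-describing. `.merge_request_and_changed_dependency` also uses `when: always`, which runs the consuming job even after an earlier stage failed, while the other MR rules use `on_success`; if that asymmetry is intended, say so in a comment.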
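Review bot: The `.rules: &rules` template (MR-only `rules`, `stage: analyze`, `needs: []`) is not consumed anywhere in this diff, and `container_scanning` in the next hunk re-declares the same `stage` and rule pair inline rather than using `<<: *rules` or `!reference [.rules, rules]`; either apply the template there or drop it, unless something outside the diff aliases it. Its generic name also overlaps in intent with the per-source hidden jobs in `.ruleset.yml`, so a more specific name such as `.mr_analyze` would avoid confusion.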
@@ -8,3 +16,34 @@ include: - template: Security/SAST.gitlab-ci.yml - template: Dependency-Scanning.gitlab-ci.yml - template: Security/License-Scanning.gitlab-ci.yml + # - template: Security/Secret-Detection.gitlab-ci.yml + - template: Security/Container-Scanning.gitlab-ci.yml + +license_scanning: + rules: + - !reference [.merge_request_and_changed_dependency, rules] + +gemnasium-dependency_scanning: + rules: + - !reference [.merge_request_and_changed_dependency, rules] + +gosec-sast: + rules: + - !reference [.nightly_pipeline, rules] + +semgrep-sast: + rules: + - !reference [.nightly_pipeline, rules] + +container_scanning: + stage: analyze + rules: + - if: '$CI_PIPELINE_SOURCE != "merge_request_event"' + when: never + - when: always + variables: + DOCKER_IMAGE: "${GOSDN_IMAGE}" + DOCKER_USER: "${CI_REGISTRY_USER}" + DOCKER_PASSWORD: "${CI_REGISTRY_PASSWORD}" + needs: + - build-image
diff --git a/.gitlab/ci/.test.yml b/.gitlab/ci/.test.yml
index 68b22dc6fd23a977476696aa803b78c1710a4adf..738560c401bd92eff06e30036b2fee3a0ad2c693 100644
--- a/.gitlab/ci/.test.yml
+++ b/.gitlab/ci/.test.yml
@@ -1,6 +1,8 @@ .test: &test image: $GOSDN_TESTING_IMAGE stage: test + rules: + - when: on_success variables: GOSDN_LOG: "nolog" GOSDN_CHANGE_TIMEOUT: "100ms"
@@ -19,8 +21,20 @@ unit-test: after_script: - go tool cover -func=coverage.out <<: *test + rules: + - !reference [.push_event, rules] + - !reference [.merge_request, rules] controller-test: script: - gotestsum --junitfile report.xml --format testname -- -race -v -run TestRun <<: *test + rules: + - !reference [.merge_request, rules] + +test-build: + artifacts: + when: never + script: + - GOOS=linux go build $BUILDARGS ./cmd/gosdn + <<: *test
diff --git a/.gitlab/ci/.uml-autogen-ci.yml b/.gitlab/ci/.uml-autogen-ci.yml
index cd7db4c9dceb8716b47f27401b940159157b26d3..adaf8c99dc09056b5183d0177e7c3e7dfaf6a5b3 100644
--- a/.gitlab/ci/.uml-autogen-ci.yml
+++ b/.gitlab/ci/.uml-autogen-ci.yml
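Review bot: `license_scanning` and `gemnasium-dependency_scanning` now run only on merge requests that touch `go.mod`/`go.sum`, and no scheduled rule covers them, so a vulnerability published against an already-pinned module is never reported until someone happens to edit the module files; SAST, conversely, runs only on the nightly schedule and so never shows up on an MR. Adding `- !reference [.nightly_pipeline, rules]` to both dependency jobs keeps a daily scan of the unchanged dependency set, and the MR-versus-nightly split deserves a comment, since the MR security widget will be empty for SAST. The `Security/Secret-Detection.gitlab-ci.yml` include is commented out with no reason given; if it is disabled on purpose, state why in that comment, otherwise enable it, as it is the cheapest of these scanners. The `container_scanning` variables follow the pattern GitLab documents for that template, so that part looks right.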
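Review bot: `test-build` inherits `rules: - when: on_success` from `.test`, so it also runs in scheduled pipelines, where `build-testing-image` does not (its rules are push and merge_request only); if `$GOSDN_TESTING_IMAGE` is tagged per commit or branch, the nightly `test-build` would try to pull an image that was never built for that ref. Give it explicit rules like its siblings, `rules:` with `- !reference [.push_event, rules]` and `- !reference [.merge_request, rules]`, or make sure the image tag is one the nightly pipeline can resolve. The `GOOS=linux go build $BUILDARGS ./cmd/gosdn` line duplicates the `RUN` in the Dockerfile; a one-line comment such as `# fast compile check, independent of the kaniko build` would make the job's purpose clear.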
@@ -1,5 +1,5 @@ goplantuml: - image: golang:$GOLANG_VERSION + image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/golang:$GOLANG_VERSION stage: .post only: - develop
diff --git a/Dockerfile b/Dockerfile
index 48ab0f161f61439459a792aac584ee7c82132630..b583530d460522d176b4899f774ef7e73c546f80 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,8 @@ ARG GOLANG_VERSION=1.16 ARG BUILDARGS +ARG $GITLAB_PROXY -FROM golang:$GOLANG_VERSION-buster AS installer +FROM ${GITLAB_PROXY}golang:$GOLANG_VERSION-buster AS installer WORKDIR /src/gosdn COPY go.* ./
@@ -13,7 +14,7 @@ COPY . ./ RUN GOOS=linux go build $BUILDARGS ./cmd/gosdn -FROM debian:bullseye +FROM ${GITLAB_PROXY}debian:bullseye EXPOSE 8080 EXPOSE 55055 COPY --from=builder /src/gosdn/gosdn .
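Review bot: `ARG $GITLAB_PROXY` declares the build argument under the expansion of `$GITLAB_PROXY`, which is empty when the Dockerfile is parsed, rather than under the name `GITLAB_PROXY`; depending on the builder this is a parse error, and otherwise the `--build-arg GITLAB_PROXY=...` passed by the CI jobs is ignored and `${GITLAB_PROXY}` in both `FROM` lines (this hunk and the `debian:bullseye` one below) expands to nothing, so the images are silently pulled from Docker Hub again. The line should read `ARG GITLAB_PROXY` (or `ARG GITLAB_PROXY=""` to make the empty default explicit). Declaring it before the first `FROM` is correct, since that is the only scope in which `FROM` can see it.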