Commit 60f2c3f6 authored by Pierre Smeyers's avatar Pierre Smeyers Committed by Cédric OLIVIER

feat: migrate to GitLab CI/CD component

parent b8b40b73
...@@ -10,7 +10,7 @@ include: ...@@ -10,7 +10,7 @@ include:
file: '/templates/validation.yml' file: '/templates/validation.yml'
- project: 'to-be-continuous/bash' - project: 'to-be-continuous/bash'
ref: '3.3' ref: '3.3'
file: 'templates/gitlab-ci-bash.yml' file: '/templates/gitlab-ci-bash.yml'
- project: 'to-be-continuous/semantic-release' - project: 'to-be-continuous/semantic-release'
ref: '3.7' ref: '3.7'
file: '/templates/gitlab-ci-semrel.yml' file: '/templates/gitlab-ci-semrel.yml'
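Review bot: the `file:` path correction for the `to-be-continuous/bash` include (`'templates/gitlab-ci-bash.yml'` becomes `'/templates/gitlab-ci-bash.yml'`) is a bug fix unrelated to the component migration named in the commit message; either mention it in the commit message or split it into its own commit so the history stays traceable. The fix itself is right: the neighbouring includes in the same block all use the leading-slash form.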
...@@ -4,13 +4,36 @@ This project implements a GitLab CI/CD template to build, check and inspect your ...@@ -4,13 +4,36 @@ This project implements a GitLab CI/CD template to build, check and inspect your
## Usage ## Usage
In order to include this template in your project, add the following to your `.gitlab-ci.yml` : This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration)
or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
### Use as a CI/CD component
Add the following to your `gitlab-ci.yml`:
```yaml ```yaml
include: include:
# 1: include the component
- component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
# 2: set/override component inputs
inputs:
build-tool: buildah # ⚠ this is only an example
```
### Use as a CI/CD template (legacy)
Add the following to your `gitlab-ci.yml`:
```yaml
include:
# 1: include the template
- project: 'to-be-continuous/docker' - project: 'to-be-continuous/docker'
ref: '5.7.1' ref: '5.7.1'
file: '/templates/gitlab-ci-docker.yml' file: '/templates/gitlab-ci-docker.yml'
variables:
# 2: set/override template variables
DOCKER_BUILD_TOOL: buildah # ⚠ this is only an example
``` ```
## Understanding the Docker template ## Understanding the Docker template
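Review bot: the two usage snippets pin different versions: the component example uses `gitlab-ci-docker@5.7.0` while the legacy include uses `ref: '5.7.1'`; use the same version in both (the one this commit is released as) so a reader copying either snippet gets the same template. Also, both new "Add the following to your `gitlab-ci.yml`" lines dropped the leading dot that the original sentence had (`.gitlab-ci.yml`).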
...@@ -33,19 +56,19 @@ select an alternate build tool by using the `DOCKER_BUILD_TOOL` variable (see be ...@@ -33,19 +56,19 @@ select an alternate build tool by using the `DOCKER_BUILD_TOOL` variable (see be
The Docker template uses some global configuration used throughout all jobs. The Docker template uses some global configuration used throughout all jobs.
| Name | Description | Default value | | Input / Variable | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- | | --------------------- | -------------------------------------- | ----------------- |
| `DOCKER_BUILD_TOOL` | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind` | `kaniko` | | `build-tool` / `DOCKER_BUILD_TOOL` | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind` | `kaniko` |
| `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) | | `kaniko-image` / `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
| `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable` | | `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable` |
| `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest` | | `image` / `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest` |
| `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind` | | `dind-image` / `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind` |
| `DOCKER_FILE` | The path to your `Dockerfile` | `./Dockerfile` | | `file` / `DOCKER_FILE` | The path to your `Dockerfile` | `Dockerfile` |
| `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ | | `context-path` / `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ |
In addition to this, the template supports _standard_ Linux proxy variables: In addition to this, the template supports _standard_ Linux proxy variables:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| --------------------- | ------------------------------------------- | ------------- | | --------------------- | ------------------------------------------- | ------------- |
| `http_proxy` | Proxy used for http requests | _none_ | | `http_proxy` | Proxy used for http requests | _none_ |
| `https_proxy` | Proxy used for https requests | _none_ | | `https_proxy` | Proxy used for https requests | _none_ |
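Review bot: the default for `file` / `DOCKER_FILE` changes from `./Dockerfile` to `Dockerfile` in this hunk, which is a behavioural detail rather than a wording change; confirm it matches the component's `spec:inputs` default so the two usage paths do not diverge. Minor: the proxy table header becomes `Input / Variable` although `http_proxy` and `https_proxy` have no input counterpart listed; `Variable` is the accurate header there.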
...@@ -72,10 +95,10 @@ In practice: ...@@ -72,10 +95,10 @@ In practice:
The **snapshot** and **release** images are defined by the following variables: The **snapshot** and **release** images are defined by the following variables:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| ------------------------- | --------------------- | ------------------------------------------------- | | ------------------------- | --------------------- | ------------------------------------------------- |
| `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` | | `snapshot-image` / `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
| `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` | | `release-image` / `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
As you can see, the Docker template is configured by default to use the GitLab container registry. As you can see, the Docker template is configured by default to use the GitLab container registry.
You may perfectly override this and use another Docker registry, but be aware of a few things: You may perfectly override this and use another Docker registry, but be aware of a few things:
...@@ -98,7 +121,7 @@ If you use the **same registry** for both snapshot and release images, you shall ...@@ -98,7 +121,7 @@ If you use the **same registry** for both snapshot and release images, you shall
variables: variables:
| Name | Description | | Input / Variable | Description |
| -------------------------------- | -------------------------------------- | | -------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry | | :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry |
| :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry | | :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry |
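Review bot: the header is renamed to `Input / Variable`, but the rows `DOCKER_REGISTRY_USER` / `DOCKER_REGISTRY_PASSWORD` (marked :lock:) remain variable-only, which is the right call: component inputs are written into the committed `.gitlab-ci.yml` and must never carry credentials. Keep the header as `Variable` for this secrets table, or add a sentence stating that credentials are deliberately not exposed as inputs, so nobody goes looking for a `registry-password` input.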
...@@ -107,7 +130,7 @@ variables: ...@@ -107,7 +130,7 @@ variables:
If you use **different registries** for snapshot and release images, you shall use separate configuration variables: If you use **different registries** for snapshot and release images, you shall use separate configuration variables:
| Name | Description | | Input / Variable | Description |
| ---------------------------------------- | -------------------------------------- | | ---------------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_SNAPSHOT_USER` | Docker registry username for snapshot image registry | | :lock: `DOCKER_REGISTRY_SNAPSHOT_USER` | Docker registry username for snapshot image registry |
| :lock: `DOCKER_REGISTRY_SNAPSHOT_PASSWORD`| Docker registry password for snapshot image registry | | :lock: `DOCKER_REGISTRY_SNAPSHOT_PASSWORD`| Docker registry password for snapshot image registry |
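Review bot: `DOCKER_REGISTRY_SNAPSHOT_USER` / `DOCKER_REGISTRY_SNAPSHOT_PASSWORD` are :lock: secrets with no input counterpart in the rows, so the new `Input / Variable` header overstates what the table offers; `Variable` fits, ideally with a one-line reminder that these belong in masked project or group CI/CD variables rather than in the YAML.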
...@@ -128,9 +151,9 @@ If you are in one of those cases, you will need to use the `DOCKER_CONFIG_FILE` ...@@ -128,9 +151,9 @@ If you are in one of those cases, you will need to use the `DOCKER_CONFIG_FILE`
* leave the default value (`.docker/config.json`) or override it to some alternate location in your project repository and create the file **without any secret in it** using our dynamic variables replacement (see below), * leave the default value (`.docker/config.json`) or override it to some alternate location in your project repository and create the file **without any secret in it** using our dynamic variables replacement (see below),
* or override it as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types), possibly inlining your secret credentials in it. * or override it as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types), possibly inlining your secret credentials in it.
| Name | Description | Default value | | Input / Variable | Description | Default value |
| ------------------------- | --------------------- | ------------------------------------------------- | | ------------------------- | --------------------- | ------------------------------------------------- |
| `DOCKER_CONFIG_FILE` | Path to the Docker configuration file (JSON) | `.docker/config.json` | | `config-file` / `DOCKER_CONFIG_FILE` | Path to the Docker configuration file (JSON) | `.docker/config.json` |
Moreover, this file supports **dynamic environment variables replacement**. Moreover, this file supports **dynamic environment variables replacement**.
That means it may contain references to other environment variables (in the format `${variable_name}`) that will be dynamically replaced That means it may contain references to other environment variables (in the format `${variable_name}`) that will be dynamically replaced
...@@ -245,11 +268,11 @@ This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Docker ...@@ -245,11 +268,11 @@ This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Docker
It is bound to the `build` stage, and uses the following variables: It is bound to the `build` stage, and uses the following variables:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| -------------------------- | -------------------------------------- | --------------------------------------- | | -------------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ | | `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
| `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `registry.hub.docker.com/hadolint/hadolint:latest-alpine` | | `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `registry.hub.docker.com/hadolint/hadolint:latest-alpine` |
| `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | _(none)_ | | `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | _(none)_ |
In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository. In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
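Review bot: the unchanged sentence closing this hunk still tells readers to add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable only; now that the table lists `hadolint-args` as the input form, say that component users set the same value through that input, otherwise the two halves of the section contradict each other.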
...@@ -276,18 +299,18 @@ This job builds the image and publishes it to the _snapshot_ repository. ...@@ -276,18 +299,18 @@ This job builds the image and publishes it to the _snapshot_ repository.
It is bound to the `package-build` stage, and uses the following variables: It is bound to the `package-build` stage, and uses the following variables:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `DOCKER_BUILD_ARGS` | Additional `docker/kaniko/buildah` `build` arguments | _(none)_ | | `build-args` / `DOCKER_BUILD_ARGS` | Additional `docker/kaniko/buildah` `build` arguments | _(none)_ |
| `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) <br>:warning: Used by the `kaniko` and `dind` options only | _(none)_ | | `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) <br>:warning: Used by the `kaniko` and `dind` options only | _(none)_ |
| `CONTAINER_REGISTRIES_CONFIG_FILE` | The [`registries.conf`](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used<br>:warning: Used by the `buildah` build only | _(none)_ | | `container-registries-config-file` / `CONTAINER_REGISTRIES_CONFIG_FILE` | The [`registries.conf`](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used<br>:warning: Used by the `buildah` build only | _(none)_ |
| `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification | | `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
| `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers<br>:warning: Used by the `kaniko` build only | `${DOCKER_SNAPSHOT_IMAGE%:*}/cache` | | `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers<br>:warning: Used by the `kaniko` build only | `${DOCKER_SNAPSHOT_IMAGE%:*}/cache` |
| `DOCKER_BUILD_CACHE_DISABLED` | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) | | `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED` | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)): This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
| Name | Description | Example | | Input / Variable | Description | Example |
| --------------------- | ------------------------------------------------------ | --------------------------------------- | | --------------------- | ------------------------------------------------------ | --------------------------------------- |
| `docker_image` | snapshot image name **with tag** | `registry.gitlab.com/acme/website/snapshot:main` | | `docker_image` | snapshot image name **with tag** | `registry.gitlab.com/acme/website/snapshot:main` |
| `docker_image_digest` | snapshot image name **with digest** (no tag) | `registry.gitlab.com/acme/website/snapshot@sha256:b7914a91...` | | `docker_image_digest` | snapshot image name **with digest** (no tag) | `registry.gitlab.com/acme/website/snapshot@sha256:b7914a91...` |
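Review bot: the output-variables table (`docker_image`, `docker_image_digest`) gets its header renamed to `Input / Variable`, but these are dotenv outputs produced by the job, not configuration inputs; keep `Name` (or use `Output variable`) so the table is not read as something the user sets. The remaining rows of this hunk are consistent: every `DOCKER_*` build variable gains a matching kebab-case input with the same default.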
...@@ -346,12 +369,12 @@ This job performs a [Health Check](https://docs.docker.com/engine/reference/buil ...@@ -346,12 +369,12 @@ This job performs a [Health Check](https://docs.docker.com/engine/reference/buil
It is bound to the `package-test` stage, and uses the following variables: It is bound to the `package-test` stage, and uses the following variables:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| -------------------------------------- | -------------------------------------------------------------------- | ----------------- | | -------------------------------------- | -------------------------------------------------------------------- | ----------------- |
| `DOCKER_HEALTHCHECK_DISABLED` | Set to `true` to disable health check | _(none: enabled by default)_ | | `healthcheck-disabled` / `DOCKER_HEALTHCHECK_DISABLED` | Set to `true` to disable health check | _(none: enabled by default)_ |
| `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` | | `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
| `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ | | `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
| `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check | _(none)_ | | `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check | _(none)_ |
In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck). In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
...@@ -373,13 +396,13 @@ variables: ...@@ -373,13 +396,13 @@ variables:
It is bound to the `package-test` stage, and uses the following variables: It is bound to the `package-test` stage, and uses the following variables:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| ---------------------- | -------------------------------------- | ----------------- | | ---------------------- | -------------------------------------- | ----------------- |
| `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` | | `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` |
| `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode) | _(none: standalone mode)_ | | `trivy-addr` / `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode) | _(none: standalone mode)_ |
| `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ | | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
| `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` | | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
In addition to a textual report in the console, this job produces the following reports, kept for one day: In addition to a textual report in the console, this job produces the following reports, kept for one day:
...@@ -394,28 +417,28 @@ This job generates a [SBOM](https://cyclonedx.org/) file listing installed packa ...@@ -394,28 +417,28 @@ This job generates a [SBOM](https://cyclonedx.org/) file listing installed packa
It is bound to the `package-test` stage, and uses the following variables: It is bound to the `package-test` stage, and uses the following variables:
| Name | description | default value | | Input / Variable | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- | | --------------------- | -------------------------------------- | ----------------- |
| `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` | | `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
| `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` | | `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger` |
### `docker-publish` job ### `docker-publish` job
This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo). This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
| Name | Description | Default value | | Input / Variable | Description | Default value |
| --------------------- | --------------------------------------------------------------------------- | ----------------- | | --------------------- | --------------------------------------------------------------------------- | ----------------- |
| `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` | | `skopeo-image` / `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
| `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_ | | `publish-args` / `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_ |
| `DOCKER_PROD_PUBLISH_STRATEGY`| Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). | `manual` | | `prod-publish-strategy` / `DOCKER_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). | `manual` |
| `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ | | `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
| `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags)) | _(none)_ | | `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags)) | _(none)_ |
| `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (enabled) | | `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (enabled) |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)): This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
| Name | Description | Example | | Input / Variable | Description | Example |
| --------------------- | ----------------------------------------------------- | --------------------------------------- | | --------------------- | ----------------------------------------------------- | --------------------------------------- |
| `docker_image` | release image name **with tag** | `registry.gitlab.com/acme/website:main` | | `docker_image` | release image name **with tag** | `registry.gitlab.com/acme/website:main` |
| `docker_image_digest` | release image name **with digest** (no tag) | `registry.gitlab.com/acme/website@sha256:b7914a91...` | | `docker_image_digest` | release image name **with digest** (no tag) | `registry.gitlab.com/acme/website@sha256:b7914a91...` |
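Review bot: the `sbom-opts` / `DOCKER_SBOM_OPTS` default changes from `--override-default-catalogers rpm-db-cataloger,...` to `--catalogers ...` with extra `alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger` entries; that is a tool-argument change unrelated to the component migration, and the new list carries both the `apk-db-cataloger` and `apkdb-cataloger` spellings (likewise for alpm and dpkg), which looks like an older default being restored by mistake. Confirm against the template's actual default before documenting it, and if it is intentional, call it out in the commit message. Also, the `docker-publish` output-variables table (`docker_image`, `docker_image_digest`) gets the `Input / Variable` header although these are dotenv outputs, not inputs.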
...@@ -504,14 +527,11 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry: ...@@ -504,14 +527,11 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
```yaml ```yaml
include: include:
- project: 'to-be-continuous/docker' - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
ref: '5.7.1' inputs:
file: '/templates/gitlab-ci-docker.yml' snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
variables: # $DOCKER_REGISTRY_USER and $DOCKER_REGISTRY_PASSWORD are defined as secret GitLab variables
DOCKER_SNAPSHOT_IMAGE: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
DOCKER_RELEASE_IMAGE: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
# $DOCKER_REGISTRY_USER and $DOCKER_REGISTRY_PASSWORD are defined as secret GitLab variables
``` ```
Depending on the Docker registry you're using, you may have to use a real password or generate a token as authentication credential. Depending on the Docker registry you're using, you may have to use a real password or generate a token as authentication credential.
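Review bot: this example pins `gitlab-ci-docker@5.7.0` while the legacy include it replaces used `ref: '5.7.1'`, so the migration silently moves the reader to an older version; align it with the version this commit ships. Keeping `$DOCKER_REGISTRY_USER` / `$DOCKER_REGISTRY_PASSWORD` as secret GitLab variables rather than inputs, as the retained comment says, is correct: inputs live in the committed YAML.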
...@@ -522,12 +542,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u ...@@ -522,12 +542,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u
```yaml ```yaml
include: include:
- project: 'to-be-continuous/docker' - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
ref: '5.7.1'
file: '/templates/gitlab-ci-docker.yml'
variables:
DOCKER_DIND_BUILD: "true"
.docker-base: .docker-base:
parallel: parallel:
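Review bot: the migrated multi-image example drops `variables: DOCKER_DIND_BUILD: "true"` without a replacement. If the example still needs Docker-in-Docker, the component equivalent is the `build-tool: dind` input documented in the global configuration table; if the variable is simply obsolete, say so in the commit message so the removal is not mistaken for an accidental behaviour change.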
...@@ -552,11 +567,11 @@ This variant allows delegating your secrets management to a [Vault](https://www. ...@@ -552,11 +567,11 @@ This variant allows delegating your secrets management to a [Vault](https://www.
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | Description | Default value | | Input / Variable | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- | | ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` | | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL` | The Vault server base API url | _none_ | | `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ |
| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` | | `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
...@@ -570,7 +585,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta ...@@ -570,7 +585,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
With: With:
| Name | Description | | Parameter | Description |
| -------------------------------- | -------------------------------------- | | -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server | | `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | | `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
...@@ -580,24 +595,21 @@ With: ...@@ -580,24 +595,21 @@ With:
```yaml ```yaml
include: include:
# main template # main template
- project: 'to-be-continuous/docker' - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
ref: '5.7.1'
file: '/templates/gitlab-ci-docker.yml'
# Vault variant # Vault variant
- project: 'to-be-continuous/docker' - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
ref: '5.7.1' inputs:
file: '/templates/gitlab-ci-docker-vault.yml' # audience claim for JWT
vault-oidc-aud: "https://vault.acme.host"
vault-base-url: "https://vault.acme.host/v1"
# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
variables: variables:
# audience claim for JWT # Secrets managed by Vault
VAULT_OIDC_AUD: "https://vault.acme.host" DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user"
# Secrets managed by Vault DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token"
DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user" DOCKER_REGISTRY_RELEASE_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user"
DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token" DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token"
DOCKER_REGISTRY_RELEASE_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user"
DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token"
VAULT_BASE_URL: "https://vault.acme.host/v1"
# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
``` ```
### Google Cloud variant ### Google Cloud variant
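Review bot: the example configures two authentication methods at once: `vault-oidc-aud` (JWT/OIDC) in the component inputs and, per the trailing comment, AppRole `$VAULT_ROLE_ID` / `$VAULT_SECRET_ID` as CI/CD variables. Say which one the secrets provider uses when both are present, or split this into an OIDC example and an AppRole example so readers do not ship both sets of credentials. Also rename the `# main template` comment to `# main component`, since the line it annotates is now `component:` rather than `project:`.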
...@@ -614,15 +626,16 @@ List of requirements before using this variant for publishing your container ima ...@@ -614,15 +626,16 @@ List of requirements before using this variant for publishing your container ima
#### Configuration #### Configuration
| Name | description | default value | | Input / Variable | Description | Default value |
| ------------------------ | -------------------------------------- | ----------------- | | ------------------------ | -------------------------------------- | ----------------- |
| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main` | | `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main` |
| `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ | | `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
| `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ | | `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
| `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define if different from default)_ | _none_ | | `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
| `GCP_SNAPSHOT_OIDC_ACCOUNT` | Service Account to use to push the snapshot image _(only define if different from default)_ | _none_ | | `gcp-snapshot-oidc-provider` / `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define to override default)_ | _none_ |
| `GCP_RELEASE_OIDC_PROVIDER` | Workload Identity Provider to push the release image _(only define if different from default)_ | _none_ | | `gcp-snapshot-oidc-account` / `GCP_SNAPSHOT_OIDC_ACCOUNT` | Service Account to use to push the snapshot image _(only define to override default)_ | _none_ |
| `GCP_RELEASE_OIDC_ACCOUNT` | Service Account to use to push the release image _(only define if different from default)_ | _none_ | | `gcp-release-oidc-provider` / `GCP_RELEASE_OIDC_PROVIDER` | Workload Identity Provider to push the release image _(only define to override default)_ | _none_ |
| `gcp-release-oidc-account` / `GCP_RELEASE_OIDC_ACCOUNT` | Service Account to use to push the release image _(only define to override default)_ | _none_ |
:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE` :warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
to use the snapshot image repository (will host your snapshot image as well as cached layers). to use the snapshot image repository (will host your snapshot image as well as cached layers).
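Review bot: `TBC_GCP_PROVIDER_IMAGE` defaults to the mutable `:main` tag (and `TBC_AWS_PROVIDER_IMAGE` further down to `:master`); an image that receives the job's OIDC token and exchanges it for registry credentials should be referenced by a pinned tag or digest, or the table should at least recommend overriding it with one in production. Since this row has no `gcp-…` input and the column header is now `Input / Variable`, also mark it as variable-only.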
...@@ -631,28 +644,24 @@ to use the snapshot image repository (will host your snapshot image as well as c ...@@ -631,28 +644,24 @@ to use the snapshot image repository (will host your snapshot image as well as c
```yaml ```yaml
include: include:
- project: 'to-be-continuous/docker' - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
ref: "5.2.0" inputs:
file: '/templates/gitlab-ci-docker.yml' build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
- project: 'to-be-continuous/docker' # untested & unverified container image
ref: "5.2.0" snapshot-image: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot:$CI_COMMIT_REF_SLUG"
file: '/templates/gitlab-ci-docker-gcp.yml' # ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko
# validated container image (published)
variables: release-image: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
# untested & unverified container image - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-gcp@5.7.0
DOCKER_SNAPSHOT_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot:$CI_COMMIT_REF_SLUG" inputs:
# ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko # default WIF provider
# validated container image (published) gcp-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
DOCKER_RELEASE_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME" # default GCP Service Account
# default WIF provider gcp-oidc-account: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
GCP_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod" # WIF provider for snapshot images
# default GCP Service Account gcp-snapshot-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
GCP_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com" # GCP Service Account for snapshot images
# WIF provider for snapshot images gcp-snapshot-oidc-account: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
GCP_SNAPSHOT_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
# GCP Service Account for snapshot images
GCP_SNAPSHOT_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
DOCKER_BUILD_TOOL: "kaniko" # Only Kaniko has been proved to work for this use case YET
``` ```
### Amazon Elastic Container Registry ### Amazon Elastic Container Registry
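Review bot: the `gcp-snapshot-oidc-provider` and `gcp-snapshot-oidc-account` lines repeat exactly the `gcp-oidc-provider` / `gcp-oidc-account` values above them, which contradicts the table's "only define to override default". Either drop the two lines or turn them into the real use case: a separate, lower-privilege service account for snapshot pushes from merge-request branches (write access to the `/snapshot` repository only), with the default account reserved for release pushes.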
...@@ -671,12 +680,12 @@ In order to use the AWS APIs, the variant supports two authentication methods: ...@@ -671,12 +680,12 @@ In order to use the AWS APIs, the variant supports two authentication methods:
#### Configuration #### Configuration
| Name | description | default value | | Input / Variable | Description | Default value |
| ------------------------ | -------------------------------------- | ----------------- | | ------------------------ | -------------------------------------- | ----------------- |
| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master` | | `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master` |
| `AWS_REGION` | Default region (where the ECR registry is located) | _none_ | | `aws-region` / `AWS_REGION` | Default region (where the ECR registry is located) | _none_ |
| `AWS_SNAPSHOT_REGION` | Region of the ECR registry for the snapshot image _(only define if different from default)_ | _none_ | | `aws-snapshot-region` / `AWS_SNAPSHOT_REGION` | Region of the ECR registry for the snapshot image _(only define to override default)_ | _none_ |
| `AWS_RELEASE_REGION` | Region of the ECR registry for the release image _(only define if different from default)_ | _none_ | | `aws-release-region` / `AWS_RELEASE_REGION` | Region of the ECR registry for the release image _(only define to override default)_ | _none_ |
:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE` :warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
to use the snapshot image repository (will host your snapshot image as well as cached layers). to use the snapshot image repository (will host your snapshot image as well as cached layers).
...@@ -686,42 +695,38 @@ to use the snapshot image repository (will host your snapshot image as well as c ...@@ -686,42 +695,38 @@ to use the snapshot image repository (will host your snapshot image as well as c
This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/), This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
then set the required configuration. then set the required configuration.
| Name | description | default value | | Input / Variable | Description | Default value |
| ------------------------ | -------------------------------------- | ----------------- | | ------------------------ | -------------------------------------- | ----------------- |
| `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` | | `aws-oidc-aud` / `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
| `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab | _none_ | | `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab | _none_ |
| `AWS_SNAPSHOT_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the snapshot image _(only define if different from default)_| _none_ | | `aws-snapshot-oidc-role-arn` / `AWS_SNAPSHOT_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the snapshot image _(only define to override default)_| _none_ |
| `AWS_RELEASE_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the release image _(only define if different from default)_| _none_ | | `aws-release-oidc-role-arn` / `AWS_RELEASE_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the release image _(only define to override default)_| _none_ |
##### Basic authentication config ##### Basic authentication config
| Name | description | default value | | Variable | Description | Default value |
| ------------------------ | -------------------------------------- | ----------------- | | ------------------------ | -------------------------------------- | ----------------- |
| `AWS_ACCESS_KEY_ID` | Default access key ID | _none_ (disabled) | | `AWS_ACCESS_KEY_ID` | Default access key ID | _none_ (disabled) |
| `AWS_SECRET_ACCESS_KEY` | Default secret access key | _none_ (disabled) | | `AWS_SECRET_ACCESS_KEY` | Default secret access key | _none_ (disabled) |
| `AWS_SNAPSHOT_ACCESS_KEY_ID`| Access key ID for the snapshot image _(only define if different from default)_ | _none_ | | `AWS_SNAPSHOT_ACCESS_KEY_ID`| Access key ID for the snapshot image _(only define to override default)_ | _none_ |
| `AWS_SNAPSHOT_SECRET_ACCESS_KEY`| Secret access key for the snapshot image _(only define if different from default)_ | _none_ | | `AWS_SNAPSHOT_SECRET_ACCESS_KEY`| Secret access key for the snapshot image _(only define to override default)_ | _none_ |
| `AWS_RELEASE_ACCESS_KEY_ID`| Access key ID for the release image _(only define if different from default)_ | _none_ | | `AWS_RELEASE_ACCESS_KEY_ID`| Access key ID for the release image _(only define to override default)_ | _none_ |
| `AWS_RELEASE_SECRET_ACCESS_KEY`| Secret access key for the release image _(only define if different from default)_ | _none_ | | `AWS_RELEASE_SECRET_ACCESS_KEY`| Secret access key for the release image _(only define to override default)_ | _none_ |
#### Example #### Example
```yaml ```yaml
include: include:
- project: 'to-be-continuous/docker' - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
ref: "5.2.0" inputs:
file: '/templates/gitlab-ci-docker.yml' # untested & unverified container image
- project: 'to-be-continuous/docker' snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot:$CI_COMMIT_REF_SLUG"
ref: "5.2.0" # ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko
file: '/templates/gitlab-ci-docker-ecr.yml' # validated container image (published)
release-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH:$CI_COMMIT_REF_NAME"
variables: - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-ecr@5.7.0
AWS_REGION: "us-east-1" inputs:
# untested & unverified container image # default Role ARN (using OIDC authentication method)
DOCKER_SNAPSHOT_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot:$CI_COMMIT_REF_SLUG" aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci"
# ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko aws-region: "us-east-1"
# validated container image (published)
DOCKER_RELEASE_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH:$CI_COMMIT_REF_NAME"
# default Role ARN (using OIDC authentication method)
AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/gitlab-ci"
``` ```
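Review bot: the basic-authentication rows `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` and their snapshot/release variants are long-lived credentials but are not marked with :lock: as the Vault table does; mark them and state that they must be defined as masked (and ideally protected) CI/CD variables, never in the YAML. Also fix "carefuly" to "carefully" in the OIDC intro sentence.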
...@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then ...@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..." log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
# replace in README # replace in README
sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
mv -f README.md.next README.md mv -f README.md.next README.md
# replace in template and variants # replace in template and variants
for tmpl in templates/*.yml for tmpl in templates/*.yml
do do
sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next" sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
mv -f "$tmpl.next" "$tmpl" mv -f "$tmpl.next" "$tmpl"
done done
else else
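Review bot: the second `-e` expression of the README `sed` contains typographic closing quotes (`\”$curVer\”` and `\”$nextVer\”`) where ASCII `\"` is intended; as written it never matches `ref: "5.x.y"` and, if it ever did, would write curly quotes into the README. If the curly quotes are only a rendering artifact of this page, ignore this; otherwise replace them with `\"`. Secondarily, `$curVer` is interpolated unescaped into every pattern, so its dots match any character; harmless for version strings, but worth a `sed`-escaped copy of the version if the script is reused.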
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
"description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)", "description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)",
"template_path": "templates/gitlab-ci-docker.yml", "template_path": "templates/gitlab-ci-docker.yml",
"kind": "package", "kind": "package",
"prefix": "docker",
"is_component": true,
"variables": [ "variables": [
{ {
"name": "DOCKER_BUILD_TOOL", "name": "DOCKER_BUILD_TOOL",
...@@ -39,7 +41,7 @@ ...@@ -39,7 +41,7 @@
{ {
"name": "DOCKER_FILE", "name": "DOCKER_FILE",
"description": "The path to your `Dockerfile`", "description": "The path to your `Dockerfile`",
"default": "$CI_PROJECT_DIR/Dockerfile" "default": "Dockerfile"
}, },
{ {
"name": "DOCKER_CONTEXT_PATH", "name": "DOCKER_CONTEXT_PATH",
...@@ -265,6 +267,12 @@ ...@@ -265,6 +267,12 @@
"default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main", "default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main",
"advanced": true "advanced": true
}, },
{
"name": "GCP_OIDC_AUD",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
"default": "$CI_SERVER_URL",
"advanced": true
},
{ {
"name": "GCP_OIDC_ACCOUNT", "name": "GCP_OIDC_ACCOUNT",
"description": "Default Service Account to which impersonate with OpenID Connect authentication" "description": "Default Service Account to which impersonate with OpenID Connect authentication"
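Review bot: the new `GCP_OIDC_AUD` entry links to the AWS OIDC page (`cloud_services/aws/`); it should point to `https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/`, the page the `GCP_OIDC_PROVIDER` description already references.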
...@@ -275,22 +283,22 @@ ...@@ -275,22 +283,22 @@
}, },
{ {
"name": "GCP_SNAPSHOT_OIDC_ACCOUNT", "name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
"description": "Service Account to use to push the snapshot image _(only define if different from default)_", "description": "Service Account to use to push the snapshot image _(only define to override default)_",
"advanced": true "advanced": true
}, },
{ {
"name": "GCP_SNAPSHOT_OIDC_PROVIDER", "name": "GCP_SNAPSHOT_OIDC_PROVIDER",
"description": "Workload Identity Provider to push the snapshot image _(only define if different from default)_", "description": "Workload Identity Provider to push the snapshot image _(only define to override default)_",
"advanced": true "advanced": true
}, },
{ {
"name": "GCP_RELEASE_OIDC_ACCOUNT", "name": "GCP_RELEASE_OIDC_ACCOUNT",
"description": "Service Account to use to push the release image _(only define if different from default)_", "description": "Service Account to use to push the release image _(only define to override default)_",
"advanced": true "advanced": true
}, },
{ {
"name": "GCP_RELEASE_OIDC_PROVIDER", "name": "GCP_RELEASE_OIDC_PROVIDER",
"description": "Workload Identity Provider to push the release image _(only define if different from default)_", "description": "Workload Identity Provider to push the release image _(only define to override default)_",
"advanced": true "advanced": true
} }
] ]
...@@ -313,12 +321,12 @@ ...@@ -313,12 +321,12 @@
}, },
{ {
"name": "AWS_SNAPSHOT_REGION", "name": "AWS_SNAPSHOT_REGION",
"description": "Region of the ECR registry for the snapshot image _(only define if different from default)_", "description": "Region of the ECR registry for the snapshot image _(only define to override default)_",
"advanced": true "advanced": true
}, },
{ {
"name": "AWS_RELEASE_REGION", "name": "AWS_RELEASE_REGION",
"description": "Region of the ECR registry for the release image _(only define if different from default)_", "description": "Region of the ECR registry for the release image _(only define to override default)_",
"advanced": true "advanced": true
}, },
{ {
......
logo.png (binary image replaced: 22 KiB before, 16.5 KiB after)
# ===================================================================================================================== # =====================================================================================================================
# === AWS Auth template variant # === AWS Auth template variant
# ===================================================================================================================== # =====================================================================================================================
spec:
inputs:
aws-region:
description: Default region (where the ECR registry is located)
default: ''
aws-snapshot-region:
description: Region of the ECR registry for the snapshot image _(only define if
different from default)_
default: ''
aws-release-region:
description: Region of the ECR registry for the release image _(only define if
different from default)_
default: ''
aws-oidc-aud:
description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
default: $CI_SERVER_URL
aws-oidc-role-arn:
description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
default: ''
aws-snapshot-oidc-role-arn:
description: IAM Role ARN associated with GitLab for the snapshot image _(only
required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
and if different from default)_
default: ''
aws-release-oidc-role-arn:
description: IAM Role ARN associated with GitLab for the release image _(only
required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
and if different from default)_
default: ''
---
variables: variables:
TBC_AWS_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master" TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master
AWS_OIDC_AUD: "$CI_SERVER_URL" AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
AWS_REGION: $[[ inputs.aws-region ]]
AWS_SNAPSHOT_REGION: $[[ inputs.aws-snapshot-region ]]
AWS_RELEASE_REGION: $[[ inputs.aws-release-region ]]
AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
AWS_SNAPSHOT_OIDC_ROLE_ARN: $[[ inputs.aws-snapshot-oidc-role-arn ]]
AWS_RELEASE_OIDC_ROLE_ARN: $[[ inputs.aws-release-oidc-role-arn ]]
.docker-base: .docker-base:
services: services:
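Review bot: every input here defaults to `''` and is mapped unconditionally into `AWS_REGION`, `AWS_OIDC_ROLE_ARN`, `AWS_SNAPSHOT_REGION`, etc., so variables that were previously undefined unless the user set them are now always defined, as empty strings. Check that the auth provider and the template's scripts use emptiness tests (`-n`, `${VAR:-}`) rather than "is set" tests, and note that `AWS_REGION` is also read by the AWS SDK/CLI inside the provider container, where an empty value may not behave like an absent one. The `aws-snapshot-region` / `aws-release-region` descriptions also still read "only define if different from default", whereas the README and kicker.json in this same commit were changed to "only define to override default".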
......
# ===================================================================================================================== # =====================================================================================================================
# === GCP Auth template variant # === GCP Auth template variant
# ===================================================================================================================== # =====================================================================================================================
spec:
inputs:
gcp-oidc-aud:
description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
default: $CI_SERVER_URL
gcp-oidc-account:
description: Default Service Account to which impersonate with OpenID Connect
authentication
default: ''
gcp-oidc-provider:
description: Default Workload Identity Provider associated with GitLab to [authenticate
with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
default: ''
gcp-snapshot-oidc-account:
description: Service Account to use to push the snapshot image _(only define if
different from default)_
default: ''
gcp-snapshot-oidc-provider:
description: Workload Identity Provider to push the snapshot image _(only define
if different from default)_
default: ''
gcp-release-oidc-account:
description: Service Account to use to push the release image _(only define if
different from default)_
default: ''
gcp-release-oidc-provider:
description: Workload Identity Provider to push the release image _(only define
if different from default)_
default: ''
---
variables: variables:
TBC_GCP_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main" TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main
GCP_OIDC_AUD: "$CI_SERVER_URL" GCP_OIDC_AUD: $[[ inputs.gcp-oidc-aud ]]
GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]
GCP_SNAPSHOT_OIDC_ACCOUNT: $[[ inputs.gcp-snapshot-oidc-account ]]
GCP_SNAPSHOT_OIDC_PROVIDER: $[[ inputs.gcp-snapshot-oidc-provider ]]
GCP_RELEASE_OIDC_ACCOUNT: $[[ inputs.gcp-release-oidc-account ]]
GCP_RELEASE_OIDC_PROVIDER: $[[ inputs.gcp-release-oidc-provider ]]
.docker-base: .docker-base:
services: services:
- name: "$TBC_TRACKING_IMAGE" - name: "$TBC_TRACKING_IMAGE"
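Review bot: the `gcp-oidc-aud` description links to the AWS OIDC documentation (`cloud_services/aws/`) instead of `cloud_services/google_cloud/`, which `gcp-oidc-provider` two entries below already uses; the same copy-paste is in kicker.json. The `gcp-snapshot-…` / `gcp-release-…` descriptions also keep the old "if different from default" wording that the README rows were moved away from, and the same empty-string-versus-unset concern raised for the ECR variant applies to `GCP_OIDC_ACCOUNT` / `GCP_OIDC_PROVIDER`.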
......
# ===================================================================================================================== # =====================================================================================================================
# === Vault template variant # === Vault template variant
# ===================================================================================================================== # =====================================================================================================================
spec:
inputs:
vault-base-url:
description: The Vault server base API url
default: ''
vault-oidc-aud:
description: The `aud` claim for the JWT
default: $CI_SERVER_URL
---
variables: variables:
# variabilized vault-secrets-provider image # variabilized vault-secrets-provider image
TBC_VAULT_IMAGE: "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master" TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master
VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
# variables have to be explicitly declared in the YAML to be exported to the service # variables have to be explicitly declared in the YAML to be exported to the service
VAULT_ROLE_ID: "$VAULT_ROLE_ID" VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID" VAULT_SECRET_ID: "$VAULT_SECRET_ID"
VAULT_OIDC_AUD: "$CI_SERVER_URL" VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
.docker-base: .docker-base:
services: services:
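Review bot: `vault-base-url` defaults to `''` although the variant cannot do anything without it. A spec input with no `default:` is mandatory, so omitting the default would make a missing URL fail at pipeline creation with a clear message instead of at job run time inside the secrets-provider service; the `$CI_SERVER_URL` default for `vault-oidc-aud` is fine as is.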
......
...@@ -13,6 +13,183 @@ ...@@ -13,6 +13,183 @@
# program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
# Floor, Boston, MA 02110-1301, USA. # Floor, Boston, MA 02110-1301, USA.
# ========================================================================================= # =========================================================================================
spec:
inputs:
build-tool:
description: The build tool to use for building container image
options:
- kaniko
- buildah
- dind
default: kaniko
kaniko-image:
description: |-
The image used to run kaniko
_for kaniko build only_
default: gcr.io/kaniko-project/executor:debug
buildah-image:
description: |-
The image used to run buildah
_for buildah build only_
default: quay.io/buildah/stable:latest
image:
description: |-
The image used to run the docker client
_for Docker-in-Docker(dind) build only_
default: registry.hub.docker.com/library/docker:latest
dind-image:
description: |-
The image used to run the Docker daemon
_for Docker-in-Docker(dind) build only_
default: registry.hub.docker.com/library/docker:dind
skopeo-image:
description: The image used to publish docker image with Skopeo
default: quay.io/skopeo/stable:latest
file:
description: The path to your `Dockerfile`
default: Dockerfile
context-path:
description: The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) - _only set if you want a context path different from the Dockerfile location_
default: ''
config-file:
description: Path to the [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) (JSON)
default: .docker/config.json
snapshot-image:
description: Docker snapshot image
default: $CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG
release-image:
description: Docker release image
default: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
release-extra-tags-pattern:
description: |-
Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups)
Defaults to [SemVer](https://semver.org/) pattern.
default: ^v?(?P<major>[0-9]+)\.(?P<minor>[0-9]+)\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\.]+)?(?P<build>\+[0-9A-Za-z-\.]+)?)$
release-extra-tags:
description: |-
Defines extra tags to publish the _release_ image
Supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` (ex: `latest \g<major>.\g<minor> \g<major>`)
default: ''
build-args:
description: Additional docker/kaniko/buildah build arguments
default: ''
build-cache-disabled:
description: Disable the build cache
type: boolean
default: false
metadata:
description: Additional metadata to set as labels
default: >-
--label org.opencontainers.image.url=${CI_PROJECT_URL}
--label org.opencontainers.image.source=${CI_PROJECT_URL}
--label org.opencontainers.image.title=${CI_PROJECT_PATH}
--label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
--label org.opencontainers.image.revision=${CI_COMMIT_SHA}
--label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
publish-args:
description: Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)
default: ''
prod-publish-strategy:
description: Defines the publish to production strategy.
options:
- none
- manual
- auto
default: manual
semrel-release-disabled:
description: Disable integration with the [semantic release template](https://gitlab.com/to-be-continuous/semantic-release/)
type: boolean
default: false
registry-mirror:
description: |-
URL of a Docker registry mirror to use instead of default `https://index.docker.io`
_Used by `kaniko` and `dind` builds only_
default: ''
container-registries-config-file:
description: |-
The [registries.conf](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used
_Used by the `buildah` build only_
default: ''
kaniko-snapshot-image-cache:
description: |-
Snapshot image repository that will be used to store cached layers.
_Used by the `kaniko` build only_
default: ${DOCKER_SNAPSHOT_IMAGE%:*}/cache
lint-enabled:
description: Enable dockerfile-lint
type: boolean
default: false
lint-image:
description: The docker image to lint your Dockerfile
default: registry.hub.docker.com/projectatomic/dockerfile-lint:latest
lint-args:
description: Additional `dockerfile_lint` arguments
default: ''
hadolint-disabled:
description: Disable Hadolint
type: boolean
default: false
hadolint-image:
description: The docker image to lint your Dockerfile with Hadolint
default: registry.hub.docker.com/hadolint/hadolint:latest-alpine
hadolint-args:
description: Additional `hadolint` arguments
default: ''
healthcheck-disabled:
description: Disable Health Check
type: boolean
default: false
healthcheck-timeout:
description: When testing an image, how long (in seconds) wait for the HealthCheck status
type: number
default: 60
healthcheck-options:
description: Docker options for health check such as port mapping, environment...
default: ''
healthcheck-container-args:
description: Arguments sent to the running container for health check
default: ''
trivy-disabled:
description: Disable Trivy
type: boolean
default: false
trivy-image:
description: The docker image used to scan images with Trivy
default: registry.hub.docker.com/aquasec/trivy:latest
trivy-addr:
description: The Trivy server address
default: ''
trivy-security-level-threshold:
description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
options:
- UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- LOW,MEDIUM,HIGH,CRITICAL
- MEDIUM,HIGH,CRITICAL
- HIGH,CRITICAL
- CRITICAL
default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy-args:
description: Additional `trivy client` arguments
default: --ignore-unfixed --vuln-type os --exit-on-eol 1
sbom-disabled:
description: Disable Software Bill of Materials
type: boolean
default: false
sbom-image:
default: registry.hub.docker.com/anchore/syft:debug
sbom-opts:
description: Options for syft used for SBOM analysis
default: --catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger
---
# default workflow rules: Merge Request pipelines # default workflow rules: Merge Request pipelines
workflow: workflow:
rules: rules:
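Review bot: `sbom-image` is the only input in this spec without a `description:` (it sits between `sbom-disabled` and `sbom-opts` with just a `default:`); the component catalog renders these descriptions as the input reference, so add one along the lines of "The docker image used to generate the SBOM with Syft". Two further points on the defaults: every linter/scanner image in this spec is pulled by a mutable tag (`projectatomic/dockerfile-lint:latest`, `hadolint/hadolint:latest-alpine`, `aquasec/trivy:latest`, `anchore/syft:debug`), which is fine as a convenience default but worth a sentence in the description telling consumers to pin a digest for reproducible scans; and `kaniko-snapshot-image-cache` defaults to `${DOCKER_SNAPSHOT_IMAGE%:*}/cache`, a shell parameter expansion that GitLab's own `$VAR` interpolation will not evaluate, so please confirm the job script evaluates that value itself and say so in the description.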
...@@ -57,40 +234,36 @@ workflow: ...@@ -57,40 +234,36 @@ workflow:
variables: variables:
# variabilized tracking image # variabilized tracking image
TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master" TBC_TRACKING_IMAGE: registry.gitlab.com/to-be-continuous/tools/tracking:master
DOCKER_LINT_IMAGE: $[[ inputs.lint-image ]]
DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
DOCKER_IMAGE: $[[ inputs.image ]]
DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
DOCKER_KANIKO_IMAGE: $[[ inputs.kaniko-image ]]
DOCKER_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
DOCKER_BUILDAH_IMAGE: $[[ inputs.buildah-image ]]
DOCKER_HADOLINT_IMAGE: "registry.hub.docker.com/hadolint/hadolint:latest-alpine" DOCKER_FILE: $[[ inputs.file ]]
DOCKER_IMAGE: "registry.hub.docker.com/library/docker:latest" DOCKER_CONFIG_FILE: $[[ inputs.config-file ]]
DOCKER_DIND_IMAGE: "registry.hub.docker.com/library/docker:dind"
DOCKER_KANIKO_IMAGE: "gcr.io/kaniko-project/executor:debug"
DOCKER_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest"
DOCKER_BUILDAH_IMAGE: "quay.io/buildah/stable:latest"
# for retro-compatibility (deprecated & undocumented)
DOCKER_DOCKERFILE_PATH: "."
DOCKER_FILE: "$DOCKER_DOCKERFILE_PATH/Dockerfile"
DOCKER_CONFIG_FILE: ".docker/config.json"
# When testing a Docker Health (test stage), how long (in seconds) wait for the HealthCheck status (https://docs.docker.com/engine/reference/builder/#healthcheck) # When testing a Docker Health (test stage), how long (in seconds) wait for the HealthCheck status (https://docs.docker.com/engine/reference/builder/#healthcheck)
DOCKER_HEALTHCHECK_TIMEOUT: "60" DOCKER_HEALTHCHECK_TIMEOUT: $[[ inputs.healthcheck-timeout ]]
# Default Docker config uses the internal GitLab registry # Default Docker config uses the internal GitLab registry
DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG" DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]]
DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME" DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]]
DOCKER_KANIKO_VERBOSITY: "info"
DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
DOCKER_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest" DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os --exit-on-eol 1" DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
# SBOM genenration image and arguments # SBOM genenration image and arguments
DOCKER_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug" DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
DOCKER_SBOM_OPTS: "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger" DOCKER_SBOM_OPTS: $[[ inputs.sbom-opts ]]
# default: one-click publish # default: one-click publish
DOCKER_PROD_PUBLISH_STRATEGY: manual DOCKER_PROD_PUBLISH_STRATEGY: $[[ inputs.prod-publish-strategy ]]
DOCKER_RELEASE_EXTRA_TAGS_PATTERN: "^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$" DOCKER_RELEASE_EXTRA_TAGS_PATTERN: $[[ inputs.release-extra-tags-pattern ]]
# default production ref name (pattern) # default production ref name (pattern)
PROD_REF: '/^(master|main)$/' PROD_REF: '/^(master|main)$/'
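Review bot: `DOCKER_KANIKO_VERBOSITY: "info"` is removed in this hunk with no replacement input, and the kaniko build hunk further down replaces `--verbosity $DOCKER_KANIKO_VERBOSITY` with `${TRACE+--verbosity debug}`, so any project that set `DOCKER_KANIKO_VERBOSITY` silently loses that knob; either add a `kaniko-verbosity` input or record the removal as a breaking change (the commit message only says `feat: migrate to GitLab CI/CD component`). The same applies to the retro-compatibility block: `DOCKER_DOCKERFILE_PATH: "."` feeding `DOCKER_FILE` is dropped and `DOCKER_FILE` now comes straight from `$[[ inputs.file ]]`, so a project still relying on the deprecated `DOCKER_DOCKERFILE_PATH` will quietly build from the default Dockerfile location instead. Also check the SBOM default: the removed `DOCKER_SBOM_OPTS` was `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger`, whereas the new `sbom-opts` input defaults to `--catalogers` with the same list plus `alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger`; that changes both the flag and the cataloger set rather than just moving the value, so if it is intentional it deserves a mention.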
...@@ -98,22 +271,30 @@ variables: ...@@ -98,22 +271,30 @@ variables:
INTEG_REF: '/^develop$/' INTEG_REF: '/^develop$/'
# don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231) # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
DOCKER_METADATA: >- DOCKER_METADATA: $[[ inputs.metadata ]]
--label org.opencontainers.image.url=${CI_PROJECT_URL}
--label org.opencontainers.image.source=${CI_PROJECT_URL}
--label org.opencontainers.image.title=${CI_PROJECT_PATH}
--label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
--label org.opencontainers.image.revision=${CI_COMMIT_SHA}
--label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
# default to kaniko, possible options : kaniko|buildah|dind # default to kaniko, possible options : kaniko|buildah|dind
DOCKER_BUILD_TOOL: DOCKER_BUILD_TOOL: $[[ inputs.build-tool ]]
value: "kaniko"
options: DOCKER_CONTEXT_PATH: $[[ inputs.context-path ]]
- "kaniko" DOCKER_RELEASE_EXTRA_TAGS: $[[ inputs.release-extra-tags ]]
- "buildah" DOCKER_BUILD_ARGS: $[[ inputs.build-args ]]
- "dind" DOCKER_BUILD_CACHE_DISABLED: $[[ inputs.build-cache-disabled ]]
description: "The build tool to use for building container image" DOCKER_PUBLISH_ARGS: $[[ inputs.publish-args ]]
DOCKER_SEMREL_RELEASE_DISABLED: $[[ inputs.semrel-release-disabled ]]
DOCKER_REGISTRY_MIRROR: $[[ inputs.registry-mirror ]]
CONTAINER_REGISTRIES_CONFIG_FILE: $[[ inputs.container-registries-config-file ]]
KANIKO_SNAPSHOT_IMAGE_CACHE: $[[ inputs.kaniko-snapshot-image-cache ]]
DOCKER_LINT_ENABLED: $[[ inputs.lint-enabled ]]
DOCKER_LINT_ARGS: $[[ inputs.lint-args ]]
DOCKER_HADOLINT_DISABLED: $[[ inputs.hadolint-disabled ]]
DOCKER_HADOLINT_ARGS: $[[ inputs.hadolint-args ]]
DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]]
DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]]
DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
# ================================================== # ==================================================
# Stages definition # Stages definition
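Review bot: `DOCKER_BUILD_TOOL` loses its `value:`/`options:`/`description:` form (`kaniko`, `buildah`, `dind`) and becomes a flat `$[[ inputs.build-tool ]]`, so consumers on the legacy `include:project` path no longer get the pre-filled dropdown in the run-pipeline UI that the old definition provided; consider keeping the `value:` block with the input expression as the value so both consumption modes keep the same UX. Minor: `CONTAINER_REGISTRIES_CONFIG_FILE` and `KANIKO_SNAPSHOT_IMAGE_CACHE` are the only new variables without the `DOCKER_` prefix, and the surrounding `# ...` comments for the other groups of variables (health check, SBOM, publish strategy) were not extended to cover the long block of new `$[[ inputs.* ]]` mappings; a one-line comment per group would keep the file readable.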
...@@ -438,9 +619,9 @@ stages: ...@@ -438,9 +619,9 @@ stages:
kaniko_registry_mirror_option="--registry-mirror $(echo ${DOCKER_REGISTRY_MIRROR} | sed "s|^https*://||")" kaniko_registry_mirror_option="--registry-mirror $(echo ${DOCKER_REGISTRY_MIRROR} | sed "s|^https*://||")"
fi fi
log_info "Build & deploy image $docker_image" log_info "Build & deploy image $docker_image"
log_info "Kaniko command: /kaniko/executor --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} --verbosity $DOCKER_KANIKO_VERBOSITY $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*" log_info "Kaniko command: /kaniko/executor --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*"
# shellcheck disable=SC2086 # shellcheck disable=SC2086
/kaniko/executor --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} --verbosity $DOCKER_KANIKO_VERBOSITY $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@" /kaniko/executor ${TRACE+--verbosity debug} --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@"
} }
# Used by containers tools like buildah, skopeo. # Used by containers tools like buildah, skopeo.