Compare commits

..

10 Commits

Author SHA1 Message Date
9c6d4c69b8 feat: integrate into CI/CD, version 2.8.3 2024-03-20 18:27:22 +00:00
82e7afaa52 Merge commit 'ee0b0b756dd1a3a08cfdbd0e439a3ff86f1772c8' 2024-03-20 18:21:30 +00:00
ee0b0b756d Squashed '.ci/' changes from 79eebe4..2c44e4f
2c44e4f Disable concurrent builds
7144a42 Improve Trivy scanning logic
c1a48a6 Remove auto stash push / pop as being too dangerous
318c19e Add merge comment for subtree
22ed100 Fix custom branch docker tags
227e39f Allow custom GIT_TAG
38a9cda Debug CI pipeline
3efcc81 Debug CI pipeline
5023473 Make branch detection work for tagged commits
cdc32e0 Improve cleanup flow
8df60af Fix derp
748a4bd Migrate to :: to allow custom make steps, add generic stubs
955afa7 Apply pep8
5819ded Improve ECR public lifecycle handling via python script
5d4e4ad Make rm-remote-untagged less noisy
f00e541 Add cleanup step to remove untagged images by default
0821e91 Ensure tag names are valid for remote branches like PRs

git-subtree-dir: .ci
git-subtree-split: 2c44e4fd8550d30fba503a2bcccec8e0bac1c151
2024-03-20 18:21:30 +00:00
36b8805087 Latest Alpine base, incl. docker-registry 2.8.2-git 2023-05-24 16:46:04 +00:00
38a6113faa Squashed '.ci/' changes from 63421d1..79eebe4
79eebe4 add ARCH support for tests
aea1ccc Only add branch name to tags, if not part of actual tag
a5875db Make EXTRA_TAGS work again

git-subtree-dir: .ci
git-subtree-split: 79eebe4d3de843d921994db20e20dda801272934
2023-05-24 16:10:12 +00:00
f0f2633c9b Merge commit '38a6113faa064e9fd87a468880ed54a67440ed0e' 2023-05-24 16:10:12 +00:00
920b09208c Squashed '.ci/' changes from 5554972..63421d1
63421d1 fix: prevent branch_name equals tag
47140c2 feat: append branch into tags if not main
4b62ada chore: improve messaging
a49cc0c chore: improve messaging
194afb4 chore: get ci working again
8ec9769 chore: get ci working again
fef4968 fix: do NOT push PRs to registry, other fixes
50a6d67 feat: ensure ARCH is only set to defined values
8fb40c7 fix: adjust trivy call to local podman
7378ea9 fix: fix trivy scan task to match new flow, add BRANCH env to Makefile
38cf7ab fix: more podman/buildah cleanups
aece7fc fix: Improve multi-arch manifest handling
80dabc2 feat: remove implicit dependencies, add help target, cleanup

git-subtree-dir: .ci
git-subtree-split: 63421d1fab0d2546de343697cbd1424914db6c31
2023-04-20 21:16:24 +00:00
924e379b04 Merge commit '920b09208c9cab9ae6f89432e36f3a36e7672dc6' 2023-04-20 21:16:24 +00:00
eb6290a56a Squashed '.ci/' changes from ea9c914..5554972
5554972 feat: multi-arch container images
da15d68 feat: handle nothing to cleanup gracefully
01df38b feat: move ecr-login into its own task

git-subtree-dir: .ci
git-subtree-split: 55549729264a318c4c942957a36e8659553fece0
2022-10-11 15:17:21 +02:00
a6a738863a Merge commit 'eb6290a56a3c6cd31f428fda26616eb556280fea' 2022-10-11 15:17:21 +02:00
6 changed files with 181 additions and 64 deletions

63
.ci/ecr_public_lifecycle.py Executable file
View File

@ -0,0 +1,63 @@
#!/usr/bin/env python3
import argparse
import boto3
parser = argparse.ArgumentParser(
description='Implement basic public ECR lifecycle policy')
parser.add_argument('--repo', dest='repositoryName', action='store', required=True,
help='Name of the public ECR repository')
parser.add_argument('--keep', dest='keep', action='store', default=10, type=int,
help='number of tagged images to keep, default 10')
parser.add_argument('--dev', dest='delete_dev', action='store_true',
help='also delete in-development images only having tags like v0.1.1-commitNr-githash')
args = parser.parse_args()
client = boto3.client('ecr-public', region_name='us-east-1')
images = client.describe_images(repositoryName=args.repositoryName)[
"imageDetails"]
untagged = []
kept = 0
# actual Image
# imageManifestMediaType: 'application/vnd.oci.image.manifest.v1+json'
# image Index
# imageManifestMediaType: 'application/vnd.oci.image.index.v1+json'
# Sort by date uploaded
for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
# Remove all untagged
# if registry uses image index all actual images will be untagged anyways
if 'imageTags' not in image:
untagged.append({"imageDigest": image['imageDigest']})
# print("Delete untagged image {}".format(image["imageDigest"]))
continue
# check for dev tags
if args.delete_dev:
_delete = True
for tag in image["imageTags"]:
# Look for at least one tag NOT beign a SemVer dev tag
if "-" not in tag:
_delete = False
if _delete:
print("Deleting development image {}".format(image["imageTags"]))
untagged.append({"imageDigest": image['imageDigest']})
continue
if kept < args.keep:
kept = kept+1
print("Keeping tagged image {}".format(image["imageTags"]))
continue
else:
print("Deleting tagged image {}".format(image["imageTags"]))
untagged.append({"imageDigest": image['imageDigest']})
deleted_images = client.batch_delete_image(
repositoryName=args.repositoryName, imageIds=untagged)
if deleted_images["imageIds"]:
print("Deleted images: {}".format(deleted_images["imageIds"]))

View File

@ -1,62 +1,84 @@
# Parse version from latest git semver tag # Parse version from latest git semver tag
GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null) GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//') GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }') TAG ::= $(GIT_TAG)
# append branch name to tag if NOT main nor master
ifneq ($(TRIVY_REMOTE),) ifeq (,$(filter main master, $(GIT_BRANCH)))
TRIVY_OPTS := --server ${TRIVY_REMOTE} # If branch is substring of tag, omit branch name
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
# only append branch name if not equal tag
ifneq ($(GIT_TAG), $(GIT_BRANCH))
# Sanitize GIT_BRANCH to allowed Docker tag character set
TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
endif
endif
endif endif
.PHONY: build test scan push clean ARCH ::= amd64
ALL_ARCHS ::= amd64 arm64
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
all: test ifneq ($(TRIVY_REMOTE),)
TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
endif
build: .SILENT: ; # no need for @
@docker image exists $(REGISTRY)/$(IMAGE):$(TAG) || \ .ONESHELL: ; # recipes execute in same shell
docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG) --build-arg TAG=$(TAG) . .NOTPARALLEL: ; # wait for this target to finish
.EXPORT_ALL_VARIABLES: ; # send all vars to shell
.PHONY: all # All targets are accessible for user
.DEFAULT: help # Running Make will run the help target
test: build rm-test-image help: ## Show Help
@test -f Dockerfile.test && \ grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
{ docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \
docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; } || \
echo "No Dockerfile.test found, skipping test"
scan: build prepare:: ## custom step on the build agent before building
@echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG) using Trivy"
@trivy image $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG)
push: build fmt:: ## auto format source
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
@for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t; done
clean: rm-test-image rm-image lint:: ## Lint source
# Delete all untagged images build: ## Build the app
.PHONY: rm-remote-untagged buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
rm-remote-untagged:
@echo "Removing all untagged images from $(IMAGE) in $(REGION)" test:: ## test built artificats
@aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
scan: ## Scan image using trivy
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
# first tag and push all actual images
# create new manifest for each tag and add all available TAG-ARCH before pushing
push: ecr-login ## push images to registry
for t in $(TAG) latest $(EXTRA_TAGS); do \
echo "Tagging image with $(REGISTRY)/$(IMAGE):$${t}-$(ARCH)"
buildah tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH); \
buildah manifest rm $(IMAGE):$$t || true; \
buildah manifest create $(IMAGE):$$t; \
for a in $(ALL_ARCHS); do \
buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
done; \
echo "Pushing manifest $(IMAGE):$$t"
buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
done
ecr-login: ## log into AWS ECR public
aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tagged
echo "Removing all untagged and in-dev images from $(IMAGE) in $(REGION)"
.ci/ecr_public_lifecycle.py --repo $(IMAGE) --dev
clean:: ## clean up source folder
.PHONY: rm-image
rm-image: rm-image:
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || docker image rm -f $(IMAGE):$(TAG) > /dev/null test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || echo "Error: Removing image failed" test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
# Ensure we run the tests by removing any previous runs ## some useful tasks during development
.PHONY: rm-test-image ci-pull-upstream: ## pull latest shared .ci subtree
rm-test-image: git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
# Convience task during dev of downstream projects create-repo: ## create new AWS ECR public repository
.PHONY: ci-pull-upstream
ci-pull-upstream:
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
.PHONY: create-repo
create-repo:
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION) aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
.DEFAULT:
@echo "$@ not implemented. NOOP"

View File

@ -2,24 +2,33 @@
def call(Map config=[:]) { def call(Map config=[:]) {
pipeline { pipeline {
options {
disableConcurrentBuilds()
}
agent { agent {
node { node {
label 'podman-aws-trivy' label 'podman-aws-trivy'
} }
} }
stages { stages {
stage('Prepare') { stage('Prepare') {
// get tags
steps { steps {
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}' sh 'mkdir -p reports'
// we set pull tags as project adv. options
// pull tags
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
// sh 'git fetch -q --tags ${GIT_URL}'
//}
// Optional project specific preparations
sh 'make prepare'
} }
} }
// Build using rootless podman // Build using rootless podman
stage('Build') { stage('Build') {
steps { steps {
sh 'make build' sh 'make build GIT_BRANCH=$GIT_BRANCH'
} }
} }
@ -31,13 +40,13 @@ def call(Map config=[:]) {
// Scan via trivy // Scan via trivy
stage('Scan') { stage('Scan') {
environment {
TRIVY_FORMAT = "template"
TRIVY_OUTPUT = "reports/trivy.html"
}
steps { steps {
sh 'mkdir -p reports' // we always scan and create the full json report
sh 'make scan' sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
// render custom full html report
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
publishHTML target: [ publishHTML target: [
allowMissing: true, allowMissing: true,
alwaysLinkToLastBuild: true, alwaysLinkToLastBuild: true,
@ -47,25 +56,33 @@ def call(Map config=[:]) {
reportName: 'TrivyScan', reportName: 'TrivyScan',
reportTitles: 'TrivyScan' reportTitles: 'TrivyScan'
] ]
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
// Scan again and fail on CRITICAL vulns, if not overridden // fail build if issues found above trivy threshold
script { script {
if (config.trivyFail == 'NONE') { if ( config.trivyFail ) {
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...' sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
} else {
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
} }
} }
} }
} }
// Push to ECR // Push to container registry if not PR
// incl. basic registry retention removing any untagged images
stage('Push') { stage('Push') {
when { not { changeRequest() } }
steps { steps {
sh 'make push' sh 'make push'
sh 'make rm-remote-untagged'
} }
} }
// generic clean
stage('cleanup') {
steps {
sh 'make clean'
}
}
} }
} }
} }

View File

@ -1,4 +1,4 @@
ARG ALPINE_VERSION=3.16 ARG ALPINE_VERSION=3.19
FROM alpine:${ALPINE_VERSION} FROM alpine:${ALPINE_VERSION}

5
Jenkinsfile vendored Normal file
View File

@ -0,0 +1,5 @@
library identifier: 'zdt-lib@master', retriever: modernSCM(
[$class: 'GitSCMSource',
remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
buildPodman name: 'docker-repository'

10
renovate.json Normal file
View File

@ -0,0 +1,10 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
":label(renovate)",
":semanticCommits",
"group:allNonMajor"
],
"prHourlyLimit": 0
}