Compare commits
8 Commits
renovate/k
...
master
Author | SHA1 | Date |
---|---|---|
Stefan Reimer | 95ed3a6969 | |
Stefan Reimer | 40760d4a8e | |
Stefan Reimer | a488b14f97 | |
Stefan Reimer | 7cd1cd0c5e | |
Stefan Reimer | 48c816b32c | |
Renovate Bot | e0a24a0af9 | |
Renovate Bot | d0ed102d57 | |
Renovate Bot | bbeeb0db3d |
|
@ -1,25 +1,26 @@
|
|||
# Parse version from latest git semver tag
|
||||
GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
||||
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null | sed -e 's/[^a-zA-Z0-9]/-/g')
|
||||
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
|
||||
|
||||
TAG := $(GIT_TAG)
|
||||
TAG ::= $(GIT_TAG)
|
||||
# append branch name to tag if NOT main nor master
|
||||
ifeq (,$(filter main master, $(GIT_BRANCH)))
|
||||
# If branch is substring of tag, omit branch name
|
||||
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
|
||||
# only append branch name if not equal tag
|
||||
ifneq ($(GIT_TAG), $(GIT_BRANCH))
|
||||
TAG = $(GIT_TAG)-$(GIT_BRANCH)
|
||||
# Sanitize GIT_BRANCH to allowed Docker tag character set
|
||||
TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
|
||||
ARCH := amd64
|
||||
ALL_ARCHS := amd64 arm64
|
||||
ARCH ::= amd64
|
||||
ALL_ARCHS ::= amd64 arm64
|
||||
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
|
||||
|
||||
ifneq ($(TRIVY_REMOTE),)
|
||||
TRIVY_OPTS := --server $(TRIVY_REMOTE)
|
||||
TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
|
||||
endif
|
||||
|
||||
.SILENT: ; # no need for @
|
||||
|
@ -45,7 +46,7 @@ test:: ## test built artificats
|
|||
|
||||
scan: ## Scan image using trivy
|
||||
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||
trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||
|
||||
# first tag and push all actual images
|
||||
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||
|
@ -77,7 +78,7 @@ rm-image:
|
|||
|
||||
## some useful tasks during development
|
||||
ci-pull-upstream: ## pull latest shared .ci subtree
|
||||
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
|
||||
git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
|
||||
|
||||
create-repo: ## create new AWS ECR public repository
|
||||
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
def call(Map config=[:]) {
|
||||
pipeline {
|
||||
options {
|
||||
disableConcurrentBuilds()
|
||||
}
|
||||
agent {
|
||||
node {
|
||||
label 'podman-aws-trivy'
|
||||
|
@ -10,6 +13,8 @@ def call(Map config=[:]) {
|
|||
stages {
|
||||
stage('Prepare') {
|
||||
steps {
|
||||
sh 'mkdir -p reports'
|
||||
|
||||
// we set pull tags as project adv. options
|
||||
// pull tags
|
||||
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
||||
|
@ -35,12 +40,13 @@ def call(Map config=[:]) {
|
|||
|
||||
// Scan via trivy
|
||||
stage('Scan') {
|
||||
environment {
|
||||
TRIVY_FORMAT = "template"
|
||||
TRIVY_OUTPUT = "reports/trivy.html"
|
||||
}
|
||||
steps {
|
||||
sh 'mkdir -p reports && make scan'
|
||||
// we always scan and create the full json report
|
||||
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
|
||||
|
||||
// render custom full html report
|
||||
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
|
||||
|
||||
publishHTML target: [
|
||||
allowMissing: true,
|
||||
alwaysLinkToLastBuild: true,
|
||||
|
@ -50,13 +56,12 @@ def call(Map config=[:]) {
|
|||
reportName: 'TrivyScan',
|
||||
reportTitles: 'TrivyScan'
|
||||
]
|
||||
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
|
||||
|
||||
// Scan again and fail on CRITICAL vulns, if not overridden
|
||||
// fail build if issues found above trivy threshold
|
||||
script {
|
||||
if (config.trivyFail == 'NONE') {
|
||||
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
|
||||
} else {
|
||||
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
||||
if ( config.trivyFail ) {
|
||||
sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: v2
|
||||
description: KubeZero Argo - Events, Workflow, CD
|
||||
name: kubezero-argo
|
||||
version: 0.2.1
|
||||
version: 0.2.2
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
@ -22,7 +22,7 @@ dependencies:
|
|||
repository: https://argoproj.github.io/argo-helm
|
||||
condition: argo-events.enabled
|
||||
- name: argo-cd
|
||||
version: 6.7.10
|
||||
version: 6.9.2
|
||||
repository: https://argoproj.github.io/argo-helm
|
||||
condition: argo-cd.enabled
|
||||
- name: argocd-apps
|
||||
|
@ -30,7 +30,7 @@ dependencies:
|
|||
repository: https://argoproj.github.io/argo-helm
|
||||
condition: argo-cd.enabled
|
||||
- name: argocd-image-updater
|
||||
version: 0.9.6
|
||||
version: 0.10.0
|
||||
repository: https://argoproj.github.io/argo-helm
|
||||
condition: argocd-image-updater.enabled
|
||||
kubeVersion: ">= 1.26.0"
|
||||
|
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-ci
|
||||
description: KubeZero umbrella chart for all things CI
|
||||
type: application
|
||||
version: 0.8.10
|
||||
version: 0.8.11
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
@ -22,7 +22,7 @@ dependencies:
|
|||
repository: https://dl.gitea.io/charts/
|
||||
condition: gitea.enabled
|
||||
- name: jenkins
|
||||
version: 5.1.6
|
||||
version: 5.1.18
|
||||
repository: https://charts.jenkins.io
|
||||
condition: jenkins.enabled
|
||||
- name: trivy
|
||||
|
@ -30,7 +30,7 @@ dependencies:
|
|||
repository: https://aquasecurity.github.io/helm-charts/
|
||||
condition: trivy.enabled
|
||||
- name: renovate
|
||||
version: 37.321.1
|
||||
version: 37.368.2
|
||||
repository: https://docs.renovatebot.com/helm-charts
|
||||
condition: renovate.enabled
|
||||
kubeVersion: ">= 1.25.0"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# kubezero-ci
|
||||
|
||||
![Version: 0.8.10](https://img.shields.io/badge/Version-0.8.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
![Version: 0.8.11](https://img.shields.io/badge/Version-0.8.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero umbrella chart for all things CI
|
||||
|
||||
|
@ -20,9 +20,9 @@ Kubernetes: `>= 1.25.0`
|
|||
|------------|------|---------|
|
||||
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||
| https://charts.jenkins.io | jenkins | 5.1.6 |
|
||||
| https://charts.jenkins.io | jenkins | 5.1.18 |
|
||||
| https://dl.gitea.io/charts/ | gitea | 10.1.4 |
|
||||
| https://docs.renovatebot.com/helm-charts | renovate | 37.321.1 |
|
||||
| https://docs.renovatebot.com/helm-charts | renovate | 37.368.2 |
|
||||
|
||||
# Jenkins
|
||||
- default build retention 10 builds, 32days
|
||||
|
@ -71,9 +71,7 @@ Kubernetes: `>= 1.25.0`
|
|||
| gitea.istio.enabled | bool | `false` | |
|
||||
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
||||
| gitea.istio.url | string | `"git.example.com"` | |
|
||||
| gitea.persistence.create | bool | `false` | |
|
||||
| gitea.persistence.enabled | bool | `true` | |
|
||||
| gitea.persistence.mount | bool | `true` | |
|
||||
| gitea.persistence.claimName | string | `"data-gitea-0"` | |
|
||||
| gitea.persistence.size | string | `"4Gi"` | |
|
||||
| gitea.postgresql-ha.enabled | bool | `false` | |
|
||||
| gitea.postgresql.enabled | bool | `false` | |
|
||||
|
|
|
@ -13,10 +13,7 @@ gitea:
|
|||
|
||||
# Since V9 they default to RWX and deployment, we default to old existing RWO from statefulset
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
create: false
|
||||
#claimName: <set per install>
|
||||
claimName: data-gitea-0
|
||||
size: 4Gi
|
||||
|
||||
securityContext:
|
||||
|
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-telemetry
|
||||
description: KubeZero Umbrella Chart for OpenTelemetry, Jaeger etc.
|
||||
type: application
|
||||
version: 0.2.3
|
||||
version: 0.2.4
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
@ -18,11 +18,11 @@ dependencies:
|
|||
version: ">= 0.1.6"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: opentelemetry-collector
|
||||
version: 0.89.0
|
||||
version: 0.91.0
|
||||
repository: https://open-telemetry.github.io/opentelemetry-helm-charts
|
||||
condition: opentelemetry-collector.enabled
|
||||
- name: jaeger
|
||||
version: 3.0.3
|
||||
version: 3.0.7
|
||||
repository: https://jaegertracing.github.io/helm-charts
|
||||
condition: jaeger.enabled
|
||||
- name: fluentd
|
||||
|
|
Loading…
Reference in New Issue