Merge commit '8979d7466587753ec223244a4a18bbc99b0227c7'

2022-02-24 11:54:30 +01:00 · 2022-02-24 11:54:30 +01:00 · 31e50ae7c1
commit 31e50ae7c1
parent fa43d08276 8979d74665
3 changed files with 81 additions and 66 deletions
--- a/.ci/podman.mk
+++ b/.ci/podman.mk
@ -14,16 +14,20 @@ all: test


 build:
-	docker image exists $(IMAGE):$(TAG) || \
+	@docker image exists $(IMAGE):$(TAG) || \
 		docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .

 test: build rm-test-image
-	docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test .
+	@test -f Dockerfile.test && \
+		{ docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . && \
+			docker run --rm --env-host -t $(IMAGE):$(TAG)-test; } || \
+		echo "No Dockerfile.test found, skipping test"

 scan: build
-	trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
+	@echo "Scanning $(IMAGE):$(TAG) using Trivy"
+	@trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)

-push: scan
+push: build
 	@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
 	@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
 	docker push $(REGISTRY)/$(IMAGE):$(TAG)
@ -34,7 +38,8 @@ clean: rm-test-image rm-image
 # Delete all untagged images
 .PHONY: rm-remote-untagged
 rm-remote-untagged:
-	aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
+	@echo "Removing all untagged images from $(IMAGE) in $(REGION)"
+	@aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)

 .PHONY: rm-image
 rm-image:
--- a/.ci/vars/buildPodman.goovy
+++ b/.ci/vars/buildPodman.goovy
@ -1,61 +0,0 @@
-// Common container builder by ZeroDownTime
-
-def call (Map: config) {
-	pipeline {
-		agent { node { label 'podman-aws-trivy' } }
-
-		stages {
-			stage('Prepare'){
-					// get tags
-					steps {
-							sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
-					}
-			}
-
-			// Build using rootless podman
-			stage('Build'){
-					steps {
-							sh 'make build'
-					}
-			}
-
-			stage('Test'){
-					steps {
-							sh 'make test'
-					}
-			}
-
-			// Scan via trivy
-			stage('Scan'){
-					environment { 
-							TRIVY_FORMAT = "template"
-							TRIVY_OUTPUT = "reports/trivy.html"
-					}
-					steps {
-							sh 'mkdir -p reports'
-							sh 'make scan'
-							publishHTML target : [
-									allowMissing: true,
-									alwaysLinkToLastBuild: true,
-									keepAll: true,
-									reportDir: 'reports',
-									reportFiles: 'trivy.html',
-									reportName: 'TrivyScan',
-									reportTitles: 'TrivyScan'
-							]
-
-							// Scan again and fail on CRITICAL vulns
-							sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
-					}
-			}
-
-			// Push to ECR
-			stage('Push'){
-					steps {
-							sh 'make push'
-					}
-			}
-		}
-	}
-
-}
--- a/.ci/vars/buildPodman.groovy
+++ b/.ci/vars/buildPodman.groovy
@ -0,0 +1,71 @@
+// Common container builder by ZeroDownTime
+
+def call(Map config=[:]) {
+    pipeline {
+      agent {
+        node {
+          label 'podman-aws-trivy'
+        }
+      }
+
+      stages {
+        stage('Prepare') {
+          // get tags
+          steps {
+            sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
+          }
+        }
+
+        // Build using rootless podman
+        stage('Build') {
+          steps {
+            sh 'make build'
+          }
+        }
+
+        stage('Test') {
+          steps {
+            sh 'make test'
+          }
+        }
+
+        // Scan via trivy
+        stage('Scan') {
+          environment {
+            TRIVY_FORMAT = "template"
+            TRIVY_OUTPUT = "reports/trivy.html"
+          }
+          steps {
+            sh 'mkdir -p reports'
+            sh 'make scan'
+            publishHTML target: [
+              allowMissing: true,
+              alwaysLinkToLastBuild: true,
+              keepAll: true,
+              reportDir: 'reports',
+              reportFiles: 'trivy.html',
+              reportName: 'TrivyScan',
+              reportTitles: 'TrivyScan'
+            ]
+
+            // Scan again and fail on CRITICAL vulns, if not overridden
+            script {
+              if (config.trivyFail == 'NONE') {
+                echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
+              } else {
+                sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
+              }
+            }
+          }
+        }
+
+        // Push to ECR
+        stage('Push') {
+          steps {
+            sh 'make push'
+          }
+        }
+
+      }
+    }
+  }