Compare commits
10 Commits
Author | SHA1 | Date |
---|---|---|
Stefan Reimer | 4cd0bc6a1f | |
Renovate Bot | 96ea05775a | |
Stefan Reimer | 5f6ddeb5e9 | |
Stefan Reimer | c91d908868 | |
Stefan Reimer | 32a341eeac | |
Stefan Reimer | 047e160d26 | |
Stefan Reimer | 03deaac4a2 | |
Stefan Reimer | 59c8f09285 | |
Stefan Reimer | f06971948d | |
Stefan Reimer | 7c3908d5a1 |
107
.ci/podman.mk
107
.ci/podman.mk
|
@ -1,64 +1,85 @@
|
|||
# Parse version from latest git semver tag
|
||||
GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
||||
TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
|
||||
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
|
||||
GIT_TAG := $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
||||
|
||||
# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')
|
||||
|
||||
ifeq ($(TRIVY_REMOTE),)
|
||||
TRIVY_OPTS := image
|
||||
else
|
||||
TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
|
||||
# append branch name to tag if NOT main nor master
|
||||
TAG := $(GIT_TAG)
|
||||
ifeq (,$(filter main master, $(GIT_BRANCH)))
|
||||
ifneq ($(GIT_TAG), $(GIT_BRANCH))
|
||||
TAG = $(GIT_TAG)-$(GIT_BRANCH)
|
||||
endif
|
||||
endif
|
||||
|
||||
.PHONY: build test scan push clean
|
||||
# optionally set by the caller
|
||||
EXTRA_TAGS :=
|
||||
|
||||
all: test
|
||||
ARCH := amd64
|
||||
ALL_ARCHS := amd64 arm64
|
||||
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
|
||||
|
||||
build:
|
||||
@docker image exists $(REGISTRY)/$(IMAGE):$(TAG) || \
|
||||
docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
|
||||
ifneq ($(TRIVY_REMOTE),)
|
||||
TRIVY_OPTS := --server $(TRIVY_REMOTE)
|
||||
endif
|
||||
|
||||
test: build rm-test-image
|
||||
@test -f Dockerfile.test && \
|
||||
{ docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \
|
||||
docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; } || \
|
||||
.SILENT: ; # no need for @
|
||||
.ONESHELL: ; # recipes execute in same shell
|
||||
.NOTPARALLEL: ; # wait for this target to finish
|
||||
.EXPORT_ALL_VARIABLES: ; # send all vars to shell
|
||||
.PHONY: all # All targets are accessible for user
|
||||
.DEFAULT: help # Running Make will run the help target
|
||||
|
||||
help: ## Show Help
|
||||
grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
|
||||
|
||||
build: ## Build the app
|
||||
buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
|
||||
|
||||
test: rm-test-image ## Execute Dockerfile.test
|
||||
test -f Dockerfile.test && \
|
||||
{ buildah build --rm --layers -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(_ARCH) . && \
|
||||
podman run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(_ARCH)-test; } || \
|
||||
echo "No Dockerfile.test found, skipping test"
|
||||
|
||||
scan: build
|
||||
@echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG) using Trivy"
|
||||
@trivy $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG)
|
||||
scan: ## Scan image using trivy
|
||||
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||
trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||
|
||||
push: build
|
||||
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
|
||||
@for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t; done
|
||||
# first tag and push all actual images
|
||||
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||
push: ecr-login ## push images to registry
|
||||
for t in $(TAG) latest $(EXTRA_TAGS); do \
|
||||
echo "Tagging image with $(REGISTRY)/$(IMAGE):$${t}-$(ARCH)"
|
||||
buildah tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH); \
|
||||
buildah manifest rm $(IMAGE):$$t || true; \
|
||||
buildah manifest create $(IMAGE):$$t; \
|
||||
for a in $(ALL_ARCHS); do \
|
||||
buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
|
||||
done; \
|
||||
echo "Pushing manifest $(IMAGE):$$t"
|
||||
buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
|
||||
done
|
||||
|
||||
clean: rm-test-image rm-image
|
||||
ecr-login: ## log into AWS ECR public
|
||||
aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
|
||||
|
||||
# Delete all untagged images
|
||||
.PHONY: rm-remote-untagged
|
||||
rm-remote-untagged:
|
||||
@echo "Removing all untagged images from $(IMAGE) in $(REGION)"
|
||||
@aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
|
||||
clean: rm-test-image rm-image ## delete local built container and test images
|
||||
|
||||
rm-remote-untagged: ## delete all remote untagged images
|
||||
echo "Removing all untagged images from $(IMAGE) in $(REGION)"
|
||||
IMAGE_IDS=$$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) ; \
|
||||
[ -n "$$IMAGE_IDS" ] && aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$IMAGE_IDS || echo "No image to remove"
|
||||
|
||||
.PHONY: rm-image
|
||||
rm-image:
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || docker image rm -f $(IMAGE):$(TAG) > /dev/null
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || echo "Error: Removing image failed"
|
||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
|
||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
|
||||
|
||||
# Ensure we run the tests by removing any previous runs
|
||||
.PHONY: rm-test-image
|
||||
rm-test-image:
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
|
||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH)-test)" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH)-test > /dev/null
|
||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH)-test)" || echo "Error: Removing test image failed"
|
||||
|
||||
# Convience task during dev of downstream projects
|
||||
.PHONY: ci-pull-upstream
|
||||
ci-pull-upstream:
|
||||
ci-pull-upstream: ## pull latest shared .ci subtree
|
||||
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
|
||||
|
||||
.PHONY: create-repo
|
||||
create-repo:
|
||||
create-repo: ## create new AWS ECR public repository
|
||||
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
||||
|
||||
.DEFAULT:
|
||||
@echo "$@ not implemented. NOOP"
|
||||
|
|
|
@ -7,12 +7,14 @@ def call(Map config=[:]) {
|
|||
label 'podman-aws-trivy'
|
||||
}
|
||||
}
|
||||
|
||||
stages {
|
||||
stage('Prepare') {
|
||||
// get tags
|
||||
steps {
|
||||
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
|
||||
// pull tags
|
||||
withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
||||
sh 'git fetch -q --tags ${GIT_URL}'
|
||||
}
|
||||
sh 'make prepare || true'
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -36,8 +38,7 @@ def call(Map config=[:]) {
|
|||
TRIVY_OUTPUT = "reports/trivy.html"
|
||||
}
|
||||
steps {
|
||||
sh 'mkdir -p reports'
|
||||
sh 'make scan'
|
||||
sh 'mkdir -p reports && make scan'
|
||||
publishHTML target: [
|
||||
allowMissing: true,
|
||||
alwaysLinkToLastBuild: true,
|
||||
|
@ -59,8 +60,9 @@ def call(Map config=[:]) {
|
|||
}
|
||||
}
|
||||
|
||||
// Push to ECR
|
||||
// Push to container registry, skip if PR
|
||||
stage('Push') {
|
||||
when { not { changeRequest() } }
|
||||
steps {
|
||||
sh 'make push'
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
ARG ALPINE_VERSION=3.16
|
||||
ARG ALPINE_VERSION=3.17
|
||||
|
||||
FROM alpine:${ALPINE_VERSION}
|
||||
ARG ALPINE_VERSION
|
||||
|
@ -12,7 +12,7 @@ RUN cd /etc/apk/keys && \
|
|||
apk upgrade -U --available --no-cache && \
|
||||
apk add --no-cache \
|
||||
openvpn \
|
||||
nftables \
|
||||
iptables \
|
||||
bash \
|
||||
easy-rsa \
|
||||
openvpn-auth-pam \
|
||||
|
@ -25,7 +25,8 @@ RUN cd /etc/apk/keys && \
|
|||
ENV OPENVPN=/etc/openvpn
|
||||
ENV EASYRSA=/usr/share/easy-rsa \
|
||||
EASYRSA_CRL_DAYS=3650 \
|
||||
EASYRSA_PKI=$OPENVPN/pki
|
||||
EASYRSA_PKI=$OPENVPN/pki \
|
||||
EASYRSA_SILENT=1
|
||||
|
||||
VOLUME ["/etc/openvpn"]
|
||||
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
library identifier: 'zdt-lib@master', retriever: modernSCM(
|
||||
[$class: 'GitSCMSource',
|
||||
remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
|
||||
|
||||
buildPodman name: 'zdt-openvpn'
|
|
@ -25,9 +25,12 @@ if [ -f "$EASYRSA_PKI/issued/${cn}.crt" ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
easyrsa build-client-full "$cn" nopass 1>/dev/null 2>&1
|
||||
cat << EOF | easyrsa build-client-full "$cn" nopass
|
||||
yes
|
||||
EOF
|
||||
|
||||
# Generate OpenVPN users via google authenticator
|
||||
mkdir -p /etc/openvpn/otp
|
||||
|
||||
# Skip confirmation if not running in interctive mode. Essential for integration tests.
|
||||
google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
|
||||
|
|
|
@ -6,6 +6,8 @@
|
|||
|
||||
if [ "$DEBUG" == "1" ]; then
|
||||
set -x
|
||||
else
|
||||
exec 2> /dev/null
|
||||
fi
|
||||
|
||||
set -e
|
||||
|
@ -15,7 +17,9 @@ mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPE
|
|||
touch $OPENVPN/otp/_empty $OPENVPN/ccd/_empty
|
||||
|
||||
# Finally generate server cert
|
||||
easyrsa build-server-full "$1" nopass
|
||||
cat << EOF | easyrsa build-server-full "$1" nopass
|
||||
yes
|
||||
EOF
|
||||
|
||||
# write server FQDN
|
||||
echo "$1" > $OPENVPN/server
|
||||
|
|
|
@ -6,6 +6,8 @@
|
|||
|
||||
if [ "$DEBUG" == "1" ]; then
|
||||
set -x
|
||||
else
|
||||
exec 2> /dev/null
|
||||
fi
|
||||
|
||||
set -e
|
||||
|
@ -20,3 +22,5 @@ easyrsa gen-dh
|
|||
openvpn --genkey secret $EASYRSA_PKI/ta.key
|
||||
|
||||
easyrsa gen-crl
|
||||
|
||||
echo "Successfully bootstrapped PKI"
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"extends": [
|
||||
"config:recommended",
|
||||
":label(renovate)",
|
||||
":semanticCommits"
|
||||
],
|
||||
"prHourlyLimit": 0
|
||||
}
|
Loading…
Reference in New Issue