-
Notifications
You must be signed in to change notification settings - Fork 6
/
.one-pipeline.yaml
362 lines (306 loc) · 14.7 KB
/
.one-pipeline.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
version: "1"
setup:
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.15
script: |
#!/usr/bin/env bash
set_env S2I_URI "https://api.github.com/repos/openshift/source-to-image/releases/tags/v1.3.9"
set_env CEKIT_VERSION "4.9.1"
set_env LIBERTY_VERSION "24.0.0.12"
set_env CRA_VULNERABILITY_RESULTS_STATUS "success"
test:
abort_on_failure: false
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
script: |
#!/usr/bin/env bash
echo "in test"
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping unit-tests. This is a periodic run that is only meant to produce CVE information."
exit 0
fi
static-scan:
dind: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
script: |
#!/usr/bin/env bash
# scan for open liberty and websphere liberty submodules?
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping unit-tests. This is a periodic run that is only meant to produce CVE information."
exit 0
fi
read -r SONAR_HOST_URL <<< "$(get_env sonarqube | jq -r '.parameters.dashboard_url' | sed 's:/*$::')"
read -r SONAR_USER <<< "$(get_env sonarqube | jq -r '.parameters.user_login')"
SONARQUBE_INSTANCE_ID=$(get_env sonarqube | jq -r '.instance_id')
read -r SONAR_PASS <<< "$(jq -r --arg sonar_instance "$SONARQUBE_INSTANCE_ID" '[.services[] | select(."service_id"=="sonarqube")][] | select(."instance_id"==$sonar_instance) | .parameters.user_password' /toolchain/toolchain.json)"
touch "$WORKSPACE"/websphere-liberty-s2i/sonar-project.properties
cat << EOF > "$WORKSPACE"/websphere-liberty-s2i/sonar-project.properties
sonar.projectKey=liberty-eks-aws
sonar.host.url=$SONAR_HOST_URL
sonar.sources=.
sonar.login=$SONAR_USER
sonar.password=$SONAR_PASS
sonar.c.file.suffixes=-
sonar.cpp.file.suffixes=-
sonar.objc.file.suffixes=-
EOF
chmod -x "$WORKSPACE"/websphere-liberty-s2i/sonar-project.properties
#echo "$SONAR_PASS" >> /tmp/sonarqube-token
"${COMMONS_PATH}"/sonarqube/sonarqube_run.sh
containerize:
abort_on_failure: true
dind: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
script: |
#!/usr/bin/env bash
echo "*** OS release ***"
cat /etc/os-release
export PIPELINE_USERNAME=iamapikey
export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key-staging)
export PIPELINE_REGISTRY=$(get_env pipeline-registry)
export PIPELINE_S2I_IMAGE=$(get_env pipeline-s2i-image)
env
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping build. This is a periodic run that is only meant to produce CVE information."
exit 0
else
if [[ "$PIPELINE_DEBUG" == 1 ]]; then
trap env EXIT
env
set -x
fi
fi
dnf -y install python3-devel krb5-devel
# Download cekit
CEKIT_VERSION=$(get_env CEKIT_VERSION)
pip3 install virtualenv
mkdir ~/cekit${CEKIT_VERSION}
python3 -m venv ~/cekit${CEKIT_VERSION}
pip3 install --upgrade pip
pip3 install cekit==${CEKIT_VERSION} docker==5.0.3 docker-squash==1.2.0 odcs behave lxml urllib3==1.26.15 requests
#pip3 install cekit==${CEKIT_VERSION} docker==5.0.3 docker-squash= odcs behave lxml setuptools_rust urllib3==1.26.15 packaging==21.3 requests
. ~/cekit${CEKIT_VERSION}/bin/activate
echo "***** Installed CEKIT version ${CEKIT_VERSION} *****"
cekit --version
# Install S2I Binary
echo ===== Installing s2i from $(get_env S2I_URI)=====
mkdir /tmp/s2i/ && cd /tmp/s2i/
curl -s $(get_env S2I_URI) \
| grep browser_download_url \
| grep linux-amd64 \
| cut -d '"' -f 4 \
| wget -qi -
if [ $? -eq 0 ]; then
echo "Downloaded S2I Binary"
else
echo "Failed to download S2I, exiting"
exit 1
fi
tar xvf source-to-image*.gz
mv s2i /usr/bin
echo "***** Installed S2I *****"
s2i version
cd -
echo "${PIPELINE_PASSWORD}" | docker login "${PIPELINE_REGISTRY}" -u "${PIPELINE_USERNAME}" --password-stdin
echo "***** Running Tests *****"
make -e test PROD_NAMESPACE=cp/olc
if [ $? -eq 0 ]; then
echo "S2I build was normal, pushing images to staging"
else
echo "S2I build failed, exiting"
exit 1
fi
echo "***** Available Docker Images *****"
docker image ls
LIBERTY_VERSION=$(get_env LIBERTY_VERSION)
JAVA8_IMAGE_VERSION=${LIBERTY_VERSION}-java8
JAVA8_RUNTIME_IMAGE_VERSION=${LIBERTY_VERSION}-runtime-java8
JAVA11_IMAGE_VERSION=${LIBERTY_VERSION}-java11
JAVA11_RUNTIME_IMAGE_VERSION=${LIBERTY_VERSION}-runtime-java11
JAVA17_IMAGE_VERSION=${LIBERTY_VERSION}-java17
JAVA17_RUNTIME_IMAGE_VERSION=${LIBERTY_VERSION}-runtime-java17
JAVA21_IMAGE_VERSION=${LIBERTY_VERSION}-java21
JAVA21_RUNTIME_IMAGE_VERSION=${LIBERTY_VERSION}-runtime-java21
NAMESPACE=cp/olc
PLATFORM=websphere-liberty-s2i
IMAGE_NAME=${NAMESPACE}/${PLATFORM}
echo Pushing the following versions of image ${IMAGE_NAME} to ${PIPELINE_REGISTRY}:
echo ${JAVA8_IMAGE_VERSION}, ${JAVA8_RUNTIME_IMAGE_VERSION}, ${JAVA11_IMAGE_VERSION}, ${JAVA11_RUNTIME_IMAGE_VERSION}, ${JAVA17_IMAGE_VERSION}, ${JAVA17_RUNTIME_IMAGE_VERSION}, ${JAVA21_IMAGE_VERSION}, ${JAVA21_RUNTIME_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA8_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA8_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA8_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA8_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java8
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java8
docker tag ${IMAGE_NAME}:${JAVA8_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA8_RUNTIME_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA8_RUNTIME_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA8_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java8
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java8
docker tag ${IMAGE_NAME}:${JAVA11_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA11_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA11_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA11_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java11
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java11
docker tag ${IMAGE_NAME}:${JAVA11_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA11_RUNTIME_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA11_RUNTIME_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA11_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java11
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java11
docker tag ${IMAGE_NAME}:${JAVA17_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA17_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA17_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA17_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java17
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java17
docker tag ${IMAGE_NAME}:${JAVA17_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA17_RUNTIME_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA17_RUNTIME_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA17_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java17
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java17
docker tag ${IMAGE_NAME}:${JAVA21_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA21_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA21_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA21_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java21
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:java21
docker tag ${IMAGE_NAME}:${JAVA21_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA21_RUNTIME_IMAGE_VERSION}
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:${JAVA21_RUNTIME_IMAGE_VERSION}
docker tag ${IMAGE_NAME}:${JAVA21_RUNTIME_IMAGE_VERSION} ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java21
docker push ${PIPELINE_REGISTRY}/${IMAGE_NAME}:runtime-java21
echo "**** Saving Artifacts ****"
declare -a tags=("${JAVA8_IMAGE_VERSION}" "${JAVA11_IMAGE_VERSION}" "${JAVA17_IMAGE_VERSION}" "${JAVA21_IMAGE_VERSION}" "${JAVA8_RUNTIME_IMAGE_VERSION}" "${JAVA11_RUNTIME_IMAGE_VERSION}" "${JAVA17_RUNTIME_IMAGE_VERSION}" "${JAVA21_RUNTIME_IMAGE_VERSION}")
for i in "${tags[@]}"
do
IMAGE=$PIPELINE_REGISTRY/$NAMESPACE/$PIPELINE_S2I_IMAGE:$i
DIGEST="$(skopeo inspect docker://$IMAGE | grep Digest | grep -o 'sha[^\"]*')"
echo "Saving artifact s2i-$i name=$IMAGE digest=$DIGEST type=$TYPE"
save_artifact s2i-$i type="image" name="$IMAGE" "digest=$DIGEST" arch="amd64"
done
#
# iterate over all artifacts and print their image names
#
while read -r key; do
image=$(load_artifact $key name)
echo "Artifact saved as '$key' is named: '$image'"
done < <(list_artifacts)
echo "MEND unified agent scan"
chmod +x "${COMMONS_PATH}"/mend/mend_unified_agent_scan.sh
source "${COMMONS_PATH}"/mend/mend_unified_agent_scan.sh
sign-artifact:
abort_on_failure: false
image: icr.io/continuous-delivery/pipeline/image-signing:1.0.0@sha256:e9d8e354668ba3d40be2aaee08298d2aa7f0e1c8a1829cca4094ec93830e3e6a
script: |
#!/usr/bin/env bash
echo "sign-artifact"
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping sign-artifact. This is a periodic run that is only meant to produce CVE information."
exit 0
fi
deploy:
abort_on_failure: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
script: |
#!/usr/bin/env bash
echo "in deploy"
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping unit-tests. This is a periodic run that is only meant to produce CVE information."
exit 0
fi
dynamic-scan:
abort_on_failure: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
script: |
#!/usr/bin/env bash
echo "in dyn scan"
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping unit-tests. This is a periodic run that is only meant to produce CVE information."
exit 0
fi
acceptance-test:
abort_on_failure: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
script: |
#!/usr/bin/env bash
echo "in setup"
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping unit-tests. This is a periodic run that is only meant to produce CVE information."
exit 0
fi
scan-artifact:
abort_on_failure: false
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.15
script: |
#!/usr/bin/env bash
export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key)
# ========== Security Scanner ==========
#./scripts/pipeline/ci_to_secure_pipeline_scan.sh
release:
abort_on_failure: false
dind: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12
script: |
#!/usr/bin/env bash
echo "**** Releasing ****"
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping unit-tests. This is a periodic run that is only meant to produce CVE information."
exit 0
fi
RELEASE_FLAG=$(get_env release "false")
if [[ $RELEASE_FLAG != "true" ]]; then
echo "Skipping release stage; environment property 'release' is set to $RELEASE_FLAG"
exit 0
fi
SKIP_ALL_CHECKS=$(get_env SKIP_ALL_CHECKS "false")
echo "**** Running Evaluator ****"
./pipeline/evaluator.sh
if [[ $? == 0 || $SKIP_ALL_CHECKS == "true" ]]; then
if [[ $SKIP_ALL_CHECKS == "true" ]]; then
echo "Skipping image scan checks"
fi
APP_REPO=$(pwd)
echo "Application Repository: $APP_REPO"
INVENTORY_REPO=$(get_env inventory-repo)
echo "Cloning inventory repository: $INVENTORY_REPO"
cd "$WORKSPACE"
APP_TOKEN_PATH="$WORKSPACE/secrets/app-token"
. "${COMMONS_PATH}"/git/clone_repo \
"$INVENTORY_REPO" \
"master" \
"" \
"$APP_TOKEN_PATH"
REPO=${INVENTORY_REPO##*/}
NAME=${REPO%.*}
echo "Inventory name: $NAME"
cd $WORKSPACE/$NAME
if [ "$(ls )" ]; then
echo "Clearing inventory repository: $INVENTORY_REPO"
git config --global user.email "[email protected]"
git config --global user.name "Tekton"
git rm *
git commit -m "Delete contents of inventory repository - $PIPELINE_RUN_ID"
git push origin master
fi
cd $APP_REPO
./pipeline/release.sh
else
echo "Errors found. images will not be released"
fi
owasp-zap-api:
dind: true
abort_on_failure: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
script: |
#!/usr/bin/env bash
echo "in owasp"
PERIODIC_SCAN=$(get_env periodic-rescan)
PERIODIC_SCAN="$(echo "$PERIODIC_SCAN" | tr '[:upper:]' '[:lower:]')"
if [[ ! -z "$PERIODIC_SCAN" && "$PERIODIC_SCAN" != "false" && "$PERIODIC_SCAN" != "no" ]]; then
echo "Skipping unit-tests. This is a periodic run that is only meant to produce CVE information."
exit 0
fi