-
Notifications
You must be signed in to change notification settings - Fork 38
/
Copy path.one-pipeline-cd.yaml
144 lines (127 loc) · 5.45 KB
/
.one-pipeline-cd.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# Documentation on available configuration
# https://pages.github.ibm.com/one-pipeline/docs/custom-scripts.html
version: "1"
setup:
dind: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12
script: |
#!/usr/bin/env bash
echo "setup stage"
skopeo --version || exit 1
INVENTORY_PATH="$(get_env inventory-path)"
INVENTORY_ENTRIES_PATH="$WORKSPACE/$(get_env INVENTORY_ENTRIES_PATH)"
INVENTORY_ENTRIES=$(cat "${INVENTORY_ENTRIES_PATH}")
echo "$(get_env ibmcloud-api-key-staging)" | docker login "$(get_env staging-registry)" -u "$(get_env ibmcloud-api-user)" --password-stdin
for INVENTORY_ENTRY in $(echo "${INVENTORY_ENTRIES}" | jq -r '.[] '); do
APP=$(cat "${INVENTORY_PATH}/${INVENTORY_ENTRY}")
ARTIFACT=$(echo "${APP}" | jq -r '.artifact')
DIGEST=$(echo "${APP}" | jq -r '.sha256' )
echo "${ARTIFACT}"
echo "${DIGEST}"
echo "${APP}" | jq '.'
if [[ "${ARTIFACT}" == *"icr.io/appcafe/open-liberty/samples/"* ]];then
echo "Exclude samples from digest validation: ${ARTIFACT}"
continue
fi
SAVED_DIGEST="$(skopeo inspect docker://$ARTIFACT | jq '.Digest'| sed -e 's/"//g')"
if [[ ${DIGEST} == ${SAVED_DIGEST} ]]; then
echo "Image, $ARTIFACT, passes validation"
else
echo "Image, $ARTIFACT, does not exist or digests do not match"
exit 1
fi
done
deploy:
dind: true
image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12
script: |
#!/usr/bin/env bash
if [[ "$PIPELINE_DEBUG" == 1 ]]; then
trap env EXIT
env
set -x
fi
echo "deploy stage"
skopeo --version || exit 1
TARGET_ENVIRONMENT="$(get_env environment)"
INVENTORY_PATH="$(get_env inventory-path)"
INVENTORY_ENTRIES_PATH="$WORKSPACE/$(get_env INVENTORY_ENTRIES_PATH)"
INVENTORY_ENTRIES=$(cat "${INVENTORY_ENTRIES_PATH}")
echo "Target environment: ${TARGET_ENVIRONMENT}"
echo "Inventory entries"
echo ""
echo "$INVENTORY_ENTRIES" | jq '.'
echo ""
echo "Inventory content"
echo ""
ls -la ${INVENTORY_PATH}
for INVENTORY_ENTRY in $(echo "${INVENTORY_ENTRIES}" | jq -r '.[] '); do
APP=$(cat "${INVENTORY_PATH}/${INVENTORY_ENTRY}")
ARTIFACT=$(echo "${APP}" | jq -r '.artifact')
echo "${ARTIFACT}"
if [[ "${ARTIFACT}" == *"icr.io/appcafe/open-liberty/samples/"* ]];then
echo "Exclude samples from publishing: ${ARTIFACT}"
continue
fi
NAME=$(echo "${APP}" | jq -r '.name')
DIGEST=$(echo "${APP}" | jq -r '.sha256' )
TYPE=$(echo "${APP}" | jq -r '.type' )
REPO=$(echo "${APP}" | jq -r '.repository_url' ).git
COMMIT=$(echo "${APP}" | jq -r '.commit_sha' )
#echo "${ARTIFACT##*/}"
IMAGE_NAME="${ARTIFACT##*/}"
echo "Image name: $IMAGE_NAME"
PRODUCTION_IMAGE=$(get_env production-registry)/$(get_env production-namespace)/$IMAGE_NAME
echo "Production image: $PRODUCTION_IMAGE"
echo "skopeo copy --all --src-creds $(get_env source-user):$(get_env source-key) --dest-creds $(get_env dest-user):$(get_env dest-key) docker://${ARTIFACT} docker://${PRODUCTION_IMAGE}"
skopeo copy --all --src-creds $(get_env source-user):$(get_env source-key) --dest-creds $(get_env dest-user):$(get_env dest-key) docker://${ARTIFACT} docker://${PRODUCTION_IMAGE}
save_artifact $NAME type=$TYPE name="${PRODUCTION_IMAGE}" digest="$DIGEST" source="${REPO}#${COMMIT}"
done
sign-artifact:
image: icr.io/continuous-delivery/toolchains/devsecops/csso-image-sign:7.0.0@sha256:e818a62c54f328752a94fd37f73b133e6586d9eb0271afb97ffc6a3faf77fede
script: |
#!/usr/bin/env bash
echo "sign-artifact stage"
# image-signing
set_env IMAGE_SIGNING_TASK_NAME "build-sign-artifact"
set_env IMAGE_SIGNING_STEP_NAME "run-stage"
"${COMMONS_PATH}"/ciso/sign_icr.sh
fingerprint=$(/opt/Garantir/bin/gpg --homedir $HOME/.gnupggrs/ --fingerprint --with-colons | grep fpr | tr -d 'fpr:')
echo "GNUPGHOME="$GNUPGHOME
gpg2 --homedir $HOME/.gnupggrs --output olo.pub --armor --export $fingerprint
save_file pub_file olo.pub
cat olo.pub
acceptance-test:
image: icr.io/continuous-delivery/toolchains/devsecops/csso-image-sign:7.0.0@sha256:e818a62c54f328752a94fd37f73b133e6586d9eb0271afb97ffc6a3faf77fede
script: |
#!/usr/bin/env bash
echo "acceptance-test stage"
load_file pub_file > olo.pub
gpg2 --import olo.pub
export fingerprint=$(gpg --fingerprint --with-colons | grep fpr | tr -d 'fpr:')
echo "fingerprint=$fingerprint"
mkdir -p images
if which list_artifacts >/dev/null; then
list_artifacts | while IFS= read -r artifact; do
image_name="$(load_artifact "$artifact" "name")"
type="$(load_artifact "$artifact" "type")"
echo "type="$type
if [[ "$type" == "image" ]]; then
echo "Verifying image ${image_name}"
skopeo copy --src-creds $(get_env dest-user):$(get_env dest-key) docker://${image_name} dir:./images
skopeo standalone-verify ./images/manifest.json ${image_name} ${fingerprint} ./images/signature-1
if [[ $? != 0 ]]; then
exit 1
fi
rm images/*
else
echo "Skipping image ${image_name}"
fi
done
fi
finish:
image: icr.io/continuous-delivery/toolchains/devsecops/baseimage@sha256:2132bf3187b63496d119f61d375bbb656d0b3e4a664970478c44b527c4c058c5
script: |
#!/usr/bin/env bash
echo "finish stage"
./scripts/pipeline/cd_finish