.one-pipeline-cd.yaml

# Documentation on available configuration
# https://pages.github.ibm.com/one-pipeline/docs/custom-scripts.html

version: "1"

setup:
  dind: true
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12
  script: |
    #!/usr/bin/env bash
    echo "setup stage"
    skopeo --version || exit 1
    INVENTORY_PATH="$(get_env inventory-path)"
    INVENTORY_ENTRIES_PATH="$WORKSPACE/$(get_env INVENTORY_ENTRIES_PATH)"
    INVENTORY_ENTRIES=$(cat "${INVENTORY_ENTRIES_PATH}")
    echo "$(get_env ibmcloud-api-key-staging)" | docker login "$(get_env staging-registry)"  -u "$(get_env ibmcloud-api-user)" --password-stdin
    for INVENTORY_ENTRY in $(echo "${INVENTORY_ENTRIES}" | jq -r '.[] '); do
      APP=$(cat "${INVENTORY_PATH}/${INVENTORY_ENTRY}")
      ARTIFACT=$(echo "${APP}" | jq -r '.artifact')
      DIGEST=$(echo "${APP}" | jq -r '.sha256' )

      echo "${ARTIFACT}"
      echo "${DIGEST}"
      echo "${APP}" | jq '.'

      SAVED_DIGEST="$(skopeo inspect docker://$ARTIFACT | grep Digest | grep -o 'sha[^\"]*')"
      if [[ ${DIGEST} == ${SAVED_DIGEST} ]]; then
        echo "Image, $ARTIFACT, passes validation"
      else
        echo "Image, $ARTIFACT, does not exist or digests do not match"
        exit 1
      fi
    done

deploy:
  dind: true
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12
  script: |
    #!/usr/bin/env bash
    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
      trap env EXIT
      env
      set -x
    fi
    echo "deploy stage"
    skopeo --version || exit 1
    TARGET_ENVIRONMENT="$(get_env environment)"
    INVENTORY_PATH="$(get_env inventory-path)"
    INVENTORY_ENTRIES_PATH="$WORKSPACE/$(get_env INVENTORY_ENTRIES_PATH)"
    INVENTORY_ENTRIES=$(cat "${INVENTORY_ENTRIES_PATH}")

    echo "Target environment: ${TARGET_ENVIRONMENT}"
    echo "Inventory entries"
    echo ""

    echo "$INVENTORY_ENTRIES" | jq '.'

    echo ""
    echo "Inventory content"
    echo ""

    ls -la ${INVENTORY_PATH}

    for INVENTORY_ENTRY in $(echo "${INVENTORY_ENTRIES}" | jq -r '.[] '); do
      APP=$(cat "${INVENTORY_PATH}/${INVENTORY_ENTRY}")
      ARTIFACT=$(echo "${APP}" | jq -r '.artifact')
      NAME=$(echo "${APP}" | jq -r '.name')
      DIGEST=$(echo "${APP}" | jq -r '.sha256' )
      TYPE=$(echo "${APP}" | jq -r '.type' )
      REPO=$(echo "${APP}" | jq -r '.repository_url' ).git
      COMMIT=$(echo "${APP}" | jq -r '.commit_sha' )
      echo "${ARTIFACT}"
      #echo "${ARTIFACT##*/}"
      IMAGE_NAME="${ARTIFACT##*/}"
      echo "Image name: $IMAGE_NAME"
      PRODUCTION_IMAGE=$(get_env production-registry)/$(get_env production-namespace)/$IMAGE_NAME
      echo "Production image: $PRODUCTION_IMAGE"
      echo "skopeo copy --all --src-creds $(get_env ibmcloud-api-user):$(get_env ibmcloud-api-key-staging) --dest-creds $(get_env ibmcloud-api-user):$(get_env ibmcloud-api-key) docker://${ARTIFACT} docker://${PRODUCTION_IMAGE}"
      skopeo copy --all --src-creds $(get_env ibmcloud-api-user):$(get_env ibmcloud-api-key-staging) --dest-creds $(get_env ibmcloud-api-user):$(get_env ibmcloud-api-key) docker://${ARTIFACT} docker://${PRODUCTION_IMAGE}
      save_artifact $NAME type=$TYPE name="${PRODUCTION_IMAGE}" digest="$DIGEST" source="${REPO}#${COMMIT}"
    done

sign-artifact:
  image: icr.io/continuous-delivery/toolchains/devsecops/csso-image-sign:8.0.0@sha256:4fa72947d3b97c029b035f5c0b458184808f294a417b847b4935015d3c0744d3
  script: |
    #!/usr/bin/env bash
    echo "sign-artifact stage"
    # image-signing
    set_env IMAGE_SIGNING_TASK_NAME "build-sign-artifact"
    set_env IMAGE_SIGNING_STEP_NAME "run-stage"
    "${COMMONS_PATH}"/ciso/sign_icr.sh
    fingerprint=$(/opt/Garantir/bin/gpg --homedir $HOME/.gnupggrs/ --fingerprint --with-colons | grep fpr | tr -d 'fpr:')
    echo "GNUPGHOME="$GNUPGHOME
    gpg2 --homedir $HOME/.gnupggrs --output wls2i.pub --armor --export $fingerprint
    save_file pub_file wls2i.pub
    cat wls2i.pub

acceptance-test:
  image: icr.io/continuous-delivery/toolchains/devsecops/csso-image-sign:8.0.0@sha256:4fa72947d3b97c029b035f5c0b458184808f294a417b847b4935015d3c0744d3
  script: |
    #!/usr/bin/env bash
    echo "acceptance-test stage"
    load_file pub_file > wls2i.pub
    gpg2 --import wls2i.pub
    gpg --fingerprint --with-colons
    export fingerprint=$(gpg --fingerprint --with-colons | grep fpr | tail -n1 | tr -d 'fpr:')
    echo "fingerprint=$fingerprint"
    mkdir -p images
    if which list_artifacts >/dev/null; then
      list_artifacts
      list_artifacts | while IFS= read -r artifact; do
        image_name="$(load_artifact "$artifact" "name")"
        type="$(load_artifact "$artifact" "type")"
        echo "type="$type
        if [[ "${image_name}" == stg* ]]; then
           echo "Skipping staging image"           
        elif [[ "$type" == "image" ]]; then
          echo "Verifying image ${image_name}"
          skopeo copy --src-creds $(get_env ibmcloud-api-user):$(get_env ibmcloud-api-key) docker://${image_name} dir:./imgtemp
          echo "Image contents"
          find imgtemp
          skopeo standalone-verify ./imgtemp/manifest.json ${image_name} ${fingerprint} ./imgtemp/signature-1
          if [[ $? != 0 ]]; then
            exit 1
          fi
          rm imgtemp/*
        else
          echo "Skipping image ${image_name}"
        fi
      done
    fi

finish:
  image: icr.io/continuous-delivery/toolchains/devsecops/baseimage@sha256:2132bf3187b63496d119f61d375bbb656d0b3e4a664970478c44b527c4c058c5
  script: |
    #!/usr/bin/env bash
    echo "finish stage"
    ./pipeline/cd_finish