diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1d74e21
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.vscode/
diff --git a/README.md b/README.md
index a14ad18..19f1520 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,98 @@ # ploigos-gitlab-library +TODO, Section 1 (as pulled from top of workflow files): + +## - separatePlatformConfig: need separate runners for true/false scenarios (including documentation on how/why) + # /* Directory into which platform configuration is mounted, if applicable */ + # PLATFORM_CONFIG_DIR: "/opt/platform-config" + # + # /* Additional mounts for agent containers, if separatePlatformConfig == true */ + # String PLATFORM_MOUNTS = params.separatePlatformConfig ? """ + # - mountPath: ${PLATFORM_CONFIG_DIR}/config.yml + # name: ploigos-platform-config + # subPath: config.yml + # - mountPath: ${PLATFORM_CONFIG_DIR}/config-secrets.yml + # name: ploigos-platform-config-secrets + # subPath: config-secrets.yml + # """ : "" + # + # /* Additional volumes for the agent Pod, if separatePlatformConfig == true */ + # String PLATFORM_VOLUMES = params.separatePlatformConfig ? """ + # - name: ploigos-platform-config + # configMap: + # name: ploigos-platform-config + # - name: ploigos-platform-config-secrets + # secret: + # secretName: ploigos-platform-config-secrets + # """ : "" + + # /* Combine this app's local config with platform-level config, if separatePlatformConfig == true */ + # String PSR_CONFIG_ARG = params.separatePlatformConfig ? + # "${PLATFORM_CONFIG_DIR} ${params.stepRunnerConfigDir}" : "${params.stepRunnerConfigDir}" + +## - trustedCABundleConfig should be known at platform level, not app level; the runner should know this, not the pipeline + # /* Additional mount for agent containers, if trustedCaConfig == true */ + # String TLS_MOUNTS = params.trustedCABundleConfig ? """ + # - name: trusted-ca + # mountPath: /etc/pki/ca-trust/source/anchors + # readOnly: true + # """ : "" + + # /* Additional volume for agent containers, if trustedCaConfig == true */ + # String TLS_VOLUMES = params.trustedCABundleConfig ? 
""" + # - name: trusted-ca + # configMap: + # name: ${params.trustedCABundleConfigMapName} + # items: + # - key: ca-bundle.crt + # path: tls-ca-bundle.pem + # """ : "" + +## Other pod configs that look like they belong with runner?? Might be able to configure in pipeline... +## imagePullPolicy: "${params.workflowWorkersImagePullPolicy}" +## tty: true +## imagePullPolicy: "${params.workflowWorkersImagePullPolicy}" + +## - `command: ['sh', '-c', 'update-ca-trust && cat']`; how do we make this happen in GitLab + +## - Jenkins / Tekton workflows have pod labels based on variables, but GitLab doesn't carry the same functionality: +## - https://docs.gitlab.com/runner/install/kubernetes.html#set-pod-labels-to-ci-environment-variables-keys + +## +## +## NOTE: Branch-matching regex expressions are hard-coded and duplicated at the moment, due to an +## open issue with GitLab: https://gitlab.com/gitlab-org/gitlab/-/issues/35438 +## +## NOTE: Rules pulled in from the extends cannot be merged, so must duplicate here; see: +## https://docs.gitlab.com/ee/ci/yaml/#merge-details +## https://github.com/yaml/yaml/issues/48 + +TODO, Section 2: + + - DOCUMENTATION: This README needs to be super-awesome like the other two runners + + - DOCUMENTATION: Explicitly spell out what the minimal / standard pipeline look like, what the imported workflow looks like, and how the files in the repo with the workflow are laid out. + + - Separate out the `config/` dir to a separate repo, but be sure the necessary pieces are documented in this README + + - NOTE: See TODO section in gitlab-ci-minimal.yml (need to move TODOs out of there later anyway) + + - Need to manually add all dirs under '/builds' that need to pass from step to step, until GitLab Runner 13.12+ is installed (see the note on this below) + + - The "setup_workflow_step_runner" job mounts '/home/ploigos', but it's not dynamic, so pulls the previous build. Need to clean the folder, but the find+rm takes forever. 
Can't use rm -rf due to pipefail when trying to remove .* (attempts to remove . and .., then fails script). NOTE: Can we just rm -rf specific folders we know will be huge, *then* call the find+rm?? + + - DOCUMENTATION: List out hard-coded values that cannot be set as variables, and where they live (so far: URLs for include; regex for rules) + + - DOCUMENTATION: When setting up the GitLab CI Runner in OpenShift, load 'config.toml' into a ConfigMap (see config/config-toml.yml). + +NOTE: Until GitLab CI Runner 13.12+ can be loaded on OpenShift, artifacts will be passed between steps. As of 13.12, the `/builds` folder can be mounted in a PVC, and passed between jobs. + + +Considerations for setting up a GitLab CI Runner for Ploigos: + +* The runner tags MUST be hard-coded, and cannot use a variable value (see: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/24207 ). To work around this, one job can be created for each combination of tags. Rules can then be set based on the desired variables to pick up the correct job, which will have the appropriate tags hard-coded. + +* Unlike Jenkins/Tekton pipelines, the GitLab CI Ploigos implementation does not allow for the CA bundle to be dynamically chosen per pipeline; this should be decided upon as a platform-level config in advance, and baked into the Runner as appropriate. + + +NOTE: Human-readable job names can't be set; GitLab CI will always parse the job name, and possibly make minor changes to it (e.g., forced capitalization of the first letter of the job). See: https://gitlab.com/gitlab-org/gitlab/-/issues/23672 \ No newline at end of file diff --git a/config/config-toml.yml b/config/config-toml.yml new file mode 100644 index 0000000..135c720 --- /dev/null +++ b/config/config-toml.yml 
@@ -0,0 +1,111 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: gitlab-runner-ploigos-config-toml +data: + ## See: https://docs.gitlab.com/runner/executors/kubernetes.html + config.toml: | + ## TODO: Can we have concurrency right now, given the hard-coded volume names? + #concurrent = 4 + + [[runners]] + executor = "kubernetes" + + [runners.custom_build_dir] + enabled = true + + [runners.kubernetes] + ## TODO: Is this correct, or should be "always"? + pull_policy = "if-not-present" + + # Namespace to run Kubernetes jobs in. + namespace = "gitlab-runner" + + #namespace_overwrite_allowed = "ci-.*" + + #bearer_token_overwrite_allowed = true + + # Default Docker image to use for jobs when none is specified. + image = "ploigos/ploigos-base:latest" + + # A list of secrets that are used to authenticate Docker image pulling. + #image_pull_secrets = ["docker-registry-credentials"] + + [runners.kubernetes.pod_security_context] + run_as_non_root = true + run_as_user = 1001 + # NOTE: fs_group is not defaulting to 0; this must be done explicitly + fs_group = 0 + + #[runners.kubernetes.node_selector] + # gitlab = "true" + + #cpu_limit = "1" + #memory_limit = "1Gi" + #service_cpu_limit = "1" + #service_memory_limit = "1Gi" + #helper_cpu_limit = "500m" + #helper_memory_limit = "100Mi" + poll_interval = 5 + poll_timeout = 3600 + + ## Node Scheduling ## + + #[runners.kubernetes.node_selector] + # gitlab = "true" + + #[runners.kubernetes.node_tolerations] + # "node-role.kubernetes.io/master" = "NoSchedule" + # "custom.toleration=value" = "NoSchedule" + # "empty.value=" = "PreferNoSchedule" + # "onlyKey" = "" + + ## Volumes ## + + ## TODO: Do we need something besides the home dir? Until proven otherwise, using the larger PVC (below)! 
+ [[runners.kubernetes.volumes.pvc]] + name = "gitlab-ci-pvc" + mount_path = "/home/ploigos" + + ######################################################################################### + ## TODO: + ## + ## THE FOLLOWING IS NEEDED, BUT CANNOT BE UNCOMMENTED W/O GITLAB RUNNER 13.12 OR LATER!!! + ######################################################################################### + + #[[runners.kubernetes.volumes.pvc]] + # name = "gitlab-ci-build-pvc" + # mount_path = "/builds" + + [[runners.kubernetes.volumes.secret]] + name = "pgp-keys-ploigos-workflow-ref-quarkus-mvn-gitlab-std-fruit" + mount_path = "/var/pgp-private-keys" + + #[[runners.kubernetes.volumes.config_map]] + # name = "trusted-ca" + # mount_path = "/etc/pki/ca-trust/source/anchors" + # read_only = true + # [runners.kubernetes.volumes.config_map.items] + # "key" = "ca-bundle.crt" + # "path" = "tls-ca-bundle.pem" + + ## TODO: Can we define /opt/platform-config as a var somewhere in the toml? + ## TODO: Need the following two to occur only when separatePlatformConfig == true + + #[[runners.kubernetes.volumes.config_map]] + # name = "ploigos-platform-config" + # mount_path = "/opt/platform-config/config.yml" + # sub_path = "config.yml" + + #[[runners.kubernetes.volumes.secret]] + # name = "ploigos-platform-config-secrets" + # mount_path = "/opt/platform-config/config-secrets.yml" + # sub_path = "config-secrets.yml" + +## TODO: Other vars in the Tekton CI script, that may or may not need to be translated here: + +## This flag also adds two workspaces to the pipeline template: +## - ploigos-platform-config: for mounting a ConfigMap +## - ploigos-platform-config-secrets: for mounting a Secret +#separatePlatformConfig: false + diff --git a/config/gitlab-runner.yaml b/config/gitlab-runner.yaml new file mode 100644 index 0000000..453e44d --- /dev/null +++ b/config/gitlab-runner.yaml 
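Review bot: The `[[runners.kubernetes.volumes.secret]]` entry mounts the PGP private-key Secret at `/var/pgp-private-keys` into every job pod this runner spawns, not only the setup_pgp_keys and sign steps, so any job that executes repository-controlled code (unit tests, packaging, UAT) can read the signing key. Runner-level volumes cannot be scoped per job, so the usual remedy is a second runner (own tag, own config.toml) that carries the Secret and is selected only by the jobs that need it; at minimum a comment next to the entry should state this exposure. The Secret name is also hard-coded to one application (`...quarkus-mvn-gitlab-std-fruit`), which contradicts the platform-level intent described in the README. On the `pull_policy = "if-not-present"` TODO: combined with the floating `image = "ploigos/ploigos-base:latest"`, a node keeps serving whatever it cached first, so either pin the image by digest or use `always`.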
@@ -0,0 +1,13 @@
+apiVersion: apps.gitlab.com/v1beta2
+kind: Runner
+metadata:
+ name: gitlab-ploigos-runner
+spec:
+ gitlabUrl: 'https://gitlab.apps.tssc.rht-set.com/'
+ buildImage: 'ploigos/ploigos-tool-maven:v0.16.0'
+ token: gitlab-runner-secret
+ tags: openshift
+ config: gitlab-runner-ploigos-config-toml
+ envVars:
+ - name: REGISTER_RUN_UNTAGGED
+ value: "true"
diff --git a/config/rb-ploigos.yml b/config/rb-ploigos.yml
new file mode 100644
index 0000000..cad44ab
--- /dev/null
+++ b/config/rb-ploigos.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gitlab-runner-sa-ploigos-run-as-user-1001
+ namespace: gitlab-runner
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ploigos-run-as-user-1001
+subjects:
+- kind: ServiceAccount
+ name: gitlab-runner-sa
diff --git a/ploigosWorkflowEverything.yml b/ploigosWorkflowEverything.yml
new file mode 100644
index 0000000..bb8a5cb
--- /dev/null
+++ b/ploigosWorkflowEverything.yml
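Review bot: The runner registers with `tags: openshift`, but every job template in this commit requires `tags: - ploigos`, so unless another runner carries the ploigos tag these jobs will sit pending; the value here should be `tags: ploigos` (or the templates changed to match). `REGISTER_RUN_UNTAGGED: "true"` additionally lets this runner pick up untagged jobs from any project it is visible to, and those jobs receive the same volumes the referenced config-toml mounts (the shared PVC and the PGP-key Secret); if the runner is meant to serve only Ploigos pipelines, set it to `"false"`. `buildImage` is pinned by version tag rather than digest, which is weaker for reproducibility but consistent with the rest of the repo.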
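Review bot: The ServiceAccount subject under `subjects:` carries no `namespace`; for a RoleBinding that resolves to the binding's own namespace (`gitlab-runner`), so it works, but it reads as if unscoped and silently changes meaning if the manifest is ever applied elsewhere. Add `namespace: gitlab-runner` beneath `- kind: ServiceAccount` to make the target explicit. The `ClusterRole` `ploigos-run-as-user-1001` is not part of this commit; a one-line comment naming where it is defined (presumably the grant that backs `run_as_user = 1001` in config-toml) would help the next operator.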
@@ -0,0 +1,444 @@ +########################################### +## Ploigos GitLab CI Workflow - Standard ## +########################################### + +# Do not build tags, or the tag source step will rerun the pipeline +workflow: + rules: + - if: $CI_COMMIT_TAG + when: never + - when: always + +# Checkout on branch/tag (instead of commit hash) to prevent detached head +default: + before_script: + - 'git checkout $CI_COMMIT_REF_NAME' + +include: + ## TODO: Using variables in the 'include' is locked behind a (default off) feature flag -- see final comment of: + ## https://gitlab.com/gitlab-org/gitlab/-/issues/24811 + # - remote: '$remote_url/-/raw/$gitlabLibraryVersion/var/ploigos_variables.yml' + + # Ploigos + GitLab Runner variable setup + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/var/ploigos_variables.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/var/ploigos_gitlab_variables.yml' + + # Templates + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/ploigos_step_runner.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/setup_workflow_step_runner.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/setup_pgp_keys.yml' + +# These stages come from the includes above +stages: + # setup + - setup:setup_workflow_step_runner + - setup:setup_pgp_keys + # ci + - ci:generate_metadata + - ci:tag_source + - ci:run_unit_tests + - ci:package_application + - ci:static_code_analysis + - ci:push_application + - ci:create_container_image + - ci:static_image_scan + - ci:push_container + - ci:sign_container + - ci:generate_evidence + # dev + - dev:deploy + - dev:validate_environment + - dev:run_user_acceptance_tests + - dev:generate_evidence + # test + - test:deploy + - test:validate_environment + - 
test:run_user_acceptance_tests + - test:generate_evidence + # prod + - prod:deploy + - prod:validate_environment + - prod:generate_evidence + # report + - report + +########### +## SETUP ## +########### + +## TODO: Relying on first step to know if the pipeline should kick off or not, because the rules +## syntax has multiple issues, e.g.: can't merge rules between job & its 'extends'; rules not +## defaulting back to "when: on_success" if all other rule matches fail. See NOTE at top of +## file. These rules lives in the job being extended here. +## +## Cases where pipeline should not be run: +## 1. When a tag is pushed. If tag pushes are run, then the tag_source step in PSR will cause the +## pipeline to be run twice for the same commit. +## 2. When a merge request is opened. A merge request can only be opened for a commit that has +## been pushed -- which means that the pipeline will have already run for that commit. +setup_workflow_step_runner: + extends: + - .setup_workflow_step_runner + stage: setup:setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + +setup_pgp_keys: + extends: + - .setup_pgp_keys + stage: setup:setup_pgp_keys + dependencies: + - setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + +######## +## CI ## +######## + +generate_metadata: + extends: + - .ploigos_step_runner + stage: ci:generate_metadata + dependencies: + - setup_pgp_keys + - setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + variables: + stepName: 'generate-metadata' + +tag_source: + extends: + - .ploigos_step_runner + stage: ci:tag_source + dependencies: + - generate_metadata + image: '$workflowWorkerImageDefault' + variables: + stepName: 'tag-source' + +run_unit_tests: + extends: + - .ploigos_step_runner + stage: ci:run_unit_tests + dependencies: + - tag_source + image: '$workflowWorkerImageUnitTest' + variables: + stepName: 'unit-test' + +package_application: + extends: + - .ploigos_step_runner + stage: ci:package_application + 
dependencies: + - run_unit_tests + image: '$workflowWorkerImagePackage' + variables: + stepName: 'package' + +static_code_analysis: + extends: + - .ploigos_step_runner + stage: ci:static_code_analysis + dependencies: + - package_application + image: '$workflowWorkerImageStaticCodeAnalysis' + variables: + stepName: 'static-code-analysis' + +push_application: + extends: + - .ploigos_step_runner + stage: ci:push_application + dependencies: + - static_code_analysis + image: '$workflowWorkerImagePushArtifacts' + variables: + stepName: 'push-artifacts' + +create_container_image: + extends: + - .ploigos_step_runner + stage: ci:create_container_image + dependencies: + - push_application + image: '$workflowWorkerImageContainerOperations' + variables: + stepName: 'create-container-image' + +static_image_scan:compliance: + extends: + - .ploigos_step_runner + stage: ci:static_image_scan + dependencies: + - create_container_image + image: '$workflowWorkerImageContainerImageStaticComplianceScan' + variables: + stepName: 'container-image-static-compliance-scan' + +static_image_scan:vulnerability: + extends: + - .ploigos_step_runner + stage: ci:static_image_scan + dependencies: + - create_container_image + image: '$workflowWorkerImageContainerImageStaticVulnerabilityScan' + variables: + stepName: 'container-image-static-vulnerability-scan' + +push_container: + extends: + - .ploigos_step_runner + stage: ci:push_container + dependencies: + - static_image_scan:compliance + - static_image_scan:vulnerability + image: '$workflowWorkerImageContainerOperations' + variables: + stepName: 'push-container-image' + +sign_container: + extends: + - .ploigos_step_runner + stage: ci:sign_container + dependencies: + - push_container + image: '$workflowWorkerImageContainerOperations' + variables: + stepName: 'sign-container-image' + +generate_evidence: + extends: + - .ploigos_step_runner + stage: ci:generate_evidence + dependencies: + - generate_metadata + - tag_source + - run_unit_tests + - 
package_application + - static_code_analysis + - push_application + - create_container_image + - static_image_scan:compliance + - static_image_scan:vulnerability + - push_container + - sign_container + image: '$workflowWorkerImageAutomatedGovernance' + variables: + stepName: 'generate-evidence' + +######### +## DEV ## +######### + +deploy_to_dev: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^feature\/.+$|^PR-.+$/ +# - if: $CI_COMMIT_REF_NAME =~ /$devGitRefPatterns/ + when: on_success + stage: dev:deploy + dependencies: + - generate_evidence + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameDev + +validate_environment_dev: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^feature\/.+$|^PR-.+$/ +# - if: $CI_COMMIT_REF_NAME =~ /$devGitRefPatterns/ + when: on_success + stage: dev:validate_environment + dependencies: + - deploy_to_dev + image: '$workflowWorkerImageValidateEnvironmentConfiguration' + variables: + stepName: 'validate-environment-configuration' + environment: $envNameDev + +run_user_acceptance_tests_dev: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^feature\/.+$|^PR-.+$/ +# - if: $CI_COMMIT_REF_NAME =~ /$devGitRefPatterns/ + when: on_success + stage: dev:run_user_acceptance_tests + dependencies: + - validate_environment_dev + image: '$workflowWorkerImageUAT' + variables: + stepName: 'uat' + environment: $envNameDev + +generate_evidence_dev: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^feature\/.+$|^PR-.+$/ +# - if: $CI_COMMIT_REF_NAME =~ /$devGitRefPatterns/ + when: on_success + stage: dev:generate_evidence + dependencies: + - validate_environment_dev + - run_user_acceptance_tests_dev + image: '$workflowWorkerImageAutomatedGovernance' + variables: + stepName: 'generate-evidence' + environment: $envNameDev + +########## +## TEST ## +########## + +deploy_to_test: + extends: + - 
.ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: test:deploy + dependencies: + - generate_evidence + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameTest + +validate_environment_test: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: test:validate_environment + dependencies: + - deploy_to_test + image: '$workflowWorkerImageValidateEnvironmentConfiguration' + variables: + stepName: 'validate-environment-configuration' + environment: $envNameTest + +run_user_acceptance_tests_test: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: test:run_user_acceptance_tests + dependencies: + - validate_environment_test + image: '$workflowWorkerImageUAT' + variables: + stepName: 'uat' + environment: $envNameTest + +generate_evidence_test: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: test:generate_evidence + dependencies: + - validate_environment_test + - run_user_acceptance_tests_test + image: '$workflowWorkerImageAutomatedGovernance' + variables: + stepName: 'generate-evidence' + environment: $envNameTest + +########## +## PROD ## +########## + +deploy_to_prod: + extends: + - .ploigos_step_runner + stage: prod:deploy + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + dependencies: + - generate_evidence + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameProd + +validate_environment_prod: + extends: + - .ploigos_step_runner + rules: + - if: 
$CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: prod:validate_environment + dependencies: + - deploy_to_prod + image: '$workflowWorkerImageValidateEnvironmentConfiguration' + variables: + stepName: 'validate-environment-configuration' + environment: $envNameProd + +generate_evidence_prod: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: prod:generate_evidence + dependencies: + - validate_environment_prod + image: '$workflowWorkerImageAutomatedGovernance' + variables: + stepName: 'generate-evidence' + environment: $envNameProd + +############ +## REPORT ## +############ + +report: + extends: + - .ploigos_step_runner + stage: report + rules: + - when: always + dependencies: + - generate_metadata + - tag_source + - run_unit_tests + - package_application + - static_code_analysis + - push_application + - create_container_image + - static_image_scan:compliance + - static_image_scan:vulnerability + - push_container + - sign_container + - generate_evidence + - deploy_to_dev + - validate_environment_dev + - run_user_acceptance_tests_dev + - generate_evidence_dev + - deploy_to_test + - validate_environment_test + - run_user_acceptance_tests_test + - generate_evidence_test + - deploy_to_prod + - validate_environment_prod + - generate_evidence_prod + image: '$workflowWorkerImageAutomatedGovernance' + variables: + stepName: 'report' diff --git a/ploigosWorkflowMinimal.yml b/ploigosWorkflowMinimal.yml new file mode 100644 index 0000000..1debea4 --- /dev/null +++ b/ploigosWorkflowMinimal.yml 
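Review bot: `default: before_script: - 'git checkout $CI_COMMIT_REF_NAME'` moves every job from the commit that triggered the pipeline to the current tip of the branch, so if anything is pushed while the pipeline runs, later stages (tag-source, sign-container, generate-evidence) operate on a different commit than the one the evidence and signature claim to cover. Checking out the branch at the triggering commit keeps the non-detached HEAD without the race: `- 'git checkout -B "$CI_COMMIT_REF_NAME" "$CI_COMMIT_SHA"'`. The `include: - remote:` entries pull the templates and variables from the `main` branch of the library, so the pipeline definition and every script it runs can change without any change in this repo; since variables in `include` are blocked (per the TODO), pin a literal tag or commit in the URL instead of `main`. Both points apply equally to the ploigosWorkflowMinimal.yml and ploigosWorkflowTypical.yml hunks.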
@@ -0,0 +1,192 @@ +########################################## +## Ploigos GitLab CI Workflow - Minimal ## +########################################## + +# Do not build tags, or the tag source step will rerun the pipeline +workflow: + rules: + - if: $CI_COMMIT_TAG + when: never + - when: always + +# Checkout on branch/tag (instead of commit hash) to prevent detached head +default: + before_script: + - 'git checkout $CI_COMMIT_REF_NAME' + +include: + ## TODO: Using variables in the 'include' is locked behind a (default off) feature flag -- see final comment of: + ## https://gitlab.com/gitlab-org/gitlab/-/issues/24811 + # - remote: '$remote_url/-/raw/$gitlabLibraryVersion/var/ploigos_variables.yml' + + # Ploigos + GitLab Runner variable setup + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/var/ploigos_variables.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/var/ploigos_gitlab_variables.yml' + + # Templates + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/ploigos_step_runner.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/setup_workflow_step_runner.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/setup_pgp_keys.yml' + +# These stages come from the includes above +stages: + # setup + - setup:setup_workflow_step_runner + - setup:setup_pgp_keys + # ci + - ci:generate_metadata + - ci:package_application + - ci:create_container_image + - ci:push_container + # dev + - dev:deploy + # test + - test:deploy + # prod + - prod:deploy + # report + - report + +########### +## SETUP ## +########### + +## TODO: Relying on first step to know if the pipeline should kick off or not, because the rules +## syntax has multiple issues, e.g.: can't merge rules between job & its 'extends'; rules not +## defaulting back to "when: 
on_success" if all other rule matches fail. See NOTE at top of +## file. These rules lives in the job being extended here. +## +## Cases where pipeline should not be run: +## 1. When a tag is pushed. If tag pushes are run, then the tag_source step in PSR will cause the +## pipeline to be run twice for the same commit. +## 2. When a merge request is opened. A merge request can only be opened for a commit that has +## been pushed -- which means that the pipeline will have already run for that commit. +setup_workflow_step_runner: + extends: + - .setup_workflow_step_runner + stage: setup:setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + +setup_pgp_keys: + extends: + - .setup_pgp_keys + stage: setup:setup_pgp_keys + dependencies: + - setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + +######## +## CI ## +######## + +generate_metadata: + extends: + - .ploigos_step_runner + stage: ci:generate_metadata + dependencies: + - setup_pgp_keys + - setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + variables: + stepName: 'generate-metadata' + +package_application: + extends: + - .ploigos_step_runner + stage: ci:package_application + dependencies: + - generate_metadata + image: '$workflowWorkerImagePackage' + variables: + stepName: 'package' + +create_container_image: + extends: + - .ploigos_step_runner + stage: ci:create_container_image + dependencies: + - package_application + image: '$workflowWorkerImageContainerOperations' + variables: + stepName: 'create-container-image' + +push_container: + extends: + - .ploigos_step_runner + stage: ci:push_container + dependencies: + - create_container_image + image: '$workflowWorkerImageContainerOperations' + variables: + stepName: 'push-container-image' + +######### +## DEV ## +######### + +deploy_to_dev: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^feature\/.+$|^PR-.+$/ +# - if: $CI_COMMIT_REF_NAME =~ /$devGitRefPatterns/ + when: on_success + stage: 
dev:deploy + dependencies: + - push_container + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameDev + +########## +## TEST ## +########## + +deploy_to_test: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: test:deploy + dependencies: + - push_container + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameTest + +########## +## PROD ## +########## + +deploy_to_prod: + extends: + - .ploigos_step_runner + stage: prod:deploy + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + dependencies: + - push_container + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameProd + +############ +## REPORT ## +############ + +report: + extends: + - .ploigos_step_runner + stage: report + rules: + - when: always + image: '$workflowWorkerImageDefault' + variables: + stepName: 'report' diff --git a/ploigosWorkflowTypical.yml b/ploigosWorkflowTypical.yml new file mode 100644 index 0000000..ef6d281 --- /dev/null +++ b/ploigosWorkflowTypical.yml 
@@ -0,0 +1,279 @@ +########################################### +## Ploigos GitLab CI Workflow - Standard ## +########################################### + +# Do not build tags, or the tag source step will rerun the pipeline +workflow: + rules: + - if: $CI_COMMIT_TAG + when: never + - when: always + +# Checkout on branch/tag (instead of commit hash) to prevent detached head +default: + before_script: + - 'git checkout $CI_COMMIT_REF_NAME' + +include: + ## TODO: Using variables in the 'include' is locked behind a (default off) feature flag -- see final comment of: + ## https://gitlab.com/gitlab-org/gitlab/-/issues/24811 + # - remote: '$remote_url/-/raw/$gitlabLibraryVersion/var/ploigos_variables.yml' + + # Ploigos + GitLab Runner variable setup + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/var/ploigos_variables.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/var/ploigos_gitlab_variables.yml' + + # Templates + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/ploigos_step_runner.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/setup_workflow_step_runner.yml' + - remote: 'https://gitlab.apps.tssc.rht-set.com/ploigos/ploigos-gitlab-library/-/raw/main/templates/setup_pgp_keys.yml' + +# These stages come from the includes above +stages: + # setup + - setup:setup_workflow_step_runner + - setup:setup_pgp_keys + # ci + - ci:generate_metadata + - ci:tag_source + - ci:run_unit_tests + - ci:package_application + - ci:static_code_analysis + - ci:push_application + - ci:create_container_image + - ci:static_image_scan + - ci:push_container + # dev + - dev:deploy + - dev:run_user_acceptance_tests + # test + - test:deploy + - test:run_user_acceptance_tests + # prod + - prod:deploy + # report + - report + +########### +## SETUP ## +########### + +## TODO: Relying on first step to know 
if the pipeline should kick off or not, because the rules +## syntax has multiple issues, e.g.: can't merge rules between job & its 'extends'; rules not +## defaulting back to "when: on_success" if all other rule matches fail. See NOTE at top of +## file. These rules lives in the job being extended here. +## +## Cases where pipeline should not be run: +## 1. When a tag is pushed. If tag pushes are run, then the tag_source step in PSR will cause the +## pipeline to be run twice for the same commit. +## 2. When a merge request is opened. A merge request can only be opened for a commit that has +## been pushed -- which means that the pipeline will have already run for that commit. +setup_workflow_step_runner: + extends: + - .setup_workflow_step_runner + stage: setup:setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + +setup_pgp_keys: + extends: + - .setup_pgp_keys + stage: setup:setup_pgp_keys + dependencies: + - setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + +######## +## CI ## +######## + +generate_metadata: + extends: + - .ploigos_step_runner + stage: ci:generate_metadata + dependencies: + - setup_pgp_keys + - setup_workflow_step_runner + image: '$workflowWorkerImageDefault' + variables: + stepName: 'generate-metadata' + +tag_source: + extends: + - .ploigos_step_runner + stage: ci:tag_source + dependencies: + - generate_metadata + image: '$workflowWorkerImageDefault' + variables: + stepName: 'tag-source' + +run_unit_tests: + extends: + - .ploigos_step_runner + stage: ci:run_unit_tests + dependencies: + - tag_source + image: '$workflowWorkerImageUnitTest' + variables: + stepName: 'unit-test' + +package_application: + extends: + - .ploigos_step_runner + stage: ci:package_application + dependencies: + - run_unit_tests + image: '$workflowWorkerImagePackage' + variables: + stepName: 'package' + +static_code_analysis: + extends: + - .ploigos_step_runner + stage: ci:static_code_analysis + dependencies: + - package_application + image: 
'$workflowWorkerImageStaticCodeAnalysis' + variables: + stepName: 'static-code-analysis' + +push_application: + extends: + - .ploigos_step_runner + stage: ci:push_application + dependencies: + - static_code_analysis + image: '$workflowWorkerImagePushArtifacts' + variables: + stepName: 'push-artifacts' + +create_container_image: + extends: + - .ploigos_step_runner + stage: ci:create_container_image + dependencies: + - push_application + image: '$workflowWorkerImageContainerOperations' + variables: + stepName: 'create-container-image' + +static_image_scan:vulnerability: + extends: + - .ploigos_step_runner + stage: ci:static_image_scan + dependencies: + - create_container_image + image: '$workflowWorkerImageContainerImageStaticVulnerabilityScan' + variables: + stepName: 'container-image-static-vulnerability-scan' + +push_container: + extends: + - .ploigos_step_runner + stage: ci:push_container + dependencies: + - static_image_scan:vulnerability + image: '$workflowWorkerImageContainerOperations' + variables: + stepName: 'push-container-image' + +######### +## DEV ## +######### + +deploy_to_dev: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^feature\/.+$|^PR-.+$/ +# - if: $CI_COMMIT_REF_NAME =~ /$devGitRefPatterns/ + when: on_success + stage: dev:deploy + dependencies: + - push_container + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameDev + +run_user_acceptance_tests_dev: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^feature\/.+$|^PR-.+$/ +# - if: $CI_COMMIT_REF_NAME =~ /$devGitRefPatterns/ + when: on_success + stage: dev:run_user_acceptance_tests + dependencies: + - deploy_to_dev + image: '$workflowWorkerImageUAT' + variables: + stepName: 'uat' + environment: $envNameDev + +########## +## TEST ## +########## + +deploy_to_test: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ 
/$releaseGitRefPatterns/ + when: on_success + stage: test:deploy + dependencies: + - push_container + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameTest + +run_user_acceptance_tests_test: + extends: + - .ploigos_step_runner + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + stage: test:run_user_acceptance_tests + dependencies: + - deploy_to_test + image: '$workflowWorkerImageUAT' + variables: + stepName: 'uat' + environment: $envNameTest + +########## +## PROD ## +########## + +deploy_to_prod: + extends: + - .ploigos_step_runner + stage: prod:deploy + rules: + - if: $CI_COMMIT_REF_NAME =~ /^main$/ +# - if: $CI_COMMIT_REF_NAME =~ /$releaseGitRefPatterns/ + when: on_success + dependencies: + - push_container + image: '$workflowWorkerImageDeploy' + variables: + stepName: 'deploy' + environment: $envNameProd + +############ +## REPORT ## +############ + +report: + extends: + - .ploigos_step_runner + stage: report + rules: + - when: always + image: '$workflowWorkerImageDefault' + variables: + stepName: 'report' diff --git a/templates/ploigos_step_runner.yml b/templates/ploigos_step_runner.yml new file mode 100644 index 0000000..b53e7c9 --- /dev/null +++ b/templates/ploigos_step_runner.yml 
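Review bot: The banner at the top of this file reads `## Ploigos GitLab CI Workflow - Standard ##`, the same title ploigosWorkflowEverything.yml uses, so the two files cannot be told apart by their header; change it to `## Ploigos GitLab CI Workflow - Typical ##` to match the filename, as the Minimal file already does. The `ci:static_image_scan` stage here runs only the vulnerability scan while the Everything workflow also runs the compliance scan; a one-line comment stating that the omission is intentional would save the next reader a diff between the two files.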
@@ -0,0 +1,67 @@
+## Variables ##
+#
+# stepRunnerConfigDir:
+# type: string
+# description:
+# Required.
+# Path to the Step Runner configuration to pass to the
+# Workflow Step Runner when running workflow steps.
+#
+# stepName:
+# type: string
+# description: |
+# Required.
+# Name of the Workflow step for the Workflow Step Runner to run.
+#
+# environment:
+# type: string
+# description: |
+# Optional.
+# Name of the environment to target when running the given step.
+#
+# This should be equal to one of the environment names used in one or more of the
+# Step Runner configuration files in the given Step Runner configuration directory.
+
+.ploigos_step_runner:
+ rules:
+ # Do not build tags, or the tag source step will rerun the pipeline
+ - if: $CI_COMMIT_TAG
+ when: never
+ # Do not build on merge requests; pipeline will have already been run for this commit
+ - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+ when: never
+ - when: on_success
+ tags:
+ - ploigos
+ retry:
+ max: 2
+ when:
+ - scheduler_failure
+ ## TODO: Passing artifacts manually until GitLab Runner 13.12 is available for OCP
+ ## In GitLab Runner 13.12, the builds dir can be a PVC; before that, it cannot
+ ## (config.toml load will error out if you try)
+ ## Once the builds dir is in a PVC, these artifacts should be unnecessary
+ artifacts:
+ paths:
+ - step-runner-working/
+ - target/
+ # The following is needed for the 'report' stage to publish results when the pipeline fails
+ when: always
+ script:
+ - |
+ #!/bin/sh
+
+ if [ "${verbose}" == "true" ]; then
+ set -x;
+ else
+ set +x;
+ fi
+
+ set -eu -o pipefail
+
+ source ${home}/${venvName}/bin/activate
+
+ psr \
+ --config ${stepRunnerConfigDir} \
+ --step "${stepName}" \
+ --environment "${environment}"
diff --git a/templates/setup_pgp_keys.yml b/templates/setup_pgp_keys.yml
new file mode 100644
index 0000000..a7e3ba1
--- /dev/null
+++ b/templates/setup_pgp_keys.yml
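Review bot: The `artifacts` block publishes `step-runner-working/` and `target/` from every job, failed ones included (`when: always`), with no `expire_in` and no `exclude`; since the step runner works on config that the `pgpKeysSecretName` description in var/ploigos_variables.yml says is SOPS-encrypted and decrypted in-job, whatever the runner writes into its working directory may become a downloadable artifact for anyone with job access. I would add `expire_in: 1 day` (a constructed value, tune to the retention you need) and an `exclude:` list for any working files that carry decrypted configuration or credentials, and extend the TODO with `## NOTE: until then, keep anything sensitive out of these paths or exclude it`. The script block is headed `#!/bin/sh` but uses `[ ... == ... ]` and `set -o pipefail`, which are bash rather than POSIX sh features, while the other two templates use `#!/bin/bash`; `#!/bin/bash` here keeps the three consistent. `--config "${stepRunnerConfigDir}"` quotes the one remaining unquoted argument on the `psr` line.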
@@ -0,0 +1,30 @@
+# Variables that must be defined when importing script:
+# - workflowWorkerImageDefault
+# - venvName
+# - verbose
+.setup_pgp_keys:
+ # Do not build tags, or the tag source step will rerun the pipeline
+ rules:
+ - if: $CI_COMMIT_TAG
+ when: never
+ - when: on_success
+ tags:
+ - ploigos
+ script:
+ # TODO: per other scripts, do we need to ensure that values like 'TRUE', 'YES', 'N', 'F', etc. are acceptable?
+ - |
+ #!/bin/bash
+
+ if [ "$verbose" == "true" ]; then
+ set -x;
+ else
+ set +x;
+ fi
+
+ set -eu -o pipefail
+
+ printf "*******************\n"
+ printf "* Import PGP Keys *\n"
+ printf "*******************\n"
+
+ gpg --import /var/pgp-private-keys/*
diff --git a/templates/setup_workflow_step_runner.yml b/templates/setup_workflow_step_runner.yml
new file mode 100644
index 0000000..516968e
--- /dev/null
+++ b/templates/setup_workflow_step_runner.yml
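Review bot: The header names `workflowWorkerImageDefault` and `venvName` as variables that must be defined, but the template only reads `verbose`; either trim the list or add the `image:` that would consume `workflowWorkerImageDefault`, because as written the keys are imported into whatever image the including job happens to use. The private keys come from the hard-coded `/var/pgp-private-keys/*` while the Secret itself is selected by `pgpKeysSecretName` in var/ploigos_variables.yml, so a comment such as `# Mount point of the Secret named by pgpKeysSecretName; the runner must mount it here` makes the coupling visible to whoever configures the runner. This template also lacks the `merge_request_event` exclusion that `.ploigos_step_runner` carries, so a merge-request pipeline that includes this job could still import the private keys; adding the same rule keeps the two templates consistent. `gpg --batch --import /var/pgp-private-keys/*` guarantees the job fails rather than hangs if gpg ever wants an interactive answer.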
@@ -0,0 +1,89 @@
+# Variables that must be defined when importing script:
+# - workflowWorkerImageDefault
+# - venvName
+# - verbose
+# - stepRunnerUpdateLibrary
+# - stepRunnerLibSourceUrl
+# - stepRunnerLibExtraIndexUrl
+# - stepRunnerLibVersion
+# - stepRunnerPackageName
+.setup_workflow_step_runner:
+ tags:
+ - ploigos
+ script:
+ # TODO: Determine if there is a more effective way to add blank lines, for readability:
+ # https://docs.gitlab.com/ee/ci/yaml/script.html
+ - |
+ #!/bin/bash
+
+ if [ "$verbose" == "true" ]; then
+ set -x;
+ else
+ set +x;
+ fi
+
+ set -eu -o pipefail
+
+ #if [ "${PAUSE_FOR_DEBUG_BEFORE_STEP_RUN}" == "true" ]; then
+ # echo "********************"
+ # echo "* PAUSED FOR DEBUG *"
+ # echo "********************"
+ # echo "To continue:"
+ # echo "> touch ${home}/workflow-continue"
+ # while [ ! -f ${home}/workflow-continue ]; do
+ # sleep 2
+ # done
+ # rm -f ${home}/workflow-continue
+ #fi
+
+ ## TODO: Temporary hack due to GitLab CI's inability to dynamically generate PVCs
+ ## https://gitlab.com/gitlab-org/gitlab-runner/-/issues/21308
+ ## NOTE: rm .* fails to remove `.` and `..`, triggering the pipefile
+ rm -rf $home/{,.[!.],..?}*
+
+ printf '**********************\n'
+ printf '* Create Python venv *\n'
+ printf '**********************\n'
+
+ python -m venv --system-site-packages --copies $home/$venvName
+
+ - |
+ #!/bin/bash
+ if [[ $stepRunnerUpdateLibrary =~ true|True ]]; then
+ printf '
+ *********************\n
+ * Update Python Pip *\n
+ *********************\n';
+ source $home/$venvName/bin/activate;
+ python -m pip install --upgrade pip;
+ if [[ ${stepRunnerLibSourceUrl} ]]; then
+ STEP_RUNNER_LIB_INSTALL_CMD="python -m pip install --upgrade $stepRunnerLibSourceUrl";
+ else
+ indexUrlFlag="";
+ if [[ $stepRunnerLibIndexUrl ]]; then
+ indexUrlFlag="--index-url $stepRunnerLibIndexUrl";
+ fi;
+ extraIndexUrlFlag="";
+ if [[ $stepRunnerLibExtraIndexUrl ]]; then
+ extraIndexUrlFlag="--extra-index-url $stepRunnerLibExtraIndexUrl";
+ fi;
+ STEP_RUNNER_LIB_INSTALL_CMD="python -m pip install --upgrade ${indexUrlFlag} ${extraIndexUrlFlag} $stepRunnerPackageName";
+ if [[ $stepRunnerLibVersion ]]; then
+ STEP_RUNNER_LIB_INSTALL_CMD+="==$stepRunnerLibVersion";
+ fi;
+ fi;
+ printf '
+ *************************************\n
+ * Update Step Runner Python Package *\n
+ *************************************\n';
+ ${STEP_RUNNER_LIB_INSTALL_CMD};
+ else
+ printf 'Using pre-installed Workflow Step Runner library\n';
+ fi
+
+ printf '
+ ****************************************************\n
+ * Installed Step Runner Python Package Information *\n
+ ****************************************************\n'
+
+ python -m pip show $stepRunnerPackageName
diff --git a/var/ploigos_gitlab_variables.yml b/var/ploigos_gitlab_variables.yml
new file mode 100644
index 0000000..89e8b8f
--- /dev/null
+++ b/var/ploigos_gitlab_variables.yml
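Review bot: `rm -rf $home/{,.[!.],..?}*` has no guard against `home` being set to an empty string — `set -u` only rejects an unset variable — and with an empty `home` the three globs expand to `/*`, `/.[!.]*` and `/..?*`, so the workspace-cleanup hack would wipe the container's root filesystem; `rm -rf "${home:?}"/{,.[!.],..?}*` aborts the job instead and the quoting also survives paths with spaces. The header's list of required variables omits `stepRunnerLibIndexUrl`, which the second script block tests with `if [[ $stepRunnerLibIndexUrl ]]`; if the runner runs both `- |` entries in one shell session so the first block's `set -eu` still applies (inferred, not visible here), an importer that does not define it fails with an unbound-variable error. That second block also builds the pip invocation as one string in `STEP_RUNNER_LIB_INSTALL_CMD` and expands it unquoted, so a source or index URL containing whitespace or glob characters is split or expanded before pip sees it; a bash array (`cmd=(python -m pip install --upgrade)`, `cmd+=(...)`, then `"${cmd[@]}"`) keeps every argument intact. Finally, `=~ true|True` is unanchored and accepts values like `untrue`; `=~ ^(true|True)$` matches the 'true'/'false' contract documented for `stepRunnerUpdateLibrary`.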
@@ -0,0 +1,32 @@
+## This file contains variables specific to the implementation of Ploigos on the GitLab CI platform.
+## There are two scenarios in which variables will end up here:
+##
+## 1. The variable cannot be defined uniformly across various CI platforms. For example, the
+## defined workspace of `/home/ploigos` is hard-coded in multiple places as a `mountPath` in
+## the Tekton Helm chart, but the Jenkins library holds that value for reuse in the variable
+## `WORKFLOW_WORKER_WORKSPACE_HOME_PATH`. For the GitLab CI Runner, the `home` variable is
+## used to match the name of the workspace defined for the Tekton workflow.
+##
+## 2. The variable is specific to GitLab. For example, `GIT_CLONE_PATH` is a GitLab CI variable
+## that determines what directory to checkout to when running a specific job in a pipeline.
+## This ensures that the absolute file path for Ploigos working files within any given pipeline
+## will be the same when moving between different CI Runners.
+
+variables:
+ # Clone git repository to a directory that is guaranteed be the same across every job within a
+ # single pipeline, but unique to each individual pipeline
+ GIT_CLONE_PATH: '$CI_BUILDS_DIR/$CI_PROJECT_NAME-$CI_COMMIT_BRANCH-$CI_PIPELINE_ID'
+
+ # The 'environment' variable is optional for the Ploigos Step Runner (i.e., the `psr` command),
+ # and should evaluate to a blank value when not provided. While this works for other CI platforms,
+ # the GitLab CI Runner throws an 'unbound variable' error for any undefined variable. To force
+ # optional values to evaluate as blank, they must be initialized with an empty value in advance.
+ environment: ''
+
+ # Workspace for the container users home directory.
+ # Important because the home directory is where the python virtual environment will be setup
+ # to be shared with future steps.
+ home: '/home/ploigos'
+
+ # Name of the virtual environment to set up in the given home workspace.
+ venvName: 'venv-ploigos'
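Review bot: `GIT_CLONE_PATH` is built from `$CI_COMMIT_BRANCH`, which GitLab populates only on branch pipelines and which may contain `/` (the `^feature/.+$` pattern in var/ploigos_variables.yml expects exactly that), so depending on the ref the checkout path either loses a component or gains an extra directory level. `$CI_COMMIT_REF_SLUG` is defined for every pipeline type and is already sanitised for use in paths, giving `GIT_CLONE_PATH: '$CI_BUILDS_DIR/$CI_PROJECT_NAME-$CI_COMMIT_REF_SLUG-$CI_PIPELINE_ID'`. The comment above `environment: ''` explains the empty-string default well; a one-line pointer that the same applies to every other optional variable the templates read under `set -u`, e.g. `# Any other optional variable read by the templates needs the same empty default.`, would save the next maintainer an unbound-variable failure.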
diff --git a/var/ploigos_variables.yml b/var/ploigos_variables.yml
new file mode 100644
index 0000000..d7f51d1
--- /dev/null
+++ b/var/ploigos_variables.yml
@@ -0,0 +1,209 @@
+variables:
+ verbose: 'false'
+ # type: string
+ # description: log any *sh commands used during execution
+
+ appRepoUrl: ''
+ # type: string
+ # description: URL to the application repository to run the pipeline for.
+
+ appRepoRef: ''
+ # type: string
+ # description: Git reference (tag, branch) of the application repository to run the pipeline for.
+
+ appCloneSSLVerify: 'true'
+ # type: string
+ # description: Passed to git-clone ClusterTask.
+ # Defines if http.sslVerify should be set to true or false in the global git config
+
+ stepRunnerConfigDir: ''
+ # type: string
+ # description: Path to the Step Runner configuration to pass to the
+ # Workflow Step Runner when running workflow steps.
+
+ pgpKeysSecretName: ''
+ # type: string
+ # description: Name of the Kubernetes Secret containing the PGP private keys to import for use by
+ # SOPS to decrypt encrypted Step Runner config.
+
+ envNameDev: 'DEV'
+ # type: string
+ # description: Name of the "Development" environment used in the Step Runner configuration
+ # files and to pass to the Workflow Step Runner when running a step targeted to
+ # the "Development" environment.
+
+ envNameTest: 'TEST'
+ # type: string
+ # description: Name of the "Test" environment used in the Step Runner configuration
+ # files and to pass to the Workflow Step Runner when running a step targeted to
+ # the "Test" environment.
+
+ envNameProd: 'PROD'
+ # type: string
+ # description: Name of the "Production" environment used in the Step Runner configuration
+ # files and to pass to the Workflow Step Runner when running a step targeted to
+ # the "Production" environment.
+
+ ciOnlyGitRefPatterns: '^$'
+ # type: string
+ # description: Regex pattern for git references that should only go through the
+ # Continuous Integration (CI) workflow.
+
+ ## TODO: Determine if the / below needs to be escaped, once regex vars can be used
+ devGitRefPatterns: '^feature/.+$|^PR-.+$'
+ # type: string
+ # description: Regex pattern for git references that should go through the
+ # Continuous Integration (CI) workflow and then the deployment to
+ # "Development" environment(s) (IE: "DEV" environment) workflow.
+
+ ## END LIST OF FAILED SCENARIOS ##
+
+ releaseGitRefPatterns: '^main$'
+ # type: string
+ # description: Regex pattern for git references that should go through the
+ # Continues Integration (CI) workflow and then the deployment to
+ # "Release" environment(s) (IE: "TEST" and then "PROD" environments) workflow.
+
+ stepRunnerPackageName: 'ploigos-step-runner'
+ # type: string
+ # description: Name of the python package to use as the Workflow Step Runner.
+
+ stepRunnerUpdateLibrary: 'false'
+ # type: string
+ # description: If 'true', then pull the Workflow Step Runner library source code and build it.
+ # If 'false', use the version of the Workflow Step Runner library that is
+ # pre-installed in the CI worker images.
+ #
+ # If 'false' then the following parameters are ignored:
+ # - 'stepRunnerLibSourceUrl'
+ # - 'stepRunnerLibIndexUrl'
+ # - 'stepRunnerLibExtraIndexUrl'
+ # - 'stepRunnerLibVersion'
+
+ stepRunnerLibIndexUrl: 'https://pypi.org/simple/'
+ # type: string
+ # description: If 'stepRunnerUpdateLibrary' is true and 'stepRunnerLibSourceUrl' is not supplied
+ # then this will be passed to pip as '--index-url' for installing the Workflow Step
+ # Runner library and its dependencies.
+ #
+ # NOTE
+ # ----
+ # PIP is indeterminate whether it will pull packages from '--index-url' or
+ # '--extra-index-url', therefor be sure to specify 'stepRunnerLibVersion'
+ # if trying to pull a specific version from a specific index.
+ #
+ # SEE
+ # ---
+ # - https://pip.pypa.io/en/stable/reference/pip_install/#id48
+
+ stepRunnerLibExtraIndexUrl: 'https://pypi.org/simple/'
+ # type: string
+ # description: If 'stepRunnerUpdateLibrary' is true and 'stepRunnerLibSourceUrl' is not supplied
+ # then this will be passed to pip as '--extra-index-url' for installing the Workflow
+ # Step Runner library and its dependencies.
+ #
+ # NOTE
+ # ----
+ # PIP is indeterminate whether it will pull packages from '--index-url' or
+ # '--extra-index-url', therefor be sure to specify 'stepRunnerLibVersion'
+ # if trying to pull a specific version from a specific index.
+ #
+ # SEE
+ # ---
+ # - https://pip.pypa.io/en/stable/reference/pip_install/#id48
+
+ stepRunnerLibVersion: ''
+ # type: string
+ # description: If 'stepRunnerUpdateLibrary' is true and 'stepRunnerLibSourceUrl' is not supplied
+ # then this will be passed to pip as as the version of the Workflow Step Runner
+ # library to install.
+ #
+ # NOTE
+ # ----
+ # If not given pip will install the latest from either 'stepRunnerLibIndexUrl' or
+ # 'stepRunnerLibExtraIndexUrl' indeterminately.
+
+ stepRunnerLibSourceUrl: ''
+ # type: string
+ # description: If none empty value given and 'stepRunnerUpdateLibrary' is true this will be used
+ # as the source location to install the Workflow Step Runner library from rather
+ # than from a PEP 503 compliant repository.
+ #
+ # If given then the following parameters are ignored:
+ # - 'stepRunnerLibIndexUrl'
+ # - 'stepRunnerLibExtraIndexUrl'
+ # - 'stepRunnerLibVersion'
+ #
+ # EXAMPLES
+ # --------
+ # git+https://github.com/ploigos/ploigos-step-runner.git@feature/NAPSSPO-1018
+ # installs from the public 'ploigos' fork from the 'feature/NAPSSPO-1018' branch.
+ #
+ # git+https://gitea.internal.example.xyz/tools/ploigos-step-runner.git@main
+ # installs from an internal fork of the step runner library from the 'main' branch.
+
+ workflowWorkersImagePullPolicy: 'IfNotPresent'
+ # type: string
+ # description: Policy for pulling new versions of the imageTag for the CI worker images
+ # when running this pipeline.
+
+ workflowWorkerImageDefault: 'ploigos/ploigos-base:latest'
+ # type: string
+ # description: Container image to use when creating a workflow worker
+ # to run pipeline steps when no other specific container image has been
+ # specified for that step.
+
+ workflowWorkerImageSourceClone: 'gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.12.1'
+ # type: string
+ # description: Container image to use when creating a workflow worker
+ # to run pipeline steps when performing source clone step(s).
+
+ workflowWorkerImageUnitTest: ''
+ # type: string
+ # description: Container image to use when creating a workflow worker
+ # to run pipeline steps when performing unit test step(s).
+
+ workflowWorkerImagePackage: ''
+ # type: string
+ # description: Container image to use when creating a workflow worker
+ # to run pipeline steps when performing package application step(s).
+
+ workflowWorkerImageStaticCodeAnalysis: 'ploigos/ploigos-tool-sonar:latest'
+ # type: string
+ # description: Container image to use when creating a workflow worker
+ # to run pipeline steps when performing static code analysis step(s).
+
+ workflowWorkerImagePushArtifacts: ''
+ # type: string
+ # description: Container image to use when creating a workflow worker to run pipeline
+ # steps when performing push push packaged artifacts step(s).
+
+ workflowWorkerImageContainerOperations: 'ploigos/ploigos-tool-containers:latest'
+ # type: string
+ # description: Container image to use when creating a workflow worker to run pipeline
+ # steps when performing container operations (build/push/etc) step(s).
+
+ workflowWorkerImageContainerImageStaticComplianceScan: 'ploigos/ploigos-tool-openscap:latest'
+ # type: string
+ # description: Container image to use when creating a workflow worker to run pipeline
+ # steps when performing container image static compliance scan step(s).
+
+ workflowWorkerImageContainerImageStaticVulnerabilityScan: 'ploigos/ploigos-tool-openscap:latest'
+ # type: string
+ # description: Container image to use when creating a workflow worker to run pipeline steps
+ # when performing container image static vulnerability scan step(s).
+
+ workflowWorkerImageDeploy: 'ploigos/ploigos-tool-argocd:latest'
+ # type: string
+ # description: Container image to use when creating a workflow worker
+ # to run pipeline steps when performing deploy step(s).
+
+ workflowWorkerImageValidateEnvironmentConfiguration: 'ploigos/ploigos-tool-config-lint:latest'
+ # type: string
+ # description: Container image to use when creating a workflow worker to run pipeline
+ # steps when performing validate environment configuration step(s).
+
+ workflowWorkerImageUAT: ''
+ # type: string
+ # description: Container image to use when creating a workflow worker to run pipeline
+ # steps when performing user acceptance tests (UAT) step(s).
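Review bot: Every populated worker-image default in this file is a floating `:latest` tag (`workflowWorkerImageDefault`, `workflowWorkerImageStaticCodeAnalysis`, `workflowWorkerImageContainerOperations`, both openscap scan images, `workflowWorkerImageDeploy`, `workflowWorkerImageValidateEnvironmentConfiguration`) while `workflowWorkersImagePullPolicy` defaults to `IfNotPresent`, so the toolchain a job actually runs is whichever image happens to be cached on that runner and can differ between runners and over time; only `workflowWorkerImageSourceClone` is pinned. For reproducible and auditable builds the `workflowWorkersImagePullPolicy` description should say so, e.g. `# NOTE: with the ':latest' defaults above and IfNotPresent, the image used depends on the runner's cache; pin a release tag or digest for reproducible pipelines.` The same applies to the pip defaults: `stepRunnerLibIndexUrl` and `stepRunnerLibExtraIndexUrl` both point at pypi.org and the NOTE already says resolution between them is indeterminate, so the text could add that a private index plus an explicit `stepRunnerLibVersion` is the way to get a known package. Minor wording in the descriptions while you are there: "Continues Integration", "push push packaged", "none empty value", "therefor", and "pip as as the version".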