# Documentation on available configuration
# https://pages.github.ibm.com/one-pipeline/docs/custom-scripts.html
version: "1"
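setup:
  dind: true
  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
  script: |
    #!/usr/bin/env bash
    # Setup stage: make sure skopeo is available, then check that every image
    # listed in the inventory exists in the staging registry and that its
    # manifest digest matches the sha256 recorded in the inventory entry.
    # Relies on the one-pipeline helper get_env and on $WORKSPACE.
    set -euo pipefail
    echo "setup stage"

    # Download and install skopeo if the base image does not ship it.
    if ! command -v skopeo &> /dev/null; then
      PACKAGE_CACHE_URL="$(get_env package-cache-url)"
      wget "$PACKAGE_CACHE_URL/skopeo_1.2.2-2_amd64.deb"
      wget "$PACKAGE_CACHE_URL/containers-common_1-22_all.deb"
      # Fetched over TLS so the package cannot be swapped in transit; dpkg does
      # not verify a bare .deb, so pin a sha256 here once one is recorded
      # (e.g. `echo "<SHA256_PLACEHOLDER>  libgpgme11_1.10.0-1ubuntu1_amd64.deb" | sha256sum -c`).
      wget https://archive.ubuntu.com/ubuntu/pool/main/g/gpgme1.0/libgpgme11_1.10.0-1ubuntu1_amd64.deb
      sudo dpkg -i libgpgme11_1.10.0-1ubuntu1_amd64.deb
      sudo dpkg -i containers-common_1-22_all.deb
      sudo dpkg -i skopeo_1.2.2-2_amd64.deb
    fi
    skopeo --version || exit 1

    INVENTORY_PATH="$(get_env inventory-path)"
    INVENTORY_ENTRIES_PATH="${WORKSPACE:?WORKSPACE is not set}/$(get_env INVENTORY_ENTRIES_PATH)"

    # skopeo reads the docker credential store, so this login is what lets
    # `skopeo inspect` below reach the staging registry. The key goes in on
    # stdin and is never placed on a command line.
    echo "$(get_env ibmcloud-api-key-staging)" | docker login "$(get_env staging-registry)" -u "$(get_env ibmcloud-api-user)" --password-stdin

    # Process substitution instead of `for x in $(...)`: no word splitting or
    # globbing of entry names, and an empty inventory simply runs zero iterations.
    while IFS= read -r INVENTORY_ENTRY; do
      [[ -n "$INVENTORY_ENTRY" ]] || continue
      APP="$(cat "${INVENTORY_PATH}/${INVENTORY_ENTRY}")"
      ARTIFACT="$(jq -r '.artifact' <<< "$APP")"
      DIGEST="$(jq -r '.sha256' <<< "$APP")"
      echo "${ARTIFACT}"
      echo "${DIGEST}"
      jq '.' <<< "$APP"
      # jq -r prints the literal string "null" for a missing key; treat that
      # as a broken inventory entry rather than letting it "match" nothing.
      if [[ -z "$DIGEST" || "$DIGEST" == "null" ]]; then
        echo "Inventory entry ${INVENTORY_ENTRY} has no sha256 digest"
        exit 1
      fi
      # Read the Digest field of the inspect JSON instead of grepping the
      # pretty-printed output for the first "sha" substring.
      if ! SAVED_DIGEST="$(skopeo inspect "docker://${ARTIFACT}" | jq -r '.Digest')"; then
        echo "Image, $ARTIFACT, does not exist or could not be inspected"
        exit 1
      fi
      # Quoted on both sides: an unquoted right-hand side of [[ == ]] is a glob pattern.
      if [[ "${DIGEST}" == "${SAVED_DIGEST}" ]]; then
        echo "Image, $ARTIFACT, passes validation"
      else
        echo "Image, $ARTIFACT, does not exist or digests do not match"
        exit 1
      fi
    done < <(jq -r '.[]' "${INVENTORY_ENTRIES_PATH}")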
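deploy:
  dind: true
  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
  script: |
    #!/usr/bin/env bash
    # Deploy stage: promote every inventory image into the production registry
    # and register it with save_artifact for the later sign/verify stages.
    # Relies on the one-pipeline helpers get_env and save_artifact and on $WORKSPACE.
    set -euo pipefail
    if [[ "${PIPELINE_DEBUG:-}" == 1 ]]; then
      # Debug only: dumps the environment on exit and traces every command.
      trap env EXIT
      env
      set -x
    fi
    echo "deploy stage"

    # Download and install skopeo if the base image does not ship it.
    if ! command -v skopeo &> /dev/null; then
      PACKAGE_CACHE_URL="$(get_env package-cache-url)"
      wget "$PACKAGE_CACHE_URL/skopeo_1.2.2-2_amd64.deb"
      wget "$PACKAGE_CACHE_URL/containers-common_1-22_all.deb"
      # Fetched over TLS so the package cannot be swapped in transit; dpkg does
      # not verify a bare .deb, so pin a sha256 here once one is recorded
      # (e.g. `echo "<SHA256_PLACEHOLDER>  libgpgme11_1.10.0-1ubuntu1_amd64.deb" | sha256sum -c`).
      wget https://archive.ubuntu.com/ubuntu/pool/main/g/gpgme1.0/libgpgme11_1.10.0-1ubuntu1_amd64.deb
      sudo dpkg -i libgpgme11_1.10.0-1ubuntu1_amd64.deb
      sudo dpkg -i containers-common_1-22_all.deb
      sudo dpkg -i skopeo_1.2.2-2_amd64.deb
    fi
    skopeo --version || exit 1

    TARGET_ENVIRONMENT="$(get_env environment)"
    INVENTORY_PATH="$(get_env inventory-path)"
    INVENTORY_ENTRIES_PATH="${WORKSPACE:?WORKSPACE is not set}/$(get_env INVENTORY_ENTRIES_PATH)"
    echo "Target environment: ${TARGET_ENVIRONMENT}"
    echo "Inventory entries"
    echo ""
    jq '.' "${INVENTORY_ENTRIES_PATH}"
    echo ""
    echo "Inventory content"
    echo ""
    ls -la "${INVENTORY_PATH}"

    # Process substitution instead of `for x in $(...)`: no word splitting or
    # globbing of entry names, and an empty inventory simply runs zero iterations.
    while IFS= read -r INVENTORY_ENTRY; do
      [[ -n "$INVENTORY_ENTRY" ]] || continue
      APP="$(cat "${INVENTORY_PATH}/${INVENTORY_ENTRY}")"
      ARTIFACT="$(jq -r '.artifact' <<< "$APP")"
      NAME="$(jq -r '.name' <<< "$APP")"
      DIGEST="$(jq -r '.sha256' <<< "$APP")"
      TYPE="$(jq -r '.type' <<< "$APP")"
      # NOTE(review): assumes repository_url in the inventory has no .git suffix already — confirm
      REPO="$(jq -r '.repository_url' <<< "$APP").git"
      COMMIT="$(jq -r '.commit_sha' <<< "$APP")"
      echo "${ARTIFACT}"
      if [[ -z "$DIGEST" || "$DIGEST" == "null" ]]; then
        echo "Inventory entry ${INVENTORY_ENTRY} has no sha256 digest"
        exit 1
      fi
      # Everything after the last "/" (repository name plus tag or digest) is
      # reused as the name under the production registry/namespace.
      IMAGE_NAME="${ARTIFACT##*/}"
      echo "Image name: $IMAGE_NAME"
      PRODUCTION_IMAGE="$(get_env production-registry)/$(get_env production-namespace)/$IMAGE_NAME"
      echo "Production image: $PRODUCTION_IMAGE"
      # Copy the exact digest the setup stage validated, not whatever the tag
      # resolves to at deploy time. Any digest already present in ARTIFACT is
      # dropped first so the reference is never "repo@sha256:..@sha256:..".
      SOURCE_REF="${ARTIFACT%%@*}@${DIGEST}"
      echo "skopeo copy --all docker://${SOURCE_REF} docker://${PRODUCTION_IMAGE}"
      # Registry credentials must not reach the pipeline log: they are left out
      # of the echo above and xtrace is switched off around the one command
      # line that carries them.
      { set +x; } 2>/dev/null
      skopeo copy --all \
        --src-creds "$(get_env source-user):$(get_env source-key)" \
        --dest-creds "$(get_env dest-user):$(get_env dest-key)" \
        "docker://${SOURCE_REF}" "docker://${PRODUCTION_IMAGE}"
      if [[ "${PIPELINE_DEBUG:-}" == 1 ]]; then set -x; fi
      save_artifact "$NAME" "type=$TYPE" "name=${PRODUCTION_IMAGE}" "digest=$DIGEST" "source=${REPO}#${COMMIT}"
    done < <(jq -r '.[]' "${INVENTORY_ENTRIES_PATH}")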
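sign-artifact:
  image: wcp-compliance-automation-team-docker-local.artifactory.swg-devops.com/csso-image-sign:1.0.0@sha256:cb22e6ad6b3469155719f6bf09bde641208a1e349e5ccc09407204bb069f7b4e
  script: |
    #!/usr/bin/env bash
    # Sign-artifact stage: run the shared CISO signing script over the promoted
    # images, then export the signing key's public part so the acceptance-test
    # stage can verify signatures with it.
    # Relies on the one-pipeline helpers set_env, get_env, save_file and on $COMMONS_PATH.
    set -euo pipefail
    echo "sign-artifact stage"
    # image-signing: task/step names presumably read by sign_icr.sh (not visible here).
    set_env IMAGE_SIGNING_TASK_NAME "build-sign-artifact"
    set_env IMAGE_SIGNING_STEP_NAME "run-stage"
    "${COMMONS_PATH:?COMMONS_PATH is not set}"/ciso/sign_icr.sh
    # An empty alias would make gpg export every key in the keyring instead of
    # the one we mean; fail early instead.
    SIGNING_ALIAS="$(get_env signing-alias)"
    if [[ -z "$SIGNING_ALIAS" ]]; then
      echo "signing-alias is not set"
      exit 1
    fi
    # --export writes only the public key; the secret key never leaves this stage.
    gpg2 --armor --output wlo.gpg --export "$SIGNING_ALIAS"
    save_file gpg_file wlo.gpg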
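acceptance-test:
  image: wcp-compliance-automation-team-docker-local.artifactory.swg-devops.com/csso-image-sign:1.0.0@sha256:cb22e6ad6b3469155719f6bf09bde641208a1e349e5ccc09407204bb069f7b4e
  script: |
    #!/usr/bin/env bash
    # Acceptance-test stage: import the public key saved by sign-artifact and
    # check that every artifact of type "image" carries a signature made by
    # that key. Any verification failure fails the stage.
    # Relies on the one-pipeline helpers load_file, list_artifacts, load_artifact and get_env.
    set -euo pipefail
    echo "acceptance-test stage"
    load_file gpg_file > wlo.gpg
    gpg2 --import wlo.gpg
    # Fingerprint extraction: take the text after the "[SCEA]" key line of the
    # human-readable `gpg2 -k` listing and pick its second-to-last line.
    # NOTE(review): which line that is depends on the key layout (no subkeys,
    # only this key in a fresh keyring) — confirm against the real signing key.
    # sed rather than head so the pipeline never dies of SIGPIPE under pipefail.
    fingerprint=$(gpg2 -k)
    fingerprint=${fingerprint#*"[SCEA]"}
    fingerprint=$(printf '%s\n' "$fingerprint" | tail -n 2 | sed -n '1p' | xargs)
    if [[ -z "$fingerprint" ]]; then
      echo "Could not determine the signing key fingerprint"
      exit 1
    fi
    echo "fingerprint=$fingerprint"
    mkdir -p images
    if command -v list_artifacts >/dev/null; then
      # Process substitution keeps the loop in this shell, so `exit 1` below
      # really fails the stage (with `list_artifacts | while ...` it would only
      # leave a subshell).
      while IFS= read -r artifact; do
        image_name="$(load_artifact "$artifact" "name")"
        type="$(load_artifact "$artifact" "type")"
        if [[ "$type" == "image" ]]; then
          echo "Verifying image ${image_name}"
          skopeo copy --src-creds "$(get_env dest-user):$(get_env dest-key)" "docker://${image_name}" dir:./images
          # Only the first signature (signature-1) is checked, as before.
          skopeo standalone-verify ./images/manifest.json "${image_name}" "${fingerprint}" ./images/signature-1 || exit 1
          # Clear the scratch dir so the next image cannot be verified against
          # a stale manifest/signature left over from this one.
          rm -f images/*
        else
          echo "Skipping image ${image_name}"
        fi
      done < <(list_artifacts)
    fi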
finish:
  image: icr.io/continuous-delivery/toolchains/devsecops/baseimage@sha256:2132bf3187b63496d119f61d375bbb656d0b3e4a664970478c44b527c4c058c5
  script: |
    #!/usr/bin/env bash
    # Finish stage: hands off to the repository's own cd_finish script; the
    # stage result is that script's exit status.
    echo "finish stage"
    ./scripts/pipeline/cd_finish