mise en place d'un pipeline de build d'image et mse

Matthieu Lamalle 2024-03-20 13:36:01 +01:00
parent bcb8480880
commit 1bd773d409
18 changed files with 841 additions and 0 deletions


@ -0,0 +1,18 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: imagebuild
spec:
serviceAccountName: tekton-robot
triggers:
- name: imagebuild-trigger
interceptors:
- ref:
name: "cel"
params:
- name: "filter"
value: "body.action != 'deleted'"
bindings:
- ref: imagebuild-binding
template:
ref: imagebuild-template
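Review bot: Nothing in this listener's `interceptors` list authenticates the webhook sender; the only gate is the CEL filter `body.action != 'deleted'`, so any client that can reach the EventListener service can start a PipelineRun for a `clone_url` of its choosing, and the run executes with `build-bot`'s registry credentials. Put a signature-validating interceptor before the `cel` one — Tekton's `github` core interceptor with `secretRef` to a webhook-secret Secret, if Gitea's signature headers are compatible with it, otherwise a small ClusterInterceptor that checks the Gitea signature — and keep the listener Service reachable only from the forge. The msebuild listener that follows has the same gap.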


@ -0,0 +1,18 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: msebuild
spec:
serviceAccountName: tekton-robot
triggers:
- name: msebuild-trigger
interceptors:
- ref:
name: "cel"
params:
- name: "filter"
value: "body.action != 'deleted'"
bindings:
- ref: msebuild-binding
template:
ref: msebuild-template


@ -0,0 +1,127 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: imagebuild
spec:
description: |
This pipeline clones a git repo, then echoes the README file to the stout.
params:
- name: url
type: string
description: The git repo URL to clone from.
- name: revision
type: string
description: The git repo branch to checkout.
- name: image
type: string
description: The image to build.
- name: apiurl
type: string
description: The gitea api url.
- name: requesttype
type: string
description: The gitea request type = pullrequet or release
- name: requestid
type: string
description: The gitea request id.
- name: access_token
type: string
description: The gitea access_token id.
- name: dockerfile
type: string
description: Path to the Dockerfile to build.
workspaces:
- name: shared-data
- name: config
- name: docker-credentials
tasks:
# ⭐ Image Tag Formater
- name: imageformater
taskRef:
name: imageformater
params:
- name: image
value: $(params.image)
# 📥 Clone du repo git
- name: gitclone
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.url)
- name: revision
value: $(params.revision)
- name: submodules
value: 'false'
- name: depth
value: '50'
# 🔨 Build de l'image
- name: kaniko-build
taskRef:
name: kaniko
runAfter: ["gitclone"]
params:
- name: IMAGE
value: $(tasks.imageformater.results.imagetag)
- name: BUILDER_IMAGE
value: gcr.io/kaniko-project/executor:v1.20.0
- name: DOCKERFILE
value: $(params.dockerfile)
- name: EXTRA_ARGS
value:
- --skip-tls-verify
- --insecure
- --no-push
- --tarPath=$(workspaces.source.path)/image.tar
- --destination=$(tasks.imageformater.results.imagetag)
workspaces:
- name: source
workspace: shared-data
- name: dockerconfig
workspace: docker-credentials
# 🔎 Scan de l'image
- name: trivy-scan
taskRef:
name: trivy-scanner
kind: Task
params:
- name: IMAGE_PATH
value: "$(workspaces.manifest-dir.path)/image.tar"
workspaces:
- name: manifest-dir
workspace: shared-data
runAfter:
- kaniko-build
# 🚀 Publication de l'image
- name: publish
taskRef:
name: crane-task
workspaces:
- name: source
workspace: shared-data
- name: dockerconfig
workspace: docker-credentials
params:
- name: IMAGE
value: $(tasks.imageformater.results.imagetag)
runAfter:
- trivy-scan
finally:
# 🧹 Cleanup
- name: cleanup-workspace
taskRef:
name: cleanup-workspace
kind: Task
workspaces:
- name: source
workspace: shared-data
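Review bot: The `imageformater` task call passes only `image`, but the `imageformater` Task declared later in this commit has a second parameter `tag` with no `default`, so Tekton should reject the PipelineRun at validation time before any step runs; declare `- name: tag` under the pipeline's `params` and pass `- name: tag` / `value: $(params.tag)` to the task (the msebuild template already supplies `tag`, the imagebuild template does not). Separately, the kaniko `EXTRA_ARGS` include `--skip-tls-verify` and `--insecure`, which disable TLS verification for every base-image pull; if that is only needed for an internal registry, restrict it with `--skip-tls-verify-registry=<registry host>` / `--insecure-registry=<registry host>` instead of disabling it globally. The `description` block still reads "clones a git repo, then echoes the README file to the stout", which is left over from a template and should describe the build → trivy scan → crane push flow this pipeline actually runs. The declared `apiurl`, `requesttype`, `requestid` and `access_token` params are not consumed by any task here; if they are kept for a future comment step, say so in a comment, otherwise drop them so a token is not threaded through the run spec for nothing.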


@ -0,0 +1,102 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: imagebuild
spec:
description: |
This pipeline clones a git repo, then echoes the README file to the stout.
params:
- name: url
type: string
description: The git repo URL to clone from.
- name: revision
type: string
description: The git repo branch to checkout.
- name: image
type: string
description: The image to build.
- name: apiurl
type: string
description: The gitea api url.
- name: requesttype
type: string
description: The gitea request type = pullrequet or release
- name: requestid
type: string
description: The gitea request id.
- name: access_token
type: string
description: The gitea access_token id.
- name: dockerfile
type: string
description: Path to the Dockerfile to build.
workspaces:
- name: shared-data
- name: config
- name: docker-credentials
tasks:
- name: portal
pipelineRef:
name: imagebuild
params:
- name: dockerfile
value: misc/k8s/images/portal
- name: image
value: reg.cadoles.com/portal
- name: job-base
pipelineRef:
name: imagebuild
params:
- name: dockerfile
value: misc/k8s/images/job-base
- name: image
value: reg.cadoles.com/job-base
- name: mock
pipelineRef:
name: imagebuild
params:
- name: dockerfile
value: misc/k8s/images/mock
- name: image
value: reg.cadoles.com/mock
- name: ines
pipelineRef:
name: imagebuild
params:
- name: dockerfile
value: misc/k8s/images/ines
- name: image
value: reg.cadoles.com/ines
- name: shibboleth-sp
pipelineRef:
name: imagebuild
params:
- name: dockerfile
value: misc/k8s/images/sp
- name: image
value: reg.cadoles.com/shibboleth-sp
- name: hydra-dispatcher-mse-theme
pipelineRef:
name: imagebuild
params:
- name: dockerfile
value: misc/k8s/images/hydra-dispatcher-mse-theme
- name: image
value: reg.cadoles.com/hydra-dispatcher-mse-theme
- name: hydra-sql-mse-theme
pipelineRef:
name: imagebuild
params:
- name: dockerfile
value: misc/k8s/images/hydra-sql-mse-theme
- name: image
value: reg.cadoles.com/hydra-sql-mse-theme
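Review bot: This Pipeline is also named `imagebuild` in `metadata.name`, the same name as the single-image pipeline in the previous file, so whichever manifest is applied last silently replaces the other; the msebuild TriggerTemplate later in this commit references `pipelineRef: name: msebuild`, which no file defines, so presumably `name: msebuild` was intended here. Each child call under `tasks` passes only `dockerfile` and `image`, while the referenced `imagebuild` pipeline declares `url`, `revision`, `apiurl`, `requesttype`, `requestid` and `access_token` without defaults and expects three workspaces, none of which are forwarded — the calls would need `value: $(params.url)` etc. and a `workspaces` mapping. Note also that `pipelineRef` inside `tasks` relies on pipelines-in-pipelines support in the installed Tekton version; worth confirming it is enabled on the target cluster. The `description` text is copied from the other pipeline and does not describe this fan-out.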


@ -0,0 +1,39 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: symfonyapp-run-
namespace: tekton
spec:
serviceAccountName: build-bot
pipelineRef:
name: symfonyapp
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: config
configmap:
name: config-php-cs-fixer
- name: docker-credentials
secret:
secretName: regcred
params:
- name: repo-url
value: https://forge.cadoles.com/CNOUS/mse.git
- name: revision
value: sprint-6
- name: destination
value: k8s
- name: image
value: reg.cadoles.com/mlamalle/testtekton
- name: dockerfile
value: ./misc/k8s/images/job-base/Dockerfile
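Review bot: The parameters of this PipelineRun do not line up with any pipeline in the commit: it references `pipelineRef: name: symfonyapp`, which is not defined here, and passes `repo-url` and `destination`, whereas the `imagebuild` pipeline declares `url` and has no `destination`; the `dockerfile` value is also a file path (`./misc/k8s/images/job-base/Dockerfile`) while the templates pass a directory (`misc/k8s/images/portal`), so the two conventions cannot both be right for the kaniko `DOCKERFILE` param. If this is a manual test run kept for reference, a leading comment such as `# Manual run for local testing; not applied by the trigger templates` would make that clear; otherwise rename the params and the pipelineRef to match. The `configmap` here is `config-php-cs-fixer` while both TriggerTemplates use `config-phpcsfixer` — one of the two names will not exist.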


@ -0,0 +1,24 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: cleanup-workspace
spec:
workspaces:
- name: source
steps:
- name: cleanup
image: alpine:latest
command:
- /bin/sh
args:
- '-c'
- |
#set -e
echo ""
echo "== CLEAN UP WORKSPACES ==================================="
rm -rf /workspace/*
echo ""
echo ""
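Review bot: The cleanup step deletes `/workspace/*`, i.e. every workspace mounted into the pod, not just the `source` workspace the task declares; Tekton mounts workspaces under `/workspace/<name>`, so this wipes sibling workspaces as well. Scope it to the declared one: `rm -rf "$(workspaces.source.path)"/*`. The step image `alpine:latest` is a floating tag; pin it by digest the way the trivy task pins `TRIVY_IMAGE` so the cleanup step is reproducible. `#set -e` is commented out, so a failing `rm` is not reported — with `finally` semantics that may be intended, but a one-line comment saying so would help.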


@ -0,0 +1,32 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: crane-task
spec:
workspaces:
- name: source
- name: dockerconfig
params:
- name: IMAGE
type: string
description: "The image to push."
steps:
- name: push-image-tar
image: gcr.io/go-containerregistry/crane:debug
script: |
#!/busybox/sh
set -eu -o pipefail
echo ""
echo "== CONFIGURE CREDENTIALS ==================================="
mkdir ~/.docker
cp $(workspaces.dockerconfig.path)/config.json ~/.docker/config.json
echo ""
echo "== PUSH IMAGE ==================================="
crane push $(workspaces.source.path)/image.tar $(params.IMAGE)
echo ""
echo ""
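Review bot: Under `set -eu -o pipefail`, `mkdir ~/.docker` aborts the step if the directory already exists in the `crane:debug` image; use `mkdir -p ~/.docker`. Copying the registry credential into the home directory is also unnecessary: crane honours `DOCKER_CONFIG`, so `DOCKER_CONFIG="$(workspaces.dockerconfig.path)" crane push "$(workspaces.source.path)/image.tar" "$(params.IMAGE)"` uses the mounted Secret in place and leaves no second copy of `config.json` on the container filesystem. `crane:debug` is a floating tag; pin it by digest like `TRIVY_IMAGE` in the scanner task.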


@ -0,0 +1,53 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: giteacomment
spec:
description: Send file content to a comment of the pullrequest gitea
workspaces:
- name: source
params:
- name: apiurl
- name: requestid
- name: access_token
- name: title
- name: filepath
steps:
- name: exec
image: alpine
command:
- /bin/sh
args:
- '-c'
- |
#set -e
cd $(workspaces.source.path)
echo ""
echo "== INSTALL DEPENDENCIES ==================================="
apk add jq curl
echo ""
echo "== SEND COMMENT TO GITEA ================================="
if [[ -n "$(params.title)" ]]; then
sed -i '1i\# $(params.title)' $(params.filepath)
fi
RESULT=$(cat $(params.filepath))
rm -f $(params.filepath)
APIURL=$(params.apiurl)/issues/$(params.requestid)/comments?access_token=$(params.access_token)
RESULT_ESCAPED=$(jq --null-input --arg result "${RESULT}" '$result')
BODY="{\"body\": ${RESULT_ESCAPED}}"
echo ${BODY}
curl -X 'POST' \
${APIURL} \
-s \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d "${BODY}"
echo ""
echo ""
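Review bot: The Gitea token is sent as a URL query parameter (`APIURL=...?access_token=$(params.access_token)`), which lands in proxy and server access logs and in any curl error output; Gitea accepts it as a header instead, so build `APIURL` without the token and add `-H "Authorization: token $(params.access_token)"` to the curl call. Because `access_token` is an ordinary Tekton param, its value is also written verbatim into the rendered TaskRun/Pod spec and is readable by anyone with `get taskruns` or `get pods` in the namespace; passing it from a Secret through `env` / `valueFrom.secretKeyRef` keeps it out of the object spec. `[[ -n ... ]]` is a bash construct run under `/bin/sh`; busybox ash tolerates it, but `[ -n "$(params.title)" ]` is the portable form. The `title` and `filepath` values are substituted unquoted into `sed` and `cat`, so a value containing spaces or quotes breaks the command.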


@ -0,0 +1,34 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: imageformater
spec:
description: transform image name to standart name
params:
- name: image
- name: tag
results:
- name: imagetag
steps:
- name: exec
image: alpine
command:
- /bin/sh
args:
- '-c'
- |
#set -e
echo ""
echo "== IMAGE NAME FORMATER ==================================="
echo "IMAGE TAG BEFORE = $(params.image):$(params.tag)"
temp="$(params.image):$(params.tag)"
lowercase=$(echo "$temp" | awk '{print tolower($0)}')
echo "IMAGE TAG AFTER = ${lowercase}"
echo -n "${lowercase}" > "$(results.imagetag.path)"
echo ""
echo ""
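Review bot: `$(params.image)` and `$(params.tag)` are spliced by Tekton directly into the shell source of this step, and the bindings fill them from webhook fields (`body.repository.full_name`, `body.release.tag_name`) — text that originates outside the cluster. A value containing a double quote or `$(...)` therefore changes the script rather than the data, and `temp="$(params.image):$(params.tag)"` only looks quoted. Pass both through `env` and reference them as shell variables, which keeps the values out of the script text entirely; the same pattern applies to `title`/`filepath` in giteacomment. `tag` also has no `default`, which is what makes the imagebuild pipeline's call (which passes only `image`) fail validation.

```yaml
    - name: exec
      image: alpine
      env:
        - name: IMAGE
          value: $(params.image)
        - name: TAG
          value: $(params.tag)
      # … unchanged: command / args header …
          echo "IMAGE TAG BEFORE = ${IMAGE}:${TAG}"
          temp="${IMAGE}:${TAG}"
          # … unchanged: lowercase conversion and result write …
```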


@ -0,0 +1,72 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: trivy-scanner
labels:
app.kubernetes.io/version: "0.2"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/categories: Security
tekton.dev/tags: CLI, trivy
tekton.dev/displayName: "trivy scanner"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/390x"
spec:
description: >-
Trivy is a simple and comprehensive scanner for
vulnerabilities in container images,file systems
,and Git repositories, as well as for configuration issues.
This task can be used to scan for vulnenrabilities on the source code
in stand alone mode.
workspaces:
- name: manifest-dir
params:
- name: TRIVY_IMAGE
default: docker.io/aquasec/trivy@sha256:944a044451791617cc0ed2ee4d1942a4f66b790d527fcd0575a6b399ccbc05a1 # 0.43.1
description: Trivy scanner image to be used
- name: IMAGE_PATH
description: Image or Path to be scanned by trivy.
type: string
- name: AIR_GAPPED_ENABLED
default: "false"
description: a flag enabling Air-Gapped mode
type: string
steps:
- name: trivy-scan
image: $(params.TRIVY_IMAGE)
workingDir: $(workspaces.manifest-dir.path)
script: |
#!/usr/bin/env sh
echo ""
echo "== SCAN IMAGE ==================================="
cmd="trivy $* "
if [ "$(params.AIR_GAPPED_ENABLED)" = "true" ]; then
echo "Air-Gapped mode enabled"
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only
tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db
rm -rf "$TRIVY_TEMP_DIR"
mkdir -p "$HOME"/.cache/trivy/db
tar xvf ./db.tar.gz -C "$HOME"/.cache/trivy/db
cmd="${cmd}--skip-update "
fi
cmd="${cmd}$(params.IMAGE_PATH)"
echo "Running trivy task with command below"
echo "$cmd"
eval "$cmd"
cat temp_trivy.txt
args:
- "image"
- "--exit-code"
- "1"
- "--severity"
- "CRITICAL"
- "--no-progress"
- "-o"
- "temp_trivy.json"
- "--input"
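Review bot: The scan result never reaches the pipeline: the script has no `set -e`, `eval "$cmd"` runs with `--exit-code 1`, but the step's exit status is that of the following `cat temp_trivy.txt`, and the report was written to `temp_trivy.json` (`-o temp_trivy.json`), so the step currently fails on a missing file regardless of findings — and would pass regardless of findings once the name is fixed. The `publish` task in the imagebuild pipeline is gated on this step via `runAfter`, so the CRITICAL-severity gate is not effective as written. Capture the status explicitly: `eval "$cmd"; rc=$?`, then `cat temp_trivy.json`, then `exit "$rc"`. `tar -cf ./db.tar.gz` also writes an uncompressed archive under a `.gz` name; `-czf` or a `.tar` name would be consistent.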


@ -0,0 +1,28 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpcsfixer
spec:
description: PHP-CS-Fixer on modified code
workspaces:
- name: source
- name: config
steps:
- name: exec
image: ghcr.io/php-cs-fixer/php-cs-fixer:3-php8.3
command:
- /bin/sh
args:
- '-c'
- |
#set -e
cd $(workspaces.source.path)
echo ""
echo "== RUN PHP-CS-FIXER ======================================"
EXTRA_ARGS=$(printf -- '--path-mode=intersection -- %s' "${CHANGED_FILES}")
php-cs-fixer fix --dry-run --config=$(workspaces.config.path)/php-cs-fixer.dist.php ${EXTRA_ARGS} > temp_phpcsfixer.txt 2>&1
cat temp_phpcsfixer.txt
echo ""
echo ""
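Review bot: `${CHANGED_FILES}` is not defined anywhere in this task — it is neither a `param` nor an `env` entry — so `EXTRA_ARGS` expands to `--path-mode=intersection -- ` with no paths and php-cs-fixer runs against an empty intersection; either declare `- name: changed_files` under `params` and export it via `env`, or drop the intersection mode and scan the workspace. With `#set -e` disabled and the output redirected with `2>&1`, a fixer failure is also indistinguishable from a clean run in the step status. `ghcr.io/php-cs-fixer/php-cs-fixer:3-php8.3` is a moving tag; pin by digest for reproducible lint results.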


@ -0,0 +1,32 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpsecuritycheck
spec:
description: Check PHP security issues
workspaces:
- name: source
steps:
- name: exec
image: alpine:latest
script: |
#!/bin/sh
#set -e
echo ""
echo "== INSTALL PHP-SECURITY-CHECKER =========================="
export PHP_SECURITY_CHECKER_VERSION=1.0.0
export ARG JQ_VERSION=1.6
wget -O /usr/local/bin/local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SECURITY_CHECKER_VERSION}/local-php-security-checker_${PHP_SECURITY_CHECKER_VERSION}_linux_amd64 \
&& chmod +x /usr/local/bin/local-php-security-checker
echo ""
echo "== RUN PHP-SECURITY-CHECKER =============================="
cd $(workspaces.source.path)
local-php-security-checker --format=markdown > temp_phpsecuritychecker.txt 2>&1
RESULT=$(cat temp_phpsecuritychecker.txt)
echo "${RESULT}"
echo ""
echo ""
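Review bot: The step downloads an executable from GitHub at run time and runs it without verifying it, so the integrity of every security check depends on the network path to `github.com` at that moment; add a pinned checksum after the `wget`, e.g. `echo "<sha256 of the v1.0.0 linux_amd64 binary>  /usr/local/bin/local-php-security-checker" | sha256sum -c -`, or bake the tool into a pinned image. `export ARG JQ_VERSION=1.6` is Dockerfile syntax that leaked into the shell: it exports an unset variable named `ARG`, and `JQ_VERSION` is never used — remove the line. `alpine:latest` is a floating tag; pin by digest. With `#set -e` disabled, a failed download leaves the step green while `local-php-security-checker` is missing.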


@ -0,0 +1,44 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpstan
spec:
description: PHP-CS-Fixer on modified code
workspaces:
- name: source
params:
- name: apiurl
- name: requestid
- name: access_token
steps:
- name: exec
image: ghcr.io/phpstan/phpstan:1
command:
- /bin/sh
args:
- '-c'
- |
#set -e
echo ""
echo "== INSTALL PHPSTAN ======================================="
composer require phpstan/phpstan-symfony
composer require phpstan/phpstan-doctrine
cat << EOF > /app/phpstan.neon
includes:
- /app/vendor/phpstan/phpstan-symfony/extension.neon
- /app/vendor/phpstan/phpstan-doctrine/extension.neon
- /app/vendor/phpstan/phpstan-doctrine/rules.neon
EOF
echo ""
echo "== RUN PHPSTAN ==========================================="
cd $(workspaces.source.path)
php $(which phpstan) analyse -l 1 --error-format=table src/ > temp_phpstan.txt
RESULT=$(cat temp_phpstan.txt)
echo "${RESULT}"
echo ""
echo ""
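Review bot: The `description` reads "PHP-CS-Fixer on modified code", copied from the phpcsfixer task; it should say something like `Run PHPStan (level 1) with the Symfony and Doctrine extensions on src/`. The `apiurl`, `requestid` and `access_token` params are declared but never used in the step, so a token is passed into this TaskRun's spec for no reason — remove them or wire the giteacomment task in. `#set -e` is commented out, so a failed `composer require` is silent and phpstan then runs without the extensions the generated `phpstan.neon` includes; whether the `phpstan:1` image ships composer at all is not visible here and is worth confirming.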


@ -0,0 +1,68 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpunittest
spec:
description: PHP unit test with bdd sidecar
workspaces:
- name: source
sidecars:
- name: database
image: postgres:16
env:
- name: POSTGRES_PASSWORD
value: not_so_secret
- name: POSTGRES_HOST_AUTH_METHOD
value: trust
- name: redis
image: redis:4.0
steps:
- name: exec
image: reg.cadoles.com/cadoles/symfony:alpine-php-7.4-base-20230926
env:
- name: PHP_FPM_MEMORY_LIMIT
value: 512m
- name: MSE_DATABASE_DRIVER
value: pdo_pgsql
- name: MSE_DATABASE_HOST
value: localhost
- name: MSE_DATABASE_PORT
value: '5432'
- name: MSE_DATABASE_NAME
value: postgres
- name: MSE_DATABASE_USER
value: postgres
- name: MSE_DATABASE_PASSWORD
value: not_so_secret
- name: MSE_REDIS_SERVER
value: localhost
- name: MSE_REDIS_PORT
value: '6379'
command:
- /bin/sh
args:
- '-c'
- |
set -e
apk add bash=5.1.16-r0 \
postgresql-client \
php7-gd=7.4.33-r1 \
php7-xsl=7.4.33-r1 \
php7-pdo=7.4.33-r1 \
php7-pgsql=7.4.33-r1 \
php7-pdo_pgsql=7.4.33-r1 \
php7-soap=7.4.33-r1 \
php7-ldap=7.4.33-r1 \
php7-pdo_mysql=7.4.33-r1 \
php7-bcmath=7.4.33-r1 \
php7-intl=7.4.33-r1 \
php7-fileinfo=7.4.33-r1 \
php7-iconv=7.4.33-r1 \
php7-pecl-amqp=1.11.0-r0 \
php7-pecl-redis=5.3.6-r0
cd $(workspaces.source.path)
app/console doctrine:migrations:migrate -n
./scripts/run-php-tests.sh --group unit --stderr --testdox -d memory_limit=512M
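Review bot: `app/console doctrine:migrations:migrate -n` runs as soon as the `apk add` finishes, with no wait for the `database` sidecar to accept connections; Tekton starts sidecars alongside the step, but postgres initialisation takes several seconds, so the migration can fail intermittently. Since `postgresql-client` is installed, insert `until pg_isready -h localhost -p 5432; do sleep 1; done` before the `cd`. The sidecar sets both `POSTGRES_PASSWORD` and `POSTGRES_HOST_AUTH_METHOD: trust`; `trust` makes the password irrelevant, so keep one of the two and say in a comment that the database is pod-local and discarded with the run. `redis:4.0` is an end-of-life release; pinning a supported major by digest is safer.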


@ -0,0 +1,19 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: symfonybuild-binding
spec:
params:
- name: url
value: $(body.repository.clone_url)
- name: revision
value: $(body.release.target_commitish)
- name: image
value: reg.cadoles.com/$(body.repository.full_name)
- name: tag
value: $(body.release.target_commitish)-$(body.release.tag_name)
- name: apiurl
value: $(body.release.url)
- name: requestid
value: $(body.release.id)
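Review bot: The EventListeners reference bindings named `imagebuild-binding` and `msebuild-binding`, but this binding is named `symfonybuild-binding`, and the second TriggerBinding later in the commit carries the very same name `symfonybuild-binding`; applied to one namespace the two overwrite each other and neither listener finds its binding. Rename this one `imagebuild-binding` (it produces the `image` value the imagebuild template consumes) and the later one `msebuild-binding`. The imagebuild TriggerTemplate declares no `tag` param, so the `tag` value produced here is dropped, while the `apiurl` value `$(body.release.url)` is a release URL that the giteacomment task would extend with `/issues/...` — if that task is ever wired to this flow, the API base will need to be passed instead.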


@ -0,0 +1,56 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: imagebuild-template
spec:
params:
- name: url
- name: revision
- name: image
- name: apiurl
- name: requestid
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: imagebuild-run-
namespace: tekton
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: config
configmap:
name: config-phpcsfixer
- name: docker-credentials
secret:
secretName: regcred
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: $(tt.params.image)
- name: apiurl
value: $(tt.params.apiurl)
- name: requesttype
value: "release"
- name: requestid
value: $(tt.params.requestid)
- name: access_token
value: 69f6d1db6cf1e47dc7958ac20a31e76abf1582ee
- name: dockerfile
value: misc/k8s/images/portal
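Review bot: A Gitea access token is committed as the literal `access_token` value (the line before `dockerfile`); anyone with read access to this repository, or to TriggerTemplates/PipelineRuns in the `tekton` namespace, holds it. The token should be treated as disclosed and rotated, and the replacement sourced from a Secret — mounted as a workspace or exposed to the consuming Task via `env` / `valueFrom.secretKeyRef` — rather than passed as a pipeline param. The same literal appears in the msebuild template that follows. The `config` workspace references configmap `config-phpcsfixer` while the standalone PipelineRun uses `config-php-cs-fixer`; only one name can exist. `dockerfile` is fixed to `misc/k8s/images/portal` for every release event, which contradicts the per-image fan-out pipeline.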


@ -0,0 +1,17 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: symfonybuild-binding
spec:
params:
- name: url
value: $(body.repository.clone_url)
- name: revision
value: $(body.release.target_commitish)
- name: tag
value: $(body.release.target_commitish)-$(body.release.tag_name)
- name: apiurl
value: $(body.release.url)
- name: requestid
value: $(body.release.id)


@ -0,0 +1,58 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: msebuild-template
spec:
params:
- name: url
- name: revision
- name: image
- name: apiurl
- name: requestid
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-run-
namespace: tekton
spec:
serviceAccountName: build-bot
pipelineRef:
name: msebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: config
configmap:
name: config-phpcsfixer
- name: docker-credentials
secret:
secretName: regcred
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: portal
- name: tag
value: $(tt.params.tag)
- name: apiurl
value: $(tt.params.apiurl)
- name: requesttype
value: "release"
- name: requestid
value: $(tt.params.requestid)
- name: access_token
value: 69f6d1db6cf1e47dc7958ac20a31e76abf1582ee
- name: dockerfile
value: misc/k8s/images/portal
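Review bot: `$(tt.params.tag)` is used in the `tag` param, but `tag` is not declared under `spec.params` (only `url`, `revision`, `image`, `apiurl`, `requestid`), so Tekton should reject the template or leave the value unresolved; add `- name: tag` to the params list. The `image` value is the bare name `portal`: the imageformater task only lowercases it, and crane resolves an unqualified name against its default registry, so the publish step would try to push to Docker Hub's `library/portal` rather than to `reg.cadoles.com` — use `reg.cadoles.com/portal` or the `$(tt.params.image)` the binding already provides. The `access_token` literal here is the same committed credential flagged on the imagebuild template.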