forked from F5Networks/k8s-bigip-ctlr
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azure-pipelines.yaml
156 lines (152 loc) · 6.54 KB
/
azure-pipelines.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
branches:
include:
- master
tags:
include:
- v*
pool:
vmImage: 'ubuntu-latest'
variables:
imageName: 'f5networks/k8s-bigip-ctlr-devel'
quayConnection: 'quay-bot'
redhatConnection: 'redhat-bot'
dockerConnection: 'docker-bot'
scanConnection: 'cis-scan-bot'
quay_path: 'quay.io/f5networks/k8s-bigip-ctlr-devel'
redhat_prj_name: 'cntr-ingress-svcs'
docker_repo: 'f5networks/k8s-bigip-ctlr'
chartPath: 'incubator'
chartRepoName: 'charts'
chartOrganization: F5Networks
helmVersion: 'v3.5.4'
chartsUpdated: False
operatorUpdated: False
operatorImageName: 'f5networks/f5-cis-operator-devel'
operatorBundleImageName: 'f5networks/f5-cis-operator-bundle-devel'
operatorIndexImage: 'f5networks/f5-cis-operator-index-devel'
goVersion: 1.21.4
stages:
- stage: PreCheck
jobs:
- job: Preverification
steps:
- task: GoTool@0
inputs:
version: $(goVersion)
displayName: Install Go 1.21.4
- task: CmdLine@2
displayName: Check Go format and Suspicious constructs
inputs:
script: 'make verify'
- task: CmdLine@2
displayName: Check documentation
inputs:
script: 'make docs'
- stage: ContainerImage
dependsOn: PreCheck
jobs:
- job: BuildContainerImage
steps:
- script: |
FILE_VALUE=$(cat next-version.txt)
echo "##vso[task.setvariable variable=BUILD_VERSION]$FILE_VALUE"
displayName: Set CIS Version
- script: echo $(BUILD_VERSION)
displayName: 'Display the variable value'
- task: Docker@2
displayName: Login to redhat registry
inputs:
command: login
containerRegistry: $(redhatConnection)
- task: Docker@2
displayName: Login to quay registry
inputs:
command: login
containerRegistry: $(quayConnection)
- task: Docker@2
displayName: Login to docker registry
condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
inputs:
command: login
containerRegistry: $(dockerConnection)
- task: Docker@2
displayName: Login to scan registry
condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
inputs:
command: login
containerRegistry: $(scanConnection)
- task: Docker@2
displayName: Build from Red Hat Universal Base Image
inputs:
command: build
containerRegistry: $(quayConnection)
repository: $(imageName)
Dockerfile: build-tools/Dockerfile.ubi
buildContext: .
tags: "$(BUILD_VERSION)-$(Build.SourceVersion)"
arguments: "--build-arg BUILD_INFO=azure-$(Build.BuildId)-$(Build.SourceVersion) --build-arg BUILD_VERSION=$(BUILD_VERSION) --build-arg RUN_TESTS=$(RUN_TESTS) --build-arg COVERALLS_TOKEN=$(COVERALLS_TOKEN)"
- task: Docker@2
displayName: Push image to Quay
inputs:
command: push
containerRegistry: $(quayConnection)
repository: $(imageName)
tags: "$(BUILD_VERSION)-$(Build.SourceVersion)"
- script: |
set -ex
podman pull --authfile $(DOCKER_CONFIG)/config.json $(quay_path):$(BUILD_VERSION)-$(Build.SourceVersion)
podman tag $(quay_path):$(BUILD_VERSION)-$(Build.SourceVersion) scan.connect.redhat.com/$(REDHAT_PRJ_ID)/$(redhat_prj_name):$(BUILD_VERSION)-ubi8
podman push --authfile $(DOCKER_CONFIG)/config.json scan.connect.redhat.com/$(REDHAT_PRJ_ID)/$(redhat_prj_name):$(BUILD_VERSION)-ubi8
condition: and(succeeded(), startsWith(variables['build.sourceBranch'], 'refs/tags/'))
displayName: 'Push image to Redhat'
continueOnError: true
- script: |
set -ex
docker pull $(quay_path):$(BUILD_VERSION)-$(Build.SourceVersion)
docker tag $(quay_path):$(BUILD_VERSION)-$(Build.SourceVersion) $(docker_repo):latest
docker tag $(quay_path):$(BUILD_VERSION)-$(Build.SourceVersion) $(docker_repo):$(BUILD_VERSION)
patch_version=`echo $(BUILD_VERSION) | awk -F '.' '{print $3}'`
if [ "${patch_version}" == "0" ] ; then
stripped_version=`echo $(BUILD_VERSION) | rev | cut -c3- | rev`
docker tag $(quay_path):$(BUILD_VERSION)-$(Build.SourceVersion) $(docker_repo):${stripped_version}
docker push $(docker_repo):${stripped_version}
fi
docker push $(docker_repo):latest
docker push $(docker_repo):$(BUILD_VERSION)
displayName: 'Push image to DockerHub'
condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
- job: ScanContainerImage
dependsOn: BuildContainerImage
steps:
- script: |
FILE_VALUE=$(cat next-version.txt)
echo "##vso[task.setvariable variable=BUILD_VERSION]$FILE_VALUE"
displayName: Set CIS Version
- script: echo $(BUILD_VERSION)
displayName: 'Display the variable value'
- task: CmdLine@2
displayName: Install Trivy
inputs:
script: |
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- task: CmdLine@2
displayName: "Run trivy scan"
inputs:
script: |
trivy image --timeout 10m --format template --template "@junit.tpl" -o test.xml --severity HIGH,CRITICAL $(quay_path):$(BUILD_VERSION)-$(Build.SourceVersion)
- task: PublishTestResults@2
inputs:
testResultsFormat: 'JUnit'
testResultsFiles: '**/test.xml'
mergeTestResults: true
failTaskOnFailedTests: false
testRunTitle: 'Trivy - Vulnerabilities Summary'