.gitlab-ci.yml
# Pipeline-wide defaults, inherited by every job below.
variables:
  # Kubernetes-executor setting: every job pod in this pipeline runs under
  # the `lemur` service account, including the `test` job that installs
  # packages at run time.
  # NOTE(review): that account's permissions are not visible here; confirm
  # it holds only what the build jobs need.
  KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: 'lemur'
  # Image used by every job. It is referenced by tag, and a tag can be
  # re-pointed in the registry; a digest reference (image@sha256:<digest>)
  # would make the job environment immutable.
  CURRENT_CI_IMAGE: 'registry.ddbuild.io/lemur-ci:0.2.5'
# Stages run in the order listed; a stage starts only once the jobs of the
# previous stage have succeeded, so `test` gates every image build.
stages:
  - test                     # unit tests, Bandit scan, JS tests
  - build-stage-image        # staging image
  - build-stage-image-fips   # staging image, FIPS variant
  - build-prod-image         # prod-signed image
  - build-prod-image-fips    # prod-signed image, FIPS variant
  - gbilite                  # jobs selected through $GBILITE_GITLAB_ACTION
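# Runs the Python test suite, the Bandit static-analysis scan and the
# JavaScript tests against a throwaway PostgreSQL service container.
test:
  image: $CURRENT_CI_IMAGE
  stage: test
  timeout: 30m
  rules:
    # Skip the suite when the pipeline was started for one of the two
    # gbilite actions.
    - if: $GBILITE_GITLAB_ACTION != "gbilite-get-images" && $GBILITE_GITLAB_ACTION != "gbilite-build-image"
  tags:
    - "arch:amd64"
  variables:
    # Credentials for the per-job PostgreSQL service container only.
    # `trust` turns off password checks in the postgres image, which is
    # acceptable solely because the database lives and dies with this job.
    POSTGRES_DB: lemur
    POSTGRES_USER: lemur
    POSTGRES_PASSWORD: lemur
    POSTGRES_HOST_AUTH_METHOD: trust
    # Enable colors in pytest output: https://github.com/pytest-dev/pytest/issues/7443
    # Quoted so the value reaches the job as the string "1".
    PY_COLORS: "1"
    # Enable colors in chalk output: https://github.com/chalk/chalk#chalklevel
    FORCE_COLOR: "1"
  services:
    - registry.ddbuild.io/images/mirror/postgres:12.7
  script:
    # Setup virtualenv. Each entry is its own command: all entries run in
    # one shell session (so the activated venv persists) and the job stops
    # at the first failing command. The previous trailing `&& \` on
    # separate list items depended on how the runner joins script lines.
    - python3 -m venv ~/env
    - source ~/env/bin/activate
    # NOTE(review): these tools are installed unpinned, so each run takes
    # whatever version the package index serves at that moment; pinning
    # them (ideally with hashes) would make the job reproducible.
    - python3 -m pip install --upgrade pip setuptools coveralls bandit
    # Install dd-source packages (not in lockfiles, managed separately)
    - python3 -m pip install -r requirements-dd-source.in
    # Run tests
    - make test
    # -ll / -ii: report only findings of medium or higher severity and
    # confidence; the test suite and docs are excluded from the scan.
    - bandit -r . -ll -ii -x lemur/tests/,docs
    - xvfb-run make test-js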
# Builds and pushes the staging image for pipelines that carry neither a
# tag nor a gbilite action.
build-stage-image:
  stage: build-stage-image
  image: $CURRENT_CI_IMAGE
  tags:
    - "arch:amd64"
  timeout: 2h
  when: on_success
  rules:
    # No branch filter: any untagged pipeline without
    # $GBILITE_GITLAB_ACTION reaches this job, whatever the branch.
    - if: ($CI_COMMIT_TAG == null && $GBILITE_GITLAB_ACTION == null)
  variables:
    CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
  id_tokens:
    # GitLab issues a job-scoped ID token (JWT) with this audience and
    # exposes it to the script as $DDSIGN_ID_TOKEN.
    # NOTE(review): the prod jobs request the same audience, so the
    # verifier presumably tells staging from prod by other claims; confirm.
    DDSIGN_ID_TOKEN:
      aud: image-integrity
  script:
    # Image tag is v<pipeline id>-<short sha>, built from the exact commit.
    - CHECKOUT_REF=$CI_COMMIT_SHA GBILITE_ENV=staging GBILITE_IMAGE_TO_BUILD="lemur:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}" /bin/bash .campaigns/build_and_push_image.sh
# FIPS variant of the staging build: same trigger rule and inputs, with
# `-fips` appended to the image tag.
build-stage-image-fips:
  stage: build-stage-image-fips
  image: $CURRENT_CI_IMAGE
  tags:
    - "arch:amd64"
  timeout: 2h
  when: on_success
  rules:
    # Runs for any untagged pipeline without $GBILITE_GITLAB_ACTION.
    - if: ($CI_COMMIT_TAG == null && $GBILITE_GITLAB_ACTION == null)
  variables:
    CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
  id_tokens:
    # Job-scoped ID token (JWT) with audience `image-integrity`, exposed
    # to the script as $DDSIGN_ID_TOKEN.
    DDSIGN_ID_TOKEN:
      aud: image-integrity
  script:
    # NOTE(review): nothing on this line other than the tag suffix selects
    # a FIPS build; presumably the script keys off the suffix. Confirm.
    - CHECKOUT_REF=$CI_COMMIT_SHA GBILITE_ENV=staging GBILITE_IMAGE_TO_BUILD="lemur:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips" /bin/bash .campaigns/build_and_push_image.sh
# Builds a prod-signed image for tag pipelines and for commits on master.
build-prod-image:
  stage: build-prod-image
  image: $CURRENT_CI_IMAGE
  tags:
    - "arch:amd64"
  timeout: 2h
  when: on_success
  rules:
    # Tag pipelines: the image tag is the git tag itself. This rule has no
    # $GBILITE_GITLAB_ACTION check and matches every tag name.
    # NOTE(review): anyone able to push a tag can therefore start a
    # prod-signed build; confirm tags are protected in project settings.
    - if: $CI_COMMIT_TAG
      variables:
        IMAGE_TAG: "$CI_COMMIT_TAG"
    # master commits outside gbilite pipelines: v<pipeline id>-<short sha>.
    - if: $CI_COMMIT_BRANCH == "master" && $GBILITE_GITLAB_ACTION == null
      variables:
        IMAGE_TAG: "v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}"
  variables:
    CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
  id_tokens:
    # Job-scoped ID token (JWT) with audience `image-integrity`, exposed
    # to the script as $DDSIGN_ID_TOKEN.
    DDSIGN_ID_TOKEN:
      aud: image-integrity
  script:
    # $IMAGE_TAG is expanded inside double quotes, so its value stays a
    # single word of the image reference.
    - CHECKOUT_REF=$CI_COMMIT_SHA GBILITE_ENV=prod GBILITE_IMAGE_TO_BUILD="lemur:$IMAGE_TAG" /bin/bash .campaigns/build_and_push_image.sh
# FIPS variant of the prod build: same rules, with `-fips` appended to the
# image tag.
build-prod-image-fips:
  stage: build-prod-image-fips
  image: $CURRENT_CI_IMAGE
  tags:
    - "arch:amd64"
  timeout: 2h
  when: on_success
  rules:
    # Tag pipelines: the image tag is the git tag itself; every tag name
    # matches and $GBILITE_GITLAB_ACTION is not checked.
    - if: $CI_COMMIT_TAG
      variables:
        IMAGE_TAG: "$CI_COMMIT_TAG"
    # master commits outside gbilite pipelines: v<pipeline id>-<short sha>.
    - if: $CI_COMMIT_BRANCH == "master" && $GBILITE_GITLAB_ACTION == null
      variables:
        IMAGE_TAG: "v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}"
  variables:
    CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
  id_tokens:
    # Job-scoped ID token (JWT) with audience `image-integrity`, exposed
    # to the script as $DDSIGN_ID_TOKEN.
    DDSIGN_ID_TOKEN:
      aud: image-integrity
  script:
    # The shell reads `$IMAGE_TAG-fips` as $IMAGE_TAG followed by the
    # literal `-fips`, because `-` cannot be part of a variable name.
    - CHECKOUT_REF=$CI_COMMIT_SHA GBILITE_ENV=prod GBILITE_IMAGE_TO_BUILD="lemur:$IMAGE_TAG-fips" /bin/bash .campaigns/build_and_push_image.sh
# Runs only when the pipeline is started with
# GBILITE_GITLAB_ACTION=gbilite-get-images; publishes the script's output
# as a job artifact.
gbilite-get-images:
  stage: gbilite
  image: $CURRENT_CI_IMAGE
  tags:
    - "arch:amd64"
  rules:
    - if: $GBILITE_GITLAB_ACTION == "gbilite-get-images"
  script:
    # Only stdout is redirected into the artifact file; stderr stays in
    # the job log.
    - /bin/bash .campaigns/get_images.sh > .campaigns/allimages.txt
  artifacts:
    paths:
      - .campaigns/allimages.txt
# Runs only when the pipeline is started with
# GBILITE_GITLAB_ACTION=gbilite-build-image; builds and pushes an image
# and publishes .campaigns/image_info.txt as an artifact.
gbilite-build-image:
  stage: gbilite
  image: $CURRENT_CI_IMAGE
  tags:
    - "arch:amd64"
  timeout: 2h
  rules:
    - if: $GBILITE_GITLAB_ACTION == "gbilite-build-image"
  id_tokens:
    # Job-scoped ID token (JWT) with audience `image-integrity`, exposed
    # to the script as $DDSIGN_ID_TOKEN.
    DDSIGN_ID_TOKEN:
      aud: image-integrity
  script:
    # NOTE(review): unlike the build-* jobs, this line sets no
    # CHECKOUT_REF, GBILITE_ENV or GBILITE_IMAGE_TO_BUILD, so those
    # presumably arrive as pipeline variables from whoever starts the
    # pipeline. Confirm who may trigger pipelines with variables, since
    # this job also receives the signing ID token.
    - /bin/bash .campaigns/build_and_push_image.sh
  artifacts:
    paths:
      - .campaigns/image_info.txt