.gitlab-ci.yml

# This file is a template, and might need editing before it works on your project.
# Official framework image. Look for the different tagged releases at:
# https://hub.docker.com/r/library/node/tags/
image: docker:latest
# Pick zero or more services to be used on all builds.
# Only needed when using a docker container to run your tests in.
# Check out: http://docs.gitlab.com/ce/ci/docker/using_docker_images.html#what-is-a-service
# services:
#   - mysql:latest
#   - postgres:latest
#   - redis:latest

# This folder is cached between builds
# http://docs.gitlab.com/ce/ci/yaml/README.html#cache
cache:
  paths:
  - node_modules/

services:
  - docker:dind

test_async:
  stage: build
  image: node:10
  script:
   - npm install

build-master:
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  stage: build
  script:    
    - echo "Gitlab features"
    - echo $GITLAB_FEATURES
    - docker build --pull -t "$CI_REGISTRY_IMAGE" .
    - docker push "$CI_REGISTRY_IMAGE"
  only:
    - master

build:
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  stage: build
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
  except:
    - master

dependency_scanning:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
    - |
      docker run \
        --env DS_ANALYZER_IMAGES \
        --env DS_ANALYZER_IMAGE_PREFIX \
        --env DS_ANALYZER_IMAGE_TAG \
        --env DS_DEFAULT_ANALYZERS \
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS \
        --env DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
        --env DS_PULL_ANALYZER_IMAGE_TIMEOUT \
        --env DS_RUN_ANALYZER_TIMEOUT \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /code
  artifacts:
    when: always
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bdependency_scanning\b/
  except:
    variables:
      - $DEPENDENCY_SCANNING_DISABLED


container_scanning:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
    # Defining two new variables based on GitLab's CI/CD predefined variables
    # https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    CI_APPLICATION_TAG: $CI_COMMIT_SHA
    # Prior to this, you need to have the Container Registry running for your project and setup a build job
    # with at least the following steps:
    #
    # docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
    # docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
    #
    # Container Scanning deals with Docker images only so no need to import the project's Git repository:
    GIT_STRATEGY: none
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
    - apk add -U wget ca-certificates
    - docker pull $CI_REGISTRY_IMAGE #${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml $CI_REGISTRY_IMAGE || true
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED

sast:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
    - |
      docker run \
        --env SAST_ANALYZER_IMAGES \
        --env SAST_ANALYZER_IMAGE_PREFIX \
        --env SAST_ANALYZER_IMAGE_TAG \
        --env SAST_DEFAULT_ANALYZERS \
        --env SAST_BRAKEMAN_LEVEL \
        --env SAST_GOSEC_LEVEL \
        --env SAST_FLAWFINDER_LEVEL \
        --env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
        --env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
        --env SAST_RUN_ANALYZER_TIMEOUT \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
  artifacts:
    when: always
    reports:
      sast: gl-sast-report.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/
  except:
    variables:
      - $SAST_DISABLED


variables:
  LICENSE_MANAGEMENT_SETUP_CMD: '' # If needed, specify a command to setup your environment with a custom package manager.

license_management:
  stage: test
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
    entrypoint: [""]
  variables:
    SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD
  allow_failure: true
  script:
    - /run.sh analyze .
  artifacts:
    when: always
    reports:
      license_management: gl-license-management-report.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\blicense_management\b/
  except:
    variables:
      - $LICENSE_MANAGEMENT_DISABLED


deploy:
  stage: deploy
  image: dtzar/helm-kubectl
  script:
    - kubectl config set-cluster juju-cluster --server="${SERVER}"
    - kubectl config set clusters.k8s.certificate-authority-data ${CERTIFICATE_AUTHORITY_DATA}
    - kubectl config set-credentials admin --password="${USER_TOKEN}" --username="admin"
    - kubectl config set-context juju-context --cluster=juju-cluster --user=admin
    - kubectl config use-context juju-context
    - kubectl delete --insecure-skip-tls-verify -n sce deployment --ignore-not-found=true sce-ui
    - kubectl -n sce --insecure-skip-tls-verify apply -f deployment.yaml