Diffstat (limited to 'lib/gitlab/ci/templates')
24 files changed, 228 insertions, 109 deletions
diff --git a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
index adb5d430d46..89fd59d98f4 100644
--- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
@@ -179,3 +179,11 @@ include:
 - template: Security/License-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
 - template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
 - template: Security/Secret-Detection.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
+
+# The latest build job generates a dotenv report artifact with a CI_APPLICATION_TAG
+# that also includes the image digest. This configures Auto Deploy to receive
+# this artifact and use the updated CI_APPLICATION_TAG for deployments.
+.auto-deploy:
+ dependencies: [build]
+dast_environment_deploy:
+ dependencies: [build]
diff --git a/lib/gitlab/ci/templates/Django.gitlab-ci.yml b/lib/gitlab/ci/templates/Django.gitlab-ci.yml
index f147ad9332d..426076c84a1 100644
--- a/lib/gitlab/ci/templates/Django.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Django.gitlab-ci.yml
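Review bot: `dependencies: [build]` on `.auto-deploy` and on `dast_environment_deploy` names a job that `Jobs/Build.latest.gitlab-ci.yml` in this same commit excludes under `$BUILD_DISABLED`; confirm that GitLab accepts a `dependencies` entry whose job was dropped by `rules`, otherwise projects that disable the build lose every deploy job. The comment credits "the latest build job", and only `Jobs/Build.latest.gitlab-ci.yml` gains the `dotenv:` report in this diff, so if this file's `include:` list (outside the hunk) still pulls the stable `Jobs/Build.gitlab-ci.yml`, deploy jobs get the narrowed artifact download but no updated `CI_APPLICATION_TAG`. Naming the producing template would make that checkable, e.g. `# Jobs/Build.latest.gitlab-ci.yml publishes gl-auto-build-variables.env as a dotenv report`. Note also that `dependencies` limits artifact download to `build` alone, so artifacts from any other earlier-stage job are no longer fetched by these deploy jobs.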
@@ -1,54 +1,76 @@
-# To contribute improvements to CI/CD templates, please follow the Development guide at:
-# https://docs.gitlab.com/ee/development/cicd/templates.html
-# This specific template is located at:
-# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Django.gitlab-ci.yml
-
-# Official framework image. Look for the different tagged releases at:
-# https://hub.docker.com/r/library/python
-image: python:latest
-
-# Pick zero or more services to be used on all builds.
-# Only needed when using a docker container to run your tests in.
-# Check out: http://docs.gitlab.com/ee/ci/docker/using_docker_images.html#what-is-a-service
-services:
- - mysql:latest
- - postgres:latest
+# This example is for testing Django with MySQL.
+#
+# The test CI/CD variables MYSQL_DB, MYSQL_USER and MYSQL_PASS can be set in the project settings at:
+# Settings --> CI/CD --> Variables
+#
+# The Django settings in settings.py, used in tests, might look similar to:
+#
+# DATABASES = {
+# 'default': {
+# 'ENGINE': 'django.db.backends.mysql',
+# 'NAME': os.environ.get('MYSQL_DATABASE'),
+# 'USER': os.environ.get('MYSQL_USER'),
+# 'PASSWORD': os.environ.get('MYSQL_PASSWORD'),
+# 'HOST': 'mysql',
+# 'PORT': '3306',
+# 'CONN_MAX_AGE':60,
+# },
+# }
+#
+# It is possible to use '--settings' to specify a custom settings file on the command line below or use an environment
+# variable to trigger an include on the bottom of your settings.py:
+# if os.environ.get('DJANGO_CONFIG')=='test':
+# from .settings_test import *
+#
+# It is also possible to hardcode the database name and credentials in the settings.py file and in the .gitlab-ci.yml file.
+#
+# The mysql service needs some variables too. See https://hub.docker.com/_/mysql for possible mysql env variables
+# Note that when using a service in GitLab CI/CD that needs environment variables to run, only variables defined in
+# .gitlab-ci.yml are passed to the service and variables defined in the GitLab UI are not.
+# https://gitlab.com/gitlab-org/gitlab/-/issues/30178
 variables:
- POSTGRES_DB: database_name
+ # DJANGO_CONFIG: "test"
+ MYSQL_DATABASE: $MYSQL_DB
+ MYSQL_ROOT_PASSWORD: $MYSQL_PASS
+ MYSQL_USER: $MYSQL_USER
+ MYSQL_PASSWORD: $MYSQL_PASS
-# This folder is cached between builds
-# https://docs.gitlab.com/ee/ci/yaml/index.html#cache
-cache:
- paths:
- - ~/.cache/pip/
+default:
+ image: ubuntu:20.04
+ #
+ # Pick zero or more services to be used on all builds.
+ # Only needed when using a docker container to run your tests in.
+ # Check out: http://docs.gitlab.com/ee/ci/docker/using_docker_images.html#what-is-a-service
+ services:
+ - mysql:8.0
+ #
+ # This folder is cached between builds
+ # http://docs.gitlab.com/ee/ci/yaml/README.html#cache
+ cache:
+ paths:
+ - ~/.cache/pip/
+ before_script:
+ - apt -y update
+ - apt -y install apt-utils
+ - apt -y install net-tools python3.8 python3-pip mysql-client libmysqlclient-dev
+ - apt -y upgrade
+ - pip3 install -r requirements.txt
-# This is a basic example for a gem or script which doesn't use
-# services such as redis or postgres
-before_script:
- - python -V # Print out python version for debugging
- # Uncomment next line if your Django app needs a JS runtime:
- # - apt-get update -q && apt-get install nodejs -yqq
- - pip install -r requirements.txt
-# To get Django tests to work you may need to create a settings file using
-# the following DATABASES:
-#
-# DATABASES = {
-# 'default': {
-# 'ENGINE': 'django.db.backends.postgresql_psycopg2',
-# 'NAME': 'ci',
-# 'USER': 'postgres',
-# 'PASSWORD': 'postgres',
-# 'HOST': 'postgres',
-# 'PORT': '5432',
-# },
-# }
-#
-# and then adding `--settings app.settings.ci` (or similar) to the test command
+migrations:
+ stage: build
+ script:
+ - python3 manage.py makemigrations
+ # - python3 manage.py makemigrations myapp
+ - python3 manage.py migrate
+ - python3 manage.py check
+
-test:
- variables:
- DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/$POSTGRES_DB"
+django-tests:
+ stage: test
 script:
- - python manage.py test
+ # The MYSQL user only gets permissions for MYSQL_DB, so Django can't create a test database.
+ - echo "GRANT ALL on *.* to '${MYSQL_USER}';"| mysql -u root --password="${MYSQL_ROOT_PASSWORD}" -h mysql
+ # use python3 explicitly. see https://wiki.ubuntu.com/Python/3
+ - python3 manage.py test
diff --git a/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml
index 56899614cc6..99fd9870b1d 100644
--- a/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml
@@ -70,7 +70,7 @@ browser_performance:
 reports:
 browser_performance: browser-performance.json
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$BROWSER_PERFORMANCE_DISABLED'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.latest.gitlab-ci.yml
index 56899614cc6..99fd9870b1d 100644
--- a/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.latest.gitlab-ci.yml
@@ -70,7 +70,7 @@ browser_performance:
 reports:
 browser_performance: browser-performance.json
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$BROWSER_PERFORMANCE_DISABLED'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml
index 6a3b0cfa9e7..211adc9bd5b 100644
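Review bot: `GRANT ALL on *.* to '${MYSQL_USER}'` in `django-tests` hands the test account global privileges when Django's test runner only needs to create and drop its `test_`-prefixed copy of the database; the grant can be scoped to that pattern, e.g. `GRANT ALL ON test_${MYSQL_DATABASE}.* TO '${MYSQL_USER}';` (assuming `MYSQL_DATABASE` needs no identifier quoting). The root password is passed as `--password=` on the command line and is the same `$MYSQL_PASS` as the application user's (`MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` in `variables:`); for a throwaway service container that is tolerable, but the comment should say so, and `MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" mysql -u root -h mysql` keeps the secret out of the argument list. In `default.before_script` the `apt -y install` calls on `ubuntu:20.04` run without `DEBIAN_FRONTEND=noninteractive`, so if any of those packages pulls in a configure prompt (tzdata is the usual one) the job hangs, and `apt -y upgrade` on every run makes the environment non-reproducible.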
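Review bot: the new condition in `browser_performance` treats any non-empty `$KUBECONFIG` as proof that a cluster is available, which is a much broader trigger than `$CI_KUBERNETES_ACTIVE`: a project or group that defines a `KUBECONFIG` CI variable for its own jobs, or a runner that exports one, now enables this job and every deploy job gated the same way. Presumably the value is expected to come from a kubeconfig that GitLab supplies to the job; a comment on the rule would record that, e.g. `# Skip unless a cluster is reachable via the cluster integration ($CI_KUBERNETES_ACTIVE) or a supplied $KUBECONFIG`. The same rule change appears in Browser-Performance-Testing.latest, CF-Provision, DAST-Default-Branch-Deploy, Deploy, Deploy.latest, Deploy/EC2, Deploy/ECS, Helm-2to3, Load-Performance-Testing, Security/DAST and Security/DAST.latest, and this note applies to each of them. `browser_performance` starts outside the hunk.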
--- a/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml
@@ -3,7 +3,7 @@ # This template is scheduled for removal when testing is complete: https://gitlab.com/gitlab-org/gitlab/-/issues/337987
 variables:
- AUTO_BUILD_IMAGE_VERSION: 'v1.3.1'
+ AUTO_BUILD_IMAGE_VERSION: 'v1.5.0'
 build:
 stage: build
@@ -23,6 +23,9 @@ build:
 export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG}
 fi
 - /build/build.sh
+ artifacts:
+ reports:
+ dotenv: gl-auto-build-variables.env
 rules:
 - if: '$BUILD_DISABLED'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/CF-Provision.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/CF-Provision.gitlab-ci.yml
index 31ca68c57d7..11f8376f0b4 100644
--- a/lib/gitlab/ci/templates/Jobs/CF-Provision.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/CF-Provision.gitlab-ci.yml
@@ -9,6 +9,6 @@ cloud_formation:
 rules:
 - if: '($AUTO_DEVOPS_PLATFORM_TARGET != "EC2") || ($AUTO_DEVOPS_PLATFORM_TARGET != "ECS")'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$CI_COMMIT_TAG || $CI_COMMIT_BRANCH'
diff --git a/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
index 65a58130962..28ac627f103 100644
--- a/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
@@ -1,5 +1,5 @@
 variables:
- DAST_AUTO_DEPLOY_IMAGE_VERSION: 'v2.14.0'
+ DAST_AUTO_DEPLOY_IMAGE_VERSION: 'v2.17.0'
 .dast-auto-deploy:
 image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-deploy-image:${DAST_AUTO_DEPLOY_IMAGE_VERSION}"
@@ -10,6 +10,7 @@ dast_environment_deploy:
 script:
 - auto-deploy check_kube_domain
 - auto-deploy download_chart
+ - auto-deploy use_kube_context || true
 - auto-deploy ensure_namespace
 - auto-deploy initialize_tiller
 - auto-deploy create_secret
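Review bot: the `dotenv:` report added to `build` is loaded as variables into every job that lists `build` in `dependencies`, so whatever `KEY=value` pairs end up in `gl-auto-build-variables.env` override those jobs' own variables, and nothing in the hunk says who writes the file or which keys it may contain. A comment would pin that contract, e.g. `# gl-auto-build-variables.env is expected from /build/build.sh; it should carry only CI_APPLICATION_TAG` — "expected" because the script lives in the auto-build-image rather than in this template and its output is not visible here. `build` starts before the hunk and its `rules:` continue after it.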
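Review bot: `auto-deploy use_kube_context || true` in `dast_environment_deploy` discards the subcommand's exit status, so if selecting the context fails (for example because `$KUBECONFIG` names a context that is not present) the script carries on into `ensure_namespace`, `initialize_tiller` and `create_secret` against whatever context kubectl resolves by default, and the failure is visible only in the log. If the `|| true` is there because the subcommand is expected to exit non-zero when no kubeconfig is supplied, a comment should say so, e.g. `# may fail when only CI_KUBERNETES_ACTIVE is set; the cluster-integration context is used then`. The same line is added to `stop_dast_environment` and to the review, staging, canary and production jobs in Jobs/Deploy.gitlab-ci.yml, while Jobs/Deploy.latest.gitlab-ci.yml receives the `$KUBECONFIG` rule changes but no `use_kube_context` step in this diff — if its scripts mirror Deploy.gitlab-ci.yml (they are outside the hunks), the jobs it enables via `$KUBECONFIG` never select a context. `dast_environment_deploy` starts before the hunk.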
@@ -29,7 +30,7 @@ dast_environment_deploy:
 - if: $DAST_WEBSITE # we don't need to create a review app if a URL is already given
 when: never
 - if: $CI_COMMIT_BRANCH &&
- $CI_KUBERNETES_ACTIVE &&
+ ($CI_KUBERNETES_ACTIVE || $KUBECONFIG) &&
 $GITLAB_FEATURES =~ /\bdast\b/
 stop_dast_environment:
@@ -38,6 +39,7 @@ stop_dast_environment:
 variables:
 GIT_STRATEGY: none
 script:
+ - auto-deploy use_kube_context || true
 - auto-deploy initialize_tiller
 - auto-deploy delete
 environment:
@@ -52,6 +54,6 @@ stop_dast_environment:
 - if: $DAST_WEBSITE # we don't need to create a review app if a URL is already given
 when: never
 - if: $CI_COMMIT_BRANCH &&
- $CI_KUBERNETES_ACTIVE &&
+ ($CI_KUBERNETES_ACTIVE || $KUBECONFIG) &&
 $GITLAB_FEATURES =~ /\bdast\b/
 when: always
diff --git a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
index 58f13746a1f..973db26bf2d 100644
--- a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
@@ -1,5 +1,5 @@
 variables:
- AUTO_DEPLOY_IMAGE_VERSION: 'v2.14.0'
+ AUTO_DEPLOY_IMAGE_VERSION: 'v2.17.0'
 .auto-deploy:
 image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-deploy-image:${AUTO_DEPLOY_IMAGE_VERSION}"
@@ -11,6 +11,7 @@ review:
 script:
 - auto-deploy check_kube_domain
 - auto-deploy download_chart
+ - auto-deploy use_kube_context || true
 - auto-deploy ensure_namespace
 - auto-deploy initialize_tiller
 - auto-deploy create_secret
@@ -24,7 +25,7 @@ review:
 paths: [environment_url.txt, tiller.log]
 when: always
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: never
@@ -38,6 +39,7 @@ stop_review:
 variables:
 GIT_STRATEGY: none
 script:
+ - auto-deploy use_kube_context || true
 - auto-deploy initialize_tiller
 - auto-deploy delete
 environment:
@@ -45,7 +47,7 @@ stop_review:
 action: stop
 allow_failure: true
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: never
@@ -66,6 +68,7 @@ staging:
 script:
 - auto-deploy check_kube_domain
 - auto-deploy download_chart
+ - auto-deploy use_kube_context || true
 - auto-deploy ensure_namespace
 - auto-deploy initialize_tiller
 - auto-deploy create_secret
@@ -74,7 +77,7 @@ staging:
 name: staging
 url: http://$CI_PROJECT_PATH_SLUG-staging.$KUBE_INGRESS_BASE_DOMAIN
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
@@ -91,6 +94,7 @@ canary:
 script:
 - auto-deploy check_kube_domain
 - auto-deploy download_chart
+ - auto-deploy use_kube_context || true
 - auto-deploy ensure_namespace
 - auto-deploy initialize_tiller
 - auto-deploy create_secret
@@ -101,7 +105,7 @@ canary:
 rules:
 - if: '$CI_DEPLOY_FREEZE != null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
@@ -114,6 +118,7 @@ canary:
 script:
 - auto-deploy check_kube_domain
 - auto-deploy download_chart
+ - auto-deploy use_kube_context || true
 - auto-deploy ensure_namespace
 - auto-deploy initialize_tiller
 - auto-deploy create_secret
@@ -132,7 +137,7 @@ production:
 rules:
 - if: '$CI_DEPLOY_FREEZE != null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$STAGING_ENABLED'
 when: never
@@ -150,7 +155,7 @@ production_manual:
 rules:
 - if: '$CI_DEPLOY_FREEZE != null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$INCREMENTAL_ROLLOUT_ENABLED'
 when: never
@@ -168,6 +173,7 @@ production_manual:
 script:
 - auto-deploy check_kube_domain
 - auto-deploy download_chart
+ - auto-deploy use_kube_context || true
 - auto-deploy ensure_namespace
 - auto-deploy initialize_tiller
 - auto-deploy create_secret
@@ -188,7 +194,7 @@ production_manual:
 rules:
 - if: '$CI_DEPLOY_FREEZE != null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$INCREMENTAL_ROLLOUT_MODE == "timed"'
 when: never
@@ -203,7 +209,7 @@ production_manual:
 rules:
 - if: '$CI_DEPLOY_FREEZE != null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$INCREMENTAL_ROLLOUT_MODE == "manual"'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml
index 530ab1d0f99..248040b8b18 100644
--- a/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml
@@ -21,7 +21,7 @@ review:
 paths: [environment_url.txt, tiller.log]
 when: always
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: never
@@ -42,7 +42,7 @@ stop_review:
 action: stop
 allow_failure: true
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: never
@@ -71,7 +71,7 @@ staging:
 name: staging
 url: http://$CI_PROJECT_PATH_SLUG-staging.$KUBE_INGRESS_BASE_DOMAIN
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
@@ -96,7 +96,7 @@ canary:
 name: production
 url: http://$CI_PROJECT_PATH_SLUG.$KUBE_INGRESS_BASE_DOMAIN
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
@@ -125,7 +125,7 @@ canary:
 production:
 <<: *production_template
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$STAGING_ENABLED'
 when: never
@@ -141,7 +141,7 @@ production_manual:
 <<: *production_template
 allow_failure: false
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$INCREMENTAL_ROLLOUT_ENABLED'
 when: never
@@ -177,7 +177,7 @@ production_manual:
 resource_group: production
 allow_failure: true
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$INCREMENTAL_ROLLOUT_MODE == "timed"'
 when: never
@@ -190,7 +190,7 @@ production_manual:
 .timed_rollout_template: &timed_rollout_template
 <<: *rollout_template
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$INCREMENTAL_ROLLOUT_MODE == "manual"'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Deploy/EC2.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy/EC2.gitlab-ci.yml
index 7efbcab221b..ab3bc511cba 100644
--- a/lib/gitlab/ci/templates/Jobs/Deploy/EC2.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Deploy/EC2.gitlab-ci.yml
@@ -16,7 +16,7 @@ review_ec2:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "EC2"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$REVIEW_DISABLED'
 when: never
@@ -32,7 +32,7 @@ production_ec2:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "EC2"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Deploy/ECS.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy/ECS.gitlab-ci.yml
index 332c58c8695..9bb2ba69d84 100644
--- a/lib/gitlab/ci/templates/Jobs/Deploy/ECS.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Deploy/ECS.gitlab-ci.yml
@@ -42,7 +42,7 @@ review_ecs:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "ECS"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$REVIEW_DISABLED'
 when: never
@@ -58,7 +58,7 @@ stop_review_ecs:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "ECS"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$REVIEW_DISABLED'
 when: never
@@ -77,7 +77,7 @@ review_fargate:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "FARGATE"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$REVIEW_DISABLED'
 when: never
@@ -93,7 +93,7 @@ stop_review_fargate:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "FARGATE"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$REVIEW_DISABLED'
 when: never
@@ -107,7 +107,7 @@ production_ecs:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "ECS"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
@@ -118,7 +118,7 @@ production_fargate:
 rules:
 - if: '$AUTO_DEVOPS_PLATFORM_TARGET != "FARGATE"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE'
+ - if: '$CI_KUBERNETES_ACTIVE || $KUBECONFIG'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Helm-2to3.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Helm-2to3.gitlab-ci.yml
index 1ec1aa60d88..d55c126eeb7 100644
--- a/lib/gitlab/ci/templates/Jobs/Helm-2to3.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Helm-2to3.gitlab-ci.yml
@@ -72,7 +72,7 @@
 rules:
 - if: '$MIGRATE_HELM_2TO3 != "true"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: never
@@ -89,7 +89,7 @@ review:helm-2to3:cleanup:
 rules:
 - if: '$MIGRATE_HELM_2TO3 != "true" && $CLEANUP_HELM_2TO3 == null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: never
@@ -104,7 +104,7 @@ review:helm-2to3:cleanup:
 rules:
 - if: '$MIGRATE_HELM_2TO3 != "true"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
@@ -119,7 +119,7 @@ staging:helm-2to3:cleanup:
 rules:
 - if: '$MIGRATE_HELM_2TO3 != "true" && $CLEANUP_HELM_2TO3 == null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
 when: never
@@ -132,7 +132,7 @@ staging:helm-2to3:cleanup:
 rules:
 - if: '$MIGRATE_HELM_2TO3 != "true"'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: manual
@@ -145,7 +145,7 @@ production:helm-2to3:cleanup:
 rules:
 - if: '$MIGRATE_HELM_2TO3 != "true" && $CLEANUP_HELM_2TO3 == null'
 when: never
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
 when: manual
diff --git a/lib/gitlab/ci/templates/Jobs/Load-Performance-Testing.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Load-Performance-Testing.gitlab-ci.yml
index 9a7c513c25f..8e34388893a 100644
--- a/lib/gitlab/ci/templates/Jobs/Load-Performance-Testing.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Load-Performance-Testing.gitlab-ci.yml
@@ -23,7 +23,7 @@ load_performance:
 reports:
 load_performance: load-performance.json
 rules:
- - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
+ - if: '($CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == "") && ($KUBECONFIG == null || $KUBECONFIG == "")'
 when: never
 - if: '$LOAD_PERFORMANCE_DISABLED'
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
new file mode 100644
index 00000000000..b763705857e
--- /dev/null
+++ b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
@@ -0,0 +1,34 @@
+variables:
+ # Setting this variable will affect all Security templates
+ # (SAST, Dependency Scanning, ...)
+ SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+ SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
+
+iac-sast:
+ stage: test
+ artifacts:
+ reports:
+ sast: gl-sast-report.json
+ rules:
+ - when: never
+ # `rules` must be overridden explicitly by each child job
+ # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
+ variables:
+ SEARCH_MAX_DEPTH: 4
+ allow_failure: true
+ script:
+ - /analyzer run
+
+kics-iac-sast:
+ extends: iac-sast
+ image:
+ name: "$SAST_ANALYZER_IMAGE"
+ variables:
+ SAST_ANALYZER_IMAGE_TAG: 0
+ SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
+ rules:
+ - if: $SAST_DISABLED
+ when: never
+ - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
+ when: never
+ - if: $CI_COMMIT_BRANCH
diff --git a/lib/gitlab/ci/templates/Kaniko.gitlab-ci.yml b/lib/gitlab/ci/templates/Kaniko.gitlab-ci.yml
new file mode 100644
index 00000000000..f1b1c20b4e0
--- /dev/null
+++ b/lib/gitlab/ci/templates/Kaniko.gitlab-ci.yml
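Review bot: `SAST_ANALYZER_IMAGE_TAG: 0` in `kics-iac-sast` is an unquoted YAML integer while every other value in this new file is a quoted string; GitLab stringifies it, but `SAST_ANALYZER_IMAGE_TAG: "0"` keeps the file consistent and stops a later `1.0` from being parsed as a float. Because `$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG` pins only a major version, the analyzer image that actually runs is whatever the `kics:0` tag resolves to at job time; if that floating tag is intentional, a comment next to the variable should say so, e.g. `# Major-version tag; set SAST_ANALYZER_IMAGE_TAG to an exact release to pin the analyzer`. The `rules` on `kics-iac-sast` end with `- if: $CI_COMMIT_BRANCH`, so the job never runs in tag or merge request pipelines; a one-line comment stating that scope would save readers comparing it with the other Security templates.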
@@ -0,0 +1,47 @@
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Kaniko.gitlab-ci.yml
+
+# Build and publish a tag/branch to Gitlab Docker Registry using Kaniko and Gitlab Docker executor.
+# Kaniko can build Docker images without using Docker-In-Docker and it's permission
+# drawbacks. No additional configuration required.
+kaniko-build:
+ variables:
+ # Additional options for Kaniko executor.
+ # For more details see https://github.com/GoogleContainerTools/kaniko/blob/master/README.md#additional-flags
+ KANIKO_ARGS: ""
+ stage: build
+ image:
+ # For latest releases see https://github.com/GoogleContainerTools/kaniko/releases
+ # Only debug/*-debug versions of the Kaniko image are known to work within Gitlab CI
+ name: gcr.io/kaniko-project/executor:debug
+ entrypoint: [""]
+ script:
+ # Compose docker tag name
+ # Git Branch/Tag to Docker Image Tag Mapping
+ # * Default Branch: main -> latest
+ # * Branch: feature/my-feature -> branch-feature-my-feature
+ # * Tag: v1.0.0/beta2 -> v1.0.0-beta2
+ - |
+ if [ "$CI_COMMIT_REF_NAME" = $CI_DEFAULT_BRANCH ]; then
+ VERSION="latest"
+ elif [ -n "$CI_COMMIT_TAG" ];then
+ NOSLASH=$(echo "$CI_COMMIT_TAG" | tr -s / - )
+ SANITIZED="${NOSLASH//[^a-zA-Z0-9\-\.]/}"
+ VERSION="$SANITIZED"
+ else \
+ NOSLASH=$(echo "$CI_COMMIT_REF_NAME" | tr -s / - )
+ SANITIZED="${NOSLASH//[^a-zA-Z0-9\-]/}"
+ VERSION="branch-$SANITIZED"
+ fi
+ - echo $VERSION
+ - mkdir -p /kaniko/.docker
+ # Write credentials to access Gitlab Container Registry within the runner/ci
+ - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
+ # Build and push the container. To disable push add --no-push
+ - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$VERSION $KANIKO_ARGS
+ # Run this job in a branch/tag where a Dockerfile exists
+ rules:
+ - exists:
+ - Dockerfile
diff --git a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
index ceeefa8aea6..544774d3b06 100644
--- a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
@@ -1,7 +1,7 @@
 # To contribute improvements to CI/CD templates, please follow the Development guide at:
 # https://docs.gitlab.com/ee/development/cicd/templates.html
 # This specific template is located at:
-# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.lastest.gitlab-ci.yml
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
 # Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
 #
diff --git a/lib/gitlab/ci/templates/Security/Cluster-Image-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Cluster-Image-Scanning.gitlab-ci.yml
index ed4876c2bcc..6b861510eef 100644
--- a/lib/gitlab/ci/templates/Security/Cluster-Image-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Cluster-Image-Scanning.gitlab-ci.yml
@@ -12,7 +12,7 @@ # List of available variables: https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/#available-variables
 variables:
- CIS_ANALYZER_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning:0
+ CIS_ANALYZER_IMAGE: registry.gitlab.com/security-products/cluster-image-scanning:0
 cluster_image_scanning:
 image: "$CIS_ANALYZER_IMAGE"
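Review bot: `[ "$CI_COMMIT_REF_NAME" = $CI_DEFAULT_BRANCH ]` in `kaniko-build` leaves `$CI_DEFAULT_BRANCH` unquoted, and the `else \` a few lines below carries a stray line continuation that only works because the following assignment happens to be joined onto `else`; make it `if [ "$CI_COMMIT_REF_NAME" = "$CI_DEFAULT_BRANCH" ]; then` and a bare `else`. The `${NOSLASH//[^a-zA-Z0-9\-\.]/}` substitutions are bash syntax while the `executor:debug` image's shell is busybox-based, so whether they are honoured depends on how that busybox was built; `tr -cd 'a-zA-Z0-9.-'` appended to the pipeline that already runs `tr -s / -` would be portable. In the credentials line, `echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}` is unquoted and depends on `echo -n`, which is not portable either; `printf '%s' "${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}"` is the safe form for a value that becomes a registry credential. Since the job's only gate is `exists: Dockerfile`, every branch and tag push publishes an image, which the header comment should state next to the `--no-push` hint.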
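Review bot: `CIS_ANALYZER_IMAGE` now points at `registry.gitlab.com/security-products/cluster-image-scanning:0`, a different namespace from the `registry.gitlab.com/gitlab-org/security-products/analyzers` prefix that the other Security templates in this commit still use through `SECURE_ANALYZERS_PREFIX`, and a reader comparing templates will take it for a typo. A comment stating that the move is deliberate, e.g. `# Published under registry.gitlab.com/security-products, not under SECURE_ANALYZERS_PREFIX`, would keep the location from being "fixed" back to the old path. The surrounding `variables:` and `cluster_image_scanning:` blocks continue outside the hunk.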
diff --git a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
index 0802868d67f..0ecbe5e14b8 100644
--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -51,7 +51,7 @@ dast:
 $REVIEW_DISABLED
 when: never
 - if: $CI_COMMIT_BRANCH &&
- $CI_KUBERNETES_ACTIVE &&
+ ($CI_KUBERNETES_ACTIVE || $KUBECONFIG) &&
 $GITLAB_FEATURES =~ /\bdast\b/
 - if: $CI_COMMIT_BRANCH &&
 $GITLAB_FEATURES =~ /\bdast\b/
diff --git a/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
index ac7d87a4cda..3d07674c377 100644
--- a/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
@@ -1,7 +1,7 @@
 # To contribute improvements to CI/CD templates, please follow the Development guide at:
 # https://docs.gitlab.com/ee/development/cicd/templates.html
 # This specific template is located at:
-# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST.lastest.gitlab-ci.yml
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
 # To use this template, add the following to your .gitlab-ci.yml file:
 #
@@ -52,7 +52,7 @@ dast:
 $DAST_API_SPECIFICATION == null
 when: never
 - if: $CI_COMMIT_BRANCH &&
- $CI_KUBERNETES_ACTIVE &&
+ ($CI_KUBERNETES_ACTIVE || $KUBECONFIG) &&
 $GITLAB_FEATURES =~ /\bdast\b/
 - if: $CI_COMMIT_BRANCH &&
 $DAST_WEBSITE
diff --git a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
index aa7b394a13c..197ce2438e6 100644
--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
@@ -74,6 +74,9 @@ gemnasium-maven-dependency_scanning:
 # override the analyzer image with a custom value. This may be subject to change or
 # breakage across GitLab releases.
 DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
+ # Stop reporting Gradle as "maven".
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
+ DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
 rules:
 - if: $DEPENDENCY_SCANNING_DISABLED
 when: never
@@ -97,6 +100,9 @@ gemnasium-python-dependency_scanning:
 # override the analyzer image with a custom value. This may be subject to change or
 # breakage across GitLab releases.
 DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
+ # Stop reporting Pipenv and Setuptools as "pip".
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
+ DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
 rules:
 - if: $DEPENDENCY_SCANNING_DISABLED
 when: never
diff --git a/lib/gitlab/ci/templates/Security/SAST-IaC.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST-IaC.latest.gitlab-ci.yml
new file mode 100644
index 00000000000..8c0d72ff282
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/SAST-IaC.latest.gitlab-ci.yml
@@ -0,0 +1,2 @@
+include:
+ template: Jobs/SAST-IaC.latest.gitlab-ci.yml
diff --git a/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml
index 081a3a6cc78..e554742735c 100644
--- a/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml
@@ -7,20 +7,17 @@ include:
 - template: Terraform/Base.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
 stages:
- - init
 - validate
 - build
 - deploy
- - cleanup
-
-init:
- extends: .terraform:init
 fmt:
 extends: .terraform:fmt
+ needs: []
 validate:
 extends: .terraform:validate
+ needs: []
 build:
 extends: .terraform:build
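Review bot: `cleanup` is removed from `stages:` here, but `.terraform:destroy` in Terraform/Base.latest.gitlab-ci.yml (visible as context in that file's second hunk) still declares `stage: cleanup`; if this template defines a job extending `.terraform:destroy` below the hunk, the pipeline configuration becomes invalid because the job's stage no longer exists. With the `init` job and stage gone, `validate` and `build` now depend on the working directory being initialised some other way; if that relies on `gitlab-terraform` running `init` implicitly (its behaviour is not shown in the diff), a comment on `stages:` should say so, e.g. `# no init stage: gitlab-terraform initialises the working directory itself`. `needs: []` on `fmt` and `validate` deserves the same one-line why-comment. The file's remaining jobs continue past the hunk.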
diff --git a/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
index 3a70e6bc4b8..a0ec07e61e1 100644
--- a/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
@@ -21,18 +21,11 @@ cache:
 paths:
 - ${TF_ROOT}/.terraform/
-.terraform:init: &terraform_init
- stage: init
- script:
- - cd ${TF_ROOT}
- - gitlab-terraform init
-
 .terraform:fmt: &terraform_fmt
 stage: validate
- needs: []
 script:
 - cd ${TF_ROOT}
- - gitlab-terraform fmt -check -recursive
+ - gitlab-terraform fmt
 allow_failure: true
 .terraform:validate: &terraform_validate
@@ -60,10 +53,9 @@ cache:
 - cd ${TF_ROOT}
 - gitlab-terraform apply
 resource_group: ${TF_STATE_NAME}
- when: manual
- only:
- variables:
- - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ when: manual
 .terraform:destroy: &terraform_destroy
 stage: cleanup
diff --git a/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml b/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml
index 22c40d8a8b8..4f63ff93d4d 100644
--- a/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml
@@ -13,7 +13,7 @@ stages:
 a11y:
 stage: accessibility
- image: registry.gitlab.com/gitlab-org/ci-cd/accessibility:5.3.0-gitlab.3
+ image: registry.gitlab.com/gitlab-org/ci-cd/accessibility:6.0.1
 script: /gitlab-accessibility.sh $a11y_urls
 allow_failure: true
 artifacts: |
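Review bot: `.terraform:fmt` now runs `gitlab-terraform fmt` without `-check -recursive`; if the wrapper passes the bare command through, `terraform fmt` rewrites files in the job's checkout and exits 0, so together with the `allow_failure: true` already on the job it can never report unformatted code. If the wrapper's `fmt` subcommand now adds `-check` itself, say so where the flags were dropped, e.g. `# gitlab-terraform fmt adds -check itself`, so the next reader does not reinstate them. The `.terraform:validate` anchor and the rest of the file continue past the hunk.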