feat(Templates): Ideal eXXcellent Pipeline

documentation/chapters/templates/container/container-publish.adoc

@@ -8,10 +8,9 @@ Needs a build container on the path `image.tar`. Use one of the Container build
 .Variables
 |===
 |Name |Description | Default Value
-| CONTAINER_REGISTRY | The address of the Container Registry | $CI_REGISTRY
-| CONTAINER_REGISTRY_IMAGE | The address of the project’s Container Registry.   | $CI_REGISTRY_IMAGE
+| CONTAINER_REGISTRY | Url to the remote Registry   | $CI_REGISTRY_IMAGE
 | CONTAINER_REGISTRY_USER | the user that should be used  | $CI_REGISTRY_USER
-| CONTAINER_REGISTRY_PASSWORD | the password for the remote registry  | $CI_REGISTRY_PASSWORD
+| CONTAINER_REGISTRY_PASSWORD | the passwort for the remote registry  | $CI_REGISTRY_PASSWORD
 | EXTRA_PATH | Extra path that should be between the registry path and the image tag | ""
 | IMAGE_TAG | the Tag the image should be found on | Depends on the current path. Look at the rules of the Job.
 |===

documentation/chapters/templates/container/container-scan.adoc

@@ -28,8 +28,6 @@ Wenn 0 benutzt wird, läuft die CI weiter.
 Benutzte `allow_failure: true` damit die CI weiter läuft aber ein Failure angezeigt wird.
 | -
 |GRADLE_CLI_OPTS | Zusätzliche CLI Opts für Gradle | ""
-
-|KANIKO_EXTRA_ARGS | Extra Arguments for the build of the image with Kaniko | ""
 |===
 
 .container scan template

pipelines/java-maven.gitlab-ci.yml

@@ -3,6 +3,12 @@ include:
   - '/templates/java/maven/maven-build.gitlab-ci.yml'
   - '/templates/java/maven/maven-verify.gitlab-ci.yml'
   - '/templates/java/maven/maven-database-diff.gitlab-ci.yml'
+  - '/templates/static-analysis/repo-cve-scan-trivy.gitlab-ci.yml'
+  - '/templates/static-analysis/sonar.gitlab-ci.yml'
+
+# todo doc welche Variablen gesetzt werden müssen.before_script:
+#  variables:
+#    SONAR_PROJECT_KEY: "gilde.ci.cd.restservice:java-backend-template"
 
 Dependencies-Java:
   extends: .maven-dependencies
@@ -30,10 +36,8 @@ Repo-CVE-Scan:
   allow_failure: true
   extends: .repo-cve-scan-trivy
 
-sonar:
+Sonar:
   extends: .sonar-maven
   needs:
     - job: "Build-Java"
       artifacts: true
-  variables:
-    SONAR_PROJECT_KEY: "gilde.ci.cd.restservice:java-backend-template"

templates/container/container-build.gitlab-ci.yml

@@ -30,14 +30,8 @@
     entrypoint: [ "" ]
   variables:
     DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile
-    REGISTRY_MIRROR: --registry-mirror nexus.corp.exxcellent.de:18000 --skip-tls-verify-registry nexus.corp.exxcellent.de:18000
+    REGISTRY_MIRROR: --registry-mirror nexus.corp.exxcellent.de:18000 --skip-tls-verify-registry nexus.corp.exxcellent.de:18000 --skip-tls-verify
   script:
-    - >-
-      /kaniko/executor 
-      --context $CONTEXT_LOCATION 
-      --dockerfile $DOCKERFILE_LOCATION 
-      --no-push 
-      --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA 
-      $EXTRA_ARGS 
-      $REGISTRY_MIRROR 
-      --tarPath image.tar
+    - mkdir -p /kaniko/.docker
+    - echo "{\"auths\":{\"$DOCKER_REGISTRY\":{\"username\":\"$DOCKER_REGISTRY_USER\",\"password\":\"$DOCKER_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+    - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --no-push --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA $EXTRA_ARGS $REGISTRY_MIRROR --tarPath image.tar

templates/container/container-publish.gitlab-ci.yml

@@ -4,8 +4,7 @@
     name: quay.io/containers/skopeo:v1.5.2
     entrypoint: [ "" ]
   variables:
-    CONTAINER_REGISTRY: $CI_REGISTRY
-    CONTAINER_REGISTRY_IMAGE: $CI_REGISTRY_IMAGE
+    CONTAINER_REGISTRY: $CI_REGISTRY_IMAGE
     CONTAINER_REGISTRY_USER: $CI_REGISTRY_USER
     CONTAINER_REGISTRY_PASSWORD: $CI_REGISTRY_PASSWORD
     EXTRA_PATH: ""
@@ -19,11 +18,9 @@
         EXTRA_PATH: "/snapshot"
     - if: $CI_COMMIT_REF_NAME ~= "feat"
       variables:
-        IMAGE_TAG: $CI_COMMIT_SHORT_SHA
+        IMAGE_TAG: "latest"
         EXTRA_PATH: "/feat/$CI_COMMIT_REF_NAME"
     - when: never
   script:
-    - skopeo login --username $CONTAINER_REGISTRY_USER --password $CONTAINER_REGISTRY_PASSWORD $CONTAINER_REGISTRY_IMAGE --tls-verify=false
-    - skopeo copy "docker-archive:image.tar" "docker://${CONTAINER_REGISTRY_IMAGE}${EXTRA_PATH}:${IMAGE_TAG}" --dest-tls-verify=false
-
-#TODO wir müssen noch den aktuell Tag bekommen damit wir den setzen können. (in default oder feat ausgeführt wird)
+    - skopeo login --username $CONTAINER_REGISTRY_USER --password $CONTAINER_REGISTRY_PASSWORD $CONTAINER_REGISTRY --tls-verify=false
+    - skopeo copy "docker-archive:image.tar" "docker://${CONTAINER_REGISTRY}${EXTRA_PATH}:${IMAGE_TAG}" --dest-tls-verify=false

templates/container/container-scan.gitlab-ci.yml

@@ -1,6 +1,6 @@
 .container-scan-trivy:
   image:
-    name: docker.io/aquasec/trivy:0.24.2
+    name: docker.io/aquasec/trivy:0.25.0
     entrypoint: [ "" ]
   stage: verify
   variables:

templates/java/gradle/gradle-build.gitlab-ci.yml

@@ -2,7 +2,10 @@
   stage: build
   image: $GRADLE_IMAGE
   script:
-    #    todo increase version like maven set. OR Define Gradle skript to use ENV
+    #    todo increase version like maven set. OR Define Gradle skript to use ENV Ideen:
+    #    wir überlassen den Projekten das wie sie die Version hoch zählen.
+    #    wir definieren eine Variable die beim aufruf von gradle gesetzt werden kann um die Version zu bekommen.
+    #    wir sagen das hier das plugin von palantir benutzt werden soll.
     - "./gradlew --build-cache assemble $GRADLE_CLI_OPTS"
   artifacts:
     expire_in: 2 weeks

templates/static-analysis/repo-cve-scan-trivy.gitlab-ci.yml

@@ -1,6 +1,6 @@
 .repo-cve-scan-trivy:
   image:
-    name: docker.io/aquasec/trivy:0.25.1
+    name: docker.io/aquasec/trivy:0.25.0
     entrypoint: [ "" ]
   stage: verify
   needs: []