adrien/ansible-docker
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Compare commits

base: adrien:bca3f9b9c4bcb84fe41394f3adb583fd2c7a5dfa
Branches Tags
adrien:master
..
compare: adrien:eb5021441b24e87b7fb8afddd05f696a21140589
Branches Tags
adrien:master

No commits in common. "bca3f9b9c4bcb84fe41394f3adb583fd2c7a5dfa" and "eb5021441b24e87b7fb8afddd05f696a21140589" have entirely different histories.
bca3f9b9c4 ... eb5021441b

2 changed files with 28 additions and 60 deletions
Download patch file Download diff file Expand all files Collapse all files

71
.gitlab-ci.yml
View file

@ -1,76 +1,29 @@
include:
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
stages: stages:
- test - verify
- build - build
- trivy
variables: variables:
STORAGE_DRIVER: vfs IMAGE_NAME: "$CI_REGISTRY_IMAGE"
BUILDAH_FORMAT: docker
BUILDAH_ISOLATION: chroot image: docker:latest
# Beyond this point, each top level item is a Job name (beside templates) # Beyond this point, each top level item is a Job name (beside templates)
# NB: each job is run on a separate container # NB: each job is run on a separate container
docker:lint: docker:lint:
stage: test stage: verify
image: projectatomic/dockerfile-lint image: projectatomic/dockerfile-lint
script: script:
- dockerfile_lint -p -f ansible.Dockerfile - dockerfile_lint -p -f ansible.Dockerfile
build: build:
stage: build stage: build
image: fedora image: docker:latest
script: script:
- dnf install -y podman buildah git - docker login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"
- sed -i '/^mountopt =.*/d' /etc/containers/storage.conf - export DATE=$(date +%Y%m%d)
- podman login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY" - docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:$DATE .
- podman pull "$CI_REGISTRY_IMAGE:latest" - docker push $CI_REGISTRY_IMAGE:$DATE
- export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`") - docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:latest .
- podman build --cache-from "$CI_REGISTRY_IMAGE:latest" -f ansible.Dockerfile -t ${CI_REGISTRY_IMAGE}:$DATE -t ${CI_REGISTRY_IMAGE}:latest . - docker push $CI_REGISTRY_IMAGE:latest
- podman push ${CI_REGISTRY_IMAGE}:$DATE
- podman push ${CI_REGISTRY_IMAGE}:latest
# Scan with Trivy. Normaly image is at ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
#container_scanning:trivy:
trivy:
stage: trivy
image: docker.io/aquasec/trivy:latest
allow_failure: true
interruptible: true
variables:
GIT_STRATEGY: fetch
CI_APPLICATION_REPOSITORY: ""
CI_APPLICATION_TAG: ""
TRIVY_USERNAME: "$CI_REGISTRY_USER"
TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
TRIVY_AUTH_URL: "$CI_REGISTRY"
TRIVY_SEVERITY: "HIGH,CRITICAL"
script:
- export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
- trivy --version
# Build report
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json ${CI_REGISTRY_IMAGE}:$DATE
# Print report
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
# Fail on high and critical vulnerabilities
- trivy --exit-code 1 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
cache:
paths:
- .trivycache/
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
# only:
# refs:
# - branches
# variables:
# - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
except:
variables:
- $CONTAINER_SCANNING_DISABLED

17
ansible.Dockerfile
View file

@ -19,6 +19,21 @@ RUN apk --no-cache --update add ca-certificates bash curl openssh-client openssl
# apk --no-cache upgrade && \ # apk --no-cache upgrade && \
ln -s /usr/local/bin/python3 /usr/bin/python3 ln -s /usr/local/bin/python3 /usr/bin/python3
#RUN VAULT_VERSION=1.7.3 && \
# wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
# unzip vault_${VAULT_VERSION}_linux_amd64.zip && \
# install vault /usr/local/bin/vault -o root -g root -m 0755 && \
# rm -f vault vault_${VAULT_VERSION}_linux_amd64.zip && \
RUN KUBECTL_VERSION=v1.21.3 && HELM_VERSION=v3.6.2 && \
wget https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
install kubectl /usr/local/bin/kubectl -o root -g root -m 0755 && \
rm -f kubectl && \
wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz && \
tar -zxf helm-${HELM_VERSION}-linux-amd64.tar.gz && \
install -o root -g root -m 0755 linux-amd64/helm /usr/local/bin/helm && \
rm -fr helm-${HELM_VERSION}-linux-amd64.tar.gz linux-amd64 && \
helm plugin install https://github.com/databus23/helm-diff
RUN apk --update add --virtual build-dependencies gcc rust cargo musl-dev libffi-dev openssl-dev build-base libvirt-dev postgresql-dev && \ RUN apk --update add --virtual build-dependencies gcc rust cargo musl-dev libffi-dev openssl-dev build-base libvirt-dev postgresql-dev && \
pip3 install ansible asn1crypto bcrypt cachetools certifi cffi chardet cryptography dictdiffer \ pip3 install ansible asn1crypto bcrypt cachetools certifi cffi chardet cryptography dictdiffer \
docker-py google-auth httplib2 hvac idna ipaddress Jinja2 jmespath jsonpatch jsonpointer jsonschema \ docker-py google-auth httplib2 hvac idna ipaddress Jinja2 jmespath jsonpatch jsonpointer jsonschema \
@ -33,6 +48,6 @@ RUN apk --update add --virtual build-dependencies gcc rust cargo musl-dev libffi
echo "localhost" >> /etc/ansible/hosts echo "localhost" >> /etc/ansible/hosts
#RUN update-ca-certificates #RUN update-ca-certificates
#RUN ansible-galaxy collection install kubernetes.core ansible.posix community.general community.libvirt ngine_io.cloudstack google.cloud community.digitalocean RUN ansible-galaxy collection install kubernetes.core ansible.posix community.general community.libvirt ngine_io.cloudstack google.cloud community.digitalocean
CMD ["ansible"] CMD ["ansible"]