Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3852aa7fa8 | |||
| 2618c694d9 | |||
| 90de06c85c | |||
| 5ab54edea1 | |||
| ec883f6b16 | |||
| b5f95d3fc9 | |||
| 77d5158659 | |||
| c418a6ce4b | |||
| b6904e4ed2 | |||
| 118baa38f8 |
100
.woodpecker.yml
100
.woodpecker.yml
@ -1,36 +1,90 @@
|
||||
steps:
|
||||
build:
|
||||
build_api_modules:
|
||||
image: openapitools/openapi-generator-cli:v7.12.0
|
||||
commands:
|
||||
- DESTDIR=.
|
||||
- docker-entrypoint.sh generate -i https://dtrack-api.hottis.de/api/openapi.json -g python -o $DESTDIR/dependencytrack-client --package-name dependencytrack_api
|
||||
- docker-entrypoint.sh generate -i https://defectdojo.hottis.de/api/v2/oa3/schema/?format=json -g python -o $DESTDIR/defectdojo-client --package-name defectdojo_api
|
||||
- tar -cvzf api-artifacts.tgz $DESTDIR/dependencytrack-client $DESTDIR/defectdojo-client
|
||||
when:
|
||||
- event: [push, tag]
|
||||
|
||||
prepare_application:
|
||||
image: alpine:3.21
|
||||
when:
|
||||
- event: [push, tag]
|
||||
commands:
|
||||
- pwd
|
||||
- tar -xzf --strip-components=1 -xzf api-artifacts.tgz
|
||||
- ls -la
|
||||
|
||||
|
||||
|
||||
|
||||
scan:
|
||||
image: quay.io/wollud1969/woodpecker-helper:0.5.1
|
||||
environment:
|
||||
TRIVY_TOKEN:
|
||||
from_secret: trivy_token
|
||||
TRIVY_URL:
|
||||
from_secret: trivy_url
|
||||
DTRACK_API_KEY:
|
||||
from_secret: dtrack_api_key
|
||||
DTRACK_API_URL:
|
||||
from_secret: dtrack_api_url
|
||||
commands:
|
||||
- export GOPATH=/woodpecker/go # the export is required, otherwise trivy will not consider the variable
|
||||
- HOME=/home/`id -nu`
|
||||
- TAG="${CI_COMMIT_TAG:-$CI_COMMIT_SHA}"
|
||||
- |
|
||||
trivy fs \
|
||||
--server $TRIVY_URL \
|
||||
--token $TRIVY_TOKEN \
|
||||
--format cyclonedx \
|
||||
--scanners license \
|
||||
--output /tmp/sbom.xml \
|
||||
.
|
||||
- cat /tmp/sbom.xml
|
||||
- |
|
||||
curl -X "POST" \
|
||||
-H "Content-Type: multipart/form-data" \
|
||||
-H "X-Api-Key: $DTRACK_API_KEY" \
|
||||
-F "autoCreate=true" \
|
||||
-F "projectName=$CI_REPO" \
|
||||
-F "projectVersion=$TAG" \
|
||||
-F "bom=@/tmp/sbom.xml"\
|
||||
"$DTRACK_API_URL/api/v1/bom"
|
||||
when:
|
||||
- event: [tag]
|
||||
|
||||
dockerize:
|
||||
image: plugins/kaniko
|
||||
settings:
|
||||
repo: ${FORGE_NAME}/${CI_REPO}
|
||||
registry:
|
||||
registry:
|
||||
from_secret: container_registry
|
||||
tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
|
||||
username:
|
||||
username:
|
||||
from_secret: container_registry_username
|
||||
password:
|
||||
password:
|
||||
from_secret: container_registry_password
|
||||
dockerfile: Dockerfile
|
||||
when:
|
||||
- event: [push, tag]
|
||||
scan_image:
|
||||
image: aquasec/trivy
|
||||
- event: [tag]
|
||||
|
||||
deploy:
|
||||
image: quay.io/wollud1969/woodpecker-helper:0.5.1
|
||||
environment:
|
||||
KUBE_CONFIG_CONTENT:
|
||||
from_secret: kube_config
|
||||
ENCRYPTION_KEY:
|
||||
from_secret: encryption_key
|
||||
MD5_CHECKSUM:
|
||||
from_secret: secrets_checksum
|
||||
commands:
|
||||
- trivy image $FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA --quiet --exit-code 1
|
||||
when:
|
||||
- event: [push, tag]
|
||||
build:
|
||||
image: plugins/kaniko
|
||||
settings:
|
||||
repo: quay.io/wollud1969/k8s-admin-helper
|
||||
registry: quay.io
|
||||
tags:
|
||||
- latest
|
||||
- ${CI_COMMIT_TAG}
|
||||
username:
|
||||
from_secret: quay_username
|
||||
password:
|
||||
from_secret: quay_password
|
||||
dockerfile: Dockerfile
|
||||
- export IMAGE_TAG=$CI_COMMIT_TAG
|
||||
- printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
|
||||
- export KUBECONFIG=/tmp/kubeconfig
|
||||
- ./deployment/deploy.sh
|
||||
when:
|
||||
- event: [tag]
|
||||
|
||||
@ -2,11 +2,14 @@ FROM alpine:latest
|
||||
|
||||
ARG USER="user"
|
||||
|
||||
RUN apk add --no-cache kubectl gpg gpg-agent bash && \
|
||||
RUN \
|
||||
echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
|
||||
apk add --no-cache kubectl openssl gpg gpg-agent bash trivy@testing curl helm && \
|
||||
addgroup $USER && \
|
||||
adduser -G $USER -D $USER
|
||||
|
||||
COPY decrypt-secrets.sh /usr/local/bin/
|
||||
|
||||
USER $USER
|
||||
WORKDIR /home/$USER
|
||||
|
||||
|
||||
|
||||
21
decrypt-secrets.sh
Executable file
21
decrypt-secrets.sh
Executable file
@ -0,0 +1,21 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# Set the environment variable GPG_PASSPHRASE
|
||||
# Pipe the encrypted data and
|
||||
# - redirect the output into the destination file or
|
||||
# - directly eval the output, in this case make sure ONLY variable definitions are in the file
|
||||
#
|
||||
# The second option would be
|
||||
# eval "`cat secrets.asc | ./decrypt-secrets.sh`"
|
||||
#
|
||||
# To create the encrypted file use
|
||||
# gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
|
||||
# where secrets.txt is the cleartext file and secrets.asc will be the encrypted file.
|
||||
# Make sure to use a good passphrase, make sure to store the passphrase safely.
|
||||
#
|
||||
# Adding the encrypted file secrets.asc to a source code repository is secure.
|
||||
#
|
||||
|
||||
|
||||
gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output -
|
||||
Reference in New Issue
Block a user