docker-toolkit.yml

---
variables:
  DOCKER_DRIVER: "overlay2"
  DOCKER_TLS_CERTDIR: "/certs"
  DOCKERFILE: "Dockerfile"

.get-latest-trivy:
  stage: .pre
  tags:
    - docker
    - miquido
  before_script:
    - apk add jq
    - apk add curl
  script:
    - |
      if [ -z ${GITHUB_TOKEN+x} ];
        then
          echo "GITHUB_TOKEN is unset";
          echo "TRIVY_VERSION=0.19.2" >> build.env
        else
          TRIVY_VERSION=$(curl -H "Authorization: token $GITHUB_TOKEN" \
            https://api.github.com/repos/aquasecurity/trivy/releases/latest \
                  | jq --raw-output '.tag_name' | cut -c 2-)
        echo "Latest trivy version = $TRIVY_VERSION"
        echo "TRIVY_VERSION=$TRIVY_VERSION" >> build.env
      fi
  artifacts:
    reports:
      dotenv: build.env

.get-latest-hadolint:
  stage: .pre
  tags:
    - docker
    - miquido
  before_script:
    - apk add jq
    - apk add curl
  script:
    - |
      if [ -z ${GITHUB_TOKEN+x} ];
        then
          echo "GITHUB_TOKEN is unset";
          echo "HADOLINT_VERSION=2.6.0" >> build.env
        else
          HADOLINT_VERSION=$(curl -H "Authorization: token $GITHUB_TOKEN" \
            https://api.github.com/repos/hadolint/hadolint/releases/latest \
                  | jq --raw-output '.tag_name' | cut -c 2-)
        echo "Latest hadolint version = $HADOLINT_VERSION"
        echo "HADOLINT_VERSION=$HADOLINT_VERSION" >> build.env
      fi
  artifacts:
    reports:
      dotenv: build.env

.docker_compose: &docker_compose
  image: docker/compose:alpine-1.28.5
  before_script:
    - docker version
    - docker-compose version
    - docker-compose down --volumes --remove-orphans
  after_script:
    - docker-compose down --volumes --remove-orphans
  tags:
    - docker
    - miquido

.validate-docker-compose:
  <<: *docker_compose
  stage: .pre
  script:
    - docker-compose config

.docker-lint:
  variables:
    # ignore rules from: https://github.com/hadolint/hadolint#rules (ignore exact version pinning for apt/apk)
    DEFAULT_IGNORES: DL3018 DL3008
    DOCKERFILE: "Dockerfile"
    HADOLINT_VERSION: "2.6.0"

  tags:
    - docker
    - miquido
  image: hadolint/hadolint:v$HADOLINT_VERSION-debian
  script:
    - |
      IFS=' ' #setting space as delimiter
      read -ra DEFAULT_IGNORES <<<"$DEFAULT_IGNORES"
      read -ra EXTRA_IGNORES <<<"$EXTRA_IGNORES"
      IGNORES=()

      for value in "${DEFAULT_IGNORES[@]}"
      do
        IGNORES+=("--ignore")
        IGNORES+=("$value")
      done
      for value in "${EXTRA_IGNORES[@]}"
      do
        IGNORES+=("--ignore")
        IGNORES+=("$value")
      done

    - hadolint "${IGNORES[@]}" $DOCKERFILE

.container-scanning:
  <<: *docker_compose
  variables:
    TRIVY_VERSION: "0.19.2"
    DOCKER_BUILD_IMAGE: $CI_REGISTRY_IMAGE:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
  tags:
    - docker
    - miquido
  stage: test
  before_script:
    - \[ ! -n "$DOCKER_BUILD_IMAGE" \] && echo "Missing $DOCKER_BUILD_IMAGE variable. Exiting"
  cache:
    paths:
      - .trivycache/
  script:
    - !reference [.gitlab-docker-login, script]
    # Download trivy
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -  # yamllint disable-line rule:line-length
    - docker pull $DOCKER_BUILD_IMAGE
    # Build report
    - |
      ./trivy image --exit-code 0 --vuln-type os --ignore-unfixed \
      --no-progress --format template --template "@contrib/gitlab.tpl" \
      -o gl-container-scanning-report.json ${DOCKER_BUILD_IMAGE}
    - |
      ./trivy image --exit-code 0 --vuln-type os --ignore-unfixed \
      --no-progress --format template --template "@contrib/html.tpl" \
      -o container-scanning-report.html ${DOCKER_BUILD_IMAGE}
    - |
      ./trivy image --exit-code 0 --vuln-type os --ignore-unfixed \
      --no-progress --format json -o container-scanning-report.json ${DOCKER_BUILD_IMAGE}
    # Build full report
    - |
      ./trivy image --exit-code 0 --vuln-type os \
      --no-progress --format template --template "@contrib/gitlab.tpl" \
      -o gl-container-scanning-report-full.json ${DOCKER_BUILD_IMAGE}
    - |
      ./trivy image --exit-code 0 --vuln-type os \
      --no-progress --format template --template "@contrib/html.tpl" \
      -o container-scanning-report-full.html ${DOCKER_BUILD_IMAGE}
    - |
      ./trivy image --exit-code 0 --vuln-type os \
      --no-progress --format json -o container-scanning-report-full.json ${DOCKER_BUILD_IMAGE}
    # Print full report
    - |
      ./trivy image --exit-code 0 --vuln-type os \
      --no-progress --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL ${DOCKER_BUILD_IMAGE}
    # Fail on severe vulnerabilities
    - |
      ./trivy image --exit-code 1 --vuln-type os --ignore-unfixed \
      --no-progress --ignore-unfixed --severity HIGH,CRITICAL ${DOCKER_BUILD_IMAGE}
  artifacts:
    paths:
      - gl-container-scanning-report.json
      - container-scanning-report.html
      - container-scanning-report.json
    reports:
      container_scanning: gl-container-scanning-report.json

.push:
  tags:
    - docker
    - miquido
  variables:
    ADDITIONAL_TAG: ""
    DOCKER_BUILD_IMAGE: $CI_REGISTRY_IMAGE:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
  image: miquido/docker-compose-aws-cli:docker-compose-1.28.5-aws-cli-1.19.25
  script:
    - docker pull $DOCKER_BUILD_IMAGE
    - docker tag $DOCKER_BUILD_IMAGE $ECR_REPOSITORY:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
    - aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_ID
    - docker push $ECR_REPOSITORY:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
    - |
      if [ "$ADDITIONAL_TAG" != "" ]; then
          echo "Additionally pushing ${ADDITIONAL_TAG} ...:"
          docker tag $DOCKER_BUILD_IMAGE $ECR_REPOSITORY:$ADDITIONAL_TAG
          docker push $ECR_REPOSITORY:$ADDITIONAL_TAG
      fi
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual

.deploy:
  tags:
    - docker
    - miquido
  image:
    name: docker.io/fabfuel/ecs-deploy:1.13.1
  stage: deploy
  resource_group: deploy
  script:
    - |
      ecs deploy $ECS_CLUSTER_NAME $ECS_SERVICE_NAME \
      --image $CONTAINER_NAME $ECR_REPOSITORY:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA --timeout=1200 --rollback
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

.deploy-oidc:
  tags:
    - docker
    - miquido
  image:
    name: docker.io/fabfuel/ecs-deploy:1.15.0
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  stage: deploy
  before_script:
    - apk add aws-cli
    - !reference [.oidc-login, script]
  script:
    - |
      ecs deploy $ECS_CLUSTER_NAME $ECS_SERVICE_NAME \
      --image $CONTAINER_NAME $ECR_REPOSITORY:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA --timeout=1200 --rollback
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

.last-deploy-check-oidc:
  tags:
    - docker
    - miquido
  image:
    name: amazon/aws-cli:2.22.20
    entrypoint: [""]
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  before_script:
    - !reference [.oidc-login, script]
    - yum install jq -y
  script:
    - |
      RESULT=`aws ecs list-service-deployments \
      --service $ECS_SERVICE_NAME --cluster $ECS_CLUSTER_NAME | jq '.serviceDeployments[0].status' -r`
    - |
      if [ "$RESULT" != "SUCCESSFUL" ]; then
        REASON=`aws ecs list-service-deployments \
      --service $ECS_SERVICE_NAME --cluster $ECS_CLUSTER_NAME | jq '.serviceDeployments[0].statusReason' -r`
        echo -e "\033[31m${REASON}\033[0m"
        exit 1
      fi

.push-miquido-hub:
  image: docker:20.10.6
  variables:
    BASE_DOCKER_IMAGE: "<ENTER_VAR>"
    DOCKERHUB_IMAGE: "<ENTER_VAR>"
    DOCKER_KEY: "<ENTER_VAR>"
    DOCKER_USER: "<ENTER_VAR>"
  stage: .post
  tags:
    - docker
    - miquido
  before_script:
    - docker version
  script:
    - TXT_RED="\e[31m"
    - |
      if [ "$BASE_DOCKER_IMAGE" = "<ENTER_VAR>" ] && [ -z "$DOCKER_IMAGE_VERSION" ]; then
        echo -e "${TXT_RED}Please provide BASE_DOCKER_IMAGE or DOCKER_IMAGE_VERSION variable"
        exit 1
      fi;
    - |
      if [ "$DOCKERHUB_IMAGE" = "<ENTER_VAR>" ]; then
        echo -e "${TXT_RED}Please provide DOCKERHUB_IMAGE variable"
        exit 1
      fi;
    - |
      if [ "$DOCKER_KEY" = "<ENTER_VAR>" ]; then
        echo -e "${TXT_RED}Please provide DOCKER_KEY variable"
        exit 1
      fi;
    - |
      if [ "$DOCKER_USER" = "<ENTER_VAR>" ]; then
        echo -e "${TXT_RED}Please provide DOCKER_USER variable"
        exit 1
      fi;
    - |
      if [ -z "$DOCKER_IMAGE_VERSION" ]; then
        FROM_DOCKER=$(cat Dockerfile | grep $BASE_DOCKER_IMAGE)
        DOCKER_IMAGE_VERSION=${FROM_DOCKER##*:}
      fi;
    - docker build -t $DOCKERHUB_IMAGE:$DOCKER_IMAGE_VERSION .
    - echo $DOCKER_KEY | docker login --username $DOCKER_USER --password-stdin
    - docker push $DOCKERHUB_IMAGE:$DOCKER_IMAGE_VERSION
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

#########
# Build #
#########

.build-multiarch:
  image: miquido/docker-with-buildx:stable
  variables:
    DOCKER_BUILD_IMAGE: $CI_REGISTRY_IMAGE:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
    DOCKERFILE_PATH: .
    DOCKERFILE_NAME: $DOCKERFILE_PATH/Dockerfile
    PLATFORMS: linux/arm/v7,linux/arm64/v8,linux/386,linux/amd64
  script:
    - |
      if grep_args=$(env | grep ARG); then
          args=$(env | grep ARG | sed 's/ARG_//g' | tr '\n' ',')
          IFS=',' read -r -a array <<< "$args"

          for elem in "${array[@]}"; do
              build_args+=( --build-arg="$elem" )
          done
      fi
    - !reference [.gitlab-docker-login, script]
    - docker buildx create --use
    - docker pull $CI_REGISTRY_IMAGE:latest || true
    - |
      DOCKER_BUILDKIT=1 docker buildx build --cache-from $CI_REGISTRY_IMAGE:latest --build-arg BUILDKIT_INLINE_CACHE=1 \
      "${build_args[@]}" \
      --file $DOCKERFILE_NAME \
      --push \
      --platform $PLATFORMS \
      --tag $DOCKER_BUILD_IMAGE \
      --tag $CI_REGISTRY_IMAGE:latest \
      $DOCKERFILE_PATH
  after_script:
    - docker buildx rm $BUILDER_NAME
  tags:
    - docker
    - miquido


#########
# Login #
#########

.dockerhub-login:
  script:
    - \[ ! -n "$DOCKER_USER" \] && echo "Missing DOCKER_USER variable. Exiting" && exit 1
    - \[ ! -n "$DOCKER_KEY" \] && echo "Missing DOCKER_KEY variable. Exiting" && exit 1
    - docker login -u $DOCKER_USER -p $DOCKER_KEY

.gitlab-docker-login:
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

.ecr-login:
  script:
    - \[ ! -n "$ECR_ID" \] && echo "Missing ECR_ID variable. Exiting" && exit 1
    - aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_ID

.oidc-login:
  script:
    - \[ ! -n "ROLE_ARN" \] && echo "Missing ROLE_ARN variable. Exiting" && exit 1
    - \[ ! -n "GITLAB_OIDC_TOKEN" \] && echo "Missing GITLAB_OIDC_TOKEN variable. Exiting" && exit 1
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${GITLAB_OIDC_TOKEN}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))

#########
# Push #
#########

.gitlab-dockerhub-push:
  extends: .gitlab-push
  script:
    - \[ ! -n "$DOCKER_IMAGE_DESTINATION" \] && echo "Missing DOCKER_IMAGE_DESTINATION variable. Exiting" && exit 1
    - !reference [.dockerhub-login, script]
    - !reference [.gitlab-push, script]

.gitlab-ecr-push:
  extends: .gitlab-push
  variables:
    DOCKER_IMAGE_DESTINATION: $ECR_REPOSITORY:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
  script:
    - \[ ! -n "$DOCKER_IMAGE_DESTINATION" \] && echo "Missing DOCKER_IMAGE_DESTINATION variable. Exiting" && exit 1
    - !reference [.ecr-login, script]
    - !reference [.gitlab-push, script]

.gitlab-ecr-push-oidc:
  extends: .gitlab-push
  variables:
    DOCKER_IMAGE_DESTINATION: $ECR_REPOSITORY:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  script:
    - \[ ! -n "$DOCKER_IMAGE_DESTINATION" \] && echo "Missing DOCKER_IMAGE_DESTINATION variable. Exiting" && exit 1
    - !reference [.oidc-login, script]
    - !reference [.ecr-login, script]
    - !reference [.gitlab-push, script]


.gitlab-push:
  image: docker:20.10.14
  variables:
    # REQUIRED
    DOCKER_BUILD_IMAGE: $CI_REGISTRY_IMAGE:$CI_PIPELINE_ID-$CI_COMMIT_SHORT_SHA
  before_script:
    - |
      apk add --no-cache \
              curl \
              jq \
              python3 \
              py3-pip \
            && pip3 install --upgrade pip \
            && pip3 install --no-cache-dir \
                awscli \
            && rm -rf /var/cache/apk/*
    - curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 > regctl
    - chmod 755 regctl
    - mkdir ~/.docker
  script:
    - !reference [.gitlab-docker-login, script]
    - ./regctl image inspect $DOCKER_BUILD_IMAGE
    - ./regctl image copy $DOCKER_BUILD_IMAGE $DOCKER_IMAGE_DESTINATION
    - ./regctl image inspect $DOCKER_IMAGE_DESTINATION
    - |
      if [ -n "$DOCKER_IMAGE_SECONDARY_DESTINATION" ]; then
         ./regctl image copy $DOCKER_BUILD_IMAGE $DOCKER_IMAGE_SECONDARY_DESTINATION
      fi

  tags:
    - miquido
    - docker
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success