Merge pull request #411 from application-stacks/pipeline-modernize

RCO Pipeline modernize to WLO

Author: arturdzm

.one-pipeline.yaml

@@ -13,20 +13,18 @@ test:
   script: |
     #!/usr/bin/env bash
     # Download and configure golang
-    wget --header "Accept: application/octet-stream"  "https://golang.org/dl/go1.16.linux-amd64.tar.gz" 
-    rm -rf /usr/local/go && tar -C /usr/local -xf go1.16.linux-amd64.tar.gz
+    GO_VERSION=$(get_env go-version)
+    wget --header "Accept: application/octet-stream"  "https://golang.org/dl/go$GO_VERSION.linux-amd64.tar.gz" 
+    rm -rf /usr/local/go && tar -C /usr/local -xf go*.linux-amd64.tar.gz
     export PATH=$PATH:/usr/local/go/bin
     apt-get update
-    apt-get -y install build-essential 
-    # Run unit tests
-    #export DOCKER_USERNAME=$(get_env docker-username)
-    #export DOCKER_PASSWORD=$(get_env docker-password)
+    apt-get -y install build-essential
+
     make unit-test
-    #make docker-login
-    #make build-image
 
 static-scan:
   dind: true
+  abort_on_failure: false
   image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
   script: |
     #!/usr/bin/env bash
@@ -47,7 +45,9 @@ static-scan:
     EOF
     chmod -x "$WORKSPACE"/runtime-component-operator/sonar-project.properties
     #echo "$SONAR_PASS" >> /tmp/sonarqube-token
-    "${ONE_PIPELINE_PATH}"/internal/sonarqube/sonarqube_run    
+    "${COMMONS_PATH}"/static-scan/run.sh
+    ## Perform static lint
+    ./scripts/pipeline/static-linter-scan.sh --git-token $(get_env git-token) --static-linter-version $(get_env static-linter-version)
 containerize:
   dind: true
   abort_on_failure: true  
@@ -79,7 +79,7 @@ containerize:
     fi  
     # Build images
     export PIPELINE_USERNAME=$(get_env ibmcloud-api-user)
-    export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key)  
+    export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key-staging)  
     PIPELINE_REGISTRY=$(get_env pipeline-registry)
     PIPELINE_OPERATOR_IMAGE=$(get_env pipeline-operator-image)  
     # Build amd64 image
@@ -111,6 +111,13 @@ containerize:
       save_artifact $i type=image name="$IMAGE" "digest=$DIGEST" "arch=$ARCH"   
     done
 
+sign-artifact:
+  abort_on_failure: false
+  image: icr.io/continuous-delivery/pipeline/image-signing:1.0.0@sha256:e9d8e354668ba3d40be2aaee08298d2aa7f0e1c8a1829cca4094ec93830e3e6a
+  script: |
+    #!/usr/bin/env bash
+    echo "sign-artifact"
+
 deploy:
   image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
   script: |
@@ -129,10 +136,6 @@ dynamic-scan:
   script: |
     #!/usr/bin/env bash
     echo "dynamic-scan"
-    #export APP_URL=$(cat ../app-url)
-    # feature preivew this until evidence locker v2 usage is full feature ready 
-    # can be triggered, and owasp will run for preview purposes 
-    #source scripts/zap/trigger_api_scan.sh
 
 acceptance-test:
   dind: true  
@@ -141,21 +144,27 @@ acceptance-test:
   script: |
     #!/usr/bin/env bash
     echo "acceptance-test"
-    # Download and configure golang
-    wget --header "Accept: application/octet-stream"  "https://golang.org/dl/go1.16.linux-amd64.tar.gz" 
-    rm -rf /usr/local/go && tar -C /usr/local -xf go1.16.linux-amd64.tar.gz
-    export PATH=$PATH:/usr/local/go/bin
-    apt-get update
-    apt-get -y install build-essential    
-    export PIPELINE_USERNAME=$(get_env ibmcloud-api-user)
-    export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key)  
-    export DOCKER_USERNAME=$(get_env docker-username)
-    export DOCKER_PASSWORD=$(get_env docker-password)    
-    export CLUSTER_URL=$(get_env test-cluster-url)
-    export CLUSTER_TOKEN=$(get_env test-cluster-token) 
-    export TRAVIS_BUILD_NUMBER=$BUILD_NUMBER   
-    make setup
-    make test-pipeline-e2e
+    GO_VERSION=$(get_env go-version)
+    export SKIP_KIND_E2E_TEST=$(get_env SKIP_KIND_E2E_TEST)
+    if [[ $SKIP_KIND_E2E_TEST != "true" ]]; then
+      # Download and configure golang
+      wget --header "Accept: application/octet-stream"  "https://golang.org/dl/go$GO_VERSION.linux-amd64.tar.gz" 
+      rm -rf /usr/local/go && tar -C /usr/local -xf go1.16.linux-amd64.tar.gz
+      export PATH=$PATH:/usr/local/go/bin
+      apt-get update
+      apt-get -y install build-essential    
+      export PIPELINE_USERNAME=$(get_env ibmcloud-api-user)
+      export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key-staging)  
+      export DOCKER_USERNAME=$(get_env docker-username)
+      export DOCKER_PASSWORD=$(get_env docker-password)    
+      export CLUSTER_URL=$(get_env test-cluster-url)
+      export CLUSTER_TOKEN=$(get_env test-cluster-token) 
+      export TRAVIS_BUILD_NUMBER=$BUILD_NUMBER   
+      make setup
+      make test-pipeline-e2e
+    else
+      echo "skipping Acceptance test"
+    fi
 
 scan-artifact:
   abort_on_failure: false
@@ -181,25 +190,64 @@ scan-artifact:
       done
     fi
 
+    echo "aqua scan"
+    # install docker
+    curl -fsSL https://get.docker.com -o get-docker.sh
+    sudo sh get-docker.sh
+    # get aqua scan executables
+    git clone https://$(get_env git-token)@github.ibm.com/CICD-CPP/cpp-pipelines.git
+    chmod -R +x cpp-pipelines
+    # setup and execute aqua scan
+    cd cpp-pipelines
+    export CUSTOM_SCRIPTS_PATH=/workspace/app/one-pipeline-config-repo/cpp-pipelines
+    ./commons/aqua/aqua-local-scan
+
+    source "${COMMONS_PATH}/whitesource/whitesource_unified_agent_scan.sh"
+
 release:
   abort_on_failure: false
-  image: wcp-compliance-automation-team-docker-local.artifactory.swg-devops.com/ibm-compliance-automation:1.9.1@sha256:3f3e344a1efb160d83c48cf2ee878a39cbad058c8640c423472e0546316232fd
+  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
   script: |
     #!/usr/bin/env bash
-    echo "release" 
-    set_env ibmcloud-api-key $(get_env ibmcloud-api-key-prod)
-
-#owasp-zap-api:
-#  dind: true
-#  abort_on_failure: false
-#  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.12@sha256:ff4053b0bca784d6d105fee1d008cfb20db206011453071e86b69ca3fde706a4
-#  script: |
-#    !/usr/bin/env bash
-#    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
-#      trap env EXIT
-#      env
-#      set -x
-#    fi
-    
-#    source scripts/zap/setup_api_scan.sh
-#    source scripts/zap/run_api_scan.sh
+
+    RELEASE_FLAG=$(get_env release "false")
+
+    if [[ $RELEASE_FLAG != "true" ]]; then
+      echo "Skipping release stage; environment property 'release' is set to $RELEASE_FLAG"
+      exit 0
+    fi
+
+    SKIP_ALL_CHECKS=$(get_env SKIP_ALL_CHECKS "false")
+    ./scripts/pipeline/evaluator.sh      
+    if [[ $? == 0 || $SKIP_ALL_CHECKS == "true" ]]; then
+      if [[  $SKIP_ALL_CHECKS == "true" ]]; then
+        echo "Skipping image scan checks"
+      fi
+      APP_REPO=$(pwd)
+      echo "Application Repository: $APP_REPO"
+      INVENTORY_REPO=$(get_env inventory-repo)
+      echo "Cloning inventory repository: $INVENTORY_REPO"
+      cd "$WORKSPACE"
+      APP_TOKEN_PATH="$WORKSPACE/secrets/app-token"
+      . "${ONE_PIPELINE_PATH}"/git/clone_repo \
+        "$INVENTORY_REPO" \
+        "master"  \
+        "" \
+        "$APP_TOKEN_PATH"
+      REPO=${INVENTORY_REPO##*/}
+      NAME=${REPO%.*}
+      echo "Inventory name: $NAME"
+      cd $WORKSPACE/$NAME
+      if [ "$(ls )" ]; then
+        echo "Clearing inventory repository: $INVENTORY_REPO"
+        git config --global user.email "tekton@example.com"
+        git config --global user.name "Tekton"
+        git rm *
+        git commit -m "Delete contents of inventory repository - $PIPELINE_RUN_ID"
+        git push origin master
+      fi
+      cd $APP_REPO
+      ./scripts/pipeline/release.sh
+    else
+      echo "Errors found.  images will not be released"
+    fi

scripts/pipeline/cd_finish

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+if [ "$PIPELINE_DEBUG" == 1 ]; then
+  pwd
+  env
+  trap env EXIT
+  set -x
+fi
+
+export WORKSPACE
+
+. "${ONE_PIPELINE_PATH}"/internal/pipeline/variables_config
+. "${ONE_PIPELINE_PATH}"/tools/retry
+
+cd "$WORKSPACE"
+
+pipeline_data="${WORKSPACE}/pipeline.data"
+source "$pipeline_data"
+
+#
+# start
+#
+
+INVENTORY_REPO="$(cat /config/inventory-url)"
+GHE_ORG=${INVENTORY_REPO%/*}
+GHE_ORG=${GHE_ORG##*/}
+GHE_REPO=${INVENTORY_REPO##*/}
+
+curl  -H "Accept: application/vnd.github.v3+json"  -H "Authorization: token $(get_env git-token)" https://github.ibm.com/api/v3/repos/${GHE_ORG}/${GHE_REPO}/releases -d "{\"tag_name\": \"$(get_env version)\",\"name\": \"$(get_env version)\",\"draft\": false,\"prerelease\": false}"
+
+set_env ibmcloud-api "cloud.ibm.com"
+. "${ONE_PIPELINE_PATH}"/internal/security-compliance/scan
+
+. "${ONE_PIPELINE_PATH}"/internal/doi/publish_acceptance_test
+
+#publish_acceptance_test "$(get_env ACCEPTANCE_TESTS_TASK_NAME)" "$(get_env ACCEPTANCE_TESTS_STEP_NAME)" "com.ibm.acceptance_tests"
+
+# collector_cd
+echo "Processing 'build-image-signing' ..."
+. "${ONE_PIPELINE_PATH}"/internal/evidence/collector \
+  "$(get_env IMAGE_SIGNING_TASK_NAME)"               `# task_name` \
+  "$(get_env IMAGE_SIGNING_STEP_NAME)"               `# step_name` \
+  "sign-artifact"                                    `# stage` \
+  "success"                                          `# excepted_status` \
+  "$(get_env STAGE_SIGN_ARTIFACT_STATUS)"            `# actual_status` \
+  "image-signing"                                    `# evidence_name` \
+  "com.ibm.cloud.image_signing"                      `# evidence_type` \
+  "1.0.0"                                            `# evidence_type_version` \
+  "cd"                                               `# namespace` \
+  ""                                                 `# artifacts`
+
+echo "Processing 'acceptance-test' ..."
+. "${ONE_PIPELINE_PATH}"/internal/evidence/collector \
+  "$(get_env ACCEPTANCE_TESTS_TASK_NAME)"            `# task_name` \
+  "$(get_env ACCEPTANCE_TESTS_STEP_NAME)"            `# step_name` \
+  "acceptance-test"                                  `# stage` \
+  "success"                                          `# excepted_status` \
+  "$(get_env STAGE_ACCEPTANCE_TEST_STATUS)"          `# actual_status` \
+  "acceptance-test"                                  `# evidence_name` \
+  "com.ibm.acceptance_tests"                         `# evidence_type` \
+  "1.0.0"                                            `# evidence_type_version` \
+  "cd"                                               `# namespace` \
+  ""                                                 `# artifacts`
+
+echo -e "\n"
+
+#. "${ONE_PIPELINE_PATH}"/internal/evidence/create_summary "from-every-inventory-entry" "include_cd_evidence"
+
+#. "${ONE_PIPELINE_PATH}"/internal/evidence/upload_summary
+
+# collector_cd_final
+. "${ONE_PIPELINE_PATH}"/internal/evidence/upload_pipeline_data
+
+printf "\n\nCollect and upload pipeline logs\n\n" >&2
+upload_pipeline_task_logs "cd"
+
+printf "\n\nCollect and upload pipeline run data\n\n" >&2
+upload_pipeline_run_data "cd"
+
+echo -e "\n"
+
+"${ONE_PIPELINE_PATH}/internal/slack/generate_cd_end_message.py" | "${ONE_PIPELINE_PATH}/internal/slack/post_message.py" || true
+
+#. "${ONE_PIPELINE_PATH}"/internal/pipeline/evaluator_cd

scripts/pipeline/evaluator.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+function evaluate() {
+  name=$1
+  expected_status=$2
+  actual_status=$3
+  task_name=$4
+  skip_task=$5
+
+  if [[ $skip_task == 'true' ]]; then
+    echo "Task '${name}' has been skipped."
+    echo "Actual: '${actual_status}' | Expected: '${expected_status}'."
+  elif [ "$expected_status" != "$actual_status" ]; then
+    echo "Task '${name}' has failed"
+    echo "The actual result value did not match expected value."
+    echo "Actual: '${actual_status}' | Expected: '${expected_status}'."
+    export PIPELINE_EXIT+=1
+  else
+    export PIPELINE_EXIT+=0
+  fi  
+}  
+
+printf "\n\nEvaluating Pipeline Task results \n\n" >&2
+
+evaluate \
+  "detect-secrets"                                   `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env DETECT_SECRETS_STATUS)"                 `# actual_status` \
+  "$(get_env DETECT_SECRET_TASK_NAME)"               `# task_name` 
+
+evaluate \
+  "unit-tests"                                       `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env STAGE_TEST_STATUS)"                     `# actual_status` \
+  "$(get_env UNIT_TESTS_TASK_NAME)"                  `# task_name` 
+
+enable_sonar=$(get_env opt-in-sonar "")
+enable_gosec=$(get_env opt-in-gosec "")
+if [[ -n $enable_sonar || -n $enable_gosec ]]; then
+  evaluate \
+    "static-scan"                                    `# name` \
+    "success"                                        `# expected_status` \
+    "$(get_env STAGE_STATIC_SCAN_STATUS)"            `# actual_status` \
+    "$(get_env STATIC_SCAN_TASK_NAME)"               `# task_name` 
+fi
+
+evaluate \
+  "vulnerability-scan"                               `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env CRA_VULNERABILITY_RESULTS_STATUS)"      `# actual_status` \
+  "$(get_env CRA_VULNERABILITY_TASK_NAME)"           `# task_name` 
+
+evaluate \
+  "cis-check"                                        `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env CIS_CHECK_VULNERABILITY_RESULTS_STATUS)"`# actual_status` \
+  "$(get_env CIS_CHECK_TASK_NAME)"                   `# task_name`                
+
+evaluate \
+  "bom-check"                                        `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env CRA_BOM_CHECK_RESULTS_STATUS)"          `# actual_status` \
+  "$(get_env BOM_CHECK_TASK_NAME)"                   `# task_name` 
+
+evaluate \
+  "branch-protection"                                `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env BRANCH_PROTECTION_STATUS)"              `# actual_status` \
+  "$(get_env BRANCH_PROTECTION_TASK_NAME)"           `# task_name` \
+  "$(get_env SKIP_BRANCH_PROTECTION 'false')"           
+
+evaluate \
+  "vulnerability-advisor"                            `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env STAGE_SCAN_ARTIFACT_STATUS)"            `# actual_status` \
+  "$(get_env VULNERABILITY_ADVISOR_TASK_NAME)"       `# task_name` \
+  "$(get_env SKIP_VA 'false')"      
+
+evaluate \
+  "acceptance-tests"                                 `# name` \
+  "success"                                          `# expected_status` \
+  "$(get_env STAGE_ACCEPTANCE_TEST_STATUS)"          `# actual_status` \
+  "$(get_env ACCEPTANCE_TESTS_TASK_NAME)"            `# task_name` 
+
+if [[ "$PIPELINE_EXIT" == *"1"* ]]; then
+  exit 1
+else
+  echo "Every Task result passed the check!"
+  exit 0
+fi