.gitlab-ci.yml

# This file is a template, and might need editing before it works on your project.
# Auto DevOps
# This CI/CD configuration provides a standard pipeline for
# * building a Docker image (using a buildpack if necessary),
# * storing the image in the container registry,
# * running tests from a buildpack,
# * running code quality analysis,
# * creating a review app for each topic branch,
# * and continuous deployment to production
#
# Test jobs may be disabled by setting environment variables:
# * test: TEST_DISABLED
# * code_quality: CODE_QUALITY_DISABLED
# * license_management: LICENSE_MANAGEMENT_DISABLED
# * performance: PERFORMANCE_DISABLED
# * sast: SAST_DISABLED
# * dependency_scanning: DEPENDENCY_SCANNING_DISABLED
# * container_scanning: CONTAINER_SCANNING_DISABLED
# * dast: DAST_DISABLED
# * review: REVIEW_DISABLED
# * stop_review: REVIEW_DISABLED
#
# In order to deploy, you must have a Kubernetes cluster configured either
# via a project integration, or via group/project variables.
# KUBE_INGRESS_BASE_DOMAIN must also be set on the cluster settings,
# as a variable at the group or project level, or manually added below.
#
# Continuous deployment to production is enabled by default.
# If you want to deploy to staging first, set STAGING_ENABLED environment variable.
# If you want to enable incremental rollout, either manual or time based,
# set INCREMENTAL_ROLLOUT_MODE environment variable to "manual" or "timed".
# If you want to use canary deployments, set CANARY_ENABLED environment variable.
#
# If Auto DevOps fails to detect the proper buildpack, or if you want to
# specify a custom buildpack, set a project variable `BUILDPACK_URL` to the
# repository URL of the buildpack.
# e.g. BUILDPACK_URL=https://github.com/heroku/heroku-buildpack-ruby.git#v142
# If you need multiple buildpacks, add a file to your project called
# `.buildpacks` that contains the URLs, one on each line, in order.
# Note: Auto CI does not work with multiple buildpacks yet

image: alpine:latest

variables:
  # KUBE_INGRESS_BASE_DOMAIN is the application deployment domain and should be set as a variable at the group or project level.
  # KUBE_INGRESS_BASE_DOMAIN: domain.example.com

  KUBERNETES_VERSION: 1.11.7
  HELM_VERSION: 2.12.3

  DOCKER_DRIVER: overlay2

stages:
  - build
  - test
  - review
  - dast
  - production
  - performance
  - cleanup

build:
  stage: build
  image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-build-image/master:stable"
  services:
    - docker:stable-dind
  script:
    - /build/build.sh
  only:
    - branches
    - tags

test:
  variables:
    POSTGRES_DB: test
  stage: test
  image: gliderlabs/herokuish:latest
  allow_failure: true     # tests mostly handled by travis for now
  script:
#    - setup_test_db
    - cp -R . /tmp/app
    - /bin/herokuish buildpack test
  only:
    - branches
    - tags
  except:
    variables:
      - $TEST_DISABLED

code_quality:
  stage: test
  image: docker:stable
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - setup_docker
    - code_quality
  artifacts:
    paths: [gl-code-quality-report.json]
  only:
    - branches
    - tags
  except:
    variables:
      - $CODE_QUALITY_DISABLED

license_management:
  stage: test
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
    entrypoint: [""]
  allow_failure: true
  script:
    - license_management
  artifacts:
    paths: [gl-license-management-report.json]
  only:
    refs:
      - branches
      - tags
    variables:
      - $GITLAB_FEATURES =~ /\blicense_management\b/
  except:
    variables:
      - $LICENSE_MANAGEMENT_DISABLED

performance:
  stage: performance
  image: docker:stable
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - setup_docker
    - performance
  artifacts:
    paths:
    - performance.json
    - sitespeed-results/
  only:
    refs:
      - branches
      - tags
    kubernetes: active
  except:
    variables:
      - $PERFORMANCE_DISABLED

sast:
  stage: test
  image: docker:stable
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - setup_docker
    - sast
  artifacts:
    reports:
      sast: gl-sast-report.json
  only:
    refs:
      - branches
      - tags
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/
  except:
    variables:
      - $SAST_DISABLED

dependency_scanning:
  stage: test
  image: docker:stable
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - setup_docker
    - dependency_scanning
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  only:
    refs:
      - branches
      - tags
    variables:
      - $GITLAB_FEATURES =~ /\bdependency_scanning\b/
  except:
    variables:
      - $DEPENDENCY_SCANNING_DISABLED

container_scanning:
  stage: test
  image: docker:stable
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - setup_docker
    - container_scanning
  artifacts:
    paths: [gl-container-scanning-report.json]
  only:
    refs:
      - branches
      - tags
    variables:
      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED

dast:
  stage: dast
  allow_failure: true
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    POSTGRES_DB: "false"
  script:
    - dast
  artifacts:
    paths: [gl-dast-report.json]
  only:
    refs:
      - branches
      - tags
    kubernetes: active
    variables:
      - $GITLAB_FEATURES =~ /\bdast\b/
  except:
    refs:
      - master
    variables:
      - $DAST_DISABLED

review:
  stage: review
  script:
    - check_kube_domain
    - install_dependencies
    - ensure_namespace
    - initialize_tiller
    - create_secret
    - deploy
    - persist_environment_url
  environment:
    name: review/$CI_COMMIT_REF_NAME
    url: https://$CI_PROJECT_PATH_SLUG-$CI_ENVIRONMENT_SLUG.$KUBE_INGRESS_BASE_DOMAIN
    on_stop: stop_review
  artifacts:
    paths: [environment_url.txt]
  only:
    refs:
      - branches
      - tags
    kubernetes: active
  except:
    refs:
      - master
    variables:
      - $REVIEW_DISABLED

stop_review:
  stage: cleanup
  variables:
    GIT_STRATEGY: none
  script:
    - install_dependencies
    - initialize_tiller
    - delete
  environment:
    name: review/$CI_COMMIT_REF_NAME
    action: stop
  when: manual
  allow_failure: true
  only:
    refs:
      - branches
      - tags
    kubernetes: active
  except:
    refs:
      - master
    variables:
      - $REVIEW_DISABLED

production:
  stage: production
  script:
    - install_dependencies
    - update_prod
  environment:
    name: production
  artifacts:
    paths: [environment_url.txt]
  only:
    refs:
      - master
    kubernetes: active

# ---------------------------------------------------------------------------

.auto_devops: &auto_devops |
  # Auto DevOps variables and functions
  [[ "$TRACE" ]] && set -x
  auto_database_url=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${CI_ENVIRONMENT_SLUG}-postgres:5432/${POSTGRES_DB}
  export DATABASE_URL=${DATABASE_URL-$auto_database_url}
  if [[ -z "$CI_COMMIT_TAG" ]]; then
    export CI_APPLICATION_REPOSITORY=$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    export CI_APPLICATION_TAG=$CI_COMMIT_SHA
  else
    export CI_APPLICATION_REPOSITORY=$CI_REGISTRY_IMAGE
    export CI_APPLICATION_TAG=$CI_COMMIT_TAG
  fi
  export TILLER_NAMESPACE=$KUBE_NAMESPACE
  # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
  export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')

  function registry_login() {
    if [[ -n "$CI_REGISTRY_USER" ]]; then
      echo "Logging to GitLab Container Registry with CI credentials..."
      docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
      echo ""
    fi
  }

  function container_scanning() {
    registry_login

    docker run -d --name db arminc/clair-db:latest
    docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
    apk add -U wget ca-certificates
    docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    mv clair-scanner_linux_amd64 clair-scanner
    chmod +x clair-scanner
    touch clair-whitelist.yml
    retries=0
    echo "Waiting for clair daemon to start"
    while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  }

  function code_quality() {
    docker run --env SOURCE_CODE="$PWD" \
               --volume "$PWD":/code \
               --volume /var/run/docker.sock:/var/run/docker.sock \
               "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
  }

  function license_management() {
    /run.sh analyze .
  }

  function sast() {
    case "$CI_SERVER_VERSION" in
      *-ee)

        # Deprecation notice for CONFIDENCE_LEVEL variable
        if [ -z "$SAST_CONFIDENCE_LEVEL" -a "$CONFIDENCE_LEVEL" ]; then
          SAST_CONFIDENCE_LEVEL="$CONFIDENCE_LEVEL"
          echo "WARNING: CONFIDENCE_LEVEL is deprecated and MUST be replaced with SAST_CONFIDENCE_LEVEL"
        fi

        docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" \
                   --volume "$PWD:/code" \
                   --volume /var/run/docker.sock:/var/run/docker.sock \
                   "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
        ;;
      *)
        echo "GitLab EE is required"
        ;;
    esac
  }

  function dependency_scanning() {
    case "$CI_SERVER_VERSION" in
      *-ee)
        docker run --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}" \
                   --volume "$PWD:/code" \
                   --volume /var/run/docker.sock:/var/run/docker.sock \
                   "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
        ;;
      *)
        echo "GitLab EE is required"
        ;;
    esac
  }

  # Extracts variables prefixed with K8S_SECRET_
  # and creates a Kubernetes secret.
  #
  # e.g. If we have the following environment variables:
  #   K8S_SECRET_A=value1
  #   K8S_SECRET_B=multi\ word\ value
  #
  # Then we will create a secret with the following key-value pairs:
  #   data:
  #     A: dmFsdWUxCg==
  #     B: bXVsdGkgd29yZCB2YWx1ZQo=
  function create_application_secret() {
    track="${1-stable}"
    export APPLICATION_SECRET_NAME=$(application_secret_name "$track")

    env | sed -n "s/^K8S_SECRET_\(.*\)$/\1/p" > k8s_prefixed_variables

    kubectl create secret \
      -n "$KUBE_NAMESPACE" generic "$APPLICATION_SECRET_NAME" \
      --from-env-file k8s_prefixed_variables -o yaml --dry-run |
      kubectl replace -n "$KUBE_NAMESPACE" --force -f -

    export APPLICATION_SECRET_CHECKSUM=$(cat k8s_prefixed_variables | sha256sum | cut -d ' ' -f 1)

    rm k8s_prefixed_variables
  }

  function deploy_name() {
    name="$CI_ENVIRONMENT_SLUG"
    track="${1-stable}"

    if [[ "$track" != "stable" ]]; then
      name="$name-$track"
    fi

    echo $name
  }

  function application_secret_name() {
    track="${1-stable}"
    name=$(deploy_name "$track")

    echo "${name}-secret"
  }

  function deploy() {
    track="${1-stable}"
    name_collab=col-$(deploy_name "$track")
    name_connex=con-$(deploy_name "$track")

    replicas="1"

    if [[ "$CI_PROJECT_VISIBILITY" != "public" ]]; then
      secret_name='gitlab-registry'
    else
      secret_name=''
    fi

    create_application_secret "$track"

    env_slug=$(echo ${CI_ENVIRONMENT_SLUG//-/_} | tr -s '[:lower:]' '[:upper:]')
    eval env_ADDITIONAL_HOSTS=\$${env_slug}_ADDITIONAL_HOSTS
    if [ -n "$env_ADDITIONAL_HOSTS" ]; then
      additional_hosts="{$env_ADDITIONAL_HOSTS}"
    elif [ -n "$ADDITIONAL_HOSTS" ]; then
      additional_hosts="{$ADDITIONAL_HOSTS}"
    fi

    # collab type init
    echo "Deploying new collab-flavour release..."
    helm upgrade --install \
      --wait \
      --set image.repository="$CI_APPLICATION_REPOSITORY" \
      --set image.tag="$CI_APPLICATION_TAG" \
      --set image.pullPolicy=IfNotPresent \
      --set application.secretName="$APPLICATION_SECRET_NAME" \
      --set application.secretChecksum="$APPLICATION_SECRET_CHECKSUM" \
      --set url="https://gccollab-${CI_ENVIRONMENT_URL:8:100}" \
      --set replicaCount="$replicas" \
      --set mariadb.auth.user=collab \
      --set mariadb.auth.password=connex \
      --set env.init="gccollab" \
      --namespace="$KUBE_NAMESPACE" \
      "$name_collab" \
      .chart/collab/

  # connex type init
    echo "Deploying new connex-flavour release..."
    helm upgrade --install \
      --wait \
      --set image.repository="$CI_APPLICATION_REPOSITORY" \
      --set image.tag="$CI_APPLICATION_TAG" \
      --set image.pullPolicy=IfNotPresent \
      --set application.secretName="$APPLICATION_SECRET_NAME" \
      --set application.secretChecksum="$APPLICATION_SECRET_CHECKSUM" \
      --set url="https://gcconnex-${CI_ENVIRONMENT_URL:8:100}" \
      --set replicaCount="$replicas" \
      --set mariadb.auth.user=collab \
      --set mariadb.auth.password=connex \
      --set env.init="gcconnex" \
      --namespace="$KUBE_NAMESPACE" \
      "$name_connex" \
      .chart/collab/

    echo "$ROLLOUT_RESOURCE_TYPE/$name_collab status-collab status:"
    kubectl rollout status -n "$KUBE_NAMESPACE" -w "deploy/$name_collab-collab"

    echo "$ROLLOUT_RESOURCE_TYPE/$name_connex status-collab status:"
    kubectl rollout status -n "$KUBE_NAMESPACE" -w "deploy/$name_connex-collab"
  }

  function update_prod() {
    kubectl version
  }

  function install_dependencies() {
    apk add -U openssl curl tar gzip bash ca-certificates git
    curl -L -o /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
    curl -L -O https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.28-r0/glibc-2.28-r0.apk
    apk add glibc-2.28-r0.apk
    rm glibc-2.28-r0.apk

    curl "https://kubernetes-helm.storage.googleapis.com/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | tar zx
    mv linux-amd64/helm /usr/bin/
    mv linux-amd64/tiller /usr/bin/
    helm version --client
    tiller -version

    curl -L -o /usr/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl"
    chmod +x /usr/bin/kubectl
    kubectl version --client
  }

  function setup_docker() {
    if ! docker info &>/dev/null; then
      if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
        export DOCKER_HOST='tcp://localhost:2375'
      fi
    fi
  }

  function setup_test_db() {
    if [ -z ${KUBERNETES_PORT+x} ]; then
      DB_HOST=postgres
    else
      DB_HOST=localhost
    fi
    export DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${DB_HOST}:5432/${POSTGRES_DB}"
  }


  function ensure_namespace() {
    kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE"
  }


  # Function to ensure backwards compatibility with AUTO_DEVOPS_DOMAIN
  function ensure_kube_ingress_base_domain() {
    if [ -z ${KUBE_INGRESS_BASE_DOMAIN+x} ] && [ -n "$AUTO_DEVOPS_DOMAIN" ] ; then
      export KUBE_INGRESS_BASE_DOMAIN=$AUTO_DEVOPS_DOMAIN
    fi
  }

  function check_kube_domain() {
    ensure_kube_ingress_base_domain

    if [ -z ${KUBE_INGRESS_BASE_DOMAIN+x} ]; then
      echo "In order to deploy or use Review Apps,"
      echo "AUTO_DEVOPS_DOMAIN or KUBE_INGRESS_BASE_DOMAIN variables must be set"
      echo "From 11.8, you can set KUBE_INGRESS_BASE_DOMAIN in cluster settings"
      echo "or by defining a variable at group or project level."
      echo "You can also manually add it in .gitlab-ci.yml"
      echo "AUTO_DEVOPS_DOMAIN support will be dropped on 12.0"
      false
    else
      true
    fi
  }

  function initialize_tiller() {
    echo "Checking Tiller..."

    export HELM_HOST="localhost:44134"
    tiller -listen ${HELM_HOST} -alsologtostderr > /dev/null 2>&1 &
    echo "Tiller is listening on ${HELM_HOST}"

    if ! helm version --debug; then
      echo "Failed to init Tiller."
      return 1
    fi
    echo ""
  }

  function create_secret() {
    echo "Create secret..."
    if [[ "$CI_PROJECT_VISIBILITY" == "public" ]]; then
      return
    fi

    kubectl create secret -n "$KUBE_NAMESPACE" \
      docker-registry gitlab-registry \
      --docker-server="$CI_REGISTRY" \
      --docker-username="${CI_DEPLOY_USER:-$CI_REGISTRY_USER}" \
      --docker-password="${CI_DEPLOY_PASSWORD:-$CI_REGISTRY_PASSWORD}" \
      --docker-email="$GITLAB_USER_EMAIL" \
      -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f -
  }

  function dast() {
    export CI_ENVIRONMENT_URL=$(cat environment_url.txt)

    mkdir /zap/wrk/
    /zap/zap-baseline.py -J gl-dast-report.json -t "$CI_ENVIRONMENT_URL" || true
    cp /zap/wrk/gl-dast-report.json .
  }

  function performance() {
    export CI_ENVIRONMENT_URL=$(cat environment_url.txt)

    mkdir gitlab-exporter
    wget -O gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/10-5/index.js

    mkdir sitespeed-results

    if [ -f .gitlab-urls.txt ]
    then
      sed -i -e 's@^@'"$CI_ENVIRONMENT_URL"'@' .gitlab-urls.txt
      docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:6.3.1 --plugins.add ./gitlab-exporter --outputFolder sitespeed-results .gitlab-urls.txt
    else
      docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:6.3.1 --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "$CI_ENVIRONMENT_URL"
    fi

    mv sitespeed-results/data/performance.json performance.json
  }

  function persist_environment_url() {
      #use connex site for dast / perf since it doesn't require login for most pages
      echo https://gcconnex-${CI_ENVIRONMENT_URL:8:100} > environment_url.txt
  }

  function delete() {
    track="${1-stable}"
    name_collab=col-$(deploy_name "$track")
    name_connex=con-$(deploy_name "$track")

    if [[ -n "$(helm ls -q "^$name_collab$")" ]]; then
      helm delete --purge "$name_collab"
    fi

    if [[ -n "$(helm ls -q "^$name_connex$")" ]]; then
      helm delete --purge "$name_connex"
    fi

    secret_name=$(application_secret_name "$track")
    kubectl delete secret --ignore-not-found -n "$KUBE_NAMESPACE" "$secret_name"
  }

before_script:
  - *auto_devops