
Commit b8e3e390 authored by Benoît's avatar Benoît

Add ARM64 architecture

parent 36fab8ae
No related branches found
No related tags found
1 merge request!1Add ARM64 architecture
......@@ -7,17 +7,25 @@ include:
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
# run parallel builds for the desired architectures
parallel:
matrix:
- ARCH: amd64
- ARCH: arm64
tags:
# run each build on a suitable, preconfigured runner (must match the target architecture)
- ${ARCH}
script:
- |
if [[ -n "${CI_COMMIT_TAG}" ]]; then
DOCKER_HUB_OPTIONS="--destination=${DOCKER_HUB_DESTINATION}:${CI_APPLICATION_TAG} --destination=${DOCKER_HUB_DESTINATION}:latest"
DOCKER_HUB_OPTIONS="--destination=${DOCKER_HUB_DESTINATION}:${CI_APPLICATION_TAG}-${ARCH} --destination=${DOCKER_HUB_DESTINATION}:latest-${ARCH}"
fi
/kaniko/executor --context ${CI_PROJECT_DIR}/${IMAGE_NAME} \
--dockerfile Dockerfile \
--destination ${CI_IMAGE} \
--destination ${CI_IMAGE}-${ARCH} \
${DOCKER_HUB_OPTIONS} \
--digest-file=/dev/termination-log \
--image-name-with-digest-file=image-digest.txt \
--image-name-with-digest-file=image-digest-${ARCH}.txt \
--label org.opencontainers.image.created=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--label "org.opencontainers.image.authors=${CI_COMMIT_AUTHOR}" \
--label org.opencontainers.image.url=${CI_PROJECT_URL} \
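Review bot: The new `tags: - ${ARCH}` entry on line L25 silently widens the set of machines that hold the registry push credentials: every runner tagged `arm64` now runs this job with the same variables and, presumably via the extended docker-configuration template, the same `/kaniko/.docker/config.json` that the later hunks copy around. The comment only documents the architecture match, so I would extend it: `# the runner selected by ${ARCH} also receives the registry push credentials; keep the arm64 pool as trusted and isolated as the amd64 one`. Expansion of matrix variables inside `tags:` is version-dependent on GitLab, so a note on the minimum supported version would help anyone reusing this template. The job definition starts before this hunk, so I cannot see whether `stage:` or an `extends:` override changes any of this.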
......@@ -28,7 +36,38 @@ include:
--label "org.opencontainers.image.vendor=${CI_COMMIT_AUTHOR}" \
--label org.opencontainers.image.licenses="MIT License" \
--label org.opencontainers.image.title=${IMAGE_NAME}
- cat image-digest.txt
- cat image-digest-${ARCH}.txt
artifacts:
paths:
- image-digest.txt
- image-digest-${ARCH}.txt
.tpl:container:build:merge_manifests:
extends: .tpl:container:lib:docker-configuration
stage: build
# all containers must be build before merging them
# alternatively the job may be configured to run in a later stage
#needs:
# - job: container-build
# artifacts: false
image:
name: mplatform/manifest-tool:alpine
script:
- |
mkdir -p ${HOME}/.docker
cp /kaniko/.docker/config.json ${HOME}/.docker/config.json
manifest-tool push from-args \
--platforms linux/amd64,linux/arm64 \
--template ${CI_IMAGE}-ARCH \
--target ${CI_IMAGE}
- |
if [[ -n "${CI_COMMIT_TAG}" ]]; then
manifest-tool push from-args \
--platforms linux/amd64,linux/arm64 \
--template ${DOCKER_HUB_DESTINATION}:${CI_APPLICATION_TAG}-ARCH \
--target ${DOCKER_HUB_DESTINATION}:${CI_APPLICATION_TAG}
manifest-tool push from-args \
--platforms linux/amd64,linux/arm64 \
--template ${DOCKER_HUB_DESTINATION}:${CI_APPLICATION_TAG}-ARCH \
--target ${DOCKER_HUB_DESTINATION}:latest
fi
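Review bot: The manifest lists that `manifest-tool push from-args` creates on lines L67-L70 and L73-L80 are never signed or attested: the sign and attest jobs in the later `@@ -5,24 +5,32 @@` hunk iterate over `image-digest-${ARCH}.txt`, so only the per-architecture manifests get a cosign signature, while the references consumers actually pull (`${CI_IMAGE}`, `${DOCKER_HUB_DESTINATION}:${CI_APPLICATION_TAG}` and `:latest`) resolve to an unsigned index. Either record the digest the merge produces and feed it into the signing step as well, or document in this job that verification must target the `-amd64`/`-arm64` images rather than the merged tag. Relatedly, `--template ${CI_IMAGE}-ARCH` assembles the index from mutable tags instead of the digests the build job already wrote to `image-digest-${ARCH}.txt`, so the index contains whatever those tags point to at merge time rather than what was built and signed; a `from-spec` manifest listing the children by digest would close that gap, if manifest-tool in this image supports it. Finally, with `stage: build` and `needs:` commented out, nothing orders this job after the per-arch builds if they share the `build` stage as the commented-out `needs` suggests, so a consumer extending the template without overriding stage or needs may merge manifests that do not exist yet.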
......@@ -19,4 +19,4 @@
fi
export CI_IMAGE=${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
export CS_IMAGE=${CI_IMAGE}
echo "Destination image ${CI_IMAGE}"
\ No newline at end of file
echo "Destination image ${CI_IMAGE}"
......@@ -5,24 +5,32 @@ include:
.tpl:container:sign:sign-image:
extends: .tpl:container:lib:docker-configuration
stage: sign
parallel:
matrix:
- ARCH: amd64
- ARCH: arm64
script:
- export VAULT_TOKEN="$(vault write -field=token auth/jwt/${CI_SERVER_HOST}/login role=${CI_PROJECT_NAME} token_ttl=60 jwt=$CI_JOB_JWT)"
- mkdir -p ${HOME}/.docker
- mv /kaniko/.docker/config.json ${HOME}/.docker/config.json
- |
for digest in $(cat image-digest.txt); do
for digest in $(cat image-digest-${ARCH}.txt); do
cosign sign -a sig=gitlab-ci -y --upload=true --tlog-upload=true --key hashivault://cosign ${digest}
done
.tpl:container:sign:attest-image:
extends: .tpl:container:lib:docker-configuration
stage: sign
parallel:
matrix:
- ARCH: amd64
- ARCH: arm64
script:
- export VAULT_TOKEN="$(vault write -field=token auth/jwt/${CI_SERVER_HOST}/login role=${CI_PROJECT_NAME} token_ttl=600 jwt=$CI_JOB_JWT)"
- mkdir -p ${HOME}/.docker
- mv /kaniko/.docker/config.json ${HOME}/.docker/config.json
- |
for digest in $(cat image-digest.txt); do
for digest in $(cat image-digest-${ARCH}.txt); do
echo "Scanning image digest ${digest}"
skopeo inspect docker://${digest}
trivy image --output /tmp/image.sbom --format cosign-vuln --ignore-unfixed --severity HIGH,CRITICAL ${digest}
......
......@@ -39,7 +39,7 @@ include:
export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG}
export DOCKER_HUB_DESTINATION=captnbp/${IMAGE_NAME:-$CI_PROJECT_NAME}
fi
export CI_IMAGE=${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
export CI_IMAGE=${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}-amd64
export CS_IMAGE=${CI_IMAGE}
echo "Destination image ${CI_IMAGE}"
variables:
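Review bot: Hard-coding `-amd64` on line L129 means the scanning job this `before_script` belongs to (the block starts outside the hunk) only ever scans the amd64 image, so the arm64 image this commit introduces never goes through it, while the mr-note job later in the same file was given a `parallel: matrix` and `${CS_IMAGE}-${ARCH}` instead; the two jobs are now inconsistent. Either give this job the same matrix and use `export CI_IMAGE=${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}-${ARCH}`, or add a comment above the line stating that only the amd64 variant is scanned here and why.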
......@@ -73,6 +73,10 @@ include:
.tpl:container:test:mr-note:
stage: scan
parallel:
matrix:
- ARCH: amd64
- ARCH: arm64
before_script:
- |
if [[ -z "${CI_COMMIT_TAG}" ]]; then
......@@ -87,15 +91,15 @@ include:
export CS_IMAGE=${CI_IMAGE}
echo "Destination image ${CI_IMAGE}"
script:
- trivy image --ignore-unfixed --severity HIGH,CRITICAL ${CS_IMAGE}
- trivy image --ignore-unfixed --severity HIGH,CRITICAL ${CS_IMAGE}-${ARCH}
- |
if [[ -z "${CI_MERGE_REQUEST_IID}" ]]; then
export CI_MERGE_REQUEST_IID=$(echo $CI_OPEN_MERGE_REQUESTS | cut -d'!' -f2)
fi
trivy image --format template --template @/usr/local/share/trivy/templates/trivy-markdown-json.tpl --ignore-unfixed --severity HIGH,CRITICAL ${CS_IMAGE} > /tmp/output.json
trivy image --format template --template @/usr/local/share/trivy/templates/trivy-markdown-json.tpl --ignore-unfixed --severity HIGH,CRITICAL ${CS_IMAGE}-${ARCH} > /tmp/output.json
cat /tmp/output.json
echo "Push a MR note with trivy result:"
curl --request POST --header "PRIVATE-TOKEN: $GITLAB_TOKEN" --header "Content-Type: application/json" "https://lab.frogg.it/api/v4/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/notes" --data @/tmp/output.json
rules:
- if: $GITLAB_TOKEN && $CI_OPEN_MERGE_REQUESTS
- if: $GITLAB_TOKEN && $CI_MERGE_REQUEST_IID
\ No newline at end of file
- if: $GITLAB_TOKEN && $CI_MERGE_REQUEST_IID
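Review bot: With the matrix added in the previous hunk this script now posts one MR note per architecture, but neither the trivy invocation on line L154 nor the posted body carries `${ARCH}`, so reviewers get two indistinguishable vulnerability lists on the merge request. Include the architecture in the note, for example by echoing `${CS_IMAGE}-${ARCH}` into the rendered body before the `curl` on line L157, or by passing it to the template if `trivy-markdown-json.tpl` supports it. The `rules:` at the end are unchanged, so both matrix jobs run and post on every MR; if one note per MR is preferred, the two outputs need to be merged in a single job instead.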