add command configuration (#34)
* add command configuration

* removed the unnecessary comment lines
hnadiminti-equinix authored Feb 7, 2024
1 parent 258055a commit 797b067
Showing 8 changed files with 159 additions and 92 deletions.
110 changes: 98 additions & 12 deletions README.md
@@ -21,27 +21,46 @@ make deb
# Usage
Here's how you can generate the buildkite template
```
$ ./dynamic-buildkite-template
$ go run main.go
steps:
- command: ls
plugins:
- equinixmetal-buildkite/cosign#v0.1.0:
- equinixmetal-buildkite/docker-build#v1.1.0:
build-args:
- NAME=REPO_NAME
push: true
- ssh://[email protected]/equinixmetal/ssm-buildkite-plugin#v1.0.4:
parameters:
COSIGN_KEY_SECRET : test-secret
COSIGN_PASSWORD : passwd
- equinixmetal-buildkite/cosign#main:
image: ghcr.io/my-project/my-image:latest
keyless-config:
fulcio-url: https://fulcio.sigstore.dev
rekor-url: https://rekor.sigstore.dev
cosign-version: v0.1.0
keyless : false
keyed-config:
key: cosign.key
cosign-version: main
- equinixmetal-buildkite/trivy#v1.18.3:
timeout : 5m0s
severity: HIGH,CRITICAL
exit-code: 0
timeout : "5m0s"
severity: "HIGH,CRITICAL"
ignore-unfixed: true
security-checks: vuln,config
security-checks: "vuln,config"
skip-files: ""
skip-dirs: ""
image-ref: ""
- equinixmetal-buildkite/docker-metadata#v1.0.0:
images:
- "my-org/my-image"
- "image2"
extra_tags:
- "latest"
- "tag2"
```
## Configuration and Overrides
* Configurations are stored in `resources/config/conf.yaml` and it has default values.
* Configurations from the file `resources/config/conf.yaml` can be overridden by command line flags by using the yaml configuration path as below:
* Configurations are stored in `conf.yaml` and it has default values.
* Configurations from the file `conf.yaml` can be overridden by command line flags by using the yaml configuration path as below:
```
$ ./dynamic-buildkite-template --overrides plugins.trivy.skip-files="x.txt,y.txt" --overrides plugins.cosign.keyless=false
$ go run main.go --overrides plugins.trivy.skip-files="x.txt,y.txt" --overrides plugins.cosign.keyless=false
steps:
- command: ls
plugins:
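Review bot: the sample output at the top of this hunk (`equinixmetal-buildkite/cosign#v0.1.0`, `docker-build#v1.1.0`, the `ssm-buildkite-plugin` parameters, `docker-metadata`) no longer matches what `go run main.go` produces with the `conf.yaml` shipped in this same commit, which deletes every plugin section except `trivy`; the docker example further down this README shows the real default output (trivy step only). Either restore those defaults or trim this sample to the trivy step so the Usage section is reproducible. Smaller point in the same block: `keyless : false` and `timeout : "5m0s"` carry a space before the colon; that is valid YAML (trailing whitespace of a plain key is dropped) but it reads like a typo and should match `exit-code: 0` and the other keys.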
@@ -58,6 +77,73 @@ steps:
security-checks: vuln,config
skip-files: 'x.txt,y.txt'
```
```
$ go run main.go --overrides plugins.trivy.skip-files="x.txt,y.txt" --overrides plugins.cosign.keyless=true
steps:
- command: ls
plugins:
- equinixmetal-buildkite/docker-build#v1.1.0:
build-args:
- NAME=REPO_NAME
push: true
- equinixmetal-buildkite/cosign#main:
image: ghcr.io/my-project/my-image:latest
keyless-config:
fulcio-url:
rekor-url:
cosign-version: main
- equinixmetal-buildkite/trivy#v1.18.3:
exit-code: 0
timeout : "5m0s"
severity: "HIGH,CRITICAL"
ignore-unfixed: true
security-checks: "vuln,config"
skip-files: "x.txt,y.txt"
skip-dirs: ""
image-ref: ""
- equinixmetal-buildkite/docker-metadata#v1.0.0:
images:
- "my-org/my-image"
- "image2"
extra_tags:
- "latest"
- "tag2"
```
### Default conf.yaml for example
```
plugins:
trivy:
exit-code: 0
timeout: 5m0s
severity: HIGH,CRITICAL
ignore-unfixed: true
security-checks: vuln,config
skip-files: ""
skip-dirs: ""
image-ref: ""
version: ""
helm-overrides-files: ""
```

Execute this command to run through a docker run
```
$ docker run --mount type=bind,source=${PWD}/conf.yaml,target=/go/src/workspace/dynamic-buildkite-template/conf.yaml ghcr.io/equinixmetal-buildkite/dynamic-buildkite-template:latest
output:
steps:
- command: ls
plugins:
- equinixmetal-buildkite/trivy#v1.18.3:
exit-code: 0
timeout : "5m0s"
severity: "HIGH,CRITICAL"
ignore-unfixed: true
security-checks: "vuln,config"
skip-files: ""
skip-dirs: ""
image-ref: ""
```
If you notice you can provide multiple `--overrides` flags and this would in turn collate to a `map[string]string` being passed to the program. The keys in override are in the yaml path format. So for a given config override you can check the path hierarchy in the `conf.yaml` and mention the override accordingly.

For long term config changes, it's suggested to update the `conf.yaml` file itself.
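Review bot: the feature this commit adds, the `command` override (cmd/command.go matches the `--overrides` key `command`), is documented nowhere in this README hunk, and the closing paragraph's statement that override keys follow the yaml path format is wrong for it: `command` is a top-level key with no counterpart in the `Default conf.yaml` shown above. Add a line such as `--overrides command="make test"` to the Configuration and Overrides section and say that it replaces the default `ls` step command. Also, the keyless example at the top of the hunk prints empty `fulcio-url:` and `rekor-url:` values; since the default conf.yaml in this commit has no `cosign` section, those empties are what the cosign plugin would receive, so either show the overrides that populate them or state that they must be supplied. Minor: the docker example's `output:` line sits inside the fence as if the command printed it; move it outside the fence or drop it.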
16 changes: 16 additions & 0 deletions cmd/command.go
@@ -0,0 +1,16 @@
package cmd

import (
"github.com/spf13/cobra"
)

// LoadCosignConfigs loads cosign plugin configuration from conf.yaml using "plugins.cosign" key
func LoadCommandConfigs(cmd *cobra.Command) {
m, _ := cmd.Flags().GetStringToString("overrides")
for k, v := range m {
if k == "command" {
g.CommandConfig.CommandConfig = v
g.CommandConfigEnable = true
}
}
}
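Review bot: the doc comment still reads `LoadCosignConfigs loads cosign plugin configuration ... using "plugins.cosign" key`, but the function is `LoadCommandConfigs` and it reads the `command` key; fix the comment, since linters flag an exported function whose comment names a different identifier. The error from `cmd.Flags().GetStringToString("overrides")` is discarded with `_`; it is only non-nil when the flag is missing or has another type, but returning or logging it is cheaper than debugging a silently empty map. The loop over the whole map to find one key can be `if v, ok := m["command"]; ok { ... }`. Finally, `v` is stored verbatim and later interpolated into a YAML block scalar in the pipeline template; a value containing newlines or YAML indicators should be validated or quoted at this boundary rather than trusted as-is.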
1 change: 1 addition & 0 deletions cmd/generate.go
@@ -46,6 +46,7 @@ This Program generates step for the provided plugins with configurations
LoadDockerBuildConfigs()
// load SSM plugin
LoadSSMDataConfigs()
LoadCommandConfigs(cmd)
// generate the build template
err := generator.GenerateBuildSteps(g, os.Stdout, util.TemplateFilePath)
if err != nil {
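Review bot: the new `LoadCommandConfigs(cmd)` call is the only loader in this sequence without the `// load ...` comment its neighbours carry, and the only one that takes `cmd` as an argument while `LoadDockerBuildConfigs()` and `LoadSSMDataConfigs()` take none; for consistency add `// load command override` and either pass `cmd` to the siblings too or have `LoadCommandConfigs` obtain the flag set the same way they do.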
35 changes: 0 additions & 35 deletions conf.yaml
@@ -10,40 +10,5 @@ plugins:
image-ref: ""
version: ""
helm-overrides-files: ""
cosign:
image: "ghcr.io/my-project/my-image:latest"
keyless: false
keyless-config:
fulcio_url: "https://fulcio.sigstore.dev"
rekor_url: "https://rekor.sigstore.dev"
keyed-config:
key: "sample-key"
cosign-version: "v0.1.0"
docker-metadata:
images: ["my-org/my-image","image2"]
extra_tags: ["latest","tag2"]
title: "sample"
licenses: ""
vendor: "abc"
debug: true
docker-metadata-version: ""
ssm-buildkite-plugin:
ssm-buildkite-version: "v1.0.4"
parameters:
COSIGN_KEY_SECRET: "test-secret"
COSIGN_PASSWORD: "passwd"
GITHUB_TOKEN: "token"
docker-build:
dockerfile: "Dockerfile"
context: "."
secret-file: "id=mysecret,src=secret-file"
tags:
- "my-org/my-image:latest"
labels:
- "org.opencontainers.image.source=$BUILDKITE_REPO"
build-args:
- "FOO=bar"
- "BAZ=qux"
push: false

# --overrides plugins.trivy.skip-files="x.txt,y.txt" --overrides plugins.cosign.keyless=false
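Review bot: the commit message says only that unnecessary comment lines were removed, but this hunk also deletes the default configuration for four plugins (`cosign`, `docker-metadata`, `ssm-buildkite-plugin`, `docker-build`), which changes the program's default output and leaves the README Usage sample, which still shows those plugins, stale; the message should say so. If the intent is to stop shipping placeholder secrets such as `COSIGN_PASSWORD: "passwd"` and `GITHUB_TOKEN: "token"` in a default config, that is a good change and worth stating explicitly. For whoever restores these defaults: the deleted keys `fulcio_url`/`rekor_url` are spelled with underscores while the README output uses `fulcio-url`/`rekor-url`, so check them against the cosign config struct's mapstructure tags before reintroducing them.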
5 changes: 5 additions & 0 deletions generator/command-config.go
@@ -0,0 +1,5 @@
package generator

type CommandConfig struct {
CommandConfig string `mapstructure:"command"`
}
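Review bot: the field name stutters, producing `g.CommandConfig.CommandConfig` at the call sites in cmd/command.go and in the template; `Command string \`mapstructure:"command"\`` reads better. The `mapstructure:"command"` tag also implies the value is unmarshalled from conf.yaml, yet cmd/command.go sets the field directly from the `--overrides` flag and the default conf.yaml in this commit has no `command` key; either wire the struct into the config unmarshalling (so users can set `command` in conf.yaml, as the README recommends for long-term changes) or drop the tag.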
6 changes: 1 addition & 5 deletions generator/common-pipeline_test.go
@@ -156,11 +156,7 @@ func TestCosignStep(t *testing.T) {
}
expected := `
steps:
- label: ":docker: get cosign key"
key: "getkey"
command: |
#!/bin/bash
echo "\$COSIGN_KEY_SECRET" > ${COSIGN_KEY_PATH}
- command: ls
plugins:
- ssh://[email protected]/equinixmetal/ssm-buildkite-plugin#:
parameters:
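Review bot: the expected output loses the `get cosign key` step, matching the template change, but nothing in this hunk covers the new code path: there is no test that sets `CommandConfigEnable` with a `CommandConfig` value and asserts on the rendered `- command: |` block, and `TestCosignStep` now only pins the `- command: ls` default. Add a case with a multi-line command and one containing `:` or `#` so the test documents how the override lands in YAML; those are the inputs most likely to break the block scalar.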
2 changes: 2 additions & 0 deletions generator/generator.go
@@ -8,9 +8,11 @@ type Generator struct {
DockerMetadataPluginEnabled bool
SSMPluginEnabled bool
DockerBuildPluginEnabled bool
CommandConfigEnable bool
TPConfig TrivyPluginConfig
CosignConfig CosignPluginConfig
DockerMetadataConfig DockerMetadataPluginConfig
SSMConfig SSMPluginConfig
DockerBuildConfig DockerBuildConfig
CommandConfig CommandConfig
}
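Review bot: `CommandConfigEnable` breaks the naming convention of the surrounding booleans (`CosignPluginEnabled`, `SSMPluginEnabled`, `DockerBuildPluginEnabled`); rename it `CommandConfigEnabled` (or, since it is only true when the `command` override is present, `CommandOverridden`) and update cmd/command.go and the template to match.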
76 changes: 36 additions & 40 deletions templates/plugins-step.tmpl
@@ -1,17 +1,46 @@
steps:
{{- if .CosignPluginEnabled }}
{{- if not .CosignConfig.Keyless }}
- label: ":docker: get cosign key"
key: "getkey"
command: |
{{- if .CommandConfigEnable }}
- command: |
#!/bin/bash
echo "\$COSIGN_KEY_SECRET" > ${COSIGN_KEY_PATH}
{{ .CommandConfig.CommandConfig }}
plugins:
{{- end }}
{{- else }}
- command: ls
plugins:
{{- end }}
{{- if .DockerBuildPluginEnabled }}
- equinixmetal-buildkite/docker-build#{{ .DockerBuildConfig.Version }}:
{{- if .DockerBuildConfig.Dockerfile}}
dockerfile: {{ .DockerBuildConfig.Dockerfile }}
{{- end }}
{{- if .DockerBuildConfig.Context}}
context : {{ .DockerBuildConfig.Context }}
{{- end }}
{{- if .DockerBuildConfig.SecretFile}}
secret-file: {{ .DockerBuildConfig.SecretFile }}
{{- end }}
{{- if .DockerBuildConfig.Tags}}
tags:
{{- range .DockerBuildConfig.Tags }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .DockerBuildConfig.Labels}}
labels:
{{- range .DockerBuildConfig.Labels }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .DockerBuildConfig.BuildArgs}}
build-args:
{{- range .DockerBuildConfig.BuildArgs }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .DockerBuildConfig.Push}}
push: {{ .DockerBuildConfig.Push }}
{{- end }}
{{- end}}
{{- if .CosignPluginEnabled }}
{{- if not .CosignConfig.Keyless }}
- ssh://[email protected]/equinixmetal/ssm-buildkite-plugin#{{ .SSMConfig.Version }}:
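Review bot: `{{ .CommandConfig.CommandConfig }}` is interpolated verbatim under `command: |`, so the override value becomes part of the pipeline YAML; the rendered diff hides indentation, but a block scalar only continues while each line is indented at least as far as its first, so a value containing a newline followed by a less-indented line ends the scalar and the remainder is parsed as new mapping entries (or fails to parse). Either emit the value as a YAML double-quoted scalar through a template helper whose escaping you have checked against the YAML spec, or indent every line of the value in a helper, and have the test suite pin the result. Second, this hunk deletes the `get cosign key` step that wrote `$COSIGN_KEY_SECRET` to `${COSIGN_KEY_PATH}`, but the keyed path is still selected by `{{- if not .CosignConfig.Keyless }}` and the README still shows `keyed-config: key: cosign.key`; nothing visible now creates that file, so confirm the ssm plugin or the user's own command provides it, otherwise keyed signing has no key to use.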
@@ -101,36 +130,3 @@ steps:
debug: "{{ .DockerMetadataConfig.Debug }}"
{{- end}}
{{- end}}
{{- if .DockerBuildPluginEnabled }}
- equinixmetal-buildkite/docker-build#{{ .DockerBuildConfig.Version }}:
{{- if .DockerBuildConfig.Dockerfile}}
dockerfile: {{ .DockerBuildConfig.Dockerfile }}
{{- end }}
{{- if .DockerBuildConfig.Context}}
context : {{ .DockerBuildConfig.Context }}
{{- end }}
{{- if .DockerBuildConfig.SecretFile}}
secret-file: {{ .DockerBuildConfig.SecretFile }}
{{- end }}
{{- if .DockerBuildConfig.Tags}}
tags:
{{- range .DockerBuildConfig.Tags }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .DockerBuildConfig.Labels}}
labels:
{{- range .DockerBuildConfig.Labels }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .DockerBuildConfig.BuildArgs}}
build-args:
{{- range .DockerBuildConfig.BuildArgs }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .DockerBuildConfig.Push}}
push: {{ .DockerBuildConfig.Push }}
{{- end }}
{{- end}}

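Review bot: this is the other half of moving the docker-build block above the cosign section; the removed lines are identical to the lines added at the top of the file, so nothing is lost, but the move changes plugin ordering and is not mentioned in the commit message. Buildkite runs plugin hooks in the order the plugins are listed, so docker-build's hooks now run before cosign's; that is the right order if cosign is meant to sign the image docker-build pushes, but it is a behaviour change and deserves a line in the message. Nit carried over with the move: the closing `{{- end}}` of the `DockerBuildPluginEnabled` block omits the space that every other `{{- end }}` in the file has.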