-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* add command configuration * removed the unnecessary comment lines
- Loading branch information
1 parent
258055a
commit 797b067
Showing
8 changed files
with
159 additions
and
92 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,27 +21,46 @@ make deb | |
# Usage | ||
Here's how you can generate the buildkite template | ||
``` | ||
$ ./dynamic-buildkite-template | ||
$ go run main.go | ||
steps: | ||
- command: ls | ||
plugins: | ||
- equinixmetal-buildkite/cosign#v0.1.0: | ||
- equinixmetal-buildkite/docker-build#v1.1.0: | ||
build-args: | ||
- NAME=REPO_NAME | ||
push: true | ||
- ssh://[email protected]/equinixmetal/ssm-buildkite-plugin#v1.0.4: | ||
parameters: | ||
COSIGN_KEY_SECRET : test-secret | ||
COSIGN_PASSWORD : passwd | ||
- equinixmetal-buildkite/cosign#main: | ||
image: ghcr.io/my-project/my-image:latest | ||
keyless-config: | ||
fulcio-url: https://fulcio.sigstore.dev | ||
rekor-url: https://rekor.sigstore.dev | ||
cosign-version: v0.1.0 | ||
keyless : false | ||
keyed-config: | ||
key: cosign.key | ||
cosign-version: main | ||
- equinixmetal-buildkite/trivy#v1.18.3: | ||
timeout : 5m0s | ||
severity: HIGH,CRITICAL | ||
exit-code: 0 | ||
timeout : "5m0s" | ||
severity: "HIGH,CRITICAL" | ||
ignore-unfixed: true | ||
security-checks: vuln,config | ||
security-checks: "vuln,config" | ||
skip-files: "" | ||
skip-dirs: "" | ||
image-ref: "" | ||
- equinixmetal-buildkite/docker-metadata#v1.0.0: | ||
images: | ||
- "my-org/my-image" | ||
- "image2" | ||
extra_tags: | ||
- "latest" | ||
- "tag2" | ||
``` | ||
## Configuration and Overrides | ||
* Configurations are stored in `resources/config/conf.yaml` and it has default values. | ||
* Configurations from the file `resources/config/conf.yaml` can be overridden by command line flags by using the yaml configuration path as below: | ||
* Configurations are stored in `conf.yaml` and it has default values. | ||
* Configurations from the file `conf.yaml` can be overridden by command line flags by using the yaml configuration path as below: | ||
``` | ||
$ ./dynamic-buildkite-template --overrides plugins.trivy.skip-files="x.txt,y.txt" --overrides plugins.cosign.keyless=false | ||
$ go run main.go --overrides plugins.trivy.skip-files="x.txt,y.txt" --overrides plugins.cosign.keyless=false | ||
steps: | ||
- command: ls | ||
plugins: | ||
|
@@ -58,6 +77,73 @@ steps: | |
security-checks: vuln,config | ||
skip-files: 'x.txt,y.txt' | ||
``` | ||
``` | ||
$ go run main.go --overrides plugins.trivy.skip-files="x.txt,y.txt" --overrides plugins.cosign.keyless=true | ||
steps: | ||
- command: ls | ||
plugins: | ||
- equinixmetal-buildkite/docker-build#v1.1.0: | ||
build-args: | ||
- NAME=REPO_NAME | ||
push: true | ||
- equinixmetal-buildkite/cosign#main: | ||
image: ghcr.io/my-project/my-image:latest | ||
keyless-config: | ||
fulcio-url: | ||
rekor-url: | ||
cosign-version: main | ||
- equinixmetal-buildkite/trivy#v1.18.3: | ||
exit-code: 0 | ||
timeout : "5m0s" | ||
severity: "HIGH,CRITICAL" | ||
ignore-unfixed: true | ||
security-checks: "vuln,config" | ||
skip-files: "x.txt,y.txt" | ||
skip-dirs: "" | ||
image-ref: "" | ||
- equinixmetal-buildkite/docker-metadata#v1.0.0: | ||
images: | ||
- "my-org/my-image" | ||
- "image2" | ||
extra_tags: | ||
- "latest" | ||
- "tag2" | ||
``` | ||
### Default conf.yaml for example | ||
``` | ||
plugins: | ||
trivy: | ||
exit-code: 0 | ||
timeout: 5m0s | ||
severity: HIGH,CRITICAL | ||
ignore-unfixed: true | ||
security-checks: vuln,config | ||
skip-files: "" | ||
skip-dirs: "" | ||
image-ref: "" | ||
version: "" | ||
helm-overrides-files: "" | ||
``` | ||
|
||
Execute this command to run through a docker run | ||
``` | ||
$ docker run --mount type=bind,source=${PWD}/conf.yaml,target=/go/src/workspace/dynamic-buildkite-template/conf.yaml ghcr.io/equinixmetal-buildkite/dynamic-buildkite-template:latest | ||
output: | ||
steps: | ||
- command: ls | ||
plugins: | ||
- equinixmetal-buildkite/trivy#v1.18.3: | ||
exit-code: 0 | ||
timeout : "5m0s" | ||
severity: "HIGH,CRITICAL" | ||
ignore-unfixed: true | ||
security-checks: "vuln,config" | ||
skip-files: "" | ||
skip-dirs: "" | ||
image-ref: "" | ||
``` | ||
If you notice you can provide multiple `--overrides` flags and this would in turn collate to a `map[string]string` being passed to the program. The keys in override are in the yaml path format. So for a given config override you can check the path hierarchy in the `conf.yaml` and mention the override accordingly. | ||
|
||
For long term config changes, it's suggested to update the `conf.yaml` file itself. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
package cmd | ||
|
||
import ( | ||
"github.com/spf13/cobra" | ||
) | ||
|
||
// LoadCosignConfigs loads cosign plugin configuration from conf.yaml using "plugins.cosign" key | ||
func LoadCommandConfigs(cmd *cobra.Command) { | ||
m, _ := cmd.Flags().GetStringToString("overrides") | ||
for k, v := range m { | ||
if k == "command" { | ||
g.CommandConfig.CommandConfig = v | ||
g.CommandConfigEnable = true | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
package generator | ||
|
||
type CommandConfig struct { | ||
CommandConfig string `mapstructure:"command"` | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -156,11 +156,7 @@ func TestCosignStep(t *testing.T) { | |
} | ||
expected := ` | ||
steps: | ||
- label: ":docker: get cosign key" | ||
key: "getkey" | ||
command: | | ||
#!/bin/bash | ||
echo "\$COSIGN_KEY_SECRET" > ${COSIGN_KEY_PATH} | ||
- command: ls | ||
plugins: | ||
- ssh://[email protected]/equinixmetal/ssm-buildkite-plugin#: | ||
parameters: | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,46 @@ | ||
steps: | ||
{{- if .CosignPluginEnabled }} | ||
{{- if not .CosignConfig.Keyless }} | ||
- label: ":docker: get cosign key" | ||
key: "getkey" | ||
command: | | ||
{{- if .CommandConfigEnable }} | ||
- command: | | ||
#!/bin/bash | ||
echo "\$COSIGN_KEY_SECRET" > ${COSIGN_KEY_PATH} | ||
{{ .CommandConfig.CommandConfig }} | ||
plugins: | ||
{{- end }} | ||
{{- else }} | ||
- command: ls | ||
plugins: | ||
{{- end }} | ||
{{- if .DockerBuildPluginEnabled }} | ||
- equinixmetal-buildkite/docker-build#{{ .DockerBuildConfig.Version }}: | ||
{{- if .DockerBuildConfig.Dockerfile}} | ||
dockerfile: {{ .DockerBuildConfig.Dockerfile }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Context}} | ||
context : {{ .DockerBuildConfig.Context }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.SecretFile}} | ||
secret-file: {{ .DockerBuildConfig.SecretFile }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Tags}} | ||
tags: | ||
{{- range .DockerBuildConfig.Tags }} | ||
- {{ . }} | ||
{{- end }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Labels}} | ||
labels: | ||
{{- range .DockerBuildConfig.Labels }} | ||
- {{ . }} | ||
{{- end }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.BuildArgs}} | ||
build-args: | ||
{{- range .DockerBuildConfig.BuildArgs }} | ||
- {{ . }} | ||
{{- end }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Push}} | ||
push: {{ .DockerBuildConfig.Push }} | ||
{{- end }} | ||
{{- end}} | ||
{{- if .CosignPluginEnabled }} | ||
{{- if not .CosignConfig.Keyless }} | ||
- ssh://[email protected]/equinixmetal/ssm-buildkite-plugin#{{ .SSMConfig.Version }}: | ||
|
@@ -101,36 +130,3 @@ steps: | |
debug: "{{ .DockerMetadataConfig.Debug }}" | ||
{{- end}} | ||
{{- end}} | ||
{{- if .DockerBuildPluginEnabled }} | ||
- equinixmetal-buildkite/docker-build#{{ .DockerBuildConfig.Version }}: | ||
{{- if .DockerBuildConfig.Dockerfile}} | ||
dockerfile: {{ .DockerBuildConfig.Dockerfile }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Context}} | ||
context : {{ .DockerBuildConfig.Context }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.SecretFile}} | ||
secret-file: {{ .DockerBuildConfig.SecretFile }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Tags}} | ||
tags: | ||
{{- range .DockerBuildConfig.Tags }} | ||
- {{ . }} | ||
{{- end }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Labels}} | ||
labels: | ||
{{- range .DockerBuildConfig.Labels }} | ||
- {{ . }} | ||
{{- end }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.BuildArgs}} | ||
build-args: | ||
{{- range .DockerBuildConfig.BuildArgs }} | ||
- {{ . }} | ||
{{- end }} | ||
{{- end }} | ||
{{- if .DockerBuildConfig.Push}} | ||
push: {{ .DockerBuildConfig.Push }} | ||
{{- end }} | ||
{{- end}} |