Loading templates/gitlab-ci-helm.yml +83 −135 Original line number Diff line number Diff line Loading @@ -707,14 +707,54 @@ stages: - .cache - .config .helm-values-lint: helm-values-lint: extends: .helm-base image: name: $HELM_YAMLLINT_IMAGE entrypoint: [""] stage: test parallel: matrix: - VAR_PREFIX: COMMON - VAR_PREFIX: REVIEW - VAR_PREFIX: INTEG - VAR_PREFIX: STAGING - VAR_PREFIX: PROD script: - values_file=$(eval echo "\$HELM_${VAR_PREFIX}_VALUES") - awkenvsubst < "$values_file" > generated-values.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values.yml rules: # exclude tags - if: $CI_COMMIT_TAG when: never # exclude when $HELM_YAMLLINT_DISABLED is set - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never # exclude common if $HELM_COMMON_VALUES unset - if: '$VAR_PREFIX == "COMMON" && ($HELM_COMMON_VALUES == null || $HELM_COMMON_VALUES == "")' when: never # exclude review if $HELM_REVIEW_VALUES unset - if: '$VAR_PREFIX == "REVIEW" && ($HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == "")' when: never # exclude review on integration or prod branch - if: '$VAR_PREFIX == "REVIEW" && ($CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF)' when: never # exclude integration if $HELM_INTEG_VALUES unset - if: '$VAR_PREFIX == "INTEG" && ($HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == "")' when: never # exclude integration on prod branch - if: '$VAR_PREFIX == "INTEG" && $CI_COMMIT_REF_NAME =~ $PROD_REF' when: never # exclude staging if $HELM_STAGING_VALUES unset - if: '$VAR_PREFIX == "STAGING" && ($HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == "")' when: never # exclude production if $HELM_PROD_VALUES unset - if: '$VAR_PREFIX == "PROD" && ($HELM_PROD_VALUES == null || $HELM_PROD_VALUES == "")' when: never - !reference [.test-policy, rules] .helm-score: helm-score: extends: .helm-base image: name: $HELM_KUBE_SCORE_IMAGE Loading 
@@ -736,6 +776,47 @@ stages: log_error "You need at least one Chart.yaml or external deploy chart reference" exit 1 fi parallel: matrix: - ENV_TYPE: review VAR_PREFIX: REVIEW - ENV_TYPE: integration VAR_PREFIX: INTEG - ENV_TYPE: staging VAR_PREFIX: STAGING - ENV_TYPE: production VAR_PREFIX: PROD script: - awkenvsubst < "${HELM_COMMON_VALUES:-/dev/null}" > generated-values-common.yml - env_values=$(eval echo "\$HELM_${VAR_PREFIX}_VALUES") - awkenvsubst < "$env_values" > generated-values-env.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-env.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude tags - if: $CI_COMMIT_TAG when: never # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never # exclude review if $HELM_REVIEW_VALUES unset - if: '$ENV_TYPE == "review" && ($HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == "")' when: never # exclude review on integration or prod branch - if: '$ENV_TYPE == "review" && ($CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF)' when: never # exclude integration if $HELM_INTEG_VALUES unset - if: '$ENV_TYPE == "integration" && ($HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == "")' when: never # exclude integration on prod branch - if: '$ENV_TYPE == "integration" && $CI_COMMIT_REF_NAME =~ $PROD_REF' when: never # exclude staging if $HELM_STAGING_VALUES unset - if: '$ENV_TYPE == "staging" && ($HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == "")' when: never # exclude production if $HELM_PROD_VALUES unset - if: '$ENV_TYPE == "production" && ($HELM_PROD_VALUES == null || $HELM_PROD_VALUES == "")' when: never - !reference [.test-policy, rules] # ================================================== # Stage: check Loading 
@@ -757,139 +838,6 @@ helm-lint: - exists: - "**/Chart.yaml" # yamllint-job is used to check the syntax of the values files. helm-values-common-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-common.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_COMMON_VALUES == null || $HELM_COMMON_VALUES == ""' when: never - !reference [.test-policy, rules] helm-values-review-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_REVIEW_VALUES" > generated-values-review.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-review.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""' when: never # only on non-production, non-integration branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' when: never - !reference [.test-policy, rules] helm-values-integration-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_INTEG_VALUES" > generated-values-integration.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-integration.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""' when: never # only on non-production branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF' when: never - !reference [.test-policy, rules] helm-values-staging-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_STAGING_VALUES" > generated-values-staging.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-staging.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""' when: never - !reference [.test-policy, rules] helm-values-prod-lint: extends: .helm-values-lint script: - awkenvsubst < 
"$HELM_PROD_VALUES" > generated-values-prod.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-prod.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""' when: never - !reference [.test-policy, rules] helm-review-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < "$HELM_REVIEW_VALUES" > generated-values-review.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-review.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_KUBE_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""' when: never # only on non-production, non-integration branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' when: never - !reference [.test-policy, rules] helm-integration-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < "$HELM_INTEG_VALUES" > generated-values-integration.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-integration.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""' when: never # only on non-production branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF' when: never - !reference [.test-policy, rules] helm-staging-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < 
"$HELM_STAGING_VALUES" > generated-values-staging.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-staging.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""' when: never - !reference [.test-policy, rules] helm-prod-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < "$HELM_PROD_VALUES" > generated-values-prod.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-prod.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""' when: never - !reference [.test-policy, rules] # ================================================== # Stage: package-build # ================================================== Loading Loading
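Review bot: The new `script:` lines in `helm-values-lint` and `helm-score` resolve the values file with `eval echo "\$HELM_${VAR_PREFIX}_VALUES"`, so the shell re-parses a string built from `VAR_PREFIX`. The matrix lists only fixed prefixes, but if `VAR_PREFIX` can be overridden from outside the template (for example by a pipeline-level variable, which I believe takes precedence over job-level ones), its content would be evaluated as shell code; the unquoted expansion inside `eval` also word-splits and globs the resulting path. A lookup without `eval` avoids both, e.g. `values_file=$(printenv "HELM_${VAR_PREFIX}_VALUES")` (and the same for `env_values`), assuming `printenv` is present in both images; otherwise use a `case "$VAR_PREFIX"` allow-list that assigns from the five known variables. Separately, the comment `# exclude when $HELM_SCORE_DISABLED is set` in `helm-score` names a variable the rule does not test and should read `$HELM_KUBE_SCORE_DISABLED`. The `helm-score` job spans the first two hunks and part of its body is not shown here.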
templates/gitlab-ci-helm.yml +83 −135 Original line number Diff line number Diff line Loading @@ -707,14 +707,54 @@ stages: - .cache - .config .helm-values-lint: helm-values-lint: extends: .helm-base image: name: $HELM_YAMLLINT_IMAGE entrypoint: [""] stage: test parallel: matrix: - VAR_PREFIX: COMMON - VAR_PREFIX: REVIEW - VAR_PREFIX: INTEG - VAR_PREFIX: STAGING - VAR_PREFIX: PROD script: - values_file=$(eval echo "\$HELM_${VAR_PREFIX}_VALUES") - awkenvsubst < "$values_file" > generated-values.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values.yml rules: # exclude tags - if: $CI_COMMIT_TAG when: never # exclude when $HELM_YAMLLINT_DISABLED is set - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never # exclude common if $HELM_COMMON_VALUES unset - if: '$VAR_PREFIX == "COMMON" && ($HELM_COMMON_VALUES == null || $HELM_COMMON_VALUES == "")' when: never # exclude review if $HELM_REVIEW_VALUES unset - if: '$VAR_PREFIX == "REVIEW" && ($HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == "")' when: never # exclude review on integration or prod branch - if: '$VAR_PREFIX == "REVIEW" && ($CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF)' when: never # exclude integration if $HELM_INTEG_VALUES unset - if: '$VAR_PREFIX == "INTEG" && ($HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == "")' when: never # exclude integration on prod branch - if: '$VAR_PREFIX == "INTEG" && $CI_COMMIT_REF_NAME =~ $PROD_REF' when: never # exclude staging if $HELM_STAGING_VALUES unset - if: '$VAR_PREFIX == "STAGING" && ($HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == "")' when: never # exclude production if $HELM_PROD_VALUES unset - if: '$VAR_PREFIX == "PROD" && ($HELM_PROD_VALUES == null || $HELM_PROD_VALUES == "")' when: never - !reference [.test-policy, rules] .helm-score: helm-score: extends: .helm-base image: name: $HELM_KUBE_SCORE_IMAGE Loading 
@@ -736,6 +776,47 @@ stages: log_error "You need at least one Chart.yaml or external deploy chart reference" exit 1 fi parallel: matrix: - ENV_TYPE: review VAR_PREFIX: REVIEW - ENV_TYPE: integration VAR_PREFIX: INTEG - ENV_TYPE: staging VAR_PREFIX: STAGING - ENV_TYPE: production VAR_PREFIX: PROD script: - awkenvsubst < "${HELM_COMMON_VALUES:-/dev/null}" > generated-values-common.yml - env_values=$(eval echo "\$HELM_${VAR_PREFIX}_VALUES") - awkenvsubst < "$env_values" > generated-values-env.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-env.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude tags - if: $CI_COMMIT_TAG when: never # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never # exclude review if $HELM_REVIEW_VALUES unset - if: '$ENV_TYPE == "review" && ($HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == "")' when: never # exclude review on integration or prod branch - if: '$ENV_TYPE == "review" && ($CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF)' when: never # exclude integration if $HELM_INTEG_VALUES unset - if: '$ENV_TYPE == "integration" && ($HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == "")' when: never # exclude integration on prod branch - if: '$ENV_TYPE == "integration" && $CI_COMMIT_REF_NAME =~ $PROD_REF' when: never # exclude staging if $HELM_STAGING_VALUES unset - if: '$ENV_TYPE == "staging" && ($HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == "")' when: never # exclude production if $HELM_PROD_VALUES unset - if: '$ENV_TYPE == "production" && ($HELM_PROD_VALUES == null || $HELM_PROD_VALUES == "")' when: never - !reference [.test-policy, rules] # ================================================== # Stage: check Loading 
@@ -757,139 +838,6 @@ helm-lint: - exists: - "**/Chart.yaml" # yamllint-job is used to check the syntax of the values files. helm-values-common-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-common.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_COMMON_VALUES == null || $HELM_COMMON_VALUES == ""' when: never - !reference [.test-policy, rules] helm-values-review-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_REVIEW_VALUES" > generated-values-review.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-review.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""' when: never # only on non-production, non-integration branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' when: never - !reference [.test-policy, rules] helm-values-integration-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_INTEG_VALUES" > generated-values-integration.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-integration.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""' when: never # only on non-production branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF' when: never - !reference [.test-policy, rules] helm-values-staging-lint: extends: .helm-values-lint script: - awkenvsubst < "$HELM_STAGING_VALUES" > generated-values-staging.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-staging.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""' when: never - !reference [.test-policy, rules] helm-values-prod-lint: extends: .helm-values-lint script: - awkenvsubst < 
"$HELM_PROD_VALUES" > generated-values-prod.yml - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values-prod.yml rules: - if: '$HELM_YAMLLINT_DISABLED == "true"' when: never - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""' when: never - !reference [.test-policy, rules] helm-review-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < "$HELM_REVIEW_VALUES" > generated-values-review.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-review.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_KUBE_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""' when: never # only on non-production, non-integration branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' when: never - !reference [.test-policy, rules] helm-integration-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < "$HELM_INTEG_VALUES" > generated-values-integration.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-integration.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""' when: never # only on non-production branches - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF' when: never - !reference [.test-policy, rules] helm-staging-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < 
"$HELM_STAGING_VALUES" > generated-values-staging.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-staging.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""' when: never - !reference [.test-policy, rules] helm-prod-score: extends: .helm-score script: - if [ -z "$HELM_COMMON_VALUES" ]; then HELM_COMMON_VALUES=/dev/null; fi - awkenvsubst < "$HELM_COMMON_VALUES" > generated-values-common.yml - awkenvsubst < "$HELM_PROD_VALUES" > generated-values-prod.yml - helm template $helm_package --values generated-values-common.yml --values generated-values-prod.yml | kube-score score ${HELM_KUBE_SCORE_ARGS} - rules: # exclude when $HELM_SCORE_DISABLED is set - if: '$HELM_KUBE_SCORE_DISABLED == "true"' when: never - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""' when: never - !reference [.test-policy, rules] # ================================================== # Stage: package-build # ================================================== Loading