Commit a78432f1 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/sast-cascading-policy' into 'master'

feat(score): run score against cascading environments

See merge request to-be-continuous/kubernetes!50
parents b2ce8899 07dbbae7
+34 −77
@@ -596,7 +596,8 @@ stages:
    - *k8s-scripts
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"

.k8s-score:
# Kube-Score job as parallel matrix
k8s-score:
  extends: .k8s-base
  stage: package-test
  image:
@@ -604,6 +605,38 @@ stages:
    entrypoint: [""]
  script:
    - score "$ENV_TYPE"
  parallel:
    matrix:
      - ENV_TYPE: review
      - ENV_TYPE: integration
      - ENV_TYPE: staging
      - ENV_TYPE: production
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $K8S_SCORE_DISABLED is set
    - if: '$K8S_SCORE_DISABLED == "true"'
      when: never
    # exclude review if $K8S_REVIEW_SPACE unset
    - if: '$ENV_TYPE == "review" && ($K8S_REVIEW_SPACE == null || $K8S_REVIEW_SPACE == "")'
      when: never
    # exclude review on integration or prod branch
    - if: '$ENV_TYPE == "review" && ($CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF)'
      when: never
    # exclude integration if $K8S_INTEG_SPACE unset
    - if: '$ENV_TYPE == "integration" && ($K8S_INTEG_SPACE == null || $K8S_INTEG_SPACE == "")'
      when: never
    # exclude integration on prod branch
    - if: '$ENV_TYPE == "integration" && $CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    # exclude staging if $K8S_STAGING_SPACE unset
    - if: '$ENV_TYPE == "staging" && ($K8S_STAGING_SPACE == null || $K8S_STAGING_SPACE == "")'
      when: never
    # exclude production if $K8S_PROD_SPACE unset
    - if: '$ENV_TYPE == "production" && ($K8S_PROD_SPACE == null || $K8S_PROD_SPACE == "")'
      when: never
    - !reference [.test-policy, rules]


# Deploy job prototype
@@ -668,25 +701,6 @@ stages:
  environment:
    action: stop

k8s-score-review:
  extends: .k8s-score
  variables:
    ENV_TYPE: review
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $K8S_SCORE_DISABLED is set
    - if: '$K8S_SCORE_DISABLED == "true"'
      when: never
    # exclude if $K8S_REVIEW_SPACE unset
    - if: '$K8S_REVIEW_SPACE == null || $K8S_REVIEW_SPACE == ""'
      when: never
    # only on non-production, non-integration branches
    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
      when: never
    - !reference [.test-policy, rules]

k8s-review:
  extends: .k8s-deploy
  variables:
@@ -734,25 +748,6 @@ k8s-cleanup-review:
      when: manual
      allow_failure: true

k8s-score-integration:
  extends: .k8s-score
  variables:
    ENV_TYPE: integration
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $K8S_SCORE_DISABLED is set
    - if: '$K8S_SCORE_DISABLED == "true"'
      when: never
    # exclude if $K8S_INTEG_SPACE unset
    - if: '$K8S_INTEG_SPACE == null || $K8S_INTEG_SPACE == ""'
      when: never
    # only on integration branch
    - if: '$CI_COMMIT_REF_NAME !~ $INTEG_REF'
      when: never
    - !reference [.test-policy, rules]

k8s-integration:
  extends: .k8s-deploy
  variables:
@@ -778,25 +773,6 @@ k8s-integration:
# only manually promote to production, enable this job by setting
# $K8S_STAGING_SPACE.

k8s-score-staging:
  extends: .k8s-score
  variables:
    ENV_TYPE: staging
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $K8S_SCORE_DISABLED is set
    - if: '$K8S_SCORE_DISABLED == "true"'
      when: never
    # exclude if $K8S_STAGING_SPACE unset
    - if: '$K8S_STAGING_SPACE == null || $K8S_STAGING_SPACE == ""'
      when: never
    # only on prod branch
    - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

k8s-staging:
  extends: .k8s-deploy
  variables:
@@ -815,25 +791,6 @@ k8s-staging:
    # only on production branch(es), with $K8S_STAGING_SPACE set
    - if: '$K8S_STAGING_SPACE && $CI_COMMIT_REF_NAME =~ $PROD_REF'

k8s-score-production:
  extends: .k8s-score
  variables:
    ENV_TYPE: production
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $K8S_SCORE_DISABLED is set
    - if: '$K8S_SCORE_DISABLED == "true"'
      when: never
    # exclude if $K8S_PROD_SPACE unset
    - if: '$K8S_PROD_SPACE == null || $K8S_PROD_SPACE == ""'
      when: never
    # only on prod branch
    - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

# deploy to production if on branch master and variable K8S_PROD_SPACE defined and AUTODEPLOY_TO_PROD is set
k8s-production:
  extends: .k8s-deploy
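Review bot: Renaming the hidden `.k8s-score` job to `k8s-score` (first hunk) and removing the four `k8s-score-<env>` jobs (hunks 3–6) is a breaking change for downstream pipelines that `extends: .k8s-score` or override one of the removed job names, since a project-side override of a job that no longer exists in the template would become a standalone job with no `script`. Unless the full commit message already carries a `BREAKING CHANGE:` footer, it should, and the new matrix job names (`k8s-score: [production]` and so on, which `needs:` and overrides must now target) belong in the changelog. The new matrix rules also change the policy rather than merely restructuring it: staging and production manifests are now scored on every branch and integration on every non-prod branch, whereas the removed jobs each ran only on their own branch, so a comment above `k8s-score:` stating the intent would help readers, e.g. `# Cascading policy: review is scored on feature branches only, integration on all but prod branches, staging and production on every branch; each entry still requires its K8S_*_SPACE to be set.` If `score "$ENV_TYPE"` depends on protected, environment-scoped CI variables, the staging and production entries will now run on unprotected branches where those variables are not exposed — worth confirming that `score` only renders manifests locally.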