Commit c8d52c6b authored by Clement Bois's avatar Clement Bois

Merge branch 'move-validation-to-components' into 'main'

feat: add variables and allow to use as component

Closes #10

See merge request to-be-continuous/tools/gitlab-ci!7
parents c819f757 28ccef5c
+105 −7
@@ -2,15 +2,78 @@

## Overview

This template provides a jobs to validate your template syntax.
This template provides jobs to validate your template syntax.

## Template Extraction

The template extracts shell scripts embedded between `BEGSCRIPT` and `ENDSCRIPT`
within `GITLAB_CI_FILES` variable (GitLab CI files pattern(s) to analyze).

It store it into an artifacts inside `script.sh` file for analysis.

### Use Extract as a CI/CD Component

Add the following to your `.gitlab-ci.yml`:

```yaml
stages:
  - build

include:
  # 1: include the component
  - component: $CI_SERVER_FQDN/to-be-continuous/tools/gitlab-ci/debian/extract
    # 2: set/override component inputs
    inputs:
      # ⚠ this is only an example
      gitlab-ci-files: "templates/*.yml"
```

### Use Extract as a CI/CD Template (Legacy)

Add the following to your `.gitlab-ci.yml`:

```yaml
include:
  - project: 'to-be-continuous/tools/gitlab-ci'
    file: '/templates/extract.yml'

stages:
  - build

variables:
  GITLAB_CI_FILES: "templates/*.yml"
```

## Template Validation

The template implements validation jobs of the CI:

* `gitlab-ci-lint` job, enabled with `GITLAB_CI_FILES` variable (GitLab CI files pattern(s) to analyze).
* `check-links` job, validating links in files defined via `CHECK_LINKS_FILES` variable
* `tbc-check` job, which will check that `kicker.json` file is consistent with template when it exists

It uses the [GitLab CI Lint API](https://docs.gitlab.com/api/lint/).

## Template validation
### Use Validation as a CI/CD Component

The template implements a `gitlab-ci-lint` job, enabled with `GITLAB_CI_FILES` variable (GitLab CI files pattern(s) to analyse).
Add the following to your `.gitlab-ci.yml`:

Example of a `.gitlab-ci.yml` file for a GitLab CI template project:
```yaml
stages:
  - build

include:
  # 1: include the component
  - component: $CI_SERVER_FQDN/to-be-continuous/tools/gitlab-ci/debian/validation
    # 2: set/override component inputs
    inputs:
      # ⚠ this is only an example
      gitlab-ci-files: "templates/*.yml"
```

### Use Validation as a CI/CD Template (Legacy)

Add the following to your `.gitlab-ci.yml`:

```yaml
include:
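Review bot: the new sentence "It store it into an artifacts inside `script.sh` file for analysis." is ungrammatical; suggest "It stores the result as an artifact in `script.sh` for analysis." In the Validation component section the new lead-in "Add the following to your `.gitlab-ci.yml`:" is immediately followed by the retained "Example of a `.gitlab-ci.yml` file for a GitLab CI template project:", so the YAML block now has two lead-ins; keep one of them.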
@@ -23,6 +86,42 @@ stages:
variables:
  GITLAB_CI_FILES: "templates/*.yml"
```

## Jobs

### `gitlab-ci-lint` Job

The job validates GitLab CI files.

It uses the following variables:

| Input / Variable  | Description                            | Default value     |
| ----------------- | -------------------------------------- | ----------------- |
| `gitlab-ci-lint-image` / `GITLAB_CI_LINT_IMAGE` | The Docker image used to run CI validation | `docker.io/badouralix/curl-jq:latest` |
| `gitlab-ci-files` / `GITLAB_CI_FILES` | GitLab CI files pattern(s) to analyze | **must be defined to launch job** |

### `check-links` Job

The job check that links in files are still existent

It uses the following variables:

| Input / Variable  | Description                            | Default value     |
| ----------------- | -------------------------------------- | ----------------- |
| `check-links-image` / `CHECK_LINKS_IMAGE` | The Docker image used to run link check with lychee | `docker.io/lycheeverse/lychee:latest` |
| `gitlab-ci-files` / `GITLAB_CI_FILES` | files pattern(s) to analyze | `*.md` |
| `lychee-extra-opts` / `LYCHEE_EXTRA_OPTS` | extra options for lychee | _none_ |

### `tbc-check` Job

The job checks that `kicker.json` file is consistent with template when it exists

It uses the following variables:

| Input / Variable  | Description                            | Default value     |
| ----------------- | -------------------------------------- | ----------------- |
| `tbc-check-image` / `TBC_CHECK_IMAGE` | The Docker image used to run tbc check | `registry.gitlab.com/to-be-continuous/tools/tbc-check:latest` |

## Variants

The default validation template is designed to work on untagged runners, without any proxy configuration using Docker images
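Review bot: the `check-links` variables table lists `gitlab-ci-files` / `GITLAB_CI_FILES` with default `*.md`, but the job reads `check-links-files` / `CHECK_LINKS_FILES` (the overview list above also names `CHECK_LINKS_FILES`), so the row should be `check-links-files` / `CHECK_LINKS_FILES`; as written, a reader following the table would set `GITLAB_CI_FILES`, which is the `gitlab-ci-lint` input. Minor wording: "The job check that links in files are still existent" should read "The job checks that links in files still resolve", and the `tbc-check` sentence is missing its final period.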
@@ -40,7 +139,7 @@ In order to be able to communicate with the Vault server, the variant requires t

| Input / Variable  | Description                            | Default value     |
| ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
| `tbc-vault-image` / `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | **must be defined** |
| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
@@ -82,4 +181,3 @@ variables:
  # Secrets managed by Vault
  GITLAB_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-infra/gitlab?field=token"
```
+12 −1
spec:
  inputs:
    tbc-extract-image:
      description: "Docker image to use for extracting the shell script from TBC templates"
      default: "docker.io/library/alpine:latest"
    gitlab-ci-files:
      description: "Glob pattern for GitLab CI YAML files to lint (e.g. .gitlab-ci.yml or ci/*.yml)"
      default: ""

---
variables:
  # base image used to extract the shell script part from TBC templates
  TBC_EXTRACT_IMAGE: docker.io/library/alpine
  TBC_EXTRACT_IMAGE: $[[ inputs.tbc-extract-image ]]
  GITLAB_CI_FILES: $[[ inputs.gitlab-ci-files ]]

# this job extracts the bash script from the given template(s)
extract-script:
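Review bot: the `gitlab-ci-files` input description "Glob pattern for GitLab CI YAML files to lint" appears copied from the validation component, but this component extracts embedded scripts rather than linting, so the description should say so (e.g. "Glob pattern for GitLab CI YAML files to extract scripts from"). The default image also moves from the untagged `docker.io/library/alpine` to `docker.io/library/alpine:latest`; both are mutable references, so consumers wanting reproducible extraction should pin a version or digest through `tbc-extract-image`, which deserves a line in the README.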
+7 −4
@@ -3,6 +3,9 @@
# ====================================================================================================================
spec:
  inputs:
    tbc-vault-image:
      description: Docker image to use for Vault secrets provider
      default: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest
    vault-base-url:
      description: The Vault server base API url
      default: ''
@@ -12,7 +15,7 @@ spec:
---
variables:
  # variabilized vault-secrets-provider image
  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest
  TBC_VAULT_IMAGE: $[[ inputs.tbc-vault-image ]]
  # variables have to be explicitly declared in the YAML to be exported to the service
  VAULT_ROLE_ID: $VAULT_ROLE_ID
  VAULT_SECRET_ID: $VAULT_SECRET_ID
+40 −5
spec:
  inputs:
    gitlab-ci-lint-image:
      description: "Docker image to use for GitLab CI linting"
      default: "docker.io/badouralix/curl-jq:latest"
    gitlab-ci-files:
      description: "Glob pattern for GitLab CI YAML files to lint (e.g. .gitlab-ci.yml or ci/*.yml)"
      default: ""
    check-links-image:
      description: "Docker image to use for checking links with lychee"
      default: "docker.io/lycheeverse/lychee:latest"
    check-links-files:
      description: "Glob pattern for files to check links in with lychee (e.g. docs/**/*.md)"
      default: "*.md"
    lychee-extra-opts:
      description: "Extra options to pass to lychee when checking links (e.g. --timeout 10)"
      default: ""
    tbc-check-image:
      description: "Docker image to use for checking to be continuous"
      default: "registry.gitlab.com/to-be-continuous/tools/tbc-check:latest"
---

.lint-scripts: &lint-scripts |
  set -e
  function log_info() {
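Review bot: the `tbc-check-image` description "Docker image to use for checking to be continuous" does not say what is checked; suggest "Docker image used by the `tbc-check` job (checks `kicker.json` consistency)", matching the README wording. All three image defaults (`gitlab-ci-lint-image`, `check-links-image`, `tbc-check-image`) use the mutable `:latest` tag; since these inputs exist so consumers can override the image, the README could recommend pinning a version or digest for reproducible validation runs.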
@@ -221,6 +243,19 @@
  unscope_variables
  eval_all_secrets

variables:
  # Default GitLab CI image (can be overridden)
  GITLAB_CI_LINT_IMAGE: $[[ inputs.gitlab-ci-lint-image ]]
  GITLAB_CI_FILES: $[[ inputs.gitlab-ci-files ]]
  # Default Check links image (can be overridden)
  CHECK_LINKS_IMAGE: $[[ inputs.check-links-image  ]]
  CHECK_LINKS_FILES: $[[ inputs.check-links-files  ]]
  # Extra options to pass to lychee
  LYCHEE_EXTRA_OPTS: $[[ inputs.lychee-extra-opts  ]]
  # Default to be continuous check image (can be overridden)
  TBC_CHECK_IMAGE: $[[ inputs.tbc-check-image  ]]


.gitlab-ci-base:
  before_script:
    - !reference [.lint-scripts]
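Review bot: style: `$[[ inputs.check-links-image  ]]`, `$[[ inputs.check-links-files  ]]`, `$[[ inputs.lychee-extra-opts  ]]` and `$[[ inputs.tbc-check-image  ]]` have a double space before `]]` while the two lines above use a single space; make them consistent. The comment "Default GitLab CI image (can be overridden)" should name the lint image, and one of the two blank lines after `TBC_CHECK_IMAGE` can go.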
@@ -229,7 +264,7 @@
gitlab-ci-lint:
  extends: .gitlab-ci-base
  stage: build
  image: docker.io/badouralix/curl-jq:latest
  image: $GITLAB_CI_LINT_IMAGE
  script:
    - ci_lint
  rules:
@@ -239,7 +274,7 @@ gitlab-ci-lint:
check-links:
  extends: .gitlab-ci-base
  image:
    name: docker.io/lycheeverse/lychee:latest
    name: $CHECK_LINKS_IMAGE
    entrypoint: [""]
  stage: build
  script:
@@ -252,11 +287,11 @@ check-links:
        --exclude-path SECURITY.md \
        --accept '100..=103,200..=299,429,500' \
        $LYCHEE_EXTRA_OPTS \
        *.md
        $CHECK_LINKS_FILES

tbc-check:
  image:
    name: registry.gitlab.com/to-be-continuous/tools/tbc-check:latest
    name: $TBC_CHECK_IMAGE
    entrypoint: [""]
  stage: build
  script:
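Review bot: `$CHECK_LINKS_FILES` is expanded unquoted by the job shell, exactly as the literal `*.md` was, so a pattern like the `docs/**/*.md` suggested in the input description only recurses if that shell has globstar enabled; otherwise `**` behaves like `*` and lychee sees a single directory level. Either document that the value is shell-expanded (several space-separated patterns work, `**` may not) or quote the expansion so lychee performs the glob matching itself. Also, `--exclude-path SECURITY.md` stays hardcoded while the file list is now configurable; consider moving it into the default of `lychee-extra-opts` or documenting it.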