Merge branch 'master' into centos8

.gitlab/ci/startx-library.sh

@@ -271,6 +271,50 @@ function DoImagePushImage {
     fi
 }
 
+# Execute a cosign on the image
+function DoImageSignImage {
+    echo "INFO: Signing image $1"
+    local image=${1:-"quay.io/startx/fedora:latest"}
+    local keyfile=${SXDI_COSIGN_KEY_FILE:-"/tmp/cosign.key"}
+    if [ "$SXDI_COSIGN_KEY_RAW64" != "" ]; then
+        if [ "$SX_DEBUG" != "false" ]; then
+            echo "DEBUG: Found SXDI_COSIGN_KEY_RAW64 environment, generating key file ${keyfile}"
+        fi
+        echo "${SXDI_COSIGN_KEY_RAW64}" | base64 -d > "${keyfile}"
+        chmod u+rw "${keyfile}" &> /dev/null
+        chmod go-rwx "${keyfile}" &> /dev/null
+    fi
+    if [ -f "$keyfile" ]; then
+        if [ "$SX_DEBUG" != "false" ]; then
+            echo "DEBUG: Found ${keyfile} cosign key"
+        fi
+    fi
+    if cosign version &> /dev/null
+    then
+        if [ "$SX_DEBUG" != "false" ]; then
+            echo "DEBUG: Signing image is possible because cosign is found"
+        fi
+        if [[ "$DOCKER_USER" != "" && "$DOCKER_PASS" != "" ]]; then
+            echo "DEBUG: Cosign login to registry docker.io with user ${DOCKER_USER}"
+            cosign login docker.io -u "$DOCKER_USER" -p "$DOCKER_PASS" 
+        fi
+        if [[ "$QUAY_USER" != "" && "$QUAY_PASS" != "" ]]; then
+            echo "DEBUG: Cosign login to registry quay.io with user ${QUAY_USER}"
+            cosign login quay.io -u "$QUAY_USER" -p "$QUAY_PASS" 
+        fi
+        if [[ "$CI_REGISTRY" != "" && "$CI_REGISTRY_USER" != "" ]]; then
+            echo "DEBUG: Cosign login to registry ${CI_REGISTRY} with user ${CI_REGISTRY_USER}"
+            cosign login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" 
+        fi
+        echo "INFO: Signing image ${image}"
+        cosign sign --key "${keyfile}" "${image}"
+    else
+        if [ "$SX_DEBUG" != "false" ]; then
+            echo "DEBUG: Signing image is not possible because cosign is not found"
+        fi
+    fi
+}
+
 # Set the tag according the the gitlab environment variables
 function DoSetImagetagFromGitlab {
     local isLatest="${1:-no}"

.gitlab/ci/startx-library.yaml

@@ -33,6 +33,23 @@ image: "quay.io/startx/runner-bash:alpine3"
     - DoImageBuildPublish "quay.io/startx/${SXDI_QUAYNAME}:${SXDI_TAG}" startx_"${SXDI_DOCKERNAME}"_"${SXDI_TAG}"
     - DoImageBuildPublish "${CI_REGISTRY}/startx1/containers/${SXDI_QUAYNAME}:${SXDI_TAG}" startx_"${SXDI_DOCKERNAME}"_"${SXDI_TAG}"
 
+# Library used to sign images in remotes repo
+.build-image-sign-latest:
+  variables:
+    SXDI_PATH: 'OS' # default to OS image
+    SXDI_DOCKERNAME: 'fedora' # image name in docker.io registry
+    SXDI_QUAYNAME: 'fedora' # image name in quay.io registry
+    SXDI_ENGINE: docker
+  image: registry.gitlab.com/jitesoft/dockerfiles/cosign:latest
+  stage: build
+  before_script: 
+    - "source .gitlab/ci/startx-library.sh"
+  script:
+    - DoSetImagetagFromGitlab yes
+    - DoImageSignImage "docker.io/startx/${SXDI_DOCKERNAME}:${SXDI_TAG}"
+    - DoImageSignImage "quay.io/startx/${SXDI_QUAYNAME}:${SXDI_TAG}" 
+    - DoImageSignImage "${CI_REGISTRY}/startx1/containers/${SXDI_QUAYNAME}:${SXDI_TAG}"
+
 .build-image:
   variables:
     SXDI_PATH: 'OS' # default to OS image
@@ -56,6 +73,23 @@ image: "quay.io/startx/runner-bash:alpine3"
     - DoImageBuildPublish "quay.io/startx/${SXDI_QUAYNAME}:${SXDI_TAG}" startx_"${SXDI_DOCKERNAME}"_"${SXDI_TAG}"
     - DoImageBuildPublish "${CI_REGISTRY}/startx1/containers/${SXDI_QUAYNAME}:${SXDI_TAG}" startx_"${SXDI_DOCKERNAME}"_"${SXDI_TAG}"
 
+.build-image-sign:
+  variables:
+    SXDI_PATH: 'OS' # default to OS image
+    SXDI_DOCKERNAME: 'fedora' # image name in docker.io registry
+    SXDI_QUAYNAME: 'fedora' # image name in quay.io registry
+    SXDI_TAG: ${CI_COMMIT_BRANCH:-latest} # image tag name
+    SXDI_ENGINE: docker
+  image: registry.gitlab.com/jitesoft/dockerfiles/cosign:latest
+  stage: build
+  before_script: 
+    - "source .gitlab/ci/startx-library.sh"
+  script:
+    - DoSetImagetagFromGitlab
+    - DoImageSignImage "docker.io/startx/${SXDI_DOCKERNAME}:${SXDI_TAG}"
+    - DoImageSignImage "quay.io/startx/${SXDI_QUAYNAME}:${SXDI_TAG}" 
+    - DoImageSignImage "${CI_REGISTRY}/startx1/containers/${SXDI_QUAYNAME}:${SXDI_TAG}"
+
 # Library used to merge branch in a local repo
 .git-merge:
   variables:

.gitlab/ci/step-build-application.yaml

@@ -14,6 +14,19 @@ build-application-phpmyadmin-latest:
     SXDI_ENGINE: docker
   only:
     - master
+build-application-phpmyadmin-latest-sign:
+  stage: "build Application"
+  extends: .build-image-sign-latest
+  needs: 
+    - "build-application-phpmyadmin-latest"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "Applications/phpmyadmin"
+    SXDI_DOCKERNAME: "app-phpmyadmin"
+    SXDI_QUAYNAME: "phpmyadmin"
+    SXDI_ENGINE: docker
+  only:
+    - master
 build-application-phpmyadmin:
   stage: "build Application"
   extends: .build-image
@@ -35,17 +48,29 @@ build-application-phpmyadmin:
     - fc35
     - fc34
     - fc33
-    - fc32
-    - fc31
-    - fc30
-    - fc29
-    - fc28
-    - fc27
-    - fc26
-    - fc25
-    - fc24
-    - fc23
-    - fc22
+build-application-phpmyadmin-sign:
+  stage: "build Application"
+  extends: .build-image-sign
+  needs: 
+    - "build-application-phpmyadmin"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "Applications/phpmyadmin"
+    SXDI_DOCKERNAME: "app-phpmyadmin"
+    SXDI_QUAYNAME: "phpmyadmin"
+    SXDI_ENGINE: docker
+  only:
+    - alma
+    - rocky
+    - centos8
+    - centos7
+    - centos6
+    - alpine
+    - ubi8
+    - fc36
+    - fc35
+    - fc34
+    - fc33
 
 # Build the ocp-reliability application image
 build-application-ocp-reliability-latest:
@@ -59,6 +84,19 @@ build-application-ocp-reliability-latest:
     SXDI_ENGINE: docker
   only:
     - master
+build-application-ocp-reliability-latest-sign:
+  stage: "build Application"
+  extends: .build-image-sign-latest
+  needs: 
+    - "build-application-ocp-reliability-latest"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "Applications/ocp-reliability"
+    SXDI_DOCKERNAME: "app-ocp-reliability"
+    SXDI_QUAYNAME: "ocp-reliability"
+    SXDI_ENGINE: docker
+  only:
+    - master
 build-application-ocp-reliability:
   stage: "build Application"
   extends: .build-image
@@ -78,3 +116,24 @@ build-application-ocp-reliability:
     - ubi8
     - fc36
     - fc35
+build-application-ocp-reliability-sign:
+  stage: "build Application"
+  extends: .build-image-sign
+  needs: 
+    - "build-application-ocp-reliability"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "Applications/ocp-reliability"
+    SXDI_DOCKERNAME: "app-ocp-reliability"
+    SXDI_QUAYNAME: "ocp-reliability"
+    SXDI_ENGINE: docker
+  only:
+    - alma
+    - rocky
+    - centos8
+    - centos7
+    - centos6
+    - alpine
+    - ubi8
+    - fc36
+    - fc35

.gitlab/ci/step-build-basic.yaml

@@ -13,6 +13,18 @@ build-apache-latest:
     SXDI_ENGINE: docker
   only:
     - master
+build-apache-latest-sign:
+  stage: "build basic"
+  extends: .build-image-sign-latest
+  needs: 
+    - "build-apache-latest"
+  variables:
+    SXDI_PATH: "Services/apache"
+    SXDI_DOCKERNAME: "sv-apache"
+    SXDI_QUAYNAME: "apache"
+    SXDI_ENGINE: docker
+  only:
+    - master
 build-apache:
   stage: "build basic"
   extends: .build-image
@@ -46,6 +58,28 @@ build-apache:
     - fc22
     - fc21
     - fc20
+build-apache-sign:
+  stage: "build basic"
+  extends: .build-image-sign
+  needs: 
+    - "build-apache"
+  variables:
+    SXDI_PATH: "Services/apache"
+    SXDI_DOCKERNAME: "sv-apache"
+    SXDI_QUAYNAME: "apache"
+    SXDI_ENGINE: docker
+  only:
+    - centos8
+    - centos7
+    - centos6
+    - alma
+    - rocky
+    - alpine
+    - ubi8
+    - fc36
+    - fc35
+    - fc34
+    - fc33
 
 # Build the nodejs image
 build-nodejs-latest:
@@ -59,6 +93,19 @@ build-nodejs-latest:
     SXDI_ENGINE: docker
   only:
     - master
+build-nodejs-latest-sign:
+  stage: "build basic"
+  extends: .build-image-sign-latest
+  needs: 
+    - "build-nodejs-latest"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "Services/nodejs"
+    SXDI_DOCKERNAME: "sv-nodejs"
+    SXDI_QUAYNAME: "nodejs"
+    SXDI_ENGINE: docker
+  only:
+    - master
 build-nodejs:
   stage: "build basic"
   extends: .build-image
@@ -93,6 +140,29 @@ build-nodejs:
     - fc22
     - fc21
     - fc20
+build-nodejs-sign:
+  stage: "build basic"
+  extends: .build-image-sign
+  needs: 
+    - "build-nodejs"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "Services/nodejs"
+    SXDI_DOCKERNAME: "sv-nodejs"
+    SXDI_QUAYNAME: "nodejs"
+    SXDI_ENGINE: docker
+  only:
+    - centos8
+    - centos7
+    - centos6
+    - alma
+    - rocky
+    - alpine
+    - ubi8
+    - fc36
+    - fc35
+    - fc34
+    - fc33
 
 # Build the bash gitlab-runner image
 build-runner-bash-latest:
@@ -106,6 +176,19 @@ build-runner-bash-latest:
     SXDI_ENGINE: docker
   only:
     - master
+build-runner-bash-latest-sign:
+  stage: "build basic"
+  extends: .build-image-sign-latest
+  needs: 
+    - "build-runner-bash-latest"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "GitlabRunner/bash"
+    SXDI_DOCKERNAME: "runner-bash"
+    SXDI_QUAYNAME: "runner-bash"
+    SXDI_ENGINE: docker
+  only:
+    - master
 build-runner-bash:
   stage: "build basic"
   extends: .build-image
@@ -133,3 +216,25 @@ build-runner-bash:
     - fc28
     - fc27
     - fc26
+build-runner-bash-sign:
+  stage: "build basic"
+  extends: .build-image-sign
+  needs: 
+    - "build-runner-bash"
+  allow_failure: true
+  variables:
+    SXDI_PATH: "GitlabRunner/bash"
+    SXDI_DOCKERNAME: "runner-bash"
+    SXDI_QUAYNAME: "runner-bash"
+    SXDI_ENGINE: docker
+  only:
+    - centos8
+    - centos7
+    - alma
+    - rocky
+    - alpine
+    - ubi8
+    - fc36
+    - fc35
+    - fc34
+    - fc33