feat: support gitlab (#283)

Co-authored-by: Eric Wyles <23637493+ericwyles@users.noreply.github.com>
Co-authored-by: Jordan McClintock <jordan@defenseunicorns.com>
Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
Co-authored-by: Eric Wyles <eric@defenseunicorns.com>

.gitlab-ci.yml

@@ -0,0 +1,58 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+include:
+  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/commitlint@$CI_COMMIT_SHA
+  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/lint@$CI_COMMIT_SHA
+  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/test@$CI_COMMIT_SHA
+    inputs:
+      # if you have additional report artifacts to add to the gitlab
+      # artifact zip file you can add the path here and the entire directory
+      # will be included
+      #reports-path: sample-reports/playwright
+      runs-on: gitlab-runner-4c-${ARCH}
+      flavor: $FLAVOR
+      type: $TYPE
+  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/publish@$CI_COMMIT_SHA
+    inputs:
+      runs-on: gitlab-runner-4c-${ARCH}
+      flavor: $FLAVOR
+      # if you have additional report artifacts to add to the gitlab
+      # artifact zip file you can add the path here and the entire directory
+      # will be included
+      #reports-path: sample-reports/playwright
+
+      # if setting target repo, this will be used directly for the oci publish
+      #target-repo: ${CI_REGISTRY}/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}
+
+      # if you override team here it will be included in the determined target repo
+      # for the oci publish (default is uds)
+      # only used if target-repo is not set
+      #team: my-team
+  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/scorecard@$CI_COMMIT_SHA
+
+test:
+  artifacts:
+    # if you have specific report types that are natively supported by
+    # gitlab you can include those here and they'll be included in addition to the
+    # artifact containing debug logs, oscal, etc.
+    # (e.g. Junit tests, sast reports, etc)
+    # see: https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html
+    # reports:
+    #   junit: sample-reports/junit.xml
+  parallel:
+    matrix:
+      - FLAVOR: [upstream, unicorn]
+        ARCH: [amd64, arm64]
+        TYPE: [install, upgrade]
+      - FLAVOR: [registry1]
+        ARCH: [amd64]
+        TYPE: [install, upgrade]
+
+publish:
+  parallel:
+    matrix:
+      - FLAVOR: [upstream, unicorn]
+        ARCH: [amd64, arm64]
+      - FLAVOR: [registry1]
+        ARCH: [amd64]

release-please-config.json

@@ -12,6 +12,7 @@
       "versioning": "default",
       "extra-files": [
         "bundle/uds-bundle.yaml",
+        "releaser.yaml",
         "tasks.yaml",
         "zarf.yaml"
       ]

releaser.yaml

@@ -0,0 +1,16 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+flavors:
+  - name: upstream
+    # x-release-please-start-version
+    version: 1.1.2
+    # x-release-please-end
+  - name: registry1
+    # x-release-please-start-version
+    version: 1.1.2
+    # x-release-please-end
+  - name: unicorn
+    # x-release-please-start-version
+    version: 1.1.2
+    # x-release-please-end

tasks.yaml

@@ -13,6 +13,12 @@ includes:
   - badge: ./tasks/badge.yaml
   - actions: ./tasks/actions.yaml
 
+variables:
+  - name: VERSION
+    # x-release-please-start-version
+    default: 1.1.2
+    # x-release-please-end
+
 tasks:
   - name: default
     description: Create and deploy the nginx package on a fresh cluster
@@ -150,6 +156,4 @@ tasks:
       - description: Publish the packages
         task: publish:package
         with:
-          # x-release-please-start-version
-          version: 1.1.2
-          # x-release-please-end
+          version: ${VERSION}

tasks/README.md

@@ -110,10 +110,13 @@ There are multiple task files available in this repository with different object
 
 | Name | Description |
 |------|-------------|
+| **authenticate-registries** | Log in to the registries for testing and publishing UDS Packages |
 | **debug-output** | Print debug output from a k8s cluster |
 | **clean-gh-runner** | Cleanup unneeded files to free space on a GitHub runner |
+| **install-deps** | Install the runner dependencies for testing UDS Packages |
 | **save-logs** | Save Pod and Node logs from a cluster and fix permissions |
 | **setup-environment** | Setup the runner environment for testing UDS Packages |
 | **test-deploy** | Test a deployment of a UDS package/bundle |
 | **verify-badge** | Perform verification to assist with UDS badge certification |
 | **determine-arch** | Determine the architecture of the current machine |
+| **registry-login** | Log in to an OCI registry |

tasks/actions.yaml

@@ -8,8 +8,16 @@ variables:
     default: ""
   - name: GH_TOKEN
     default: ""
+  - name: GITLAB_REGISTRY_USER
+    default: ""
+  - name: GITLAB_REGISTRY_URL
+    default: ""
+  - name: GITLAB_REGISTRY_TOKEN
+    default: ""
   - name: CHAINGUARD_IDENTITY
     default: ""
+  - name: CHAINGUARD_TOKEN
+    default: ""
   - name: CHART_PATH
     default: chart/
   - name: GROUP_NAME
@@ -22,6 +30,8 @@ variables:
     default: ""
   - name: OPTIONS
     default: ""
+  - name: LOG_DIR
+    default: /tmp
   - name: GO_VERSION
     default: 1.23.1
 
@@ -32,19 +42,19 @@ tasks:
       - description: Print basic debug info for a k8s cluster
         cmd: |
           echo "::group::kubectl get all"
-          uds zarf tools kubectl get all -A || echo "failed" | tee /tmp/debug-k-get-all.log
+          uds zarf tools kubectl get all -A || echo "failed" | tee ${{ .variables.LOG_DIR }}/debug-k-get-all.log
           echo "::endgroup::"
           echo "::group::kubectl get pv,pvc"
-          uds zarf tools kubectl get pv,pvc -A || echo "failed" | tee /tmp/debug-k-get-pv-pvc.log
+          uds zarf tools kubectl get pv,pvc -A || echo "failed" | tee ${{ .variables.LOG_DIR }}/debug-k-get-pv-pvc.log
           echo "::endgroup::"
           echo "::group::kubectl get package"
-          uds zarf tools kubectl get package -A || echo "failed" | tee /tmp/debug-k-get-package.log
+          uds zarf tools kubectl get package -A || echo "failed" | tee ${{ .variables.LOG_DIR }}/debug-k-get-package.log
           echo "::endgroup::"
           echo "::group::kubectl get events"
-          uds zarf tools kubectl get events -A --sort-by='.lastTimestamp' || echo "failed" | tee /tmp/debug-k-get-events.log
+          uds zarf tools kubectl get events -A --sort-by='.lastTimestamp' || echo "failed" | tee ${{ .variables.LOG_DIR }}/debug-k-get-events.log
           echo "::endgroup::"
           echo "::group::kubectl describe nodes"
-          uds zarf tools kubectl describe nodes k3d-uds-server-0 || echo "failed" | tee /tmp/debug-k-describe-node.log
+          uds zarf tools kubectl describe nodes k3d-uds-server-0 || echo "failed" | tee ${{ .variables.LOG_DIR }}/debug-k-describe-node.log
           echo "::endgroup::"
 
   - name: clean-gh-runner
@@ -70,24 +80,32 @@ tasks:
           CONTAINER_NAME="k3d-uds-server-0"
           if docker ps | grep -q "$CONTAINER_NAME"; then
             echo "Container $CONTAINER_NAME is running. Proceeding with log copy..."
-            docker cp "${CONTAINER_NAME}:/var/log/" /tmp/uds-containerd-logs
+            docker cp "${CONTAINER_NAME}:/var/log/" ${{ .variables.LOG_DIR }}/uds-containerd-logs
           else
             echo "Container $CONTAINER_NAME is not running. Skipping log copy."
           fi
 
       - description: Dump Node Logs
         cmd: |
           docker ps --filter "name=k3d" --format "{{.Names}}" | while read -r line; do
-            docker logs "$line" 2> "/tmp/$line.log"
+            docker logs "$line" 2> "${{ .variables.LOG_DIR }}/$line.log"
           done
 
       - description: Fix log permissions
         cmd: |
-          sudo chown "$USER" /tmp/zarf-*.log || echo ""
-          sudo chown "$USER" /tmp/uds-*.log || echo ""
+          sudo chown "$USER" ${{ .variables.LOG_DIR }}/zarf-*.log || echo ""
+          sudo chown "$USER" ${{ .variables.LOG_DIR }}/uds-*.log || echo ""
 
   - name: setup-environment
     description: Setup the runner environment for testing UDS Packages
+    actions:
+      - description: Install dependencies
+        task: install-deps
+      - description: authenticate to the registries
+        task: authenticate-registries
+
+  - name: install-deps
+    description: Install the runner dependencies for testing UDS Packages
     actions:
       - description: Install k3d
         env:
@@ -107,33 +125,58 @@ tasks:
           "https://github.com/defenseunicorns/lula/releases/download/${LULA_VERSION}/lula_${LULA_VERSION}_$(uname -s)_${{ .variables.ARCH }}" \
           && chmod +x /usr/local/bin/lula
 
+  - name: authenticate-registries
+    description: Log in to the registries for testing and publishing UDS Packages
+    actions:
       - description: Iron Bank Login
         if: ${{ ne .variables.REGISTRY1_USERNAME "" }}
-        cmd: |
-          echo "${{ .variables.REGISTRY1_PASSWORD }}" | ./uds zarf tools registry login -u "${{ .variables.REGISTRY1_USERNAME }}" --password-stdin registry1.dso.mil
+        task: registry-login
+        with:
+          registry: registry1.dso.mil
+          registry_username: ${{ .variables.REGISTRY1_USERNAME }}
+          registry_token: ${{ .variables.REGISTRY1_PASSWORD }}
 
       - description: Chainguard Login
         if: ${{ ne .variables.CHAINGUARD_IDENTITY "" }}
         cmd: |
-          curl -o /usr/local/bin/chainctl -L \
-          "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/aarch64/arm64/')" \
-          && chmod +x /usr/local/bin/chainctl
+          if [ -z "$GITLAB_CI" ]; then
+            curl -o /usr/local/bin/chainctl -L \
+            "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/aarch64/arm64/')" \
+            && chmod +x /usr/local/bin/chainctl
+          fi
+
+          LOGIN_ARGS="--identity \"${{ .variables.CHAINGUARD_IDENTITY }}\""
+          TOKEN=${{ .variables.CHAINGUARD_TOKEN }}
+          if [ -n "$TOKEN" ]; then
+            LOGIN_ARGS="$LOGIN_ARGS --identity-token \"$TOKEN\""
+          fi
 
-          if chainctl auth login --identity "${{ .variables.CHAINGUARD_IDENTITY }}" -v=0; then
+          if eval chainctl auth login "$LOGIN_ARGS" -v=0; then
             echo Logged in as ${{ .variables.CHAINGUARD_IDENTITY }}!
           else
             echo Unable to assume the identity ${{ .variables.CHAINGUARD_IDENTITY }}.
           exit 1
           fi
-          if ! chainctl auth configure-docker --identity "${{ .variables.CHAINGUARD_IDENTITY }}" -v=0; then
+          if ! eval chainctl auth configure-docker "$LOGIN_ARGS" -v=0; then
             echo Unable to register credential helper as ${{ .variables.CHAINGUARD_IDENTITY }}.
             exit 1
           fi
 
-      - description: GHCR Login
+      - description: GHCR Registry Login
         if: ${{ ne .variables.GH_TOKEN "" }}
-        cmd: |
-          echo "${{ .variables.GH_TOKEN }}" | uds zarf tools registry login -u "dummy" --password-stdin ghcr.io
+        task: registry-login
+        with:
+          registry: ghcr.io
+          registry_username: dummy
+          registry_token: ${{ .variables.GH_TOKEN }}
+
+      - description: Gitlab Registry Login
+        if: ${{ ne .variables.GITLAB_REGISTRY_USER "" }}
+        task: registry-login
+        with:
+          registry: ${{ .variables.GITLAB_REGISTRY_URL }}
+          registry_username: ${{ .variables.GITLAB_REGISTRY_USER }}
+          registry_token: ${{ .variables.GITLAB_REGISTRY_TOKEN }}
 
       - description: Package Specific CI Setup
         cmd: |
@@ -179,7 +222,7 @@ tasks:
             --set GROUP_NAME="${{ .variables.GROUP_NAME }}" \
             --set COMMON_ZARF="${{ .variables.COMMON_ZARF }}"
 
-  # Common task
+  # Common tasks
   - name: determine-arch
     description: Determine the architecture of the current machine
     actions:
@@ -191,3 +234,22 @@ tasks:
           darwin: bash
         setVariables:
           - name: ARCH
+
+  - name: registry-login
+    description: Log in to an OCI registry
+    inputs:
+      registry:
+        description: The registry to log in to
+        required: true
+      registry_username:
+        description: The username to log in with
+        required: true
+        default: replace-me
+      registry_token:
+        description: The token to log in with
+        required: true
+    actions:
+      - description: Registry Login
+        cmd: |
+          set -x
+          echo "${{ .inputs.registry_token }}" | ./uds zarf tools registry login -u "${{ .inputs.registry_username }}" --password-stdin "${{ .inputs.registry }}"

tasks/lint.yaml

@@ -112,6 +112,7 @@ tasks:
             fi
           }
 
+          shopt -s nullglob # if nothing matches the glob expand to nothing
           # Lint all scripts in Maru tasks
           for yaml_file in tasks.yaml tasks/*.yaml; do
 
@@ -129,11 +130,13 @@ tasks:
               lint_scripts "$yaml_file" "$raw_scripts"
             fi
           done
+          shopt -u nullglob #reset nullglob behavior
 
           # Lint all .sh files in the current directory
           echo "Processing .sh files..."
           find . -type f -name "*.sh" -exec shellcheck {} +
 
+          shopt -s nullglob # if nothing matches the glob expand to nothing
           # Lint all scripts in GitHub workflows
           for yaml_file in .github/workflows/*.yaml; do
 
@@ -151,6 +154,7 @@ tasks:
               lint_scripts "$yaml_file" "$raw_scripts"
             fi
           done
+          shopt -u nullglob #reset nullglob behavior
 
   - name: license
     description: Lint for the SPDX license identifier being in source files

tasks/publish.yaml

@@ -7,6 +7,8 @@ includes:
 variables:
   - name: FLAVOR
     default: upstream
+  - name: TEAM
+    default: uds
 
 tasks:
   - name: package
@@ -30,7 +32,7 @@ tasks:
     actions:
       - task: utils:determine-repo
         with:
-          team: ${{.inputs.team}}
+          team: ${{.variables.TEAM}}
       - description: Get the current Zarf package name
         cmd: cat ${{ .inputs.path }}/zarf.yaml | ./uds zarf tools yq .metadata.name
         setVariables:

tasks/setup.yaml

@@ -52,7 +52,7 @@ tasks:
   - name: create-doug-user
     description: Creates a user named 'doug' in the uds realm of keycloak (using the default admin account)
     actions:
-      - description: Creating the 'doug' user int he 'uds' realm
+      - description: Creating the 'doug' user in the 'uds' realm
         cmd: |
           KEYCLOAK_ADMIN_PASSWORD=$(./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath='{.data.password}' | base64 -d)
           KEYCLOAK_ADMIN_TOKEN=$(curl -s --location "https://keycloak.admin.uds.dev/realms/master/protocol/openid-connect/token" \

tasks/utils.yaml

@@ -4,6 +4,7 @@
 variables:
   - name: FLAVOR
     default: upstream
+  - name: TARGET_REPO
 
 tasks:
   - name: determine-repo
@@ -22,7 +23,12 @@ tasks:
         description: Whether this is a snapshot release
         default: "false"
     actions:
+      - description: Use existing TARGET_REPO value from variable
+        # if the caller explicitly set a value for TARGET_REPO we'll use it
+        if: ${{ ne .variables.TARGET_REPO "" }}
+        cmd: echo "Using supplied value TARGET_REPO=${TARGET_REPO}"
       - description: Determine repository for the given flavor/type of release
+        if: ${{ eq .variables.TARGET_REPO "" }}
         cmd: |
           repo="${{.inputs.base_repo}}"
           # unicorn flavor = private repository