feat: stage支持质量红线的准入准出 TencentBlueKing#4732 合入master

README.md

@@ -15,8 +15,9 @@ bk-ci是一个免费并开源的CI服务，可助你自动化构建-测试-发
 - 运行测试用例，及时发现BUG
 - 部署与发布
 
-bk-ci提供了流水线、代码库、凭证管理、环境管理、研发商店5大核心服务，多重组合，满足企业不同场景的需求：
+bk-ci提供了流水线、代码检查、代码库、凭证管理、环境管理、研发商店大核心服务，多重组合，满足企业不同场景的需求：
 - **流水线**：将团队现有的研发流程以可视化方式呈现出来，编译、测试、部署，一条流水线搞定
+- **代码检查**：提供专业的代码检查解决方案，检查缺陷、安全漏洞、规范等多种维度代码问题，为产品质量保驾护航。
 - **代码库**：将企业内已有的代码托管服务关联至bk-ci
 - **凭证管理**：为代码库、流水线等服务提供不同类型的凭据、证书管理功能
 - **环境管理**：可以将企业内部的开发编译机托管至bk-ci
@@ -34,6 +35,7 @@ bk-ci提供了流水线、代码库、凭证管理、环境管理、研发商店
 - 分布式: bk-ci可以便捷的管控多台构建机，助你更快的跨多平台构建、测试和部署
 - 流水线插件: bk-ci拥有完善的插件开发体系，其具备了低门槛、灵活可扩展等特性
 - 流水线模板: 流水线模板将是企业内部推行研发规范的一大助力
+- 代码检查规则集：沉淀团队的代码要求，并能跨项目共享和升级
 
 ## Experience
 - [bk-ci in docker](https://hub.docker.com/r/blueking/bk-ci)

README_EN.md

@@ -15,14 +15,16 @@ bk-ci removes all the tedious tasks in R&D process and enables you to focus on c
 - Running test cases to find bugs in time
 - Deployment and release
 
-bk-ci provides five core services, namely Process, Repository, Ticket, Environment and Store. They can be combined in multiple ways to meet business needs in different scenarios.
+bk-ci provides six core services, namely Process, CodeCheck, Repository, Ticket, Environment and Store. They can be combined in multiple ways to meet business needs in different scenarios.
 
 - **Process**: It visualizes current R&D process of the team. One pipeline can handle compilation, testing and deployment.
+- **CodeCheck**：Provide professional code-check solutions to check multiple dimensions of code issues such as defects, security vulnerabilities, code styles, etc., to promote product quality.
 - **Repository**: It links current source code hosting service of the enterprise to bk-ci.
 - **Ticket**: It provides the management of various kinds of tickets and certificates for services like Repository and Process.
 - **Environment**: It can host the internal agents of the enterprise on bk-ci.
 - **Store**: It consists of pipeline plugins and pipeline templates. Plugins are used to integrate with various third-party services of the enterprise and templates help to standardize its internal R&D process.
 
+
 ## Overview
 
 - [Architecture](docs/overview/architecture.en.md)
@@ -37,6 +39,7 @@ bk-ci provides five core services, namely Process, Repository, Ticket, Environme
 - Distributed system: bk-ci can manage multiple agents easily to help you perform cross-platform build, testing and deployment in a faster manner.
 - Pipeline plugins: bk-ci has a complete plugin development system with properties like low barrier to entry and scalability.
 - Pipeline templates: It promotes the standardization of R&D within the enterprise.
+- CodeCheck rule set：accumulate the team's code requirements, and can be shared and upgraded across projects or teams.
 
 ## Experience
 

scripts/bk-ci-install.sh

@@ -105,6 +105,9 @@ install_ci__ms_common (){
     echo "install $BK_CI_SRC_DIR/$f to $BK_CI_HOME."
     rsync -ra "$BK_CI_SRC_DIR/${f%/}" "$BK_CI_HOME"
   done
+  echo "change mode for agent-package dir."
+  find "$BK_CI_HOME/agent-package/" -type d -exec chmod -c a+rx {} \;
+  find "$BK_CI_HOME/agent-package/" -type f -exec chmod -c a+r {} \;
   # 保持微服务部分子目录的强一致性.
   rsync -ra --del "$BK_CI_SRC_DIR/$MS_NAME/lib" "$BK_CI_SRC_DIR/$MS_NAME/com" "$BK_CI_HOME/$MS_NAME"
 }

scripts/bk-ci-reg-paas-app.sh

@@ -7,6 +7,7 @@ on_ERR (){
 }
 
 source ${CTRL_DIR:-/data/install}/load_env.sh
+source ${CTRL_DIR:-/data/install}/bin/04-final/ci.env
 cmd_mysql="mysql -h${BK_PAAS_MYSQL_HOST} -u${BK_PAAS_MYSQL_USER} -P $BK_PAAS_MYSQL_PORT open_paas"
 export MYSQL_PWD=$BK_PAAS_MYSQL_PASSWORD
 

scripts/bk-ci-utils-https.sh

@@ -132,7 +132,7 @@ tip_file_exist "$nginx_ci_conf"
 patt_ssl_config_commented='/^ *# *### ssl config begin ###/,/^ *# *### ssl config end ###/'
 patt_ssl_config_nocomment='/^ *### ssl config begin ###/,/^ *### ssl config end ###/'
 if [ "$target_schema" = https ]; then
-  sed -i "${patt_ssl_config_commented:-^#####}s/^#//" "$nginx_ci_conf"  # 移除注释
+  sed -ri "${patt_ssl_config_commented:-^#####}s/^( *)#/\\1/" "$nginx_ci_conf"  # 移除注释
   nginx_ci_ssl="$BK_CI_SRC_DIR/support-files/templates/gateway#core#devops.ssl"
   sed -e "s@^ssl_certificate .*@ssl_certificate $ci_gateway_cert;@" \
       -e "s@^ssl_certificate_key .*@ssl_certificate_key $ci_gateway_certkey;@" \
@@ -169,6 +169,6 @@ if [ "$target_schema" = https ]; then
 fi
 
 echo "刷新 PaaS 工作台的注册信息."
-$CTRL_DIR/bin/bk-ci-reg-paas-app.sh
+$BK_CI_SRC_DIR/scripts/bk-ci-reg-paas-app.sh
 
 echo "配置 $target_schema 成功. 请检查更新其他env文件中相应的变量."

scripts/bkci-op.sh

@@ -11,8 +11,8 @@ CTRL_DIR=${CTRL_DIR:-/data/install}
 
 dispatch_api_prefix="http://127.0.0.1:21938/api/op/dispatchDocker"
 
-jq_filter_get=".id,.dockerIp,.dockerHostPort,.enable,.capacity,.createTime"
-jq_filter_get_v=".id,.dockerIp,.dockerHostPort,.enable,.grayEnv,.specialOn,.capacity,.usedNum,.averageCpuLoad,.averageMemLoad,.averageDiskLoad,.averageDiskIOLoad,.createTime"
+jq_filter_get=".id,.dockerIp,.dockerHostPort,.enable,.capacity,.createTime,.clusterType"
+jq_filter_get_v=".id,.dockerIp,.dockerHostPort,.enable,.grayEnv,.specialOn,.capacity,.usedNum,.averageCpuLoad,.averageMemLoad,.averageDiskLoad,.averageDiskIOLoad,.createTime,.clusterType"
 
 header_uid="X-DEVOPS-UID: admin"
 header_json="Content-Type: application/json"
@@ -67,23 +67,23 @@ cmd_del (){
   curl_helper "DELETE" "$dispatch_api_prefix/delete/$ip" | pretty_json
 }
 
-usage_cmd_add="$0 add IP enable=true|false [dockerHostPort=21923] [capacity=100]"
-kvpatt_cmd_add="^(dockerHostPort|capacity|enable)="
-json_tpl_cmd_add='[{"dockerIp":"%s","dockerHostPort":%d,"capacity":%d,"enable":%s,"createTime":"%s"}]'
+usage_cmd_add="$0 add IP enable=true|false [dockerHostPort=21923] [capacity=100] [clusterType=COMMON|AGENT_LESS]"
+kvpatt_cmd_add="^(dockerHostPort|capacity|enable|clusterType)="
+json_tpl_cmd_add='[{"dockerIp":"%s","dockerHostPort":%d,"capacity":%d,"enable":%s,"createTime":"%s", "clusterType": "%s"}]'
 cmd_add (){
   local ip=$1
   shift
   [ -z "$ip" -o $# -eq 0 ] && die "Usage: $usage_cmd_add"
   local e=0
-  local _data enable dockerHostPort capacity
+  local _data enable dockerHostPort capacity clusterType
   for kv in "$@"; do
     [[ "$kv" =~ $kvpatt_cmd_add ]] || { tip "unknow kv: kv($kv) does NOT match patt($kvpatt_cmd_add)."; let e++; continue; }
     local $kv
   done
   [ "$enable" = "true" -o "$enable" = "false" ] || die "enable must set to true or false."
   [ $e -gt 0 ] && die "arg parse error. quit."
   printf -v _data "$json_tpl_cmd_add" "$ip" "${dockerHostPort:-21923}" \
-    "${capacity:-100}" "$enable" "$today"
+    "${capacity:-100}" "$enable" "$today" "${clusterType:-COMMON}"
   curl_helper POST "$dispatch_api_prefix/add" -d "$_data" | pretty_json
 }
 

scripts/deploy-codecc/bk-codecc-utils-https.sh

@@ -0,0 +1,171 @@
+#!/bin/bash
+# bk-codecc 启用或禁用https.
+set -eu
+trap "on_ERR;" ERR
+on_ERR (){
+  local fn=$0 ret=$? lineno=${BASH_LINENO:-$LINENO}
+  echo >&2 "ERROR $fn exit with $ret at line $lineno: $(sed -n ${lineno}p $0)."
+}
+
+codecc_env_default="bin/default/codecc.env"
+codecc_env_03="bin/03-userdef/codecc.env"
+codecc_env_04="bin/04-final/codecc.env"
+
+CTRL_DIR="${CTRL_DIR:-/data/install}"
+BK_PKG_SRC_PATH="${BK_PKG_SRC_PATH:-/data/src}"
+bk_cert_source="$BK_PKG_SRC_PATH/cert/bk_domain.crt"
+bk_certkey_source="$BK_PKG_SRC_PATH/cert/bk_domain.key"
+BK_PKG_SRC_PATH=${BK_CODECC_SRC_DIR:-/data/src}
+BK_CODECC_SRC_DIR="${BK_CODECC_SRC_DIR:-$BK_PKG_SRC_PATH/codecc}"  # codecc安装源
+
+ip add | grep -qwf .controller_ip || {
+  echo "本脚本应该在蓝鲸中控机运行."
+  exit 1
+}
+cd "$CTRL_DIR" || {
+  echo "ABORT: failed to cd $CTRL_DIR."
+  exit 1
+}
+
+tip_file_exist (){
+  local m="文件存在" e=0
+  [ -f "$1" ] || { m="文件不存在"; e=1; }
+  echo "$m: $1."
+  return $e
+}
+
+pcmd (){
+  ./pcmd.sh "$@"
+  return $?
+}
+
+check_codecc_env_by_patt (){
+  local patt="$1"
+  local var value patt_failed_var="" e=0
+  shift
+  for var in "$@"; do
+    value="${!var}"
+    echo -n "检查 $var($value) 应匹配正则($patt). "
+    if echo "$value" | grep -Eq "$patt"; then
+      echo "通过"
+    else
+      echo "失败";
+      patt_failed_var="$patt_failed_var|$var";
+      let ++e;
+    fi
+  done
+  if [ $e -gt 0 ]; then
+    echo "本脚本自动修改 $codecc_env_03 后未能生效, 可能如下文件中覆盖了对应变量, 请人工修正."
+    grep -E "^(${patt_failed_var#|})=" ./bin/*/*.env
+    return 1
+  fi
+}
+
+echo "${1:-}" | grep -qxE "https?" || {
+  echo "Usage: $0 https|http -- setup codecc-gateway https mode or fallback to http only."
+  exit 1
+}
+target_schema="$1"
+
+codecc_schema_vars="BK_HTTP_SCHEMA BK_CODECC_PUBLIC_URL BK_CI_PUBLIC_URL"
+
+source "$CTRL_DIR/load_env.sh"
+echo "配置 codecc-gateway 为 $target_schema."
+tip_file_exist "$codecc_env_default"
+tip_file_exist "$codecc_env_03"
+echo "修改env03文件: $codecc_env_03"
+if grep -q "[$]BK_CI_PUBLIC_URL" "$codecc_env_03"; then
+  echo "检查到 \$BK_CI_PUBLIC_URL 变量引用, 自动替换."
+  sed -ri "s@[$]BK_CI_PUBLIC_URL@$BK_CI_PUBLIC_URL@" "$codecc_env_03"  # 替换默认设置的变量引用.
+fi
+patt_codecc_schema_vars="^(${codecc_schema_vars// /|})="
+grep -E "$patt_codecc_schema_vars" "$codecc_env_03"
+if [ "$target_schema" = https ]; then
+  echo "启用https后, 原 HTTP 入口依旧存在, 一般无需回退."
+  sed -ri "/$patt_codecc_schema_vars/{s@\<http\>@https@;s@:80/@:443/@;}" "$codecc_env_03"
+else
+  echo "禁用https后, 如果因浏览器缓存HTTP重定向到https入口, 请清空浏览器站点数据."
+  sed -ri "/$patt_codecc_schema_vars/{s@\<https\>@http@;s@:443/@:80/@;}" "$codecc_env_03"
+fi
+grep -E "$patt_codecc_schema_vars" "$codecc_env_03"
+echo "合并env文件."
+./bin/merge_env.sh codecc >/dev/null || true
+
+echo "加载env文件: $codecc_env_04"
+source "$codecc_env_04" || {
+  echo "ERROR: 加载环境变量失败, 请在蓝鲸中控机执行. 或根据报错修正问题."
+  exit 1
+}
+echo "检查codecc env"
+check_codecc_env_by_patt "^$target_schema\\>" $codecc_schema_vars
+
+if [ "$target_schema" = https ]; then
+  echo "检查证书文件"
+  tip_file_exist "$bk_cert_source"
+  tip_file_exist "$bk_certkey_source"
+  # 基于 BK_CODECC_FQDN 生成证书主体检查模式. 允许通配符.
+  echo "检查证书域名"
+  patt_cert_subject="$(sed -r \
+    -e 's/^([^.]+)(.*)/(Subject: .*CN=|DNS:)([*]|\1)\2/' \
+    -e 's/[.]/[.]/g' <<< "$BK_CODECC_FQDN")"
+  # 需要精确匹配: -w.
+  openssl x509 -text -noout -in "$bk_cert_source" | grep -wE "$patt_cert_subject" || {
+    echo "证书可能有误, 证书文件 $bk_cert_source 中未能匹配到 '$patt_cert_subject'. 证书支持包含的名称如下:"
+    openssl x509 -text -noout -in "$bk_cert_source" | grep -E "^ *(Subject|DNS):"
+    exit 1
+  }
+  echo "同步并安装证书"
+  ./bkcli sync cert
+  ./bkcli install cert
+  echo "检查安装后的证书"
+  codecc_gateway_cert="$BK_HOME/cert/bk_domain.crt"
+  codecc_gateway_certkey="$BK_HOME/cert/bk_domain.key"
+  pcmd -m codecc_gateway "ls -l $codecc_gateway_cert $codecc_gateway_certkey"
+fi
+
+echo "修改 codecc-gateway 模板"
+nginx_codecc_conf="$BK_CODECC_SRC_DIR/support-files/templates/gateway#core#vhosts#codecc.server.conf"
+tip_file_exist "$nginx_codecc_conf"
+patt_ssl_config_commented='/^ *# *### ssl config begin ###/,/^ *# *### ssl config end ###/'
+patt_ssl_config_nocomment='/^ *### ssl config begin ###/,/^ *### ssl config end ###/'
+if [ "$target_schema" = https ]; then
+  sed -ri "${patt_ssl_config_commented:-^#####}s/^( *)#/\\1/" "$nginx_codecc_conf"  # 移除注释
+  nginx_codecc_ssl="$BK_CODECC_SRC_DIR/support-files/templates/gateway#core#devops.ssl"
+  sed -e "s@^ssl_certificate .*@ssl_certificate $codecc_gateway_cert;@" \
+      -e "s@^ssl_certificate_key .*@ssl_certificate_key $codecc_gateway_certkey;@" \
+      support-files/templates/nginx/bk.ssl > "$nginx_codecc_ssl"
+  echo "检查修改结果."
+  sed -n "${patt_ssl_config_nocomment:-^#####}p" "$nginx_codecc_conf" | grep "^ *listen [_A-Z0-9].* ssl;"
+else
+  sed -i "${patt_ssl_config_nocomment:-^#####}s/^/#/" "$nginx_codecc_conf"
+  echo "检查修改结果."
+  sed -n "${patt_ssl_config_commented:-^#####}p" "$nginx_codecc_conf" | grep "^ *# *listen [_A-Z0-9].* ssl;"
+fi
+
+echo "重新配置 codecc-gateway"
+./bkcli sync common
+./bkcli sync codecc
+pcmd -m codecc_gateway 'source ${CTRL_DIR:-/data/install}/load_env.sh; export LAN_IP ${!BK_*}; ${BK_PKG_SRC_PATH:-/data/src}/codecc/scripts/deploy-codecc/bk-codecc-setup.sh gateway'
+
+echo "reload 或 启动服务"
+pcmd -m codecc_gateway 'systemctl reload bk-codecc-gateway || systemctl start bk-codecc-gateway'
+
+if [ "$target_schema" = https ]; then
+  echo "测试全部 codecc_gateway 节点是否能访问本机的 https 服务."
+  curl_cmd="curl -sSvko /dev/null --resolv $BK_CODECC_FQDN:${BK_CODECC_HTTPS_PORT:-443}:127.0.0.1 $BK_CODECC_PUBLIC_URL"
+  if ! pcmd -m codecc_gateway "$curl_cmd 2>&1 | grep -vE '^([><]|[*] Expire)'; exit \${PIPESTATUS[0]}"; then
+    echo "部分或全部节点无法在本机访问 $target_schema 服务, 请排除故障后重试. 或使用本脚本回退到http."
+    exit 1
+  fi
+
+  echo "测试 ci-gateway 节点是否能访问本机的 https 服务."
+  curl_cmd="curl -sSvko /dev/null --resolv $BK_CI_FQDN:${BK_CI_HTTPS_PORT:-443}:127.0.0.1 $BK_CI_PUBLIC_URL"
+  if ! pcmd -m ci_gateway "$curl_cmd 2>&1 | grep -vE '^([><]|[*] Expire)'; exit \${PIPESTATUS[0]}"; then
+    echo "注意: 可能 CI 未启用 $target_schema, 请及时修正."
+  fi
+fi
+
+echo "刷新 ci-nav ."
+${BK_PKG_SRC_PATH:-/data/src}/codecc/scripts/deploy-codecc/bk-codecc-reg-ci-nav.sh
+
+echo "配置 $target_schema 成功. 请检查更新其他env文件中相应的变量."

scripts/deploy-codecc/codecc.properties

@@ -1,4 +1,4 @@
-# ci.env template, generated at 2021-07-13 16:26:30
+# ci.env template, generated at 2021-08-03 22:19:02
 
 ##########
 # 0-依赖声明
@@ -33,6 +33,10 @@ BK_CODECC_FQDN=codecc.$BK_DOMAIN
 BK_CODECC_HOME=$BK_HOME/codecc/
 # BK_CODECC_HOST默认为bk-codecc.service.consul. 无需修改. CODECC在蓝鲸集群内的主机名.
 BK_CODECC_HOST=bk-codecc.service.consul
+# BK_CODECC_HTTPS_PORT默认为443. 无需修改. BK_HTTP_SCHEMA 为https时有效.
+BK_CODECC_HTTPS_PORT=443
+# BK_CODECC_HTTP_PORT默认为80. 无需修改. 集群一般使用http端口互联.
+BK_CODECC_HTTP_PORT=80
 # BK_CODECC_LOGS_DIR默认为$BK_HOME/logs/codecc. 无需修改. CodeCC日志主目录, 各proj会自动创建子目录.
 BK_CODECC_LOGS_DIR=$BK_HOME/logs/codecc
 # BK_CODECC_PRIVATE_URL默认为http://bk-codecc.service.consul. 无需修改. codecc为集群外访问提供的URL. 如修改过端口, 请更新这里.

scripts/deploy-codecc/packager-codecc.sh

@@ -68,6 +68,8 @@ prepare_reports (){
   cp -r "$codecc_pkg_dir/defect" "$codecc_pkg_dir/report"
   echo "copy defect/ to asyncreport/."
   cp -r "$codecc_pkg_dir/defect" "$codecc_pkg_dir/asyncreport"
+  # asyncreport 加载代码需要大量内存.
+  sed -i 's/MEM_OPTS=.*/MEM_OPTS="-Xms512m -Xms2048m"/' "$codecc_pkg_dir/asyncreport/service.env"
 }
 
 packager_codecc (){

src/backend/ci/core/common/common-pipeline/src/main/kotlin/com/tencent/devops/common/pipeline/pojo/element/ElementAdditionalOptions.kt

@@ -59,5 +59,6 @@ enum class RunCondition {
     CUSTOM_VARIABLE_MATCH, // 自定义变量全部满足时运行
     CUSTOM_VARIABLE_MATCH_NOT_RUN, // 自定义变量全部满足时不运行
     CUSTOM_CONDITION_MATCH, // 满足以下自定义条件时运行 [未实现]
-    PARENT_TASK_CANCELED_OR_TIMEOUT // 父任务取消或者超时时才运行
+    PARENT_TASK_CANCELED_OR_TIMEOUT, // 父任务取消或者超时时才运行
+    PARENT_TASK_FINISH // 父任务结束就运行
 }

src/backend/ci/core/common/common-redis/src/main/kotlin/com/tencent/devops/common/redis/RedisLock.kt

@@ -112,7 +112,7 @@ open class RedisLock(
      * @return
      */
     private fun set(key: String, value: String, seconds: Long): String? {
-        val finalLockKey = getFinalLockKey(key)
+        val finalLockKey = redisOperation.getKeyByRedisName(key)
         return redisOperation.execute(RedisCallback { connection ->
             val result =
                 when (val nativeConnection = connection.nativeConnection) {
@@ -139,11 +139,6 @@ open class RedisLock(
         })
     }
 
-    private fun getFinalLockKey(key: String): String {
-        val redisName = redisOperation.getRedisName()
-        return if (!redisName.isNullOrBlank()) "$redisName:$key" else key
-    }
-
     /**
      * 解锁
      * <p>
@@ -159,7 +154,7 @@ open class RedisLock(
 //            logger.info("Start to unlock the key($lockKey) of value($lockValue)")
             return redisOperation.execute(RedisCallback { connection ->
                 val nativeConnection = connection.nativeConnection
-                val finalLockKey = getFinalLockKey(lockKey)
+                val finalLockKey = redisOperation.getKeyByRedisName(lockKey)
                 val keys = arrayOf(finalLockKey.toByteArray())
                 val result =
                     when (nativeConnection) {
@@ -186,7 +181,7 @@ open class RedisLock(
                     }
                 locked = result == 0L
                 result == 1L
-            })
+            }) ?: false
         } else {
             logger.info("It's already unlock")
         }

src/backend/ci/core/common/common-redis/src/main/kotlin/com/tencent/devops/common/redis/RedisLockByValue.kt

@@ -200,7 +200,7 @@ class RedisLockByValue(
                         }
                     }
                 queryResult == 1L
-            })
+            }) ?: false
         }
         return result
     }