Image Builder (Gitlab CI/CD)
The image builder template builds the following images and pushes them to any Docker registry:
- backend
- frontend
- documentation
- guacamole
Please add the following section to your `.gitlab-ci.yml`:

```yaml
include:
  - remote: https://raw.githubusercontent.com/DSD-DBS/capella-collab-manager/${CAPELLA_COLLABORATION_MANAGER_REVISION}/ci-templates/gitlab/image-builder.yml
```
The built images are tagged with the revision they were built with (e.g., when running for `main` the tag would be `:main`). All characters matching the regex `[^a-za-z0-9.]` are replaced with `-`.
You have to add the following environment variables on repository level. Make sure to enable the "Expand variable reference" flag.

- `PRIVATE_GPG_PATH`: Path to the private GPG key used to decrypt the `secret.docker.json` file (more about this file below)
- Variables specifying how to name each image:
  - `FRONTEND_IMAGE_NAME` (defaults to `capella/collab/frontend`)
  - `BACKEND_IMAGE_NAME` (defaults to `capella/collab/backend`)
  - `DOCS_IMAGE_NAME` (defaults to `capella/collab/docs`)
  - `GUACAMOLE_IMAGE_NAME` (defaults to `capella/collab/guacamole`)
In addition you can adjust the following variables when running a pipeline:

- Variables specifying whether to build an image (default to `1`):
  - `FRONTEND`: Build the frontend image?
  - `BACKEND`: Build the backend image?
  - `DOCS`: Build the docs image?
  - `GUACAMOLE`: Build the guacamole image?
- `TARGET`: The target for which you want to build the images (more information on why this is important below)
This is the (minimal) configuration. For more advanced configuration options, please refer to the image-builder Gitlab template.
Docker SOPS File
We make use of Mozilla SOPS files to store secrets used in the image builder template. Therefore you need to have a directory `$TARGET` for each target with a `secret.docker.json` inside. You can create the `secret.docker.json` by running the following command:

```sh
sops -e --output ./<target>/secret.docker.json input.json
```

The `input.json` in this command is a placeholder for your own input file, which should have the following structure:

```json
{
  "registry_unencrypted": "<registry>",
  "username_unencrypted": "<username>",
  "password": "<unencrypted password>"
}
```
Verify that you can open the secret file with `sops ./<target>/secret.docker.json`. When it works, delete the `input.json`!
In addition, you will need a `.sops.yaml` at the root level having the following structure:

```yaml
creation_rules:
  - path_regex: .*
    key_groups:
      - pgp:
          - <GPG fingerprint>
```
Any time you update the `.sops.yaml` (i.e., adding or removing a fingerprint) you will have to run `sops updatekeys ./<target>/secret.docker.json` to ensure that only authorized persons can decrypt the secret file.
Lastly, please ensure that your Gitlab runner's GPG fingerprint is present in the `.sops.yaml` such that it can use the secret values.