pipedawg 0.6.0 → 1.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b2e0ba1c718b0efe498f222720490aeb2566a6f5c4e6fb1f0b56e5e9874669a5
4
- data.tar.gz: 5545deb6f783e71bb5b35bb6633aed7939a9ac0e74aefb50200020976c1b6489
3
+ metadata.gz: 9962c4432a04670a43c15dbb1e22c62807b921e1cbe4a83de50b53e014603fc5
4
+ data.tar.gz: 91e25ca901474b36886cc88b3ebd6a0c152c47521124d05025f33ce85ea5d83b
5
5
  SHA512:
6
- metadata.gz: 17fbfd9bb667f808c44e636d7133fa379d115b650102162d35b5e0fd7b6594466493663c7193ef8092d3e55c2480737bbf4e4bf5923260096ae7706200320d04
7
- data.tar.gz: 338192888145922229beba1e38fa3794e2f1d7d4e197987de1b5ae7425df29f2239f47a011846b10df20723d43c93a26d26813755a33d2b193780b0812429f74
6
+ metadata.gz: 672ff4caa57036582d2d5cda45876064cb126794e2e31c380a8042bf5e69de086a2b643f363958cd754230712bc283ab74850c39b6351a78e181ba468f478d97
7
+ data.tar.gz: 3bf61de4b736048a34b089861fa341bce57896e52a947f545576e6157827f8311800ee2a154e29b46ab58e1c2bc01f6ae43bc950204b6b6628017d40404760c5
data/README.md CHANGED
@@ -32,7 +32,6 @@ Example:
32
32
  #!/usr/bin/env ruby
33
33
  # frozen_string_literal: true
34
34
 
35
- # print_pipeline.rb
36
35
  require 'pipedawg'
37
36
 
38
37
  gem_job = Pipedawg::Job.new(
@@ -42,31 +41,32 @@ gem_job = Pipedawg::Job.new(
42
41
  script: ['bundle install', 'gem build *.gemspec']
43
42
  )
44
43
 
45
- kaniko_build_job = Pipedawg::KanikoBuildJob.new(
44
+ kaniko_build_job = Pipedawg::Job::Kaniko::Build.new(
46
45
  'build:kaniko',
47
- {needs: ['build:gem'], retry: 2},
48
- {context:'${CI_PROJECT_DIR}/docker',external_files: {'*.gem':'gems'}}
46
+ needs: ['build:gem'],
47
+ retry: 2,
48
+ context:'${CI_PROJECT_DIR}/docker',
49
+ external_files: {'*.gem':'gems'},
50
+ debug: false
49
51
  )
50
52
 
51
53
  pipeline = Pipedawg::Pipeline.new 'build:image', jobs: [gem_job, kaniko_build_job]
52
54
  puts pipeline.to_yaml
55
+ pipeline.to_yaml_file('/tmp/pipeline.yaml')
53
56
  ```
54
57
 
55
58
  ```console
56
- $ chmod +x print_pipeline.rb
57
- $ ./print_pipeline.rb
59
+ $ cat /tmp/pipeline.yaml
58
60
  ---
59
61
  stages:
60
62
  - '1'
61
63
  - '2'
62
- workflow: {}
63
64
  build:gem:
64
65
  artifacts:
65
66
  - "*.gem"
66
67
  cache: {}
67
68
  image: ruby
68
69
  needs: []
69
- rules: []
70
70
  script:
71
71
  - bundle install
72
72
  - gem build *.gemspec
@@ -75,16 +75,19 @@ build:gem:
75
75
  build:kaniko:
76
76
  artifacts: {}
77
77
  cache: {}
78
+ image:
79
+ entrypoint:
80
+ - ''
81
+ name: gcr.io/kaniko-project/executor:debug
78
82
  needs:
79
83
  - build:gem
80
84
  retry: 2
81
- rules: []
82
85
  script:
83
86
  - echo "{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}"
84
87
  > "/kaniko/.docker/config.json"
85
88
  - cp "*.gem" "${CI_PROJECT_DIR}/docker/gems"
86
89
  - '"/kaniko/executor" --context "${CI_PROJECT_DIR}/docker" --dockerfile "Dockerfile"
87
- --no-push'
90
+ --destination ${CI_REGISTRY_IMAGE}:latest'
88
91
  stage: '2'
89
92
  tags: []
90
93
  ```
@@ -0,0 +1,106 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ class Helm
6
+ # Pipedawg::Job::Helm::Copy class
7
+ class Copy < Job::Helm
8
+ def initialize(name, opts = {})
9
+ opts = {
10
+ chart: name,
11
+ destinations: [{ user: nil, password: nil, url: nil }],
12
+ password: nil, url: nil, user: nil, version: nil
13
+ }.merge(opts)
14
+ super name, opts
15
+ update
16
+ end
17
+
18
+ def update
19
+ opts[:script] = debug + pull + (opts[:destinations].map { |d| push(d) }).flatten(1)
20
+ end
21
+
22
+ private
23
+
24
+ def pull
25
+ case opts[:url]
26
+ when nil
27
+ []
28
+ when %r{^oci://}
29
+ pull_oci
30
+ else
31
+ pull_classic
32
+ end
33
+ end
34
+
35
+ def push(destination)
36
+ case destination[:url]
37
+ when nil
38
+ []
39
+ when %r{^oci://}
40
+ push_oci(destination)
41
+ else
42
+ push_classic(destination)
43
+ end
44
+ end
45
+
46
+ def pull_oci # rubocop:disable Metrics/AbcSize
47
+ script = []
48
+ if opts[:url] && opts[:chart] && opts[:version]
49
+ script = ['export HELM_EXPERIMENTAL_OCI=1']
50
+ script << login_oci(opts) if opts[:user] && opts[:password]
51
+ script << "\"#{opts[:command]}\" pull \"#{opts[:url]}/#{opts[:chart]}\" --version \"#{opts[:version]}\""
52
+ end
53
+ script
54
+ end
55
+
56
+ def push_oci(destination) # rubocop:disable Metrics/AbcSize
57
+ script = []
58
+ if destination[:url] && opts[:chart] && opts[:version]
59
+ script = ['export HELM_EXPERIMENTAL_OCI=1']
60
+ script << login_oci(destination) if destination[:user] && destination[:password]
61
+ script << "\"#{opts[:command]}\" push \"#{opts[:chart]}-#{opts[:version]}.tgz\" \"#{destination[:url]}\""
62
+ end
63
+ script
64
+ end
65
+
66
+ def login_oci(login_opts)
67
+ require 'uri'
68
+ "echo \"#{login_opts[:password]}\" | \"#{opts[:command]}\" registry login --username \"#{login_opts[:user]}\" --password-stdin \"#{URI(login_opts[:url]).host}\"" # rubocop:disable Layout/LineLength
69
+ end
70
+
71
+ def pull_classic # rubocop:disable Metrics/AbcSize
72
+ script = []
73
+ if opts[:url] && opts[:chart] && opts[:version]
74
+ suffix = login_classic(opts)
75
+ script << "\"#{opts[:command]}\" repo add source \"#{opts[:url]}\"#{suffix}"
76
+ script << "\"#{opts[:command]}\" repo update"
77
+ script << "\"#{opts[:command]}\" pull \"source/#{opts[:chart]}\" --version \"#{opts[:version]}\""
78
+ end
79
+ script
80
+ end
81
+
82
+ def push_classic(destination)
83
+ script = []
84
+ if destination[:url] && opts[:chart] && opts[:version]
85
+ script << plugin_classic
86
+ suffix = login_classic(destination)
87
+ script << "\"#{opts[:command]}\" cm-push \"#{opts[:chart]}-#{opts[:version]}.tgz\" \"#{destination[:url]}\"#{suffix}" # rubocop:disable Layout/LineLength
88
+ end
89
+ script
90
+ end
91
+
92
+ def login_classic(login_opts)
93
+ if login_opts[:user] && login_opts[:password]
94
+ " --username \"#{login_opts[:user]}\" --password \"#{login_opts[:password]}\""
95
+ else
96
+ ''
97
+ end
98
+ end
99
+
100
+ def plugin_classic
101
+ "\"#{opts[:command]}\" plugin list | grep -q cm-push || \"#{opts[:command]}\" plugin install https://github.com/chartmuseum/helm-push"
102
+ end
103
+ end
104
+ end
105
+ end
106
+ end
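Review bot: `login_classic` places the registry password on the generated command line (`--password "#{login_opts[:password]}"`), so it ends up in the rendered pipeline YAML, the job log and the process table of the job container, whereas the OCI path in `login_oci` pipes it through `--password-stdin`; the two paths should agree. If the Helm version you target accepts `--password-stdin` for `repo add` and `cm-push`, build the classic suffix the same way `login_oci` does; if it does not, add `# NOTE: classic repos receive the password as a CLI argument, which is visible in job logs and `ps` output — prefer OCI registries for authenticated pushes` above `login_classic`. The `%r{^oci://}` dispatch in `pull` and `push` anchors on line start rather than string start; `%r{\Aoci://}` is the full-string form. `require 'uri'` inside `login_oci` re-runs on every call; moving it to the top of the file next to `# frozen_string_literal: true` is the usual placement.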
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ # Pipedawg::Job::Helm class
6
+ class Helm < Job
7
+ def initialize(name, opts = {})
8
+ opts = {
9
+ command: 'helm',
10
+ image: { entrypoint: [''], name: 'alpine/helm' }
11
+ }.merge(opts)
12
+ super name, opts
13
+ end
14
+ end
15
+ end
16
+ end
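Review bot: The default image `alpine/helm` carries no tag, so every pipeline generated from these defaults resolves to whatever the registry currently labels as latest; the same applies to `quay.io/skopeo/stable:latest` in the Skopeo base class and `gcr.io/kaniko-project/executor:debug` in the Kaniko base class. An unpinned tool image makes the build non-reproducible and is the usual entry point for a supply-chain substitution, so either pin by digest in the default or document the expectation that callers override it. A comment above the `image:` default along the lines of `# NOTE: unpinned tag; override image: with a pinned tag or @sha256 digest for reproducible, auditable builds` would make the trade-off explicit.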
@@ -0,0 +1,98 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ class Kaniko
6
+ # Pipedawg::Job::Kaniko::Build class
7
+ class Build < Job::Kaniko
8
+ def initialize(name, opts = {}) # rubocop:disable Metrics/MethodLength
9
+ opts = {
10
+ build_args: {},
11
+ config: { '$CI_REGISTRY': { username: '$CI_REGISTRY_USER', password: '$CI_REGISTRY_PASSWORD' } },
12
+ config_file: '/kaniko/.docker/config.json', context: '${CI_PROJECT_DIR}',
13
+ destinations: ['${CI_REGISTRY_IMAGE}:latest'], dockerfile: 'Dockerfile', external_files: {}, flags: [],
14
+ ignore_paths: [], insecure_registries: [], options: {}, registry_certificates: {}, registry_mirrors: [],
15
+ skip_tls_verify_registry: [], trusted_ca_cert_source_files: [],
16
+ trusted_ca_cert_target_file: '/kaniko/ssl/certs/ca-certificates.crt'
17
+ }.merge(opts)
18
+ super name, opts
19
+ update
20
+ end
21
+
22
+ def update
23
+ require 'json'
24
+ opts[:script] = debug + config + cert_copies + file_copies + Array(kaniko_cmd)
25
+ end
26
+
27
+ private
28
+
29
+ def config
30
+ ["echo #{opts[:config].to_json.inspect} > \"#{opts[:config_file]}\""]
31
+ end
32
+
33
+ def cert_copies
34
+ Array(opts[:trusted_ca_cert_source_files]).map do |cert|
35
+ "cat \"#{cert}\" >> \"#{opts[:trusted_ca_cert_target_file]}\""
36
+ end
37
+ end
38
+
39
+ def file_copies
40
+ opts[:external_files].map do |source, dest|
41
+ "cp \"#{source}\" \"#{opts[:context]}/#{dest}\""
42
+ end
43
+ end
44
+
45
+ def kaniko_cmd # rubocop:disable Metrics/AbcSize
46
+ ["\"#{opts[:command]}\" --context \"#{opts[:context]}\"",
47
+ "--dockerfile \"#{opts[:dockerfile]}\"", flags, options, build_args,
48
+ ignore_paths, insecure_registries, registry_certificates, registry_mirrors,
49
+ destinations, skip_tls_verify_registries].reject(&:empty?).join(' ')
50
+ end
51
+
52
+ def flags
53
+ flags = opts[:flags].clone
54
+ flags << 'no-push' if opts[:destinations].empty?
55
+ flags.uniq.map { |f| "--#{f}" }.join(' ')
56
+ end
57
+
58
+ def options
59
+ opts[:options].map { |k, v| "--#{k}=\"#{v}\"" }.join(' ')
60
+ end
61
+
62
+ def build_args
63
+ opts[:build_args].map { |k, v| "--build-arg #{k}=\"#{v}\"" }.join(' ')
64
+ end
65
+
66
+ def ignore_paths
67
+ Array(opts[:ignore_paths]).map { |p| "--ignore-path #{p}" }.join(' ')
68
+ end
69
+
70
+ def insecure_registries
71
+ Array(opts[:insecure_registries]).map do |r|
72
+ "--insecure-registry #{r}"
73
+ end.join(' ')
74
+ end
75
+
76
+ def registry_certificates
77
+ opts[:registry_certificates].map do |k, v|
78
+ "--registry-certificate #{k}=\"#{v}\""
79
+ end.join(' ')
80
+ end
81
+
82
+ def registry_mirrors
83
+ Array(opts[:registry_mirrors]).map { |r| "--registry-mirror #{r}" }.join(' ')
84
+ end
85
+
86
+ def destinations
87
+ opts[:destinations].map { |d| "--destination #{d}" }.join(' ')
88
+ end
89
+
90
+ def skip_tls_verify_registries
91
+ Array(opts[:skip_tls_verify_registry]).map do |r|
92
+ "--skip-tls-verify-registry #{r}"
93
+ end.join(' ')
94
+ end
95
+ end
96
+ end
97
+ end
98
+ end
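Review bot: The new default `destinations: ['${CI_REGISTRY_IMAGE}:latest']` reverses the 0.6.0 default, where `destinations: []` made `flags` add `no-push`; a caller that upgrades without passing `destinations:` now pushes to the project registry and overwrites the mutable `latest` tag on every run. Since the README already shows the new behaviour, this deserves a comment at the option, e.g. `# NOTE: pushes to ${CI_REGISTRY_IMAGE}:latest by default; pass destinations: [] for a no-push build (0.6.0 behaviour)`, and a changelog entry. Separately, `kaniko_cmd` quotes `--context` and `--dockerfile` but `destinations`, `ignore_paths`, `insecure_registries`, `registry_mirrors` and `skip_tls_verify_registries` interpolate their values unquoted, so a value containing whitespace splits into extra arguments; `"--destination \"#{d}\""` would match the quoting used elsewhere in the class.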
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ # Pipedawg::Job::Kaniko class
6
+ class Kaniko < Job
7
+ def initialize(name, opts = {})
8
+ opts = {
9
+ command: '/kaniko/executor',
10
+ image: { entrypoint: [''], name: 'gcr.io/kaniko-project/executor:debug' }
11
+ }.merge(opts)
12
+ super name, opts
13
+ end
14
+ end
15
+ end
16
+ end
@@ -0,0 +1,125 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ class Qualys
6
+ # Pipedawg::Job::Qualys::Scan class
7
+ class Scan < Job::Qualys # rubocop:disable Metrics/ClassLength
8
+ def initialize(name, opts = {})
9
+ opts = {
10
+ acceptable_risk: '${QUALYS_ACCEPTABLE_IMAGE_RISK}',
11
+ artifacts: { expire_in: '1 month', paths: ['software.json', 'vulnerabilities.json'], when: 'always' },
12
+ config: { '$CI_REGISTRY': { username: '$CI_REGISTRY_USER', password: '$CI_REGISTRY_PASSWORD' } },
13
+ gateway: '${QUALYS_GATEWAY}', image: nil, password: '${QUALYS_PASSWORD}', rules: nil,
14
+ scan_image: '${QUALYS_IMAGE}', scan_target_prefix: 'qualys_scan_target', tags: nil,
15
+ user: '${QUALYS_USERNAME}', variables: { GIT_STRATEGY: 'clone' }
16
+ }.merge(opts)
17
+ super name, opts
18
+ update
19
+ end
20
+
21
+ def update # rubocop:disable Metrics/AbcSize
22
+ require 'json'
23
+ opts[:script] =
24
+ debug + config + image + clean_config + token + scan_start +
25
+ scan_complete + artifacts + severities + outputs
26
+ end
27
+
28
+ private
29
+
30
+ def debug # rubocop:disable Metrics/MethodLength
31
+ if opts[:debug]
32
+ super + [
33
+ 'echo Qualys settings:', "echo Qualys gateway: \"#{opts[:gateway]}\"",
34
+ "echo Qualys username: \"#{opts[:user]}\"",
35
+ "if [ \"#{opts[:password]}\" != '' ]; then " \
36
+ 'echo Qualys password is not empty; else ' \
37
+ 'echo Qualys password is not set; exit 1; fi'
38
+ ]
39
+ else
40
+ []
41
+ end
42
+ end
43
+
44
+ def config
45
+ ['export CONFIG=$(mktemp -d)', "echo #{opts[:config].to_json.inspect} > \"${CONFIG}/config.json\""]
46
+ end
47
+
48
+ def image
49
+ [
50
+ "image_target=\"#{opts[:scan_target_prefix]}:$(echo #{opts[:scan_image]} | sed 's/^[^/]*\\///'| sed 's/[:/]/-/g')\"", # rubocop:disable Layout/LineLength
51
+ "docker --config=\"${CONFIG}\" pull \"#{opts[:scan_image]}\"",
52
+ "docker image tag \"#{opts[:scan_image]}\" \"${image_target}\"",
53
+ "image_id=$(docker inspect --format=\"{{index .Id}}\" \"#{opts[:scan_image]}\" | cut -c8-19)",
54
+ 'echo "Image ID: ${image_id}"'
55
+ ]
56
+ end
57
+
58
+ def clean_config
59
+ [
60
+ 'rm -f "${CONFIG}/config.json"',
61
+ 'rmdir "${CONFIG}"'
62
+ ]
63
+ end
64
+
65
+ def token
66
+ ["token=$(curl -s --location --request POST \"https://#{opts[:gateway]}/auth\" --header \"Content-Type: application/x-www-form-urlencoded\" --data-urlencode \"username=#{opts[:user]}\" --data-urlencode \"password=#{opts[:password]}\" --data-urlencode \"token=true\")"] # rubocop:disable Layout/LineLength
67
+ end
68
+
69
+ def scan_start
70
+ [
71
+ 'while true; do ' \
72
+ "result=$(curl -s -o /dev/null -w ''%{http_code}'' --location --request GET \"https://#{opts[:gateway]}/csapi/v1.2/images/$image_id\" --header \"Authorization: Bearer $token\"); " + # rubocop:disable Layout/LineLength, Style/FormatStringToken
73
+ 'echo "Waiting for scan to start..."; ' \
74
+ 'echo " Result: ${result}"; ' \
75
+ 'if [ "${result}" = "200" ]; then break; fi; ' \
76
+ 'sleep 10; done'
77
+ ]
78
+ end
79
+
80
+ def scan_complete
81
+ [
82
+ 'while true; do ' \
83
+ "result=$(curl -s --location --request GET \"https://#{opts[:gateway]}/csapi/v1.2/images/$image_id\" --header \"Authorization: Bearer $token\" | jq -r '.scanStatus'); " + # rubocop:disable Layout/LineLength
84
+ 'echo "Waiting for scan to complete..."; ' \
85
+ 'echo " Result: ${result}"; ' \
86
+ 'if [ "${result}" = "SUCCESS" ]; then break; fi; ' \
87
+ 'sleep 10; done; sleep 30'
88
+ ]
89
+ end
90
+
91
+ def artifacts
92
+ [
93
+ "curl -s --location --request GET \"https://#{opts[:gateway]}/csapi/v1.2/images/$image_id/software\" --header \"Authorization: Bearer $token\" | jq . > software.json", # rubocop:disable Layout/LineLength
94
+ "curl -s --location --request GET \"https://#{opts[:gateway]}/csapi/v1.2/images/$image_id/vuln\" --header \"Authorization: Bearer $token\" | jq . > vulnerabilities.json" # rubocop:disable Layout/LineLength
95
+ ]
96
+ end
97
+
98
+ def severities
99
+ [
100
+ "response=$(curl -s --location --request GET \"https://#{opts[:gateway]}/csapi/v1.2/images/$image_id/vuln/count\" --header \"Authorization: Bearer $token\")", # rubocop:disable Layout/LineLength
101
+ 'severity5=$(jq -r ".severity5Count" <<< "${response}")',
102
+ 'severity4=$(jq -r ".severity4Count" <<< "${response}")'
103
+ ]
104
+ end
105
+
106
+ def outputs # rubocop:disable Metrics/MethodLength
107
+ [
108
+ 'if [ "$severity5" = "null" ]; then ' \
109
+ 'echo "ERROR: Wrong ImageID or problem during vulnerabilities count." >&2; ' \
110
+ 'exit 1; fi',
111
+ 'if [ "$severity4" = "null" ]; then ' \
112
+ 'echo "ERROR: Wrong ImageID or problem during vulnerabilities count." >&2; ' \
113
+ 'exit 1; fi',
114
+ 'echo "Severity5: $severity5, Severity4: $severity4"',
115
+ 'risk=$((($severity5*3)+($severity4)))',
116
+ 'echo "Risk: $risk"',
117
+ "if (($risk > \"#{opts[:acceptable_risk]}\")); then " \
118
+ 'echo "Too many vulnerabilities. Severity5: $severity5, Severity4: $severity4" >&2; ' \
119
+ 'exit 1; fi'
120
+ ]
121
+ end
122
+ end
123
+ end
124
+ end
125
+ end
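Review bot: The polling loops in `scan_start` and `scan_complete` are unbounded (`while true; do … sleep 10; done`), so an image the Qualys gateway never reports as `SUCCESS` keeps the job spinning until the runner's global timeout, which also leaves the bearer token obtained in `token` live for that whole period. A bounded counter keeps the failure visible and prompt: open with `'attempts=0; while true; do ' \` and replace the final `'sleep 10; done'` with `'attempts=$((attempts+1)); if [ "$attempts" -ge 180 ]; then echo "Timed out waiting for scan" >&2; exit 1; fi; sleep 10; done'`, with the limit exposed as an option if callers need to tune it. The same edit applies to `scan_complete`, whose loop ends with `'sleep 10; done; sleep 30'`.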
@@ -0,0 +1,12 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ # Pipedawg::Job::Qualys class
6
+ class Qualys < Job
7
+ def initialize(name, opts = {})
8
+ super name, opts
9
+ end
10
+ end
11
+ end
12
+ end
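Review bot: `Qualys#initialize` only forwards `name` and `opts` to `super`, so the override is a no-op; the sibling base classes (`Helm`, `Kaniko`, `Skopeo`) use this slot to set `command:` and `image:` defaults. Either drop the method and keep the class as a pure namespace, or put the Qualys-wide defaults here so `Qualys::Scan#initialize` only carries scan-specific ones; if the empty override is intentional, a one-line comment such as `# no Qualys-wide defaults yet; see Qualys::Scan` would save the next reader the question.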
@@ -0,0 +1,71 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ class Skopeo
6
+ # Pipedawg::Job::Skopeo::Copy class
7
+ class Copy < Job::Skopeo
8
+ def initialize(name, opts = {})
9
+ opts = {
10
+ config: {}, copy_image: name, destinations: [{ copy_image: nil, flags: [], options: {} }], flags: [],
11
+ logins: {}, options: {}, stage: '${CI_PROJECT_DIR}/stage', trusted_ca_cert_source_files: [],
12
+ trusted_ca_cert_target_file: '/etc/docker/certs.d/ca.crt'
13
+ }.merge(opts)
14
+ super name, opts
15
+ update
16
+ end
17
+
18
+ def update # rubocop:disable Metrics/AbcSize
19
+ require 'json'
20
+ opts[:script] = debug + config + cert_copies + login + mkstage + pull + (
21
+ opts[:destinations].map { |d| push(d) }
22
+ ).flatten(1)
23
+ end
24
+
25
+ private
26
+
27
+ def config
28
+ ['export CONFIG=$(mktemp -d)', "echo #{opts[:config].to_json.inspect} > \"${CONFIG}/config.json\""]
29
+ end
30
+
31
+ def cert_copies
32
+ ["mkdir -p $(dirname \"#{opts[:trusted_ca_cert_target_file]}\")"] +
33
+ Array(opts[:trusted_ca_cert_source_files]).map do |cert|
34
+ "cat \"#{cert}\" >> \"#{opts[:trusted_ca_cert_target_file]}\""
35
+ end
36
+ end
37
+
38
+ def login
39
+ opts.fetch(:logins, {}).map do |k, v|
40
+ "echo \"#{v['password']}\" | #{opts[:command]} login --authfile \"${CONFIG}/config.json\" --username \"#{v['username']}\" --password-stdin \"#{k}\"" # rubocop:disable Layout/LineLength
41
+ end
42
+ end
43
+
44
+ def mkstage
45
+ ["mkdir -p \"#{opts[:stage]}\""]
46
+ end
47
+
48
+ def pull
49
+ copy(opts, "docker://#{opts[:copy_image]}", "\"dir://#{opts[:stage]}\"")
50
+ end
51
+
52
+ def push(destination_opts)
53
+ copy(destination_opts, "\"dir://#{opts[:stage]}\"", "docker://#{destination_opts[:copy_image]}")
54
+ end
55
+
56
+ def copy(copy_opts, source, destination)
57
+ Array(["#{opts[:command]} copy --authfile \"${CONFIG}/config.json\"", flags(copy_opts), options(copy_opts),
58
+ source, destination].reject(&:empty?).join(' '))
59
+ end
60
+
61
+ def flags(opts)
62
+ opts.fetch(:flags, []).uniq.map { |f| "--#{f}" }.join(' ')
63
+ end
64
+
65
+ def options(opts)
66
+ opts.fetch(:options, {}).map { |k, v| "--#{k} \"#{v}\"" }.join(' ')
67
+ end
68
+ end
69
+ end
70
+ end
71
+ end
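Review bot: `login` reads `v['username']` and `v['password']` with string keys while every other option in this class and its siblings uses symbol keys (`copy_image:`, `flags:`, `options:`), so a caller who writes `logins: { 'registry.example' => { username: 'u', password: 'p' } }` (constructed example) silently gets `echo "" | skopeo login --username ""` and an authentication failure that is hard to trace. Accept both spellings, `user = v[:username] || v['username']` and `pass = v[:password] || v['password']`, or document the string-key contract at the `logins:` default. The private helpers `flags(opts)` and `options(opts)` name their parameter `opts`, shadowing the `opts` reader used by the rest of the class; `flags(copy_opts)` matches the name already used in `copy`.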
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pipedawg
4
+ class Job
5
+ # Pipedawg::Job::Skopeo class
6
+ class Skopeo < Job
7
+ def initialize(name, opts = {})
8
+ opts = {
9
+ command: 'skopeo',
10
+ image: { entrypoint: [''], name: 'quay.io/skopeo/stable:latest' }
11
+ }.merge(opts)
12
+ super name, opts
13
+ end
14
+ end
15
+ end
16
+ end
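--- a/data/lib/pipedawg/job.rb
+++ b/data/lib/pipedawg/job.rb
@@ -10,6 +10,7 @@ module Pipedawg
 @opts = {
 artifacts: {},
 cache: {},
+debug: true,
 image: { name: 'ruby:2.5' },
 needs: [],
 retry: nil,
@@ -21,7 +22,18 @@ module Pipedawg
 end
 
 def to_hash
-{ "#{name}": opts.compact }
+keys = %i[artifacts cache image needs retry rules script stage tags]
+{ "#{name}": opts.slice(*keys).compact }
+end
+
+private
+
+def debug
+if opts[:debug]
+Pipedawg::Util.echo_proxy_vars
+else
+[]
+end
 end
 end
 end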
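Review bot: The `keys` whitelist in `to_hash` omits `variables`, so the `variables: { GIT_STRATEGY: 'clone' }` default that `Qualys::Scan#initialize` sets never reaches the generated job; in 0.6.0 `to_hash` emitted `opts.compact` in full and `QualysScanJob#update` copied `variables` explicitly, so this is a silent regression for that job. Add it to the list: `keys = %i[artifacts cache image needs retry rules script stage tags variables]`. The new `debug: true` default means `Pipedawg::Util.echo_proxy_vars` runs in every job unless callers opt out; if those echoes print proxy URLs verbatim (the helper is not in this diff, so I cannot confirm), credentials embedded in `http_proxy`-style values would land in job logs, which argues for defaulting to `false` or for a comment at the option stating what gets echoed.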
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Pipedawg
4
- VERSION = '0.6.0'
4
+ VERSION = '1.0.0'
5
5
  end
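--- a/data/lib/pipedawg.rb
+++ b/data/lib/pipedawg.rb
@@ -1,11 +1,15 @@
 # frozen_string_literal: true
 
 require 'pipedawg/job'
-require 'pipedawg/helm_copy_job'
-require 'pipedawg/kaniko_build_job'
+require 'pipedawg/job/helm'
+require 'pipedawg/job/helm/copy'
+require 'pipedawg/job/kaniko'
+require 'pipedawg/job/kaniko/build'
+require 'pipedawg/job/qualys'
+require 'pipedawg/job/qualys/scan'
+require 'pipedawg/job/skopeo'
+require 'pipedawg/job/skopeo/copy'
 require 'pipedawg/pipeline'
-require 'pipedawg/qualys_scan_job'
-require 'pipedawg/skopeo_copy_job'
 require 'pipedawg/util'
 require 'pipedawg/version'
 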
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: pipedawg
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 1.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - harbottle
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-02-24 00:00:00.000000000 Z
11
+ date: 2022-03-23 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Generate GitLab CI pipelines.
14
14
  email:
@@ -20,12 +20,16 @@ files:
20
20
  - LICENSE.txt
21
21
  - README.md
22
22
  - lib/pipedawg.rb
23
- - lib/pipedawg/helm_copy_job.rb
24
23
  - lib/pipedawg/job.rb
25
- - lib/pipedawg/kaniko_build_job.rb
24
+ - lib/pipedawg/job/helm.rb
25
+ - lib/pipedawg/job/helm/copy.rb
26
+ - lib/pipedawg/job/kaniko.rb
27
+ - lib/pipedawg/job/kaniko/build.rb
28
+ - lib/pipedawg/job/qualys.rb
29
+ - lib/pipedawg/job/qualys/scan.rb
30
+ - lib/pipedawg/job/skopeo.rb
31
+ - lib/pipedawg/job/skopeo/copy.rb
26
32
  - lib/pipedawg/pipeline.rb
27
- - lib/pipedawg/qualys_scan_job.rb
28
- - lib/pipedawg/skopeo_copy_job.rb
29
33
  - lib/pipedawg/util.rb
30
34
  - lib/pipedawg/version.rb
31
35
  homepage: https://github.com/liger1978/pipedawg
@@ -1,115 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Pipedawg
4
- # helm_copy_job class
5
- class HelmCopyJob < Job
6
- attr_accessor :helm_opts
7
-
8
- def initialize(name = 'build', opts = {}, helm_opts = {})
9
- @helm_opts = {
10
- chart: name, debug: true,
11
- destinations: [{ user: nil, password: nil, url: nil }],
12
- helm: 'helm',
13
- image: { entrypoint: [''], name: 'alpine/helm' },
14
- password: nil, url: nil, user: nil, version: nil
15
- }.merge(helm_opts)
16
- super name, opts
17
- update
18
- end
19
-
20
- def update # rubocop:disable Metrics/AbcSize
21
- opts[:image] = helm_opts[:image] if helm_opts[:image]
22
- opts[:script] = debug + pull + (helm_opts[:destinations].map { |d| push(d) }).flatten(1)
23
- end
24
-
25
- private
26
-
27
- def debug
28
- if helm_opts[:debug]
29
- Pipedawg::Util.echo_proxy_vars
30
- else
31
- []
32
- end
33
- end
34
-
35
- def pull
36
- case helm_opts[:url]
37
- when nil
38
- []
39
- when %r{^oci://}
40
- pull_oci
41
- else
42
- pull_classic
43
- end
44
- end
45
-
46
- def push(destination)
47
- case destination[:url]
48
- when nil
49
- []
50
- when %r{^oci://}
51
- push_oci(destination)
52
- else
53
- push_classic(destination)
54
- end
55
- end
56
-
57
- def pull_oci # rubocop:disable Metrics/AbcSize
58
- script = []
59
- if helm_opts[:url] && helm_opts[:chart] && helm_opts[:version]
60
- script = ['export HELM_EXPERIMENTAL_OCI=1']
61
- script << login_oci(helm_opts) if helm_opts[:user] && helm_opts[:password]
62
- script << "\"#{helm_opts[:helm]}\" pull \"#{helm_opts[:url]}/#{helm_opts[:chart]}\" --version \"#{helm_opts[:version]}\"" # rubocop:disable Layout/LineLength
63
- end
64
- script
65
- end
66
-
67
- def push_oci(destination) # rubocop:disable Metrics/AbcSize
68
- script = []
69
- if destination[:url] && helm_opts[:chart] && helm_opts[:version]
70
- script = ['export HELM_EXPERIMENTAL_OCI=1']
71
- script << login_oci(destination) if destination[:user] && destination[:password]
72
- script << "\"#{helm_opts[:helm]}\" push \"#{helm_opts[:chart]}-#{helm_opts[:version]}.tgz\" \"#{destination[:url]}\"" # rubocop:disable Layout/LineLength
73
- end
74
- script
75
- end
76
-
77
- def login_oci(login_opts)
78
- require 'uri'
79
- "echo \"#{login_opts[:password]}\" | \"#{helm_opts[:helm]}\" registry login --username \"#{login_opts[:user]}\" --password-stdin \"#{URI(login_opts[:url]).host}\"" # rubocop:disable Layout/LineLength
80
- end
81
-
82
- def pull_classic # rubocop:disable Metrics/AbcSize
83
- script = []
84
- if helm_opts[:url] && helm_opts[:chart] && helm_opts[:version]
85
- suffix = login_classic(helm_opts)
86
- script << "\"#{helm_opts[:helm]}\" repo add source \"#{helm_opts[:url]}\"#{suffix}"
87
- script << "\"#{helm_opts[:helm]}\" repo update"
88
- script << "\"#{helm_opts[:helm]}\" pull \"source/#{helm_opts[:chart]}\" --version \"#{helm_opts[:version]}\""
89
- end
90
- script
91
- end
92
-
93
- def push_classic(destination)
94
- script = []
95
- if destination[:url] && helm_opts[:chart] && helm_opts[:version]
96
- script << plugin_classic
97
- suffix = login_classic(destination)
98
- script << "\"#{helm_opts[:helm]}\" cm-push \"#{helm_opts[:chart]}-#{helm_opts[:version]}.tgz\" \"#{destination[:url]}\"#{suffix}" # rubocop:disable Layout/LineLength
99
- end
100
- script
101
- end
102
-
103
- def login_classic(login_opts)
104
- if login_opts[:user] && login_opts[:password]
105
- " --username \"#{login_opts[:user]}\" --password \"#{login_opts[:password]}\""
106
- else
107
- ''
108
- end
109
- end
110
-
111
- def plugin_classic
112
- "\"#{helm_opts[:helm]}\" plugin list | grep -q cm-push || \"#{helm_opts[:helm]}\" plugin install https://github.com/chartmuseum/helm-push"
113
- end
114
- end
115
- end
@@ -1,108 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Pipedawg
4
- # kaniko_build_job class
5
- class KanikoBuildJob < Job
6
- attr_accessor :kaniko_opts
7
-
8
- def initialize(name = 'build', opts = {}, kaniko_opts = {}) # rubocop:disable Metrics/MethodLength
9
- @kaniko_opts = {
10
- build_args: {},
11
- config: {
12
- '$CI_REGISTRY': { username: '$CI_REGISTRY_USER', password: '$CI_REGISTRY_PASSWORD' }
13
- },
14
- config_file: '/kaniko/.docker/config.json', context: '${CI_PROJECT_DIR}', debug: true,
15
- destinations: [], dockerfile: 'Dockerfile', executor: '/kaniko/executor', external_files: {},
16
- flags: [], ignore_paths: [], insecure_registries: [],
17
- image: { entrypoint: [''], name: 'gcr.io/kaniko-project/executor:debug' }, options: {},
18
- registry_certificates: {}, registry_mirrors: [], skip_tls_verify_registry: [],
19
- trusted_ca_cert_source_files: [], trusted_ca_cert_target_file: '/kaniko/ssl/certs/ca-certificates.crt'
20
- }.merge(kaniko_opts)
21
- super name, opts
22
- update
23
- end
24
-
25
- def update # rubocop:disable Metrics/AbcSize
26
- require 'json'
27
- opts[:image] = kaniko_opts[:image] if kaniko_opts[:image]
28
- opts[:script] = debug + config + cert_copies + file_copies + Array(kaniko_cmd)
29
- end
30
-
31
- private
32
-
33
- def debug
34
- if kaniko_opts[:debug]
35
- Pipedawg::Util.echo_proxy_vars
36
- else
37
- []
38
- end
39
- end
40
-
41
- def config
42
- ["echo #{kaniko_opts[:config].to_json.inspect} > \"#{kaniko_opts[:config_file]}\""]
43
- end
44
-
45
- def cert_copies
46
- Array(kaniko_opts[:trusted_ca_cert_source_files]).map do |cert|
47
- "cat \"#{cert}\" >> \"#{kaniko_opts[:trusted_ca_cert_target_file]}\""
48
- end
49
- end
50
-
51
- def file_copies
52
- kaniko_opts[:external_files].map do |source, dest|
53
- "cp \"#{source}\" \"#{kaniko_opts[:context]}/#{dest}\""
54
- end
55
- end
56
-
57
- def kaniko_cmd # rubocop:disable Metrics/AbcSize
58
- ["\"#{kaniko_opts[:executor]}\" --context \"#{kaniko_opts[:context]}\"",
59
- "--dockerfile \"#{kaniko_opts[:dockerfile]}\"", flags, options, build_args,
60
- ignore_paths, insecure_registries, registry_certificates, registry_mirrors,
61
- destinations, skip_tls_verify_registries].reject(&:empty?).join(' ')
62
- end
63
-
64
- def flags
65
- flags = kaniko_opts[:flags].clone
66
- flags << 'no-push' if kaniko_opts[:destinations].empty?
67
- flags.uniq.map { |f| "--#{f}" }.join(' ')
68
- end
69
-
70
- def options
71
- kaniko_opts[:options].map { |k, v| "--#{k}=\"#{v}\"" }.join(' ')
72
- end
73
-
74
- def build_args
75
- kaniko_opts[:build_args].map { |k, v| "--build-arg #{k}=\"#{v}\"" }.join(' ')
76
- end
77
-
78
- def ignore_paths
79
- Array(kaniko_opts[:ignore_paths]).map { |p| "--ignore-path #{p}" }.join(' ')
80
- end
81
-
82
- def insecure_registries
83
- Array(kaniko_opts[:insecure_registries]).map do |r|
84
- "--insecure-registry #{r}"
85
- end.join(' ')
86
- end
87
-
88
- def registry_certificates
89
- kaniko_opts[:registry_certificates].map do |k, v|
90
- "--registry-certificate #{k}=\"#{v}\""
91
- end.join(' ')
92
- end
93
-
94
- def registry_mirrors
95
- Array(kaniko_opts[:registry_mirrors]).map { |r| "--registry-mirror #{r}" }.join(' ')
96
- end
97
-
98
- def destinations
99
- kaniko_opts[:destinations].map { |d| "--destination #{d}" }.join(' ')
100
- end
101
-
102
- def skip_tls_verify_registries
103
- Array(kaniko_opts[:skip_tls_verify_registry]).map do |r|
104
- "--skip-tls-verify-registry #{r}"
105
- end.join(' ')
106
- end
107
- end
108
- end
@@ -1,127 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Pipedawg
4
- # qualys_scan_job class
5
- class QualysScanJob < Job # rubocop:disable Metrics/ClassLength
6
- attr_accessor :qualys_opts
7
-
8
- def initialize(name = 'build', opts = {}, qualys_opts = {})
9
- @qualys_opts = {
10
- acceptable_risk: '${QUALYS_ACCEPTABLE_IMAGE_RISK}',
11
- artifacts: { expire_in: '1 month', paths: ['software.json', 'vulnerabilities.json'], when: 'always' },
12
- config: { '$CI_REGISTRY': { username: '$CI_REGISTRY_USER', password: '$CI_REGISTRY_PASSWORD' } },
13
- debug: true, gateway: '${QUALYS_GATEWAY}', image: nil, password: '${QUALYS_PASSWORD}', rules: nil,
14
- scan_image: '${QUALYS_IMAGE}', scan_target_prefix: 'qualys_scan_target', tags: nil, user: '${QUALYS_USERNAME}',
15
- variables: { GIT_STRATEGY: 'clone' }
16
- }.merge(qualys_opts)
17
- super name, opts
18
- update
19
- end
20
-
21
- def update # rubocop:disable Metrics/AbcSize
22
- require 'json'
23
- opts[:artifacts] = qualys_opts[:artifacts] if qualys_opts[:artifacts]
24
- opts[:image] = qualys_opts[:image]
25
- opts[:rules] = qualys_opts[:rules] if qualys_opts[:rules]
26
- opts[:tags] = qualys_opts[:tags] if qualys_opts[:tags]
27
- opts[:variables] = qualys_opts[:variables] if qualys_opts[:variables]
28
- opts[:script] =
29
- debug + config + image + clean_config + token + scan_start + scan_complete + artifacts + severities + outputs
30
- end
31
-
32
- private
33
-
34
- def debug # rubocop:disable Metrics/MethodLength
35
- if qualys_opts[:debug]
36
- Pipedawg::Util.echo_proxy_vars + [
37
- 'echo Qualys settings:', "echo Qualys gateway: \"#{qualys_opts[:gateway]}\"",
38
- "echo Qualys username: \"#{qualys_opts[:user]}\"",
39
- "if [ \"#{qualys_opts[:password]}\" != '' ]; then " \
40
- 'echo Qualys password is not empty; else ' \
41
- 'echo Qualys password is not set; exit 1; fi'
42
- ]
43
- else
44
- []
45
- end
46
- end
47
-
48
- def config
49
- ['export CONFIG=$(mktemp -d)', "echo #{qualys_opts[:config].to_json.inspect} > \"${CONFIG}/config.json\""]
50
- end
51
-
52
- def image
53
- [
54
- "image_target=\"#{qualys_opts[:scan_target_prefix]}:$(echo #{qualys_opts[:scan_image]} | sed 's/^[^/]*\\///'| sed 's/[:/]/-/g')\"", # rubocop:disable Layout/LineLength
55
- "docker --config=\"${CONFIG}\" pull \"#{qualys_opts[:scan_image]}\"",
56
- "docker image tag \"#{qualys_opts[:scan_image]}\" \"${image_target}\"",
57
- "image_id=$(docker inspect --format=\"{{index .Id}}\" \"#{qualys_opts[:scan_image]}\" | cut -c8-19)",
58
- 'echo "Image ID: ${image_id}"'
59
- ]
60
- end
61
-
62
- def clean_config
63
- [
64
- 'rm -f "${CONFIG}/config.json"',
65
- 'rmdir "${CONFIG}"'
66
- ]
67
- end
68
-
69
- def token
70
- ["token=$(curl -s --location --request POST \"https://#{qualys_opts[:gateway]}/auth\" --header \"Content-Type: application/x-www-form-urlencoded\" --data-urlencode \"username=#{qualys_opts[:user]}\" --data-urlencode \"password=#{qualys_opts[:password]}\" --data-urlencode \"token=true\")"] # rubocop:disable Layout/LineLength
71
- end
72
-
73
- def scan_start
74
- [
75
- 'while true; do ' \
76
- "result=$(curl -s -o /dev/null -w ''%{http_code}'' --location --request GET \"https://#{qualys_opts[:gateway]}/csapi/v1.2/images/$image_id\" --header \"Authorization: Bearer $token\"); " + # rubocop:disable Layout/LineLength, Style/FormatStringToken
77
- 'echo "Waiting for scan to start..."; ' \
78
- 'echo " Result: ${result}"; ' \
79
- 'if [ "${result}" = "200" ]; then break; fi; ' \
80
- 'sleep 10; done'
81
- ]
82
- end
83
-
84
- def scan_complete
85
- [
86
- 'while true; do ' \
87
- "result=$(curl -s --location --request GET \"https://#{qualys_opts[:gateway]}/csapi/v1.2/images/$image_id\" --header \"Authorization: Bearer $token\" | jq -r '.scanStatus'); " + # rubocop:disable Layout/LineLength
88
- 'echo "Waiting for scan to complete..."; ' \
89
- 'echo " Result: ${result}"; ' \
90
- 'if [ "${result}" = "SUCCESS" ]; then break; fi; ' \
91
- 'sleep 10; done; sleep 30'
92
- ]
93
- end
94
-
95
- def artifacts
96
- [
97
- "curl -s --location --request GET \"https://#{qualys_opts[:gateway]}/csapi/v1.2/images/$image_id/software\" --header \"Authorization: Bearer $token\" | jq . > software.json", # rubocop:disable Layout/LineLength
98
- "curl -s --location --request GET \"https://#{qualys_opts[:gateway]}/csapi/v1.2/images/$image_id/vuln\" --header \"Authorization: Bearer $token\" | jq . > vulnerabilities.json" # rubocop:disable Layout/LineLength
99
- ]
100
- end
101
-
102
- def severities
103
- [
104
- "response=$(curl -s --location --request GET \"https://#{qualys_opts[:gateway]}/csapi/v1.2/images/$image_id/vuln/count\" --header \"Authorization: Bearer $token\")", # rubocop:disable Layout/LineLength
105
- 'severity5=$(jq -r ".severity5Count" <<< "${response}")',
106
- 'severity4=$(jq -r ".severity4Count" <<< "${response}")'
107
- ]
108
- end
109
-
110
- def outputs # rubocop:disable Metrics/MethodLength
111
- [
112
- 'if [ "$severity5" = "null" ]; then ' \
113
- 'echo "ERROR: Wrong ImageID or problem during vulnerabilities count." >&2; ' \
114
- 'exit 1; fi',
115
- 'if [ "$severity4" = "null" ]; then ' \
116
- 'echo "ERROR: Wrong ImageID or problem during vulnerabilities count." >&2; ' \
117
- 'exit 1; fi',
118
- 'echo "Severity5: $severity5, Severity4: $severity4"',
119
- 'risk=$((($severity5*3)+($severity4)))',
120
- 'echo "Risk: $risk"',
121
- "if (($risk > \"#{qualys_opts[:acceptable_risk]}\")); then " \
122
- 'echo "Too many vulnerabilities. Severity5: $severity5, Severity4: $severity4" >&2; ' \
123
- 'exit 1; fi'
124
- ]
125
- end
126
- end
127
- end
@@ -1,81 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Pipedawg
4
- # skopeo_copy_job class
5
- class SkopeoCopyJob < Job
6
- attr_accessor :skopeo_opts
7
-
8
- def initialize(name = 'build', opts = {}, skopeo_opts = {})
9
- @skopeo_opts = {
10
- config: { '$CI_REGISTRY': { username: '$CI_REGISTRY_USER', password: '$CI_REGISTRY_PASSWORD' } },
11
- copy_image: nil, debug: true, destinations: [{ copy_image: nil, flags: [], options: {} }],
12
- flags: [], logins: {}, options: {}, skopeo: 'skopeo', stage: '${CI_PROJECT_DIR}/stage',
13
- image: { entrypoint: [''], name: 'quay.io/skopeo/stable:latest' },
14
- trusted_ca_cert_source_files: [], trusted_ca_cert_target_file: '/etc/docker/certs.d/ca.crt'
15
- }.merge(skopeo_opts)
16
- super name, opts
17
- update
18
- end
19
-
20
- def update # rubocop:disable Metrics/AbcSize
21
- require 'json'
22
- opts[:image] = skopeo_opts[:image] if skopeo_opts[:image]
23
- opts[:rules] = skopeo_opts[:rules] if skopeo_opts[:rules]
24
- opts[:script] = debug + config + cert_copies + login + mkstage + pull + (
25
- skopeo_opts[:destinations].map { |d| push(d) }
26
- ).flatten(1)
27
- end
28
-
29
- private
30
-
31
- def debug
32
- if skopeo_opts[:debug]
33
- Pipedawg::Util.echo_proxy_vars
34
- else
35
- []
36
- end
37
- end
38
-
39
- def config
40
- ['export CONFIG=$(mktemp -d)', "echo #{skopeo_opts[:config].to_json.inspect} > \"${CONFIG}/config.json\""]
41
- end
42
-
43
- def cert_copies
44
- ["mkdir -p $(dirname \"#{skopeo_opts[:trusted_ca_cert_target_file]}\")"] +
45
- Array(skopeo_opts[:trusted_ca_cert_source_files]).map do |cert|
46
- "cat \"#{cert}\" >> \"#{skopeo_opts[:trusted_ca_cert_target_file]}\""
47
- end
48
- end
49
-
50
- def login
51
- skopeo_opts.fetch(:logins, {}).map do |k, v|
52
- "echo \"#{v['password']}\" | #{skopeo_opts[:skopeo]} login --authfile \"${CONFIG}/config.json\" --username \"#{v['username']}\" --password-stdin \"#{k}\"" # rubocop:disable Layout/LineLength
53
- end
54
- end
55
-
56
- def mkstage
57
- ["mkdir -p \"#{skopeo_opts[:stage]}\""]
58
- end
59
-
60
- def pull
61
- copy(skopeo_opts, "docker://#{skopeo_opts[:copy_image]}", "\"dir://#{skopeo_opts[:stage]}\"")
62
- end
63
-
64
- def push(destination_opts)
65
- copy(destination_opts, "\"dir://#{skopeo_opts[:stage]}\"", "docker://#{destination_opts[:copy_image]}")
66
- end
67
-
68
- def copy(opts, source, destination)
69
- Array(["#{skopeo_opts[:skopeo]} copy --authfile \"${CONFIG}/config.json\"", flags(opts), options(opts), source,
70
- destination].reject(&:empty?).join(' '))
71
- end
72
-
73
- def flags(opts)
74
- opts.fetch(:flags, []).uniq.map { |f| "--#{f}" }.join(' ')
75
- end
76
-
77
- def options(opts)
78
- opts.fetch(:options, {}).map { |k, v| "--#{k} \"#{v}\"" }.join(' ')
79
- end
80
- end
81
- end