72 lines
2.0 KiB
YAML
72 lines
2.0 KiB
YAML
{{- if .Values.pipeline.enabled }}
|
|
apiVersion: argoproj.io/v1alpha1
|
|
kind: ClusterWorkflowTemplate
|
|
metadata:
|
|
name: {{ .Values.pipeline.name }}
|
|
spec:
|
|
serviceAccountName: {{ .Values.pipeline.serviceAccountName }}
|
|
entrypoint: security-pipeline
|
|
onExit: pipeline-exit-hook
|
|
volumeClaimTemplates:
|
|
- metadata:
|
|
name: workspace
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
resources:
|
|
requests:
|
|
storage: {{ .Values.pipeline.workspace.storage }}
|
|
arguments:
|
|
parameters:
|
|
- name: working-dir
|
|
value: {{ .Values.pipeline.workingDir | quote }}
|
|
- name: fail-on-cvss
|
|
value: {{ .Values.pipeline.failOnCvss | quote }}
|
|
- name: repo-url
|
|
- name: git-revision
|
|
value: {{ .Values.pipeline.gitRevision | quote }}
|
|
templates:
|
|
# Top-level DAG wiring lives here so the workflow flow stays readable.
|
|
- name: security-pipeline
|
|
dag:
|
|
tasks:
|
|
{{ include "template.workflow.security-pipeline.tasks" . | nindent 10 }}
|
|
|
|
# Concrete task implementations stay below.
|
|
- name: clone-repo
|
|
inputs:
|
|
parameters:
|
|
- name: repo-url
|
|
- name: git-revision
|
|
container:
|
|
image: {{ .Values.images.git }}
|
|
command:
|
|
- sh
|
|
- -c
|
|
args:
|
|
- git clone --branch {{ `{{inputs.parameters.git-revision}}` | quote }} --single-branch {{ `{{inputs.parameters.repo-url}}` | quote }} /workspace
|
|
volumeMounts:
|
|
- name: workspace
|
|
mountPath: /workspace
|
|
|
|
- name: parallel-scanners
|
|
inputs:
|
|
parameters:
|
|
- name: working-dir
|
|
dag:
|
|
tasks:
|
|
{{ include "template.workflow.parallel-scanners.tasks" . | nindent 10 }}
|
|
|
|
- name: pipeline-exit-hook
|
|
container:
|
|
image: {{ .Values.images.curl }}
|
|
command:
|
|
- sh
|
|
- -c
|
|
args:
|
|
- |
|
|
set -eu
|
|
echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
|
|
{{ include "template.workflow.named-templates" . | nindent 4 }}
|
|
{{- end }}
|