The GitLab CI/CD pipeline comprises several jobs across multiple stages, each serving a specific purpose towards the overall goal:
Quality Stage: Contains the hadolint job, which ensures that syntax and best practices are adhered to in the Dockerfile.
Get-Version Stage: The getsquid_vars job retrieves the latest version number of Squid and saves it as an environment variable. It then pushes the updated README to the master branch.
Docker-hub-build (arm/amd64) Stage: The docker-hub-build-* jobs are responsible for building Docker images for the ARM and AMD64 platforms respectively, and for pushing these builds to Docker Hub.
Docker-hub-test (arm/amd64) Stage: These jobs test the Docker images built in the previous stage. The Docker image is started, and a curl command checks whether the Squid proxy is working.
Docker-hub-pushtag (arm/amd64) Stage: In these jobs (push-docker-hub-*), the Docker images are tagged with the Squid version number and architecture name and are then pushed to Docker Hub.
Test Stage: Three jobs, Dive, SquidParseConfig and Dive-arm, analyze the Docker image to check for size efficiency and to check that the Squid configuration file parses correctly.
Docs Stage: Two jobs; chatgpt_analysis generates a detailed explanation of the CI/CD pipeline, and update_dockerhub_readme updates the Docker Hub README with the latest content from the repository.
In the Quality stage, hadolint is used to ensure that Dockerfile best practices and syntax are followed. This is performed using the Hadolint Docker image, which runs over the Dockerfile and flags any issues according to Dockerfile best practices.

    hadolint:
      image: hadolint/hadolint:latest-debian
      stage: Quality
      before_script:
        - cd $CI_PROJECT_DIR
      script:
        # DL3008 (pin versions in apt-get install) is deliberately ignored here
        - hadolint --ignore DL3008 Dockerfile

In the getsquid_vars job, an HTTPS request is made to a static GitHub page which always redirects to the latest Squid release. The version number is extracted by cutting the required string out of the response and is passed to a new environment variable, SQUID_VERSION. This environment variable is essential for the entire pipeline, as it determines the naming and tagging of the Docker images.
If this job fails, the pipeline will stop, as the SAST jobs depend on this job.
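The following shell functions are an added example, not the pipeline's own getsquid_vars job: they show the version-extraction step with a validation check before the value is exported for later stages. They assume the redirect target is a GitHub release-tag URL whose last path component is the Squid tag (for example .../releases/tag/SQUID_6_9); the function names and the sample Location value are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not the pipeline's own getsquid_vars job. Assumes the
# "latest release" URL redirects to a GitHub release-tag URL whose last path
# component is the Squid tag (e.g. .../releases/tag/SQUID_6_9). The sample
# Location value at the bottom is constructed.
set -eu

# Turn a redirect target into a version string ("6.9"). Prints nothing and
# returns 1 if the target is not a well-formed Squid release tag, so a broken
# redirect (error page, empty path, unexpected characters) never reaches
# docker build --build-arg or docker tag.
squid_version_from_location() {
  tag="${1##*/}"                 # last path component, i.e. the release tag
  tag="${tag%%[[:space:]]*}"     # drop a trailing CR/LF from a raw header
  case "$tag" in
    SQUID_[0-9]*) ;;             # expected shape: SQUID_<major>_<minor>[_<patch>]
    *) return 1 ;;
  esac
  version=$(printf '%s' "${tag#SQUID_}" | tr '_' '.')
  # Only digits and dots may end up in SQUID_VERSION, which later becomes a
  # build argument and part of the image tag (<version>-arm / <version>-amd64).
  printf '%s' "$version" | grep -Eq '^[0-9]+(\.[0-9]+){1,2}$' || return 1
  printf '%s\n' "$version"
}

# Emit the variable as a dotenv line; saved as a dotenv report artifact it is
# available to every later stage of the pipeline.
squid_version_dotenv() {
  v=$(squid_version_from_location "$1") || return 1
  printf 'SQUID_VERSION=%s\n' "$v"
}

# Network step (not exercised in the stand-alone run): read only the Location
# header of the redirect instead of following it. The URL is whatever the
# pipeline uses; it is not given on this page.
resolve_latest_location() {
  curl -fsSI "$1" | tr -d '\r' |
    awk 'tolower($1) == "location:" { loc = $2 } END { print loc }'
}

# Constructed sample redirect target for a stand-alone run.
SAMPLE_LOCATION='https://github.com/squid-cache/squid/releases/tag/SQUID_6_9'
squid_version_dotenv "$SAMPLE_LOCATION"   # SQUID_VERSION=6.9
```

In the job itself the dotenv line would be written to a file declared under artifacts:reports:dotenv so that the build, test and tag stages read the same validated value.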
The purpose of the docker-hub-build-* jobs is to build Docker images for the Squid application, for both the ARM and AMD64 platforms, in a Docker-in-Docker environment (docker:dind). The Dockerfile is executed with the docker build command, and the resulting image is then pushed to Docker Hub using the docker push command.
This stage depends heavily on the environment variable SQUID_VERSION, which is passed to the docker build command as a build argument.
This stage tests the Docker images just built. For instance, docker-hub-test runs a fresh container from the Docker image built for the AMD64 platform and runs a curl command against it to determine whether Squid is functioning correctly. The job is expected to fail if this validation check does not pass, preventing any further deployment of a broken image.
In this stage, the Docker images are tagged with their respective architecture names (SQUID_VERSION-arm / SQUID_VERSION-amd64) and are then pushed to Docker Hub. If the previous stages have not completed successfully, these jobs will not run.
In the dive and dive-arm jobs, Dive is used to explore the individual layers of a Docker image, showing what is present at each layer and providing an efficiency score. This allows unnecessary bloat in Docker images to be diagnosed and helps fine-tune their size.
This final stage is responsible for generating a detailed explanation of the GitLab pipeline and updating Docker Hub with the latest README. The chatgpt_analysis job makes an API call with all the pipeline details as input to generate a markdown document containing an in-depth explanation of the pipeline. The update_dockerhub_readme job pulls the latest README.md file from the Git repository and makes a PATCH request to Docker Hub to update the full description of the repository.
This commit automatically updates the README with the most recent Squid version number. The skip ci flag in the commit message ensures that this change does not trigger another pipeline. This updated README.md file is then used in the final stage for the Docker Hub full description update.