.gitlab-ci.yml

image: node:8.12.0-stretch

variables:
  # AUTO_DEVOPS_DOMAIN is the application deployment domain and should be set as a variable at the group or project level.
  # AUTO_DEVOPS_DOMAIN: domain.example.com
  BRANCH_WEB_WALLET: $BRANCH_WEB_WALLET
  BUILDPACK_URL: https://github.com/heroku/heroku-buildpack-nodejs

  POSTGRES_USER: user
  POSTGRES_PASSWORD: testing-password
  POSTGRES_ENABLED: "true"
  POSTGRES_DB: $CI_ENVIRONMENT_SLUG

  KUBERNETES_VERSION: 1.8.6
  HELM_VERSION: 2.6.1

  DOCKER_DRIVER: overlay2

stages:
  - build
  - test
  - review
  #- dast
  - staging
  - production
  - release
  - cleanup

hybrixd:
  cache: {}
  stage: build
  image: docker:stable-git
  services:
  - docker:stable-dind
  script:
    # prepare variable for DEBUG purposes
    - if [[ "$DEBUG_ENABLED" == "1"  ]]; then DEBUG="-debug"; else DEBUG=""; fi
    - "if [[ \"$DEBUG_ENABLED\" == \"1\"  ]]; then echo \"DEBUG_ENABLED is 1: debug-mode\"; else echo \"release-mode\"; fi"

    # install unzip
    - apk update
    - apk add npm
    - apk add python
    - apk add rsync

    # trying to get past error: could not get uid/gid [ 'nobody', 0 ]
    - npm config set unsafe-perm true

    - npm install -g jsdoc

    - ls ~

    - npm install xmldoc
    - npm install node@8.12.0
    - apk add unzip
    - apk add curl
    - apk add jq


    - WORKING_DIR=$PWD
    - echo $PWD

    # trigger pipeline common
    # - "curl --request POST --form \"token=$CI_JOB_TOKEN\" --form ref=master https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Fcommon/trigger/pipeline"

    # download [common] artifact
    - "curl --location --header \"JOB-TOKEN: $CI_JOB_TOKEN\" \"https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Fcommon/jobs/artifacts/master/download?job=common\" -o artifacts-common.zip"

    # remove link to common and unzip the downloaded artifact to the directory (|| true --> on error, no problem)
    - rm -rf  common || true
    - unzip -q -o artifacts-common.zip -d common/

    # remove the zip-file (|| true --> on error, no problem)
    - rm -rf  artifacts-common.zip || true

    # download [interface] artifact
    - "curl --location --header \"JOB-TOKEN: $CI_JOB_TOKEN\" \"https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Finterface/jobs/artifacts/master/download?job=interface${DEBUG}\" -o artifacts-interface.zip"

    # remove link to interface
    - rm -rf  interface || true

    # get content of interface/lib for generation of documentation
    - cd ..
    - git clone -n https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/hybrix/hybrixd/interface.git --depth 1
    - cd interface
    - git checkout origin/master -- lib/hybrixdNode.js
    - git checkout origin/master -- lib/interface.js
    - cd ..
    - cd node

    # unzip the downloaded artifact to the directory (|| true --> on error, no problem)
    - unzip -q -o artifacts-interface.zip -d ./interface/

    # remove the zip-file (|| true --> on error, no problem)
    - rm -rf  artifacts-interface.zip || true

    # download [deterministic] artifact
    # TODO: REMOVE LINE BELOW, UNCOMMENT THIS ONE:- "curl --location --header \"JOB-TOKEN: $CI_JOB_TOKEN\" \"https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Fclient%2Fmodules%2Fdeterministic/jobs/artifacts/master/download?job=deterministic\" -o artifacts-deterministic.zip"
    - "curl --location --header \"JOB-TOKEN: $CI_JOB_TOKEN\" \"https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Fclient%2Fmodules%2Fdeterministic/jobs/169447811/artifacts\" -o artifacts-deterministic.zip"


    # unzip the downloaded artifact to the directory (|| true --> on error, no problem) (consider the artifact is packed as /modules/name/filename.lzma)
    - unzip -q -o artifacts-deterministic.zip -d artifacts-deterministic/
    #- rm -rf ./dist/modules/deterministic
    - rm -rf ./modules/deterministic
    #- cp -rf artifacts-deterministic/ ./dist/modules/deterministic/
    - cp -rf artifacts-deterministic/ ./modules/deterministic/

    # remove the unzipped-files and the zip-file (|| true --> on error, no problem)
    - rm -rf  artifacts-deterministic || true
    - rm -rf  artifacts-deterministic.zip || true

    # download [web-wallet] (not the latest) artifact
    #- "echo \"Download the artifact for the web-wallet from branch: BRANCH_WEB_WALLET = $BRANCH_WEB_WALLET\""
    - BRANCH_WEB_WALLET=master
    - "curl --location --header \"JOB-TOKEN: $CI_JOB_TOKEN\" \"https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Fclient%2Fimplementations%2Fweb-wallet/jobs/artifacts/$BRANCH_WEB_WALLET/download?job=web-wallet\" -o artifacts-web-wallet.zip"

    # run the build-script of the hybrixd-node
    - ./scripts/npm/compile.sh

    - ls ./dist

    # workaround to get the latest artifact
    #- PROJECT_REF_SLUG=hybrix%2Fhybrixd%2Fclient%2Fimplementations%2Fweb-wallet
    #- PROJECT_REF_PATH=hybrix/hybrixd/client/implementations/web-wallet
    #- PROJECT_REF_NAME=web-wallet
    #- PROJECT_REF_BRANCH=master

    # view the first 2 pages
    #- "RESPONSE1=$(curl --header \"Private-Token: $PRIVATE_TOKEN\" --silent \"https://gitlab.com/api/v4/projects/${PROJECT_REF_SLUG}/jobs?scope=success&page=1\")"
    #- "RESPONSE2=$(curl --header \"Private-Token: $PRIVATE_TOKEN\" --silent \"https://gitlab.com/api/v4/projects/${PROJECT_REF_SLUG}/jobs?scope=success&page=2\")"
    #- "BUILD_JOB_ID1=$(echo \"${RESPONSE1}\" | jq -r 'first(.[] | select(.name == \"web-wallet\" and .ref == \"master\")) | .id')"
    #- "BUILD_JOB_ID2=$(echo \"${RESPONSE2}\" | jq -r 'first(.[] | select(.name == \"web-wallet\" and .ref == \"master\")) | .id')"
    #- if [[ "$BUILD_JOB_ID1" == ""  ]]; then BUILD_JOB_ID=$BUILD_JOB_ID2; else BUILD_JOB_ID=$BUILD_JOB_ID1; fi

    #- "echo \"Downloading the artifact from: https://gitlab.com/${PROJECT_REF_PATH}/-/jobs/${BUILD_JOB_ID}/artifacts/download\""

    #- "curl --location --header \"Private-Token: $PRIVATE_TOKEN\" \"https://gitlab.com/${PROJECT_REF_PATH}/-/jobs/${BUILD_JOB_ID}/artifacts/download\" -o artifacts-${PROJECT_REF_NAME}.zip"
    #- "curl --location --header \"Private-Token: $PRIVATE_TOKEN\" \"https://gitlab.com/api/v4/projects/${PROJECT_REF_SLUG}/jobs/${BUILD_JOB_ID}/artifacts\" -o artifacts-${PROJECT_REF_NAME}.zip"

    # unzip the downloaded artifact to the directory
    - rm -rf ./dist/modules/web-wallet
    - mkdir -p ./dist/modules/web-wallet
    - chmod 755 ./dist/modules/web-wallet
    - unzip -q -o artifacts-web-wallet.zip -d ./dist/modules/web-wallet/

    #- mkdir -p ./dist/modules/web-wallet
    #- cp -rf artifacts-web-wallet/ ./dist/modules/web-wallet/

    - ls ./dist/modules/web-wallet
    - ls ./dist/modules/web-wallet/files
    - ls ./dist/modules/web-wallet/files/doc

    # remove the unzipped-files and the zip-file (|| true --> on error, no problem)
    - rm -rf  artifacts-web-wallet || true
    - rm -rf  artifacts-web-wallet.zip || true

    # remove .git files from artifact
    - rm -rf ./.git* || true

    - cd $WORKING_DIR
    - ls -l
    - ls ./dist

    # create a .version file
    - timestamp=$(date -u '+%Y-%m-%dT%H:%M:%S+00:00')
    - if [[ "$DEBUG_ENABLED" == "1"  ]]; then mode=debug; else mode=release; fi
    - npmlist=$(npm list --only=prod --depth=0 -json)

    #- set +e
    #- npmaudit=$(npm audit -json)
    #- set -e #, \"npm-audit\":${npmaudit}

    - echo "{\"${CI_PROJECT_PATH_SLUG}\":{\"mode\":\"${mode}\", \"project_path\":\"${CI_PROJECT_PATH}\", \"commit_ref_name\":\"${CI_COMMIT_REF_NAME}\", \"commit_ref_slug\":\"${CI_COMMIT_REF_SLUG}\", \"commit_sha\":\"${CI_COMMIT_SHA}\", \"pipeline_url\":\"${CI_PIPELINE_URL}\", \"packaged\":\"${timestamp}\", \"npm-list\":${npmlist}}}" > .version

    # concatenate all .version files in the package
    - "find . -name \".version\" -print | xargs cat | tr '\n' ' ' | sed 's:} {:,:g' > dist/versions.json"

    # prettify json in .versions
    - echo "const util = require('util'); const fs = require('fs'); var obj = JSON.parse(fs.readFileSync('dist/versions.json', 'utf8')); const fs_writeFile = util.promisify(fs.writeFile); const fs_readFile = util.promisify(fs.readFile); fs_writeFile('dist/versions.json', JSON.stringify(obj, null, 4));" > .prettify.js
    - node .prettify.js

    # don't remove .version-files
    - rm -rf .version

    # clean up and prepare the artifacts (instead of having a dist)
    - mv ./dist /tmp
    - rm -rf ./*
    - mv /tmp/dist/* ./

    # remove all files starting with a .
    - find -name ".*" -type f -delete
    - setup_docker
    - build
  artifacts:
    paths:
    - ./

test:
  cache: {}
  services:
    - postgres:latest
  variables:
    POSTGRES_DB: test
  stage: test
  image: gliderlabs/herokuish:latest
  script:
    - setup_test_db

    # download chromedriver
    - "curl --location \"https://chromedriver.storage.googleapis.com/2.43/chromedriver_linux64.zip\" -o chromedriver_linux64.zip"

    # sample JUnit test-result xml-file
    #- "echo \"<?xml version=\"1.0\" encoding=\"UTF-8\" ?><testsuites id=\"20181025_140519\" name=\"Sample (25/10/18 14:05:19)\" tests=\"225\" failures=\"1262\" time=\"0.001\"><testsuite id=\"testsuite.example\" name=\"COBOL Code Review\" tests=\"45\" failures=\"17\" time=\"0.001\">   <testcase id=\"testcase.example\" name=\"Use a program name that matches the source file name\" time=\"0.001\">            <failure message=\"PROGRAM:2 Use a program name that matches the source file name\" type=\"WARNING\">WARNING: Use a program name that matches the source file name blablabla</failure></testcase></testsuite></testsuites>\" > test-sample.xml"
    - "echo \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" ?><testsuites id=\\\"20181025_140519\\\" name=\\\"Sample (25/10/18 14:05:19)\\\" tests=\\\"225\\\" failures=\\\"1262\\\" time=\\\"0.001\\\"><testsuite id=\\\"testsuite.example\\\" name=\\\"COBOL Code Review\\\" tests=\\\"45\\\" failures=\\\"17\\\" time=\\\"0.001\\\">   <testcase id=\\\"testcase.example\\\" name=\\\"Use a program name that matches the source file name\\\" time=\\\"0.001\\\">            <failure message=\\\"PROGRAM:2 Use a program name that matches the source file name\\\" type=\\\"WARNING\\\">WARNING: Use a program name that matches the source file name blablabla</failure></testcase></testsuite></testsuites>\" > test-sample.xml"

    # unzip chromedriver
    - unzip -o chromedriver_linux64.zip -d /usr/bin/google-chrome/
    - cp -R . /tmp/app
    - /bin/herokuish buildpack test

    # install unzip
    - apt-get update
    - apt-get -y install git
    - apt-get -y install tar
    - apt-get -y install npm
    - npm install n -g
    - n 8.12.0

    # trying to get past error: could not get uid/gid [ 'nobody', 0 ]
    #- npm config set unsafe-perm true

    #- npm install -g jsdoc
    #- npm install xmldoc
    #- apk add unzip
    #- apk add curl
    #- apk add nodejs=8.11.4-r0

    #- git clone -n https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/hybrix/hybrixd/dependencies/nodejs.git --depth 1
    #- cd nodejs
    #- git checkout origin/master -- x86_64
    #- cd ..

    # retrieve test.js from hybrix/hybrixd/interface
    # https://gitlab.com/gitlab-org/gitlab-ce/issues/29566
    # https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html
    # unfortunately simple things didn't work:
    #- "curl --request GET --header \"JOB-TOKEN: $CI_JOB_TOKEN\" \"https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Finterface/repository/files/test%2Ftest%2Ejs/raw?ref=master\" -o test/test.js"
    #- git archive --format=tar --remote=git://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/hybrix/hybrixd/interface.git HEAD:test test.js | tar -x
    - mkdir -p test
    - mkdir -p repos
    - cd repos
    - git clone -n https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/hybrix/hybrixd/interface.git --depth 1
    - cd interface
    - git checkout origin/master -- test/test.js
    - mv test/test.js ../../test/test.js
    - cd ../../

    # script is written for dist, so search and replace
    - sed -i -e s:../dist/:../interface/:g ./test/test.js
    - ./hybrixd > /dev/null 2>&1 &
    - sleep 20s
    #- ./hybrixd /version/details
    - cd test

    #- node ./test.js --debug
    - node ./test.js

  coverage: /SUCCESS RATE[^|]*\:[^|]*\s+([\d\.]+)/
  except:
   refs:
     #- /^v.*release$/
     - /^Issue.*$/
     - /^issue.*$/
     - tags
  only:
    variables:
      - $TEST_ENABLED
  artifacts:
    reports:
      junit: test*.xml

review:
  cache: {}
  image: alpine:latest
  stage: review
  script:
    - check_kube_domain
    - install_dependencies
    - download_chart
    - ensure_namespace
    - install_tiller
    - create_secret
    - deploy
    - persist_environment_url
  environment:
    name: review/$CI_COMMIT_REF_NAME
    url: http://$CI_PROJECT_PATH_SLUG-$CI_ENVIRONMENT_SLUG.$AUTO_DEVOPS_DOMAIN
    on_stop: stop_review
  artifacts:
    paths: [environment_url.txt]
  only:
    refs:
      - branches
    kubernetes: active
  except:
    refs:
      - master
      - tags
      - /^Issue.*$/
      #- /^v.*release$/
    variables:
      - $REVIEW_DISABLED

stop_review:
  stage: cleanup
  variables:
    GIT_STRATEGY: none
  script:
    - install_dependencies
    - delete
  environment:
    name: review/$CI_COMMIT_REF_NAME
    action: stop
  when: manual
  allow_failure: true
  only:
    refs:
      - branches
    kubernetes: active
  except:
    refs:
      - /^Issue.*$/
      - master
      - tags
      #- /^v.*release$/
    variables:
      - $REVIEW_DISABLED

# Keys that start with a dot (.) will not be processed by GitLab CI.
# Staging and canary jobs are disabled by default, to enable them
# remove the dot (.) before the job name.
# https://docs.gitlab.com/ee/ci/yaml/README.html#hidden-keys

# Staging deploys are disabled by default since
# continuous deployment to production is enabled by default
# If you prefer to automatically deploy to staging and
# only manually promote to production, enable this job by setting
# STAGING_ENABLED.

staging:
  cache: {}
  #image: node:8.12.0-stretch --> change apk command in certain functions
  image: alpine:latest
  stage: staging
  script:
    - check_kube_domain
    - install_dependencies
    - download_chart
    - ensure_namespace
    - install_tiller
    - create_secret
    - install_certificate
    - deploy
  environment:
    name: staging
    #url: http://$CI_PROJECT_PATH_SLUG-staging.$AUTO_DEVOPS_DOMAIN
    url: https://node-staging.$AUTO_DEVOPS_DOMAIN
  only:
    refs:
      - master
      - tags
      - /^Issue.*$/
    kubernetes: active
    variables:
      - $STAGING_ENABLED

.production: &production_template
  cache: {}
  image: alpine:latest
  stage: production
  script:
    - check_kube_domain
    - install_dependencies
    - download_chart
    - ensure_namespace
    - install_tiller
    - create_secret
    - deploy
    - delete canary
    - delete rollout
    - persist_environment_url
  environment:
    name: production
    url: http://$CI_PROJECT_PATH_SLUG.$AUTO_DEVOPS_DOMAIN
  artifacts:
    paths: [environment_url.txt]

production:
  <<: *production_template
  only:
    refs:
      - tags
    kubernetes: active
  except:
    variables:
      - $STAGING_ENABLED

production_manual:
  <<: *production_template
  environment:
    name: production
    url: http://api.hybrix.io
  when: manual
  allow_failure: false
  only:
    refs:
      - tags
    kubernetes: active
    variables:
      - $STAGING_ENABLED

dist:
  dependencies:
    - hybrixd
  image: alpine:latest
  stage: release
  script:
  # install the packages that we need
  - apk update
  - apk add curl
  - apk add git
  - apk add tar
  - apk add xz
  - apk add zip
  - apk add jq

  # set variables
  # version -> branchname without '-release'
  #- version=${CI_COMMIT_REF_NAME/-release/}
  - version=${CI_COMMIT_TAG/-release/}
  - component=node
  - file=hybrixd.${component}.${version}
  - path=${component}/${version}/

  - ls

  #- cp -r ./dist/. /tmp/${component}/
  #- cp -r . /tmp/${component}/
  #- cp .version . /tmp/${component}/

  - cd /tmp
  - git clone --depth=1 https://oauth2:${PRIVATE_TOKEN}@gitlab.com/hybrix/dist
  - mkdir -p ./dist/${component}/${version}/

  # download [interface] artifact
  #- "curl --location --header \"JOB-TOKEN: $CI_JOB_TOKEN\" \"https://gitlab.com/api/v4/projects/hybrix%2Fhybrixd%2Finterface/jobs/artifacts/${CI_COMMIT_REF_NAME}/download?job=interface\" -o ${path}${file}.zip"

  # go to folder
  #- ls ./dist/${path}

  #- cp ${path}${file}.zip ./../${file}.zip
  #- unzip ${file}.zip -d ${component}

  # workaround to get the latest artifact
  - PROJECT_REF_SLUG=hybrix%2Fhybrixd%2Fnode
  - PROJECT_REF_PATH=hybrix/hybrixd/node
  - PROJECT_REF_NAME=hybrixd
  - PROJECT_REF_BRANCH=${CI_COMMIT_TAG}
  - "echo ${CI_COMMIT_TAG}"
  - "RESPONSE=$(curl --header \"Private-Token: $PRIVATE_TOKEN\" --silent \"https://gitlab.com/api/v4/projects/${PROJECT_REF_SLUG}/jobs?scope=success\")"
  - "echo \"${RESPONSE}\" | jq -r 'first(.[] | select(.name == \"hybrixd\" and .ref == \"'${PROJECT_REF_BRANCH}'\")) | .id'"
  - "BUILD_JOB_ID=$(echo \"${RESPONSE}\" | jq -r 'first(.[] | select(.name == \"hybrixd\" and .ref == \"'${PROJECT_REF_BRANCH}'\")) | .id')"
  - "echo \"Downloading the artifact from: https://gitlab.com/${PROJECT_REF_PATH}/-/jobs/${BUILD_JOB_ID}/artifacts/download\""
  #- "curl --location --header \"Private-Token: $PRIVATE_TOKEN\" \"https://gitlab.com/${PROJECT_REF_PATH}/-/jobs/${BUILD_JOB_ID}/artifacts/download\" -o artifacts-${PROJECT_REF_NAME}.zip"
  - "curl --location --header \"Private-Token: $PRIVATE_TOKEN\" \"https://gitlab.com/api/v4/projects/${PROJECT_REF_SLUG}/jobs/${BUILD_JOB_ID}/artifacts\" -o artifacts-${PROJECT_REF_NAME}.zip"
  - unzip -o artifacts-hybrixd.zip -d ./${component}/

  - ls
  - ls ${component}

  # archive to zip
  - mv artifacts-hybrixd.zip ${file}.zip

  # archive to tar.gz
  - tar -zcvf ${file}.tar.gz ${component}

  # create a xz-archive as well
  - gunzip < ${file}.tar.gz | xz > ${file}.tar.xz
  #- tar cfJ ${file}.tar.xz ${component}

  - cp ${file}.zip ./dist/${component}/${version}/${file}.zip
  - cp ${file}.tar.gz ./dist/${component}/${version}/${file}.tar.gz
  - cp ${file}.tar.xz ./dist/${component}/${version}/${file}.tar.xz

  # for interface we like to distribute the js files directly as well
  #- cp -r ./${component}/*.js ./dist/${path}
  - cd ./dist/

  # configure git-user
  - "git config --global user.name \"${GITLAB_USER_NAME}\""
  - "git config --global user.email \"${GITLAB_USER_EMAIL}\""

  # add, commit and push
  - "git add ."
  - "git commit -m \"release ${version} ${component}\" || true"
  - "git push https://oauth2:${PRIVATE_TOKEN}@gitlab.com/hybrix/dist.git -f"

  except:
    refs:
      - /^Issue.*$/
  only:
    refs:
      - tags
  #- /^v.*release$/


# ---------------------------------------------------------------------------

.auto_devops: &auto_devops |
  # Auto DevOps variables and functions
  [[ "$TRACE" ]] && set -x
  auto_database_url=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${CI_ENVIRONMENT_SLUG}-postgres:5432/${POSTGRES_DB}
  export DATABASE_URL=${DATABASE_URL-$auto_database_url}
  export CI_APPLICATION_REPOSITORY=$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
  export CI_APPLICATION_TAG=$CI_COMMIT_SHA
  export CI_CONTAINER_NAME=ci_job_build_${CI_JOB_ID}
  export TILLER_NAMESPACE=$KUBE_NAMESPACE
  # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
  export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')

  function registry_login() {
    if [[ -n "$CI_REGISTRY_USER" ]]; then
      echo "Logging to GitLab Container Registry with CI credentials..."
      docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
      echo ""
    fi
  }

  function container_scanning() {
    registry_login

    docker run -d --name db arminc/clair-db:latest
    docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
    apk add -U wget ca-certificates
    docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    mv clair-scanner_linux_amd64 clair-scanner
    chmod +x clair-scanner
    touch clair-whitelist.yml
    retries=0
    echo "Waiting for clair daemon to start"
    while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  }

  function code_quality() {
    docker run --env SOURCE_CODE="$PWD" \
               --volume "$PWD":/code \
               --volume /var/run/docker.sock:/var/run/docker.sock \
               "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
  }

  function license_management() {
    if echo $GITLAB_FEATURES |grep license_management > /dev/null ; then
      # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable"
      LICENSE_MANAGEMENT_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')

      docker run --volume "$PWD:/code" \
                 "registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION" analyze /code
    else
      echo "License management is not available in your subscription"
    fi
  }

  function sast() {
    case "$CI_SERVER_VERSION" in
      *-ee)

        # Deprecation notice for CONFIDENCE_LEVEL variable
        if [ -z "$SAST_CONFIDENCE_LEVEL" -a "$CONFIDENCE_LEVEL" ]; then
          SAST_CONFIDENCE_LEVEL="$CONFIDENCE_LEVEL"
          echo "WARNING: CONFIDENCE_LEVEL is deprecated and MUST be replaced with SAST_CONFIDENCE_LEVEL"
        fi

        docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" \
                   --volume "$PWD:/code" \
                   --volume /var/run/docker.sock:/var/run/docker.sock \
                   "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
        ;;
      *)
        echo "GitLab EE is required"
        ;;
    esac
  }

  function dependency_scanning() {
    case "$CI_SERVER_VERSION" in
      *-ee)
        docker run --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}" \
                   --volume "$PWD:/code" \
                   --volume /var/run/docker.sock:/var/run/docker.sock \
                   "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
        ;;
      *)
        echo "GitLab EE is required"
        ;;
    esac
  }

  function get_replicas() {
    track="${1:-stable}"
    percentage="${2:-100}"

    env_track=$( echo $track | tr -s  '[:lower:]'  '[:upper:]' )
    env_slug=$( echo ${CI_ENVIRONMENT_SLUG//-/_} | tr -s  '[:lower:]'  '[:upper:]' )

    if [[ "$track" == "stable" ]] || [[ "$track" == "rollout" ]]; then
      # for stable track get number of replicas from `PRODUCTION_REPLICAS`
      eval new_replicas=\$${env_slug}_REPLICAS
      if [[ -z "$new_replicas" ]]; then
        new_replicas=$REPLICAS
      fi
    else
      # for all tracks get number of replicas from `CANARY_PRODUCTION_REPLICAS`
      eval new_replicas=\$${env_track}_${env_slug}_REPLICAS
      if [[ -z "$new_replicas" ]]; then
        eval new_replicas=\${env_track}_REPLICAS
      fi
    fi

    replicas="${new_replicas:-1}"
    replicas="$(($replicas * $percentage / 100))"

    # always return at least one replicas
    if [[ $replicas -gt 0 ]]; then
      echo "$replicas"
    else
      echo 1
    fi
  }

  function deploy() {
    track="${1-stable}"
    percentage="${2:-100}"
    name="$CI_ENVIRONMENT_SLUG"

    replicas="1"
    service_enabled="true"
    postgres_enabled="$POSTGRES_ENABLED"

    # if track is different than stable,
    # re-use all attached resources
    if [[ "$track" != "stable" ]]; then
      name="$name-$track"
      service_enabled="false"
      postgres_enabled="false"
    fi

    replicas=$(get_replicas "$track" "$percentage")

    if [[ "$CI_PROJECT_VISIBILITY" != "public" ]]; then
      secret_name='gitlab-registry'
    else
      secret_name=''
    fi

    helm upgrade --install \
      --wait \
      --set service.enabled="$service_enabled" \
      --set releaseOverride="$CI_ENVIRONMENT_SLUG" \
      --set image.repository="$CI_APPLICATION_REPOSITORY" \
      --set image.tag="$CI_APPLICATION_TAG" \
      --set image.pullPolicy=IfNotPresent \
      --set image.secrets[0].name="$secret_name" \
      --set application.track="$track" \
      --set application.database_url="$DATABASE_URL" \
      --set service.url="$CI_ENVIRONMENT_URL" \
      --set replicaCount="$replicas" \
      --set postgresql.enabled="$postgres_enabled" \
      --set postgresql.nameOverride="postgres" \
      --set postgresql.postgresUser="$POSTGRES_USER" \
      --set postgresql.postgresPassword="$POSTGRES_PASSWORD" \
      --set postgresql.postgresDatabase="$POSTGRES_DB" \
      --namespace="$KUBE_NAMESPACE" \
      --version="$CI_PIPELINE_ID-$CI_JOB_ID" \
      "$name" \
      chart/

    kubectl rollout status -n "$KUBE_NAMESPACE" -w "deployment/$name"
  }

  function scale() {
    track="${1-stable}"
    percentage="${2-100}"
    name="$CI_ENVIRONMENT_SLUG"

    if [[ "$track" != "stable" ]]; then
      name="$name-$track"
    fi

    replicas=$(get_replicas "$track" "$percentage")

    if [[ -n "$(helm ls -q "^$name$")" ]]; then
      helm upgrade --reuse-values \
        --wait \
        --set replicaCount="$replicas" \
        --namespace="$KUBE_NAMESPACE" \
        "$name" \
        chart/
    fi
  }

  function install_dependencies() {
    apk add -U openssl curl tar gzip bash ca-certificates git
    curl -L -o /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
    curl -L -O https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.28-r0/glibc-2.28-r0.apk
    apk add glibc-2.28-r0.apk
    rm glibc-2.28-r0.apk

    curl "https://kubernetes-helm.storage.googleapis.com/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | tar zx
    mv linux-amd64/helm /usr/bin/
    helm version --client

    curl -L -o /usr/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl"
    chmod +x /usr/bin/kubectl
    kubectl version --client
  }

  function setup_docker() {
    if ! docker info &>/dev/null; then
      if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
        export DOCKER_HOST='tcp://localhost:2375'
      fi
    fi
  }

  function setup_test_db() {
    if [ -z ${KUBERNETES_PORT+x} ]; then
      DB_HOST=postgres
    else
      DB_HOST=localhost
    fi
    export DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${DB_HOST}:5432/${POSTGRES_DB}"
  }

  function download_chart() {
    if [[ ! -d chart ]]; then
      auto_chart=${AUTO_DEVOPS_CHART:-gitlab/auto-deploy-app}
      auto_chart_name=$(basename $auto_chart)
      auto_chart_name=${auto_chart_name%.tgz}
      auto_chart_name=${auto_chart_name%.tar.gz}
    else
      auto_chart="chart"
      auto_chart_name="chart"
    fi

    helm init --client-only
    helm repo add gitlab https://charts.gitlab.io
    if [[ ! -d "$auto_chart" ]]; then
      helm fetch ${auto_chart} --untar
    fi
    if [ "$auto_chart_name" != "chart" ]; then
      mv ${auto_chart_name} chart
    fi

    helm dependency update chart/
    helm dependency build chart/
  }

  function ensure_namespace() {
    kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE"
  }

  function check_kube_domain() {
    if [ -z ${AUTO_DEVOPS_DOMAIN+x} ]; then
      echo "In order to deploy or use Review Apps, AUTO_DEVOPS_DOMAIN variable must be set"
      echo "You can do it in Auto DevOps project settings or defining a variable at group or project level"
      echo "You can also manually add it in .gitlab-ci.yml"
      false
    else
      true
    fi
  }

  function build() {
    registry_login

    if [[ -f Dockerfile ]]; then
      echo "Building Dockerfile-based application..."
      docker build \
        --build-arg HTTP_PROXY="$HTTP_PROXY" \
        --build-arg http_proxy="$http_proxy" \
        --build-arg HTTPS_PROXY="$HTTPS_PROXY" \
        --build-arg https_proxy="$https_proxy" \
        --build-arg FTP_PROXY="$FTP_PROXY" \
        --build-arg ftp_proxy="$ftp_proxy" \
        --build-arg NO_PROXY="$NO_PROXY" \
        --build-arg no_proxy="$no_proxy" \
        -t "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" .
    else
      echo "Building Heroku-based application using gliderlabs/herokuish docker image..."
      docker run -i \
        -e BUILDPACK_URL \
        -e HTTP_PROXY \
        -e http_proxy \
        -e HTTPS_PROXY \
        -e https_proxy \
        -e FTP_PROXY \
        -e ftp_proxy \
        -e NO_PROXY \
        -e no_proxy \
        --name="$CI_CONTAINER_NAME" -v "$(pwd):/tmp/app:ro" gliderlabs/herokuish /bin/herokuish buildpack build
      docker commit "$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
      docker rm "$CI_CONTAINER_NAME" >/dev/null
      echo ""

      echo "Configuring $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG docker image..."
      docker create --expose 5000 --env PORT=5000 --name="$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" /bin/herokuish procfile start web

      #workaround: edit the package.json, with an on start config-edit (replace 127.0.0.1 with POD's IP, replace 8080 with 5000)
      sed -i -e "s:./hybrixd:sed -i -e 's/127.0.0.1/'\$POD_IP'/g' hybrixd.conf \&\& sed -i -e 's/8080/5000/g' hybrixd.conf \&\& sed -i -e 's#/source/web-wallet##g' hybrixd.conf \&\& ./hybrixd:g" package.json
      docker cp package.json "$CI_CONTAINER_NAME":/app/package.json

      docker commit "$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
      docker rm "$CI_CONTAINER_NAME" >/dev/null
      echo ""
    fi

    echo "Pushing to GitLab Container Registry..."
    docker push "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
    echo ""
  }

  function install_tiller() {
    echo "Checking Tiller..."
    helm init --upgrade
    kubectl rollout status -n "$TILLER_NAMESPACE" -w "deployment/tiller-deploy"
    if ! helm version --debug; then
      echo "Failed to init Tiller."
      return 1
    fi
    echo ""
  }

  function create_secret() {
    echo "Create secret..."
    if [[ "$CI_PROJECT_VISIBILITY" == "public" ]]; then
      return
    fi

    kubectl create secret -n "$KUBE_NAMESPACE" \
      docker-registry gitlab-registry \
      --docker-server="$CI_REGISTRY" \
      --docker-username="${CI_DEPLOY_USER:-$CI_REGISTRY_USER}" \
      --docker-password="${CI_DEPLOY_PASSWORD:-$CI_REGISTRY_PASSWORD}" \
      --docker-email="$GITLAB_USER_EMAIL" \
      -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f -
  }

  function dast() {
    export CI_ENVIRONMENT_URL=$(cat environment_url.txt)

    mkdir /zap/wrk/
    /zap/zap-baseline.py -J gl-dast-report.json -t "$CI_ENVIRONMENT_URL" || true
    cp /zap/wrk/gl-dast-report.json .
  }

  function performance() {
    export CI_ENVIRONMENT_URL=$(cat environment_url.txt)

    mkdir gitlab-exporter
    wget -O gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/10-5/index.js

    mkdir sitespeed-results

    if [ -f .gitlab-urls.txt ]
    then
      sed -i -e 's@^@'"$CI_ENVIRONMENT_URL"'@' .gitlab-urls.txt
      docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:6.3.1 --plugins.add ./gitlab-exporter --outputFolder sitespeed-results .gitlab-urls.txt
    else
      docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:6.3.1 --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "$CI_ENVIRONMENT_URL"
    fi

    mv sitespeed-results/data/performance.json performance.json
  }

  function persist_environment_url() {
      echo $CI_ENVIRONMENT_URL > environment_url.txt
  }

  function install_certificate() {
    echo "View issuer, certs and secrets..."
    kubectl get clusterissuer
    kubectl get certificate
    kubectl get secret
  }

  function delete() {
    track="${1-stable}"
    name="$CI_ENVIRONMENT_SLUG"

    if [[ "$track" != "stable" ]]; then
      name="$name-$track"
    fi

    if [[ -n "$(helm ls -q "^$name$")" ]]; then
      helm delete --purge "$name"
    fi
  }

before_script:
  - *auto_devops