From e1c517591a92ddc3db2acaae132b4d5eefefa187 Mon Sep 17 00:00:00 2001
From: DJ Mountney
Date: Tue, 31 Dec 2019 10:48:30 -0800
Subject: [PATCH] The 12.6 release of GitLab
---
12.6/Dockerfile | 24 +++++++++++++++
12.6/LICENSE | 21 +++++++++++++
12.6/README.md | 42 ++++++++++++++++++++++++++
12.6/build-scripts/build.sh | 41 +++++++++++++++++++++++++
12.6/build-scripts/cleanup.sh | 5 +++
12.6/build-scripts/prepare.sh | 23 ++++++++++++++
12.6/scripts/prebuild.sh | 57 +++++++++++++++++++++++++++++++++++
7 files changed, 213 insertions(+)
create mode 100644 12.6/Dockerfile
create mode 100644 12.6/LICENSE
create mode 100644 12.6/README.md
create mode 100755 12.6/build-scripts/build.sh
create mode 100755 12.6/build-scripts/cleanup.sh
create mode 100755 12.6/build-scripts/prepare.sh
create mode 100755 12.6/scripts/prebuild.sh
diff --git a/12.6/Dockerfile b/12.6/Dockerfile
new file mode 100644
index 0000000..9d4dafd
--- /dev/null
+++ b/12.6/Dockerfile
@@ -0,0 +1,24 @@
+ARG BASE_REGISTRY=registry.access.redhat.com
+ARG BASE_IMAGE=ubi8/ubi
+ARG BASE_TAG=8.0
+
+ARG GITLAB_VERSION=v12.6.1-ubi8
+
+ARG UBI_IMAGE=${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+ARG RUBY_IMAGE=registry.access.redhat.com/gitlab/gitlab/gitlab-ruby:12.6
+
+FROM ${UBI_IMAGE} AS builder
+
+ARG NEXUS_SERVER
+ARG VENDOR=gitlab
+ARG GITLAB_VERSION
+ARG PACKAGE_NAME=ubi8-build-dependencies-${GITLAB_VERSION}.tar
+ARG PACKAGE_URL=https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/git-base/${PACKAGE_NAME}
+
+ADD build-scripts/ /build-scripts/
+
+RUN /build-scripts/prepare.sh "${PACKAGE_URL}"
+
+FROM ${RUBY_IMAGE}
+
+COPY --from=builder /prepare/dependencies /
diff --git a/12.6/LICENSE b/12.6/LICENSE
new file mode 100644
index 0000000..5285f42
--- /dev/null
+++ b/12.6/LICENSE
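Review bot: `ADD build-scripts/ /build-scripts/` uses ADD for a plain local directory; `COPY build-scripts/ /build-scripts/` does the same thing without ADD's implicit archive-extraction and URL semantics (hadolint DL3020). The final stage's `COPY --from=builder /prepare/dependencies /` overlays the image root with whatever the downloaded archive unpacked to, so the integrity of that archive is the trust root of this image — a comment such as `# /prepare/dependencies is the git-base payload unpacked by prepare.sh; everything in it lands at / in the final image` would make that contract visible next to the copy. `ARG BASE_TAG=8.0` pins only a mutable tag; for a hardened build the UBI base should be pinned by digest as well (for example an extra `BASE_DIGEST` arg appended as `@sha256:…` when composing `UBI_IMAGE`). The final stage declares no `USER`; whether the image runs as root depends on what `gitlab-ruby:12.6` sets, which is not visible here and is worth confirming.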
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/12.6/README.md b/12.6/README.md
new file mode 100644
index 0000000..a3bf2cf
--- /dev/null
+++ b/12.6/README.md
@@ -0,0 +1,42 @@
+# gitlab-base-container
+
+Base Git image, used to build other Git based GitLab containers.
+
+## GitLab 12.6.0 release
+
+The hardened containers for GitLab 12.6 require the gitlab 12.6 blob to be available for download.
+
+There are some included scripts to make this easier for user building images offline on their machine.
+
+
+## Building
+
+1. Switch to the 12.6 directory
+2. Run `./build-scripts/build.sh`
+ * Runs docker build, and takes care of setting the appropriate build args for users running locally
+ * Uses the `NEXUS_SERVER` variable from your environment, or full `PACKAGE_URL`.
+
+
+`build-script/build.sh` is provided as an example and helpful for building locally. You can also instead call docker build and pass build-args directly.
+
+## Build Phases
+
+Some of the GitLab containers are build ontop of previous containers, building the containers in ordered phases is necessary to build all containers.
+
+- Phase One
+ * kubectl
+ * gitlab-ruby
+ * gitlab-container-registry
+- Phase Two
+ * git-base
+ * gitlab-exporter
+ * gitlab-mailroom
+ * gitlab-shell
+ * gitlab-rails
+ * gitlab-workhorse
+- Phase 3
+ * gitaly
+- Phase 4
+ * gitlab-sidekiq
+ * gitlab-task-runner
+ * gitlab-unicorn
diff --git a/12.6/build-scripts/build.sh b/12.6/build-scripts/build.sh
new file mode 100755
index 0000000..c1d7ad8
--- /dev/null
+++ b/12.6/build-scripts/build.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# NOTICE: This script requires `docker`.
+
+set -euxo pipefail
+
+TAG=${1:-12.6}
+REPOSITORY=${2:-}
+NEXUS_SERVER=${NEXUS_SERVER:-}
+PACKAGE_URL=${PACKAGE_URL:-}
+DOCKER_OPTS=${DOCKER_OPTS:-""}
+
+imageName() {
+ printf "${REPOSITORY}${1}:${TAG}"
+}
+
+buildImage() {
+ IMAGE="${1}"
+ CONTEXT="${IMAGE%*-ee}"
+ {
+ docker build \
+ -t "$(imageName ${IMAGE})" . \
+ ${DOCKER_OPTS:-} | tee ${CONTEXT}.out
+ } || {
+ echo "${CONTEXT}" >> failed.log
+ }
+}
+
+# Cleanup log outputs from previous build
+rm -f *.out failed.log
+
+if [ $NEXUS_SERVER ]; then
+ DOCKER_OPTS="$DOCKER_OPTS --build-arg NEXUS_SERVER=${NEXUS_SERVER}"
+fi
+
+if [ $PACKAGE_URL ]; then
+ DOCKER_OPTS="$DOCKER_OPTS --build-arg PACKAGE_URL=${PACKAGE_URL}"
+fi
+
+DOCKER_OPTS="$DOCKER_OPTS --build-arg RUBY_IMAGE=$(imageName gitlab-ruby)"
+buildImage git-base
diff --git a/12.6/build-scripts/cleanup.sh b/12.6/build-scripts/cleanup.sh
new file mode 100755
index 0000000..ad291f9
--- /dev/null
+++ b/12.6/build-scripts/cleanup.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+rm -f *.tar.gz *.out failed.log
diff --git a/12.6/build-scripts/prepare.sh b/12.6/build-scripts/prepare.sh
new file mode 100755
index 0000000..953641f
--- /dev/null
+++ b/12.6/build-scripts/prepare.sh
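Review bot: `if [ $NEXUS_SERVER ]; then` and `if [ $PACKAGE_URL ]; then` test unquoted expansions, which only works because an empty value collapses to `[ ]`; any whitespace in the value (or a value like `-n`) turns the test into a syntax error or a different operator, so write them as `if [ -n "${NEXUS_SERVER}" ]; then` and `if [ -n "${PACKAGE_URL}" ]; then`. `imageName` uses caller data as the printf format string, `printf "${REPOSITORY}${1}:${TAG}"`, so a `%` in the repository or tag is interpreted as a directive; `printf '%s' "${REPOSITORY}${1}:${TAG}"` prints it verbatim. The remaining unquoted expansions (`$(imageName ${IMAGE})`, `tee ${CONTEXT}.out`) are harmless for the fixed image names used here but would break on names containing spaces, so quoting them costs nothing. A one-line comment above `CONTEXT="${IMAGE%*-ee}"` saying that it strips a trailing `-ee` from the image name to derive the log-file name would save the next reader a trip to the bash manual.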
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+PACKAGE_URL=$1
+WORKSPACE="${WORKSPACE:-/prepare}"
+PACKAGE_NAME="${PACKAGE_NAME:-ubi8-build-dependencies.tar}"
+
+# Download UBI dependencies package and it sha256
+curl -fLk --create-dirs "${PACKAGE_URL}.sha256" -o "${WORKSPACE}/${PACKAGE_NAME}.sha256"
+curl -fLk --create-dirs "${PACKAGE_URL}" -o "${WORKSPACE}/${PACKAGE_NAME}"
+
+# Verify the package integrity
+echo "$(cat ${PACKAGE_NAME}.sha256) ${PACKAGE_NAME}" | sha256sum --check --status \
+&& if [ $? == '0' ]; then printf "\nSHA256 check for ${PACKAGE_NAME} succeeded\n\n"; \
+else printf "SHA256 check for ${PACKAGE_NAME} failed\n\n"; fi
+
+# Extract UBI dependencies
+tar -xvf "${WORKSPACE}/${PACKAGE_NAME}" -C "${WORKSPACE}"
+
+# Extract the specific depenencies needed for this contianer
+mkdir ${WORKSPACE}/dependencies
+tar -xvf "${WORKSPACE}/git-base.tar.gz" -C "${WORKSPACE}/dependencies"
diff --git a/12.6/scripts/prebuild.sh b/12.6/scripts/prebuild.sh
new file mode 100755
index 0000000..158c792
--- /dev/null
+++ b/12.6/scripts/prebuild.sh
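Review bot: The integrity check in this hunk never blocks the build: on a mismatch the `&&` list short-circuits before the `if`, so the `else` branch is unreachable, and because a failure inside an `&&` list does not trigger `set -e`, the script proceeds to extract an unverified archive into `${WORKSPACE}` and, via the Dockerfile's `COPY --from=builder /prepare/dependencies /`, into the final image root. The check also reads `${PACKAGE_NAME}.sha256` and `${PACKAGE_NAME}` relative to the current directory while curl wrote them under `${WORKSPACE}`, so unless the caller's cwd happens to be `${WORKSPACE}` (the Dockerfile sets no WORKDIR) it compares the wrong paths and fails every time. Both downloads use `curl -k`, which disables TLS certificate verification for the archive and its digest alike, so an on-path attacker can substitute both; and because the digest comes from the same origin as the archive it only ever detects corruption, not substitution — the `.tar.asc` signature that `scripts/prebuild.sh` uploads in this same patch is never checked here. The rewrite below drops `-k`, verifies inside `${WORKSPACE}`, and exits non-zero on mismatch.
```shell
# Fetch the archive and its digest over verified TLS. A digest served from the same
# origin only detects corruption, not substitution; authenticity of the archive is
# not established by this script.
curl -fL --create-dirs "${PACKAGE_URL}.sha256" -o "${WORKSPACE}/${PACKAGE_NAME}.sha256"
curl -fL --create-dirs "${PACKAGE_URL}" -o "${WORKSPACE}/${PACKAGE_NAME}"

# Verify against the files curl actually wrote, and make a mismatch fatal.
if ! (cd "${WORKSPACE}" && echo "$(cat "${PACKAGE_NAME}.sha256")  ${PACKAGE_NAME}" | sha256sum --check --status); then
    printf 'SHA256 check for %s failed\n' "${PACKAGE_NAME}" >&2
    exit 1
fi
printf '\nSHA256 check for %s succeeded\n\n' "${PACKAGE_NAME}"

# … unchanged: tar extraction of the archive and of git-base.tar.gz …
```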
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+
+### Environment Variables ###
+GITLAB_VERSION=v12.6.1-ubi8
+VENDOR=gitlab
+
+
+# These three variables are required to push whatever outside binaries your container needs at build time to our Nexus repo
+NEXUS_SERVER=${NEXUS_SERVER}
+NEXUS_USERNAME=${NEXUS_USERNAME}
+NEXUS_PASSWORD=${NEXUS_PASSWORD}
+
+
+## Download variables
+DOWNLOAD_DIR=tmp/${VENDOR}
+UPLOAD_URL=https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/kubectl
+
+### Download files/dependencies ###
+# temporarily place your binaries locally in the download directory
+curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar -o ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar
+
+
+### GPG Signature Check ###
+# GPG signature verification is a requirement in the case that the downloaded files have a GPG signature
+# For more information on GPG keys visit https://access.redhat.com/solutions/1541303 or https://gnupg.org/gph/en/manual.html
+curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc -o ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc
+
+for server in $(shuf -e ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ keyserver.ubuntu.com \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu) ;
+do
+ gpg --batch --keyserver "$server" --recv-keys 8040EEFCCED8C668EF27F7C61DC5606C0C7E9A9B && break || : ; \
+done
+
+gpg --verify ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar
+
+
+### SHA256 Verification ###
+# Verifying the files with the SHA256 is a requirement for all files
+# Make sure to not download the SHA256 from the internet, but create it, check it and upload it to the Nexus repo
+cd ${DOWNLOAD_DIR}
+sha256sum ubi8-build-dependencies-${GITLAB_VERSION}.tar | awk '{print $1}' > ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 \
+&& echo "$(cat ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256) ubi8-build-dependencies-${GITLAB_VERSION}.tar" | sha256sum --check --status \
+&& if [ $? == '0' ]; then printf "\nSHA256 check for ubi8-build-dependencies-${GITLAB_VERSION}.tar succeeded\n\n"; \
+else printf "SHA256 check for ubi8-build-dependencies-${GITLAB_VERSION}.tar failed\n\n"; fi
+cd -
+
+### Nexus Repo Upload ###
+# Push whatever binaries you need to ${NEXUS_SERVER}/dsop/vendor/project/ as you see in the example below. Follow the same
+# format as in Gitlab. You will also need to push the GPG signature file and SHA256 file
+for package in ubi8-build-dependencies-${GITLAB_VERSION}.tar ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc
+do
+ curl -kfS -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T ${DOWNLOAD_DIR}/${package} https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/git-base/${package}
+done
-- GitLab
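Review bot: The upload loop at the end passes `-u ${NEXUS_USERNAME}:${NEXUS_PASSWORD}` on the curl command line, which exposes the Nexus credential to every local user through `ps` and `/proc/*/cmdline`, and pairs it with `-k`, so the password is also sent to a server whose certificate was never verified. Feed the credential through curl's config-from-stdin and drop `-k`: `curl -fS -K - -T "${DOWNLOAD_DIR}/${package}" "https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/git-base/${package}" <<<"user = \"${NEXUS_USERNAME}:${NEXUS_PASSWORD}\""`. The SHA256 block computes the digest from the very file it then checks, so it can only fail on an I/O error; the comment above it implies this is intentional (the digest is generated locally and uploaded), which deserves saying outright, e.g. `# The digest is generated here, not downloaded: it pins the copy stored in Nexus. Authenticity of the S3 download is established by gpg --verify above, not by this check.` `UPLOAD_URL` is assigned with a `/kubectl` path but never used, while the loop uploads under `/git-base`; either delete it or build the upload URL from it so the two cannot drift apart.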