homelab/.gitlab-ci.yml at main · nihalxkumar/homelab · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
stages:
  - lint
  - validate
  - security

variables:
  FF_USE_FASTZIP: "true"
  CACHE_COMPRESSION_LEVEL: "fastest"

# Shared cache config
.cache_policy: &cache_policy
  cache:
    policy: pull-push
    paths:
      - .cache/pip
    key: ${CI_COMMIT_REF_SLUG}

# ============================================================================
# LINT STAGE
# ============================================================================

ansible:lint:
  stage: lint
  image: python:3.12-slim
  <<: *cache_policy
  before_script:
    - pip install --cache-dir .cache/pip -q ansible-lint ansible-core
  script:
    - echo "Linting Ansible playbooks (warnings only)..."
    - ansible-lint ansible/ -p || true
  allow_failure: true
  only:
    - merge_requests
    - main

docs:check:
  stage: lint
  image: alpine:latest
  script:
    - "[ -f README.md ] && wc -l README.md || (echo 'ERROR: README.md missing' && exit 1)"
  allow_failure: true
  only:
    - merge_requests
    - main

# ============================================================================
# VALIDATE STAGE
# ============================================================================

kustomize:build:
  stage: validate
  image: alpine:latest
  before_script:
    - apk add --no-cache curl bash
    - curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
    - mv kustomize /usr/local/bin/
    - curl -fsSL https://get.helm.sh/helm-v3.17.0-linux-amd64.tar.gz | tar -xz --strip-components=1 -C /usr/local/bin linux-amd64/helm
  variables:
    KUSTOMIZE_ENABLE_ALPHA_COMMANDS: "true"
  script:
    - echo "Building all Kustomize overlays..."
    - |
      find kubernetes -name "kustomization.yaml" -type f | while read kust_file; do
        dir=$(dirname "$kust_file")
        echo "Building $dir..."
        kustomize build --enable-alpha-plugins "$dir" > /dev/null || exit 1
        echo "✓ $dir builds successfully"
      done
    - echo "✓ All Kustomize builds passed"
  allow_failure: false
  only:
    - merge_requests
    - main

kubeval:validate:
  stage: validate
  image: alpine:latest
  before_script:
    - apk add --no-cache wget tar
    - wget -q https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
    - tar xf kubeval-linux-amd64.tar.gz -C /usr/local/bin
  script:
    - echo "Validating Kubernetes manifests..."
    - |
      find kubernetes -name "*.yaml" -type f \
        ! -name "kustomization.yaml" \
        ! -name "*.sops.yaml" \
        ! -name "secret*.yaml" \
        ! -name "*crd*.yaml" \
        ! -name "*customresourcedefinition*.yaml" | while read file; do
        if grep -q "kind: HelmRelease" "$file" 2>/dev/null; then
          echo "Skipping HelmRelease: $file"
          continue
        fi
        if grep -q "apiVersion:" "$file" 2>/dev/null; then
          kubeval "$file" --ignore-missing-schemas 2>/dev/null || echo "  ⚠ $file has schema warnings"
        fi
      done
    - echo "✓ Kubeval validation complete"
  allow_failure: true
  only:
    - merge_requests
    - main

# ============================================================================
# SECURITY STAGE
# ============================================================================

secrets:detect:
  stage: security
  image: python:3.12-slim
  <<: *cache_policy
  before_script:
    - pip install --cache-dir .cache/pip -q detect-secrets
  script:
    - echo "Scanning for secrets..."
    - detect-secrets scan --baseline .secrets.baseline || true
  allow_failure: true
  only:
    - merge_requests
    - main

sops:validate:
  stage: security
  image: alpine:latest
  script:
    - echo "Validating SOPS encrypted files..."
    - |
      find kubernetes -name "*.sops.yaml" -type f | while read file; do
        if grep -q "^sops:$" "$file" 2>/dev/null && grep -q "age:" "$file" 2>/dev/null; then
          echo "✓ $file has SOPS envelope (Age encrypted)"
        else
          echo "✗ $file missing SOPS envelope"
          exit 1
        fi
      done
    - |
      find kubernetes -path "*/secrets/*" -name "*.yaml" -type f ! -name "*.sops.yaml" | while read file; do
        echo "✗ $file in secrets/ directory should use .sops.yaml extension"
        exit 1
      done
    - echo "✓ All secrets properly encrypted with SOPS"
  allow_failure: false
  only:
    - merge_requests
    - main

# ============================================================================
# RENOVATE SCHEDULE (Runs on cron, not on MR)
# ============================================================================

renovate:scheduled:
  stage: security
  image: renovate/renovate:39
  script:
    - export RENOVATE_TOKEN=$CI_JOB_TOKEN
    - export RENOVATE_GITLAB_HOST=gitlab.com
    - export RENOVATE_PLATFORM=gitlab
    - export RENOVATE_REPOSITORY=$CI_PROJECT_PATH
    - export RENOVATE_AUTODISCOVER=false
    - export LOG_LEVEL=info
    - renovate
  only:
    - schedules
  allow_failure: true
  timeout: 1 hour