CI: Add image scan

This commit is contained in:
Björn Busse 2024-01-10 23:36:10 +01:00
parent c9e62c83d3
commit 8b67c1dfbc
7 changed files with 84 additions and 15 deletions


@ -15,11 +15,19 @@ on:
jobs:
setup-cluster:
name: minikube
runs-on: ubuntu-latest
steps:
- name: start minikube
id: minikube
uses: medyagh/setup-minikube@latest
- name: kubectl
run: kubectl get pods -A
- name: Checkout code
uses: actions/checkout@v3
- name: Start minikube
id: minikube
uses: medyagh/setup-minikube@latest
- name: kubectl
run: kubectl get pods -A -o wide
- name: Setup cluster
run: |
./run.sh
- name: kubectl
run: |
kubectl get pods -A -o wide && \
kubectl get helmrelease -A
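Review bot: `uses: medyagh/setup-minikube@latest` (and, less so, `actions/checkout@v3`) is a floating ref, so each run executes whatever the action author most recently pushed; pin third-party actions to a full commit SHA with the version in a trailing comment, e.g. `uses: medyagh/setup-minikube@<commit-sha> # vX.Y`. The new "Setup cluster" step relies solely on the exit status of `./run.sh`, and elsewhere in this commit a script that looks like run.sh has its `set -eo pipefail` weakened to `set -o pipefail` (assuming the last file on this page is that script — confirm), so a failing flux or kubectl command inside it would still turn the step green. The closing `kubectl get helmrelease -A` only lists objects; if the job is meant to verify the bootstrap, add something that asserts readiness, e.g. `kubectl wait --for=condition=Ready helmrelease --all -A --timeout=5m`. Two steps share the name `kubectl`, which makes the job log harder to read.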


@ -0,0 +1,21 @@
name: Scan
on:
push:
branches:
- '**'
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/bbusse/gtfso-import'
format: 'sarif'
output: 'trivy-results.sarif'
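Review bot: The scan writes `trivy-results.sarif` but nothing in this workflow uploads it, so unless the two lines of this 21-line file not shown on the page do that, the findings never reach the code-scanning tab the README TODO points at, and without `exit-code`/`severity` inputs the step never fails the build either. Add an upload step (it needs `security-events: write` on the job) and consider `exit-code: '1'` with `severity: 'CRITICAL,HIGH'` so the job actually gates on results. `aquasecurity/trivy-action@master` is a moving branch; pin it to a release tag or a full commit SHA. `image-ref: 'ghcr.io/bbusse/gtfso-import'` carries no tag, so this scans whatever `latest` currently is in the registry rather than the image built from the commit under test; pin a tag or digest, or build the image in the job before scanning it.
```yaml
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
    steps:
      # … unchanged: checkout and Trivy scan steps …
      - name: Upload Trivy results to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```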

1
.gitignore vendored

@ -1,3 +1,4 @@
bin/*
flux_2.2.1_linux_amd64.tar.gz
flux
helm


@ -9,6 +9,8 @@ and the HA API deployment with the /success endpoint and a ReplicaSet of 2.
- Database: PostgresqlHA
- Import: gtfso-import
- API: gtfso-vbb
Monitoring: kube-prometheus-stack
Vulnerability Scanning: Trivy
## Clone repository
```
@ -48,10 +50,11 @@ $ minikube stop
```
## TODOs / Notes
Make gtfso a native Prometheus exporter
Vulnerability Scanning
gtfso-import needs the database secret for import
Vulnerability scanning in github action with https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
Add monitoring target to kube-prometheus-stack
Define strategy for version updates
Use SOPS for secret management
Consider SOPS for secret management
Terraform has minikube and flux providers
## Resources
@ -61,3 +64,4 @@ Terraform has minikube and flux providers
[Terraform Flux Provider](https://github.com/fluxcd/terraform-provider-flux)
[Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)
[bitnami PostgreSQL HA Helm](https://bitnami.com/stack/postgresql-ha/helm)
[Trivy](https://github.com/aquasecurity/trivy)


@ -39,11 +39,11 @@ spec:
protocol: TCP
livenessProbe:
httpGet:
path: /
path: /healthz
port: http
readinessProbe:
httpGet:
path: /
path: /healthy
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
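Review bot: The two new probe paths disagree: the liveness probe hits `/healthz` while the readiness probe hits `/healthy`, and unless the application serves both routes one of the probes will 404, leaving the pod either never Ready or restarting in a loop. If the typo is on the readiness side, change it to `path: /healthz`; if both endpoints are intentional, note in the chart values which one each probe is expected to use. The enclosing container spec starts before this hunk.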

41
deploy

@ -3,6 +3,8 @@
# Deploy app to k8s using fluxcd
#
set -o pipefail
DEPLOY_MODE="flux"
readonly DEPLOY_MODE
APP_NAMESPACE="app"
@ -17,7 +19,8 @@ GTFSO_IMPORT_CHART_VERSION="0.1.0"
readonly GTFSO_IMPORT_CHART_VERSION
GTFSO_VBB_CHART_VERSION="0.1.0"
readonly GTFSO_VBB_CHART_VERSION
PROM_STACK_CHART_VERSION="55.7.0"
readonly PROM_STACK_CHART_VERSION
# Create namespaces
kubectl create namespace "${APP_NAMESPACE}"
@ -27,14 +30,42 @@ kubectl create namespace "${MONITORING_NAMESPACE}"
if [ "flux" == $DEPLOY_MODE ]; then
# Add Helm Charts via Flux HelmRelease CRD
printf "Using flux to create HelmRelease\n"
# App
# Add a git repository as source for Helm Charts
./flux create source git e2m \
--url=https://git.e2m.io/mue/obch \
--branch dev \
--namespace "${APP_NAMESPACE}"
# Add a Helm OCI repository as source for Helm Charts
./flux create source helm bitnami \
--url=oci://registry-1.docker.io/bitnamicharts \
--namespace "${APP_NAMESPACE}"
./flux create helmrelease pgsql-ha \
--chart postgresql-ha \
--chart-version "${PGSQLHA_CHART_VERSION}" \
--source HelmRepository/bitnamicharts \
--source HelmRepository/bitnami \
--namespace "${APP_NAMESPACE}"
./flux create helmrelease gtfso-import \
--chart charts/gtfso-import \
--namespace ${APP_NAMESPACE} \
--source GitRepository/e2m
./flux create helmrelease gtfso-vbb \
--chart charts/gtfso-vbb \
--namespace ${APP_NAMESPACE} \
--source GitRepository/e2m
# Monitoring
./flux create source helm prometheus-community \
--url=https://prometheus-community.github.io/helm-charts \
--namespace "${MONITORING_NAMESPACE}"
./flux create helmrelease prometheus \
--chart kube-prometheus-stack \
--chart-version "${PROM_STACK_CHART_VERSION}" \
--namespace "${MONITORING_NAMESPACE}" \
--source=HelmRepository/prometheus-community
elif [ "helm" == $DEPLOY_MODE ]; then
# Add Helm Charts via Helm
printf "Using Helm to install Chart\n"
printf "Using Helm to install Charts\n"
# App
helm install pgsql-ha "${PGSQLHA_OCI_URL}" \
--version "${PGSQLHA_CHART_VERSION}" \
--namespace "${APP_NAMESPACE}"
@ -44,4 +75,8 @@ elif [ "helm" == $DEPLOY_MODE ]; then
helm install gtfso-vbb charts/gtfso-vbb \
--version "${GTFSO_VBB_CHART_VERSION}" \
--namespace "${APP_NAMESPACE}"
# Monitoring
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install prometheus prometheus-community/kube-prometheus-stack
fi
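Review bot: The Helm-mode install of kube-prometheus-stack on the last added line is neither version-pinned nor namespaced, unlike the flux branch above which passes `PROM_STACK_CHART_VERSION` and `MONITORING_NAMESPACE`, so it lands in the default namespace and pulls whatever chart version the repo index serves at run time; change it to `helm install prometheus prometheus-community/kube-prometheus-stack --version "${PROM_STACK_CHART_VERSION}" --namespace "${MONITORING_NAMESPACE}"`. In the flux branch the new GitRepository source tracks the mutable `dev` branch with no tag or commit pin, so anything pushed there is deployed on the next reconcile; once the charts are released, pin a tag and consider enabling source verification. `${APP_NAMESPACE}` is left unquoted on the two gtfso helmrelease lines while it is quoted everywhere else in the script. The script also runs with only `pipefail` and no `-e`, so a failed `flux create` does not stop the deploy (the `set` line is in an earlier hunk).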


@ -4,7 +4,7 @@
# with k8s dashboard and flux
#
set -eo pipefail
set -o pipefail
PRJ="obch"
readonly PRJ
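Review bot: Dropping `-e` from the `set` line means the script continues after any failed command and still exits 0, and the CI job added in this commit runs a `./run.sh` as its "Setup cluster" step, so if this file is that script (inferred from the header comment — confirm) a broken cluster bootstrap would go green. Unless one specific command is expected to fail, keep `set -eo pipefail` and guard that command explicitly with `|| true` or an `if`. The rest of the script is outside this hunk.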