diff --git a/.github/workflows/setup-cluster.yml b/.github/workflows/setup-cluster.yml
index 232c7e4..27fc3fe 100644
--- a/.github/workflows/setup-cluster.yml
+++ b/.github/workflows/setup-cluster.yml
@@ -15,11 +15,19 @@ on:
 jobs:
 setup-cluster:
- name: minikube
 runs-on: ubuntu-latest
 steps:
- - name: start minikube
- id: minikube
- uses: medyagh/setup-minikube@latest
- - name: kubectl
- run: kubectl get pods -A
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Start minikube
+ id: minikube
+ uses: medyagh/setup-minikube@latest
+ - name: kubectl
+ run: kubectl get pods -A -o wide
+ - name: Setup cluster
+ run: |
+ ./run.sh
+ - name: kubectl
+ run: |
+ kubectl get pods -A -o wide && \
+ kubectl get helmrelease -A
 
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
new file mode 100644
index 0000000..96b8fe5
--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,21 @@
+name: Scan
+on:
+ push:
+ branches:
+ - '**'
+ pull_request:
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'ghcr.io/bbusse/gtfso-import'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
diff --git a/.gitignore b/.gitignore
index bcd3211..6cc15eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+bin/*
 flux_2.2.1_linux_amd64.tar.gz
 flux
 helm
diff --git a/README.md b/README.md
index d16d658..0d7f791 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ and the HA API deployment with the /success endpoint and a ReplicaSet of 2.
 - Database: PostgresqlHA
 - Import: gtfso-import
 - API: gtfso-vbb
+ Monitoring: kube-prometheus-stack
+ Vulnerability Scanning: Trivy
 
 ## Clone repository
 ```
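Review bot: The new steps reference third-party actions by mutable refs, `actions/checkout@v3` and especially `medyagh/setup-minikube@latest`, so the code that runs in this job changes whenever the upstream tag moves, with no commit in this repository to review. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: medyagh/setup-minikube@<commit-sha>  # <version>` (placeholders). The last two steps both carry `name: kubectl`, which makes the job log ambiguous; give the second one a distinct name such as `Show pods and HelmReleases`. `./run.sh` is not shown on this page, so whether it fails the job on error cannot be checked from here.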
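Review bot: The Trivy step writes `trivy-results.sarif` but no step uploads it, and with no `exit-code`/`severity` inputs the job passes regardless of findings, so the scan produces nothing that anyone sees; the README item added in this same commit says the intent is GitHub code scanning. Add an upload step and grant the job `security-events: write`, as below. `aquasecurity/trivy-action@master` is a floating branch and should be pinned to a commit SHA like the other actions. Note also that `image-ref` scans the already published `ghcr.io/bbusse/gtfso-import` image rather than anything built from the checked-out commit, so results will lag the code unless that image is built on the same trigger (not visible here).
```yaml
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    permissions:
      contents: read
      security-events: write
    steps:
      # … unchanged: checkout and Trivy steps …
      - name: Upload Trivy results to code scanning
        uses: github/codeql-action/upload-sarif@<commit-sha>  # placeholder, pin to a release SHA
        with:
          sarif_file: 'trivy-results.sarif'
```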
@@ -48,10 +50,11 @@ $ minikube stop
 ```
 
 ## TODOs / Notes
-Make gtfso a native Prometheus exporter
-Vulnerability Scanning
+gtfso-import needs the database secret for import
+Vulnerability scanning in github action with https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
+Add monitoring target to kube-prometheus-stack
 Define strategy for version updates
-Use SOPS for secret management
+Consider SOPS for secret management
 Terraform has minikube and flux providers
 
 ## Resources
@@ -61,3 +64,4 @@ Terraform has minikube and flux providers
 [Terraform Flux Provider](https://github.com/fluxcd/terraform-provider-flux)
 [Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)
 [bitnami PostgreSQL HA Helm](https://bitnami.com/stack/postgresql-ha/helm)
+[Trivy](https://github.com/aquasecurity/trivy)
diff --git a/charts/gtfso-vbb/templates/deployment.yaml b/charts/gtfso-vbb/templates/deployment.yaml
index 16ee2ca..ef81c02 100644
--- a/charts/gtfso-vbb/templates/deployment.yaml
+++ b/charts/gtfso-vbb/templates/deployment.yaml
@@ -39,11 +39,11 @@ spec:
 protocol: TCP
 livenessProbe:
 httpGet:
- path: /
+ path: /healthz
 port: http
 readinessProbe:
 httpGet:
- path: /
+ path: /healthy
 port: http
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
diff --git a/deploy b/deploy
index db6fbcc..fd96aac 100755
--- a/deploy
+++ b/deploy
@@ -3,6 +3,8 @@
 # Deploy app to k8s using fluxcd
 #
 
+set -o pipefail
+
 DEPLOY_MODE="flux"
 readonly DEPLOY_MODE
 APP_NAMESPACE="app"
@@ -17,7 +19,8 @@ GTFSO_IMPORT_CHART_VERSION="0.1.0"
 readonly GTFSO_IMPORT_CHART_VERSION
 GTFSO_VBB_CHART_VERSION="0.1.0"
 readonly GTFSO_VBB_CHART_VERSION
-
+PROM_STACK_CHART_VERSION="55.7.0"
+readonly PROM_STACK_CHART_VERSION
 
 # Create namespaces
 kubectl create namespace "${APP_NAMESPACE}"
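Review bot: The liveness probe now requests `/healthz` while the readiness probe requests `/healthy`; if that one-character difference is a typo, whichever path the gtfso-vbb server does not serve will fail permanently — a readiness failure keeps the Pod out of the Service, a liveness failure restarts it in a loop. Confirm both endpoints exist in the application; if they are meant to be the same check, use one path in both probes, `path: /healthz`. If they are intentionally different, a comment above each probe saying what each endpoint checks would save the next reader the same question. The container spec these probes belong to starts before the hunk.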
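Review bot: `set -o pipefail` on its own changes only the exit status of pipelines; nothing in this script checks that status, so a failing `kubectl`, `flux` or `helm` command still lets the following steps run against a half-deployed cluster. Use `set -eo pipefail` here so the first failure aborts the deploy, and if one command is expected to fail tolerate it locally with `|| true` rather than globally. The same weakening (`-eo` → `-o`) is made in the setup-cluster hunk below.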
@@ -27,14 +30,42 @@ kubectl create namespace "${MONITORING_NAMESPACE}"
 if [ "flux" == $DEPLOY_MODE ]; then
 # Add Helm Charts via Flux HelmRelease CRD
 printf "Using flux to create HelmRelease\n"
+ # App
+ # Add a git repository as source for Helm Charts
+ ./flux create source git e2m \
+ --url=https://git.e2m.io/mue/obch \
+ --branch dev \
+ --namespace "${APP_NAMESPACE}"
+ # Add a Helm OCI repository as source for Helm Charts
+ ./flux create source helm bitnami \
+ --url=oci://registry-1.docker.io/bitnamicharts \
+ --namespace "${APP_NAMESPACE}"
 ./flux create helmrelease pgsql-ha \
 --chart postgresql-ha \
 --chart-version "${PGSQLHA_CHART_VERSION}" \
- --source HelmRepository/bitnamicharts \
+ --source HelmRepository/bitnami \
 --namespace "${APP_NAMESPACE}"
+ ./flux create helmrelease gtfso-import \
+ --chart charts/gtfso-import \
+ --namespace ${APP_NAMESPACE} \
+ --source GitRepository/e2m
+ ./flux create helmrelease gtfso-vbb \
+ --chart charts/gtfso-vbb \
+ --namespace ${APP_NAMESPACE} \
+ --source GitRepository/e2m
+ # Monitoring
+ ./flux create source helm prometheus-community \
+ --url=https://prometheus-community.github.io/helm-charts \
+ --namespace "${MONITORING_NAMESPACE}"
+ ./flux create helmrelease prometheus \
+ --chart kube-prometheus-stack \
+ --chart-version "${PROM_STACK_CHART_VERSION}" \
+ --namespace "${MONITORING_NAMESPACE}" \
+ --source=HelmRepository/prometheus-community
 elif [ "helm" == $DEPLOY_MODE ]; then
 # Add Helm Charts via Helm
- printf "Using Helm to install Chart\n"
+ printf "Using Helm to install Charts\n"
+ # App
 helm install pgsql-ha "${PGSQLHA_OCI_URL}" \
 --version "${PGSQLHA_CHART_VERSION}" \
 --namespace "${APP_NAMESPACE}"
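Review bot: The new `gtfso-import` and `gtfso-vbb` helmrelease calls pass `--namespace ${APP_NAMESPACE}` unquoted while every other call in this hunk writes `--namespace "${APP_NAMESPACE}"`; quote both for consistency, and likewise use either `--source X` or `--source=X` throughout rather than both forms. The GitRepository source tracks the mutable `dev` branch (`--branch dev`), so Flux will roll out whatever is pushed there with no pin in this repository; given the README's open "Define strategy for version updates" item, a `--tag` or `--commit` pin, or at least a comment stating that tracking `dev` is intended, belongs next to that call. Unlike the pgsql-ha and prometheus releases, the two chart-from-git releases carry no `--chart-version`, which is expected for git sources but worth a one-line comment so the asymmetry does not read as an omission.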
@@ -44,4 +75,8 @@ elif [ "helm" == $DEPLOY_MODE ]; then
 helm install gtfso-vbb charts/gtfso-vbb \
 --version "${GTFSO_VBB_CHART_VERSION}" \
 --namespace "${APP_NAMESPACE}"
+ # Monitoring
+ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+ helm repo update
+ helm install prometheus prometheus-community/kube-prometheus-stack
 fi
diff --git a/setup-cluster b/setup-cluster
index 40ce508..e6e3258 100755
--- a/setup-cluster
+++ b/setup-cluster
@@ -4,7 +4,7 @@
 # with k8s dashboard and flux
 #
 
-set -eo pipefail
+set -o pipefail
 
 PRJ="obch"
 readonly PRJ
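Review bot: `helm install prometheus prometheus-community/kube-prometheus-stack` passes neither a chart version nor a namespace, so the helm mode installs whatever chart version the repo serves today into the current kubeconfig namespace, while the flux mode in the same commit pins `PROM_STACK_CHART_VERSION` and targets `MONITORING_NAMESPACE`. Make the two modes agree: `helm install prometheus prometheus-community/kube-prometheus-stack \`, `--version "${PROM_STACK_CHART_VERSION}" \`, `--namespace "${MONITORING_NAMESPACE}"`.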
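Review bot: Replacing `set -eo pipefail` with `set -o pipefail` removes errexit, so a failed download or `kubectl` call no longer stops setup-cluster and later steps run against a partially built cluster; pipefail by itself only sets a pipeline's exit status, which this script does not inspect. If a particular command is known to return non-zero harmlessly, guard that one command with `|| true` and keep `set -eo pipefail`. The deploy script receives the same `-o`-only form earlier in this commit.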