CI: Add image scan

This commit is contained in:
Björn Busse 2024-01-10 23:36:10 +01:00
parent c9e62c83d3
commit 8b67c1dfbc
7 changed files with 84 additions and 15 deletions


@ -15,11 +15,19 @@ on:
jobs: jobs:
setup-cluster: setup-cluster:
name: minikube
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: start minikube - name: Checkout code
uses: actions/checkout@v3
- name: Start minikube
id: minikube id: minikube
uses: medyagh/setup-minikube@latest uses: medyagh/setup-minikube@latest
- name: kubectl - name: kubectl
run: kubectl get pods -A run: kubectl get pods -A -o wide
- name: Setup cluster
run: |
./run.sh
- name: kubectl
run: |
kubectl get pods -A -o wide && \
kubectl get helmrelease -A
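Review bot: The new `Setup cluster` step passes or fails only on the final exit status of `./run.sh`, and a script header elsewhere in this commit is relaxed from `set -eo pipefail` to `set -o pipefail` (last hunk on the page), so a `flux create` or `helm install` failing partway through that script would likely still leave this job green and the following `kubectl get helmrelease -A` step would just print a half-deployed cluster. If that script is `run.sh`, either keep errexit there or make this step verify the outcome itself, e.g. `run: ./run.sh && kubectl wait --for=condition=Ready helmrelease --all -A --timeout=300s`.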


@ -0,0 +1,21 @@
name: Scan
on:
push:
branches:
- '**'
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/bbusse/gtfso-import'
format: 'sarif'
output: 'trivy-results.sarif'
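Review bot: The SARIF file the Trivy step writes (`output: 'trivy-results.sarif'`) is never consumed: no step uploads it and the action is left at its default non-failing exit code, so the workflow surfaces no finding on any branch. The scanner is also pulled from `aquasecurity/trivy-action@master`, a moving branch, so the code running with the job's token can change without a commit here; pin it to a release tag or commit SHA. `image-ref` carries no tag, so the scan presumably targets whatever `:latest` is in the registry rather than the image built from the pushed ref — confirm that is intended. The change below pins the action, grants the `security-events: write` permission the upload needs, and sends the results to code scanning.
```yaml
  build:
    name: Build
    runs-on: ubuntu-20.04
    permissions:
      contents: read
      security-events: write
    steps:
      # … unchanged: checkout step …
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>  # pinned, not @master
        # … unchanged: with: image-ref / format / output …
      - name: Upload Trivy results to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```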

.gitignore vendored

@ -1,3 +1,4 @@
bin/*
flux_2.2.1_linux_amd64.tar.gz flux_2.2.1_linux_amd64.tar.gz
flux flux
helm helm


@ -9,6 +9,8 @@ and the HA API deployment with the /success endpoint and a ReplicaSet of 2.
- Database: PostgresqlHA - Database: PostgresqlHA
- Import: gtfso-import - Import: gtfso-import
- API: gtfso-vbb - API: gtfso-vbb
Monitoring: kube-prometheus-stack
Vulnerability Scanning: Trivy
## Clone repository ## Clone repository
``` ```
@ -48,10 +50,11 @@ $ minikube stop
``` ```
## TODOs / Notes ## TODOs / Notes
Make gtfso a native Prometheus exporter gtfso-import needs the database secret for import
Vulnerability Scanning Vulnerability scanning in github action with https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
Add monitoring target to kube-prometheus-stack
Define strategy for version updates Define strategy for version updates
Use SOPS for secret management Consider SOPS for secret management
Terraform has minikube and flux providers Terraform has minikube and flux providers
## Resources ## Resources
@ -61,3 +64,4 @@ Terraform has minikube and flux providers
[Terraform Flux Provider](https://github.com/fluxcd/terraform-provider-flux) [Terraform Flux Provider](https://github.com/fluxcd/terraform-provider-flux)
[Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/) [Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)
[bitnami PostgreSQL HA Helm](https://bitnami.com/stack/postgresql-ha/helm) [bitnami PostgreSQL HA Helm](https://bitnami.com/stack/postgresql-ha/helm)
[Trivy](https://github.com/aquasecurity/trivy)


@ -39,11 +39,11 @@ spec:
protocol: TCP protocol: TCP
livenessProbe: livenessProbe:
httpGet: httpGet:
path: / path: /healthz
port: http port: http
readinessProbe: readinessProbe:
httpGet: httpGet:
path: / path: /healthy
port: http port: http
resources: resources:
{{- toYaml .Values.resources | nindent 12 }} {{- toYaml .Values.resources | nindent 12 }}
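Review bot: The two new probe paths differ by one letter — liveness `path: /healthz`, readiness `path: /healthy` — which reads like a typo rather than two distinct endpoints; if the application serves only `/healthz`, the readiness probe never succeeds and the pod never receives traffic, while a liveness-only mismatch would restart it in a loop. Unless the API really exposes both handlers, use the same path on both probes, e.g. `path: /healthz` under `readinessProbe`, and add a comment naming the handler that serves it.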

deploy

@ -3,6 +3,8 @@
# Deploy app to k8s using fluxcd # Deploy app to k8s using fluxcd
# #
set -o pipefail
DEPLOY_MODE="flux" DEPLOY_MODE="flux"
readonly DEPLOY_MODE readonly DEPLOY_MODE
APP_NAMESPACE="app" APP_NAMESPACE="app"
@ -17,7 +19,8 @@ GTFSO_IMPORT_CHART_VERSION="0.1.0"
readonly GTFSO_IMPORT_CHART_VERSION readonly GTFSO_IMPORT_CHART_VERSION
GTFSO_VBB_CHART_VERSION="0.1.0" GTFSO_VBB_CHART_VERSION="0.1.0"
readonly GTFSO_VBB_CHART_VERSION readonly GTFSO_VBB_CHART_VERSION
PROM_STACK_CHART_VERSION="55.7.0"
readonly PROM_STACK_CHART_VERSION
# Create namespaces # Create namespaces
kubectl create namespace "${APP_NAMESPACE}" kubectl create namespace "${APP_NAMESPACE}"
@ -27,14 +30,42 @@ kubectl create namespace "${MONITORING_NAMESPACE}"
if [ "flux" == $DEPLOY_MODE ]; then if [ "flux" == $DEPLOY_MODE ]; then
# Add Helm Charts via Flux HelmRelease CRD # Add Helm Charts via Flux HelmRelease CRD
printf "Using flux to create HelmRelease\n" printf "Using flux to create HelmRelease\n"
# App
# Add a git repository as source for Helm Charts
./flux create source git e2m \
--url=https://git.e2m.io/mue/obch \
--branch dev \
--namespace "${APP_NAMESPACE}"
# Add a Helm OCI repository as source for Helm Charts
./flux create source helm bitnami \
--url=oci://registry-1.docker.io/bitnamicharts \
--namespace "${APP_NAMESPACE}"
./flux create helmrelease pgsql-ha \ ./flux create helmrelease pgsql-ha \
--chart postgresql-ha \ --chart postgresql-ha \
--chart-version "${PGSQLHA_CHART_VERSION}" \ --chart-version "${PGSQLHA_CHART_VERSION}" \
--source HelmRepository/bitnamicharts \ --source HelmRepository/bitnami \
--namespace "${APP_NAMESPACE}" --namespace "${APP_NAMESPACE}"
./flux create helmrelease gtfso-import \
--chart charts/gtfso-import \
--namespace ${APP_NAMESPACE} \
--source GitRepository/e2m
./flux create helmrelease gtfso-vbb \
--chart charts/gtfso-vbb \
--namespace ${APP_NAMESPACE} \
--source GitRepository/e2m
# Monitoring
./flux create source helm prometheus-community \
--url=https://prometheus-community.github.io/helm-charts \
--namespace "${MONITORING_NAMESPACE}"
./flux create helmrelease prometheus \
--chart kube-prometheus-stack \
--chart-version "${PROM_STACK_CHART_VERSION}" \
--namespace "${MONITORING_NAMESPACE}" \
--source=HelmRepository/prometheus-community
elif [ "helm" == $DEPLOY_MODE ]; then elif [ "helm" == $DEPLOY_MODE ]; then
# Add Helm Charts via Helm # Add Helm Charts via Helm
printf "Using Helm to install Chart\n" printf "Using Helm to install Charts\n"
# App
helm install pgsql-ha "${PGSQLHA_OCI_URL}" \ helm install pgsql-ha "${PGSQLHA_OCI_URL}" \
--version "${PGSQLHA_CHART_VERSION}" \ --version "${PGSQLHA_CHART_VERSION}" \
--namespace "${APP_NAMESPACE}" --namespace "${APP_NAMESPACE}"
@ -44,4 +75,8 @@ elif [ "helm" == $DEPLOY_MODE ]; then
helm install gtfso-vbb charts/gtfso-vbb \ helm install gtfso-vbb charts/gtfso-vbb \
--version "${GTFSO_VBB_CHART_VERSION}" \ --version "${GTFSO_VBB_CHART_VERSION}" \
--namespace "${APP_NAMESPACE}" --namespace "${APP_NAMESPACE}"
# Monitoring
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install prometheus prometheus-community/kube-prometheus-stack
fi fi
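Review bot: The Helm branch's new `helm install prometheus prometheus-community/kube-prometheus-stack` ignores both the `PROM_STACK_CHART_VERSION` this commit defines and `MONITORING_NAMESPACE`, so unlike the Flux branch it installs whatever chart version is current into the default namespace, leaving the `kubectl create namespace "${MONITORING_NAMESPACE}"` above unused on that path. Suggested: `helm install prometheus prometheus-community/kube-prometheus-stack --version "${PROM_STACK_CHART_VERSION}" --namespace "${MONITORING_NAMESPACE}"`. In the Flux hunk, the two new gtfso helmreleases pass `--namespace ${APP_NAMESPACE}` unquoted while every neighbouring call quotes it, and their charts come from the mutable `dev` branch of the git source with no `--chart-version`, so what gets deployed is not pinned the way the Helm branch's `--version "${GTFSO_*_CHART_VERSION}"` is — worth a comment if that is deliberate.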


@ -4,7 +4,7 @@
# with k8s dashboard and flux # with k8s dashboard and flux
# #
set -eo pipefail set -o pipefail
PRJ="obch" PRJ="obch"
readonly PRJ readonly PRJ
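Review bot: Dropping `-e` from `set -eo pipefail` means a failing command no longer aborts the script, and `pipefail` on its own only changes a pipeline's exit status that nothing then checks, so an error early in the script is silently skipped over by the steps that follow. If the intent is to tolerate specific commands that may legitimately fail (for example creating a namespace that already exists), keep `set -eo pipefail` and append `|| true` to just those commands, or at least state the reason in place, e.g. `set -o pipefail  # no -e: <reason>`. The rest of the script is outside the hunk.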