CI: Add image scan
parent
c9e62c83d3
commit
8b67c1dfbc
14
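--- a/.github/workflows/setup-cluster.yml
+++ b/.github/workflows/setup-cluster.yml
@@ -15,11 +15,19 @@ on:
 
 jobs:
 setup-cluster:
-name: minikube
 runs-on: ubuntu-latest
 steps:
-- name: start minikube
+- name: Checkout code
+uses: actions/checkout@v3
+- name: Start minikube
 id: minikube
 uses: medyagh/setup-minikube@latest
 - name: kubectl
-run: kubectl get pods -A
+run: kubectl get pods -A -o wide
+- name: Setup cluster
+run: |
+./run.sh
+- name: kubectl
+run: |
+kubectl get pods -A -o wide && \
+kubectl get helmrelease -A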
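Review bot: The new final step (`run: |` with `kubectl get pods -A -o wide && \` and `kubectl get helmrelease -A`) only lists resources, so the job stays green even when a HelmRelease never reconciles or a pod never becomes ready; the `./run.sh` step before it has no readiness check either. A gate such as `kubectl wait --for=condition=Ready helmrelease --all -A --timeout=300s` after the listing would make the job fail on a broken deploy instead of on a later manual read of the log. Two steps now share the name `- name: kubectl`; giving the second one a distinct name (`- name: Show cluster state`, say) keeps the run log readable. The `on:` block and the rest of the workflow are outside the hunk.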
21
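--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,21 @@
+name: Scan
+on:
+push:
+branches:
+- '**'
+pull_request:
+
+jobs:
+build:
+name: Build
+runs-on: ubuntu-20.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v3
+
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: 'ghcr.io/bbusse/gtfso-import'
+format: 'sarif'
+output: 'trivy-results.sarif'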
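Review bot: The Trivy step writes `output: 'trivy-results.sarif'` but no later step uploads it, so the findings never reach the code-scanning view the README now points at, and nothing gates on them: the job succeeds regardless of what the scan found. An upload step plus a `permissions:` block granting `security-events: write` fixes the first half; if a failing job is the intended gate instead, Trivy's `exit-code` and `severity` inputs do that. `uses: aquasecurity/trivy-action@master` tracks a moving branch, so the scanner version that runs is whatever master holds on that day; pin it to a release tag or commit SHA, and the same applies to `medyagh/setup-minikube@latest` in setup-cluster.yml. Note also that `image-ref` names the registry image rather than an image built from this checkout, so the scan does not reflect the pull request being tested.
```yaml
name: Scan
# … unchanged: on: trigger …
permissions:
  contents: read
  security-events: write

jobs:
  build:
    # … unchanged: name, runs-on, checkout step …
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>  # placeholder: pin instead of @master
        # … unchanged: with: image-ref, format, output …

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```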
1
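--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+bin/*
 flux_2.2.1_linux_amd64.tar.gz
 flux
 helm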
10
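--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ and the HA API deployment with the /success endpoint and a ReplicaSet of 2.
 - Database: PostgresqlHA
 - Import: gtfso-import
 - API: gtfso-vbb
+Monitoring: kube-prometheus-stack
+Vulnerability Scanning: Trivy
 
 ## Clone repository
 ```
@@ -48,10 +50,11 @@ $ minikube stop
 ```
 
 ## TODOs / Notes
-Make gtfso a native Prometheus exporter
-Vulnerability Scanning
+gtfso-import needs the database secret for import
+Vulnerability scanning in github action with https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
+Add monitoring target to kube-prometheus-stack
 Define strategy for version updates
-Use SOPS for secret management
+Consider SOPS for secret management
 Terraform has minikube and flux providers
 
 ## Resources
@@ -61,3 +64,4 @@ Terraform has minikube and flux providers
 [Terraform Flux Provider](https://github.com/fluxcd/terraform-provider-flux)
 [Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)
 [bitnami PostgreSQL HA Helm](https://bitnami.com/stack/postgresql-ha/helm)
+[Trivy](https://github.com/aquasecurity/trivy)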
@ -39,11 +39,11 @@ spec:
|
|||||||
protocol: TCP
|
protocol: TCP
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /
|
path: /healthz
|
||||||
port: http
|
port: http
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /
|
path: /healthy
|
||||||
port: http
|
port: http
|
||||||
resources:
|
resources:
|
||||||
{{- toYaml .Values.resources | nindent 12 }}
|
{{- toYaml .Values.resources | nindent 12 }}
|
||||||
|
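Review bot: The readiness probe now points at `path: /healthy` while the liveness probe a few lines above uses `path: /healthz`; unless the application really serves both, the readiness probe fails quietly and the pod never joins the Service endpoints, which is harder to notice than a crash-looping liveness failure. If both are meant to hit the same endpoint, use `path: /healthz` on both; if they are deliberately different, a one-line comment on the readiness stanza saying so would stop the next reader from "fixing" it. Which endpoints the image exposes is not visible here, and the enclosing container spec starts before the hunk.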
41
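--- a/deploy
+++ b/deploy
@@ -3,6 +3,8 @@
 # Deploy app to k8s using fluxcd
 #
 
+set -o pipefail
+
 DEPLOY_MODE="flux"
 readonly DEPLOY_MODE
 APP_NAMESPACE="app"
@@ -17,7 +19,8 @@ GTFSO_IMPORT_CHART_VERSION="0.1.0"
 readonly GTFSO_IMPORT_CHART_VERSION
 GTFSO_VBB_CHART_VERSION="0.1.0"
 readonly GTFSO_VBB_CHART_VERSION
-
+PROM_STACK_CHART_VERSION="55.7.0"
+readonly PROM_STACK_CHART_VERSION
 
 # Create namespaces
 kubectl create namespace "${APP_NAMESPACE}"
@@ -27,14 +30,42 @@ kubectl create namespace "${MONITORING_NAMESPACE}"
 if [ "flux" == $DEPLOY_MODE ]; then
 # Add Helm Charts via Flux HelmRelease CRD
 printf "Using flux to create HelmRelease\n"
+# App
+# Add a git repository as source for Helm Charts
+./flux create source git e2m \
+--url=https://git.e2m.io/mue/obch \
+--branch dev \
+--namespace "${APP_NAMESPACE}"
+# Add a Helm OCI repository as source for Helm Charts
+./flux create source helm bitnami \
+--url=oci://registry-1.docker.io/bitnamicharts \
+--namespace "${APP_NAMESPACE}"
 ./flux create helmrelease pgsql-ha \
 --chart postgresql-ha \
 --chart-version "${PGSQLHA_CHART_VERSION}" \
---source HelmRepository/bitnamicharts \
+--source HelmRepository/bitnami \
 --namespace "${APP_NAMESPACE}"
+./flux create helmrelease gtfso-import \
+--chart charts/gtfso-import \
+--namespace ${APP_NAMESPACE} \
+--source GitRepository/e2m
+./flux create helmrelease gtfso-vbb \
+--chart charts/gtfso-vbb \
+--namespace ${APP_NAMESPACE} \
+--source GitRepository/e2m
+# Monitoring
+./flux create source helm prometheus-community \
+--url=https://prometheus-community.github.io/helm-charts \
+--namespace "${MONITORING_NAMESPACE}"
+./flux create helmrelease prometheus \
+--chart kube-prometheus-stack \
+--chart-version "${PROM_STACK_CHART_VERSION}" \
+--namespace "${MONITORING_NAMESPACE}" \
+--source=HelmRepository/prometheus-community
 elif [ "helm" == $DEPLOY_MODE ]; then
 # Add Helm Charts via Helm
-printf "Using Helm to install Chart\n"
+printf "Using Helm to install Charts\n"
+# App
 helm install pgsql-ha "${PGSQLHA_OCI_URL}" \
 --version "${PGSQLHA_CHART_VERSION}" \
 --namespace "${APP_NAMESPACE}"
@@ -44,4 +75,8 @@ elif [ "helm" == $DEPLOY_MODE ]; then
 helm install gtfso-vbb charts/gtfso-vbb \
 --version "${GTFSO_VBB_CHART_VERSION}" \
 --namespace "${APP_NAMESPACE}"
+# Monitoring
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+helm install prometheus prometheus-community/kube-prometheus-stack
 fi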
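Review bot: In the helm branch the new `helm install prometheus prometheus-community/kube-prometheus-stack` pins neither the chart version nor the namespace, although the flux branch above passes `--chart-version "${PROM_STACK_CHART_VERSION}"` and `--namespace "${MONITORING_NAMESPACE}"`, so the two deploy modes no longer install the same thing and the helm one floats with whatever the repository serves that day; `helm install prometheus prometheus-community/kube-prometheus-stack --version "${PROM_STACK_CHART_VERSION}" --namespace "${MONITORING_NAMESPACE}"` keeps them aligned. The flux git source is created with `--branch dev`, so the gtfso-import and gtfso-vbb releases follow the head of a mutable branch on an external host; pinning to a tag (or a commit) gives a reproducible deploy. `--namespace ${APP_NAMESPACE} \` on those two releases is the only unquoted expansion in the script and differs from every other namespace argument. The `set -o pipefail` added in the first hunk does not enable errexit, so a failed `flux create` or `helm install` lets the script run on; `set -eo pipefail` would stop at the first failure.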
@ -4,7 +4,7 @@
|
|||||||
# with k8s dashboard and flux
|
# with k8s dashboard and flux
|
||||||
#
|
#
|
||||||
|
|
||||||
set -eo pipefail
|
set -o pipefail
|
||||||
|
|
||||||
PRJ="obch"
|
PRJ="obch"
|
||||||
readonly PRJ
|
readonly PRJ
|
||||||
|
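Review bot: Dropping `-e` from `set -eo pipefail` means a failing command in this script no longer aborts it, so later steps can run against a cluster that was never set up, and nothing in the hunk says why errexit became unwanted. If one particular command is expected to fail, guard that command alone (`cmd || true`) and keep `set -eo pipefail`. The commands affected are outside the hunk, as is the file header, so this is inferred from the flag change only.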