CI: Add image scan

.github/workflows/setup-cluster.yml

@@ -15,11 +15,19 @@ on:
 
 jobs:
   setup-cluster:
-    name: minikube
     runs-on: ubuntu-latest
     steps:
-      - name: start minikube
+    - name: Checkout code
+      uses: actions/checkout@v3
+    - name: Start minikube
       id: minikube
       uses: medyagh/setup-minikube@latest
     - name: kubectl
-        run: kubectl get pods -A
+      run: kubectl get pods -A -o wide
+    - name: Setup cluster
+      run: |
+        ./run.sh
+    - name: kubectl
+      run: |
+        kubectl get pods -A -o wide && \
+        kubectl get helmrelease -A

.github/workflows/vulnerability-scan.yml

@@ -0,0 +1,21 @@
+name: Scan
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ghcr.io/bbusse/gtfso-import'
+          format: 'sarif'
+          output: 'trivy-results.sarif'

.gitignore

@@ -1,3 +1,4 @@
+bin/*
 flux_2.2.1_linux_amd64.tar.gz
 flux
 helm

README.md

@@ -9,6 +9,8 @@ and the HA API deployment with the /success endpoint and a ReplicaSet of 2.
 - Database: PostgresqlHA  
 - Import: gtfso-import  
 - API: gtfso-vbb  
+  Monitoring: kube-prometheus-stack
+  Vulnerability Scanning: Trivy
 
 ## Clone repository
 ```
@@ -48,10 +50,11 @@ $ minikube stop
 ```
 
 ## TODOs / Notes
-Make gtfso a native Prometheus exporter  
+gtfso-import needs the database secret for import  
-Vulnerability Scanning  
+Vulnerability scanning in github action with https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning   
+Add monitoring target to kube-prometheus-stack  
 Define strategy for version updates  
-Use SOPS for secret management  
+Consider SOPS for secret management  
 Terraform has minikube and flux providers  
 
 ## Resources
@@ -61,3 +64,4 @@ Terraform has minikube and flux providers
 [Terraform Flux Provider](https://github.com/fluxcd/terraform-provider-flux)  
 [Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  
 [bitnami PostgreSQL HA Helm](https://bitnami.com/stack/postgresql-ha/helm)  
+[Trivy](https://github.com/aquasecurity/trivy)

charts/gtfso-vbb/templates/deployment.yaml

@@ -39,11 +39,11 @@ spec:
               protocol: TCP
           livenessProbe:
             httpGet:
-              path: /
+              path: /healthz
               port: http
           readinessProbe:
             httpGet:
-              path: /
+              path: /healthy
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

deploy

@@ -3,6 +3,8 @@
 # Deploy app to k8s using fluxcd
 #
 
+set -o pipefail
+
 DEPLOY_MODE="flux"
 readonly DEPLOY_MODE
 APP_NAMESPACE="app"
@@ -17,7 +19,8 @@ GTFSO_IMPORT_CHART_VERSION="0.1.0"
 readonly GTFSO_IMPORT_CHART_VERSION
 GTFSO_VBB_CHART_VERSION="0.1.0"
 readonly GTFSO_VBB_CHART_VERSION
-
+PROM_STACK_CHART_VERSION="55.7.0"
+readonly PROM_STACK_CHART_VERSION
 
 # Create namespaces
 kubectl create namespace "${APP_NAMESPACE}"
@@ -27,14 +30,42 @@ kubectl create namespace "${MONITORING_NAMESPACE}"
 if [ "flux" == $DEPLOY_MODE ]; then
     # Add Helm Charts via Flux HelmRelease CRD
     printf "Using flux to create HelmRelease\n"
+    # App
+    # Add a git repository as source for Helm Charts
+    ./flux create source git e2m \
+        --url=https://git.e2m.io/mue/obch \
+        --branch dev \
+        --namespace "${APP_NAMESPACE}"
+    # Add a Helm OCI repository as source for Helm Charts
+    ./flux create source helm bitnami \
+       --url=oci://registry-1.docker.io/bitnamicharts \
+       --namespace "${APP_NAMESPACE}"
     ./flux create helmrelease pgsql-ha \
         --chart postgresql-ha \
         --chart-version "${PGSQLHA_CHART_VERSION}" \
-        --source HelmRepository/bitnamicharts \
+        --source HelmRepository/bitnami \
         --namespace "${APP_NAMESPACE}"
+    ./flux create helmrelease gtfso-import \
+        --chart charts/gtfso-import \
+        --namespace ${APP_NAMESPACE} \
+        --source GitRepository/e2m
+    ./flux create helmrelease gtfso-vbb \
+        --chart charts/gtfso-vbb \
+        --namespace ${APP_NAMESPACE} \
+        --source GitRepository/e2m
+    # Monitoring
+    ./flux create source helm prometheus-community \
+        --url=https://prometheus-community.github.io/helm-charts \
+        --namespace "${MONITORING_NAMESPACE}"
+    ./flux create helmrelease prometheus \
+        --chart kube-prometheus-stack \
+        --chart-version "${PROM_STACK_CHART_VERSION}" \
+        --namespace "${MONITORING_NAMESPACE}" \
+        --source=HelmRepository/prometheus-community
 elif [ "helm" == $DEPLOY_MODE ]; then
     # Add Helm Charts via Helm
-    printf "Using Helm to install Chart\n"
+    printf "Using Helm to install Charts\n"
+    # App
     helm install pgsql-ha "${PGSQLHA_OCI_URL}" \
         --version "${PGSQLHA_CHART_VERSION}" \
         --namespace "${APP_NAMESPACE}"
@@ -44,4 +75,8 @@ elif [ "helm" == $DEPLOY_MODE ]; then
     helm install gtfso-vbb charts/gtfso-vbb \
         --version "${GTFSO_VBB_CHART_VERSION}" \
         --namespace "${APP_NAMESPACE}"
+    # Monitoring
+    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+    helm repo update
+    helm install prometheus prometheus-community/kube-prometheus-stack
 fi

setup-cluster

@@ -4,7 +4,7 @@
 # with k8s dashboard and flux
 #
 
-set -eo pipefail
+set -o pipefail
 
 PRJ="obch"
 readonly PRJ