CI: Add image scan
This commit is contained in:
parent
c9e62c83d3
commit
8b67c1dfbc
14
.github/workflows/setup-cluster.yml
vendored
14
.github/workflows/setup-cluster.yml
vendored
@ -15,11 +15,19 @@ on:
|
||||
|
||||
jobs:
|
||||
setup-cluster:
|
||||
name: minikube
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: start minikube
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
- name: Start minikube
|
||||
id: minikube
|
||||
uses: medyagh/setup-minikube@latest
|
||||
- name: kubectl
|
||||
run: kubectl get pods -A
|
||||
run: kubectl get pods -A -o wide
|
||||
- name: Setup cluster
|
||||
run: |
|
||||
./run.sh
|
||||
- name: kubectl
|
||||
run: |
|
||||
kubectl get pods -A -o wide && \
|
||||
kubectl get helmrelease -A
|
||||
|
21
.github/workflows/vulnerability-scan.yml
vendored
Normal file
21
.github/workflows/vulnerability-scan.yml
vendored
Normal file
@ -0,0 +1,21 @@
|
||||
name: Scan
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- '**'
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'ghcr.io/bbusse/gtfso-import'
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
bin/*
|
||||
flux_2.2.1_linux_amd64.tar.gz
|
||||
flux
|
||||
helm
|
||||
|
10
README.md
10
README.md
@ -9,6 +9,8 @@ and the HA API deployment with the /success endpoint and a ReplicaSet of 2.
|
||||
- Database: PostgresqlHA
|
||||
- Import: gtfso-import
|
||||
- API: gtfso-vbb
|
||||
Monitoring: kube-prometheus-stack
|
||||
Vulnerability Scanning: Trivy
|
||||
|
||||
## Clone repository
|
||||
```
|
||||
@ -48,10 +50,11 @@ $ minikube stop
|
||||
```
|
||||
|
||||
## TODOs / Notes
|
||||
Make gtfso a native Prometheus exporter
|
||||
Vulnerability Scanning
|
||||
gtfso-import needs the database secret for import
|
||||
Vulnerability scanning in github action with https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
|
||||
Add monitoring target to kube-prometheus-stack
|
||||
Define strategy for version updates
|
||||
Use SOPS for secret management
|
||||
Consider SOPS for secret management
|
||||
Terraform has minikube and flux providers
|
||||
|
||||
## Resources
|
||||
@ -61,3 +64,4 @@ Terraform has minikube and flux providers
|
||||
[Terraform Flux Provider](https://github.com/fluxcd/terraform-provider-flux)
|
||||
[Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)
|
||||
[bitnami PostgreSQL HA Helm](https://bitnami.com/stack/postgresql-ha/helm)
|
||||
[Trivy](https://github.com/aquasecurity/trivy)
|
||||
|
@ -39,11 +39,11 @@ spec:
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
path: /healthz
|
||||
port: http
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
path: /healthy
|
||||
port: http
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
|
41
deploy
41
deploy
@ -3,6 +3,8 @@
|
||||
# Deploy app to k8s using fluxcd
|
||||
#
|
||||
|
||||
set -o pipefail
|
||||
|
||||
DEPLOY_MODE="flux"
|
||||
readonly DEPLOY_MODE
|
||||
APP_NAMESPACE="app"
|
||||
@ -17,7 +19,8 @@ GTFSO_IMPORT_CHART_VERSION="0.1.0"
|
||||
readonly GTFSO_IMPORT_CHART_VERSION
|
||||
GTFSO_VBB_CHART_VERSION="0.1.0"
|
||||
readonly GTFSO_VBB_CHART_VERSION
|
||||
|
||||
PROM_STACK_CHART_VERSION="55.7.0"
|
||||
readonly PROM_STACK_CHART_VERSION
|
||||
|
||||
# Create namespaces
|
||||
kubectl create namespace "${APP_NAMESPACE}"
|
||||
@ -27,14 +30,42 @@ kubectl create namespace "${MONITORING_NAMESPACE}"
|
||||
if [ "flux" == $DEPLOY_MODE ]; then
|
||||
# Add Helm Charts via Flux HelmRelease CRD
|
||||
printf "Using flux to create HelmRelease\n"
|
||||
# App
|
||||
# Add a git repository as source for Helm Charts
|
||||
./flux create source git e2m \
|
||||
--url=https://git.e2m.io/mue/obch \
|
||||
--branch dev \
|
||||
--namespace "${APP_NAMESPACE}"
|
||||
# Add a Helm OCI repository as source for Helm Charts
|
||||
./flux create source helm bitnami \
|
||||
--url=oci://registry-1.docker.io/bitnamicharts \
|
||||
--namespace "${APP_NAMESPACE}"
|
||||
./flux create helmrelease pgsql-ha \
|
||||
--chart postgresql-ha \
|
||||
--chart-version "${PGSQLHA_CHART_VERSION}" \
|
||||
--source HelmRepository/bitnamicharts \
|
||||
--source HelmRepository/bitnami \
|
||||
--namespace "${APP_NAMESPACE}"
|
||||
./flux create helmrelease gtfso-import \
|
||||
--chart charts/gtfso-import \
|
||||
--namespace ${APP_NAMESPACE} \
|
||||
--source GitRepository/e2m
|
||||
./flux create helmrelease gtfso-vbb \
|
||||
--chart charts/gtfso-vbb \
|
||||
--namespace ${APP_NAMESPACE} \
|
||||
--source GitRepository/e2m
|
||||
# Monitoring
|
||||
./flux create source helm prometheus-community \
|
||||
--url=https://prometheus-community.github.io/helm-charts \
|
||||
--namespace "${MONITORING_NAMESPACE}"
|
||||
./flux create helmrelease prometheus \
|
||||
--chart kube-prometheus-stack \
|
||||
--chart-version "${PROM_STACK_CHART_VERSION}" \
|
||||
--namespace "${MONITORING_NAMESPACE}" \
|
||||
--source=HelmRepository/prometheus-community
|
||||
elif [ "helm" == $DEPLOY_MODE ]; then
|
||||
# Add Helm Charts via Helm
|
||||
printf "Using Helm to install Chart\n"
|
||||
printf "Using Helm to install Charts\n"
|
||||
# App
|
||||
helm install pgsql-ha "${PGSQLHA_OCI_URL}" \
|
||||
--version "${PGSQLHA_CHART_VERSION}" \
|
||||
--namespace "${APP_NAMESPACE}"
|
||||
@ -44,4 +75,8 @@ elif [ "helm" == $DEPLOY_MODE ]; then
|
||||
helm install gtfso-vbb charts/gtfso-vbb \
|
||||
--version "${GTFSO_VBB_CHART_VERSION}" \
|
||||
--namespace "${APP_NAMESPACE}"
|
||||
# Monitoring
|
||||
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
|
||||
helm repo update
|
||||
helm install prometheus prometheus-community/kube-prometheus-stack
|
||||
fi
|
||||
|
@ -4,7 +4,7 @@
|
||||
# with k8s dashboard and flux
|
||||
#
|
||||
|
||||
set -eo pipefail
|
||||
set -o pipefail
|
||||
|
||||
PRJ="obch"
|
||||
readonly PRJ
|
||||
|
Loading…
Reference in New Issue
Block a user