Move out sqs web server out of chain repo #36
name: "CI/CD:BUILD:AND:DEPLOY" | |
on: | |
push: | |
branches: [ "main", "v*.*.*" ] | |
pull_request: | |
branches: [ "main", "v*.*.*" ] | |
jobs: | |
# This job deploys to prod. | |
# This job will do the following and deploy to job on the production trigger. | |
# This builds the docker image | |
# This then scans the docker image if you pass [docker scan] | |
# This will then template the kubernetes manifest with the environment variables set in the pipeline. | |
# After templating the manifest it will deploy it into Kubernetes. | |
# The pipeline will wait for the deployment to start and report that its ready 1/1 | |
# The rolling update strategy will ensure the pod passes its health check ensuring you didn't deploy bad code and there is no outage. | |
# The manifest deploys both the redis deployment and the sqs container as two separate deployments. | |
# Then it uses ZAProxy to do an OWASP Top 10 scan passive and active attack against the end point if you pass [zap scan] | |
build_prod: | |
if: github.ref == 'refs/heads/main' | |
env: | |
docker_org: "osmolabs" | |
docker_server_url: "https://index.docker.io/v1/" | |
docker_repo: "sqs" | |
app_name: "sqs" | |
kubernetes_namespace: "sqs" | |
redis_docker_image: "bitnami/redis:latest" | |
redis_port: "6379" | |
redis_user: "default" | |
redis_name: "article" | |
# initial delay is how long the health check waits before checking its active for reds. | |
redis_initial_delay_seconds: "10" | |
# period is how often the health check runs for redis. | |
redis_period_seconds: "10" | |
# specifies the number of redis pods to run for redis. | |
replicas: "1" | |
# min ready seaconds is the minimum time before the pod can report ready. | |
min_ready_seconds: "30" | |
# max unavailable is the number of unavailble pods during a rolling update. You set this to 0 so it leaves current one running. | |
max_unavailable: "0" | |
# max surge is the number of pods the manifest can search to perform a rollin gupdate. | |
max_surge: "2" | |
image_pull_secret: "sqs" | |
container_port: "9092" | |
service_port: "80" | |
# the initial delay of the health check for the sqs pod. | |
initial_delay_seconds: "30" | |
# how often the health check goes off for the sqs deployment. | |
period_seconds: "10" | |
#this sets debug for the container which makes it wait to start. | |
debug: "false" | |
chain_id: "osmosis-1" | |
node_rpc: "https://rpc.osmosis.zone:443" | |
node_grpc: "grpc.osmosis.zone:9090" | |
domain_name: "sqs.osmosis.zone" | |
path: "/" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
# We use this to set the environment variables for the job that we cant set at the job level. | |
- name: "SET:ENV:VARS" | |
run: | | |
echo "docker_tag=${GITHUB_SHA::7}" >> ${GITHUB_ENV} | |
echo "redis_password=${{ secrets.PROD_SQS_REDIS_PASSWORD }}" >> ${GITHUB_ENV} | |
echo "${{ secrets.PROD_KUBECONFIG }}" > temp_config.yaml | |
echo "KUBECONFIG=$(pwd)/temp_config.yaml" >> ${GITHUB_ENV} | |
# This step checks to see if the docker tag you are pushing exists. | |
# If the docker image doesn't exist it will build and push it. | |
- name: "DOCKER:BUILD:CHECK:PUSH" | |
uses: iDevOps-io/idevops-git-actions/docker_build_check_tag_and_push@main | |
with: | |
docker_username: "${{ secrets.DOCKER_USERNAME }}" | |
docker_password: "${{ secrets.DOCKER_PASSWORD }}" | |
docker_org: "${{ env.docker_org }}" | |
docker_image: "${{ env.docker_repo }}" | |
docker_tag: "${{ env.docker_tag }}" | |
docker_file_location: "./" | |
# This is the docker image scan it will use anchore grype scanning | |
# This will scan the docker image for vulnerbilities if [docker scan] is in the comment. | |
# It will print a report in the pipeline. | |
- name: "DOCKER:IMAGE:SCAN:ANCHORE" | |
if: contains(github.event.head_commit.message, '[docker scan]') | |
uses: iDevOps-io/idevops-git-actions/execute_docker_scan_grype@main | |
with: | |
docker_image_name: "${{ env.docker_org }}/${{ env.docker_repo }}:${{ env.docker_tag }}" | |
# This steap creates the namespace if it doesn't exist and then re-creates the docker pull secret incase credentials have changed. | |
- name: "CREATE:DOCKER:SECRET:NAMESPACE" | |
run: | | |
echo "Create namespace if it doesn't exist." | |
kubectl create namespace ${kubernetes_namespace} || echo "Namespace Exists" | |
echo "Delete the image pull secret, and re-create to ensure it gets updated" | |
kubectl delete secret ${image_pull_secret} -n ${kubernetes_namespace} --ignore-not-found=true | |
kubectl create secret docker-registry ${image_pull_secret} \ | |
--docker-server="${docker_server_url}" \ | |
--docker-username="${{ secrets.DOCKER_USERNAME }}" \ | |
--docker-password="${{ secrets.DOCKER_PASSWORD }}" \ | |
--namespace ${kubernetes_namespace} | |
# This step template replaces variables in the file with -=VAR_NAME=- syntax with environment variables that match VAR_NAME | |
- name: "EXECUTE:TEMPLATE:REPLACEMENT:ON:FILE" | |
uses: iDevOps-io/idevops-git-actions/template_replace_file@main | |
with: | |
input_file: "manifests/deployment.yaml.template" | |
output_file: "manifests/deployment.yaml" | |
# This will apply the redis manifest and the sqs manifest after templating them. | |
- name: "APPLY:KUBECONFIG" | |
run: | | |
echo "Apply the manifest and deploy the application and redis updates to the cluster" | |
kubectl apply -f manifests/deployment.yaml -n ${kubernetes_namespace} | |
# This step waits for the new deployment to return 1/1 ready status meaning it succeded for both redis and sqs. | |
- name: "CHECK:DEPLOYMENT:STATUS" | |
run: | | |
echo "Check the rollout status of redis. This will force pipeline to wait until its serving" | |
kubectl rollout status deployment/${app_name}-redis -n ${kubernetes_namespace} | |
echo "Check the rollout status of the deployment to prevent pipeline from continuing until new release is rolled out." | |
kubectl rollout status deployment/${app_name} -n ${kubernetes_namespace} | |
# This step triggers when [zap scan] is added to the commit message. | |
# This will trigger an OWASP top 10 Passinve and Active attack against the endpoint using ZAProxy. | |
- name: "ZAProxy Scan Active/Passive OWASP TOP 10 Security" | |
if: contains(github.event.head_commit.message, '[zap scan]') | |
uses: iDevOps-io/idevops-git-actions/execute_zaproxy_owasp_security_can_on_endpoint@main | |
with: | |
web_url: "https://${{ env.domain_name }}" | |
# This job deploys to dev. | |
# This job will do the following and deploy to job on the production trigger. | |
# This builds the docker image | |
# This then scans the docker image if you pass [docker scan] | |
# This will then template the kubernetes manifest with the environment variables set in the pipeline. | |
# After templating the manifest it will deploy it into Kubernetes. | |
# The pipeline will wait for the deployment to start and report that its ready 1/1 | |
# The rolling update strategy will ensure the pod passes its health check ensuring you didn't deploy bad code and there is no outage. | |
# The manifest deploys both the redis deployment and the sqs container as two separate deployments. | |
# Then it uses ZAProxy to do an OWASP Top 10 scan passive and active attack against the end point if you pass [zap scan] | |
build_dev: | |
if: github.ref != 'refs/heads/main' | |
env: | |
docker_org: "osmolabs" | |
docker_repo: "sqs-dev" | |
app_name: "sqs" | |
kubernetes_namespace: "sqs" | |
redis_docker_image: "bitnami/redis:latest" | |
redis_port: "6379" | |
redis_user: "user" | |
redis_name: "article" | |
redis_initial_delay_seconds: "10" | |
redis_period_seconds: "10" | |
replicas: "1" | |
min_ready_seconds: "30" | |
max_unavailable: "0" | |
max_surge: "2" | |
image_pull_secret: "sqs" | |
container_port: "9092" | |
service_port: "80" | |
initial_delay_seconds: "30" | |
period_seconds: "10" | |
debug: "true" | |
chain_id: "osmosis-1" | |
node_rpc: "https://rpc.osmosis.zone:443" | |
node_grpc: "grpc.osmosis.zone:9090" | |
domain_name: "sqs.dev-osmosis.zone" | |
path: "/" | |
docker_server_url: "https://index.docker.io/v1/" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
# We use this to set the environment variables for the job that we cant set at the job level. | |
- name: "SET:SECRET:ENV:VARS" | |
run: | | |
echo "docker_tag=${GITHUB_SHA::7}" >> ${GITHUB_ENV} | |
echo "redis_password=${{ secrets.DEV_SQS_REDIS_PASSWORD }}" >> ${GITHUB_ENV} | |
echo "${{ secrets.DEV_KUBECONFIG }}" > temp_config.yaml | |
echo "KUBECONFIG=$(pwd)/temp_config.yaml" >> ${GITHUB_ENV} | |
# This builds and pushes docker image. | |
- name: "SET:SECRET:ENV:VARS" | |
run: | | |
docker build -t ${docker_org}/${docker_repo}:${docker_tag} . | |
docker login --username ${{ secrets.DOCKER_USERNAME }} --password ${{ secrets.DOCKER_PASSWORD }} | |
docker push ${docker_org}/${docker_repo}:${docker_tag} | |
# This step checks to see if the docker tag you are pushing exists. | |
# If the docker image doesn't exist it will build and push it. | |
- name: "DOCKER:BUILD:CHECK:PUSH" | |
uses: iDevOps-io/idevops-git-actions/docker_build_check_tag_and_push@main | |
with: | |
docker_username: "${{ secrets.DOCKER_USERNAME }}" | |
docker_password: "${{ secrets.DOCKER_PASSWORD }}" | |
docker_org: "${{ env.docker_org }}" | |
docker_image: "${{ env.docker_repo }}" | |
docker_tag: "${{ env.docker_tag }}" | |
docker_file_location: "./" | |
# This is the docker image scan it will use anchore grype scanning | |
# This will scan the docker image for vulnerbilities if [docker scan] is in the comment. | |
# It will print a report in the pipeline. | |
- name: "DOCKER:IMAGE:SCAN:ANCHORE" | |
if: contains(github.event.head_commit.message, '[docker scan]') | |
uses: iDevOps-io/idevops-git-actions/execute_docker_scan_grype@main | |
with: | |
docker_image_name: "${{ env.docker_org }}/${{ env.docker_repo }}:${{ env.docker_tag }}" | |
# This steap creates the namespace if it doesn't exist and then re-creates the docker pull secret incase credentials have changed. | |
- name: "CREATE:DOCKER:SECRET:NAMESPACE" | |
run: | | |
echo "Create namespace if it doesn't exist." | |
kubectl create namespace ${kubernetes_namespace} || echo "Namespace Exists" | |
echo "Delete the image pull secret, and re-create to ensure it gets updated" | |
kubectl delete secret ${image_pull_secret} -n ${kubernetes_namespace} --ignore-not-found=true | |
kubectl create secret docker-registry ${image_pull_secret} \ | |
--docker-server="${docker_server_url}" \ | |
--docker-username="${{ secrets.DOCKER_USERNAME }}" \ | |
--docker-password="${{ secrets.DOCKER_PASSWORD }}" \ | |
--namespace ${kubernetes_namespace} | |
# This step template replaces variables in the file with -=VAR_NAME=- syntax with environment variables that match VAR_NAME | |
- name: "EXECUTE:TEMPLATE:REPLACEMENT:ON:FILE" | |
uses: iDevOps-io/idevops-git-actions/template_replace_file@main | |
with: | |
input_file: "manifests/deployment.yaml.template" | |
output_file: "manifests/deployment.yaml" | |
# This will apply the redis manifest and the sqs manifest after templating them. | |
- name: "APPLY:KUBECONFIG" | |
run: | | |
echo "Apply the manifest and deploy the application and redis updates to the cluster" | |
kubectl apply -f manifests/deployment.yaml -n ${kubernetes_namespace} | |
# This step waits for the new deployment to return 1/1 ready status meaning it succeded for both redis and sqs. | |
- name: "CHECK:DEPLOYMENT:STATUS" | |
run: | | |
echo "Check the rollout status of redis. This will force pipeline to wait until its serving" | |
kubectl rollout status deployment/${app_name}-redis -n ${kubernetes_namespace} | |
echo "Check the rollout status of the deployment to prevent pipeline from continuing until new release is rolled out." | |
kubectl rollout status deployment/${app_name} -n ${kubernetes_namespace} | |
# This step triggers when [zap scan] is added to the commit message. | |
# This will trigger an OWASP top 10 Passinve and Active attack against the endpoint using ZAProxy. | |
- name: "ZAProxy Scan Active/Passive OWASP TOP 10 Security" | |
if: contains(github.event.head_commit.message, '[zap scan]') | |
uses: iDevOps-io/idevops-git-actions/execute_zaproxy_owasp_security_can_on_endpoint@main | |
with: | |
web_url: "https://${{ env.domain_name }}" |
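Review bot: Every third-party step in both jobs (`docker_build_check_tag_and_push`, `execute_docker_scan_grype`, `template_replace_file`, `execute_zaproxy_owasp_security_can_on_endpoint`) is pulled at the mutable `@main` ref while receiving `secrets.DOCKER_USERNAME`/`DOCKER_PASSWORD` as inputs and running after the redis password and KUBECONFIG have been exported to `GITHUB_ENV`, so any upstream change to that repository runs here with registry and cluster credentials; pin each to an immutable commit, e.g. `uses: iDevOps-io/idevops-git-actions/docker_build_check_tag_and_push@<full-commit-sha>` (placeholder, resolve against the upstream repo), and do the same for `actions/checkout`. In the dev job the manual login on the `docker login --username ... --password ${{ secrets.DOCKER_PASSWORD }}` line passes the password as a process argument; prefer `echo "${{ secrets.DOCKER_PASSWORD }}" | docker login --username "${{ secrets.DOCKER_USERNAME }}" --password-stdin`. That same dev step reuses the name `SET:SECRET:ENV:VARS` of the preceding step and builds and pushes the image by hand immediately before `DOCKER:BUILD:CHECK:PUSH` does the same check-and-push, so one of the two appears redundant — presumably the manual one was meant to be removed when the shared action was adopted. The workflow also declares no top-level `permissions:` block, so the job token keeps the repository default scope; `permissions: contents: read` would be the least-privilege setting for steps that only check out and deploy.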