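---
name: "CI/CD:BUILD:AND:DEPLOY"

# Triggers.
# NOTE(review): the `v*.*.*` entries are *branch* filters; a release tag such
# as v1.2.3 does not match them. If tag-driven releases were intended, add a
# `tags:` filter — confirm with the release process.
# NOTE(review): on `pull_request` events `github.event.head_commit` is not
# populated, so the `[docker scan]` / `[zap scan]` commit-message gates below
# never fire for PR builds. PRs from forks also receive no secrets, so the
# registry and cluster steps will fail for them.
on:  # yamllint disable-line rule:truthy
  push:
    branches: ["main", "v*.*.*"]
  pull_request:
    branches: ["main", "v*.*.*"]

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# the repository. Raise this on a per-job basis if a reused action turns out
# to need more.
permissions:
  contents: read

jobs:
  # This job deploys to prod. It runs only on pushes to `main` and:
  #   - builds the docker image (if the tag does not already exist);
  #   - scans the image with grype if the commit message contains [docker scan];
  #   - (re)creates the namespace and image pull secret;
  #   - templates manifests/deployment.yaml.template with the job env vars
  #     (-=VAR_NAME=- syntax) and applies the result to the cluster;
  #   - waits for the redis and sqs deployments to roll out; the rolling update
  #     strategy (max_unavailable=0) keeps the old pod serving until the new one
  #     passes its health check, so a bad image does not cause an outage;
  #   - runs a ZAProxy passive+active OWASP Top 10 scan against the endpoint if
  #     the commit message contains [zap scan].
  #
  # SECURITY NOTE(review): the iDevOps-io actions are referenced at `@main`, a
  # mutable ref. Anyone who can push to that repository can run arbitrary code
  # in this job with the Docker Hub credentials and the prod kubeconfig. Pin
  # each `uses:` to a full commit SHA (and review updates) rather than a branch.
  build_prod:
    if: github.ref == 'refs/heads/main'
    # Serialise prod deploys: two overlapping `kubectl apply` + `rollout status`
    # runs against the same deployment would race each other.
    concurrency:
      group: deploy-prod
      cancel-in-progress: false
    env:
      docker_org: "osmolabs"
      docker_server_url: "https://index.docker.io/v1/"
      docker_repo: "sqs"
      app_name: "sqs"
      kubernetes_namespace: "sqs"
      # NOTE(review): `latest` is a mutable tag, so every deploy may pull a
      # different redis build. Pin to a specific version (ideally a digest).
      redis_docker_image: "bitnami/redis:latest"
      redis_port: "6379"
      redis_user: "default"
      redis_name: "article"
      # initial delay: how long the redis health check waits before its first probe.
      redis_initial_delay_seconds: "10"
      # period: how often the redis health check runs.
      redis_period_seconds: "10"
      # number of pods to run (used for the redis and sqs deployments).
      replicas: "1"
      # min ready seconds: minimum time a pod must be ready before it counts as available.
      min_ready_seconds: "30"
      # max unavailable: pods that may be unavailable during a rolling update.
      # 0 keeps the current pod serving until the replacement is ready.
      max_unavailable: "0"
      # max surge: extra pods the deployment may create during a rolling update.
      max_surge: "2"
      image_pull_secret: "sqs"
      container_port: "9092"
      service_port: "80"
      # initial delay of the health check for the sqs pod.
      initial_delay_seconds: "30"
      # how often the health check runs for the sqs deployment.
      period_seconds: "10"
      # debug makes the container wait at start-up; keep "false" in prod.
      debug: "false"
      chain_id: "osmosis-1"
      node_rpc: "https://rpc.osmosis.zone:443"
      # NOTE(review): node_grpc points at the same URL as node_rpc — confirm
      # this is the intended gRPC endpoint and not a copy/paste slip.
      node_grpc: "https://rpc.osmosis.zone:443"
      domain_name: "sqs.osmosis.zone"
      path: "/"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Nothing here pushes back to the repo, so do not leave GITHUB_TOKEN
          # in .git/config for later steps (and third-party actions) to read.
          persist-credentials: false

      # Sets the per-run values that cannot be expressed at job level.
      # Secrets are passed through `env:` instead of being interpolated with
      # ${{ }} straight into the shell script: a multi-line kubeconfig, or a
      # value containing quotes/`$`/backticks, could otherwise break out of the
      # quoted `echo`. Values written to GITHUB_ENV are still visible to every
      # later step of this job, which is why the kubeconfig goes to a file.
      - name: "SET:ENV:VARS"
        env:
          REDIS_PASSWORD: ${{ secrets.PROD_SQS_REDIS_PASSWORD }}
          KUBECONFIG_CONTENT: ${{ secrets.PROD_KUBECONFIG }}
        run: |
          set -euo pipefail
          # Short SHA as the image tag; 7 hex chars is the conventional git abbreviation.
          echo "docker_tag=${GITHUB_SHA::7}" >> "${GITHUB_ENV}"
          echo "redis_password=${REDIS_PASSWORD}" >> "${GITHUB_ENV}"
          # Keep the kubeconfig outside the checkout (RUNNER_TEMP) and owner-only,
          # so it cannot be swept up by an artifact upload or a later commit step.
          kubeconfig_path="${RUNNER_TEMP}/kubeconfig.yaml"
          umask 077
          printf '%s\n' "${KUBECONFIG_CONTENT}" > "${kubeconfig_path}"
          echo "KUBECONFIG=${kubeconfig_path}" >> "${GITHUB_ENV}"

      # Checks whether the docker tag already exists; builds and pushes it only
      # if it does not.
      # TODO(security): pin to a commit SHA instead of `@main` (see job note).
      - name: "DOCKER:BUILD:CHECK:PUSH"
        uses: iDevOps-io/idevops-git-actions/docker_build_check_tag_and_push@main
        with:
          docker_username: "${{ secrets.DOCKER_USERNAME }}"
          docker_password: "${{ secrets.DOCKER_PASSWORD }}"
          docker_org: "${{ env.docker_org }}"
          docker_image: "${{ env.docker_repo }}"
          docker_tag: "${{ env.docker_tag }}"
          docker_file_location: "./"

      # Anchore grype vulnerability scan of the image, run only when the commit
      # message contains [docker scan]. It prints a report in the pipeline log
      # (it does not gate the deploy).
      # TODO(security): pin to a commit SHA instead of `@main`.
      - name: "DOCKER:IMAGE:SCAN:ANCHORE"
        if: contains(github.event.head_commit.message, '[docker scan]')
        uses: iDevOps-io/idevops-git-actions/execute_docker_scan_grype@main
        with:
          docker_image_name: "${{ env.docker_org }}/${{ env.docker_repo }}:${{ env.docker_tag }}"

      # Creates the namespace if missing and creates-or-updates the image pull
      # secret so rotated registry credentials are picked up.
      # `--dry-run=client -o yaml | kubectl apply` is idempotent: unlike
      # `create || echo`, it does not mask auth/connectivity errors, and unlike
      # delete-then-create it leaves no window in which a pod scheduled mid-deploy
      # would fail to pull for lack of a secret.
      - name: "CREATE:DOCKER:SECRET:NAMESPACE"
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          set -euo pipefail
          echo "Create namespace if it doesn't exist."
          kubectl create namespace "${kubernetes_namespace}" --dry-run=client -o yaml | kubectl apply -f -
          echo "Create or update the image pull secret so rotated credentials are picked up."
          kubectl create secret docker-registry "${image_pull_secret}" \
            --docker-server="${docker_server_url}" \
            --docker-username="${DOCKER_USERNAME}" \
            --docker-password="${DOCKER_PASSWORD}" \
            --namespace "${kubernetes_namespace}" \
            --dry-run=client -o yaml | kubectl apply -f -

      # Replaces -=VAR_NAME=- placeholders in the template with the matching
      # environment variables (including redis_password from GITHUB_ENV).
      # TODO(security): pin to a commit SHA instead of `@main`.
      - name: "EXECUTE:TEMPLATE:REPLACEMENT:ON:FILE"
        uses: iDevOps-io/idevops-git-actions/template_replace_file@main
        with:
          input_file: "manifests/deployment.yaml.template"
          output_file: "manifests/deployment.yaml"

      # Applies the templated manifest (redis and sqs deployments).
      - name: "APPLY:KUBECONFIG"
        run: |
          set -euo pipefail
          echo "Apply the manifest and deploy the application and redis updates to the cluster"
          kubectl apply -f manifests/deployment.yaml -n "${kubernetes_namespace}"

      # Waits for both deployments to report a successful rollout. A timeout is
      # set so a rollout that never becomes ready fails the job instead of
      # hanging until the runner's job limit.
      - name: "CHECK:DEPLOYMENT:STATUS"
        run: |
          set -euo pipefail
          echo "Check the rollout status of redis. This will force pipeline to wait until its serving"
          kubectl rollout status "deployment/${app_name}-redis" -n "${kubernetes_namespace}" --timeout=10m
          echo "Check the rollout status of the deployment to prevent pipeline from continuing until new release is rolled out."
          kubectl rollout status "deployment/${app_name}" -n "${kubernetes_namespace}" --timeout=10m

      # ZAProxy passive + active OWASP Top 10 scan of the live endpoint, run only
      # when the commit message contains [zap scan].
      # TODO(security): pin to a commit SHA instead of `@main`.
      - name: "ZAProxy Scan Active/Passive OWASP TOP 10 Security"
        if: contains(github.event.head_commit.message, '[zap scan]')
        uses: iDevOps-io/idevops-git-actions/execute_zaproxy_owasp_security_can_on_endpoint@main
        with:
          web_url: "https://${{ env.domain_name }}"

      # Remove the on-disk kubeconfig even when an earlier step failed. Mostly
      # relevant on self-hosted runners, where the filesystem outlives the job.
      - name: "CLEANUP:KUBECONFIG"
        if: always()
        run: rm -f "${RUNNER_TEMP}/kubeconfig.yaml"

  # This job deploys to dev. It runs for every push/PR that is not `main` and
  # performs the same sequence as build_prod (build, optional grype scan,
  # namespace + pull secret, template, apply, rollout wait, optional ZAP scan)
  # against the dev cluster and the `sqs-dev` image repository.
  #
  # SECURITY NOTE(review): same `@main` pinning concern as build_prod — a
  # compromised action repository would receive the dev kubeconfig and the
  # Docker Hub credentials.
  build_dev:
    if: github.ref != 'refs/heads/main'
    # Every dev run targets the same namespace in the dev cluster, so serialise.
    concurrency:
      group: deploy-dev
      cancel-in-progress: false
    env:
      docker_org: "osmolabs"
      docker_repo: "sqs-dev"
      app_name: "sqs"
      kubernetes_namespace: "sqs"
      # NOTE(review): mutable tag; pin to a version/digest (see build_prod).
      redis_docker_image: "bitnami/redis:latest"
      redis_port: "6379"
      # NOTE(review): differs from prod ("default") — confirm this is deliberate.
      redis_user: "user"
      redis_name: "article"
      redis_initial_delay_seconds: "10"
      redis_period_seconds: "10"
      replicas: "1"
      min_ready_seconds: "30"
      max_unavailable: "0"
      max_surge: "2"
      image_pull_secret: "sqs"
      container_port: "9092"
      service_port: "80"
      initial_delay_seconds: "30"
      period_seconds: "10"
      # debug makes the container wait at start-up; enabled for dev.
      debug: "true"
      chain_id: "osmosis-1"
      node_rpc: "https://rpc.osmosis.zone:443"
      node_grpc: "https://rpc.osmosis.zone:443"
      domain_name: "sqs.dev-osmosis.zone"
      path: "/"
      docker_server_url: "https://index.docker.io/v1/"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false

      # Same rationale as build_prod: secrets via `env:`, kubeconfig outside the
      # workspace with owner-only permissions.
      - name: "SET:SECRET:ENV:VARS"
        env:
          REDIS_PASSWORD: ${{ secrets.DEV_SQS_REDIS_PASSWORD }}
          KUBECONFIG_CONTENT: ${{ secrets.DEV_KUBECONFIG }}
        run: |
          set -euo pipefail
          echo "docker_tag=${GITHUB_SHA::7}" >> "${GITHUB_ENV}"
          echo "redis_password=${REDIS_PASSWORD}" >> "${GITHUB_ENV}"
          kubeconfig_path="${RUNNER_TEMP}/kubeconfig.yaml"
          umask 077
          printf '%s\n' "${KUBECONFIG_CONTENT}" > "${kubeconfig_path}"
          echo "KUBECONFIG=${kubeconfig_path}" >> "${GITHUB_ENV}"

      # Unconditionally builds and pushes the dev image (the step was previously
      # mis-named "SET:SECRET:ENV:VARS", duplicating the step above).
      # `--password-stdin` keeps the registry password out of argv and the
      # runner's process listing.
      # NOTE(review): the DOCKER:BUILD:CHECK:PUSH step that follows will find
      # the tag already present and skip, so one of the two steps is redundant;
      # kept here to preserve the existing "always rebuild dev" behaviour.
      - name: "DOCKER:BUILD:LOGIN:PUSH"
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          set -euo pipefail
          docker build -t "${docker_org}/${docker_repo}:${docker_tag}" .
          printf '%s' "${DOCKER_PASSWORD}" | docker login --username "${DOCKER_USERNAME}" --password-stdin
          docker push "${docker_org}/${docker_repo}:${docker_tag}"

      # Checks whether the docker tag already exists; builds and pushes it only
      # if it does not.
      # TODO(security): pin to a commit SHA instead of `@main`.
      - name: "DOCKER:BUILD:CHECK:PUSH"
        uses: iDevOps-io/idevops-git-actions/docker_build_check_tag_and_push@main
        with:
          docker_username: "${{ secrets.DOCKER_USERNAME }}"
          docker_password: "${{ secrets.DOCKER_PASSWORD }}"
          docker_org: "${{ env.docker_org }}"
          docker_image: "${{ env.docker_repo }}"
          docker_tag: "${{ env.docker_tag }}"
          docker_file_location: "./"

      # Anchore grype vulnerability scan, gated on [docker scan] in the commit
      # message; prints a report, does not gate the deploy.
      # TODO(security): pin to a commit SHA instead of `@main`.
      - name: "DOCKER:IMAGE:SCAN:ANCHORE"
        if: contains(github.event.head_commit.message, '[docker scan]')
        uses: iDevOps-io/idevops-git-actions/execute_docker_scan_grype@main
        with:
          docker_image_name: "${{ env.docker_org }}/${{ env.docker_repo }}:${{ env.docker_tag }}"

      # Idempotent namespace + pull-secret create/update (see build_prod for why
      # this replaces `create || echo` and delete-then-create).
      - name: "CREATE:DOCKER:SECRET:NAMESPACE"
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          set -euo pipefail
          echo "Create namespace if it doesn't exist."
          kubectl create namespace "${kubernetes_namespace}" --dry-run=client -o yaml | kubectl apply -f -
          echo "Create or update the image pull secret so rotated credentials are picked up."
          kubectl create secret docker-registry "${image_pull_secret}" \
            --docker-server="${docker_server_url}" \
            --docker-username="${DOCKER_USERNAME}" \
            --docker-password="${DOCKER_PASSWORD}" \
            --namespace "${kubernetes_namespace}" \
            --dry-run=client -o yaml | kubectl apply -f -

      # Replaces -=VAR_NAME=- placeholders in the template with the matching
      # environment variables.
      # TODO(security): pin to a commit SHA instead of `@main`.
      - name: "EXECUTE:TEMPLATE:REPLACEMENT:ON:FILE"
        uses: iDevOps-io/idevops-git-actions/template_replace_file@main
        with:
          input_file: "manifests/deployment.yaml.template"
          output_file: "manifests/deployment.yaml"

      # Applies the templated manifest (redis and sqs deployments).
      - name: "APPLY:KUBECONFIG"
        run: |
          set -euo pipefail
          echo "Apply the manifest and deploy the application and redis updates to the cluster"
          kubectl apply -f manifests/deployment.yaml -n "${kubernetes_namespace}"

      # Waits (with a timeout) for both deployments to roll out.
      - name: "CHECK:DEPLOYMENT:STATUS"
        run: |
          set -euo pipefail
          echo "Check the rollout status of redis. This will force pipeline to wait until its serving"
          kubectl rollout status "deployment/${app_name}-redis" -n "${kubernetes_namespace}" --timeout=10m
          echo "Check the rollout status of the deployment to prevent pipeline from continuing until new release is rolled out."
          kubectl rollout status "deployment/${app_name}" -n "${kubernetes_namespace}" --timeout=10m

      # ZAProxy passive + active OWASP Top 10 scan, gated on [zap scan].
      # TODO(security): pin to a commit SHA instead of `@main`.
      - name: "ZAProxy Scan Active/Passive OWASP TOP 10 Security"
        if: contains(github.event.head_commit.message, '[zap scan]')
        uses: iDevOps-io/idevops-git-actions/execute_zaproxy_owasp_security_can_on_endpoint@main
        with:
          web_url: "https://${{ env.domain_name }}"

      # Remove the on-disk kubeconfig even if an earlier step failed.
      - name: "CLEANUP:KUBECONFIG"
        if: always()
        run: rm -f "${RUNNER_TEMP}/kubeconfig.yaml"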