diff --git a/.github/workflows/alerts-ee.yaml b/.github/workflows/alerts-ee.yaml index 68146296d..5057f460c 100644 --- a/.github/workflows/alerts-ee.yaml +++ b/.github/workflows/alerts-ee.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev @@ -26,7 +26,6 @@ on: - "!ee/api/requirements.txt" - "!ee/api/requirements-crons.txt" - name: Build and Deploy Alerts EE jobs: @@ -55,7 +54,7 @@ jobs: - name: Docker login run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - uses: azure/k8s-set-context@v1 with: @@ -68,7 +67,6 @@ jobs: # Ignore the failure of a step and avoid terminating the job. continue-on-error: true - - name: Building and Pushing api image id: build-image env: @@ -103,9 +101,9 @@ jobs: # kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - + echo > /tmp/image_override.yaml - + for line in `cat /tmp/image_tag.txt`; do image_array=($(echo "$line" | tr ':' '\n')) 
@@ -120,15 +118,16 @@ jobs: - name: Deploy to kubernetes run: | cd scripts/helmcharts/ - + # Update changed image tag sed -i "/alerts/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - + cat /tmp/image_override.yaml # Deploy command - mv openreplay/charts/{ingress-nginx,alerts,quickwit} /tmp + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,alerts,quickwit,connector} /tmp/charts/ rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,alerts,quickwit} openreplay/charts/ + mv /tmp/charts/* openreplay/charts/ helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - env: DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} @@ -145,16 +144,14 @@ jobs: SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true - + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # limit-access-to-actor: true diff --git a/.github/workflows/alerts.yaml b/.github/workflows/alerts.yaml index 9c10c4dee..8e823c60e 100644 --- a/.github/workflows/alerts.yaml +++ b/.github/workflows/alerts.yaml 
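Review bot: `mkdir -p /tmp/charts` followed by `mv /tmp/charts/* openreplay/charts/` reuses a fixed path and tolerates a directory that already exists, so anything already under `/tmp/charts` on the runner would be moved into the chart tree alongside the four charts; a per-run directory avoids that: `charts_tmp=$(mktemp -d)`, `mv openreplay/charts/{ingress-nginx,alerts,quickwit,connector} "$charts_tmp"/` and `mv "$charts_tmp"/* openreplay/charts/`. The same four lines appear in the deploy hunks of alerts.yaml, api-ee.yaml, api.yaml and assist-ee.yaml. Under the runner's default shell (bash with `-e`) the brace-expanded `mv` aborts the step if `openreplay/charts/connector` is absent, which is presumably intended but worth confirming against the chart tree. Note also that this EE variant pipes into `kubectl apply -f -` with no `-n app`, while alerts.yaml uses `kubectl apply -n app -f -`; unless every rendered manifest carries its own `metadata.namespace`, the EE apply lands in the kubeconfig's current namespace.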
@@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev @@ -47,7 +47,7 @@ jobs: - name: Docker login run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - uses: azure/k8s-set-context@v1 with: @@ -60,7 +60,6 @@ jobs: # Ignore the failure of a step and avoid terminating the job. continue-on-error: true - - name: Building and Pushing Alerts image id: build-image env: @@ -95,9 +94,9 @@ jobs: # kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - + echo > /tmp/image_override.yaml - + for line in `cat /tmp/image_tag.txt`; do image_array=($(echo "$line" | tr ':' '\n')) @@ -111,7 +110,7 @@ jobs: - name: Deploy to kubernetes run: | cd scripts/helmcharts/ - + ## Update secerts sed -i "s#openReplayContainerRegistry.*#openReplayContainerRegistry: \"${{ secrets.OSS_REGISTRY_URL }}\"#g" vars.yaml sed -i "s/postgresqlPassword: \"changeMePassword\"/postgresqlPassword: \"${{ secrets.OSS_PG_PASSWORD }}\"/g" vars.yaml 
@@ -119,15 +118,16 @@ jobs: sed -i "s/secretKey: \"changeMeMinioPassword\"/secretKey: \"${{ secrets.OSS_MINIO_SECRET_KEY }}\"/g" vars.yaml sed -i "s/jwt_secret: \"SetARandomStringHere\"/jwt_secret: \"${{ secrets.OSS_JWT_SECRET }}\"/g" vars.yaml sed -i "s/domainName: \"\"/domainName: \"${{ secrets.OSS_DOMAIN_NAME }}\"/g" vars.yaml - + # Update changed image tag sed -i "/alerts/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - + cat /tmp/image_override.yaml # Deploy command - mv openreplay/charts/{ingress-nginx,alerts,quickwit} /tmp + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,alerts,quickwit,connector} /tmp/charts/ rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,alerts,quickwit} openreplay/charts/ + mv /tmp/charts/* openreplay/charts/ helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - env: DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} @@ -143,16 +143,13 @@ jobs: SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true - - - + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # limit-access-to-actor: true diff --git a/.github/workflows/api-ee.yaml b/.github/workflows/api-ee.yaml index 8c875d6a1..91b51d871 100644 --- a/.github/workflows/api-ee.yaml +++ b/.github/workflows/api-ee.yaml 
@@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev @@ -25,7 +25,6 @@ on: - "!ee/api/*-dev.sh" - "!ee/api/requirements-*.txt" - name: Build and Deploy Chalice EE jobs: 
@@ -34,127 +33,124 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing api image - id: build-image - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd api - PUSH_IMAGE=0 bash -x ./build.sh ee - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing api image + id: build-image + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd api + PUSH_IMAGE=0 bash -x ./build.sh ee + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("chalice") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("chalice") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("chalice") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - # We've to strip off the -ee, as helm will append it. - tag: `echo ${image_array[1]} | cut -d '-' -f 1` - EOF - done + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + # We've to strip off the -ee, as helm will append it. 
+ tag: `echo ${image_array[1]} | cut -d '-' -f 1` + EOF + done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/chalice/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,chalice,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,chalice,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # We're not passing -ee flag, because helm will add that. - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: ee - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true + # Update changed image tag + sed -i "/chalice/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,chalice,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks 
--kube-version=$k_version | kubectl apply -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # We're not passing -ee flag, because helm will add that. + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: ee + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # limit-access-to-actor: true diff --git a/.github/workflows/api.yaml b/.github/workflows/api.yaml index 5884dc9f6..ad34e0527 100644 --- a/.github/workflows/api.yaml +++ b/.github/workflows/api.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
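Review bot: The `Docker login` step still hands the registry token to `docker login ... -p "${{ secrets.EE_REGISTRY_TOKEN }}"`, so the secret is expanded into the script text and becomes a process argument; `skip_security_checks=${{ github.event.inputs.skip_security_checks }}` likewise splices an unquoted dispatch input straight into shell source. Pass both through `env:` and read them as `$VAR` in the script, using `--password-stdin` for the login, as sketched below; the re-indented copies in api.yaml and assist-ee.yaml and the Docker login hunks in alerts-ee.yaml and alerts.yaml have the same shape. Separately, `curl -L .../trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf -` installs the scanner with no integrity check against a pinned digest, and `err_code=$?` after `done` only reflects the last entry of `images`, so a failing scan of an earlier image would be lost if that array ever grows. The `jobs:` header that encloses this steps block is above the hunk.
```yaml
      - name: Docker login
        env:
          REGISTRY_URL: ${{ secrets.EE_REGISTRY_URL }}
          REGISTRY_USERNAME: ${{ secrets.EE_DOCKER_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.EE_REGISTRY_TOKEN }}
        run: |
          echo "$REGISTRY_TOKEN" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin
      # … unchanged: k8s-set-context, docker layer caching …
      - name: Building and Pushing api image
        id: build-image
        env:
          # … unchanged: DOCKER_REPO, IMAGE_TAG, ENVIRONMENT …
          SKIP_SECURITY_CHECKS: ${{ github.event.inputs.skip_security_checks }}
        run: |
          skip_security_checks="$SKIP_SECURITY_CHECKS"
          # … unchanged: build, trivy scan, push …
```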
@@ -26,121 +26,121 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.OSS_DOMAIN_NAME }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.OSS_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing api image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd api - PUSH_IMAGE=0 bash -x ./build.sh - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing api image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd api + PUSH_IMAGE=0 bash -x ./build.sh + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("chalice") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("chalice") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("chalice") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - tag: ${image_array[1]} - EOF - done + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + tag: ${image_array[1]} + EOF + done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/chalice/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/chalice/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,chalice,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,chalice,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: 
staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,chalice,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - + env: + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: foss - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: foss + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true diff --git a/.github/workflows/assist-ee.yaml b/.github/workflows/assist-ee.yaml index 31fdd9c0d..195ee887c 100644 --- a/.github/workflows/assist-ee.yaml +++ b/.github/workflows/assist-ee.yaml 
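Review bot: The commented-out `Debug Job` block at the end of the hunk still spells the tmate input as `iimit-access-to-actor`; the same typo is in assist-ee.yaml, while api-ee.yaml has the correct `limit-access-to-actor`, so uncommenting it here would fail on an unknown input. Since the commit re-indents that block anyway, changing the comment to `#     limit-access-to-actor: true` at the same time would keep the three files aligned. The block also carries `secrets.EE_REGISTRY_URL` and a `-ee` image tag from the EE workflow, which looks like a copy-paste remnant in this OSS file.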
@@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
@@ -24,106 +24,107 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. 
+ id: setcontext - - name: Building and Pushing Assist image - id: build-image - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd assist - PUSH_IMAGE=0 bash -x ./build.sh ee - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing Assist image + id: build-image + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd assist + PUSH_IMAGE=0 bash -x ./build.sh ee + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("assist") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("assist") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("assist") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - # We've to strip off the -ee, as helm will append it. - tag: `echo ${image_array[1]} | cut -d '-' -f 1` - EOF - done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + # We've to strip off the -ee, as helm will append it. 
+ tag: `echo ${image_array[1]} | cut -d '-' -f 1` + EOF + done + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/assist/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/assist/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,assist,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,assist,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # We're not passing -ee flag, because helm will add that. - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,assist,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # We're not passing -ee flag, because helm will add that. 
+ IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true diff --git a/.github/workflows/assist-stats.yaml b/.github/workflows/assist-stats.yaml index b1cbc07fd..ed7078f6f 100644 --- a/.github/workflows/assist-stats.yaml +++ b/.github/workflows/assist-stats.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
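Review bot: The re-emitted steps for assist-ee.yaml end at the `Deploy to kubernetes` step with no `Alert slack` failure notification, whereas alerts-ee.yaml, api-ee.yaml and api.yaml each carry an `if: ${{ failure() }}` step using `rtCamp/action-slack-notify@v2`; unless that step lives below this hunk, a failed assist deploy goes unreported. Adding the same step here with `SLACK_CHANNEL: ee`, as in the api-ee.yaml hunk, would bring the file in line with its siblings. The `satackey/action-docker-layer-caching@v0.0.11` step present in the other workflows is also absent here, which may be deliberate but is worth a comment if so.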
@@ -23,130 +23,129 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.OSS_DOMAIN_NAME }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.OSS_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing assist-stats image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd assist-stats - PUSH_IMAGE=0 bash -x ./build.sh ee - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing assist-stats image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd assist-stats + PUSH_IMAGE=0 bash -x ./build.sh ee + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("assist-stats") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("assist-stats") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("assist-stats") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done -### Enterprise code deployment + ### Enterprise code deployment - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontextee + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontextee - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Deploy to kubernetes ee - run: | - cd scripts/helmcharts/ - cat </tmp/image_override.yaml - assist-stats: - image: - # We've to strip off the -ee, as helm will append it. - tag: ${IMAGE_TAG} - EOF + - name: Deploy to kubernetes ee + run: | + cd scripts/helmcharts/ + cat </tmp/image_override.yaml + assist-stats: + image: + # We've to strip off the -ee, as helm will append it. 
+ tag: ${IMAGE_TAG} + EOF - # Update changed image tag - sed -i "/assist-stats/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/assist-stats/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,assist-stats,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,assist-stats,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # We're not passing -ee flag, because helm will add that. - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,assist-stats,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # We're not passing -ee flag, because helm will add that. 
+ IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: foss - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: foss + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # limit-access-to-actor: true diff --git a/.github/workflows/assist.yaml b/.github/workflows/assist.yaml index d15804775..02a2c8fb1 100644 --- a/.github/workflows/assist.yaml +++ b/.github/workflows/assist.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
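Review bot: `skip_security_checks=${{ github.event.inputs.skip_security_checks }}` in the build step splices the workflow_dispatch input into the shell script as source text, so a value other than the documented `true`/`false` is interpreted by bash rather than compared as data; pass it through the step's `env:` (`SKIP_SECURITY_CHECKS: ${{ github.event.inputs.skip_security_checks }}`) and read `skip_security_checks="$SKIP_SECURITY_CHECKS"` instead. In the same step, `err_code=$?` after the `for image` loop reports only the last trivy invocation, and because the loop sits inside the `||` list where `-e` does not apply, a failing scan of any earlier image would be dropped once `images` holds more than one entry; initialise `err_code=0` before the loop and record failures with `|| err_code=$?` inside it. The Docker login step still hands the registry token to `docker login -p`, which exposes it on the runner's process command line; put the token in the step `env:` and use `printf '%s' "$REGISTRY_TOKEN" | docker login "$REGISTRY_URL" -u "$DOCKER_USERNAME" --password-stdin`. The EE `Update Keys` step passes `registry_url: ${{ secrets.OSS_REGISTRY_URL }}` while the same deployment's `DOCKER_REPO` is `EE_REGISTRY_URL`; whether that mismatch matters depends on what update-keys does with the value, which is not visible here, but crons-ee.yaml pairs the secrets the same way. The assist.yaml and crons-ee.yaml hunks below share the first three points, and the frontend-dev.yaml and frontend.yaml hunks share the `-p` one.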
@@ -23,106 +23,107 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.OSS_DOMAIN_NAME }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.OSS_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. 
+ id: setcontext - - name: Building and Pushing Assist image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd assist - PUSH_IMAGE=0 bash -x ./build.sh - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing Assist image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd assist + PUSH_IMAGE=0 bash -x ./build.sh + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("assist") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("assist") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("assist") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - # We've to strip off the -ee, as helm will append it. - tag: `echo ${image_array[1]} | cut -d '-' -f 1` - EOF - done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + # We've to strip off the -ee, as helm will append it. 
+ tag: `echo ${image_array[1]} | cut -d '-' -f 1` + EOF + done + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/assist/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/assist/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,assist,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,assist,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - # We're not passing -ee flag, because helm will add that. - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,assist,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + # We're not passing -ee flag, because helm will add that. 
+ IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true diff --git a/.github/workflows/crons-ee.yaml b/.github/workflows/crons-ee.yaml index ae0535949..0fb91d420 100644 --- a/.github/workflows/crons-ee.yaml +++ b/.github/workflows/crons-ee.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
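Review bot: `sed -i "/assist/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}"` in the deploy step matches every override-file line containing `assist`, and /tmp/image_override.yaml is built from all `/foss/` images running in namespace `app`; if an `assist-stats` pod is present there (not visible from this hunk), its `tag:` is rewritten to this workflow's IMAGE_TAG as well. Anchoring the key avoids that: `sed -i "/^[[:space:]]*assist:/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}"`. A sed with no matching line also exits 0, so when the key is absent the deploy silently proceeds without the new tag; a guard such as `grep -q '^[[:space:]]*assist:' /tmp/image_override.yaml || { echo 'assist entry missing from override'; exit 1; }` before the sed makes that a visible failure, and the crons-ee.yaml hunk has the same unchecked sed. The `n;n;n` offset depends on the heredoc in the previous step emitting exactly `image:`, the comment line and `tag:` in that order, which deserves a comment on the sed line such as `# skip "image:" and the comment line, then replace "tag:"`.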
@@ -35,124 +35,124 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing api image - id: build-image - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd api - PUSH_IMAGE=0 bash -x ./build_crons.sh ee - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing api image + id: build-image + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd api + PUSH_IMAGE=0 bash -x ./build_crons.sh ee + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("crons") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("crons") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("crons") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - # We've to strip off the -ee, as helm will append it. - tag: `echo ${image_array[1]} | cut -d '-' -f 1` - EOF - done + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + # We've to strip off the -ee, as helm will append it. 
+ tag: `echo ${image_array[1]} | cut -d '-' -f 1` + EOF + done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/crons/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/crons/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,utilities,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,utilities,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # We're not passing -ee flag, because helm will add that. - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,utilities,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # We're not passing -ee flag, because helm will add that. 
+ IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: ee - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: ee + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true diff --git a/.github/workflows/frontend-dev.yaml b/.github/workflows/frontend-dev.yaml index 00e6036d1..d9c590d2b 100644 --- a/.github/workflows/frontend-dev.yaml +++ b/.github/workflows/frontend-dev.yaml @@ -1,7 +1,7 @@ -name: Frontend Dev Deployment +name: Frontend Dev Deployment on: workflow_dispatch # Disable previous workflows for this action. -concurrency: +concurrency: group: ${{ github.workflow }} #-${{ github.ref }} cancel-in-progress: true 
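Review bot: The `Creating old image input` step filters the running images with `grep '/foss/'`, but this workflow pushes to `${{ secrets.EE_REGISTRY_URL }}` and deploys with `EE_KUBECONFIG`; if the EE cluster's image paths do not contain `/foss/` (the registry layout is not visible here), /tmp/image_override.yaml ends up holding only the leading blank line, `sed -i "/crons/…"` changes nothing, and the chart is applied without the just-built tag. With the default `bash -e` shell no pipefail is set, so an empty grep result does not stop the step either; `[[ -s /tmp/image_tag.txt ]] || { echo 'no running images matched the filter'; exit 1; }` right after the kubectl pipeline would make the gap explicit. The deploy also preserves only `{ingress-nginx,utilities,quickwit,connector}` while the image built is `crons`, which presumably means the crons workload is rendered by the utilities chart and reads the `crons:` override key; a comment recording that mapping would save the next reader from checking.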
@@ -9,76 +9,77 @@ jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: Checkout + uses: actions/checkout@v2 - - name: Cache node modules - uses: actions/cache@v1 - with: - path: node_modules - key: ${{ runner.OS }}-build-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.OS }}-build- - ${{ runner.OS }}- + - name: Cache node modules + uses: actions/cache@v1 + with: + path: node_modules + key: ${{ runner.OS }}-build-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.OS }}-build- + ${{ runner.OS }}- - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.DEV_DOMAIN_NAME }} - license_key: ${{ secrets.DEV_LICENSE_KEY }} - jwt_secret: ${{ secrets.DEV_JWT_SECRET }} - minio_access_key: ${{ secrets.DEV_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.DEV_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.DEV_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.DEV_DOMAIN_NAME }} + license_key: ${{ secrets.DEV_LICENSE_KEY }} + jwt_secret: ${{ secrets.DEV_JWT_SECRET }} + minio_access_key: ${{ secrets.DEV_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.DEV_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.DEV_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.DEV_KUBECONFIG }} # Use content of kubeconfig in secret. 
- id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.DEV_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - - name: Building and Pushing frontend image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - set -x - cd frontend - mv .env.sample .env - docker run --rm -v /etc/passwd:/etc/passwd -u `id -u`:`id -g` -v $(pwd):/home/${USER} -w /home/${USER} --name node_build node:14-stretch-slim /bin/bash -c "yarn && yarn build" - # https://github.com/docker/cli/issues/1134#issuecomment-613516912 - DOCKER_BUILDKIT=1 docker build --target=cicd -t $DOCKER_REPO/frontend:${IMAGE_TAG} . - docker tag $DOCKER_REPO/frontend:${IMAGE_TAG} $DOCKER_REPO/frontend:${IMAGE_TAG}-ee - docker push $DOCKER_REPO/frontend:${IMAGE_TAG} - docker push $DOCKER_REPO/frontend:${IMAGE_TAG}-ee + - name: Building and Pushing frontend image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + run: | + set -x + cd frontend + mv .env.sample .env + docker run --rm -v /etc/passwd:/etc/passwd -u `id -u`:`id -g` -v $(pwd):/home/${USER} -w /home/${USER} --name node_build node:14-stretch-slim /bin/bash -c "yarn && yarn build" + # https://github.com/docker/cli/issues/1134#issuecomment-613516912 + DOCKER_BUILDKIT=1 docker build --target=cicd -t $DOCKER_REPO/frontend:${IMAGE_TAG} . 
+ docker tag $DOCKER_REPO/frontend:${IMAGE_TAG} $DOCKER_REPO/frontend:${IMAGE_TAG}-ee + docker push $DOCKER_REPO/frontend:${IMAGE_TAG} + docker push $DOCKER_REPO/frontend:${IMAGE_TAG}-ee - - name: Deploy to kubernetes foss - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes foss + run: | + cd scripts/helmcharts/ - set -x - cat <>/tmp/image_override.yaml - frontend: - image: - tag: ${IMAGE_TAG} - EOF + set -x + cat <>/tmp/image_override.yaml + frontend: + image: + tag: ${IMAGE_TAG} + EOF - # Update changed image tag - sed -i "/frontend/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/frontend/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,frontend,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,frontend,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - iMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,frontend,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + iMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml index 4a557c340..b13f88f37 100644 --- a/.github/workflows/frontend.yaml +++ b/.github/workflows/frontend.yaml 
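Review bot: `iMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}` in the `Deploy to kubernetes foss` step's `env:` is mis-cased, and step-level env from the build step does not carry over, so `${IMAGE_TAG}` in the heredoc and in the sed expands to an empty string and the override file gets a bare `tag:`; it should read `IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}`. The yarn build still runs in `node:14-stretch-slim`, whereas frontend.yaml below uses `node:18-slim`; both Node 14 and Debian stretch are past end of life and receive no security fixes, so this workflow should move to the same image. `actions/cache@v1`, `actions/checkout@v2` and `azure/k8s-set-context@v1` are pulled by mutable tags; pinning them to a commit SHA is the standard mitigation against a tag being repointed. The Docker login `-p` issue noted on the assist-stats.yaml hunk applies here too.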
@@ -1,4 +1,4 @@ -name: Frontend Foss Deployment +name: Frontend Foss Deployment on: workflow_dispatch: push: @@ -7,7 +7,7 @@ on: paths: - frontend/** # Disable previous workflows for this action. -concurrency: +concurrency: group: ${{ github.workflow }} #-${{ github.ref }} cancel-in-progress: true 
@@ -15,132 +15,133 @@ jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: Checkout + uses: actions/checkout@v2 - - name: Cache node modules - uses: actions/cache@v1 - with: - path: node_modules - key: ${{ runner.OS }}-build-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.OS }}-build- - ${{ runner.OS }}- + - name: Cache node modules + uses: actions/cache@v1 + with: + path: node_modules + key: ${{ runner.OS }}-build-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.OS }}-build- + ${{ runner.OS }}- - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.OSS_DOMAIN_NAME }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.OSS_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. 
- id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - - name: Building and Pushing frontend image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - set -x - cd frontend - mv .env.sample .env - docker run --rm -v /etc/passwd:/etc/passwd -u `id -u`:`id -g` -v $(pwd):/home/${USER} -w /home/${USER} --name node_build node:18-slim /bin/bash -c "yarn && yarn build" - # https://github.com/docker/cli/issues/1134#issuecomment-613516912 - DOCKER_BUILDKIT=1 docker build --target=cicd -t $DOCKER_REPO/frontend:${IMAGE_TAG} . - docker tag $DOCKER_REPO/frontend:${IMAGE_TAG} $DOCKER_REPO/frontend:${IMAGE_TAG}-ee - docker push $DOCKER_REPO/frontend:${IMAGE_TAG} - docker push $DOCKER_REPO/frontend:${IMAGE_TAG}-ee + - name: Building and Pushing frontend image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + run: | + set -x + cd frontend + mv .env.sample .env + docker run --rm -v /etc/passwd:/etc/passwd -u `id -u`:`id -g` -v $(pwd):/home/${USER} -w /home/${USER} --name node_build node:18-slim /bin/bash -c "yarn && yarn build" + # https://github.com/docker/cli/issues/1134#issuecomment-613516912 + DOCKER_BUILDKIT=1 docker build --target=cicd -t $DOCKER_REPO/frontend:${IMAGE_TAG} . 
+ docker tag $DOCKER_REPO/frontend:${IMAGE_TAG} $DOCKER_REPO/frontend:${IMAGE_TAG}-ee + docker push $DOCKER_REPO/frontend:${IMAGE_TAG} + docker push $DOCKER_REPO/frontend:${IMAGE_TAG}-ee - - name: Deploy to kubernetes foss - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes foss + run: | + cd scripts/helmcharts/ - set -x - cat <>/tmp/image_override.yaml - frontend: - image: - tag: ${IMAGE_TAG} - EOF + set -x + cat <>/tmp/image_override.yaml + frontend: + image: + tag: ${IMAGE_TAG} + EOF - # Update changed image tag - sed -i "/frontend/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/frontend/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,frontend,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,frontend,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,frontend,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + ### Enterprise code deployment -### Enterprise code deployment + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. 
+ id: setcontextee - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontextee + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - name: Deploy to kubernetes ee + run: | + cd scripts/helmcharts/ + cat </tmp/image_override.yaml + frontend: + image: + # We've to strip off the -ee, as helm will append it. + tag: ${IMAGE_TAG} + EOF - - name: Deploy to kubernetes ee - run: | - cd scripts/helmcharts/ - cat </tmp/image_override.yaml - frontend: - image: - # We've to strip off the -ee, as helm will append it. 
- tag: ${IMAGE_TAG} - EOF + # Update changed image tag + sed -i "/frontend/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - # Update changed image tag - sed -i "/frontend/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,frontend,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # We're not passing -ee flag, because helm will add that. + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,frontend,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,frontend,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # We're not passing -ee flag, because helm will add that. - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true 
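Review bot: The `Docker login` step on the new side still hands the registry token over on the command line (`-p "${{ secrets.EE_REGISTRY_TOKEN }}"`), so the token is visible in the step's process arguments and docker itself warns about this form. Move the three values into the step's `env:` and feed the token through stdin, e.g. `echo "$REGISTRY_TOKEN" | docker login "$REGISTRY_URL" -u "$REGISTRY_USER" --password-stdin`, which also keeps the expressions out of the generated shell script. The same pattern recurs in the peers-ee.yaml, peers.yaml, sourcemaps-reader-ee.yaml and sourcemaps-reader.yaml hunks. Separately, this workflow logs in with the `EE_*` registry credentials while the build step pushes to `DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }}`; if those two secrets name different registries, the push runs against a registry this job never authenticated to, which is worth confirming.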
diff --git a/.github/workflows/peers-ee.yaml b/.github/workflows/peers-ee.yaml index 6e14e4e4d..04aec596c 100644 --- a/.github/workflows/peers-ee.yaml +++ b/.github/workflows/peers-ee.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
@@ -24,123 +24,123 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing peers image - id: build-image - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd peers - PUSH_IMAGE=0 bash -x ./build.sh ee - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing peers image + id: build-image + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd peers + PUSH_IMAGE=0 bash -x ./build.sh ee + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("peers") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("peers") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("peers") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - # We've to strip off the -ee, as helm will append it. - tag: `echo ${image_array[1]} | cut -d '-' -f 1` - EOF - done + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + # We've to strip off the -ee, as helm will append it. 
+ tag: `echo ${image_array[1]} | cut -d '-' -f 1` + EOF + done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/peers/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/peers/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,peers,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,peers,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,peers,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: ee - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: ee + SLACK_TITLE: "Failed ${{ github.workflow }}" + 
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true diff --git a/.github/workflows/peers.yaml b/.github/workflows/peers.yaml index 3b14ab966..b35422d64 100644 --- a/.github/workflows/peers.yaml +++ b/.github/workflows/peers.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
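Review bot: In the `Building and Pushing peers image` step, `err_code=$?` after `done` captures only the exit status of the last loop iteration, so if `images` ever holds more than one entry a HIGH/CRITICAL finding on an earlier image would not stop the following `docker push` loop; checking per image is simpler and removes the `err_code` lines: `./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG || exit $?`. The trailing `} && { echo "Skipping Security Checks" }` also fires when the scan ran and passed, so the log claims the checks were skipped when they were not; printing the message from the skip condition instead, `[[ "x$skip_security_checks" != "xtrue" ]] || echo "Skipping Security Checks"`, keeps the log truthful. In the deploy step, `--kube-version=$k_version` references a variable that is not set in the step's visible `env:`; if it is not exported somewhere outside the hunk the flag is passed empty. The same scan/`err_code` structure appears in the peers.yaml, sourcemaps-reader-ee.yaml and sourcemaps-reader.yaml hunks.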
@@ -23,123 +23,122 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.OSS_DOMAIN_NAME }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.OSS_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing peers image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd peers - PUSH_IMAGE=0 bash -x ./build.sh - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing peers image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd peers + PUSH_IMAGE=0 bash -x ./build.sh + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("peers") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("peers") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("peers") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - tag: ${image_array[1]} - EOF - done + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + tag: ${image_array[1]} + EOF + done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/peers/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + # Update changed image tag + sed -i "/peers/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,peers,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,peers,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name 
}}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,peers,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: foss - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: foss + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # limit-access-to-actor: true diff --git a/.github/workflows/sourcemaps-reader-ee.yaml b/.github/workflows/sourcemaps-reader-ee.yaml index 0cf92a4a2..bb35ecd10 100644 --- a/.github/workflows/sourcemaps-reader-ee.yaml 
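Review bot: `skip_security_checks=${{ github.event.inputs.skip_security_checks }}` in the build step splices a workflow_dispatch input straight into the generated shell script; the input is a free-form string, so any value that is not a single plain word breaks the assignment, and the usual hardening is to pass it through `env:` (`SKIP_SECURITY_CHECKS: ${{ github.event.inputs.skip_security_checks }}`) and read `skip_security_checks="$SKIP_SECURITY_CHECKS"`. Declaring the input with `type: boolean` in the header hunk would additionally make the dispatch form enforce the `true/false` contract the description asks for. The same interpolation is present in the peers-ee.yaml, sourcemaps-reader-ee.yaml and sourcemaps-reader.yaml hunks.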
+++ b/.github/workflows/sourcemaps-reader-ee.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
@@ -23,124 +23,123 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing sourcemaps-reader image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd sourcemap-reader - PUSH_IMAGE=0 bash -x ./build.sh - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing sourcemaps-reader image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd sourcemap-reader + PUSH_IMAGE=0 bash -x ./build.sh + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("sourcemaps-reader") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("sourcemaps-reader") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("sourcemaps-reader") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - tag: ${image_array[1]} - EOF - done + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + tag: ${image_array[1]} + EOF + done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/sourcemaps-reader/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - sed -i "s/sourcemaps-reader/sourcemapreader/g" /tmp/image_override.yaml + # Update changed image tag + sed -i "/sourcemaps-reader/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + sed -i "s/sourcemaps-reader/sourcemapreader/g" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,sourcemapreader,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,sourcemapreader,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f 
/tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,sourcemapreader,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: foss - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: foss + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # limit-access-to-actor: true 
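Review bot: The build step in this EE workflow sets `DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }}` while the login step authenticates against `EE_REGISTRY_URL` and the deploy step reads `DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}`; peers-ee.yaml uses `EE_REGISTRY_URL` in all three places, so this looks like a copy-paste leftover, and if the two secrets differ the image is scanned and pushed to a registry the deploy never pulls from. The `Creating old image input` heredoc here writes `tag: ${image_array[1]}` verbatim, whereas peers-ee.yaml strips the suffix with `cut -d '-' -f 1` and explains that helm appends `-ee`; if that holds for this chart as well, every untouched service gets a doubled suffix in /tmp/image_override.yaml and should use the same `cut`. Both points predate this commit, which only re-indents the file.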
diff --git a/.github/workflows/sourcemaps-reader.yaml b/.github/workflows/sourcemaps-reader.yaml index cd97a0377..cfb06d91d 100644 --- a/.github/workflows/sourcemaps-reader.yaml +++ b/.github/workflows/sourcemaps-reader.yaml @@ -3,9 +3,9 @@ on: workflow_dispatch: inputs: skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - dev 
@@ -23,124 +23,123 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.OSS_DOMAIN_NAME }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.OSS_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. 
- continue-on-error: true + # Caching docker images + - uses: satackey/action-docker-layer-caching@v0.0.11 + # Ignore the failure of a step and avoid terminating the job. + continue-on-error: true - - - name: Building and Pushing sourcemaps-reader image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd sourcemap-reader - PUSH_IMAGE=0 bash -x ./build.sh - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + - name: Building and Pushing sourcemaps-reader image + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd sourcemap-reader + PUSH_IMAGE=0 bash -x ./build.sh + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("sourcemaps-reader") + for image in ${images[*]};do + ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } images=("sourcemaps-reader") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + docker push $DOCKER_REPO/$image:$IMAGE_TAG done - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("sourcemaps-reader") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - echo > /tmp/image_override.yaml + echo > /tmp/image_override.yaml - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - tag: ${image_array[1]} - EOF - done + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + tag: ${image_array[1]} + EOF + done - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ + - name: Deploy to kubernetes + run: | + cd scripts/helmcharts/ - # Update changed image tag - sed -i "/sourcemaps-reader/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - sed -i "s/sourcemaps-reader/sourcemapreader/g" /tmp/image_override.yaml + # Update changed image tag + sed -i "/sourcemaps-reader/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + sed -i "s/sourcemaps-reader/sourcemapreader/g" /tmp/image_override.yaml - cat /tmp/image_override.yaml - # Deploy command - mv openreplay/charts/{ingress-nginx,sourcemapreader,quickwit} /tmp - rm -rf openreplay/charts/* - mv /tmp/{ingress-nginx,sourcemapreader,quickwit} openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f 
/tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,sourcemapreader,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: foss - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: foss + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # limit-access-to-actor: true 
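Review bot: The `Docker login` step still hands the registry token to the CLI with `-p "${{ secrets.OSS_REGISTRY_TOKEN }}"`, so the secret is expanded into the script text and passed as a process argument (Docker itself warns that `--password` on the command line is insecure); this hunk re-indents the line but keeps the pattern. Move the three values into the step's `env:` (`REGISTRY_URL`, `REGISTRY_USER`, `REGISTRY_TOKEN`) and log in with `echo "$REGISTRY_TOKEN" | docker login "$REGISTRY_URL" -u "$REGISTRY_USER" --password-stdin`. The same `${{ }}`-into-shell pattern is used for `skip_security_checks`, which is user-supplied `workflow_dispatch` input rather than a secret, so it should likewise be read from an `env:` variable instead of being spliced into the script. Separately, the Trivy scanner that gates `docker push` is fetched with `curl -L … | tar -xzf -` and no checksum or signature check, so the control that vets the image is itself unverified; pin the release and verify its published sha256 before extracting.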
diff --git a/.github/workflows/update-tag.yaml b/.github/workflows/update-tag.yaml index 7016d7019..69f7a5ff4 100644 --- a/.github/workflows/update-tag.yaml +++ b/.github/workflows/update-tag.yaml @@ -27,7 +27,7 @@ jobs: run: | git fetch --tags git checkout main - git push origin HEAD:refs/tags/$(git tag --list 'v[0-9]*' --sort=-v:refname | head -n 1) --force + git push rjshrjndn HEAD:refs/tags/$(git tag --list 'v[0-9]*' --sort=-v:refname | head -n 1) # - name: Debug Job # if: ${{ failure() }} # uses: mxschmitt/action-tmate@v3 diff --git a/.github/workflows/workers-ee.yaml b/.github/workflows/workers-ee.yaml index 444f22674..11102e663 100644 --- a/.github/workflows/workers-ee.yaml +++ b/.github/workflows/workers-ee.yaml @@ -6,14 +6,14 @@ on: build_service: description: 'Name of a single service to build(in small letters). "all" to build everything' required: false - default: 'false' + default: "false" skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - - dev + - dev paths: - ee/backend/** - backend/** 
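Review bot: The new push target `rjshrjndn` is a remote that nothing in this hunk adds, so unless it is configured earlier in the step (the step header and any preceding lines are outside the hunk) `git push rjshrjndn HEAD:refs/tags/…` will fail, and if it is a personal fork the job's `GITHUB_TOKEN` would not be authorised to push there in any case. Dropping `--force` also changes semantics: git rejects a non-forced push onto an existing tag ref, and `$(git tag --list 'v[0-9]*' --sort=-v:refname | head -n 1)` selects a tag that by construction already exists, so re-pointing it will be rejected with "already exists". If the intent is to stop force-moving release tags — a good supply-chain property, since consumers pinned to `vX.Y.Z` should not see the commit behind it change — the step should create a new tag rather than push `HEAD` onto the latest one; if this was a one-off test against a fork, restore `origin` before merging.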
@@ -26,162 +26,163 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 - # ref: staging + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 + # ref: staging - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - name: Downloading yq - run: | - VERSION="v4.42.1" - sudo wget https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_linux_amd64 -O /usr/bin/yq - sudo chmod +x /usr/bin/yq + - name: Downloading yq + run: | + VERSION="v4.42.1" + sudo wget https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_linux_amd64 -O /usr/bin/yq + sudo chmod +x /usr/bin/yq - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # 
Use content of kubeconfig in secret. - id: setcontext + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext - # # Caching docker images - # - uses: satackey/action-docker-layer-caching@v0.0.11 - # # Ignore the failure of a step and avoid terminating the job. - # continue-on-error: true + # # Caching docker images + # - uses: satackey/action-docker-layer-caching@v0.0.11 + # # Ignore the failure of a step and avoid terminating the job. + # continue-on-error: true - - name: Build, tag - id: build-image - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - # - # TODO: Check the container tags are same, then skip the build and deployment. - # - # Build a docker container and push it to Docker Registry so that it can be deployed to Kubernetes cluster. - # - # Getting the images to build - # - set -x - touch /tmp/images_to_build.txt - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - tmp_param=${{ github.event.inputs.build_service }} - build_param=${tmp_param:-'false'} - case ${build_param} in - false) - { - git diff --name-only HEAD HEAD~1 | grep -E "backend/pkg|backend/internal" | grep -vE ^ee/ | cut -d '/' -f3 | uniq | while read -r pkg_name ; do - grep -rl "pkg/$pkg_name" backend/services backend/cmd | cut -d '/' -f3 - done - } | awk '!seen[$0]++' > /tmp/images_to_build.txt - ;; - all) - ls backend/cmd > /tmp/images_to_build.txt + - name: Build, tag + id: build-image + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + # + # TODO: Check the container tags are same, then skip the build and deployment. + # + # Build a docker container and push it to Docker Registry so that it can be deployed to Kubernetes cluster. 
+ # + # Getting the images to build + # + set -x + touch /tmp/images_to_build.txt + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + tmp_param=${{ github.event.inputs.build_service }} + build_param=${tmp_param:-'false'} + case ${build_param} in + false) + { + git diff --name-only HEAD HEAD~1 | grep -E "backend/pkg|backend/internal" | grep -vE ^ee/ | cut -d '/' -f3 | uniq | while read -r pkg_name ; do + grep -rl "pkg/$pkg_name" backend/services backend/cmd | cut -d '/' -f3 + done + } | awk '!seen[$0]++' > /tmp/images_to_build.txt ;; - *) - echo ${{github.event.inputs.build_service }} > /tmp/images_to_build.txt - ;; - esac + all) + ls backend/cmd > /tmp/images_to_build.txt + ;; + *) + echo ${{github.event.inputs.build_service }} > /tmp/images_to_build.txt + ;; + esac - if [[ $(cat /tmp/images_to_build.txt) == "" ]]; then - echo "Nothing to build here" - touch /tmp/nothing-to-build-here - exit 0 - fi - # - # Pushing image to registry - # - cd backend - cat /tmp/images_to_build.txt - for image in $(cat /tmp/images_to_build.txt); - do - echo "Bulding $image" - PUSH_IMAGE=0 bash -x ./build.sh ee $image - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ - ./trivy image --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code + if [[ $(cat /tmp/images_to_build.txt) == "" ]]; then + echo "Nothing to build here" + touch /tmp/nothing-to-build-here + exit 0 + fi + # + # Pushing image to registry + # + cd backend + cat /tmp/images_to_build.txt + for image in $(cat /tmp/images_to_build.txt); + do + echo "Bulding $image" + PUSH_IMAGE=0 bash -x ./build.sh ee $image + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + ./trivy image --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" } - } && { - echo "Skipping Security Checks" - } - docker push $DOCKER_REPO/$image:$IMAGE_TAG - echo "::set-output name=image::$DOCKER_REPO/$image:$IMAGE_TAG" - done + docker push $DOCKER_REPO/$image:$IMAGE_TAG + echo "::set-output name=image::$DOCKER_REPO/$image:$IMAGE_TAG" + done - - name: Deploying to kuberntes - env: - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - run: | - # - # Deploying image to environment. - # - set -x - [[ -f /tmp/nothing-to-build-here ]] && exit 0 - cd scripts/helmcharts/ + - name: Deploying to kuberntes + env: + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + run: | + # + # Deploying image to environment. + # + set -x + [[ -f /tmp/nothing-to-build-here ]] && exit 0 + cd scripts/helmcharts/ - set -x - echo > /tmp/image_override.yaml - mkdir /tmp/helmcharts - mv openreplay/charts/ingress-nginx /tmp/helmcharts/ - mv openreplay/charts/quickwit /tmp/helmcharts/ - ## Update images - for image in $(cat /tmp/images_to_build.txt); - do - mv openreplay/charts/$image /tmp/helmcharts/ - cat <>/tmp/image_override.yaml - ${image}: - image: - # We've to strip off the -ee, as helm will append it. 
- tag: ${IMAGE_TAG} - EOF - done - ls /tmp/helmcharts - rm -rf openreplay/charts/* - ls openreplay/charts - mv /tmp/helmcharts/* openreplay/charts/ - ls openreplay/charts + set -x + echo > /tmp/image_override.yaml + mkdir /tmp/helmcharts + mv openreplay/charts/ingress-nginx /tmp/helmcharts/ + mv openreplay/charts/quickwit /tmp/helmcharts/ + mv openreplay/charts/connector /tmp/helmcharts/ + ## Update images + for image in $(cat /tmp/images_to_build.txt); + do + mv openreplay/charts/$image /tmp/helmcharts/ + cat <>/tmp/image_override.yaml + ${image}: + image: + # We've to strip off the -ee, as helm will append it. + tag: ${IMAGE_TAG} + EOF + done + ls /tmp/helmcharts + rm -rf openreplay/charts/* + ls openreplay/charts + mv /tmp/helmcharts/* openreplay/charts/ + ls openreplay/charts - # Deploy command - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true | kubectl apply -f - + # Deploy command + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true | kubectl apply -f - - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: ee - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: ee + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL 
}} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true diff --git a/.github/workflows/workers.yaml b/.github/workflows/workers.yaml index 4c716eccc..e6cccb1e9 100644 --- a/.github/workflows/workers.yaml +++ b/.github/workflows/workers.yaml @@ -6,14 +6,14 @@ on: build_service: description: 'Name of a single service to build(in small letters). "all" to build everything' required: false - default: 'false' + default: "false" skip_security_checks: - description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false' + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false - default: 'false' + default: "false" push: branches: - - dev + - dev paths: - backend/** 
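Review bot: The `Build, tag` step in this hunk runs under `set -x` only, whereas the equivalent step in `workers.yaml` uses `set -xe`, and the difference matters: if `PUSH_IMAGE=0 bash -x ./build.sh ee $image` fails while `skip_security_checks=true`, the loop continues to `docker push`, the trailing `echo "::set-output …"` returns 0, the step passes, and the `Deploying to kuberntes` step templates `${IMAGE_TAG}` into the cluster for an image that was never built or pushed. Change the line to `set -xe` to match `workers.yaml`; the explicit `err_code` check around Trivy already handles the `||`/`&&` list where `-e` is suppressed. While touching it, `::set-output` is deprecated and should become `echo "image=$DOCKER_REPO/$image:$IMAGE_TAG" >> "$GITHUB_OUTPUT"`, and `tmp_param=${{ github.event.inputs.build_service }}` / `echo ${{github.event.inputs.build_service }}` splice a `workflow_dispatch` input straight into the shell script, which should go through an `env:` variable instead.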
@@ -25,156 +25,156 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 - # ref: staging + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 + # ref: staging - - uses: ./.github/composite-actions/update-keys - with: - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys + - uses: ./.github/composite-actions/update-keys + with: + domain_name: ${{ secrets.OSS_DOMAIN_NAME }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.OSS_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" + - name: Docker login + run: | + docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext - - # Caching docker images - # - uses: satackey/action-docker-layer-caching@v0.0.11 - # # Ignore the failure of a step and avoid terminating the job. 
- # continue-on-error: true + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext + # Caching docker images + # - uses: satackey/action-docker-layer-caching@v0.0.11 + # # Ignore the failure of a step and avoid terminating the job. + # continue-on-error: true - - name: Build, tag - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - # - # TODO: Check the container tags are same, then skip the build and deployment. - # - # Build a docker container and push it to Docker Registry so that it can be deployed to Kubernetes cluster. - # - # Getting the images to build - # - set -xe - touch /tmp/images_to_build.txt - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - tmp_param=${{ github.event.inputs.build_service }} - build_param=${tmp_param:-'false'} - case ${build_param} in - false) - { - git diff --name-only HEAD HEAD~1 | grep -E "backend/pkg|backend/internal" | grep -vE ^ee/ | cut -d '/' -f3 | uniq | while read -r pkg_name ; do - grep -rl "pkg/$pkg_name" backend/services backend/cmd | cut -d '/' -f3 - done - } | awk '!seen[$0]++' > /tmp/images_to_build.txt - ;; - all) - ls backend/cmd > /tmp/images_to_build.txt + - name: Build, tag + id: build-image + env: + DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging + run: | + # + # TODO: Check the container tags are same, then skip the build and deployment. + # + # Build a docker container and push it to Docker Registry so that it can be deployed to Kubernetes cluster. 
+ # + # Getting the images to build + # + set -xe + touch /tmp/images_to_build.txt + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + tmp_param=${{ github.event.inputs.build_service }} + build_param=${tmp_param:-'false'} + case ${build_param} in + false) + { + git diff --name-only HEAD HEAD~1 | grep -E "backend/pkg|backend/internal" | grep -vE ^ee/ | cut -d '/' -f3 | uniq | while read -r pkg_name ; do + grep -rl "pkg/$pkg_name" backend/services backend/cmd | cut -d '/' -f3 + done + } | awk '!seen[$0]++' > /tmp/images_to_build.txt ;; - *) - echo ${{github.event.inputs.build_service }} > /tmp/images_to_build.txt - ;; - esac + all) + ls backend/cmd > /tmp/images_to_build.txt + ;; + *) + echo ${{github.event.inputs.build_service }} > /tmp/images_to_build.txt + ;; + esac - if [[ $(cat /tmp/images_to_build.txt) == "" ]]; then - echo "Nothing to build here" - touch /tmp/nothing-to-build-here - exit 0 - fi - # - # Pushing image to registry - # - cd backend - cat /tmp/images_to_build.txt - for image in $(cat /tmp/images_to_build.txt); - do - echo "Bulding $image" - PUSH_IMAGE=0 bash -x ./build.sh skip $image - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ - ./trivy image --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG - err_code=$? 
- [[ $err_code -ne 0 ]] && { - exit $err_code + if [[ $(cat /tmp/images_to_build.txt) == "" ]]; then + echo "Nothing to build here" + touch /tmp/nothing-to-build-here + exit 0 + fi + # + # Pushing image to registry + # + cd backend + cat /tmp/images_to_build.txt + for image in $(cat /tmp/images_to_build.txt); + do + echo "Bulding $image" + PUSH_IMAGE=0 bash -x ./build.sh skip $image + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + ./trivy image --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" } - } && { - echo "Skipping Security Checks" - } - docker push $DOCKER_REPO/$image:$IMAGE_TAG - echo "::set-output name=image::$DOCKER_REPO/$image:$IMAGE_TAG" - done + docker push $DOCKER_REPO/$image:$IMAGE_TAG + echo "::set-output name=image::$DOCKER_REPO/$image:$IMAGE_TAG" + done - - name: Deploying to kuberntes - env: - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - run: | - # - # Deploying image to environment. - # - set -x - [[ -f /tmp/nothing-to-build-here ]] && exit 0 - cd scripts/helmcharts/ + - name: Deploying to kuberntes + env: + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + run: | + # + # Deploying image to environment. + # + set -x + [[ -f /tmp/nothing-to-build-here ]] && exit 0 + cd scripts/helmcharts/ - set -x - echo > /tmp/image_override.yaml - mkdir /tmp/helmcharts - mv openreplay/charts/ingress-nginx /tmp/helmcharts/ - mv openreplay/charts/quickwit /tmp/helmcharts/ - ## Update images - for image in $(cat /tmp/images_to_build.txt); - do - mv openreplay/charts/$image /tmp/helmcharts/ - cat <>/tmp/image_override.yaml - ${image}: - image: - # We've to strip off the -ee, as helm will append it. 
- tag: ${IMAGE_TAG} - EOF - done - ls /tmp/helmcharts - rm -rf openreplay/charts/* - ls openreplay/charts - mv /tmp/helmcharts/* openreplay/charts/ - ls openreplay/charts + set -x + echo > /tmp/image_override.yaml + mkdir /tmp/helmcharts + mv openreplay/charts/ingress-nginx /tmp/helmcharts/ + mv openreplay/charts/quickwit /tmp/helmcharts/ + mv openreplay/charts/connector /tmp/helmcharts/ + ## Update images + for image in $(cat /tmp/images_to_build.txt); + do + mv openreplay/charts/$image /tmp/helmcharts/ + cat <>/tmp/image_override.yaml + ${image}: + image: + # We've to strip off the -ee, as helm will append it. + tag: ${IMAGE_TAG} + EOF + done + ls /tmp/helmcharts + rm -rf openreplay/charts/* + ls openreplay/charts + mv /tmp/helmcharts/* openreplay/charts/ + ls openreplay/charts - # Deploy command - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true | kubectl apply -f - + # Deploy command + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true | kubectl apply -f - - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: foss - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: 'Build failed :bomb:' - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true + - name: Alert slack + if: ${{ failure() }} + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_CHANNEL: foss + SLACK_TITLE: "Failed ${{ github.workflow }}" + SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' + 
SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} + SLACK_USERNAME: "OR Bot" + SLACK_MESSAGE: "Build failed :bomb:" + # - name: Debug Job + # # if: ${{ failure() }} + # uses: mxschmitt/action-tmate@v3 + # env: + # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # IMAGE_TAG: ${{ github.sha }}-ee + # ENVIRONMENT: staging + # with: + # iimit-access-to-actor: true
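Review bot: In the `Build, tag` step, `tmp_param=${{ github.event.inputs.build_service }}` and `echo ${{github.event.inputs.build_service }} > /tmp/images_to_build.txt` expand a `workflow_dispatch` input into the script text before bash parses it, so a value such as `x; <command>` runs on a runner that holds `OSS_KUBECONFIG` and the registry token — the documented GitHub Actions script-injection pattern, limited here to whoever can dispatch the workflow but still worth closing. Add `BUILD_SERVICE: ${{ github.event.inputs.build_service }}` to the step's `env:` and use `tmp_param="$BUILD_SERVICE"` and `echo "$build_param" > /tmp/images_to_build.txt`; do the same for `skip_security_checks`. The value is later used unquoted in `mv openreplay/charts/$image /tmp/helmcharts/`, so validating it against `ls backend/cmd` before the `*)` branch writes it would also stop a typo from deleting unrelated charts via the following `rm -rf openreplay/charts/*`.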