diff --git a/.github/workflows/assist-server-ee.yaml b/.github/workflows/assist-server-ee.yaml new file mode 100644 index 000000000..62f857f9d --- /dev/null +++ b/.github/workflows/assist-server-ee.yaml @@ -0,0 +1,122 @@ +# This action will push the assist changes to aws +on: + workflow_dispatch: + inputs: + skip_security_checks: + description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" + required: false + default: "false" + push: + branches: + - dev + paths: + - "ee/assist-server/**" + +name: Build and Deploy Assist-Server EE + +jobs: + deploy: + name: Deploy + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + # We need to diff with old commit + # to see which workers got changed. + fetch-depth: 2 + + - uses: ./.github/composite-actions/update-keys + with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} + domain_name: ${{ secrets.EE_DOMAIN_NAME }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} + jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} + minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} + minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} + pg_password: ${{ secrets.EE_PG_PASSWORD }} + registry_url: ${{ secrets.OSS_REGISTRY_URL }} + name: Update Keys + + - name: Docker login + run: | + docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" + + - uses: azure/k8s-set-context@v1 + with: + method: kubeconfig + kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. + id: setcontext + + - name: Building and Pushing Assist-Server image + id: build-image + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee + ENVIRONMENT: staging + run: | + skip_security_checks=${{ github.event.inputs.skip_security_checks }} + cd assist-server + PUSH_IMAGE=0 bash -x ./build.sh ee + [[ "x$skip_security_checks" == "xtrue" ]] || { + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ + images=("assist-server") + for image in ${images[*]};do + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + done + err_code=$? + [[ $err_code -ne 0 ]] && { + exit $err_code + } + } && { + echo "Skipping Security Checks" + } + images=("assist-server") + for image in ${images[*]};do + docker push $DOCKER_REPO/$image:$IMAGE_TAG + done + - name: Creating old image input + run: | + # + # Create yaml with existing image tags + # + kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ + tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt + + echo > /tmp/image_override.yaml + + for line in `cat /tmp/image_tag.txt`; + do + image_array=($(echo "$line" | tr ':' '\n')) + cat <> /tmp/image_override.yaml + ${image_array[0]}: + image: + # We've to strip off the -ee, as helm will append it. + tag: `echo ${image_array[1]} | cut -d '-' -f 1` + EOF + done + - name: Deploy to kubernetes + run: | + pwd + cd scripts/helmcharts/ + + # Update changed image tag + sed -i "/assist-server/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml + + cat /tmp/image_override.yaml + # Deploy command + mkdir -p /tmp/charts + mv openreplay/charts/{ingress-nginx,assist-server,quickwit,connector} /tmp/charts/ + rm -rf openreplay/charts/* + mv /tmp/charts/* openreplay/charts/ + helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - + env: + DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} + # We're not passing -ee flag, because helm will add that. + IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} + ENVIRONMENT: staging