diff --git a/.github/workflows/peers-ee.yaml b/.github/workflows/peers-ee.yaml deleted file mode 100644 index 58d06a190..000000000 --- a/.github/workflows/peers-ee.yaml +++ /dev/null @@ -1,150 +0,0 @@ -# This action will push the peers changes to aws -on: - workflow_dispatch: - inputs: - skip_security_checks: - description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" - required: false - default: "false" - push: - branches: - - dev - paths: - - "ee/peers/**" - - "peers/**" - - "!peers/.gitignore" - - "!peers/*-dev.sh" - -name: Build and Deploy Peers EE - -jobs: - deploy: - name: Deploy - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 - - - uses: ./.github/composite-actions/update-keys - with: - assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} - assist_key: ${{ secrets.ASSIST_KEY }} - domain_name: ${{ secrets.EE_DOMAIN_NAME }} - jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} - jwt_secret: ${{ secrets.EE_JWT_SECRET }} - jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} - jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} - license_key: ${{ secrets.EE_LICENSE_KEY }} - minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.EE_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys - - - name: Docker login - run: | - docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" - - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext - - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. - continue-on-error: true - - - name: Building and Pushing peers image - id: build-image - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd peers - PUSH_IMAGE=0 bash -x ./build.sh ee - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ - images=("peers") - for image in ${images[*]};do - ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG - done - err_code=$? - [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("peers") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - - echo > /tmp/image_override.yaml - - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - # We've to strip off the -ee, as helm will append it. - tag: `echo ${image_array[1]} | cut -d '-' -f 1` - EOF - done - - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ - - # Update changed image tag - sed -i "/peers/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - - cat /tmp/image_override.yaml - # Deploy command - mkdir -p /tmp/charts - mv openreplay/charts/{ingress-nginx,peers,quickwit,connector} /tmp/charts/ - rm -rf openreplay/charts/* - mv /tmp/charts/* openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - - env: - DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: ee - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: "Build failed :bomb:" - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # iimit-access-to-actor: true diff --git a/.github/workflows/peers.yaml b/.github/workflows/peers.yaml deleted file mode 100644 index 564e8c41f..000000000 --- a/.github/workflows/peers.yaml +++ /dev/null @@ -1,148 +0,0 @@ -# This action will push the peers changes to aws -on: - workflow_dispatch: - inputs: - skip_security_checks: - description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" - required: false - default: "false" - push: - branches: - - dev - paths: - - "peers/**" - - "!peers/.gitignore" - - "!peers/*-dev.sh" - -name: Build and Deploy Peers - -jobs: - deploy: - name: Deploy - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # We need to diff with old commit - # to see which workers got changed. - fetch-depth: 2 - - - uses: ./.github/composite-actions/update-keys - with: - assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} - assist_key: ${{ secrets.ASSIST_KEY }} - domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} - jwt_secret: ${{ secrets.OSS_JWT_SECRET }} - jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} - jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} - minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} - minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} - pg_password: ${{ secrets.OSS_PG_PASSWORD }} - registry_url: ${{ secrets.OSS_REGISTRY_URL }} - name: Update Keys - - - name: Docker login - run: | - docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - - - uses: azure/k8s-set-context@v1 - with: - method: kubeconfig - kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. - id: setcontext - - # Caching docker images - - uses: satackey/action-docker-layer-caching@v0.0.11 - # Ignore the failure of a step and avoid terminating the job. - continue-on-error: true - - - name: Building and Pushing peers image - id: build-image - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - run: | - skip_security_checks=${{ github.event.inputs.skip_security_checks }} - cd peers - PUSH_IMAGE=0 bash -x ./build.sh - [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ - images=("peers") - for image in ${images[*]};do - ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG - done - err_code=$? - [[ $err_code -ne 0 ]] && { - exit $err_code - } - } && { - echo "Skipping Security Checks" - } - images=("peers") - for image in ${images[*]};do - docker push $DOCKER_REPO/$image:$IMAGE_TAG - done - - name: Creating old image input - run: | - # - # Create yaml with existing image tags - # - kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ - tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt - - echo > /tmp/image_override.yaml - - for line in `cat /tmp/image_tag.txt`; - do - image_array=($(echo "$line" | tr ':' '\n')) - cat <> /tmp/image_override.yaml - ${image_array[0]}: - image: - tag: ${image_array[1]} - EOF - done - - - name: Deploy to kubernetes - run: | - cd scripts/helmcharts/ - - # Update changed image tag - sed -i "/peers/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml - - cat /tmp/image_override.yaml - # Deploy command - mkdir -p /tmp/charts - mv openreplay/charts/{ingress-nginx,peers,quickwit,connector} /tmp/charts/ - rm -rf openreplay/charts/* - mv /tmp/charts/* openreplay/charts/ - helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - - env: - DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} - IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} - ENVIRONMENT: staging - - - name: Alert slack - if: ${{ failure() }} - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: foss - SLACK_TITLE: "Failed ${{ github.workflow }}" - SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' - SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} - SLACK_USERNAME: "OR Bot" - SLACK_MESSAGE: "Build failed :bomb:" - - # - name: Debug Job - # # if: ${{ failure() }} - # uses: mxschmitt/action-tmate@v3 - # env: - # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} - # IMAGE_TAG: ${{ github.sha }}-ee - # ENVIRONMENT: staging - # with: - # limit-access-to-actor: true