# This action will push the assist-stats changes to aws on: workflow_dispatch: inputs: skip_security_checks: description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" required: false default: "false" push: branches: - dev paths: - "assist-stats/**" - "!assist-stats/.gitignore" - "!assist-stats/*-dev.sh" - "!assist-stats/requirements-*.txt" name: Build and Deploy Assist Stats ee jobs: deploy: name: Deploy runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 with: # We need to diff with old commit # to see which workers got changed. fetch-depth: 2 - uses: ./.github/composite-actions/update-keys with: assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} registry_url: ${{ secrets.OSS_REGISTRY_URL }} name: Update Keys - name: Docker login run: | docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" - uses: azure/k8s-set-context@v1 with: method: kubeconfig kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. id: setcontext # Caching docker images - uses: satackey/action-docker-layer-caching@v0.0.11 # Ignore the failure of a step and avoid terminating the job. continue-on-error: true - name: Building and Pushing assist-stats image id: build-image env: DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee ENVIRONMENT: staging run: | skip_security_checks=${{ github.event.inputs.skip_security_checks }} cd assist-stats PUSH_IMAGE=0 bash -x ./build.sh ee [[ "x$skip_security_checks" == "xtrue" ]] || { curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("assist-stats") for image in ${images[*]};do ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { exit $err_code } } && { echo "Skipping Security Checks" } images=("assist-stats") for image in ${images[*]};do docker push $DOCKER_REPO/$image:$IMAGE_TAG done ### Enterprise code deployment - uses: azure/k8s-set-context@v1 with: method: kubeconfig kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. id: setcontextee - uses: ./.github/composite-actions/update-keys with: assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} registry_url: ${{ secrets.OSS_REGISTRY_URL }} name: Update Keys - name: Deploy to kubernetes ee run: | cd scripts/helmcharts/ cat </tmp/image_override.yaml assist-stats: image: # We've to strip off the -ee, as helm will append it. tag: ${IMAGE_TAG} EOF export IMAGE_TAG=${IMAGE_TAG} # Update changed image tag yq '.utilities.apiCrons.assiststats.image.tag = strenv(IMAGE_TAG)' -i /tmp/image_override.yaml cat /tmp/image_override.yaml # Deploy command mkdir -p /tmp/charts mv openreplay/charts/{ingress-nginx,assist-stats,quickwit,connector,assist-api} /tmp/charts/ rm -rf openreplay/charts/* mv /tmp/charts/* openreplay/charts/ helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -f - env: DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} # We're not passing -ee flag, because helm will add that. IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} ENVIRONMENT: staging - name: Alert slack if: ${{ failure() }} uses: rtCamp/action-slack-notify@v2 env: SLACK_CHANNEL: foss SLACK_TITLE: "Failed ${{ github.workflow }}" SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} SLACK_USERNAME: "OR Bot" SLACK_MESSAGE: "Build failed :bomb:" # - name: Debug Job # # if: ${{ failure() }} # uses: mxschmitt/action-tmate@v3 # env: # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} # IMAGE_TAG: ${{ github.sha }}-ee # ENVIRONMENT: staging # with: # limit-access-to-actor: true