155 lines
5.8 KiB
YAML
155 lines
5.8 KiB
YAML
# This action will push the alerts changes to aws
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
skip_security_checks:
|
|
description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false'
|
|
required: false
|
|
default: 'false'
|
|
push:
|
|
branches:
|
|
- dev
|
|
- api-*
|
|
paths:
|
|
- "ee/api/**"
|
|
- "api/**"
|
|
- "!api/.gitignore"
|
|
- "!api/routers"
|
|
- "!api/app.py"
|
|
- "!api/*-dev.sh"
|
|
- "!api/requirements.txt"
|
|
- "!api/requirements-crons.txt"
|
|
- "!ee/api/.gitignore"
|
|
- "!ee/api/routers"
|
|
- "!ee/api/app.py"
|
|
- "!ee/api/*-dev.sh"
|
|
- "!ee/api/requirements.txt"
|
|
- "!ee/api/requirements-crons.txt"
|
|
|
|
|
|
name: Build and Deploy Alerts EE
|
|
|
|
jobs:
|
|
deploy:
|
|
name: Deploy
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
with:
|
|
# We need to diff with old commit
|
|
# to see which workers got changed.
|
|
fetch-depth: 2
|
|
|
|
- name: Docker login
|
|
run: |
|
|
docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}"
|
|
|
|
- uses: azure/k8s-set-context@v1
|
|
with:
|
|
method: kubeconfig
|
|
kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret.
|
|
id: setcontext
|
|
|
|
# Caching docker images
|
|
- uses: satackey/action-docker-layer-caching@v0.0.11
|
|
# Ignore the failure of a step and avoid terminating the job.
|
|
continue-on-error: true
|
|
|
|
|
|
- name: Building and Pushing api image
|
|
id: build-image
|
|
env:
|
|
DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
|
|
IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee
|
|
ENVIRONMENT: staging
|
|
run: |
|
|
skip_security_checks=${{ github.event.inputs.skip_security_checks }}
|
|
cd api
|
|
PUSH_IMAGE=0 bash -x ./build_alerts.sh ee
|
|
[[ "x$skip_security_checks" == "xtrue" ]] || {
|
|
curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./
|
|
images=("alerts")
|
|
for image in ${images[*]};do
|
|
./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG
|
|
done
|
|
err_code=$?
|
|
[[ $err_code -ne 0 ]] && {
|
|
exit $err_code
|
|
}
|
|
} && {
|
|
echo "Skipping Security Checks"
|
|
}
|
|
images=("alerts")
|
|
for image in ${images[*]};do
|
|
docker push $DOCKER_REPO/$image:$IMAGE_TAG
|
|
done
|
|
- name: Creating old image input
|
|
run: |
|
|
#
|
|
# Create yaml with existing image tags
|
|
#
|
|
kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\
|
|
tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt
|
|
|
|
echo > /tmp/image_override.yaml
|
|
|
|
for line in `cat /tmp/image_tag.txt`;
|
|
do
|
|
image_array=($(echo "$line" | tr ':' '\n'))
|
|
cat <<EOF >> /tmp/image_override.yaml
|
|
${image_array[0]}:
|
|
image:
|
|
# We've to strip off the -ee, as helm will append it.
|
|
tag: `echo ${image_array[1]} | cut -d '-' -f 1`
|
|
EOF
|
|
done
|
|
|
|
- name: Deploy to kubernetes
|
|
run: |
|
|
cd scripts/helmcharts/
|
|
|
|
## Update secerts
|
|
sed -i "s#openReplayContainerRegistry.*#openReplayContainerRegistry: \"${{ secrets.OSS_REGISTRY_URL }}\"#g" vars.yaml
|
|
sed -i "s/postgresqlPassword: \"changeMePassword\"/postgresqlPassword: \"${{ secrets.EE_PG_PASSWORD }}\"/g" vars.yaml
|
|
sed -i "s/accessKey: \"changeMeMinioAccessKey\"/accessKey: \"${{ secrets.EE_MINIO_ACCESS_KEY }}\"/g" vars.yaml
|
|
sed -i "s/secretKey: \"changeMeMinioPassword\"/secretKey: \"${{ secrets.EE_MINIO_SECRET_KEY }}\"/g" vars.yaml
|
|
sed -i "s/jwt_secret: \"SetARandomStringHere\"/jwt_secret: \"${{ secrets.EE_JWT_SECRET }}\"/g" vars.yaml
|
|
sed -i "s/domainName: \"\"/domainName: \"${{ secrets.EE_DOMAIN_NAME }}\"/g" vars.yaml
|
|
sed -i "s/enterpriseEditionLicense: \"\"/enterpriseEditionLicense: \"${{ secrets.EE_LICENSE_KEY }}\"/g" vars.yaml
|
|
|
|
# Update changed image tag
|
|
sed -i "/alerts/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml
|
|
|
|
cat /tmp/image_override.yaml
|
|
# Deploy command
|
|
mv openreplay/charts/{ingress-nginx,alerts,quickwit} /tmp
|
|
rm -rf openreplay/charts/*
|
|
mv /tmp/{ingress-nginx,alerts,quickwit} openreplay/charts/
|
|
helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f -
|
|
env:
|
|
DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
|
|
# We're not passing -ee flag, because helm will add that.
|
|
IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
|
|
ENVIRONMENT: staging
|
|
|
|
- name: Alert slack
|
|
if: ${{ failure() }}
|
|
uses: rtCamp/action-slack-notify@v2
|
|
env:
|
|
SLACK_CHANNEL: ee
|
|
SLACK_TITLE: "Failed ${{ github.workflow }}"
|
|
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }}
|
|
SLACK_USERNAME: "OR Bot"
|
|
SLACK_MESSAGE: 'Build failed :bomb:'
|
|
|
|
# - name: Debug Job
|
|
# # if: ${{ failure() }}
|
|
# uses: mxschmitt/action-tmate@v3
|
|
# env:
|
|
# DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
|
|
# IMAGE_TAG: ${{ github.sha }}-ee
|
|
# ENVIRONMENT: staging
|
|
|