Security updates #557
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
release: | |
types: [published, prereleased, edited] | |
push: | |
branches: | |
- master | |
pull_request: | |
jobs: | |
build-docker: | |
name: Build Dockerfile-controller | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Cache Docker layers | |
uses: actions/cache@v3 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
- name: Build image | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
file: ./Dockerfile-controller | |
tags: equinor/gordo-controller:latest | |
load: true | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: equinor/gordo-controller:latest | |
format: 'table' | |
exit-code: '10' | |
ignore-unfixed: true | |
hide-progress: true | |
severity: 'CRITICAL,HIGH' | |
timeout: '5m' | |
- | |
# Temp fix | |
# https://github.com/docker/build-push-action/issues/252 | |
# https://github.com/moby/buildkit/issues/1896 | |
name: Move cache | |
run: | | |
rm -rf /tmp/.buildx-cache | |
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
test: | |
name: Test ${{ matrix.rust }} on ${{ matrix.os }} | |
needs: build-docker | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-latest] | |
rust: [stable] | |
env: | |
KUBERNETES_VERSION: v1.23.15 | |
MINIKUBE_VERSION: v1.27.1 | |
MINIKUBE_SHA256: "159bc79f3914dadb7c9f56b6e9d5b73a1c54acb26dca8f1ea84b99ff5da42620" | |
MINIKUBE_HOME: /home/runner | |
KUBECONFIG: /home/runner/.kube/config | |
CHANGE_MINIKUBE_NONE_USER: "true" | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Setup Rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
toolchain: ${{ matrix.rust }} | |
- name: Cargo cache | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
target | |
key: ${{ runner.os }}-${{ runner.rust }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Cache Docker layers | |
uses: actions/cache@v3 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
- name: Build image | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
file: ./Dockerfile-controller | |
tags: ${{ steps.prep.outputs.base_image }} | |
load: true | |
cache-from: type=local,src=/tmp/.buildx-cache | |
- name: Install kubectl | |
run: | | |
sudo curl -L -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.19.0/bin/linux/amd64/kubectl | |
sudo chmod +x /usr/bin/kubectl | |
- name: Install kustomize | |
run: | | |
sudo curl -L -o /usr/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 | |
sudo chmod +x /usr/bin/kustomize | |
- name: Build all kustomize overlays | |
run: | | |
sudo kustomize build k8s/production | |
sudo kustomize build k8s/minikube | |
- name: Install minikube | |
run: | | |
set -e | |
sudo apt-get update | |
sudo apt-get install -y conntrack | |
sudo curl -L -o /usr/bin/minikube https://storage.googleapis.com/minikube/releases/${MINIKUBE_VERSION}/minikube-linux-amd64 | |
echo "${MINIKUBE_SHA256} /usr/bin/minikube" | sha256sum -c --status | |
sudo chmod +x /usr/bin/minikube | |
- name: Start minikube | |
run: | | |
sudo -E /usr/bin/minikube start --kubernetes-version=${KUBERNETES_VERSION} --vm-driver=none --container-runtime=docker || journalctl -xeu kubelet | |
sudo chown -R $USER $HOME/.minikube $HOME/.kube | |
- name: Build image | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
file: ./Dockerfile-controller | |
tags: equinor/gordo-controller:latest | |
load: true | |
cache-from: type=local,src=/tmp/.buildx-cache-new | |
- name: Run gordo-controller on minikube | |
run: | | |
kubectl apply -k k8s/minikube -n default || echo "Skipping on Istio error" | |
bash scripts/wait_gordo_controller.sh | |
- name: Test CRDs | |
run: | | |
kubectl get gordos > /dev/null | |
kubectl get models > /dev/null | |
- name: Unit tests | |
env: | |
KUBERNETES_SERVICE_HOST: localhost | |
KUBERNETES_SERVICE_PORT: 8443 | |
RUST_BACKTRACE: 1 | |
run: | |
cargo test --tests -- --test-threads=1 | |
- name: Integration Tests | |
env: | |
DEPLOY_IMAGE: "gordo-infrastructure/gordo-deploy" | |
DOCKER_REGISTRY: "docker.io" | |
run: | | |
bash scripts/integration_tests.sh | |
push-image: | |
name: Push docker images | |
needs: build-docker | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_LICENSE: AGPL-3.0 | |
IMAGE_HOME_URL: https://github.com/equinor/gordo-controller | |
DOCKER_REGISTRY: ghcr.io | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Prepare variables | |
id: prep | |
run: | | |
python3 scripts/github_docker.py -r equinor -i gordo-controller | |
- name: Cache Docker layers | |
uses: actions/cache@v3 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
- name: Login to production CR | |
uses: docker/login-action@v2 | |
if: ${{ steps.prep.outputs.login_prod_cr }} | |
with: | |
registry: ${{ env.DOCKER_PROD_REGISTRY }} | |
username: ${{ secrets.DOCKER_PROD_USERNAME }} | |
password: ${{ secrets.DOCKER_PROD_TOKEN }} | |
- name: Login to CR | |
uses: docker/login-action@v2 | |
if: ${{ steps.prep.outputs.login_cr }} | |
with: | |
registry: ${{ env.DOCKER_REGISTRY }} | |
username: ${{ secrets.DOCKER_GITHUB_USER }} | |
password: ${{ secrets.DOCKER_GITHUB_PASSWORD }} | |
- name: Build and push | |
uses: docker/build-push-action@v3 | |
if: ${{ steps.prep.outputs.push_image }} | |
with: | |
push: true | |
context: . | |
file: ./Dockerfile-controller | |
tags: ${{ steps.prep.outputs.tags_gordo_base }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
labels: | | |
org.opencontainers.image.title=gordo-controller | |
org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} | |
org.opencontainers.image.source=${{ env.IMAGE_HOME_URL }} | |
org.opencontainers.image.version=${{ steps.prep.outputs.version }} | |
org.opencontainers.image.created=${{ steps.prep.outputs.created }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }} |