forked from kubeflow/kubeflow
-
Notifications
You must be signed in to change notification settings - Fork 3
145 lines (129 loc) · 5.33 KB
/
build-kfam.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: component/access-management
on:
push:
branches:
- kubeflow-aaw2.0
paths:
- components/access-management/**
pull_request:
paths:
- components/access-management/**
types:
- 'opened'
- 'synchronize'
- 'reopened'
schedule:
- cron: '0 22 * * *'
# Environment variables available to all jobs and steps in this workflow
env:
REGISTRY_NAME: k8scc01covidacr
DEV_REGISTRY_NAME: k8scc01covidacrdev
CLUSTER_NAME: k8s-cancentral-02-covid-aks
CLUSTER_RESOURCE_GROUP: k8s-cancentral-01-covid-aks
TRIVY_VERSION: "v0.57.0"
TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
TRIVY_MAX_RETRIES: 5
TRIVY_RETRY_DELAY: 20
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
HADOLINT_VERSION: "2.12.0"
jobs:
build-push:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- uses: actions/checkout@v2
# Determine if pushing to Prod or Dev ACR
- name: Set ENV variables for a PR containing the auto-deploy tag
if: github.event_name == 'pull_request' && contains( github.event.pull_request.labels.*.name, 'auto-deploy')
run: echo "REGISTRY=${{env.DEV_REGISTRY_NAME}}.azurecr.io" >> "$GITHUB_ENV"
- name: Set ENV variable for pushes to master
if: github.event_name == 'push' && github.ref == 'refs/heads/kubeflow-aaw2.0'
run: echo "REGISTRY=${{env.REGISTRY_NAME}}.azurecr.io" >> "$GITHUB_ENV"
# Connect to Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
# Connect to DEV Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.DEV_REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.DEV_REGISTRY_USERNAME }}
password: ${{ secrets.DEV_REGISTRY_PASSWORD }}
- name: Run Hadolint
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
sudo chmod +x hadolint
./hadolint ./components/access-management/Dockerfile --no-fail
# Container build to a Azure Container registry (ACR)
- name: Docker build
run: |
docker build \
-t localhost:5000/kubeflow/kfam:${{ github.sha }} \
components/access-management/
docker push localhost:5000/kubeflow/kfam:${{ github.sha }}
docker image prune
# Scan image for vulnerabilities
- name: Aqua Security Trivy image scan
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
set +e # Lets trivy return an error without it being fatal
for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."
trivy image \
--db-repository ${{ env.TRIVY_DATABASES }} \
--java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
localhost:5000/kubeflow/kfam:${{ github.sha }} \
--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \
EXIT_CODE=$?
if [[ $EXIT_CODE -eq 0 ]]; then
echo "Trivy scan completed successfully."
exit 0
elif [[ $EXIT_CODE -eq 10 ]]; then
echo "Trivy scan completed successfully. Some vulnerabilities were found."
exit 10
elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then
echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
sleep ${{ env.TRIVY_RETRY_DELAY }}
else
echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
exit 1
fi
done
# Run Dockle
- name: Run dockle
uses: goodwithtech/dockle-action@main
with:
image: localhost:5000/kubeflow/kfam:${{ github.sha }}
format: 'list'
exit-code: '0'
exit-level: 'fatal'
ignore: 'DKL-DI-0006'
# Pushes if this is a push to master or an update to a PR that has auto-deploy label
- name: Test if we should push to ACR
id: should-i-push
if: |
github.event_name == 'push' ||
(
github.event_name == 'pull_request' &&
contains( github.event.pull_request.labels.*.name, 'auto-deploy')
)
run: echo "::set-output name=boolean::true"
- name: Docker push
if: steps.should-i-push.outputs.boolean == 'true'
run: |
docker pull localhost:5000/kubeflow/kfam:${{ github.sha }}
docker tag localhost:5000/kubeflow/kfam:${{ github.sha }} ${{ env.REGISTRY }}/kubeflow/kfam:${{ github.sha }}
docker push ${{ env.REGISTRY }}/kubeflow/kfam:${{ github.sha }}
- name: Slack Notification
if: failure() && github.event_name=='schedule'
uses: act10ns/slack@v1
with:
status: failure
message: kubeflow build failed. https://github.com/StatCan/kubeflow/actions/runs/${{github.run_id}}