Merge pull request #1 from contino/main

merge
drewkhoury · May 25, 2022 · 3e651c8 · 3e651c8
2 parents 014d2b3 + 066885d
commit 3e651c8
Show file tree

Hide file tree

Showing 24 changed files with 632 additions and 312 deletions.
diff --git a/.github/workflows/create-diagram.yml b/.github/workflows/create-diagram.yml
@@ -4,7 +4,7 @@ on:
     tags:
       - v*
     branches:
-      - master
+      - main
   pull_request:
 jobs:
   repo-visuals:

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,75 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Deploy to k8s
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  PROJECT_ID: ${{ secrets.GKE_PROJECT }} # contini-XXX-de5a
+  GKE_CLUSTER: gke-test-2022 # Add your cluster name here.
+  GKE_ZONE: us-central1    # Add your cluster zone here.
+  DEPLOYMENT_NAME: gke-hello-app  # Add your deployment name here.
+  IMAGE: go-hello-world
+
+jobs:
+  setup-build-publish-deploy:
+    name: Setup, Build, Publish, and Deploy
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    # Setup gcloud CLI
+    - uses: google-github-actions/setup-gcloud@94337306dda8180d967a56932ceb4ddcf01edae7
+      with:
+        service_account_key: ${{ secrets.GKE_SA_KEY }}
+        project_id: ${{ secrets.GKE_PROJECT }}
+
+    # Configure Docker to use the gcloud command-line tool as a credential
+    # helper for authentication
+    - run: |-
+        gcloud --quiet auth configure-docker
+
+    # Get the GKE credentials so we can deploy to the cluster
+    - uses: google-github-actions/get-gke-credentials@fb08709ba27618c31c09e014e1d8364b02e5042e
+      with:
+        cluster_name: ${{ env.GKE_CLUSTER }}
+        location: ${{ env.GKE_ZONE }}
+        credentials: ${{ secrets.GKE_SA_KEY }}
+
+    # Build the Docker image
+    - name: Build
+      run: |-
+        docker build \
+          --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
+          --build-arg GITHUB_SHA="$GITHUB_SHA" \
+          --build-arg GITHUB_REF="$GITHUB_REF" \
+          .
+
+    # Push the Docker image to Google Container Registry
+    - name: Publish
+      run: |-
+        docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
+
+    # Set up kustomize
+    - name: Set up Kustomize
+      run: |-
+        curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+        chmod u+x ./kustomize
+
+    # Deploy the Docker image to the GKE cluster
+    - name: Deploy
+      run: |-
+        ./kustomize edit set image gcr.io/$PROJECT_ID/$IMAGE:latest=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
+        ./kustomize build . | kubectl apply -f -
+        kubectl rollout status deployment/$DEPLOYMENT_NAME
+        kubectl get services -o wide
diff --git a/.github/workflows/google.yml b/.github/workflows/google.yml
diff --git a/.github/workflows/main-test.yml.backup b/.github/workflows/main-test.yml.backup
@@ -0,0 +1,39 @@
+# Used to test things during PR's that would normally only happen on main branch
+#
+# eg updates to dynamodb table
+#
+
+name: Main CI (TESTING for PRs)
+
+on:
+  pull_request:
+      types: [opened, synchronize, reopened]
+
+env:
+  IMAGE_NAME: go-hello-world
+  GITHUB_TOKEN: ${{ secrets.GITHUBTOKEN }}
+
+jobs:
+
+  buildtest:
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: checkout repo
+      uses: actions/checkout@v2
+
+    - name: Create DynamboDB Table in AWS - To store metadata (one-time)
+      run: make create_table
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        AWS_DEFAULT_REGION: us-east-2
+
+    # - name: Create tags in DynamboDB Table in AWS - Metadata for this commit
+    #   run: make create_tags
+    #   env:
+    #     PIPELINE_ID: ${GITHUB_RUN_ID}-${GITHUB_RUN_NUMBER}
+    #     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    #     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    #     AWS_DEFAULT_REGION: us-east-2
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,131 +1,77 @@
-name: CI
+name: Main CI
 
 on:
   push:
     # Publish `master` as Docker `latest` image.
     branches:
-      - master
+      - main
 
     # Publish `v1.2.3` tags as releases.
     tags:
       - v*
 
   # Run tests for any PRs.
   pull_request:
-
-env:
-  IMAGE_NAME: go-hello-world
-  GITHUB_TOKEN: ${{ secrets.GITHUBTOKEN }} # not sure why gh didn't let me create a secret with an underscore in it????????
+    types: [opened, synchronize, reopened]
 
 jobs:
-  security:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'
-
-    steps:
-    - uses: actions/checkout@v2
-    - uses: ynniss/golang-security-action@master
-      with:
-        CODE_PATH: "./src/" 
-
-  security-gosec:
-    runs-on: ubuntu-latest
-    env:
-      GO111MODULE: on
-    steps:
-      - name: Checkout Source
-        uses: actions/checkout@v2
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          args: ./...
 
   build:
 
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
+#    if: github.event_name == 'push'
 
     steps:
-    - uses: actions/checkout@v2
-
-    # this will cause a failure which is only in some demos but annoying in others  
-    #- uses: ynniss/golang-security-action@master
-    #  with:
-    #    #CODE_PATH: "./src/" # <<< we should move our go source into a generic src container so the refernce app is nicely organized and it's easier to build/find source
-    #    CODE_PATH: "./"
-
-
-
-
-
-
-
-
-
-
-
-
+    - name: checkout code
+      uses: actions/checkout@v2
 
     - name: Tests
       run: make test
-      
+
     - name: Build the Go package
       run: make build
 
+    - name: Security Tests
+      run: make security 
+
+    - name: Archive security results
+      uses: actions/upload-artifact@v2
+      with:
+        name: security-report
+        path: security-report
+
+
     - name: Run the Go package locally (detached)
       run: make run
 
-    #- name: Create DynamboDB Table in AWS
-    #  run: make create_table
-    #  env:
-    #    FOO: ${{ secrets.FOO }}
-    #    BAR: "BAZ"
-    #    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-    #    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-    #    AWS_DEFAULT_REGION: us-east-2
+#     This is only used to initially create the table - need a cleaner way to include this,
+#     and have it do nothing if the table exists.  Make currently ignores error
+    - name: Create DynamboDB Table in AWS - To store metadata (one-time)
+      run: make create_table
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        AWS_DEFAULT_REGION: us-east-2
 
-    - name: Create tags in DynamboDB Table in AWS
+    - name: Create tags in DynamboDB Table in AWS - Metadata for this commit
       run: make create_tags
       env:
-        FOO: ${{ secrets.FOO }}
-        BAR: "BAZ"
+        PIPELINE_ID: ${GITHUB_RUN_ID}
         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         AWS_DEFAULT_REGION: us-east-2
 
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
+    - name: Push image
+      run: make push
 
-
-
-
-
-
-
-    # this was just in here to prove our the publish, should actually edit the make build do write the correct image name then we can remove this step
-    - name: Build image
-      run: docker build . --file Dockerfile --tag $IMAGE_NAME
-
-    # this is a bit verbose so probably time we wrapped it in make (it was just a copy/paste from github actions anyway)
-    - name: Log into registry and Push image
-      run: |
-        echo "${{ secrets.GH_PACKAGES }}" | docker login docker.pkg.github.com -u ${{ github.actor }} --password-stdin
-
-        IMAGE_ID=docker.pkg.github.com/${{ github.repository }}/$IMAGE_NAME
-
-        # Change all uppercase to lowercase
-        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-
-        # Strip git ref prefix from version
-        VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-
-        # Strip "v" prefix from tag name
-        [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
-
-        # Use Docker `latest` tag convention
-        [ "$VERSION" == "master" ] && VERSION=latest
-
-        echo IMAGE_ID=$IMAGE_ID
-        echo VERSION=$VERSION
-
-        docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
-        docker push $IMAGE_ID:$VERSION
+  call-verify:
+    uses: ./.github/workflows/verify.yml
+    needs: [build]
+    secrets: inherit
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,7 +4,7 @@ on: @@
         tags:
           - v*
         branches:
-          - master
+          - main
       pull_request:
     jobs:
       repo-visuals:
@@ Expand Down @@