Consistent labeling for resources managed by the Application
contro…
#130
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Main | |
## This Github Action workflow is triggered, if code is pushed to the main branch or a Pull Request | |
## (PR) is opened / edited from the dev branch. | |
## In real world scenario, pushing directly to the main branch should be blocked. | |
on: | |
push: | |
branches: [main] | |
## Adding this allows us to trigger this workflow manually (Just for debugging purposes). | |
workflow_dispatch: {} | |
jobs: | |
scan_sourcecode: | |
name: Scanning sourcecode to find vulberabilities, misconfigurations and exposed secrets | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
security-events: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Create outputs directory | |
run: mkdir -p ./outputs/trivy | |
- name: Run Trivy vulnerability and secret scanner in fs mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: fs | |
scan-ref: . | |
trivy-config: trivy.yaml | |
format: sarif | |
output: ./outputs/trivy/fs-scan-result.sarif | |
- name: Upload the scan result as Github artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trivy.fs-scan-result.sarif | |
path: ./outputs/trivy/fs-scan-result.sarif | |
- name: Detect IaC vulnerabilities and misconfigurations using Trivy | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: config | |
scan-ref: . | |
trivy-config: trivy.yaml | |
format: sarif | |
output: ./outputs/trivy/config-scan-result.sarif | |
- name: Upload the scan result as Github artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trivy.config-scan-result.sarif | |
path: ./outputs/trivy/config-scan-result.sarif | |
## The Trivy scan results will be uploaded to Github CodeQL only when code is being pushed to | |
## the main branch. | |
- name: Upload the scan results to Github CodeQL | |
if: github.ref == 'refs/heads/main' | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: ./outputs/trivy | |
build_push_sign_and_scan_container_images: | |
name: Build, push, sign and scan container images | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: write | |
security-events: write | |
strategy: | |
matrix: | |
microservice: | |
- name: users-microservice | |
path: backend/microservices/users | |
manifest: kubernetes/manifests/microservices/users/application.yaml | |
path_filters: | | |
changed: | |
- backend/microservices/users/** | |
- backend/lib.rs | |
- backend/sql/mod.rs | |
- name: profiles-microservice | |
path: backend/microservices/profiles | |
manifest: kubernetes/manifests/microservices/profiles/application.yaml | |
path_filters: | | |
changed: | |
- backend/microservices/profiles/** | |
- backend/lib.rs | |
- backend/sql/mod.rs | |
- name: followships-microservice | |
path: backend/microservices/followships | |
manifest: kubernetes/manifests/microservices/followships/application.yaml | |
path_filters: | | |
changed: | |
- backend/microservices/followships/** | |
- backend/lib.rs | |
- backend/sql/mod.rs | |
- name: posts-microservice | |
path: backend/microservices/posts | |
manifest: kubernetes/manifests/microservices/posts/application.yaml | |
path_filters: | | |
changed: | |
- backend/microservices/posts/** | |
- backend/lib.rs | |
- backend/sql/mod.rs | |
- name: feeds-microservice | |
path: backend/microservices/feeds | |
manifest: kubernetes/manifests/microservices/feeds/application.yaml | |
path_filters: | | |
changed: | |
- backend/microservices/feeds/** | |
- backend/lib.rs | |
- backend/sql/mod.rs | |
- name: gateway | |
path: backend/gateway | |
manifest: kubernetes/manifests/microservices/gateway/application.yaml | |
path_filters: | | |
changed: | |
- backend/gateway/** | |
- go.work.sum | |
- name: application-controller | |
path: kubernetes/operators/application | |
manifest: kubernetes/manifests/application-controller/deployment.yaml | |
path_filters: | | |
changed: | |
- kubernetes/operators/application/** | |
- go.work.sum | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
## If sourcecode of the microservice has changed, only then we will rebuild, push, sign | |
## and scan the container image. | |
- name: Detect sourcecode change | |
uses: dorny/paths-filter@v2 | |
id: path-filter | |
with: | |
base: ${{ github.ref }} | |
filters: ${{ matrix.microservice.path_filters }} | |
- name: Set up QEMU | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: docker/setup-buildx-action@v2 | |
- name: Login to GitHub Container Registry | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: archisman-mridha | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Restore cached Cargo dependencies (if exists) | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: actions/cache/restore@v3 | |
with: | |
path: | | |
/usr/local/cargo/registry/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ matrix.microservice.name }}-${{ hashFiles('**/Cargo.lock') }} | |
- name: Build and push AMD64 container image | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
file: ${{ matrix.microservice.path }}/Dockerfile | |
## It takes pretty long to build container images for the ARM64 platform (even when using | |
## QEMU). So skipping it ! | |
platforms: linux/amd64 | |
push: true | |
tags: ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }} | |
## Experimental cache exporter for GitHub Actions provided by buildx and BuildKit. | |
## It uses the GitHub Cache API to fetch and load the Docker layer cache blobs across | |
## builds. | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Cache Cargo dependencies | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: actions/cache@v3 | |
with: | |
path: | | |
/usr/local/cargo/registry/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ matrix.microservice.name }}-${{ hashFiles('**/Cargo.lock') }} | |
- name: Remove cached folders from local machine | |
if: steps.path-filter.outputs.changed == 'true' | |
run: | | |
rm -rf /usr/local/cargo/registry/ target/ | |
## Cosign is a command line utility that can sign and verify software artifact, such as | |
## container images and blobs. | |
- name: Install Cosign | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: v2.2.1 | |
- name: Sign the published container image | |
if: steps.path-filter.outputs.changed == 'true' | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
mkdir -p ~/.temp | |
echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > ~/.temp/cosign.key | |
cosign sign --key ~/.temp/cosign.key \ | |
-a "repo=instagram-clone" \ | |
-a "owner=Archisman-Mridha" \ | |
ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }} -y | |
- name: Create outputs directory | |
if: steps.path-filter.outputs.changed == 'true' | |
run: mkdir -p ./outputs/trivy | |
- name: Scan container image for vulnerabilities | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }} | |
ignore-unfixed: true | |
vuln-type: os,library | |
trivy-config: trivy.yaml | |
format: sarif | |
output: ./outputs/trivy/${{ matrix.microservice.name }}.container-image-scan-result.sarif | |
- name: Upload the scan result as Github artifact | |
if: steps.path-filter.outputs.changed == 'true' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trivy.${{ matrix.microservice.name }}-microservice.container-image-scan-result.sarif | |
path: ./outputs/trivy/${{ matrix.microservice.name }}.container-image-scan-result.sarif | |
- name: Update container image tag in Kubernetes manifests | |
if: steps.path-filter.outputs.changed == 'true' | |
run: | | |
git config --global user.name "Archisman-Mridha" | |
git config --global user.email "[email protected]" | |
git config --global pull.rebase false | |
git pull origin main -f | |
sed -i 's/instagram-clone-\(.*\):[[:alnum:]]\+/instagram-clone-\1:${{ github.sha }}/g' ${{ matrix.microservice.manifest }} | |
git add . | |
git commit -m "🤖 Update container image tag for ${{ matrix.microservice.name }} to ${{ github.sha }}" | |
git push --set-upstream origin main |