diff --git a/.github/workflows/auth-api-workflow.yml b/.github/workflows/auth-api-workflow.yml new file mode 100644 index 000000000..a5f4f029e --- /dev/null +++ b/.github/workflows/auth-api-workflow.yml 
@@ -0,0 +1,152 @@ +name: Auth API Workflow + +on: + push: + branches: [ "ci_cd_workflow" ] + paths: + - 'auth-api/**' + +env: + REGISTRY: 859047589462.dkr.ecr.us-east-1.amazonaws.com + DOCKER_REPOSITORY: sample-microsvc-app-auth-api + CLUSTER_REPO: https://github.com/CelestialSystem/mcs-poc-001-k8s.git + + +permissions: + contents: read + packages: write + id-token: write + security-events: write +jobs: + + getBranch_and_commitHash: + runs-on: ubuntu-latest + + outputs: + output1: ${{ steps.branch.outputs.git_branch }} + output2: ${{ steps.hash.outputs.git_hash }} + steps: + - name: Get Branch + id: branch + run: echo "::set-output name=git_branch::${GITHUB_REF#refs/heads/}" + + - name: Get Hash + id: hash + run: echo "::set-output name=git_hash::$(echo $GITHUB_SHA | cut -c1-7)" + + build_and_push: + + runs-on: ubuntu-latest + needs: getBranch_and_commitHash + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build the Docker image + working-directory: auth-api + run: docker build . 
--file Dockerfile --tag $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + - name: Push image to Amazon ECR + run: | + docker push $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + testDockerImage: + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push] + + steps: + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Pull Docker Image + run: | + docker pull ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + format: 'sarif' + output: 'trivy-results-docker.sarif' + severity: 'CRITICAL,HIGH' + + - name: Debug output + run: | + echo "#########TRIVY################" + cat trivy-results-docker.sarif + + - name: Upload Trivy scan results to Github security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-docker.sarif' + + + deployToDevEnv: + + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push, testDockerImage] + env: + GH_USER: div1127 + CLUSTER_REPO: CelestialSystem/mcs-poc-001-k8s.git + GIT_USER_EMAIL: d.srivastav@celestialsys.com + GIT_USER_NAME: Divyansh Srivastav + ARGOCD_APP: auth-api-service + REPO_CONTEXT: /home/runner/work/mcs-poc-001-k8s + SVC_CONTEXT: 
/home/runner/work/mcs-poc-001-k8s/k8s/auth-api + + + steps: + + - name: Install yq (YAML Processor) & Git + run: | + sudo add-apt-repository ppa:rmescandon/yq + sudo apt update + sudo apt install yq git -y + - name: Install ArgoCD CLI + run: | + curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 + sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd + rm argocd-linux-amd64 + - name: GitOps - Update deployment repository with new Image Version + uses: nick-fields/retry@v2 + with: + timeout_minutes: 10 + max_attempts: 4 + retry_on: error + command: | + cd /home/runner/work + git clone "https://${{ env.GH_USER }}:${{ secrets.GH_TOKEN }}@github.com/${{ env.CLUSTER_REPO }}" + cd ${{ env.SVC_CONTEXT }} + yq eval '.spec.template.spec.containers[0].image = "${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}}"' -i deployment.yaml + cd ${{ env.REPO_CONTEXT }} + git config --global user.email ${{ env.GIT_USER_EMAIL }} + git config --global user.name ${{ env.GIT_USER_NAME }} + git add ${{ env.SVC_CONTEXT}}/deployment.yaml + git commit -m "Updated Image Version." + git push + + - name: Synk ArgoCD app + run: | + argocd login ${{ secrets.ARGOCD_SERVER }} --username ${{ secrets.ARGOCD_USER }} --password ${{ secrets.ARGOCD_PASSWORD }} --insecure --grpc-web + argocd app sync ${{ env.ARGOCD_APP }} --grpc-web diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..2196a219c --- /dev/null +++ b/.github/workflows/codeql.yml 
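Review bot: `aquasecurity/trivy-action@master` in the testDockerImage job pins a third-party action to a mutable branch, so the scan step runs whatever that branch contains at the moment of each run; pin it to a release tag or a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. In the deployToDevEnv job, `argocd login ... --insecure` disables TLS certificate verification on the very connection that carries `ARGOCD_PASSWORD`; make the server's CA available to the runner and drop the flag. The `::set-output` commands in getBranch_and_commitHash are deprecated in favour of the output file, e.g. `run: echo "git_branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"`. `id-token: write` is granted at workflow level but never used, because configure-aws-credentials is fed long-lived static keys; either switch that step to `role-to-assume` (OIDC) or drop the permission. The same points apply to frontend-workflow.yml, log-message-processor-workflow.yml, todos-api-workflow.yml and users-api-workflow.yml, all of which also copy the `name: Auth API Workflow` header from this file.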
@@ -0,0 +1,76 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "master" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + schedule: + - cron: '35 0 * * 1' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'go', 'java', 'javascript', 'python' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/frontend-workflow.yml b/.github/workflows/frontend-workflow.yml new file mode 100644 index 000000000..e70506695 --- /dev/null +++ b/.github/workflows/frontend-workflow.yml 
@@ -0,0 +1,152 @@ +name: Auth API Workflow + +on: + push: + branches: [ "ci_cd_workflow" ] + paths: + - 'frontend/**' + +env: + REGISTRY: 859047589462.dkr.ecr.us-east-1.amazonaws.com + DOCKER_REPOSITORY: sample-microsvc-app-frontend + CLUSTER_REPO: https://github.com/CelestialSystem/mcs-poc-001-k8s.git + + +permissions: + contents: read + packages: write + id-token: write + security-events: write +jobs: + + getBranch_and_commitHash: + runs-on: ubuntu-latest + + outputs: + output1: ${{ steps.branch.outputs.git_branch }} + output2: ${{ steps.hash.outputs.git_hash }} + steps: + - name: Get Branch + id: branch + run: echo "::set-output name=git_branch::${GITHUB_REF#refs/heads/}" + + - name: Get Hash + id: hash + run: echo "::set-output name=git_hash::$(echo $GITHUB_SHA | cut -c1-7)" + + build_and_push: + + runs-on: ubuntu-latest + needs: getBranch_and_commitHash + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build the Docker image + working-directory: frontend + run: docker build . 
--file Dockerfile --tag $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + - name: Push image to Amazon ECR + run: | + docker push $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + testDockerImage: + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push] + + steps: + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Pull Docker Image + run: | + docker pull ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + format: 'sarif' + output: 'trivy-results-docker.sarif' + severity: 'CRITICAL,HIGH' + + - name: Debug output + run: | + echo "#########TRIVY################" + cat trivy-results-docker.sarif + + - name: Upload Trivy scan results to Github security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-docker.sarif' + + + deployToDevEnv: + + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push, testDockerImage] + env: + GH_USER: div1127 + CLUSTER_REPO: CelestialSystem/mcs-poc-001-k8s.git + GIT_USER_EMAIL: d.srivastav@celestialsys.com + GIT_USER_NAME: Divyansh Srivastav + ARGOCD_APP: frontend-app + REPO_CONTEXT: /home/runner/work/mcs-poc-001-k8s + SVC_CONTEXT: 
/home/runner/work/mcs-poc-001-k8s/k8s/frontend + + + steps: + + - name: Install yq (YAML Processor) & Git + run: | + sudo add-apt-repository ppa:rmescandon/yq + sudo apt update + sudo apt install yq git -y + - name: Install ArgoCD CLI + run: | + curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 + sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd + rm argocd-linux-amd64 + - name: GitOps - Update deployment repository with new Image Version + uses: nick-fields/retry@v2 + with: + timeout_minutes: 10 + max_attempts: 4 + retry_on: error + command: | + cd /home/runner/work + git clone "https://${{ env.GH_USER }}:${{ secrets.GH_TOKEN }}@github.com/${{ env.CLUSTER_REPO }}" + cd ${{ env.SVC_CONTEXT }} + yq eval '.spec.template.spec.containers[0].image = "${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}}"' -i deployment.yaml + cd ${{ env.REPO_CONTEXT }} + git config --global user.email ${{ env.GIT_USER_EMAIL }} + git config --global user.name ${{ env.GIT_USER_NAME }} + git add ${{ env.SVC_CONTEXT}}/deployment.yaml + git commit -m "Updated Image Version." + git push + + - name: Synk ArgoCD app + run: | + argocd login ${{ secrets.ARGOCD_SERVER }} --username ${{ secrets.ARGOCD_USER }} --password ${{ secrets.ARGOCD_PASSWORD }} --insecure --grpc-web + argocd app sync ${{ env.ARGOCD_APP }} --grpc-web \ No newline at end of file diff --git a/.github/workflows/log-message-processor-workflow.yml b/.github/workflows/log-message-processor-workflow.yml new file mode 100644 index 000000000..5fabec1d7 --- /dev/null +++ b/.github/workflows/log-message-processor-workflow.yml 
@@ -0,0 +1,152 @@ +name: Auth API Workflow + +on: + push: + branches: [ "ci_cd_workflow" ] + paths: + - 'log-message-processor/**' + +env: + REGISTRY: 859047589462.dkr.ecr.us-east-1.amazonaws.com + DOCKER_REPOSITORY: sample-microsvc-app-log-message-processor + CLUSTER_REPO: https://github.com/CelestialSystem/mcs-poc-001-k8s.git + + +permissions: + contents: read + packages: write + id-token: write + security-events: write +jobs: + + getBranch_and_commitHash: + runs-on: ubuntu-latest + + outputs: + output1: ${{ steps.branch.outputs.git_branch }} + output2: ${{ steps.hash.outputs.git_hash }} + steps: + - name: Get Branch + id: branch + run: echo "::set-output name=git_branch::${GITHUB_REF#refs/heads/}" + + - name: Get Hash + id: hash + run: echo "::set-output name=git_hash::$(echo $GITHUB_SHA | cut -c1-7)" + + build_and_push: + + runs-on: ubuntu-latest + needs: getBranch_and_commitHash + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build the Docker image + working-directory: log-message-processor + run: docker build . 
--file Dockerfile --tag $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + - name: Push image to Amazon ECR + run: | + docker push $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + testDockerImage: + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push] + + steps: + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Pull Docker Image + run: | + docker pull ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + format: 'sarif' + output: 'trivy-results-docker.sarif' + severity: 'CRITICAL,HIGH' + + - name: Debug output + run: | + echo "#########TRIVY################" + cat trivy-results-docker.sarif + + - name: Upload Trivy scan results to Github security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-docker.sarif' + + + deployToDevEnv: + + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push, testDockerImage] + env: + GH_USER: div1127 + CLUSTER_REPO: CelestialSystem/mcs-poc-001-k8s.git + GIT_USER_EMAIL: d.srivastav@celestialsys.com + GIT_USER_NAME: Divyansh Srivastav + ARGOCD_APP: log-message-processor-service + REPO_CONTEXT: /home/runner/work/mcs-poc-001-k8s + SVC_CONTEXT: 
/home/runner/work/mcs-poc-001-k8s/k8s/log-message-processor + + + steps: + + - name: Install yq (YAML Processor) & Git + run: | + sudo add-apt-repository ppa:rmescandon/yq + sudo apt update + sudo apt install yq git -y + - name: Install ArgoCD CLI + run: | + curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 + sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd + rm argocd-linux-amd64 + - name: GitOps - Update deployment repository with new Image Version + uses: nick-fields/retry@v2 + with: + timeout_minutes: 10 + max_attempts: 4 + retry_on: error + command: | + cd /home/runner/work + git clone "https://${{ env.GH_USER }}:${{ secrets.GH_TOKEN }}@github.com/${{ env.CLUSTER_REPO }}" + cd ${{ env.SVC_CONTEXT }} + yq eval '.spec.template.spec.containers[0].image = "${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}}"' -i deployment.yaml + cd ${{ env.REPO_CONTEXT }} + git config --global user.email ${{ env.GIT_USER_EMAIL }} + git config --global user.name ${{ env.GIT_USER_NAME }} + git add ${{ env.SVC_CONTEXT}}/deployment.yaml + git commit -m "Updated Image Version." + git push + + - name: Synk ArgoCD app + run: | + argocd login ${{ secrets.ARGOCD_SERVER }} --username ${{ secrets.ARGOCD_USER }} --password ${{ secrets.ARGOCD_PASSWORD }} --insecure --grpc-web + argocd app sync ${{ env.ARGOCD_APP }} --grpc-web \ No newline at end of file diff --git a/.github/workflows/todos-api-workflow.yml b/.github/workflows/todos-api-workflow.yml new file mode 100644 index 000000000..1f8758bd7 --- /dev/null +++ b/.github/workflows/todos-api-workflow.yml 
@@ -0,0 +1,151 @@ +name: Auth API Workflow + +on: + push: + branches: [ "ci_cd_workflow" ] + paths: + - 'todos-api/**' + +env: + REGISTRY: 859047589462.dkr.ecr.us-east-1.amazonaws.com + DOCKER_REPOSITORY: sample-microsvc-app-todos-api + CLUSTER_REPO: https://github.com/CelestialSystem/mcs-poc-001-k8s.git + + +permissions: + contents: read + packages: write + id-token: write + security-events: write +jobs: + + getBranch_and_commitHash: + runs-on: ubuntu-latest + + outputs: + output1: ${{ steps.branch.outputs.git_branch }} + output2: ${{ steps.hash.outputs.git_hash }} + steps: + - name: Get Branch + id: branch + run: echo "::set-output name=git_branch::${GITHUB_REF#refs/heads/}" + + - name: Get Hash + id: hash + run: echo "::set-output name=git_hash::$(echo $GITHUB_SHA | cut -c1-7)" + + build_and_push: + + runs-on: ubuntu-latest + needs: getBranch_and_commitHash + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build the Docker image + working-directory: todos-api + run: docker build . 
--file Dockerfile --tag $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + - name: Push image to Amazon ECR + run: | + docker push $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + testDockerImage: + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push] + + steps: + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Pull Docker Image + run: | + docker pull ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + format: 'sarif' + output: 'trivy-results-docker.sarif' + severity: 'CRITICAL,HIGH' + + - name: Debug output + run: | + echo "#########TRIVY################" + cat trivy-results-docker.sarif + + - name: Upload Trivy scan results to Github security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-docker.sarif' + + + deployToDevEnv: + + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push, testDockerImage] + env: + GH_USER: div1127 + CLUSTER_REPO: CelestialSystem/mcs-poc-001-k8s.git + GIT_USER_EMAIL: d.srivastav@celestialsys.com + GIT_USER_NAME: Divyansh Srivastav + ARGOCD_APP: todos-api-service + REPO_CONTEXT: /home/runner/work/mcs-poc-001-k8s + SVC_CONTEXT: 
/home/runner/work/mcs-poc-001-k8s/k8s/todos-api + + steps: + + - name: Install yq (YAML Processor) & Git + run: | + sudo add-apt-repository ppa:rmescandon/yq + sudo apt update + sudo apt install yq git -y + - name: Install ArgoCD CLI + run: | + curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 + sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd + rm argocd-linux-amd64 + - name: GitOps - Update deployment repository with new Image Version + uses: nick-fields/retry@v2 + with: + timeout_minutes: 10 + max_attempts: 4 + retry_on: error + command: | + cd /home/runner/work + git clone "https://${{ env.GH_USER }}:${{ secrets.GH_TOKEN }}@github.com/${{ env.CLUSTER_REPO }}" + cd ${{ env.SVC_CONTEXT }} + yq eval '.spec.template.spec.containers[0].image = "${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}}"' -i deployment.yaml + cd ${{ env.REPO_CONTEXT }} + git config --global user.email ${{ env.GIT_USER_EMAIL }} + git config --global user.name ${{ env.GIT_USER_NAME }} + git add ${{ env.SVC_CONTEXT}}/deployment.yaml + git commit -m "Updated Image Version." + git push + + - name: Synk ArgoCD app + run: | + argocd login ${{ secrets.ARGOCD_SERVER }} --username ${{ secrets.ARGOCD_USER }} --password ${{ secrets.ARGOCD_PASSWORD }} --insecure --grpc-web + argocd app sync ${{ env.ARGOCD_APP }} --grpc-web \ No newline at end of file diff --git a/.github/workflows/users-api-workflow.yml b/.github/workflows/users-api-workflow.yml new file mode 100644 index 000000000..d0f32d5b5 --- /dev/null +++ b/.github/workflows/users-api-workflow.yml 
@@ -0,0 +1,151 @@ +name: Auth API Workflow + +on: + push: + branches: [ "ci_cd_workflow" ] + paths: + - 'users-api/**' + +env: + REGISTRY: 859047589462.dkr.ecr.us-east-1.amazonaws.com + DOCKER_REPOSITORY: sample-microsvc-app-users-api + CLUSTER_REPO: https://github.com/CelestialSystem/mcs-poc-001-k8s.git + + +permissions: + contents: read + packages: write + id-token: write + security-events: write +jobs: + + getBranch_and_commitHash: + runs-on: ubuntu-latest + + outputs: + output1: ${{ steps.branch.outputs.git_branch }} + output2: ${{ steps.hash.outputs.git_hash }} + steps: + - name: Get Branch + id: branch + run: echo "::set-output name=git_branch::${GITHUB_REF#refs/heads/}" + + - name: Get Hash + id: hash + run: echo "::set-output name=git_hash::$(echo $GITHUB_SHA | cut -c1-7)" + + build_and_push: + + runs-on: ubuntu-latest + needs: getBranch_and_commitHash + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build the Docker image + working-directory: users-api + run: docker build . 
--file Dockerfile --tag $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + - name: Push image to Amazon ECR + run: | + docker push $REGISTRY/$DOCKER_REPOSITORY:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + + testDockerImage: + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push] + + steps: + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + - name: Login to AWS ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Pull Docker Image + run: | + docker pull ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}} + format: 'sarif' + output: 'trivy-results-docker.sarif' + severity: 'CRITICAL,HIGH' + + - name: Debug output + run: | + echo "#########TRIVY################" + cat trivy-results-docker.sarif + + - name: Upload Trivy scan results to Github security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-docker.sarif' + + + deployToDevEnv: + + runs-on: ubuntu-latest + needs: [getBranch_and_commitHash, build_and_push, testDockerImage] + env: + GH_USER: div1127 + CLUSTER_REPO: CelestialSystem/mcs-poc-001-k8s.git + GIT_USER_EMAIL: d.srivastav@celestialsys.com + GIT_USER_NAME: Divyansh Srivastav + ARGOCD_APP: users-api-service + REPO_CONTEXT: /home/runner/work/mcs-poc-001-k8s + SVC_CONTEXT: 
/home/runner/work/mcs-poc-001-k8s/k8s/users-api + + + steps: + + - name: Install yq (YAML Processor) & Git + run: | + sudo add-apt-repository ppa:rmescandon/yq + sudo apt update + sudo apt install yq git -y + - name: Install ArgoCD CLI + run: | + curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 + sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd + rm argocd-linux-amd64 + - name: GitOps - Update deployment repository with new Image Version + uses: nick-fields/retry@v2 + with: + timeout_minutes: 10 + max_attempts: 4 + retry_on: error + command: | + cd /home/runner/work + git clone "https://${{ env.GH_USER }}:${{ secrets.GH_TOKEN }}@github.com/${{ env.CLUSTER_REPO }}" + cd ${{ env.SVC_CONTEXT }} + yq eval '.spec.template.spec.containers[0].image = "${{ env.REGISTRY }}/${{ env.DOCKER_REPOSITORY }}:${{needs.getBranch_and_commitHash.outputs.output1}}-${{needs.getBranch_and_commitHash.outputs.output2}}"' -i deployment.yaml + cd ${{ env.REPO_CONTEXT }} + git config --global user.email ${{ env.GIT_USER_EMAIL }} + git config --global user.name ${{ env.GIT_USER_NAME }} + git add ${{ env.SVC_CONTEXT}}/deployment.yaml + git commit -m "Updated Image Version." + git push + + - name: Synk ArgoCD app + run: | + argocd login ${{ secrets.ARGOCD_SERVER }} --username ${{ secrets.ARGOCD_USER }} --password ${{ secrets.ARGOCD_PASSWORD }} --insecure --grpc-web \ No newline at end of file diff --git a/auth-api/Dockerfile b/auth-api/Dockerfile index 444cc0e72..bf8bb220c 100644 --- a/auth-api/Dockerfile +++ b/auth-api/Dockerfile 
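Review bot: The last step of deployToDevEnv (`Synk ArgoCD app`) stops after `argocd login`, so unlike the four sibling workflows this one never issues the sync and a users-api push only commits the new image tag to the cluster repo; add `argocd app sync ${{ env.ARGOCD_APP }} --grpc-web` as the second line of that `run:` block. The `\ No newline at end of file` marker closing the hunk shows the file also lacks a trailing newline, which is harmless here but worth fixing for consistency with auth-api-workflow.yml.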
@@ -1,10 +1,12 @@ +# auth_api_workflow. FROM golang:1.9-alpine EXPOSE 8081 WORKDIR /go/src/app -RUN apk --no-cache add curl git && \ - curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh +RUN apk --no-cache add curl git +#RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh +RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh COPY . . RUN dep ensure @@ -12,4 +14,3 @@ RUN dep ensure RUN go build -o auth-api CMD /go/src/app/auth-api - diff --git a/k8s/auth-api/deployment.yaml b/k8s/auth-api/deployment.yaml index 4f802c60a..810487ad6 100644 --- a/k8s/auth-api/deployment.yaml +++ b/k8s/auth-api/deployment.yaml @@ -1,11 +1,17 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: + namespace: todo labels: app: microservice-app-example + service: auth-api name: auth-api spec: replicas: 1 + selector: + matchLabels: + app: microservice-app-example + service: auth-api template: metadata: labels: @@ -13,18 +19,18 @@ spec: service: auth-api spec: containers: - - env: - - name: AUTH_API_PORT - value: "8081" - - name: JWT_SECRET - value: myfancysecret - - name: USERS_API_ADDRESS - value: http://users-api:8083 - - name: ZIPKIN_URL - value: http://zipkin:9411/api/v2/spans - image: auth-api - name: auth-api - ports: - - containerPort: 8081 - imagePullPolicy: Never + - env: + - name: AUTH_API_PORT + value: "8081" + - name: JWT_SECRET + value: myfancysecret + - name: USERS_API_ADDRESS + value: http://users-api:8083 + - name: ZIPKIN_URL + value: http://zipkin:9411/api/v2/spans + image: auth-api + name: auth-api + ports: + - containerPort: 8081 + imagePullPolicy: Never restartPolicy: Always diff --git a/k8s/auth-api/service.yaml b/k8s/auth-api/service.yaml index 68047183b..136986b08 100644 --- a/k8s/auth-api/service.yaml +++ b/k8s/auth-api/service.yaml 
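Review bot: The new `RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh` line fetches an installer from a moving branch and executes it with no integrity check, so the image build depends on whatever that URL serves on the day it runs; fetch the script at a fixed commit or tag, verify its checksum, and only then execute it, e.g. `RUN curl -fsSL -o /tmp/install.sh https://raw.githubusercontent.com/golang/dep/<pinned-commit>/install.sh && echo "<expected-sha256>  /tmp/install.sh" | sha256sum -c - && sh /tmp/install.sh`. The `#RUN curl ...` line directly above it is a commented-out copy of the same command and should be deleted rather than kept as dead text. The added first-line comment `# auth_api_workflow.` says nothing about the image; either state what it marks or drop it.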
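Review bot: The re-indented container spec in the second deployment.yaml hunk keeps `image: auth-api` with `imagePullPolicy: Never`, while auth-api-workflow.yml in this same commit rewrites `.spec.template.spec.containers[0].image` to the ECR reference on every push; with `Never` the kubelet refuses to pull that image, so the pod ends in ErrImageNeverPull unless the image already sits on the node, and the line should become `imagePullPolicy: IfNotPresent` (or `Always`) once the image comes from the registry, which presumably also needs node IAM permissions or an `imagePullSecrets` entry for ECR. `JWT_SECRET` is committed as the plaintext `value: myfancysecret` in the new lines; move it to a Kubernetes Secret and reference it with `valueFrom: { secretKeyRef: { name: <secret-name>, key: <key> } }`. The same `imagePullPolicy: Never` issue is present in the frontend and log-message-processor deployment hunks that follow.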
@@ -1,8 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: auth-api
 name: auth-api
 spec:
 ports:
diff --git a/k8s/frontend/deployment.yaml b/k8s/frontend/deployment.yaml
index 78244bfe8..4dc9886b3 100644
--- a/k8s/frontend/deployment.yaml
+++ b/k8s/frontend/deployment.yaml
@@ -1,11 +1,17 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: frontend
 name: frontend
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ app: microservice-app-example
+ service: frontend
 template:
 metadata:
 labels:
@@ -13,18 +19,18 @@ spec:
 service: frontend
 spec:
 containers:
- - env:
- - name: AUTH_API_ADDRESS
- value: http://auth-api:8081
- - name: PORT
- value: "8080"
- - name: TODOS_API_ADDRESS
- value: http://todos-api:8082
- - name: ZIPKIN_URL
- value: http://zipkin:9411/api/v2/spans
- image: frontend
- name: frontend
- ports:
- - containerPort: 8080
- imagePullPolicy: Never
- restartPolicy: Always
+ - env:
+ - name: AUTH_API_ADDRESS
+ value: http://auth-api:8081
+ - name: PORT
+ value: "8080"
+ - name: TODOS_API_ADDRESS
+ value: http://todos-api:8082
+ - name: ZIPKIN_URL
+ value: http://zipkin:9411/api/v2/spans
+ image: frontend
+ name: frontend
+ ports:
+ - containerPort: 8080
+ imagePullPolicy: Never
+ restartPolicy: Always
\ No newline at end of file
diff --git a/k8s/frontend/service.yaml b/k8s/frontend/service.yaml
index 1ab75f781..392dbc713 100644
--- a/k8s/frontend/service.yaml
+++ b/k8s/frontend/service.yaml
@@ -1,12 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: frontend
 name: frontend
 spec:
 ports:
 - port: 8080
 selector:
 service: frontend
- type: LoadBalancer
\ No newline at end of file
+ type: ClusterIP
\ No newline at end of file
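Review bot: The new side of the second frontend deployment hunk ends with `\ No newline at end of file` on `+ restartPolicy: Always`, whereas the removed `restartPolicy: Always` line had a terminating newline, so the re-indentation strips the file's final newline. Restore the trailing newline so the manifest matches the other deployment files in this commit and does not produce a spurious diff on the next edit. The `imagePullPolicy: Never` concern noted on the auth-api deployment hunk applies to this container entry as well.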
diff --git a/k8s/log-message-processor/deployment.yaml b/k8s/log-message-processor/deployment.yaml
index 40229bab3..fbd13bce3 100644
--- a/k8s/log-message-processor/deployment.yaml
+++ b/k8s/log-message-processor/deployment.yaml
@@ -1,11 +1,17 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: log-message-processor
 name: log-message-processor
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ app: microservice-app-example
+ service: log-message-processor
 template:
 metadata:
 labels:
@@ -13,17 +19,17 @@ spec:
 service: log-message-processor
 spec:
 containers:
- - env:
- - name: REDIS_HOST
- value: redis-queue
- - name: REDIS_PORT
- value: "6379"
- - name: REDIS_CHANNEL
- value: log_channel
- - name: ZIPKIN_URL
- value: http://zipkin:9411/api/v1/spans
-
- image: log-message-processor
- name: log-message-processor
- imagePullPolicy: Never
+ - env:
+ - name: REDIS_HOST
+ value: redis-queue
+ - name: REDIS_PORT
+ value: "6379"
+ - name: REDIS_CHANNEL
+ value: log_channel
+ - name: ZIPKIN_URL
+ value: http://zipkin:9411/api/v1/spans
+
+ image: log-message-processor
+ name: log-message-processor
+ imagePullPolicy: Never
 restartPolicy: Always
diff --git a/k8s/redis-queue/deployment.yaml b/k8s/redis-queue/deployment.yaml
index 025d13994..2612573be 100644
--- a/k8s/redis-queue/deployment.yaml
+++ b/k8s/redis-queue/deployment.yaml
@@ -1,11 +1,17 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: redis-queue
 name: redis-queue
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ app: microservice-app-example
+ service: redis-queue
 template:
 metadata:
 labels:
@@ -13,8 +19,7 @@ spec:
 service: redis-queue
 spec:
 containers:
- - env:
- image: redis
+ - image: redis
 name: redis-queue
 ports:
 - containerPort: 6379
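Review bot: The added side of the second log-message-processor hunk keeps an empty line (the bare `+` line) between the `ZIPKIN_URL` value and `image: log-message-processor` inside the single container entry, while the equivalent blank is dropped in the todos-api deployment hunk of this commit. Delete the empty line so the container mapping is contiguous and the manifests stay consistent. `ZIPKIN_URL` here points at `/api/v1/spans` while every other service uses `/api/v2/spans`; that is not changed by this commit, but it is worth confirming the processor's client really speaks the v1 format rather than this being a stale value.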
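Review bot: `+ - image: redis` in the second redis-queue hunk carries no tag or digest, so every rollout pulls whatever `latest` resolves to at that moment and the GitOps repo no longer fully describes what runs; the same holds for `openzipkin/zipkin` in the second zipkin deployment hunk. Pin both to an explicit version tag (and ideally a digest), e.g. `image: redis:<PINNED_VERSION>`. Neither container entry declares `resources` or a `securityContext`, which is worth adding while these blocks are being rewritten.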
diff --git a/k8s/redis-queue/service.yaml b/k8s/redis-queue/service.yaml
index a160c2edc..da6a781a6 100644
--- a/k8s/redis-queue/service.yaml
+++ b/k8s/redis-queue/service.yaml
@@ -1,8 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: redis-queue
 name: redis-queue
 spec:
 ports:
diff --git a/k8s/todos-api/deployment.yaml b/k8s/todos-api/deployment.yaml
index 20e880b61..119cf5f52 100644
--- a/k8s/todos-api/deployment.yaml
+++ b/k8s/todos-api/deployment.yaml
@@ -1,11 +1,17 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: todos-api
 name: todos-api
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ app: microservice-app-example
+ service: todos-api
 template:
 metadata:
 labels:
@@ -13,23 +19,22 @@ spec:
 service: todos-api
 spec:
 containers:
- - env:
- - name: JWT_SECRET
- value: myfancysecret
- - name: TODO_API_PORT
- value: "8082"
- - name: REDIS_HOST
- value: redis-queue
- - name: REDIS_PORT
- value: "6379"
- - name: REDIS_CHANNEL
- value: log_channel
- - name: ZIPKIN_URL
- value: http://zipkin:9411/api/v2/spans
-
- image: todos-api
- name: todos-api
- ports:
- - containerPort: 8082
- imagePullPolicy: Never
+ - env:
+ - name: JWT_SECRET
+ value: myfancysecret
+ - name: TODO_API_PORT
+ value: "8082"
+ - name: REDIS_HOST
+ value: redis-queue
+ - name: REDIS_PORT
+ value: "6379"
+ - name: REDIS_CHANNEL
+ value: log_channel
+ - name: ZIPKIN_URL
+ value: http://zipkin:9411/api/v2/spans
+ image: todos-api
+ name: todos-api
+ ports:
+ - containerPort: 8082
+ imagePullPolicy: Never
 restartPolicy: Always
diff --git a/k8s/todos-api/service.yaml b/k8s/todos-api/service.yaml
index 23c4e257b..66a5a1d53 100644
--- a/k8s/todos-api/service.yaml
+++ b/k8s/todos-api/service.yaml
@@ -1,8 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: todos-api
 name: todos-api
 spec:
 ports:
diff --git a/k8s/users-api/deployment.yaml b/k8s/users-api/deployment.yaml
index 0a9e418bb..2000e3186 100644
--- a/k8s/users-api/deployment.yaml
+++ b/k8s/users-api/deployment.yaml
@@ -1,11 +1,17 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: users-api
 name: users-api
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ app: microservice-app-example
+ service: users-api
 template:
 metadata:
 labels:
@@ -13,16 +19,16 @@ spec:
 service: users-api
 spec:
 containers:
- - env:
- - name: JWT_SECRET
- value: myfancysecret
- - name: SERVER_PORT
- value: "8083"
- - name: SPRING_ZIPKIN_BASE_URL
- value: http://zipkin:9411
- image: users-api
- name: users-api
- ports:
- - containerPort: 8083
- imagePullPolicy: Never
+ - env:
+ - name: JWT_SECRET
+ value: myfancysecret
+ - name: SERVER_PORT
+ value: "8083"
+ - name: SPRING_ZIPKIN_BASE_URL
+ value: http://zipkin:9411
+ image: users-api
+ name: users-api
+ ports:
+ - containerPort: 8083
+ imagePullPolicy: Never
 restartPolicy: Always
diff --git a/k8s/users-api/service.yaml b/k8s/users-api/service.yaml
index 81961c76e..49d9aa003 100644
--- a/k8s/users-api/service.yaml
+++ b/k8s/users-api/service.yaml
@@ -1,8 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: users-api
 name: users-api
 spec:
 ports:
diff --git a/k8s/zipkin/deployment.yaml b/k8s/zipkin/deployment.yaml
index 52461b9f7..f0bccd749 100644
--- a/k8s/zipkin/deployment.yaml
+++ b/k8s/zipkin/deployment.yaml
@@ -1,11 +1,17 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
+ service: zipkin
 name: zipkin
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ app: microservice-app-example
+ service: zipkin
 template:
 metadata:
 labels:
@@ -13,8 +19,7 @@ spec:
 service: zipkin
 spec:
 containers:
- - env:
- image: openzipkin/zipkin
+ - image: openzipkin/zipkin
 name: zipkin
 ports:
 - containerPort: 9411
diff --git a/k8s/zipkin/service.yaml b/k8s/zipkin/service.yaml
index 715ea1488..b1a330a95 100644
--- a/k8s/zipkin/service.yaml
+++ b/k8s/zipkin/service.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
+ namespace: todo
 labels:
 app: microservice-app-example
 name: zipkin