Merge branch 'release/v0.14.2' into main
Showing
22 changed files
with
807 additions
and
498 deletions.
@@ -1,5 +1,5 @@ | ||
# Build the manager binary | ||
FROM golang:1.20.3 AS builder | ||
FROM golang:1.21 AS builder | ||
|
||
WORKDIR /workspace | ||
|
||
|
@@ -31,7 +31,7 @@ RUN make compile-generic | |
FROM gcr.io/distroless/static:nonroot | ||
LABEL maintainer="[email protected]" \ | ||
NAME="k8s-service-discovery" \ | ||
VERSION="0.14.1" | ||
VERSION="0.14.2" | ||
|
||
WORKDIR / | ||
|
||
|
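Review bot: The builder base image moves from the patch-pinned `golang:1.20.3` to the floating `golang:1.21` tag, so the toolchain that compiles the binary now changes underneath the build whenever a new 1.21.x image is published, and the build is no longer reproducible from the Dockerfile alone. Pinning a patch release, or better the tag plus its registry digest (`FROM golang:1.21.<patch>@sha256:<digest-from-registry> AS builder`, values to be taken from the registry), keeps the stage deterministic and auditable. The runtime base `gcr.io/distroless/static:nonroot` in the second hunk is likewise a floating tag, though this commit does not touch that line.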
This file was deleted.
|
@@ -6,11 +6,19 @@ endif | |
|
||
## Variables | ||
|
||
# Setting SHELL to bash allows bash commands to be executed by recipes. | ||
# Options are set to exit when a recipe line exits non-zero or a piped command fails. | ||
SHELL = /usr/bin/env bash -o pipefail | ||
.SHELLFLAGS = -ec | ||
|
||
BINARY_YQ = $(UTILITY_BIN_PATH)/yq | ||
|
||
# The productive tag of the image | ||
IMAGE ?= | ||
|
||
# Set production as default stage. Use "development" as stage in your .env file to generate artifacts | ||
# with development images pointing to K3S_CLUSTER_FQDN. | ||
STAGE?=production | ||
K3S_CLUSTER_FQDN?=k3ces.local | ||
K3S_LOCAL_REGISTRY_PORT?=30099 | ||
K3CES_REGISTRY_URL_PREFIX="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}" | ||
|
@@ -66,7 +74,6 @@ K8S_PRE_GENERATE_TARGETS ?= k8s-create-temporary-resource | |
.PHONY: k8s-generate | ||
k8s-generate: ${BINARY_YQ} $(K8S_RESOURCE_TEMP_FOLDER) $(K8S_PRE_GENERATE_TARGETS) ## Generates the final resource yaml. | ||
@echo "Applying general transformations..." | ||
@sed -i "s/'{{ .Namespace }}'/$(NAMESPACE)/" $(K8S_RESOURCE_TEMP_YAML) | ||
@if [[ ${STAGE} == "development" ]]; then \ | ||
$(BINARY_YQ) -i e "(select(.kind == \"Deployment\").spec.template.spec.containers[]|select(.image == \"*$(ARTIFACT_ID)*\").image)=\"$(IMAGE_DEV)\"" $(K8S_RESOURCE_TEMP_YAML); \ | ||
else \ | ||
|
@@ -77,6 +84,7 @@ k8s-generate: ${BINARY_YQ} $(K8S_RESOURCE_TEMP_FOLDER) $(K8S_PRE_GENERATE_TARGET | |
.PHONY: k8s-apply | ||
k8s-apply: k8s-generate image-import $(K8S_POST_GENERATE_TARGETS) ## Applies all generated K8s resources to the current cluster and namespace. | ||
@echo "Apply generated K8s resources..." | ||
@sed -i "s/'{{ .Namespace }}'/$(NAMESPACE)/" $(K8S_RESOURCE_TEMP_YAML) | ||
@kubectl apply -f $(K8S_RESOURCE_TEMP_YAML) --namespace=${NAMESPACE} | ||
|
||
##@ K8s - Docker | ||
|
@@ -119,5 +127,8 @@ __check_defined = \ | |
$(if $(value $1),, \ | ||
$(error Undefined $1$(if $2, ($2)))) | ||
|
||
.PHONY: install-yq ## Installs the yq YAML editor. | ||
install-yq: ${BINARY_YQ} | ||
|
||
${BINARY_YQ}: $(UTILITY_BIN_PATH) ## Download yq locally if necessary. | ||
$(call go-get-tool,$(BINARY_YQ),github.com/mikefarah/yq/[email protected]) |
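Review bot: The new rule `${BINARY_YQ}: $(UTILITY_BIN_PATH)` uses the tool directory as a normal prerequisite, so any tool added to or removed from that directory bumps its mtime and makes yq look stale, triggering another network download via `go-get-tool` on unrelated changes; an order-only prerequisite avoids that: `${BINARY_YQ}: | $(UTILITY_BIN_PATH) ## Download yq locally if necessary.`. In the same hunk the `## Installs the yq YAML editor.` description sits on the `.PHONY:` line, while the other targets in this file (`k8s-generate`, `k8s-apply`) carry it on the rule header, so a help extractor keyed on `target: ## text` will miss it; moving it gives `install-yq: ${BINARY_YQ} ## Installs the yq YAML editor.`. In the first hunk, `K3CES_REGISTRY_URL_PREFIX="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}"` keeps the double quotes as part of the Make value, which is harmless only if every consumer tolerates them; whether that line is new or context is not visible on this rendered page.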
@@ -0,0 +1,154 @@ | ||
#!/bin/bash | ||
set -o errexit | ||
set -o pipefail | ||
set -o nounset | ||
|
||
function readCredentialsIfUnset() { | ||
if [ -z "${USERNAME}" ]; then | ||
echo "username is unset" | ||
while [[ -z ${USERNAME} ]]; do | ||
read -r -p "type username for ${REGISTRY_URL}: " USERNAME | ||
done | ||
fi | ||
if [ -z "${PASSWORD}" ]; then | ||
echo "password is unset" | ||
while [[ -z ${PASSWORD} ]]; do | ||
read -r -s -p "type password for ${REGISTRY_URL}: " PASSWORD | ||
done | ||
fi | ||
} | ||
|
||
function diffArrays() { | ||
local cveListX=("$1") | ||
local cveListY=("$2") | ||
local result=() | ||
|
||
local cveX | ||
# Disable the following shellcheck because the arrays are sufficiently whitespace delimited because of the jq parsing result. | ||
# shellcheck disable=SC2128 | ||
for cveX in ${cveListX}; do | ||
local found=0 | ||
local cveY | ||
for cveY in ${cveListY}; do | ||
[[ "${cveY}" == "${cveX}" ]] && { | ||
found=1 | ||
break | ||
} | ||
done | ||
|
||
[[ "${found}" == 0 ]] && result+=("${cveX}") | ||
done | ||
|
||
echo "${result[@]}" | ||
} | ||
|
||
function dockerLogin() { | ||
docker login "${REGISTRY_URL}" -u "${USERNAME}" -p "${PASSWORD}" | ||
} | ||
|
||
function dockerLogout() { | ||
docker logout "${REGISTRY_URL}" | ||
} | ||
|
||
function nameFromDogu() { | ||
jsonPropertyFromDogu ".Name" | ||
} | ||
|
||
function imageFromDogu() { | ||
jsonPropertyFromDogu ".Image" | ||
} | ||
|
||
function versionFromDogu() { | ||
jsonPropertyFromDogu ".Version" | ||
} | ||
|
||
function jsonPropertyFromDogu() { | ||
local property="${1}" | ||
jq -r "${property}" "${DOGU_JSON_FILE}" | ||
} | ||
|
||
function pullRemoteImage() { | ||
docker pull "$(imageFromDogu):$(versionFromDogu)" | ||
} | ||
|
||
function buildLocalImage() { | ||
docker build . -t "$(imageFromDogu):$(versionFromDogu)" | ||
} | ||
|
||
function scanImage() { | ||
docker run -v "${TRIVY_CACHE_DIR}":"${TRIVY_DOCKER_CACHE_DIR}" -v /var/run/docker.sock:/var/run/docker.sock -v "${TRIVY_PATH}":/result aquasec/trivy --cache-dir "${TRIVY_DOCKER_CACHE_DIR}" -f json -o /result/results.json image ${TRIVY_IMAGE_SCAN_FLAGS:+"${TRIVY_IMAGE_SCAN_FLAGS}"} "$(imageFromDogu):$(versionFromDogu)" | ||
} | ||
|
||
function parseTrivyJsonResult() { | ||
local severity="${1}" | ||
local trivy_result_file="${2}" | ||
|
||
# First select results which have the property "Vulnerabilities". Filter the vulnerability ids with the given severity and afterward put the values in an array. | ||
# This array is used to format the values with join(" ") in a whitespace delimited string list. | ||
jq -rc "[.Results[] | select(.Vulnerabilities) | .Vulnerabilities | .[] | select(.Severity == \"${severity}\") | .VulnerabilityID] | join(\" \")" "${trivy_result_file}" | ||
} | ||
|
||
RELEASE_SH="build/make/release.sh" | ||
|
||
REGISTRY_URL="registry.cloudogu.com" | ||
DOGU_JSON_FILE="dogu.json" | ||
|
||
CVE_SEVERITY="CRITICAL" | ||
|
||
TRIVY_PATH= | ||
TRIVY_RESULT_FILE= | ||
TRIVY_CACHE_DIR= | ||
TRIVY_DOCKER_CACHE_DIR=/tmp/db | ||
TRIVY_IMAGE_SCAN_FLAGS= | ||
|
||
USERNAME="" | ||
PASSWORD="" | ||
DRY_RUN= | ||
|
||
function runMain() { | ||
readCredentialsIfUnset | ||
dockerLogin | ||
|
||
mkdir -p "${TRIVY_PATH}" # Cache will not be removed after release. rm requires root because the trivy container only runs with root. | ||
pullRemoteImage | ||
scanImage | ||
local remote_trivy_cve_list | ||
remote_trivy_cve_list=$(parseTrivyJsonResult "${CVE_SEVERITY}" "${TRIVY_RESULT_FILE}") | ||
|
||
buildLocalImage | ||
scanImage | ||
local local_trivy_cve_list | ||
local_trivy_cve_list=$(parseTrivyJsonResult "${CVE_SEVERITY}" "${TRIVY_RESULT_FILE}") | ||
|
||
dockerLogout | ||
|
||
local cve_in_local_but_not_in_remote | ||
cve_in_local_but_not_in_remote=$(diffArrays "${local_trivy_cve_list}" "${remote_trivy_cve_list}") | ||
if [[ -n "${cve_in_local_but_not_in_remote}" ]]; then | ||
echo "Abort release. Added new vulnerabilities:" | ||
echo "${cve_in_local_but_not_in_remote[@]}" | ||
exit 2 | ||
fi | ||
|
||
local cve_in_remote_but_not_in_local | ||
cve_in_remote_but_not_in_local=$(diffArrays "${remote_trivy_cve_list}" "${local_trivy_cve_list}") | ||
if [[ -z "${cve_in_remote_but_not_in_local}" ]]; then | ||
echo "Abort release. Fixed no new vulnerabilities" | ||
exit 3 | ||
fi | ||
|
||
"${RELEASE_SH}" "dogu-cve-release" "${cve_in_remote_but_not_in_local}" "${DRY_RUN}" | ||
} | ||
|
||
# make the script only runMain when executed, not when sourced from bats tests | ||
if [[ -n "${BASH_VERSION}" && "${BASH_SOURCE[0]}" == "${0}" ]]; then | ||
USERNAME="${1:-""}" | ||
PASSWORD="${2:-""}" | ||
TRIVY_IMAGE_SCAN_FLAGS="${3:-""}" | ||
DRY_RUN="${4:-""}" | ||
|
||
TRIVY_PATH="/tmp/trivy-dogu-cve-release-$(nameFromDogu)" | ||
TRIVY_RESULT_FILE="${TRIVY_PATH}/results.json" | ||
TRIVY_CACHE_DIR="${TRIVY_PATH}/db" | ||
runMain | ||
fi |
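Review bot: `dockerLogin` passes the registry password on the command line (`-p "${PASSWORD}"`), and the entry block also receives it as positional `$2`, so the secret is visible in the process list and in any CI command echo for the duration of the call; docker's `--password-stdin` avoids the argv exposure: `printf '%s' "${PASSWORD}" | docker login "${REGISTRY_URL}" -u "${USERNAME}" --password-stdin`. `dockerLogout` only runs on the success path of `runMain`, and with `set -o errexit` any failing step between login and logout leaves the session credential in the docker config; a `trap dockerLogout EXIT` placed right after `dockerLogin` covers both paths. The result and cache directory `/tmp/trivy-dogu-cve-release-$(nameFromDogu)` is a predictable path in a shared directory that the comment says is deliberately kept across runs; on a multi-user host a per-user cache location (for example under `${XDG_CACHE_HOME:-$HOME/.cache}`) would avoid reusing a directory another account could have created, and `mkdir -p` will silently accept such a pre-existing directory.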