
CI: Things

+269
+5
.github/labeler.yaml
··· 1 + --- 2 + area/ci: 3 + - ".github/**/*" 4 + area/kubernetes: 5 + - "cluster/**/*"
+132
.github/scripts/container-parser.sh
··· 1 + #!/usr/bin/env bash 2 + 3 + # 4 + # script to parse out any images from Kubernetes manifests, 5 + # helm values, flux helm releases, or docker compose files. 6 + # returns a object with an array of containers from the parsed file 7 + # 8 + 9 + set -o errexit 10 + set -o nounset 11 + set -o pipefail 12 + 13 + show_help() { 14 + cat << EOF 15 + Usage: $(basename "$0") <options> 16 + -h, --help Display help 17 + -f, --file File to scan for container images 18 + --nothing Enable nothing mode 19 + EOF 20 + } 21 + 22 + main() { 23 + local file= 24 + local nothing= 25 + parse_command_line "$@" 26 + check "jo" 27 + check "jq" 28 + check "yq" 29 + parse_files 30 + } 31 + 32 + parse_command_line() { 33 + while :; do 34 + case "${1:-}" in 35 + -h|--help) 36 + show_help 37 + exit 38 + ;; 39 + -f|--file) 40 + if [[ -n "${2:-}" ]]; then 41 + file="$2" 42 + shift 43 + else 44 + echo "ERROR: '-f|--file' cannot be empty." >&2 45 + show_help 46 + exit 1 47 + fi 48 + ;; 49 + --nothing) 50 + nothing=1 51 + ;; 52 + *) 53 + break 54 + ;; 55 + esac 56 + shift 57 + done 58 + 59 + if [[ -z "$file" ]]; then 60 + echo "ERROR: '-f|--file' is required." 
>&2 61 + show_help 62 + exit 1 63 + fi 64 + 65 + if [[ -z "$nothing" ]]; then 66 + nothing=0 67 + fi 68 + } 69 + 70 + check() { 71 + command -v "${1}" >/dev/null 2>&1 || { 72 + echo >&2 "ERROR: ${1} is not installed or not found in \$PATH" >&2 73 + exit 1 74 + } 75 + } 76 + 77 + parse_files() { 78 + # create new array to hold the images 79 + images=() 80 + 81 + # look in hydrated flux helm releases 82 + chart_registry_url=$(sed -nr 's|.*registryUrl=(.+)$|\1|p' "${file}") 83 + chart_name=$(yq eval .spec.chart.spec.chart "${file}" 2>/dev/null) 84 + if [[ -n ${chart_registry_url} && -n "${chart_name}" ]]; then 85 + chart_version=$(yq eval .spec.chart.spec.version "${file}" 2>/dev/null) 86 + chart_values=$(yq eval .spec.values "${file}" 2>/dev/null) 87 + pushd "$(mktemp -d)" > /dev/null 2>&1 88 + helm repo add ci "${chart_registry_url}" > /dev/null 2>&1 89 + helm pull "ci/${chart_name}" --untar --version "${chart_version}" 90 + resources=$(echo "${chart_values}" | helm template "${chart_name}" "${chart_name}" --version "${chart_version}" -f -) 91 + popd > /dev/null 2>&1 92 + images+=("$(echo "${resources}" | yq eval-all '.spec.template.spec.containers.[].image' -)") 93 + fi 94 + 95 + # look in helm values 96 + images+=("$(yq eval-all '[.. 
| select(has("repository")) | select(has("tag"))] | .[] | .repository + ":" + .tag' "${file}" 2>/dev/null)") 97 + 98 + # look in kubernetes deployments, statefulsets and daemonsets 99 + images+=("$(yq eval-all '.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)") 100 + 101 + # look in kubernetes pods 102 + images+=("$(yq eval-all '.spec.containers.[].image' "${file}" 2>/dev/null)") 103 + 104 + # look in kubernetes cronjobs 105 + images+=("$(yq eval-all '.spec.jobTemplate.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)") 106 + 107 + # look in docker compose 108 + images+=("$(yq eval-all '.services.*.image' "${file}" 2>/dev/null)") 109 + 110 + # remove duplicate values xD 111 + IFS=" " read -r -a images <<< "$(tr ' ' '\n' <<< "${images[@]}" | sort -u | tr '\n' ' ')" 112 + 113 + # create new array to hold the parsed images 114 + parsed_images=() 115 + # loop thru the images removing any invalid items 116 + for i in "${images[@]}"; do 117 + # loop thru each image and split on new lines (for when yq finds multiple containers in the same file) 118 + for b in ${i//\\n/ }; do 119 + if [[ -z "${b}" || "${b}" == "null" || "${b}" == "---" ]]; then 120 + continue 121 + fi 122 + parsed_images+=("${b}") 123 + done 124 + done 125 + # check if parsed_images array has items 126 + if (( ${#parsed_images[@]} )); then 127 + # convert the bash array to json and wrap array in an containers object 128 + jo -a "${parsed_images[@]}" | jq -c '{containers: [(.[])]}' 129 + fi 130 + } 131 + 132 + main "$@"
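Review bot: parse_files runs `helm repo add`, `helm pull` and `helm template` in the flux branch, but main only verifies jo, jq and yq, so a runner without helm dies under errexit with no message instead of the clear one check() prints; add `check "helm"` next to the other three. The registry URL and chart name for that pull are read straight from the file being scanned, so under the pull_request trigger this job fetches and renders whatever chart a PR declares — worth stating in the header comment so the script is never later wired into a context holding write-capable credentials. The directory from `mktemp -d` is never removed; `tmpdir=$(mktemp -d); trap 'rm -rf "${tmpdir}"' EXIT; pushd "${tmpdir}" > /dev/null 2>&1` cleans it up on every exit path. The inner loop's `${i//\\n/ }` on line 118 appears to replace a literal backslash-n sequence rather than a newline, and since the dedup on line 111 has already joined everything on spaces, the loop seems to rely on unquoted word splitting alone; an image entry containing glob characters would also be expanded against the working directory there.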
+34
.github/workflows/meta-label-size.yaml
··· 1 + --- 2 + name: Meta - Label Size 3 + 4 + on: # yamllint disable-line rule:truthy 5 + pull_request: 6 + branches: 7 + - main 8 + 9 + jobs: 10 + label-size: 11 + name: Label Size 12 + runs-on: ubuntu-latest 13 + steps: 14 + - name: Generate Token 15 + uses: tibdex/github-app-token@v1 16 + id: generate-token 17 + with: 18 + app_id: ${{ secrets.BOT_APP_ID }} 19 + private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }} 20 + 21 + - name: Label Size 22 + uses: pascalgn/size-label-action@v0.4.3 23 + env: 24 + GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" 25 + with: 26 + sizes: > 27 + { 28 + "0": "XS", 29 + "20": "S", 30 + "50": "M", 31 + "200": "L", 32 + "800": "XL", 33 + "2000": "XXL" 34 + }
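Review bot: Both steps reference third-party actions by mutable tag (`tibdex/github-app-token@v1`, `pascalgn/size-label-action@v0.4.3`) while handing the second one a GitHub App token minted from BOT_APP_PRIVATE_KEY; a moved or retagged release changes what runs with that token, so pin each `uses:` to a full commit SHA with the version kept in a trailing comment. meta-labeler.yaml has the same pattern with `tibdex/github-app-token@v1` and `actions/labeler@v4`. On a pull_request from a fork the repository secrets are not provided, so Generate Token fails and the job goes red rather than skipping; if that is not intended, `if: github.event.pull_request.head.repo.full_name == github.repository` on the job makes the limitation explicit.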
+25
.github/workflows/meta-labeler.yaml
··· 1 + --- 2 + name: Meta - Labeler 3 + 4 + on: # yamllint disable-line rule:truthy 5 + pull_request: 6 + branches: 7 + - main 8 + 9 + jobs: 10 + labeler: 11 + name: Labeler 12 + runs-on: ubuntu-latest 13 + steps: 14 + - name: Generate Token 15 + uses: tibdex/github-app-token@v1 16 + id: generate-token 17 + with: 18 + app_id: ${{ secrets.BOT_APP_ID }} 19 + private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }} 20 + 21 + - name: Labeler 22 + uses: actions/labeler@v4 23 + with: 24 + repo-token: "${{ steps.generate-token.outputs.token }}" 25 + configuration-path: .github/labeler.yaml
+73
.github/workflows/scan-containers.yaml
··· 1 + --- 2 + name: Scan Containers 3 + 4 + on: # yamllint disable-line rule:truthy 5 + pull_request: 6 + branches: 7 + - main 8 + paths: 9 + - "cluster/**.yaml" 10 + - "provision/ansible/**.yml.j2" 11 + 12 + jobs: 13 + detect-file-changes: 14 + name: Detect File Changes 15 + runs-on: ubuntu-20.04 16 + steps: 17 + - uses: actions/checkout@v2 18 + - uses: dorny/paths-filter@v2 19 + id: filter 20 + with: 21 + list-files: json 22 + filters: | 23 + yaml: 24 + - added|modified: "**.yaml" 25 + - added|modified: "**.yml" 26 + - added|modified: "**.yaml.j2" 27 + - added|modified: "**.yml.j2" 28 + outputs: 29 + yaml_files: ${{ steps.filter.outputs.yaml_files }} 30 + detect-containers: 31 + name: Detect Containers 32 + runs-on: ubuntu-20.04 33 + needs: detect-file-changes 34 + strategy: 35 + matrix: 36 + file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }} 37 + steps: 38 + - name: Checkout 39 + uses: actions/checkout@v2 40 + - name: Install Jo 41 + run: | 42 + sudo apt-get install jo 43 + - name: Detect Containers in Files 44 + id: containers 45 + run: | 46 + containers=$(.github/scripts/container-parser.sh --file "${{ matrix.file }}") 47 + echo "${containers}" 48 + echo ::set-output name=containers::${containers} 49 + outputs: 50 + containers: ${{ steps.containers.outputs.containers }} 51 + scan-containers: 52 + name: Scan Containers 53 + runs-on: ubuntu-20.04 54 + needs: detect-containers 55 + strategy: 56 + matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }} 57 + fail-fast: false 58 + steps: 59 + - name: Checkout 60 + uses: actions/checkout@v2 61 + - name: Scan Container 62 + uses: aquasecurity/trivy-action@0.2.1 63 + with: 64 + image-ref: ${{ matrix.containers }} 65 + vuln-type: os,library 66 + severity: CRITICAL,HIGH 67 + format: template 68 + template: "@/contrib/sarif.tpl" 69 + output: trivy-results.sarif 70 + - name: Upload Trivy scan results to GitHub Security tab 71 + uses: github/codeql-action/upload-sarif@v1 72 + with: 73 + 
sarif_file: trivy-results.sarif
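Review bot: The run step on line 46 interpolates `${{ matrix.file }}` directly into the shell script, and that value is a changed-file path from the pull request as emitted by dorny/paths-filter, so a path containing shell metacharacters is evaluated by the runner shell rather than passed as an argument; route it through the environment instead, with `env:` / `FILE: ${{ matrix.file }}` on the step and `containers=$(.github/scripts/container-parser.sh --file "${FILE}")` in the script. The parser prints nothing when a file contains no images, so `containers` is empty for such a file and `fromJSON(needs.detect-containers.outputs.containers)` on line 56 then fails the scan-containers job instead of skipping it; a guard such as `if: needs.detect-containers.outputs.containers != ''` on that job avoids the failure. Because detect-containers is itself a matrix job, its job-level `outputs.containers` is, as far as I can tell, whichever leg wrote it last, so only one file's images reach the scan matrix when several YAML files change in one PR. The actions here are again referenced by mutable tag (`dorny/paths-filter@v2`, `aquasecurity/trivy-action@0.2.1`) rather than by commit SHA.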