chore: update ruby, ubi image, and fix CVEs #103
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI Build Test | |
on: | |
pull_request: | |
branches-ignore: | |
- /^release\/.*/ | |
- main | |
jobs: | |
build: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Setup Ruby and install gems | |
uses: ruby/setup-ruby@v1 | |
with: | |
bundler-cache: true | |
ruby-version: 3.1 | |
- name: Install dependencies | |
run: | | |
sudo ci_scripts/install_dep.sh | |
- name: Builder | |
run: | | |
bundle exec rake build -t -v | |
cp -R pkg /tmp | |
- name: Cache pkg | |
uses: actions/cache@v1 | |
with: | |
path: /tmp | |
key: ${{ runner.os }}-build | |
unit-test: | |
runs-on: ubuntu-20.04 | |
needs: | |
- build | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: Install dependencies | |
run: | | |
sudo ci_scripts/install_dep.sh | |
- uses: actions/cache@v2 | |
with: | |
path: /tmp | |
key: ${{ runner.os }}-build | |
- name: Run unit tests | |
run: | | |
bundle exec rake test -t -v | |
func-test: | |
needs: | |
- unit-test | |
runs-on: ubuntu-20.04 | |
env: | |
CI_SPLUNK_PORT: 8089 | |
CI_SPLUNK_USERNAME: admin | |
CI_SPLUNK_HEC_TOKEN: a6b5e77f-d5f6-415a-bd43-930cecb12959 | |
CI_SPLUNK_PASSWORD: ${{ secrets.CI_SPLUNK_PASSWORD }} | |
CI_INDEX_EVENTS: ci_events | |
CI_INDEX_OBJECTS: ci_objects | |
CI_INDEX_METRICS: ci_metrics | |
CI_SPLUNK_HOST: ${{ secrets.CI_SPLUNK_HOST }} | |
KUBERNETES_VERSION: v1.23.2 | |
MINIKUBE_VERSION: v1.24.0 | |
MINIKUBE_NODE_COUNTS: 2 | |
GITHUB_ACTIONS: true | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: Prepare container build | |
id: prep | |
run: | | |
VERSION=`cat VERSION` | |
TAGS=splunk/fluentd-hec:recent | |
echo ::set-output name=tags::${TAGS} | |
echo ::set-output name=version::${VERSION} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@master | |
with: | |
platforms: all | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
- name: Build multi-arch kubernetes-metrics image | |
uses: docker/build-push-action@v2 | |
with: | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./docker/Dockerfile | |
platforms: linux/amd64 | |
push: false | |
load: true | |
tags: ${{ steps.prep.outputs.tags }} | |
build-args: VERSION=${{ steps.prep.outputs.version }} | |
- name: Check kubernetes-metrics image | |
run: | | |
docker image ls | |
- name: Setup Minikube | |
run: | | |
# Install Kubectl | |
curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/${KUBERNETES_VERSION}/bin/linux/amd64/kubectl | |
chmod +x kubectl | |
sudo mv kubectl /usr/local/bin/ | |
mkdir -p ${HOME}/.kube | |
touch ${HOME}/.kube/config | |
# Install Minikube | |
curl -Lo minikube https://storage.googleapis.com/minikube/releases/${MINIKUBE_VERSION}/minikube-linux-amd64 | |
chmod +x minikube | |
sudo mv minikube /usr/local/bin/ | |
# Start Minikube and Wait | |
minikube start --driver=docker --container-runtime=docker --cpus 2 --memory 4096 --kubernetes-version=${KUBERNETES_VERSION} --no-vtx-check -n=${MINIKUBE_NODE_COUNTS} | |
export JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}' | |
until kubectl get nodes -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do | |
sleep 1; | |
done | |
- name: Deploy k8s connector | |
run: | | |
ci_scripts/deploy_connector.sh | |
- name: Deploy log generator | |
run: | | |
# Cleanup Indexes | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/$CI_INDEX_EVENTS | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/$CI_INDEX_OBJECTS | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/$CI_INDEX_METRICS | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/default-events | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/ns-anno | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/pod-anno | |
# Delete HEC token | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/servicesNS/nobody/splunk_httpinput/data/inputs/http/splunk_hec_token | |
# Setup Indexes | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=$CI_INDEX_EVENTS -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=$CI_INDEX_OBJECTS -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=$CI_INDEX_METRICS -d datatype=metric | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=default-events -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=ns-anno -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=pod-anno -d datatype=event | |
# Setup HEC token | |
curl -X POST -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD -k -d "name=splunk_hec_token&token=a6b5e77f-d5f6-415a-bd43-930cecb12959&disabled=0&index=default-events&indexes=default-events,$CI_INDEX_METRICS,$CI_INDEX_OBJECTS,$CI_INDEX_EVENTS,ns-anno,pod-anno" https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/servicesNS/nobody/splunk_httpinput/data/inputs/http | |
cd /opt/splunk-connect-for-kubernetes | |
kubectl apply -f test/test_setup.yaml | |
sleep 60 | |
- uses: actions/setup-python@v2 | |
with: | |
python-version: 3.7 | |
- name: Run functional tests | |
run: | | |
# Cleanup Indexes | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/$CI_INDEX_EVENTS | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/$CI_INDEX_OBJECTS | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/$CI_INDEX_METRICS | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/default-events | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/ns-anno | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes/pod-anno | |
# Delete HEC token | |
curl -X DELETE -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/servicesNS/nobody/splunk_httpinput/data/inputs/http/splunk_hec_token | |
# Setup Indexes | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=$CI_INDEX_EVENTS -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=$CI_INDEX_OBJECTS -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=$CI_INDEX_METRICS -d datatype=metric | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=default-events -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=ns-anno -d datatype=event | |
curl -X POST -k -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/services/data/indexes -d name=pod-anno -d datatype=event | |
# Setup HEC token | |
curl -X POST -u $CI_SPLUNK_USERNAME:$CI_SPLUNK_PASSWORD -k -d "name=splunk_hec_token&token=a6b5e77f-d5f6-415a-bd43-930cecb12959&disabled=0&index=default-events&indexes=default-events,$CI_INDEX_METRICS,$CI_INDEX_OBJECTS,$CI_INDEX_EVENTS,ns-anno,pod-anno" https://$CI_SPLUNK_HOST:$CI_SPLUNK_PORT/servicesNS/nobody/splunk_httpinput/data/inputs/http | |
echo "check the pods" | |
kubectl get pods -A | |
cd /opt/splunk-connect-for-kubernetes | |
kubectl get nodes | |
export PYTHONWARNINGS="ignore:Unverified HTTPS request" | |
cd test | |
pip install --upgrade pip | |
pip install -r requirements.txt | |
echo "Running functional tests....." | |
python -m pytest \ | |
--splunkd-url https://$CI_SPLUNK_HOST:8089 \ | |
--splunk-user admin \ | |
--splunk-password $CI_SPLUNK_PASSWORD \ | |
--nodes-count $MINIKUBE_NODE_COUNTS\ | |
-p no:warnings -s -n auto | |
fossa-scan: | |
continue-on-error: true | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: run fossa anlyze and create report | |
run: | | |
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash | |
fossa analyze --include-unused-deps --debug | |
fossa report attribution --format text > /tmp/THIRDPARTY | |
env: | |
FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} | |
- name: upload THIRDPARTY file | |
uses: actions/upload-artifact@v2 | |
with: | |
name: THIRDPARTY | |
path: /tmp/THIRDPARTY | |
- name: run fossa test | |
run: | | |
fossa test --debug | |
env: | |
FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} | |
semgrep: | |
runs-on: ubuntu-latest | |
name: security-sast-semgrep | |
if: github.actor != 'dependabot[bot]' | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Semgrep | |
id: semgrep | |
uses: returntocorp/semgrep-action@v1 | |
with: | |
publishToken: ${{ secrets.SEMGREP_PUBLISH_TOKEN }} |