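---
name: Build and Test

# One run per workflow + ref: a newer run for the same ref cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as the
# trigger key, so it stays plain (yamllint: truthy).
on:
  workflow_call:
    inputs:
      # Read by the scan job as `inputs.branch`. Optional: when a caller omits it
      # the expression expands to "" and the checkout / upload-sarif steps that use
      # it fall back to their default ref handling.
      branch:
        description: Git ref the scan job checks out and reports SARIF against
        required: false
        type: string
  pull_request:
  workflow_dispatch:

jobs: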
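# jobs.build - packs the rock on a self-hosted jammy runner and publishes it as an artifact.
build:
  name: Build Rock
  runs-on: [self-hosted, linux, X64, jammy, large]
  timeout-minutes: 30
  outputs:
    # File name of the packed rock, exported by the "Build rock" step below.
    rock-file: ${{ steps.build-rock.outputs.rock }}
  steps:
    - name: Checkout repo
      # NOTE(review): checkout@v3 and upload-artifact@v3 are superseded by v4; the
      # artifact actions have to move together in all jobs of this workflow, because
      # download-artifact@v3 cannot read artifacts produced by upload-artifact@v4.
      uses: actions/checkout@v3
      with:
        fetch-depth: 0  # full history rather than a shallow clone
    - name: Setup LXD
      # NOTE(review): `@main` is a mutable ref; pin to a release tag or a full commit
      # SHA so a change in that repository cannot silently alter the build backend.
      uses: canonical/setup-lxd@main
    - name: Install required dependencies
      # NOTE(review): `--edge` / `--channel edge` track unreleased builds and
      # `--devmode` disables snap confinement; prefer stable channels where possible.
      run: |
        # docker
        sudo snap install docker --channel=latest/stable
        sudo addgroup --system docker; sudo adduser $USER docker
        newgrp docker
        sudo snap disable docker; sudo snap enable docker
        # skopeo
        sudo snap install --devmode --channel edge skopeo
        # rockcraft
        sudo snap install rockcraft --classic --edge
        # jq and yq
        sudo snap install jq yq
    - name: Upgrade linux deps with security updates
      run: |
        sudo apt-get update
        # Dry-run the upgrade, keep the "Inst" lines that mention a security pocket
        # and install only those packages. `xargs -r` skips the install entirely
        # when the filtered list is empty.
        sudo apt-get -s dist-upgrade \
          | grep "^Inst" \
          | grep -i securi \
          | awk -F " " {'print $2'} \
          | xargs -r sudo apt-get install -y
        sudo apt-get autoremove -y
    - name: Build rock
      id: build-rock
      run: |
        rockcraft pack --verbose
        # Export the packed file name for the job-level `rock-file` output
        # (same glob as the artifact upload below).
        echo "rock=$(ls charmed-opensearch_*.rock)" >> "$GITHUB_OUTPUT"
    - name: Upload built rock job artifact
      uses: actions/upload-artifact@v3
      with:
        name: charmed_opensearch_rock_amd64
        path: "charmed-opensearch_*.rock"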
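# jobs.scan - vulnerability scan and SBOM of the rock produced by jobs.build.
scan:
  name: Trivy scan and sbom generation
  runs-on: ubuntu-22.04
  timeout-minutes: 15
  needs:
    - build
  # Job-scoped token permissions: only what the two GitHub upload steps need.
  # On pull_request runs from forks the token is read-only regardless, so expect
  # those two steps to fail there.
  permissions:
    contents: write          # Dependency Graph SBOM submission (github-pat below)
    security-events: write   # upload-sarif into the Security tab
    actions: read            # required by upload-sarif on private repositories
  steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        ref: ${{ inputs.branch }}  # empty unless a workflow_call caller passes it
    - name: Download rock file
      # Must stay on the same major as upload-artifact in jobs.build.
      uses: actions/download-artifact@v3
      with:
        name: charmed_opensearch_rock_amd64
        path: .
    - name: Install rockcraft (for skopeo)
      run: |
        sudo snap install rockcraft --classic --edge
    - name: Import locally
      # --insecure-policy skips skopeo's signature policy; the source here is this
      # run's own build artifact, not a remote registry.
      run: |
        # Unpack artifact
        version="$(cat rockcraft.yaml | yq .version)"
        sudo skopeo \
          --insecure-policy \
          copy \
          oci-archive:charmed-opensearch_${version}_amd64.rock \
          docker-daemon:charmed_opensearch_rock_amd64:test
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.28.0
      with:
        # Must match the docker-daemon: target of the "Import locally" step exactly;
        # any other name makes Trivy look for the image in a remote registry.
        image-ref: 'charmed_opensearch_rock_amd64:test'
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'MEDIUM,HIGH,CRITICAL'
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v2
      if: always()  # publish whatever results exist even when the scan step failed
      with:
        sarif_file: 'trivy-results.sarif'
        # NOTE(review): when a caller does set inputs.branch, upload-sarif expects a
        # full ref (refs/heads/...) and a matching `sha` input alongside it - confirm.
        ref: ${{ inputs.branch }}
    - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'image'
        format: 'spdx-json'
        output: 'dependency-results.sbom.json'
        image-ref: 'charmed_opensearch_rock_amd64:test'
        github-pat: ${{ secrets.GITHUB_TOKEN }}
        severity: "MEDIUM,HIGH,CRITICAL"
        scanners: "vuln"
    - name: Upload trivy report as a Github artifact
      uses: actions/upload-artifact@v4
      with:
        name: trivy-sbom-report
        path: '${{ github.workspace }}/dependency-results.sbom.json'
        retention-days: 90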
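# jobs.test - boots a three-node cluster from the built rock and checks membership
# (the steps list continues below this block).
test:
  name: Test Rock
  # Same release as the scan job and the jammy builder, so the snap / sysctl /
  # docker steps run on a known base rather than whatever `ubuntu-latest`
  # currently resolves to.
  runs-on: ubuntu-22.04
  timeout-minutes: 15
  needs:
    - build
  steps: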
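- name: Checkout repo
  # Same major as the scan job's checkout; no artifact coupling, so this one can
  # move independently of the upload/download-artifact pair.
  uses: actions/checkout@v4
- name: Download rock file
  # Must stay on the same major as upload-artifact in jobs.build.
  uses: actions/download-artifact@v3
  with:
    name: charmed_opensearch_rock_amd64
    path: .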
- name: Install required dependencies
  # Same docker/skopeo install sequence as jobs.build, plus yq for reading
  # rockcraft.yaml; the sequence is order-dependent, so it is left as is.
  # NOTE(review): `newgrp docker` starts a sub-shell that reads from stdin; in a
  # non-interactive run: script it does not change the group of the commands that
  # follow -- confirm the later `docker` calls really run with the intended group.
  # `--devmode --channel edge` installs an unconfined, unreleased skopeo build.
  run: |
    # docker
    sudo snap install docker --channel=latest/stable
    sudo addgroup --system docker; sudo adduser $USER docker
    newgrp docker
    sudo snap disable docker; sudo snap enable docker
    # skopeo
    sudo snap install --devmode --channel edge skopeo
    sudo snap install yq
- name: Create local image
  # Loads the downloaded OCI archive into the local docker daemon as
  # charmed-opensearch:<version>, with <version> read from rockcraft.yaml.
  # --insecure-policy skips skopeo's signature policy; the source is this run's
  # own build artifact, so no registry trust decision is involved.
  run: |
    version="$(cat rockcraft.yaml | yq .version)"
    sudo skopeo \
      --insecure-policy \
      copy \
      oci-archive:charmed-opensearch_${version}_amd64.rock \
      docker-daemon:charmed-opensearch:${version}
- name: Setup the required system configs
  # Host kernel settings applied before the containers start:
  #   vm.swappiness=0          - avoid swapping the JVM heap
  #   vm.max_map_count=262144  - raise the per-process mmap limit OpenSearch needs
  #   net.ipv4.tcp_retries2=5  - fewer TCP retransmits before a dead peer is dropped
  # These are not reverted afterwards; fine on a throwaway runner.
  run: |
    sudo sysctl -w vm.swappiness=0
    sudo sysctl -w vm.max_map_count=262144
    sudo sysctl -w net.ipv4.tcp_retries2=5
- name: Start OpenSearch
  # Three containers from the image imported above, each publishing its 9200 on a
  # distinct host port (9200/9201/9202). No --network is given, so they share
  # docker's default network and find each other by the IPs read back with
  # `docker inspect`:
  #   cm0   - first "cm" node (cluster manager, presumably); INITIAL_CM_NODES=cm0
  #           bootstraps the cluster
  #   data1 - NODE_ROLES=data,voting_only, seeded from cm0
  #   cm1   - second "cm" node, seeded from cm0 and data1, INITIAL_CM_NODES=cm0,cm1
  # The env var names are the image's contract -- confirm against its entrypoint.
  # NOTE(review): readiness is approximated by fixed 30s sleeps, a classic source
  # of flaky runs; polling each node's HTTP port would be more robust.
  # container_2_ip is captured but not used within this step.
  run: |
    version="$(cat rockcraft.yaml | yq .version)"
    # create first cm_node container
    container_0_id=$(docker run \
      -d --rm -it \
      -e NODE_NAME=cm0 \
      -e INITIAL_CM_NODES=cm0 \
      -p 9200:9200 \
      --name cm0 \
      charmed-opensearch:"${version}")
    container_0_ip=$(docker inspect -f '{{ .NetworkSettings.IPAddress }}' "${container_0_id}")
    # wait a bit for it to fully initialize
    sleep 30s
    # create data/voting_only node container
    container_1_id=$(docker run \
      -d --rm -it \
      -e NODE_NAME=data1 \
      -e SEED_HOSTS="${container_0_ip}" \
      -e NODE_ROLES=data,voting_only \
      -p 9201:9200 \
      --name data1 \
      charmed-opensearch:"${version}")
    container_1_ip=$(docker inspect -f '{{ .NetworkSettings.IPAddress }}' "${container_1_id}")
    # wait a bit for it to fully initialize
    sleep 30s
    # create 2nd cm_node container
    container_2_id=$(docker run \
      -d --rm -it \
      -e NODE_NAME=cm1 \
      -e SEED_HOSTS="${container_0_ip},${container_1_ip}" \
      -e INITIAL_CM_NODES="cm0,cm1" \
      -p 9202:9200 \
      --name cm1 \
      charmed-opensearch:"${version}")
    container_2_ip=$(docker inspect -f '{{ .NetworkSettings.IPAddress }}' "${container_2_id}")
    # wait a bit for it to fully initialize
    sleep 30s
- name: Ensure the cluster is reachable and nodes well joined
run: |
# test node
cluster_resp=$(curl -sk -XGET http://127.0.0.1:9200)
echo -e "Cluster Response: \n ${cluster_resp}"
node_name=$(echo "${cluster_resp}" | jq -r .name)
if [ "${node_name}" != "cm0" ]; then
exit 1
fi
# query all nodes of cluster
successful_nodes="$(curl -sk -XGET http://127.0.0.1:9200/_nodes | jq ._nodes.successful)"
if [ "${successful_nodes}" != 3 ]; then
exit 1
fi
all_nodes="$(curl -sk -XGET http://127.0.0.1:9200/_nodes/ | \
jq '.nodes | values[] | .name' | \
jq -s '. |= if . then sort else empty end' | \
jq -r '. | values[]' | \
paste -sd "," - \
)"
echo "All nodes: ${all_nodes}"
if [ "${all_nodes}" != "cm0,cm1,data1" ]; then
exit 1
fi