-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Initial commit * signed commit * Update Makefile * deleting values.yaml file * added release.yml file * added resources to containers * added codeowners
- Loading branch information
1 parent
f819bdf
commit 62dacb0
Showing
20 changed files
with
491 additions
and
0 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
* @metal-toolbox/hollow-core | ||
* @metal-toolbox/security-core |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
name: helm-test | ||
on: | ||
push: | ||
branches: [ "main" ] | ||
pull_request: | ||
branches: [ "main" ] | ||
workflow_dispatch: | ||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Install Helm | ||
uses: azure/setup-helm@v3 | ||
with: | ||
version: v3.10.0 | ||
|
||
- name: Run a one-line script | ||
run: cd charts/audittail/tests && helm dependency update ./consumerapp && helm template consumerapp ./consumerapp/ --debug |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
name: Release Charts | ||
|
||
on: | ||
push: | ||
branches: | ||
- master | ||
|
||
jobs: | ||
release: | ||
permissions: | ||
contents: write | ||
packages: write | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Configure Git | ||
run: | | ||
git config user.name "hnadiminti-equinix" | ||
git config user.email "hari.nadiminti@eu.equinix.com" | ||
- name: Install Helm | ||
uses: azure/setup-helm@v3 | ||
with: | ||
version: v3.10.0 | ||
|
||
- name: Run chart-releaser | ||
uses: helm/chart-releaser-action@v1.4.1 | ||
with: | ||
charts_dir: charts | ||
env: | ||
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
name: Release | ||
|
||
on: | ||
push: | ||
tags: | ||
- v** | ||
|
||
jobs: | ||
auto-release: | ||
name: Create Release | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Release | ||
uses: softprops/action-gh-release@v1 | ||
with: | ||
generate_release_notes: true | ||
|
||
container-main: | ||
uses: metal-toolbox/container-push/.github/workflows/container-push.yml@main | ||
with: | ||
name: audittail | ||
tag: ${GITHUB_REF_NAME} | ||
dockerfile_path: images/audittail/Dockerfile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
--- | ||
name: security | ||
|
||
# Run for all pushes to main and pull requests when Go or YAML files change | ||
on: | ||
push: | ||
branches: | ||
- main | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
branches: [ main ] | ||
schedule: | ||
- cron: '23 20 * * 2' | ||
|
||
jobs: | ||
scan-trivy: | ||
name: sec-scan-trivy | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
|
||
- name: Run Trivy vulnerability scanner in repo mode | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
scan-type: 'fs' | ||
security-checks: 'vuln,config,secret' | ||
ignore-unfixed: true | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
severity: 'HIGH,CRITICAL' | ||
skip-dirs: 'tests' | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: 'trivy-results.sarif' | ||
|
||
scan-anchore: | ||
name: sec-scan-anchore | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
|
||
- name: Scan current project | ||
id: codescan | ||
uses: anchore/scan-action@v3 | ||
with: | ||
path: "." | ||
severity-cutoff: high | ||
acs-report-enable: true | ||
|
||
- name: upload Anchore scan SARIF report | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: ${{ always() }} | ||
with: | ||
sarif_file: ${{ steps.codescan.outputs.sarif }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
TAG?= | ||
|
||
|
||
.PHONY: release | ||
release: ## Issues a release | ||
@test -n "$(TAG)" || (echo "The TAG variable must be set" && exit 1) | ||
@echo "Releasing $(TAG)" | ||
git checkout -b "release-$(TAG)" | ||
sed -i -E s/v[0-9]+\.[0-9]+\.[0-9]+/$(TAG)/ charts/audittail/templates/_values.tpl | ||
git add charts/audittail/templates/_values.tpl | ||
git commit -m "Release $(TAG)" | ||
git tag -m "Release $(TAG)" "$(TAG)" | ||
git push origin "release-$(TAG)" | ||
git push origin "$(TAG)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
apiVersion: v2 | ||
name: audittail | ||
description: A Helm chart for Kubernetes | ||
|
||
# A chart can be either an 'application' or a 'library' chart. | ||
# | ||
# Application charts are a collection of templates that can be packaged into versioned archives | ||
# to be deployed. | ||
# | ||
# Library charts provide useful utilities or functions for the chart developer. They're included as | ||
# a dependency of application charts to inject those utilities and functions into the rendering | ||
# pipeline. Library charts do not define any templates and therefore cannot be deployed. | ||
type: library | ||
|
||
# This is the chart version. This version number should be incremented each time you make changes | ||
# to the chart and its templates, including the app version. | ||
# Versions are expected to follow Semantic Versioning (https://semver.org/) | ||
version: 1.0.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Kubernetes container arguments | ||
*/}} | ||
{{- define "audittail.args" -}} | ||
- '-f' | ||
- '/app-audit/audit.log' | ||
{{- end -}} | ||
|
||
{{- define "audittail.initargs" -}} | ||
- 'init' | ||
{{ include "audittail.args" .}} | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "audittail.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "audittail.fullname" -}} | ||
{{- if .Values.fullnameOverride }} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- $name := default .Chart.Name .Values.nameOverride }} | ||
{{- if contains $name .Release.Name }} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "audittail.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "audittail.labels" -}} | ||
helm.sh/chart: {{ include "audittail.chart" . }} | ||
{{ include "audittail.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end }} | ||
|
||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "audittail.selectorLabels" -}} | ||
app.kubernetes.io/name: {{ include "audittail.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create the name of the service account to use | ||
*/}} | ||
{{- define "audittail.serviceAccountName" -}} | ||
{{- if .Values.serviceAccount.create }} | ||
{{- default (include "audittail.fullname" .) .Values.serviceAccount.name }} | ||
{{- else }} | ||
{{- default "default" .Values.serviceAccount.name }} | ||
{{- end }} | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Kubernetes Init Container | ||
*/}} | ||
{{- define "audittail.initContainer" -}} | ||
- image: {{ include "audittail.image" .}} | ||
name: {{ template "audittail.initContainerName" }} | ||
args: {{ include "audittail.initargs" . | nindent 4}} | ||
securityContext: {{ include "audittail.securityContext" . | nindent 4}} | ||
resources: {{ include "audittail.resources" . | nindent 4}} | ||
volumeMounts: {{ include "audittail.volumeMount" . | nindent 4}} | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Kubernetes Container Resources | ||
*/}} | ||
{{- define "audittail.resources" -}} | ||
requests: | ||
memory: "128Mi" | ||
cpu: "100m" | ||
limits: | ||
memory: "256Mi" | ||
cpu: "200m" | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Kubernetes Container Security Context | ||
*/}} | ||
{{- define "audittail.securityContext" -}} | ||
allowPrivilegeEscalation: false | ||
runAsNonRoot: true | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Kubernetes Init Container | ||
*/}} | ||
{{- define "audittail.sidecarContainer" -}} | ||
- image: {{ include "audittail.image" .}} | ||
name: {{ template "audittail.sidecarContainerName" }} | ||
args: {{ include "audittail.args" .| nindent 4}} | ||
securityContext: {{ include "audittail.securityContext" . | nindent 4}} | ||
resources: {{ include "audittail.resources" . | nindent 4}} | ||
volumeMounts: {{ include "audittail.volumeMount" . | nindent 4}} | ||
readOnly: true | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
audittail log path | ||
*/}} | ||
|
||
{{- define "audittail.auditLogPath" -}} | ||
{{- printf "/app-audit/audit.log" -}} | ||
{{- end -}} | ||
|
||
|
||
{{- define "audittail.image" -}} | ||
{{- if .Values.auditailImage -}} | ||
{{- .Values.auditailImage -}} | ||
{{- else -}} | ||
{{- printf "ghcr.io/metal-toolbox/audittail:v0.5.1" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
|
||
{{- define "audittail.volumeName" -}} | ||
{{- printf "audit-logs" -}} | ||
{{- end -}} | ||
|
||
|
||
{{- define "audittail.mountPath" -}} | ||
{{- printf "/app-audit" -}} | ||
{{- end -}} | ||
|
||
|
||
{{- define "audittail.initContainerName" -}} | ||
{{- printf "init-audit-logs" -}} | ||
{{- end -}} | ||
|
||
{{- define "audittail.sidecarContainerName" -}} | ||
{{- printf "audit-logger" -}} | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Kubernetes Volumes | ||
*/}} | ||
{{- define "audittail.volume" -}} | ||
- name: {{ template "audittail.volumeName" }} | ||
emptyDir: {} | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Kubernetes Volume Mounts | ||
*/}} | ||
{{- define "audittail.volumeMount" -}} | ||
- mountPath: {{ template "audittail.mountPath" }} | ||
name: {{ template "audittail.volumeName" }} | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*.orig | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ |
Oops, something went wrong.