Added good practices rbac secrets #110
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| automated_tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: docker/login-action@v1 | |
| with: | |
| registry: docker.io | |
| username: weaveworkstimberwolfci | |
| password: ${{ secrets.DOCKERHUB_TOKEN_WEAVEWORKSTIMBERWOLFCI }} | |
| - name: Go tests | |
| run: | | |
| docker run -v ${RUNNER_WORKSPACE}/${GITHUB_REPOSITORY#*/}/policies:/policies \ | |
| weaveworks/polctl:v0.0.2 /scripts/test_policies/test_policies --root-dir /policies | |
| - name: OPA tests | |
| run: | | |
| docker run -v ${RUNNER_WORKSPACE}/${GITHUB_REPOSITORY#*/}:/workspace openpolicyagent/opa:latest test /workspace/policies /workspace/examples -v --ignore '*.yml','*.yaml','.md','.csv' | |
| automated_policies_doc: | |
| runs-on: ubuntu-latest | |
| needs: [automated_tests] | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: docker/login-action@v1 | |
| with: | |
| registry: docker.io | |
| username: weaveworkstimberwolfci | |
| password: ${{ secrets.DOCKERHUB_TOKEN_WEAVEWORKSTIMBERWOLFCI }} | |
| - name: Auto-generate Policies doc | |
| run: | | |
| export REPO_PATH=${RUNNER_WORKSPACE}/${GITHUB_REPOSITORY#*/} | |
| docker run --rm -v ${REPO_PATH}/policies:/policies weaveworks/polctl:v0.0.2 \ | |
| python3 /scripts/generate_policies_doc.py -d /policies -p /policies | |
| if [[ `git status --porcelain` ]] | |
| then | |
| echo "Pushing auto-generated policies doc" | |
| git config user.name github-actions | |
| git config user.email github-actions@github.com | |
| git fetch | |
| git checkout ${{ github.event.pull_request.head.ref }} | |
| git pull | |
| git add ${REPO_PATH}/policies/policies.md | |
| git commit -m "add auto-generated policies doc" | |
| git push origin ${{ github.event.pull_request.head.ref }} | |
| else | |
| echo "No changes in auto-generated policies doc" | |
| fi | |
| automated_datastudio_csv: | |
| runs-on: ubuntu-latest | |
| needs: [automated_policies_doc] | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: docker/login-action@v1 | |
| with: | |
| registry: docker.io | |
| username: weaveworkstimberwolfci | |
| password: ${{ secrets.DOCKERHUB_TOKEN_WEAVEWORKSTIMBERWOLFCI }} | |
| - name: Export Datastudio CSV | |
| run: | | |
| export REPO_PATH=${RUNNER_WORKSPACE}/${GITHUB_REPOSITORY#*/} | |
| docker run --rm -v ${REPO_PATH}/policies:/policies weaveworks/polctl:v0.0.2 \ | |
| python3 /scripts/generate_datastudio_csv.py -d /policies -p /policies | |
| if [[ `git status --porcelain` ]] | |
| then | |
| echo "Pushing auto-generated datastudio csv" | |
| git config user.name github-actions | |
| git config user.email github-actions@github.com | |
| git fetch | |
| git checkout ${{ github.event.pull_request.head.ref }} | |
| git pull | |
| git add ${REPO_PATH}/policies/datastudio.csv | |
| git commit -m "add auto-generated datastudio csv" | |
| git push origin ${{ github.event.pull_request.head.ref }} | |
| else | |
| echo "No changes in auto-generated datastudio csv" | |
| fi | |
| update_crds_with_rego_code: | |
| runs-on: ubuntu-latest | |
| needs: [automated_datastudio_csv] | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Update Policies CRDs REGO code | |
| run: | | |
| # Loop on policies CRDs and update the REGO code field | |
| export REPO_PATH=${RUNNER_WORKSPACE}/${GITHUB_REPOSITORY#*/} | |
| for dir in ${REPO_PATH}/policies/*/; do | |
| export POLICY_DIR=$dir | |
| yq -i '.spec.code |= strload(env(POLICY_DIR)+"/policy.rego")' $POLICY_DIR/policy.yaml | |
| done | |
| if [[ `git status --porcelain` ]] | |
| then | |
| echo "Updating Policies CRDs REGO code" | |
| git config user.name github-actions | |
| git config user.email github-actions@github.com | |
| git fetch | |
| git checkout ${{ github.event.pull_request.head.ref }} | |
| git pull | |
| git add ${REPO_PATH}/policies | |
| git commit -m "Update Policies CRDs REGO code" | |
| git push origin ${{ github.event.pull_request.head.ref }} | |
| else | |
| echo "No changes in policies." | |
| fi | |
| # sync: | |
| # if: github.event_name == 'push' | |
| # needs: [update_crds_with_rego_code] | |
| # runs-on: ubuntu-latest | |
| # container: | |
| # image: mgxinternal/mgx-circle-deployer:aws | |
| # credentials: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # options: --name mglx-deployer --network-alias mglx-deployer | |
| # ports: | |
| # - 8080:8080 | |
| # env: | |
| # AWS_ACCESS_KEY_ID_DEV: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }} | |
| # AWS_SECRET_ACCESS_KEY_DEV: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }} | |
| # AWS_DEFAULT_REGION_DEV: ${{ secrets.AWS_DEFAULT_REGION_DEV }} | |
| # AWS_CLUSTER_NAME_DEV: ${{ secrets.AWS_CLUSTER_NAME_DEV }} | |
| # # AWS_ACCESS_KEY_ID_PROD: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }} | |
| # # AWS_SECRET_ACCESS_KEY_PROD: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }} | |
| # # AWS_DEFAULT_REGION_PROD: ${{ secrets.AWS_DEFAULT_REGION_PROD }} | |
| # # AWS_CLUSTER_NAME_PROD: ${{ secrets.AWS_CLUSTER_NAME_PROD }} | |
| # steps: | |
| # - uses: actions/checkout@v2 | |
| # - uses: docker/login-action@v1 | |
| # with: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - name: Auth to cluster | |
| # run: | | |
| # if [[ "${GITHUB_REF##*/}" == "aws-dev" ]] | |
| # then | |
| # export CIRCLE_BRANCH="dev" | |
| # else | |
| # export CIRCLE_BRANCH=${GITHUB_REF##*/} | |
| # fi | |
| # /bin/auth_to_cluster | |
| # - name: Sync | |
| # run: | | |
| # apk add --no-cache python3 py3-pip | |
| # pip3 install pyyaml click requests | |
| # kubectl port-forward --address 0.0.0.0 -n cluster-advisor service/policies-service 8080:80 & | |
| # while ! netstat -tna | grep 'LISTEN\>' | grep 8080; do sleep 3 ; done | |
| # export HOST_REPO_PATH=/home/runner/work/${{ github.event.repository.name }}/${{ github.event.repository.name }} | |
| # # categories | |
| # docker run --rm --network host -v ${HOST_REPO_PATH}/categories:/categories weaveworks/polctl:v0.0.2 \ | |
| # python3 /scripts/sync/sync.py categories -d /categories --policies-service http://localhost:8080/api/v1 | |
| # # standards and controls | |
| # docker run --rm --network host -v ${HOST_REPO_PATH}/standards:/standards weaveworks/polctl:v0.0.2 \ | |
| # python3 /scripts/sync/sync.py standards -d /standards --policies-service http://localhost:8080/api/v1 | |
| # # templates | |
| # docker run --rm --network host -v ${HOST_REPO_PATH}/examples:/examples weaveworks/polctl:v0.0.2 \ | |
| # python3 /scripts/sync/sync.py templates -d /examples --policies-service http://localhost:8080/api/v1 | |
| # # policies | |
| # docker run --rm --network host -v ${HOST_REPO_PATH}/policies:/policies weaveworks/polctl:v0.0.2 \ | |
| # python3 /scripts/sync/sync.py policies -d /policies --policies-service http://localhost:8080/api/v1 |