diff --git a/.circleci/build.config b/.circleci/build.config
new file mode 100644
index 000000000..1237e75c4
--- /dev/null
+++ b/.circleci/build.config
@@ -0,0 +1,5 @@
+DOCKERFILE='Dockerfile'
+
+EXTERNAL_REGISTRY_BASE_DOMAIN=quay.io
+REPOSITORY_NAME=reactiveops/polaris
+DOCKERTAG=${EXTERNAL_REGISTRY_BASE_DOMAIN}/${REPOSITORY_NAME}
diff --git a/.circleci/config.yml b/.circleci/config.yml
index c5ccee959..6098046fd 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
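Review bot: build.config carries no comment saying what reads it, and its last line only means something if the file is sourced by a shell, since `DOCKERTAG=${EXTERNAL_REGISTRY_BASE_DOMAIN}/${REPOSITORY_NAME}` relies on parameter expansion; the config.yml part of this commit hands it to docker-pull/docker-build/docker-push via `-f`, so that appears to be the contract. A one-line header such as `# Sourced by the docker-pull/docker-build/docker-push helpers in the CI image; shell assignment syntax only` would spare the next reader the guess. The quoting is also mixed — `DOCKERFILE='Dockerfile'` is quoted while the other three values are not; either works here, but a single convention is easier to lint.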
@@ -1,38 +1,32 @@ version: 2 references: - install_goreleaser: &install_goreleaser - run: - name: Install GoReleaser - command: | - curl -fsSLo goreleaser.deb https://github.com/goreleaser/goreleaser/releases/download/v0.94.0/goreleaser_amd64.deb - echo "8dbad6683d6fc9367e637e6eed8e01a0d63c9660 goreleaser.deb" | sha1sum -c - sudo dpkg -i goreleaser.deb - rm goreleaser.deb set_environment_variables: &set_environment_variables run: name: Set Environment Variables command: | - echo 'export REPO=quay.io/reactiveops/polaris' >> ${BASH_ENV} + echo 'export CI_SHA1=$CIRCLE_SHA1' >> ${BASH_ENV} + echo 'export CI_BRANCH=$CIRCLE_BRANCH' >> ${BASH_ENV} + echo 'export CI_BUILD_NUM=$CIRCLE_BUILD_NUM' >> ${BASH_ENV} + echo 'export CI_TAG=$CIRCLE_TAG' >> ${BASH_ENV} + echo 'export PUSH_ALL_VERSION_TAGS=true' >> ${BASH_ENV} docker_build_and_push: &docker_build_and_push run: name: Docker login, build, and push command: | - docker build -t $REPO:dev-$CIRCLE_SHA1 . + docker-pull -f .circleci/build.config + docker-build -f .circleci/build.config + if [[ -n $CIRCLE_TAG ]]; then + export ADDITIONAL_DOCKER_TAG_VERSIONS=(`echo $CIRCLE_TAG | sed -e 's/\(\w\+\)\..*$/\1/'`) + fi if [[ -z $CIRCLE_PR_NUMBER ]]; then docker login quay.io -u="reactiveops+circleci" -p="${quay_token}" - docker push $REPO:dev-$CIRCLE_SHA1 + docker-push -f .circleci/build.config else echo "Skipping docker push for forked PR" fi - docker_tag_release: &docker_tag_release - run: - name: Docker tag release - command: | - docker login quay.io -u="reactiveops+circleci" -p="${quay_token}" - docker build -t $REPO:dev-$CIRCLE_SHA1 . - docker tag $REPO:dev-$CIRCLE_SHA1 $REPO:$CIRCLE_TAG - docker push $REPO:$CIRCLE_TAG + + # Test scripts update_coverage: &update_coverage run: name: Update Coverage 
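Review bot: `export ADDITIONAL_DOCKER_TAG_VERSIONS=(...)` in the new tag branch of docker_build_and_push exports a bash array, and bash does not pass array variables into the environment of child processes, so `docker-push -f .circleci/build.config` will not see it unless docker-push is a shell function defined in the same shell rather than a script on PATH. If one value is all that is needed, `export ADDITIONAL_DOCKER_TAG_VERSIONS=$(echo $CIRCLE_TAG | sed -e 's/\(\w\+\)\..*$/\1/')` does travel; otherwise the value has to reach docker-push another way, and a comment on the line should say which it is. Note also that the sed keeps only the text before the first dot, so a hypothetical pre-release tag such as `1.2.0-rc1` yields `1` and, if this variable does what its name suggests, re-points that floating major tag at a release candidate; a guard that only exports when `$CIRCLE_TAG` matches a full `X.Y.Z` pattern would keep pre-releases off it. While in this step, the unchanged `docker login quay.io -u="reactiveops+circleci" -p="${quay_token}"` puts the token into the step's argv; `echo "${quay_token}" | docker login quay.io -u reactiveops+circleci --password-stdin` keeps it out of the process list.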
@@ -43,12 +37,11 @@ references: else echo "Skipping coverage for forked PR" fi - test_dashboard: &test_dashboard run: name: Test Dashboard command: | - go run main.go --dashboard --dashboard-port 3000 --audit-path ./deploy/dashboard.yaml & + go run main.go --dashboard --dashboard-port 3000 --audit-path ./examples & sleep 5 curl -f http://localhost:3000 > /dev/null curl -f http://localhost:3000/health > /dev/null @@ -57,6 +50,30 @@ references: curl -f http://localhost:3000/results.json > /dev/null curl -f http://localhost:3000/details/security > /dev/null + # Release scripts + install_goreleaser: &install_goreleaser + run: + name: Install GoReleaser + command: | + curl -fsSLo goreleaser.deb https://github.com/goreleaser/goreleaser/releases/download/v0.94.0/goreleaser_amd64.deb + echo "8dbad6683d6fc9367e637e6eed8e01a0d63c9660 goreleaser.deb" | sha1sum -c + sudo dpkg -i goreleaser.deb + rm goreleaser.deb + release_deploy_configs: &release_deploy_configs + run: + name: Release deploy configs + command: | + git clone --branch polaris-latest https://github.com/reactiveops/charts + mkdir deploy + helm template ./charts/stable/polaris --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml + helm template ./charts/stable/polaris --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml + upload_url=$(curl --silent https://api.github.com/repos/reactiveops/polaris/releases/latest | grep upload_url) + upload_url=$(echo $upload_url | sed -e 's/.*\(https.*\){.*$/\1/') + curl -X POST "$upload_url?name=dashboard.yaml" --data-binary "@./deploy/dashboard.yaml" -H "Authorization: Bearer $GITHUB_TOKEN" -H "Content-Type: application/x-yaml" + curl -X POST "$upload_url?name=webhook.yaml" --data-binary "@./deploy/webhook.yaml" -H "Authorization: Bearer $GITHUB_TOKEN" -H "Content-Type: application/x-yaml" + rm -rf ./charts + rm -rf ./deploy + jobs: build: docker: 
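Review bot: release_deploy_configs attaches the rendered manifests to whatever `releases/latest` returns rather than to the release for the tag being built; GitHub's `latest` endpoint reports the most recent published, non-draft, non-prerelease release, so if goreleaser created this tag's release as a draft or pre-release (or it is not yet visible), the YAML lands on the previous release. Looking the release up by tag, `upload_url=$(curl --silent --fail -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/reactiveops/polaris/releases/tags/$CIRCLE_TAG" | grep upload_url)`, pins the upload to this build and also keeps the GET off the unauthenticated rate limit. The two `curl -X POST` uploads carry no `--fail`, so a 4xx response (for example an asset that already exists) prints JSON and the job still goes green with a release that has no manifests; add `--fail` to both. Finally, the manifests are rendered from a mutable branch (`git clone --branch polaris-latest`), so what ships in a release depends on the chart repo's state at build time; logging `git -C charts rev-parse HEAD` in the step would at least make a given release's inputs reconstructable.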
@@ -80,20 +97,7 @@ jobs: - *update_coverage - *test_dashboard - test-deploy: - docker: - - image: quay.io/reactiveops/ci-images:v8.0-stretch - steps: - - checkout - - run: - name: Verify helm chart synced with deploy files - command: | - helm init --client-only - make helm-to-k8s - git diff --exit-code ./deploy || (echo " - Make sure to regenerate k8s deploy config with 'make helm-to-k8s'" && exit 1) - - release: + release_binary: working_directory: /go/src/github.com/reactiveops/polaris/ docker: - image: circleci/golang:1.12 @@ -101,22 +105,30 @@ jobs: - checkout - setup_remote_docker - *set_environment_variables - - *docker_tag_release - *install_goreleaser - run: go get -u github.com/gobuffalo/packr/v2/packr2 - run: packr2 - run: goreleaser + release_images: + working_directory: /go/src/github.com/reactiveops/polaris/ + docker: + - image: quay.io/reactiveops/ci-images:v8.0-stretch + steps: + - checkout + - setup_remote_docker + - *set_environment_variables + - *docker_build_and_push + - *release_deploy_configs + workflows: version: 2 build: jobs: - test - - test-deploy - build: requires: - test - - test-deploy context: org-global # Allow using testing tags for testing circle test + build steps filters: @@ -124,7 +136,17 @@ workflows: only: /^testing-.*/ release: jobs: - - release: + - release_binary: + context: org-global + filters: + branches: + ignore: /.*/ + # Testing tags are reserved for testing circle test + build steps + tags: + ignore: /^testing-.*/ + - release_images: + requires: + - release_binary context: org-global filters: branches: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2ee542f87..06e16c136 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
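Review bot: release_images is ordered after release_binary (`requires: - release_binary`), so by the time docker_build_and_push and release_deploy_configs run, goreleaser has already published the GitHub release that the README in this same commit points users at (`releases/latest/download/dashboard.yaml`); any failure inside release_images leaves a live release whose manifest links 404 and whose image tag is absent from quay.io, and nothing in the workflow flags that state. At minimum a comment on the job, `# Runs after release_binary: the GitHub release already exists, so a failure here is fixed by re-running this job, not by re-tagging`, tells whoever is on call what to do; a tighter option, if the goreleaser version in use supports it, is to create the release as a draft in release_binary and publish it as the last step of release_images. This hunk also drops the test-deploy job, so the chart is now rendered for the first time inside the release job, after the release exists; a render-only smoke step (the two `helm template` commands without the upload) in the test job would catch a broken chart before a tag is pushed. The `filters:` block of the last workflow hunk continues past the end of this hunk.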
@@ -57,23 +57,35 @@ Each new pull request should: - Be up to date and/or rebased on the master branch ## Creating a new release -* Change the version number in: - * main.go - * README.md -* Add relevant entries to CHANGELOG.md -* Create a PR and merge your changes -* Tag and push the latest: -``` -git checkout master -git pull -git tag $VERSION -git push --tags -``` -* CircleCI will add an entry to the releases page on GitHub -* In [the helm char](https://github.com/reactiveops/charts), change the version number in: - * stable/polaris/README.md - * stable/polaris/Chart.yaml - * stable/polaris/values.yaml -* Create a PR for the helm chart and merge your changes -* In this repo, run `make helm-to-k8s` to regenerate the `deploy/` directory -* Commit your changes and create a PR + +### Minor/patch releases +Minor and patch releases only need to change this repo. The Helm chart and deploy scripts +will automatically pull in the latest changes. + +To deploy a minor or patch release, follow steps 2 and 3 from "Major releases" below. + +### Major releases +Major releases need to change both this repository and the +[Helm chart repo](https://github.com/reactiveops/charts/). + +The steps are: +1. Create a PR in the [charts repo](https://github.com/reactiveops/charts/) + * Use a branch named `polaris-latest` + * Bump the version number in: + * stable/polaris/README.md + * stable/polaris/Chart.yaml + * stable/polaris/values.yaml + * **Don't merge yet!** +2. Create a PR for this repo + * Bump the version number in: + * main.go + * README.md + * Merge your PR +3. Tag the latest branch for this repo + * Pull the latest for the `master` branch + * Run `git tag $VERSION && git push --tags` + * Wait for CircleCI to finish the build for the tag, which will: + * Create the proper image tag in quay.io + * Add an entry to the releases page on GitHub +4. Merge the PR for the charts repo you created in step 1. + 
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 7f712c1a2..000000000
--- a/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-helm-to-k8s:
- helm repo add reactiveops-stable https://charts.reactiveops.com/stable
- # TODO: once we're on Helm 3, we can template using remote repos
- helm fetch --untar --untardir ./polaris-helm 'reactiveops-stable/polaris'
- helm template ./polaris-helm/polaris --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml
- helm template ./polaris-helm/polaris --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml
- rm -r ./polaris-helm
diff --git a/README.md b/README.md
index 0d2f808eb..1e976f3a0 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ Polaris helps keep your cluster healthy. It runs a variety of checks to ensure t
 ## Quickstart
 ```
-kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/dashboard.yaml
+kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/dashboard.yaml
 kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
 ```
 With the port forwarding in place, you can open http://localhost:8080 in your browser to view the dashboard.
@@ -53,13 +53,13 @@ or run against local YAML files.
 ### kubectl
 #### Dashboard
 ```
-kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/dashboard.yaml
+kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/dashboard.yaml
 kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
 ```
 #### Webhook
 ```
-kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/webhook.yaml
+kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/webhook.yaml
 ```
 ### Helm
diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
deleted file mode 100644
index ba5758312..000000000
--- a/deploy/dashboard.yaml
+++ /dev/null
@@ -1,212 +0,0 @@ ---- -# Source: polaris/templates/0-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: polaris ---- -# Source: polaris/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: polaris - namespace: polaris - labels: - app: polaris -data: - config.yaml: | - resources: - cpuRequestsMissing: warning - cpuLimitsMissing: warning - memoryRequestsMissing: warning - memoryLimitsMissing: warning - images: - tagNotSpecified: error - healthChecks: - readinessProbeMissing: warning - livenessProbeMissing: warning - networking: - hostNetworkSet: warning - hostPortSet: warning - security: - hostIPCSet: error - hostPIDSet: error - notReadOnlyRootFileSystem: warning - privilegeEscalationAllowed: error - runAsRootAllowed: warning - runAsPrivileged: error - capabilities: - error: - ifAnyAdded: - - SYS_ADMIN - - NET_ADMIN - - ALL - warning: - ifAnyAddedBeyond: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE - ---- -# Source: polaris/templates/dashboard.rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: polaris-dashboard - namespace: polaris - labels: - app: polaris ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: polaris-dashboard - labels: - app: polaris -rules: - - apiGroups: - - 'apps' - - 'extensions' - resources: - - 'deployments' - verbs: - - 'get' - - 'list' - - apiGroups: - - '' - resources: - - 'nodes' - - 'namespaces' - - 'pods' - verbs: - - 'get' - - 'list' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: polaris-dashboard - labels: - app: polaris -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: polaris-dashboard -subjects: - - kind: ServiceAccount - name: polaris-dashboard - namespace: polaris ---- -# Source: polaris/templates/dashboard.service.yaml -apiVersion: 
v1 -kind: Service -metadata: - name: polaris-dashboard - namespace: polaris - labels: - app: polaris -spec: - ports: - - name: dashboard - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: polaris - component: dashboard - type: ClusterIP ---- -# Source: polaris/templates/dashboard.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a' - name: polaris-dashboard - namespace: polaris - labels: - app: polaris - component: dashboard -spec: - replicas: 1 - selector: - matchLabels: - app: polaris - component: dashboard - template: - metadata: - labels: - app: polaris - component: dashboard - spec: - volumes: - - name: config - configMap: - name: polaris - containers: - - command: - - polaris - - --dashboard - - --config - - /opt/app/config.yaml - image: 'quay.io/reactiveops/polaris:0.1.5' - imagePullPolicy: 'Always' - name: dashboard - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 20 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true - serviceAccountName: polaris-dashboard ---- -# Source: polaris/templates/webhook.deployment.yaml - ---- -# Source: polaris/templates/webhook.rbac.yaml - ---- -# Source: polaris/templates/webhook.secret.yaml - ---- -# Source: polaris/templates/webhook.service.yaml - diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml deleted file mode 100644 index 1c4310699..000000000 --- a/deploy/webhook.yaml +++ /dev/null 
@@ -1,280 +0,0 @@ ---- -# Source: polaris/templates/0-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: polaris ---- -# Source: polaris/templates/webhook.secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -type: Opaque -stringData: - cert.pem: '' ---- -# Source: polaris/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: polaris - namespace: polaris - labels: - app: polaris -data: - config.yaml: | - resources: - cpuRequestsMissing: warning - cpuLimitsMissing: warning - memoryRequestsMissing: warning - memoryLimitsMissing: warning - images: - tagNotSpecified: error - healthChecks: - readinessProbeMissing: warning - livenessProbeMissing: warning - networking: - hostNetworkSet: warning - hostPortSet: warning - security: - hostIPCSet: error - hostPIDSet: error - notReadOnlyRootFileSystem: warning - privilegeEscalationAllowed: error - runAsRootAllowed: warning - runAsPrivileged: error - capabilities: - error: - ifAnyAdded: - - SYS_ADMIN - - NET_ADMIN - - ALL - warning: - ifAnyAddedBeyond: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE - ---- -# Source: polaris/templates/webhook.rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: polaris-webhook - labels: - app: polaris -rules: - - apiGroups: - - 'apps' - - 'extensions' - resources: - - 'deployments' - verbs: - - 'get' - - 'list' - # required by controller-runtime code doing a cluster wide lookup - # when it seems namespace would suffice - - apiGroups: - - '' - resources: - - 'secrets' - - 'services' - verbs: - - 'get' - - 'list' - - 'watch' - - apiGroups: - - 'admissionregistration.k8s.io' - resources: - - 
'validatingwebhookconfigurations' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: polaris-webhook - labels: - app: polaris -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: polaris-webhook -subjects: - - kind: ServiceAccount - name: polaris-webhook - namespace: polaris ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -rules: - # required for current controller-runtime bootstrap method - - apiGroups: - - '' - resources: - - 'secrets' - - 'services' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: polaris-webhook -subjects: - - kind: ServiceAccount - name: polaris-webhook - namespace: polaris ---- -# Source: polaris/templates/webhook.service.yaml -apiVersion: v1 -kind: Service -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -spec: - ports: - - name: webhook - port: 443 - protocol: TCP - targetPort: 9876 - selector: - app: polaris - component: webhook - type: ClusterIP ---- -# Source: polaris/templates/webhook.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a' - name: polaris-webhook - namespace: polaris - labels: - app: polaris - component: webhook -spec: - replicas: 1 - selector: - matchLabels: - app: polaris - component: webhook - template: - metadata: - labels: - app: polaris - component: webhook - spec: - containers: - - name: webhook - command: - - polaris - - --webhook - - --config - - /opt/app/config.yaml - image: 'quay.io/reactiveops/polaris:0.1.5' - imagePullPolicy: 'Always' - ports: - - containerPort: 9876 - # These are fairly useless 
readiness/liveness probes for now - # Follow this issue for potential improvements: - # https://github.com/kubernetes-sigs/controller-runtime/issues/356 - livenessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true - - name: secret - mountPath: /opt/cert/ - readOnly: true - - name: cr-logs - mountPath: /tmp/ - readOnly: false - serviceAccountName: polaris-webhook - volumes: - - name: config - configMap: - name: polaris - - name: secret - secret: - secretName: polaris-webhook - - name: cr-logs - emptyDir: {} ---- -# Source: polaris/templates/dashboard.deployment.yaml - ---- -# Source: polaris/templates/dashboard.rbac.yaml - ---- -# Source: polaris/templates/dashboard.service.yaml -