feat: initial release [HYB-698] (#51)

* feat: uni broker helm chart * fix: ci and release config (#17) * fix: ci and release config * chore: editorconfig * fix: disable helm chart publishing * chore: remove test cases doc * fix: update ca cert trust settings (#18) * fix: update ca cert trust settings * fix: docs to readme, correct var to disable cert trust * fix: correct dockerhub password * fix: support ACCEPTS_ (#19) * fix: support ACCEPTS_ * fix: dockerhub password * chore: expand dockerhub password (#20) * fix: correct serviceAccount format (#25) * fix: add missing serviceName field (#26) * ci: move kubeconform to validate step (#27) * fix: correct tenant to region (#23) * fix: custom docker registry (#35) * fix: specify universal broker platform auth and credential references (#24) * fix: implement ingress and service (#29) * fix: implement ingress and service * fix: high availability mode, limits and requests, tolerations, affinities (#30) * fix: high availability mode, limits and requests * fix: tolerations, selectors, affinities * fix: security context, openshift adaptation (#28) * fix: enable commit signing (#21) * fix: broker serve tls (#22) * fix: support outbound proxy config (#31) * fix: extra k8s objects, sidecars, initContainers (#32) * fix: add logging levels, probe definitions (#33) * fix: insecure downstream mode (#34) * fix: preflight checks (#36) * fix: preflight checks * fix: remove preflight checks disable value * fix: strict schema checking, cleanup (#40) * ci: enable deploy and test (#37) * ci: adds a queue step to prevent concurrent deploy/test cycles * ci: upsize executor * ci: helmignore * ci: remove useless log * fix: add runtimeclass and priorityclass (#39) * ci: enable helm push (#43) * chore: apply prettier formatting (#41) * chore: fix precommit config for prettier * chore: prettier * ci: add security gates (#42) * ci: add gates to PR workflow * ci: add template for IaC scan * fix: sign helm chart (#45) * docs: LICENSE (#46) * fix: publish and sign jobs (#47) * fix: add missing gh context * fix: change trigger from check_suite to release * ci: use team-hybrid-common for github token (#48) * fix: strip v from tag (#49) * fix: remove registry-1.docker.io prefix (#50) * fix: ensure post install notes reflect the Snyk region (#52) --------- Co-authored-by: saumil Macwan <[email protected]>
snyk · Nov 28, 2024 · ff58b45 · ff58b45
1 parent 1bf4d6b
commit ff58b45
Show file tree

Hide file tree

Showing 65 changed files with 12,916 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,213 @@
+version: 2.1
+
+orbs:
+  prodsec: snyk/prodsec-orb@1
+  helm: circleci/helm@3
+  queue: eddiewebb/queue@3
+
+parameters:
+  kubectl-version:
+    type: string
+    default: "1.28"
+
+jobs:
+  validate_charts:
+    docker:
+      - image: alpine/k8s:1.28.14
+    resource_class: small
+    parameters:
+      deployment-id:
+        type: env_var_name
+        default: DEPLOYMENT_ID
+      client-id:
+        type: env_var_name
+        default: CLIENT_ID
+      client-secret:
+        type: env_var_name
+        default: CLIENT_SECRET
+      my-ghe-token:
+        type: env_var_name
+        default: MY_GHE_TOKEN
+      snyk-token:
+        type: env_var_name
+        default: "SNYK_API_TOKEN"
+    steps:
+      - checkout
+      - run:
+          name: Helm dependencies
+          command: helm dep up
+          working_directory: snyk-universal-broker
+      - run:
+          name: Run helm unittest
+          command: helm unittest .
+          working_directory: snyk-universal-broker
+      - run:
+          name: Template to file
+          command: |
+            helm template \
+              -f values.yaml \
+              --set deploymentId=${<<parameters.deployment-id>>} \
+              --set clientId=${<<parameters.client-id>>} \
+              --set clientSecret=${<<parameters.client-secret>>} \
+              --set credentialReferences.MY_GHE_TOKEN=${<<parameters.my-ghe-token>>} \
+              . > template.yaml
+          working_directory: snyk-universal-broker
+      - run:
+          name: Kubeconform
+          command: |
+            kubeconform -ignore-missing-schemas template.yaml
+          working_directory: snyk-universal-broker
+      - persist_to_workspace:
+          root: snyk-universal-broker
+          paths:
+            - template.yaml
+
+  validate_documentation:
+    docker:
+      - image: cimg/node:20.18.0
+    resource_class: small
+    steps:
+      - checkout
+      - run:
+          name: Run the readme generator
+          command: npx @bitnami/readme-generator-for-helm -v snyk-universal-broker/values.yaml -r README.md
+      - run:
+          name: Check if files in CI have changed
+          command: |
+            if [[ -n $(git diff --name-only README.md) ]]; then
+              echo "README content not synchronised with values.yaml"
+              exit 1
+            fi
+
+  deploy_and_test:
+    machine:
+      image: ubuntu-2204:current
+    resource_class: large
+    parameters:
+      deployment-id:
+        type: env_var_name
+        default: DEPLOYMENT_ID
+      client-id:
+        type: env_var_name
+        default: CLIENT_ID
+      client-secret:
+        type: env_var_name
+        default: CLIENT_SECRET
+      my-ghe-token:
+        type: env_var_name
+        default: MY_GHE_TOKEN
+      snyk-token:
+        type: env_var_name
+        default: "SNYK_API_TOKEN"
+    steps:
+      - checkout
+      - helm/install_helm_client
+      - helm/install_helm_plugin:
+          helm_plugin_url: https://github.com/helm-unittest/helm-unittest
+      - run:
+          name: Install Pre-reqs
+          command: |
+            curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
+            curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+            echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v<<pipeline.parameters.kubectl-version>>/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
+            sudo apt-get update
+            sudo apt-get install -y kubectl
+      - run:
+          name: Deploy Universal Broker
+          command: |
+            helm dep up
+            k3d cluster create
+            helm install \
+              --debug \
+              --wait \
+              -f values.yaml \
+              --set region=dev \
+              --set deploymentId=${<<parameters.deployment-id>>} \
+              --set clientId=${<<parameters.client-id>>} \
+              --set clientSecret=${<<parameters.client-secret>>} \
+              --set credentialReferences.MY_GHE_TOKEN=${<<parameters.my-ghe-token>>} \
+              snyk-universal-broker \
+              .
+          working_directory: snyk-universal-broker
+      - run:
+          name: Test Import
+          command: |
+            LOG_LEVEL="debug" \
+              SNYK_TOKEN=${<<parameters.snyk-token>>} \
+              npx \
+              --yes \
+              tsx \
+              .circleci/scripts/testImport/testImport.ts \
+              ".circleci/snyk-import/snyk-import-ghe.json" \
+              "https://api.dev.snyk.io"
+
+  publish:
+    docker:
+      - image: cimg/node:22.9
+    resource_class: small
+    parameters:
+      dockerhub-password:
+        type: env_var_name
+        default: DOCKERHUB_PASSWORD
+    steps:
+      - checkout
+      - run:
+          name: Install npm dependencies
+          command: npm ci
+      - helm/install_helm_client
+      - run:
+          name: Docker Login for OCI Push
+          command: |
+            echo "${<<parameters.dockerhub-password>>}" | helm registry login -u snykdocker --password-stdin registry-1.docker.io
+      - run:
+          name: Run semantic-release
+          command: npx semantic-release
+## Note - signing happens via GitHub Action to leverage OIDC. CircleCI doesn't support this directly, yet.
+
+  security_scans:
+    docker:
+      - image: cimg/base:stable
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - prodsec/security_scans:
+          mode: auto
+
+workflows:
+  validate_and_publish:
+    jobs:
+      - prodsec/secrets-scan:
+          name: Scan repository for secrets
+          context:
+            - snyk-bot-slack
+          channel: hybrid-alerts
+          trusted-branch: main
+      - validate_charts:
+          context:
+            - snyk-universal-broker-helm-chart
+      - security_scans:
+          context:
+            - team-hybrid-snyk
+          requires:
+            - validate_charts
+      - validate_documentation
+      - deploy_and_test:
+          context:
+            - snyk-universal-broker-helm-chart
+          requires:
+            - validate_charts
+            - security_scans
+            - Scan repository for secrets
+      - publish:
+          context:
+            - team-hybrid-common
+            - team-broker-docker-hub
+          requires:
+            - validate_documentation
+            - deploy_and_test
+          filters:
+            branches:
+              only:
+                - main
+                - rc
diff --git a/.circleci/scripts/testImport/logger.ts b/.circleci/scripts/testImport/logger.ts
@@ -0,0 +1,36 @@
+// Set up some basic logging
+enum LogMessage {
+  INFO = "info",
+  WARN = "warn",
+  DEBUG = "debug",
+  ERROR = "error",
+}
+
+export default class makeLog {
+  info(message: string) {
+    console.log(
+      "\x1b[32m%s\x1b[0m",
+      `[${LogMessage.INFO.toUpperCase()}]: ${message}`
+    );
+  }
+  warn(message: string) {
+    console.log(
+      "\x1b[33m%s\x1b[0m",
+      `[${LogMessage.WARN.toUpperCase()}]: ${message}`
+    );
+  }
+  error(message: string) {
+    console.error(
+      "\x1b[31m%s\x1b[0m",
+      `[${LogMessage.ERROR.toUpperCase()}]: ${message}`
+    );
+  }
+  debug(message: string) {
+    if (process.env.LOG_LEVEL == LogMessage.DEBUG) {
+      console.log(
+        "\x1b[2m%s\x1b[0m",
+        `[${LogMessage.DEBUG.toUpperCase()}]: ${message}`
+      );
+    }
+  }
+}