
feat: initial release #44

Closed
wants to merge 27 commits into from
Closed
27 commits
aa40a44
fix: ci and release config (#17)
soniqua Nov 8, 2024
dcc8d96
fix: update ca cert trust settings (#18)
soniqua Nov 8, 2024
02c87a1
fix: support ACCEPTS_ (#19)
soniqua Nov 8, 2024
b80c825
chore: expand dockerhub password (#20)
soniqua Nov 8, 2024
e92b104
fix: correct serviceAccount format (#25)
soniqua Nov 12, 2024
5d391f4
fix: add missing serviceName field (#26)
soniqua Nov 12, 2024
c6dcc8a
ci: move kubeconform to validate step (#27)
soniqua Nov 12, 2024
4d190a4
fix: correct tenant to region (#23)
soniqua Nov 12, 2024
7b8d73a
fix: custom docker registry (#35)
soniqua Nov 12, 2024
3d1e72d
fix: specify universal broker platform auth and credential references…
soniqua Nov 12, 2024
c1862df
fix: implement ingress and service (#29)
soniqua Nov 12, 2024
7f3346c
fix: high availability mode, limits and requests, tolerations, affini…
soniqua Nov 12, 2024
fe4b2b4
fix: security context, openshift adaptation (#28)
soniqua Nov 12, 2024
2476d05
fix: enable commit signing (#21)
soniqua Nov 12, 2024
1f86ae9
fix: broker serve tls (#22)
soniqua Nov 12, 2024
2514527
fix: support outbound proxy config (#31)
soniqua Nov 12, 2024
0268572
fix: extra k8s objects, sidecars, initContainers (#32)
soniqua Nov 12, 2024
42da896
fix: add logging levels, probe definitions (#33)
soniqua Nov 12, 2024
57d91f4
fix: insecure downstream mode (#34)
soniqua Nov 12, 2024
a6967bf
fix: preflight checks (#36)
soniqua Nov 12, 2024
93877f4
fix: strict schema checking, cleanup (#40)
soniqua Nov 13, 2024
804c678
ci: enable deploy and test (#37)
soniqua Nov 13, 2024
651cb03
fix: add runtimeclass and priorityclass (#39)
soniqua Nov 13, 2024
308ab1b
ci: enable helm push (#43)
soniqua Nov 13, 2024
49effc7
chore: apply prettier formatting (#41)
soniqua Nov 13, 2024
0a49fd6
ci: add security gates (#42)
soniqua Nov 13, 2024
742ee34
fix: sign helm chart (#45)
soniqua Nov 18, 2024
213 changes: 169 additions & 44 deletions .circleci/config.yml
@@ -1,87 +1,212 @@
version: 2.1

orbs:
prodsec: snyk/prodsec-orb@1
helm: circleci/helm@3
queue: eddiewebb/queue@3

parameters:
kubectl-version:
type: string
default: "1.28"

jobs:
validate_charts:
docker:
- image: alpine/k8s:1.28.14
resource_class: medium
resource_class: small
parameters:
deployment-id:
type: env_var_name
default: DEPLOYMENT_ID
client-id:
type: env_var_name
default: CLIENT_ID
client-secret:
type: env_var_name
default: CLIENT_SECRET
my-ghe-token:
type: env_var_name
default: MY_GHE_TOKEN
snyk-token:
type: env_var_name
default: "SNYK_API_TOKEN"
steps:
- checkout
- run:
name: Helm dependencies
command: helm dep up
working_directory:
snyk-universal-broker

working_directory: snyk-universal-broker
- run:
name: Run helm unittest
command: helm unittest .
working_directory:
snyk-universal-broker
working_directory: snyk-universal-broker
- run:
name: Template to file
command: |
helm template \
-f values.yaml \
--set deploymentId=${<<parameters.deployment-id>>} \
--set clientId=${<<parameters.client-id>>} \
--set clientSecret=${<<parameters.client-secret>>} \
--set credentialReferences.MY_GHE_TOKEN=${<<parameters.my-ghe-token>>} \
. > template.yaml
working_directory: snyk-universal-broker
- run:
name: Kubeconform
command: |
kubeconform -ignore-missing-schemas template.yaml
working_directory: snyk-universal-broker
- persist_to_workspace:
root: snyk-universal-broker
paths:
- template.yaml

publish:
validate_documentation:
docker:
- image: cimg/node:22.9
- image: cimg/node:20.18.0
resource_class: small
steps:
- checkout
- run:
name: Install npm dependencies
command: npm ci
name: Run the readme generator
command: npx @bitnami/readme-generator-for-helm -v snyk-universal-broker/values.yaml -r README.md
- run:
name: Check if files in CI have changed
command: |
if [[ -n $(git diff --name-only README.md) ]]; then
echo "README content not synchronised with values.yaml"
exit 1
fi

deploy_and_test:
machine:
image: ubuntu-2204:current
resource_class: large
parameters:
deployment-id:
type: env_var_name
default: DEPLOYMENT_ID
client-id:
type: env_var_name
default: CLIENT_ID
client-secret:
type: env_var_name
default: CLIENT_SECRET
my-ghe-token:
type: env_var_name
default: MY_GHE_TOKEN
snyk-token:
type: env_var_name
default: "SNYK_API_TOKEN"
steps:
- checkout
- helm/install_helm_client
- helm/install_helm_plugin:
helm_plugin_url: https://github.com/helm-unittest/helm-unittest
- run:
name: Set up Git
name: Install Pre-reqs
command: |
git remote set-url origin [email protected]/snyk/snyk-universal-broker-helmchart.git

curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v<<pipeline.parameters.kubectl-version>>/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubectl
- run:
name: Install Helm
name: Deploy Universal Broker
command: |
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
helm dep up
k3d cluster create
helm install \
--debug \
--wait \
-f values.yaml \
--set region=dev \
--set deploymentId=${<<parameters.deployment-id>>} \
--set clientId=${<<parameters.client-id>>} \
--set clientSecret=${<<parameters.client-secret>>} \
--set credentialReferences.MY_GHE_TOKEN=${<<parameters.my-ghe-token>>} \
snyk-universal-broker \
.
working_directory: snyk-universal-broker
- run:
name: Test Import
command: |
LOG_LEVEL="debug" \
SNYK_TOKEN=${<<parameters.snyk-token>>} \
npx \
--yes \
tsx \
.circleci/scripts/testImport/testImport.ts \
".circleci/snyk-import/snyk-import-ghe.json" \
"https://api.dev.snyk.io"

publish:
docker:
- image: cimg/node:22.9
resource_class: small
parameters:
dockerhub-password:
type: env_var_name
default: DOCKERHUB_PASSWORD
steps:
- checkout
- run:
name: Install npm dependencies
command: npm ci
- helm/install_helm_client
- run:
name: Docker Login for OCI Push
command: |
echo "$DOCKER_PASSWORD" | helm registry login -u snykdocker --password-stdin registry-1.docker.io


echo "${<<parameters.dockerhub-password>>}" | helm registry login -u snykdocker --password-stdin registry-1.docker.io
- run:
name: Run semantic-release
command: npx semantic-release
environment:
DOCKER_USERNAME: $DOCKER_USERNAME
DOCKER_PASSWORD: $DOCKER_PASSWORD

- run:
name: Update Chart Version
command: |
CHART_DIR="snyk-universal-broker"
NEW_VERSION=$(git describe --tags --abbrev=0)
echo "Updating Chart.yaml to version $NEW_VERSION"
sed -i "s/^version: .*/version: $NEW_VERSION/" $CHART_DIR/Chart.yaml
## Note - signing happens via GitHub Action to leverage OIDC. CircleCI doesn't support this directly, yet.

- run:
name: Package Helm Chart
command: |
helm dep up snyk-universal-broker
helm package snyk-universal-broker

- run:
name: Push Helm Chart to OCI Registry
command: |
helm push snyk-universal-broker-*.tgz oci://registry-1.docker.io/snyk
environment:
DOCKER_USERNAME: $DOCKER_USERNAME
DOCKER_PASSWORD: $DOCKER_PASSWORD
security_scans:
docker:
- image: cimg/base:stable
steps:
- checkout
- attach_workspace:
at: .
- prodsec/security_scans:
mode: auto

workflows:
validate_and_publish:
jobs:
- validate_charts
- publish:
- prodsec/secrets-scan:
name: Scan repository for secrets
context:
- snyk-bot-slack
channel: hybrid-alerts
trusted-branch: main
- validate_charts:
context:
- snyk-universal-broker-helm-chart
- security_scans:
context:
- team-hybrid-snyk
requires:
- validate_charts
- validate_documentation
- deploy_and_test:
context:
- snyk-universal-broker-helm-chart
requires:
- validate_charts
- security_scans
- Scan repository for secrets
- publish:
context:
- team-broker-docker-hub
requires:
- validate_documentation
- deploy_and_test
filters:
branches:
only:
- main
- rc
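Review bot: The Deploy Universal Broker step runs `helm install --debug` while passing `clientSecret` and `MY_GHE_TOKEN` to the chart via `--set`; with `--debug` Helm prints the user-supplied and computed values, so those secrets end up in the CI job log unless the runner happens to mask them. Dropping `--debug` from that command keeps them out of the output. The same step installs k3d with `curl -s .../k3d/main/install.sh | bash`, an unpinned script fetched from a moving branch and executed with the job's privileges; pinning the k3d release (and the `npx --yes tsx` version used in Test Import) makes the job's inputs reproducible and reviewable. Which of the duplicated `resource_class` and `environment` lines in validate_charts and publish are on the new side is not recoverable from this rendering, so I have not commented on them.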
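--- a/.circleci/scripts/testImport/logger.ts
+++ b/.circleci/scripts/testImport/logger.ts
@@ -0,0 +1,36 @@
+// Set up some basic logging
+enum LogMessage {
+INFO = "info",
+WARN = "warn",
+DEBUG = "debug",
+ERROR = "error",
+}
+
+export default class makeLog {
+info(message: string) {
+console.log(
+"\x1b[32m%s\x1b[0m",
+`[${LogMessage.INFO.toUpperCase()}]: ${message}`
+);
+}
+warn(message: string) {
+console.log(
+"\x1b[33m%s\x1b[0m",
+`[${LogMessage.WARN.toUpperCase()}]: ${message}`
+);
+}
+error(message: string) {
+console.error(
+"\x1b[31m%s\x1b[0m",
+`[${LogMessage.ERROR.toUpperCase()}]: ${message}`
+);
+}
+debug(message: string) {
+if (process.env.LOG_LEVEL == LogMessage.DEBUG) {
+console.log(
+"\x1b[2m%s\x1b[0m",
+`[${LogMessage.DEBUG.toUpperCase()}]: ${message}`
+);
+}
+}
+}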
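Review bot: `debug()` gates its output with a loose `==` against the string enum; both operands are strings today, but `===` states the intent and avoids coercion if the comparison is ever widened, so `if (process.env.LOG_LEVEL === LogMessage.DEBUG) {`. The class carries no doc comment; a one-line JSDoc above `export default class makeLog` such as `/** Minimal colour-coded console logger; debug lines are printed only when LOG_LEVEL is "debug". */` would record the environment-variable contract callers depend on. The name `makeLog` reads as a factory function rather than a class; a PascalCase name like `Logger` would match TypeScript convention, though its callers in testImport.ts are outside this diff.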