Support creating AgentInjectors in the chart #656
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build" | |
on: | |
pull_request: | |
push: | |
branches: | |
- master | |
tags: | |
- "v*" | |
workflow_dispatch: {} | |
jobs: | |
# | |
# Building Stage | |
# | |
generate-version: | |
runs-on: ubuntu-latest | |
outputs: | |
version: ${{ steps.generate-version.outputs.version }} | |
is-public-build: ${{ steps.generate-version.outputs.is-public-build }} | |
steps: | |
- name: Detect Version | |
id: generate-version | |
run: | | |
$ref = '${{ github.ref }}' | |
if ($ref.StartsWith('refs/tags/v')) | |
{ | |
$version = ($ref -split '/v' | Select-Object -Last 1) | |
$isPublicBuild = $true | |
} | |
else | |
{ | |
$version = "0.0.1" | |
$isPublicBuild = $false | |
} | |
Write-Host "Detected version: '$version'." | |
"version=$version" >> $env:GITHUB_OUTPUT | |
"is-public-build=$isPublicBuild" >> $env:GITHUB_OUTPUT | |
shell: pwsh | |
build-image: | |
runs-on: ubuntu-latest | |
needs: generate-version | |
permissions: | |
packages: write | |
outputs: | |
digest: ${{ steps.build.outputs.digest }} | |
env: | |
IMAGE_NAME: ghcr.io/contrast-security-oss/agent-operator/operator | |
BUILD_VERSION: ${{ needs.generate-version.outputs.version }} | |
IS_PUBLIC_BUILD: ${{ needs.generate-version.outputs.is-public-build }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: true | |
- uses: docker/setup-buildx-action@v3 | |
id: buildx | |
with: | |
install: true | |
version: latest | |
- uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Docker Meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.IMAGE_NAME }} | |
tags: | | |
type=raw,value=trunk-artifact,enable=${{ github.ref == 'refs/heads/master' }} | |
type=raw,value=pr-artifact,enable=${{ github.event_name == 'pull_request' }} | |
type=raw,value=dispatch-artifact,enable=${{ github.event_name == 'workflow_dispatch' }} | |
type=raw,value=release-artifact,enable=${{ needs.generate-version.outputs.version != '0.0.1' }} | |
- uses: docker/build-push-action@v5 | |
id: build | |
with: | |
file: Dockerfile | |
context: . | |
push: ${{ github.event_name != 'pull_request' }} # don't push the image for PR builds | |
cache-from: ${{ github.actor != 'dependabot[bot]' && format('type=registry,ref={0}:cache', env.IMAGE_NAME) || ''}} | |
cache-to: ${{ github.actor != 'dependabot[bot]' && format('type=registry,ref={0}:cache,mode=max', env.IMAGE_NAME) || ''}} | |
build-args: | | |
BUILD_VERSION=${{ env.BUILD_VERSION }} | |
IS_PUBLIC_BUILD=${{ env.IS_PUBLIC_BUILD }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
build-manifests: | |
runs-on: ubuntu-latest | |
needs: generate-version | |
env: | |
BUILD_VERSION: ${{ needs.generate-version.outputs.version }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: imranismail/setup-kustomize@v2 | |
- name: Generate Manifests (Prod) | |
run: | | |
set -xe | |
cd ./manifests/install/prod | |
kustomize edit set image 'contrast/agent-operator:${{ env.BUILD_VERSION }}' | |
cat ../../license-header.yaml > ./install-prod.yaml | |
kustomize build ./ >> ./install-prod.yaml | |
shell: bash | |
- name: Generate Manifests (Prod-Quay) | |
run: | | |
set -xe | |
cd ./manifests/install/prod-quay | |
kustomize edit set image 'quay.io/contrast/agent-operator:${{ env.BUILD_VERSION }}' | |
cat ../../license-header.yaml > ./install-prod-quay.yaml | |
kustomize build ./ >> ./install-prod-quay.yaml | |
shell: bash | |
- name: Stage Manifests | |
run: | | |
set -xe | |
cp manifests/install/prod/install-prod.yaml ./install-prod.yaml | |
cp manifests/install/prod-quay/install-prod-quay.yaml ./install-prod-quay.yaml | |
shell: bash | |
- name: Publish (Artifacts) | |
uses: actions/upload-artifact@v3 | |
with: | |
name: manifests | |
path: | | |
install-prod.yaml | |
install-prod-quay.yaml | |
retention-days: 7 | |
build-helm-chart: | |
runs-on: ubuntu-latest | |
needs: generate-version | |
env: | |
BUILD_VERSION: ${{ needs.generate-version.outputs.version }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: imranismail/setup-kustomize@v2 | |
- uses: azure/setup-helm@v3 | |
with: | |
version: v3.10.1 | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate Chart | |
run: | | |
set -xe | |
pwsh ./manifests/helm/build.ps1 \ | |
-AppVersion ${{ env.BUILD_VERSION }} \ | |
-ChartVersion ${{ env.BUILD_VERSION }} | |
shell: bash | |
- name: Render Manifests | |
run: | | |
set -xe | |
helm template test \ | |
./manifests/helm/dist/contrast-agent-operator-${{ env.BUILD_VERSION }}.tgz \ | |
--values ./manifests/helm/values.testing.yaml \ | |
--include-crds \ | |
| tee ./manifests/helm/dist/output.yaml | |
shell: bash | |
- name: Publish (Chart) | |
uses: actions/upload-artifact@v3 | |
with: | |
name: helm-chart | |
path: | | |
manifests/helm/dist/*.tgz | |
retention-days: 7 | |
- name: Publish (Manifests) | |
uses: actions/upload-artifact@v3 | |
with: | |
name: helm-manifests | |
path: | | |
manifests/helm/dist/output.yaml | |
retention-days: 7 | |
test-image: | |
runs-on: ubuntu-latest | |
needs: | |
- build-image | |
strategy: | |
matrix: | |
k3s-version: | |
- 1.28 # EOL: 2024-10-28 | |
- 1.27 # EOL: 2024-06-28 | |
- 1.26 # EOL: 2024-02-28 | |
- 1.25 # EOL: 2023-10-28 | |
fail-fast: false | |
env: | |
IMAGE: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }} | |
if: ${{ github.event_name != 'pull_request' }} # should match push logic in build-image | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: true | |
- uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- uses: nolar/setup-k3d-k3s@v1 | |
name: Deploy K3d | |
with: | |
version: v${{ matrix.k3s-version }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Import Images | |
uses: nick-fields/retry@v2 | |
with: | |
timeout_minutes: 10 | |
max_attempts: 5 | |
command: | | |
set -xe | |
docker pull ${{ env.IMAGE }} | |
docker tag ${{ env.IMAGE }} local/agent-operator:latest | |
k3d image import local/agent-operator:latest --mode direct | |
docker pull busybox:stable | |
k3d image import busybox:stable --mode direct | |
docker pull k8s.gcr.io/pause:3.3 | |
k3d image import k8s.gcr.io/pause:3.3 --mode direct | |
shell: bash | |
- name: Deploy Manifests | |
run: | | |
set -xe | |
kubectl apply -k manifests/install/testing | |
kubectl --namespace testing-agent-operator wait --for=condition=Available --timeout=30s deployment contrast-agent-operator | |
kubectl apply -k manifests/examples/testing | |
shell: bash | |
- name: Setup .NET SDK | |
uses: actions/setup-dotnet@v3 | |
with: | |
dotnet-version: 6.0.x | |
- name: Execute Functional Tests | |
run: | | |
set -xe | |
dotnet test ./tests/Contrast.K8s.AgentOperator.FunctionalTests/Contrast.K8s.AgentOperator.FunctionalTests.csproj | |
shell: bash | |
- name: Dump Operator Logs | |
uses: nick-fields/retry@v2 | |
if: ${{ always() }} | |
with: | |
timeout_minutes: 10 | |
max_attempts: 5 | |
command: | | |
set -xe | |
kubectl --namespace testing-agent-operator get events --sort-by=.metadata.creationTimestamp | |
kubectl --namespace testing-agent-operator get deployment contrast-agent-operator -o yaml | |
kubectl --namespace testing-agent-operator logs deployment/contrast-agent-operator | |
shell: bash | |
test-manifests: | |
runs-on: ubuntu-latest | |
needs: | |
- build-manifests | |
- build-helm-chart | |
strategy: | |
matrix: | |
artifact: | |
- manifests | |
- helm-manifests | |
k3s-version: | |
- 1.28 # EOL: 2024-10-28 | |
- 1.27 # EOL: 2024-06-28 | |
- 1.26 # EOL: 2024-02-28 | |
- 1.25 # EOL: 2023-10-28 | |
fail-fast: false | |
steps: | |
- name: Setup Pluto | |
uses: FairwindsOps/pluto/github-action@master | |
- name: Setup Polaris | |
uses: fairwindsops/polaris/.github/actions/setup-polaris@master | |
with: | |
version: 7.2.0 | |
- name: Setup Kubeconform | |
run: | | |
set -xe | |
wget https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | |
tar xf kubeconform-linux-amd64.tar.gz | |
sudo install kubeconform /usr/local/bin/kubeconform | |
- name: Download Manifests | |
uses: actions/download-artifact@v3 | |
id: download-artifacts | |
with: | |
name: ${{ matrix.artifact }} | |
path: ./artifacts | |
- name: Validate Manifests | |
run: | | |
set -xe | |
which kubeconform | |
which pluto | |
which polaris | |
for manifest in ./artifacts/*.yaml; | |
do | |
# https://github.com/yannh/kubeconform/issues/100#issuecomment-1096832969 | |
# Skipping the custom manifests for now. | |
kubeconform \ | |
--verbose \ | |
--summary \ | |
--kubernetes-version ${{ matrix.k3s-version }}.0 \ | |
-schema-location "default" \ | |
-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{ .NormalizedKubernetesVersion }}/{{ .ResourceKind }}{{ .KindSuffix }}.json" \ | |
-ignore-missing-schemas \ | |
$manifest | |
pluto detect \ | |
--output wide \ | |
--target-versions k8s=v${{ matrix.k3s-version }}.0 \ | |
$manifest | |
done | |
polaris audit \ | |
--audit-path ./artifacts/ \ | |
--set-exit-code-on-danger \ | |
--set-exit-code-below-score 90 | |
shell: bash | |
# | |
# Release Internal Stage | |
# | |
release-internal: | |
runs-on: ubuntu-latest | |
environment: internal | |
concurrency: | |
group: internal | |
needs: | |
- generate-version | |
- build-image | |
- test-image | |
- test-manifests | |
permissions: | |
packages: write | |
env: | |
BUILD_VERSION: ${{ needs.generate-version.outputs.version }} | |
IMAGE_NAME: ghcr.io/contrast-security-oss/agent-operator/operator | |
if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login (GitHub) | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Docker Meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.IMAGE_NAME }} | |
tags: | | |
type=semver,pattern={{version}},value=${{ env.BUILD_VERSION }} | |
type=semver,pattern={{major}}.{{minor}},value=${{ env.BUILD_VERSION }} | |
type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }} | |
type=raw,latest | |
- name: Tag for Release | |
uses: akhilerm/[email protected] | |
with: | |
src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }} | |
dst: | | |
${{ steps.meta.outputs.tags }} | |
# | |
# Release Public Stage | |
# | |
release-public: | |
runs-on: ubuntu-latest | |
environment: public | |
concurrency: | |
group: public | |
cancel-in-progress: true | |
needs: | |
- generate-version | |
- build-image | |
- release-internal | |
permissions: | |
contents: write | |
packages: write | |
env: | |
BUILD_VERSION: ${{ needs.generate-version.outputs.version }} | |
if: ${{ needs.generate-version.outputs.version != '0.0.1' }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login (GitHub) | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login (Dockerhub) | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PAT }} | |
- name: Login (Quay) | |
uses: docker/login-action@v3 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Docker Meta | |
id: dockerhub-meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
docker.io/contrast/agent-operator | |
quay.io/contrast/agent-operator | |
ghcr.io/contrast-security-oss/agent-operator/operator | |
tags: | | |
type=semver,pattern={{version}},value=${{ env.BUILD_VERSION }} | |
type=semver,pattern={{major}}.{{minor}},value=${{ env.BUILD_VERSION }} | |
type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }} | |
type=raw,latest | |
- name: Tag for Release | |
uses: akhilerm/[email protected] | |
with: | |
src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }} | |
dst: | | |
${{ steps.dockerhub-meta.outputs.tags }} | |
${{ steps.quay-meta.outputs.tags }} | |
- uses: actions/download-artifact@v3 | |
id: download-artifacts | |
with: | |
name: manifests | |
path: ./artifacts | |
- name: Publish | |
uses: ncipollo/release-action@v1 | |
with: | |
body: | | |
Version v${{ env.BUILD_VERSION }} released! | |
``` | |
contrast/agent-operator:${{ env.BUILD_VERSION }} | |
contrast/agent-operator@${{ needs.build-image.outputs.digest }} | |
quay.io/contrast/agent-operator:${{ env.BUILD_VERSION }} | |
quay.io/contrast/agent-operator@${{ needs.build-image.outputs.digest }} | |
``` | |
artifacts: ${{ steps.download-artifacts.outputs.download-path }}/*.yaml | |
token: ${{ secrets.GITHUB_TOKEN }} | |
allowUpdates: true | |
- name: Publish Helm Chart | |
uses: peter-evans/repository-dispatch@v2 | |
with: | |
token: ${{ secrets.GH_PR_WRITE_PAT }} | |
repository: Contrast-Security-OSS/helm-charts | |
event-type: oob-update | |
client-payload: | | |
{ | |
"type": "agent-operator", | |
"runId": "${{ github.run_id }}", | |
"artifactName": "helm-chart" | |
} | |
- name: Create Sentry Release | |
uses: getsentry/action-release@v1 | |
with: | |
environment: production | |
ignore_empty: true | |
# BUILD_VERSION is the semantic version, but the operator will send the .NET version i.e. X.X.X.X. | |
version: agent-operator@${{ env.BUILD_VERSION }}.0 | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
SENTRY_ORG: sentry | |
SENTRY_PROJECT: agent-operator | |
SENTRY_URL: https://sentry.prod.dotnet.contsec.com | |
- uses: act10ns/slack@v2 | |
with: | |
status: ${{ job.status }} | |
message: |- | |
Version <https://github.com/Contrast-Security-OSS/agent-operator/releases/tag/v${{ env.BUILD_VERSION }}|v${{ env.BUILD_VERSION }}> of the agent-operator was released! | |
fallback: |- | |
[GitHub] Version v${{ env.BUILD_VERSION }} of the agent-operator was released! | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |