ci/cd - staging improvements

2023-08-25 17:51:32 +02:00 · 2023-08-25 17:51:32 +02:00 · d6aa6a9b09
parent 9aba006738
commit d6aa6a9b09
12 changed files with 114 additions and 71 deletions
--- a/.github/workflows/linux-build.yml
+++ b/.github/workflows/linux-build.yml
@ -24,10 +24,6 @@ on:
        required: true
      DOCKER_TOKEN:
        required: true
-      PRIVATE_REGISTRY:
-        required: true
-      PRIVATE_REGISTRY_TOKEN:
-        required: true
      ARM_SSH_KEY:
        required: false
      ARM_SSH_IP:
@ -87,12 +83,12 @@ jobs:
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Login to private repository
+      - name: Login to ghcr
        uses: docker/login-action@v2
        with:
-          registry: ${{ secrets.PRIVATE_REGISTRY }}
-          username: registry
-          password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      # Build testing package image
      - name: Build package image
        if: inputs.RELEASE == 'testing'
@ -103,8 +99,8 @@ jobs:
          file: src/linux/Dockerfile-${{ inputs.LINUX }}
          platforms: ${{ inputs.PLATFORMS }}
          tags: local/bunkerweb-${{ inputs.LINUX }}:latest
-          cache-from: type=registry,ref=bunkerity/cache:${{ inputs.LINUX }}-testing
-          cache-to: type=registry,ref=bunkerity/cache:${{ inputs.LINUX }}-testing,mode=min
+          cache-from: type=gha,scope=${{ inputs.LINUX }}-testing
+          cache-to: type=gha,scope=${{ inputs.LINUX }}-testing,mode=min
      # Build non-testing package image
      - name: Build package image
        if: inputs.RELEASE != 'testing'
@ -136,6 +132,12 @@ jobs:
          name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
          path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
      # Build test image
+      - name: Extract metadata
+        if: inputs.TEST == true
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
      - name: Build test image
        if: inputs.TEST == true
        uses: docker/build-push-action@v4
@ -144,4 +146,5 @@ jobs:
          file: tests/linux/Dockerfile-${{ inputs.LINUX }}
          platforms: ${{ inputs.PLATFORMS }}
          push: true
-          tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/staging-create-infra.yml
+++ b/.github/workflows/staging-create-infra.yml
@ -41,10 +41,18 @@ jobs:
      - run: ./tests/create.sh ${{ inputs.TYPE }}
        env:
          CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
-      - run: tar -cvf terraform.tar /tmp/${{ inputs.TYPE }}
+          REG_USER: ${{ github.actor }}
+          REG_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: |
+          tar -cvf terraform.tar /tmp/${{ inputs.TYPE }}
+          echo "$SECRET_KEY" > /tmp/.secret_key
+          openssl enc -in terraform.tar -aes-256-cbc -pbkdf2 -pass file:/tmp/.secret_key -out terraform.tar.enc
+          rm -f /tmp/.secret_key
        if: always()
+        env:
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: tf-${{ inputs.TYPE }}
-          path: terraform.tar
+          path: terraform.tar.enc
--- a/.github/workflows/staging-delete-infra.yml
+++ b/.github/workflows/staging-delete-infra.yml
@ -20,11 +20,18 @@ jobs:
        uses: actions/checkout@v3
      - name: Install terraform
        uses: hashicorp/setup-terraform@v2
+
      - uses: actions/download-artifact@v3
        with:
          name: tf-${{ inputs.TYPE }}
          path: /tmp
-      - run: tar xvf /tmp/terraform.tar -C / && mkdir ~/.ssh && touch ~/.ssh/id_rsa.pub
+      - run: |
+          echo "$SECRET_KEY" > /tmp/.secret_key
+          openssl dec -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
+          rm -f /tmp/.secret_key
+          tar xvf /tmp/terraform.tar -C / && mkdir ~/.ssh && touch ~/.ssh/id_rsa.pub
+        env:
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
      - uses: azure/setup-kubectl@v3
        if: inputs.TYPE == 'k8s'
      # Remove infra
--- a/.github/workflows/staging-tests.yml
+++ b/.github/workflows/staging-tests.yml
@ -26,20 +26,17 @@ jobs:
      # Prepare
      - name: Checkout source code
        uses: actions/checkout@v3
-      - name: Login to private repository
+      - name: Login to ghcr
        uses: docker/login-action@v2
        with:
-          registry: ${{ secrets.PRIVATE_REGISTRY }}
-          username: registry
-          password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
-      - name: Pull BW image
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing local/bunkerweb-tests:latest
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - run: docker pull ghcr.io/bunkerity/bunkerweb-tests:testing && docker tag ghcr.io/bunkerity/bunkerweb-tests:testing local/bunkerweb-tests:latest
        if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
-      - name: Pull Scheduler image
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing local/scheduler-tests:latest
+      - run: docker pull ghcr.io/bunkerity/scheduler-tests:testing && docker tag ghcr.io/bunkerity/scheduler-tests:testing local/scheduler-tests:latest
        if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
-      - name: Pull Autoconf image
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing local/autoconf-tests:latest
+      - run: docker pull ghcr.io/bunkerity/autoconf-tests:testing && docker tag ghcr.io/bunkerity/autoconf-tests:testing local/autoconf-tests:latest
        if: contains(fromJSON('["autoconf", "swarm"]'), inputs.TYPE)
      - name: Push images to local repo
        run: docker tag local/bunkerweb-tests:latest 192.168.42.100:5000/bunkerweb-tests:latest && docker push 192.168.42.100:5000/bunkerweb-tests:latest && docker tag local/scheduler-tests:latest 192.168.42.100:5000/scheduler-tests:latest && docker push 192.168.42.100:5000/scheduler-tests:latest && docker tag local/autoconf-tests:latest 192.168.42.100:5000/autoconf-tests:latest && docker push 192.168.42.100:5000/autoconf-tests:latest
@ -51,6 +48,14 @@ jobs:
          name: tf-k8s
          path: /tmp
        if: inputs.TYPE == 'k8s'
+      - run: |
+          echo "$SECRET_KEY" > /tmp/.secret_key
+          openssl dec -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
+          rm -f /tmp/.secret_key
+          tar xvf /tmp/terraform.tar -C /
+        env:
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+        if: inputs.TYPE == 'k8s'
      - run: tar xvf /tmp/terraform.tar -C /
        if: inputs.TYPE == 'k8s'
      - uses: azure/setup-kubectl@v3
@ -59,19 +64,16 @@ jobs:
        if: inputs.TYPE == 'k8s'
      - name: Pull BW linux ubuntu test image
        if: inputs.TYPE == 'linux'
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/ubuntu-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/ubuntu-tests:testing local/ubuntu:latest
+        run: docker pull ghcr.io/bunkerity/ubuntu-tests:testing && docker tag ghcr.io/bunkerity ubuntu-tests:testing local/ubuntu:latest
      - name: Pull BW linux debian test image
        if: inputs.TYPE == 'linux'
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/debian-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/debian-tests:testing local/debian:latest
-      # - name: Pull BW linux centos test image
-      #   if: inputs.TYPE == 'linux'
-      #   run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/centos-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/centos-tests:testing local/centos:latest
+        run: docker pull ghcr.io/bunkerity/debian-tests:testing && docker tag ghcr.io/bunkerity debian-tests:testing local/debian:latest
      - name: Pull BW linux fedora test image
        if: inputs.TYPE == 'linux'
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/fedora-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/fedora-tests:testing local/fedora:latest
+        run: docker pull ghcr.io/bunkerity/fedora-tests:testing && docker tag ghcr.io/bunkerity fedora-tests:testing local/fedora:latest
      - name: Pull BW linux rhel test image
        if: inputs.TYPE == 'linux'
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/rhel-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/rhel-tests:testing local/rhel:latest
+        run: docker pull ghcr.io/bunkerity/rhel-tests:testing && docker tag ghcr.io/bunkerity rhel-tests:testing local/rhel:latest
      # Do tests
      - name: Run tests
        if: inputs.TYPE == 'docker'
@ -112,12 +114,6 @@ jobs:
        env:
          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
-      # - name: Run Linux centos tests
-      #   if: inputs.TYPE == 'linux'
-      #   run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "centos"
-      #   env:
-      #     TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
-      #     ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
      - name: Run Linux fedora tests
        if: inputs.TYPE == 'linux'
        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "fedora"
--- a/.github/workflows/staging.yml
+++ b/.github/workflows/staging.yml
@ -10,6 +10,9 @@ jobs:

  # Build Docker images
  build-containers:
+    permissions:
+      contents: read
+      packages: write
    strategy:
      matrix:
        image: [bunkerweb, scheduler, autoconf, ui]
@ -33,11 +36,12 @@ jobs:
    secrets:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-      PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
-      PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}

  # Build Linux packages
  build-packages:
+    permissions:
+      contents: read
+      packages: write
    strategy:
      matrix:
        linux: [ubuntu, debian, fedora, rhel]
@ -60,8 +64,6 @@ jobs:
    secrets:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-      PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
-      PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}

  # Code security
  code-security:
@ -126,9 +128,6 @@ jobs:
    uses: ./.github/workflows/tests-ui.yml
    with:
      RELEASE: testing
-    secrets:
-      PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
-      PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
  prepare-tests-core:
    needs: [create-infras]
    runs-on: ubuntu-latest
@ -151,9 +150,6 @@ jobs:
    with:
      TEST: ${{ matrix.test }}
      RELEASE: testing
-    secrets:
-      PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
-      PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}

  # Delete infrastructures
  delete-infras:
@ -172,26 +168,29 @@ jobs:
  push-images:
    needs: [staging-tests, tests-ui, tests-core]
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Login to private repository
+      - name: Login to ghcr
        uses: docker/login-action@v2
        with:
-          registry: ${{ secrets.PRIVATE_REGISTRY }}
-          username: registry
-          password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push BW image
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing bunkerity/bunkerweb:testing && docker push bunkerity/bunkerweb:testing
+        run: docker pull ghcr.io/bunkerweb-tests:testing && docker tag ghcr.io/bunkerweb-tests:testing bunkerity/bunkerweb:testing && docker push bunkerity/bunkerweb:testing && docker tag bunkerity/bunkerweb:testing ghcr.io/bunkerity/bunkerweb:testing && docker push ghcr.io/bunkerity/bunkerweb:testing
      - name: Push scheduler image
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing bunkerity/bunkerweb-scheduler:testing && docker push bunkerity/bunkerweb-scheduler:testing
+        run: docker pull ghcr.io/scheduler-tests:testing && docker tag ghcr.io/scheduler-tests:testing bunkerity/bunkerweb-scheduler:testing && docker push bunkerity/bunkerweb-scheduler:testing && docker tag bunkerity/bunkerweb-scheduler:testing ghcr.io/bunkerity/bunkerweb-scheduler:testing && docker push ghcr.io/bunkerity/bunkerweb-scheduler:testing
      - name: Push UI image
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/ui-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/ui-tests:testing bunkerity/bunkerweb-ui:testing && docker push bunkerity/bunkerweb-ui:testing
+        run: docker pull ghcr.io/ui-tests:testing && docker tag ghcr.io/ui-tests:testing bunkerity/bunkerweb-ui:testing && docker push bunkerity/bunkerweb-ui:testing && docker tag bunkerity/bunkerweb-ui:testing ghcr.io/bunkerity/bunkerweb-ui:testing && docker push ghcr.io/bunkerity/bunkerweb-ui:testing
      - name: Push autoconf image
-        run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing bunkerity/bunkerweb-autoconf:testing && docker push bunkerity/bunkerweb-autoconf:testing
+        run: docker pull ghcr.io/autoconf-tests:testing && docker tag ghcr.io/autoconf-tests:testing bunkerity/bunkerweb-autoconf:testing && docker push bunkerity/bunkerweb-autoconf:testing && docker tag bunkerity/bunkerweb-autoconf:testing ghcr.io/bunkerity/bunkerweb-autoconf:testing && docker push ghcr.io/bunkerity/bunkerweb-autoconf:testing

  # Push Linux packages
  push-packages:
--- a/tests/create.sh
+++ b/tests/create.sh
@ -2,6 +2,8 @@

 # drop and export secrets
 echo "${CICD_SECRETS}" > /opt/.env
+echo "export TF_VAR_k8s_reg_user=${REG_USER}" >> /opt/.env
+echo "export TF_VAR_k8s_reg_token=${REG_TOKEN}" >> /opt/.env
 chmod +x /opt/.env
 . /opt/.env

--- a/tests/terraform/autoconf.tf
+++ b/tests/terraform/autoconf.tf
@ -2,10 +2,12 @@
 variable "autoconf_ip" {
  type     = string
  nullable = false
+  sensitive = true
 }
 variable "autoconf_ip_id" {
  type     = string
  nullable = false
+  sensitive = true
 }

 # Create cicd_bw_autoconf SSH key
@ -25,7 +27,7 @@ resource "scaleway_instance_server" "instance" {

 # Create Ansible inventory file
 resource "local_file" "ansible_inventory" {
-  content = templatefile("templates/autoconf_inventory.tftpl", {
+  sensitive_content = templatefile("templates/autoconf_inventory.tftpl", {
    public_ip = var.autoconf_ip
  })
  filename = "/tmp/autoconf_inventory"
--- a/tests/terraform/docker.tf
+++ b/tests/terraform/docker.tf
@ -2,10 +2,12 @@
 variable "docker_ip" {
  type     = string
  nullable = false
+  sensitive = true
 }
 variable "docker_ip_id" {
  type     = string
  nullable = false
+  sensitive = true
 }

 # Create cicd_bw_docker SSH key
@ -25,7 +27,7 @@ resource "scaleway_instance_server" "instance" {

 # Create Ansible inventory file
 resource "local_file" "ansible_inventory" {
-  content = templatefile("templates/docker_inventory.tftpl", {
+  sensitive_content = templatefile("templates/docker_inventory.tftpl", {
    public_ip = var.docker_ip
  })
  filename = "/tmp/docker_inventory"
--- a/tests/terraform/k8s.tf
+++ b/tests/terraform/k8s.tf
@ -2,10 +2,17 @@
 variable "k8s_ip" {
  type     = string
  nullable = false
+  sensitive = true
 }
-variable "k8s_dockerconfigjson" {
+variable "k8s_reg_user" {
  type = string
  nullable = false
+  sensitive = true
+}
+variable "k8s_reg_token" {
+  type = string
+  nullable = false
+  sensitive = true
 }

 # Create k8s cluster
@ -28,7 +35,7 @@ resource "scaleway_k8s_pool" "pool" {
 # Get kubeconfig file
 resource "local_file" "kubeconfig" {
  depends_on = [scaleway_k8s_pool.pool]
-  content = scaleway_k8s_cluster.cluster.kubeconfig[0].config_file
+  sensitive_content = scaleway_k8s_cluster.cluster.kubeconfig[0].config_file
  filename = "/tmp/k8s/kubeconfig"
 }
 provider "kubectl" {
@ -38,7 +45,7 @@ provider "kubectl" {
 # Setup LB
 resource "local_file" "lb_yml" {
  depends_on = [local_file.kubeconfig]
-  content = templatefile("templates/lb.yml.tftpl", {
+  sensitive_content = templatefile("templates/lb.yml.tftpl", {
    lb_ip = var.k8s_ip
  })
  filename = "/tmp/k8s/lb.yml"
@ -49,14 +56,23 @@ resource "kubectl_manifest" "lb" {
 }

 # Setup registry
-resource "local_file" "reg_yml" {
-  depends_on = [local_file.kubeconfig]
-  content = templatefile("templates/reg.yml.tftpl", {
-    dockerconfigjson = var.k8s_dockerconfigjson
-  })
-  filename = "/tmp/k8s/reg.yml"
+provider "kubernetes" {
+  config_path = "${local_file.kubeconfig.filename}"
 }
-resource "kubectl_manifest" "reg" {
-  depends_on = [local_file.reg_yml]
-  yaml_body = local_file.reg_yml.content
+resource "kubernetes_secret" "reg" {
+  metadata = {
+    name = "secret-registry"
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "ghcr.io" = {
+          "username" = var.k8s_reg_user
+          "password" = var.k8s_reg_token
+          "auth"     = base64encode("${var.k8s_reg_user}:${var.k8s_reg_token}")
+        }
+      }
+    })
+  }
 }
--- a/tests/terraform/linux.tf
+++ b/tests/terraform/linux.tf
@ -2,10 +2,12 @@
 variable "linux_ip" {
  type     = string
  nullable = false
+  sensitive = true
 }
 variable "linux_ip_id" {
  type     = string
  nullable = false
+  sensitive = true
 }

 # Create cicd_bw_linux SSH key
@ -25,7 +27,7 @@ resource "scaleway_instance_server" "instance" {

 # Create Ansible inventory file
 resource "local_file" "ansible_inventory" {
-  content = templatefile("templates/linux_inventory.tftpl", {
+  sensitive_content = templatefile("templates/linux_inventory.tftpl", {
    public_ip = var.linux_ip
  })
  filename = "/tmp/linux_inventory"
--- a/tests/terraform/providers.tf
+++ b/tests/terraform/providers.tf
@ -8,5 +8,9 @@ terraform {
      source = "gavinbunney/kubectl"
      version = "1.14.0"
    }
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+      version = "2.23.0"
+    }
  }
 }
--- a/tests/terraform/swarm.tf
+++ b/tests/terraform/swarm.tf
@ -2,10 +2,12 @@
 variable "swarm_ips" {
  type     = list(string)
  nullable = false
+  sensitive = true
 }
 variable "swarm_ips_id" {
  type     = list(string)
  nullable = false
+  sensitive = true
 }

 # Create cicd_bw_swarm SSH key
@ -34,7 +36,7 @@ resource "scaleway_instance_server" "instances" {

 # Create Ansible inventory file
 resource "local_file" "ansible_inventory" {
-  content = templatefile("templates/swarm_inventory.tftpl", {
+  sensitive_content = templatefile("templates/swarm_inventory.tftpl", {
    public_ips = var.swarm_ips
  })
  filename = "/tmp/swarm_inventory"