-
Notifications
You must be signed in to change notification settings - Fork 20
137 lines (116 loc) · 3.91 KB
/
k8-infra-ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Kubernetes Infra CI
on:
push:
branches: [ "main" ]
paths:
- .github/workflows/k8-infra-ci.yaml
- deployment/kubernetes/**
- '!**.md'
- '!**.png'
- '!**.gif'
- .gitignore
pull_request:
branches: [ "main" ]
paths:
- .github/workflows/k8-infra-ci.yaml
- deployment/kubernetes/**
- '!**.md'
- '!**.png'
- '!**.gif'
- .gitignore
workflow_dispatch:
env:
KUBERNETES_INFRA_DIR: deployment/kubernetes
KUBE_AUDIT_VERSION: 0.22.0
DATREE_VERSION: 1.9.19
permissions: read-all
jobs:
helm-chart-validation:
name: Helm Chart Validation and IaC scan
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v3
with:
version: v3.10.0
- name: Download Secret Scan Rule Config File
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
curl https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml > gitleaks.toml
- name: Helm Dependency Update
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm dependency update
- name: Helm Lint
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm lint . --set-file global.secretScanRulePackConfig=./gitleaks.toml
- name: Helm Template
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm template resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./gitleaks.toml
- name: Run IaC scan using Kics
uses: checkmarx/kics-github-action@v1.6.3
with:
path: '${{ env.KUBERNETES_INFRA_DIR }}'
exclude_paths: '${{ env.KUBERNETES_INFRA_DIR }}/example-values.yaml,${{ env.KUBERNETES_INFRA_DIR }}/resc_helm_template.yaml'
fail_on: high,medium
- name: Run IaC scan using Checkov
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: '${{ env.KUBERNETES_INFRA_DIR }}'
quiet: true
soft_fail: true
output_format: json
- name: Export RESC Helm Template
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm template resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./gitleaks.toml > resc_helm_template.yaml
- name: Install Kubeaudit
run: |
curl -LO https://github.com/Shopify/kubeaudit/releases/download/v${{env.KUBE_AUDIT_VERSION}}/kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz
tar -xzvf kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz
mv kubeaudit /usr/local/bin/
- name: Run Kubeaudit Scan
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
kubeaudit all -f resc_helm_template.yaml
- name: Install Datree
run: |
curl -L -o datree.zip https://github.com/datreeio/datree/releases/download/${{env.DATREE_VERSION}}/datree-cli_${{env.DATREE_VERSION}}_Linux_x86_64.zip
unzip datree.zip -d datree
mv datree/datree /usr/local/bin/
- name: Run Datree Scan
id: datree_scan
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
datree config set offline local
datree test resc_helm_template.yaml --only-k8s-files --no-record --verbose --policy-config datree-policies.yaml
release-charts:
name: Release Charts
permissions:
contents: write
runs-on: ubuntu-latest
needs: helm-chart-validation
if: github.ref == 'refs/heads/main'
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.5.0
with:
charts_dir: deployment
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_SKIP_EXISTING: true