diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..e650e2a 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,6 +1,10 @@ name: MSBuild -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Path to the solution file relative to the root of the project. diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..4737d06 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -42,8 +42,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: Trigger APIsec scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -61,4 +66,4 @@ jobs: - name: Import results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./apisec-results.sarif \ No newline at end of file + sarif_file: ./apisec-results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index ae5215a..d0b25ac 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: brakeman-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185ad..4892930 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 689a1a0..d8eaa92 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -33,4 +39,4 @@ jobs: - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 1503319..83d4571 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -20,8 +20,14 @@ env: # Path to the CMake build directory. build: '${{ github.workspace }}/build' +permissions: + contents: read + jobs: analyze: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Analyze runs-on: windows-latest diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8077f76..a6da087 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5323d1b..5b11482 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 618ce28..d63b462 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 + uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 with: results_file: results.sarif results_format: sarif diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 827387b..f99d441 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -19,8 +19,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 9701b1f..af220c0 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -37,8 +37,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk runs-on: ubuntu-20.04 steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 49841d7..f9b29fc 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -13,10 +13,17 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -51,4 +58,4 @@ jobs: #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarifReport }} diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index e38fffd..073d1b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -17,10 +17,16 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter build-and-pipeline-scan: # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml new file mode 100644 index 0000000..506819d --- /dev/null +++ b/deployments/azure-kubernetes-service-helm.yml @@ -0,0 +1,122 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. +# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. +# - CHART_PATH (path to your helm chart) +# - CHART_OVERRIDE_PATH (path to your helm chart with override values) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Helm + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + CHART_PATH: "your-chart-path" + CHART_OVERRIDE_PATH: "your-chart-override-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml new file mode 100644 index 0000000..1d33fe3 --- /dev/null +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -0,0 +1,111 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. +# Set your dockerComposeFile and kompose-version to suit your configuration. +# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kompose + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kompose' + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml new file mode 100644 index 0000000..51b7d69 --- /dev/null +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -0,0 +1,117 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. +# Set your kustomizationPath and kubectl-version to suit your configuration. +# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kustomize + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + KUSTOMIZE_PATH: "your-kustomize-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kustomize' + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index 08988ff..e61e64e 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -1,80 +1,105 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) -# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal -# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal -# https://github.com/Azure/aks-create-action +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository: -# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): -# - AZURE_CONTAINER_REGISTRY (name of your container registry) -# - PROJECT_NAME +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# -# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set -# any needed environment variables such as: -# - CHART_PATH -# - CHART_OVERRIDE_PATH +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -# For more options with the actions used below please see the folllowing -# https://github.com/Azure/login -# https://github.com/Azure/aks-set-context -# https://github.com/marketplace/actions/azure-cli-action -# https://github.com/Azure/k8s-bake -# https://github.com/Azure/k8s-deploy +# For more options with the actions used below please refer to https://github.com/Azure/login -on: [push] +name: Build and deploy an app to AKS + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: build: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest steps: + # Checks out the repository this file is in - uses: actions/checkout@master - - name: Azure Login - uses: azure/login@v1 + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Build image on ACR - uses: azure/CLI@v1 - with: - azcliversion: 2.29.1 - inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - - - name: Gets K8s context - uses: azure/aks-set-context@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - name: Configure deployment - uses: azure/k8s-bake@v1 + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 'latest' - id: bake + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Deploys application based on given manifest file - name: Deploys application - - uses: Azure/k8s-deploy@v1 + uses: Azure/k8s-deploy@v3.0 with: - manifests: ${{ steps.bake.outputs.manifestsBundle }} + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.PROJECT_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json new file mode 100644 index 0000000..92478b3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-helm.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Helm", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json new file mode 100644 index 0000000..de246c3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kompose", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json new file mode 100644 index 0000000..bfc71cc --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kustomize", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json index 28f3725..45d4a69 100644 --- a/deployments/properties/azure-kubernetes-service.properties.json +++ b/deployments/properties/azure-kubernetes-service.properties.json @@ -1,7 +1,7 @@ { - "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", + "name": "Deploy to AKS", + "description": "Deploy an application to an Azure Kubernetes Service cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] + "categories": ["Deployment", "Kubernetes", "Dockerfile"] }