From a94814d42d1691f3bfba83c4e1f0fa6a7a321f04 Mon Sep 17 00:00:00 2001 From: LH Date: Tue, 13 Jul 2021 10:16:44 +0200 Subject: [PATCH] feat: Certbot update, base image bumped, repo clean up (#47) BREAKING CHANGE: Certbot updated (9 minor versions), base image updated one based on Alpine 3.14 --- .github/workflows/ci.yml | 26 +++------- .github/workflows/ci_cd.yml | 60 ++++++++++------------ .github/workflows/regular_scan.yml | 27 ---------- .gitignore | 4 +- Dockerfile | 34 ++++++------ README.md | 2 +- SECURITY.md | 2 +- cloudflare.init.tmp | 1 - tests/.idea/.name | 2 +- tests/build.gradle | 18 ++++--- tests/settings.gradle | 2 +- tests/src/test/java/ContainerTestBase.java | 2 +- tests/src/test/java/TestConfiguration.java | 9 +++- 13 files changed, 80 insertions(+), 109 deletions(-) delete mode 100644 .github/workflows/regular_scan.yml delete mode 100644 cloudflare.init.tmp diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5a61c5b..eda74c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,13 +11,11 @@ env: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: read steps: - uses: actions/checkout@master - - - name: Set up java for tests execution - uses: actions/setup-java@v1 - with: - java-version: 11 - name: Set tag var id: vars 
@@ -30,17 +28,7 @@ jobs: run: docker build . -t ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }} - name: Test Docker image - run: cd tests && sudo gradle test --info -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }} - - - name: Scan with Phonito Security - uses: phonito/phonito-scanner-action@master - with: - image: ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }} - phonito-token: '${{ secrets.PHONITO_TOKEN }}' - - - name: Scan with Snyk - uses: snyk/actions/docker@0.1.1 - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }} \ No newline at end of file + run: cd tests && sudo --preserve-env gradle test --info -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }} + env: # To allow downloading packages + GITHUB_USERNAME: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index f973191..2a43e98 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -10,16 +10,14 @@ env: jobs: build: runs-on: ubuntu-latest + permissions: + contents: write # To add version tags + packages: write # To push docker image steps: - uses: actions/checkout@master - - name: Set up java for tests execution - uses: actions/setup-java@v1 - with: - java-version: 11 - - name: "Determine release version" - uses: codfish/semantic-release-action@master + uses: docker://ghcr.io/codfish/semantic-release-action:v1.9.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
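Review bot: After this hunk nothing scans the built image any more — the Phonito and Snyk steps are dropped here and in the matching ci_cd.yml hunk, and regular_scan.yml is deleted — while SECURITY.md in this same commit still says the image is regularly scanned with Snyk. Either re-add a pinned scan step (for example `snyk/actions/docker` on the freshly built tag, placed before the push steps in ci_cd.yml) or change the SECURITY.md sentence so it does not promise a scan that no longer runs. Separately, `sudo --preserve-env gradle …` now hands the whole runner environment, `GITHUB_TOKEN` included, to a root gradle process; `sudo --preserve-env=GITHUB_USERNAME,GITHUB_TOKEN gradle …` passes only what the new `env:` block adds.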
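Review bot: `uses: docker://ghcr.io/codfish/semantic-release-action:v1.9.0` pulls the action image by a mutable tag and then hands it a `GITHUB_TOKEN` that this job now grants `contents: write` and `packages: write`. Pinning the image to its digest, `uses: docker://ghcr.io/codfish/semantic-release-action@sha256:<digest>`, keeps the step reproducible and immune to the tag being repointed; the context line `actions/checkout@master` has the same exposure. The `permissions` block itself is the right direction and should stay.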
@@ -29,7 +27,11 @@ jobs: - name: "Build Docker image" if: env.RELEASE_VERSION != '' run: | - docker build . -t "$IMAGE_NAME:$RELEASE_VERSION" \ + docker build . \ + --tag "$IMAGE_NAME:$RELEASE_VERSION" \ + --tag "$IMAGE_NAME:latest" \ + --tag "ghcr.io/$IMAGE_NAME:$RELEASE_VERSION" \ + --tag "ghcr.io/$IMAGE_NAME:latest" \ --label "org.label-schema.schema-version=1.0" \ --label "org.label-schema.vcs-ref=${GITHUB_SHA}" \ --label "org.label-schema.vcs-url=https://github.com/${GITHUB_REPOSITORY}" \ 
@@ -40,43 +42,33 @@ jobs: - name: Test Docker image if: env.RELEASE_VERSION != '' - run: cd tests && sudo gradle test -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }} + run: cd tests && sudo --preserve-env gradle test -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }} + env: # To allow downloading packages + GITHUB_USERNAME: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Scan with Phonito Security - if: env.RELEASE_VERSION != '' - uses: phonito/phonito-scanner-action@master - with: - image: ${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} - phonito-token: '${{ secrets.PHONITO_TOKEN }}' - - - name: Scan with Snyk - if: env.RELEASE_VERSION != '' - uses: snyk/actions/docker@0.1.1 - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} - - - name: "Tag image as latest" - if: env.RELEASE_VERSION != '' - run: "docker tag $IMAGE_NAME:$RELEASE_VERSION $IMAGE_NAME:latest" - + # Docker hub - name: "Log into Docker Hub" if: env.RELEASE_VERSION != '' run: "echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login --username ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin" - - name: "Push versioned image" - if: env.RELEASE_VERSION != '' - run: "docker push $IMAGE_NAME:$RELEASE_VERSION" - - - name: "Push latest image" + - name: "Push to DockerHub" if: env.RELEASE_VERSION != '' - run: "docker push $IMAGE_NAME:latest" + run: "docker push $IMAGE_NAME:$RELEASE_VERSION && docker push $IMAGE_NAME:latest" - name: "Update Docker Hub description" if: env.RELEASE_VERSION != '' - uses: peter-evans/dockerhub-description@v2.2.0 + uses: peter-evans/dockerhub-description@v2.4.3 env: DOCKERHUB_USERNAME: ${{ 
secrets.DOCKERHUB_USERNAME }} DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} DOCKERHUB_REPOSITORY: ${{ env.IMAGE_NAME }} + + # GitHub Packages + - name: "Log into GitHub Packages" + if: env.RELEASE_VERSION != '' + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: "Push to GitHub Packages" + if: env.RELEASE_VERSION != '' + run: "docker push ghcr.io/$IMAGE_NAME:$RELEASE_VERSION && docker push ghcr.io/$IMAGE_NAME:latest" diff --git a/.github/workflows/regular_scan.yml b/.github/workflows/regular_scan.yml deleted file mode 100644 index 9e02490..0000000 --- a/.github/workflows/regular_scan.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Regular Docker image vulnerability scan -on: - schedule: - - cron: '0 6 * * *' - -env: - IMAGE_NAME: "homecentr/certbot" - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Pull Docker image - run: docker pull ${{ env.IMAGE_NAME }}:latest - - - name: Scan image for vulnerabilities - uses: phonito/phonito-scanner-action@master - with: - image: ${{ env.IMAGE_NAME }}:latest - phonito-token: '${{ secrets.PHONITO_TOKEN }}' - - - name: Scan with Snyk - uses: snyk/actions/docker@0.1.1 - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.IMAGE_NAME }}:latest \ No newline at end of file diff --git a/.gitignore b/.gitignore index 1f7244f..b503329 100644 --- a/.gitignore +++ b/.gitignore @@ -17,4 +17,6 @@ gradle-app.setting !gradle-wrapper.jar # Cache of project -.gradletasknamecache \ No newline at end of file +.gradletasknamecache + +*.tmp \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 1fca8e7..62a1ab7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ -FROM certbot/certbot:v1.6.0 as certbot +FROM certbot/certbot:v1.17.0 as certbot -FROM homecentr/cron-base:1.2.1 +FROM homecentr/cron-base:2.0.0 -ARG CERTBOT_PIP_VERSION="1.6.0" +ARG CERTBOT_PIP_VERSION="1.17.0" ENV CERTBOT_ARGS="" ENV CRON_SCHEDULE="30 * * * *" 
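Review bot: The new 'Log into GitHub Packages' step expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the shell script text, the same pattern as the Docker Hub login above it; expression expansion inside `run:` is the injection-prone form, whereas `env:` keeps the values out of the script body. Replace the step's body with `env:` / `  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` / `run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin` (or use `docker/login-action` with `registry: ghcr.io`). Note also that the Docker Hub push now completes before the GHCR login runs, so a GHCR failure leaves the two registries publishing different `latest` images; doing both logins first and both pushes in one final step avoids the half-published state.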
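Review bot: The `*.tmp` pattern is added after a `.tmp` file containing a Cloudflare API token was already committed — this same commit deletes `cloudflare.init.tmp`, and its content is visible in the patch. Removing the file from the tree does not remove the value from the repository history, clones or forks, so the token should be treated as exposed and revoked in Cloudflare, and a secret-scanning pre-commit hook or the forge's secret scanning would catch a repeat. Ignoring the credentials file by the name the tests actually write (the path behind `cloudflareCredentialsHostPath` in TestConfiguration.java) in addition to the suffix pattern makes the intent explicit.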
@@ -11,21 +11,25 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 COPY --from=certbot /usr/local/bin/certbot /usr/local/bin/certbot RUN apk add --no-cache \ - python3=3.8.5-r0 \ + python3=3.9.5-r1 \ # Required from Certbot version 1.5.0 - py3-six=1.15.0-r0 \ - py3-requests=2.23.0-r0 \ - py3-distro=1.5.0-r1 && \ + py3-six=1.15.0-r1 \ + py3-requests=2.25.1-r4 \ + py3-distro=1.5.0-r3 \ + py3-wheel=0.36.2-r2 \ + py3-setuptools=52.0.0-r3 && \ apk add --no-cache --virtual deps \ - python3-dev=3.8.5-r0 \ - py3-pip=20.1.1-r0 \ - gcc=9.3.0-r2 \ + python3-dev=3.9.5-r1 \ + py3-pip=20.3.4-r1 \ + gcc=10.3.1_git20210424-r2 \ libffi-dev=3.3-r2 \ - openssl-dev=1.1.1g-r0 \ - musl-dev=1.1.24-r9 &&\ - pip3 install --upgrade pip==20.1.1 && \ - pip3 install \ - setuptools==47.3.1 \ + openssl-dev=1.1.1k-r0 \ + musl-dev=1.2.2-r3 \ + cargo=1.52.0-r0 \ + && \ + pip3 install --no-cache-dir --upgrade pip==21.1.3 && \ + pip3 install --no-cache-dir \ + # setuptools==57.1.0 \ acme==${CERTBOT_PIP_VERSION} \ certbot==${CERTBOT_PIP_VERSION} \ certbot-dns-cloudflare==${CERTBOT_PIP_VERSION} \ diff --git a/README.md b/README.md index f394df8..9fa69df 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![](https://badgen.net/docker/pulls/homecentr/certbot)](https://hub.docker.com/repository/docker/homecentr/certbot) [![](https://badgen.net/docker/size/homecentr/certbot)](https://hub.docker.com/repository/docker/homecentr/certbot) -![CI/CD on master](https://github.com/homecentr/docker-certbot/workflows/CI/CD%20on%20master/badge.svg) ![Regular Docker image vulnerability scan](https://github.com/homecentr/docker-certbot/workflows/Regular%20Docker%20image%20vulnerability%20scan/badge.svg) +![CI/CD on master](https://github.com/homecentr/docker-certbot/workflows/CI/CD%20on%20master/badge.svg) # HomeCentr - certbot diff --git a/SECURITY.md b/SECURITY.md index 8bfb49e..4de4bc1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
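Review bot: `# setuptools==57.1.0 \` is commented-out code left inside the `pip3 install` argument list; with `py3-setuptools=52.0.0-r3` now pinned through apk the line is dead and should be removed, or replaced with a comment stating why setuptools is deliberately taken from apk rather than pip (Docker drops whole `#` lines before joining continuations, as the existing `# Required from Certbot version 1.5.0` line already relies on, so it is harmless but misleading). `cargo=1.52.0-r0` joins the `deps` virtual package that is presumably removed later with `apk del deps`; that line is outside the hunk, so it is worth confirming the Rust toolchain does not stay in the final image. The RUN instruction continues past the end of the hunk.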
@@ -10,6 +10,6 @@ Known security issues will be published in GitHub repository's Security / Securi ## Automated processes -The Docker image is scanned for vulnerabilities every 24 hours using [Phonito.io](https://phonito.io/?b=a) and [Snyk](https://snyk.io). You can see the scan status under the actions tab / Regular Docker image vulnerability scan. +The Docker image is regularly scanned for vulnerabilities with [Snyk.io](https://snyk.io/). The dependencies are automatically scanned using [Dependabot](https://dependabot.com/). Dependencies are regularly updated. You can check for pending dependency updates by listing open Pull requests with the "dependencies" label. \ No newline at end of file diff --git a/cloudflare.init.tmp b/cloudflare.init.tmp deleted file mode 100644 index b8ba491..0000000 --- a/cloudflare.init.tmp +++ /dev/null @@ -1 +0,0 @@ -dns_cloudflare_api_token = X_dcoV-VjECY1RiROctHKvigHWq5nqaOp4BSs1Yj \ No newline at end of file diff --git a/tests/.idea/.name b/tests/.idea/.name index 71d0457..dbb217e 100644 --- a/tests/.idea/.name +++ b/tests/.idea/.name @@ -1 +1 @@ -docker-$$IMAGE_NAME$$-tests \ No newline at end of file +docker-certbot-tests \ No newline at end of file diff --git a/tests/build.gradle b/tests/build.gradle index 9756a08..92a745d 100644 --- a/tests/build.gradle +++ b/tests/build.gradle @@ -1,5 +1,6 @@ plugins { id 'java' + id 'maven-publish' } group 'org.homecentr' 
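Review bot: `id 'maven-publish'` is applied, but nothing in this patch publishes anything — the GitHub Packages repository added further down in this file is only used as a dependency source, which needs credentials but no publishing plugin. Unless a `publishing {}` block exists outside the hunks, drop the line so the test project does not acquire publish tasks it never runs.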
@@ -10,16 +11,21 @@ sourceCompatibility = 1.8 repositories { mavenCentral() maven { - url "https://dl.bintray.com/homecentr/maven" + name = "GitHubPackages" + url = uri("https://maven.pkg.github.com/homecentr/lib-testcontainers-extensions") + credentials { + username = System.getenv("GITHUB_USERNAME") + password = System.getenv("GITHUB_TOKEN") + } } } dependencies { - testImplementation group: 'junit', name: 'junit', version: '4.13' - testImplementation 'org.testcontainers:testcontainers:1.14.3' - testImplementation 'io.homecentr:testcontainers-extensions:1.4.0' - testImplementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.30' - testImplementation group: 'org.slf4j', name: 'slf4j-simple', version: '1.7.30' + testImplementation group: 'junit', name: 'junit', version: '4.13.2' + testImplementation group: 'org.testcontainers', name: 'testcontainers', version: '1.15.3' + testImplementation group: 'io.homecentr', name: 'testcontainers-extensions', version: '1.5.0' + testImplementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.31' + testImplementation group: 'org.slf4j', name: 'slf4j-simple', version: '1.7.31' } test { diff --git a/tests/settings.gradle b/tests/settings.gradle index efa59b6..b528b1e 100644 --- a/tests/settings.gradle +++ b/tests/settings.gradle @@ -1,2 +1,2 @@ -rootProject.name = 'docker-$$IMAGE_NAME$$-tests' +rootProject.name = 'docker-certbot-tests' diff --git a/tests/src/test/java/ContainerTestBase.java b/tests/src/test/java/ContainerTestBase.java index a06567b..2b143bd 100644 --- a/tests/src/test/java/ContainerTestBase.java +++ b/tests/src/test/java/ContainerTestBase.java @@ -13,7 +13,7 @@ public abstract class ContainerTestBase { @BeforeClass public static void setUp() { - String dockerImageTag = System.getProperty("image_tag", "homecentr/$$IMAGE_NAME$$"); + String dockerImageTag = System.getProperty("image_tag", "homecentr/certbot"); logger.info("Tested Docker image tag: {}", dockerImageTag); 
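Review bot: The new default `homecentr/certbot` only matters if `image_tag` is unset, and the workflows never set that name directly — both ci.yml and ci_cd.yml pass `-Ddocker_image_tag=…` to the gradle command, and a `-D` on the gradle command line lands in the Gradle JVM, not in the forked test JVM. This works only if the `test {}` block in tests/build.gradle (its opening line is the last context line of the build.gradle hunk, the body is outside the patch) forwards it with something like `systemProperty "image_tag", System.getProperty("docker_image_tag")`; worth confirming, because otherwise CI silently tests the published `homecentr/certbot` image instead of the one just built. A comment on this line naming that mapping, e.g. `// "image_tag" is forwarded from -Ddocker_image_tag by the test {} block in build.gradle`, would make the coupling visible. setUp() continues past the end of the hunk.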
diff --git a/tests/src/test/java/TestConfiguration.java b/tests/src/test/java/TestConfiguration.java
index 9dfb743..69ab686 100644
--- a/tests/src/test/java/TestConfiguration.java
+++ b/tests/src/test/java/TestConfiguration.java
@@ -1,4 +1,5 @@
 import java.io.BufferedWriter;
+import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.nio.file.Paths;
@@ -33,7 +34,13 @@ public String getCertbotArgs() {
 }
 
 public void createCredentialsSecretFile() throws IOException {
- try (BufferedWriter writer = new BufferedWriter(new FileWriter(cloudflareCredentialsHostPath))) {
+ File secretFile = new File(cloudflareCredentialsHostPath);
+
+ if(secretFile.exists()) {
+ secretFile.delete();
+ }
+
+ try (BufferedWriter writer = new BufferedWriter(new FileWriter(secretFile))) {
 writer.write("dns_cloudflare_api_token = " + getCloudflareToken());
 writer.flush();
 }
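Review bot: The result of `secretFile.delete()` is ignored, and the delete is redundant in the first place because `FileWriter` truncates an existing file on open; what the new code still does not do is protect the token it writes — the file lands on the host with the JVM's default umask, and `FileWriter` also uses the platform charset. Since the file holds a DNS API token that certbot reads, writing it with an explicit charset and owner-only permissions is the check I'd add (certbot's DNS plugins warn about loosely permitted credentials files). The rewrite below needs `java.nio.file.Path`, `java.nio.file.Files`, `java.nio.charset.StandardCharsets` and `java.nio.file.attribute.PosixFilePermissions` imported; `Paths` is already imported, and the newly added `java.io.File` import becomes unused. `Files.setPosixFilePermissions` throws `UnsupportedOperationException` on non-POSIX file systems, which is fine for the `ubuntu-latest` runners in the workflows but worth guarding if the tests are ever run on Windows.
```java
    public void createCredentialsSecretFile() throws IOException {
        Path secretFile = Paths.get(cloudflareCredentialsHostPath);
        // writeString truncates an existing file, so no explicit delete() is needed;
        // the charset is explicit instead of platform-dependent.
        Files.writeString(secretFile,
                "dns_cloudflare_api_token = " + getCloudflareToken(),
                StandardCharsets.UTF_8);
        // Owner-only: the file holds an API token that certbot reads from the host mount.
        Files.setPosixFilePermissions(secretFile, PosixFilePermissions.fromString("rw-------"));
    }
```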