tracker: add restart on token expiration for canvas tracker #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action will push the alerts changes to aws | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| skip_security_checks: | |
| description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" | |
| required: false | |
| default: "false" | |
| push: | |
| branches: | |
| - dev | |
| - api-* | |
| paths: | |
| - "api/**" | |
| - "!api/.gitignore" | |
| - "!api/routers" | |
| - "!api/app.py" | |
| - "!api/*-dev.sh" | |
| - "!api/requirements.txt" | |
| - "!api/requirements-crons.txt" | |
| name: Build and Deploy Alerts | |
| jobs: | |
| deploy: | |
| name: Deploy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| # We need to diff with old commit | |
| # to see which workers got changed. | |
| fetch-depth: 2 | |
| - uses: ./.github/composite-actions/update-keys | |
| with: | |
| domain_name: ${{ secrets.OSS_DOMAIN_NAME }} | |
| license_key: ${{ secrets.OSS_LICENSE_KEY }} | |
| jwt_secret: ${{ secrets.OSS_JWT_SECRET }} | |
| minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} | |
| minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} | |
| pg_password: ${{ secrets.OSS_PG_PASSWORD }} | |
| registry_url: ${{ secrets.OSS_REGISTRY_URL }} | |
| name: Update Keys | |
| - name: Docker login | |
| run: | | |
| docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}" | |
| - uses: azure/k8s-set-context@v1 | |
| with: | |
| method: kubeconfig | |
| kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret. | |
| id: setcontext | |
| # Caching docker images | |
| - uses: satackey/[email protected] | |
| # Ignore the failure of a step and avoid terminating the job. | |
| continue-on-error: true | |
| - name: Building and Pushing Alerts image | |
| id: build-image | |
| env: | |
| DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} | |
| IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} | |
| ENVIRONMENT: staging | |
| run: | | |
| skip_security_checks=${{ github.event.inputs.skip_security_checks }} | |
| cd api | |
| PUSH_IMAGE=0 bash -x ./build_alerts.sh | |
| [[ "x$skip_security_checks" == "xtrue" ]] || { | |
| curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ | |
| images=("alerts") | |
| for image in ${images[*]};do | |
| ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG | |
| done | |
| err_code=$? | |
| [[ $err_code -ne 0 ]] && { | |
| exit $err_code | |
| } | |
| } && { | |
| echo "Skipping Security Checks" | |
| } | |
| images=("alerts") | |
| for image in ${images[*]};do | |
| docker push $DOCKER_REPO/$image:$IMAGE_TAG | |
| done | |
| - name: Creating old image input | |
| run: | | |
| # | |
| # Create yaml with existing image tags | |
| # | |
| kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ | |
| tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt | |
| echo > /tmp/image_override.yaml | |
| for line in `cat /tmp/image_tag.txt`; | |
| do | |
| image_array=($(echo "$line" | tr ':' '\n')) | |
| cat <<EOF >> /tmp/image_override.yaml | |
| ${image_array[0]}: | |
| image: | |
| tag: ${image_array[1]} | |
| EOF | |
| done | |
| - name: Deploy to kubernetes | |
| run: | | |
| cd scripts/helmcharts/ | |
| ## Update secerts | |
| sed -i "s#openReplayContainerRegistry.*#openReplayContainerRegistry: \"${{ secrets.OSS_REGISTRY_URL }}\"#g" vars.yaml | |
| sed -i "s/postgresqlPassword: \"changeMePassword\"/postgresqlPassword: \"${{ secrets.OSS_PG_PASSWORD }}\"/g" vars.yaml | |
| sed -i "s/accessKey: \"changeMeMinioAccessKey\"/accessKey: \"${{ secrets.OSS_MINIO_ACCESS_KEY }}\"/g" vars.yaml | |
| sed -i "s/secretKey: \"changeMeMinioPassword\"/secretKey: \"${{ secrets.OSS_MINIO_SECRET_KEY }}\"/g" vars.yaml | |
| sed -i "s/jwt_secret: \"SetARandomStringHere\"/jwt_secret: \"${{ secrets.OSS_JWT_SECRET }}\"/g" vars.yaml | |
| sed -i "s/domainName: \"\"/domainName: \"${{ secrets.OSS_DOMAIN_NAME }}\"/g" vars.yaml | |
| # Update changed image tag | |
| sed -i "/alerts/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml | |
| cat /tmp/image_override.yaml | |
| # Deploy command | |
| mkdir -p /tmp/charts | |
| mv openreplay/charts/{ingress-nginx,alerts,quickwit,connector} /tmp/charts/ | |
| rm -rf openreplay/charts/* | |
| mv /tmp/charts/* openreplay/charts/ | |
| helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f - | |
| env: | |
| DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }} | |
| IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} | |
| ENVIRONMENT: staging | |
| - name: Alert slack | |
| if: ${{ failure() }} | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_CHANNEL: foss | |
| SLACK_TITLE: "Failed ${{ github.workflow }}" | |
| SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} | |
| SLACK_USERNAME: "OR Bot" | |
| SLACK_MESSAGE: "Build failed :bomb:" | |
| # - name: Debug Job | |
| # # if: ${{ failure() }} | |
| # uses: mxschmitt/action-tmate@v3 | |
| # env: | |
| # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} | |
| # IMAGE_TAG: ${{ github.sha }}-ee | |
| # ENVIRONMENT: staging | |
| # with: | |
| # limit-access-to-actor: true |