tracker: add restart on token expiration for canvas tracker #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action will push the chalice changes to aws | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| skip_security_checks: | |
| description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false" | |
| required: false | |
| default: "false" | |
| push: | |
| branches: | |
| - dev | |
| - api-* | |
| - v1.11.0-patch | |
| - actions_test | |
| paths: | |
| - "ee/api/**" | |
| - "api/**" | |
| - "!api/.gitignore" | |
| - "!api/app_alerts.py" | |
| - "!api/*-dev.sh" | |
| - "!api/requirements-*.txt" | |
| - "!ee/api/.gitignore" | |
| - "!ee/api/app_alerts.py" | |
| - "!ee/api/app_crons.py" | |
| - "!ee/api/*-dev.sh" | |
| - "!ee/api/requirements-*.txt" | |
| name: Build and Deploy Chalice EE | |
| jobs: | |
| deploy: | |
| name: Deploy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| # We need to diff with old commit | |
| # to see which workers got changed. | |
| fetch-depth: 2 | |
| - uses: ./.github/composite-actions/update-keys | |
| with: | |
| domain_name: ${{ secrets.EE_DOMAIN_NAME }} | |
| license_key: ${{ secrets.EE_LICENSE_KEY }} | |
| jwt_secret: ${{ secrets.EE_JWT_SECRET }} | |
| minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} | |
| minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} | |
| pg_password: ${{ secrets.EE_PG_PASSWORD }} | |
| registry_url: ${{ secrets.OSS_REGISTRY_URL }} | |
| name: Update Keys | |
| - name: Docker login | |
| run: | | |
| docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}" | |
| - uses: azure/k8s-set-context@v1 | |
| with: | |
| method: kubeconfig | |
| kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret. | |
| id: setcontext | |
| # Caching docker images | |
| - uses: satackey/[email protected] | |
| # Ignore the failure of a step and avoid terminating the job. | |
| continue-on-error: true | |
| - name: Building and Pushing api image | |
| id: build-image | |
| env: | |
| DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} | |
| IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee | |
| ENVIRONMENT: staging | |
| run: | | |
| skip_security_checks=${{ github.event.inputs.skip_security_checks }} | |
| cd api | |
| PUSH_IMAGE=0 bash -x ./build.sh ee | |
| [[ "x$skip_security_checks" == "xtrue" ]] || { | |
| curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ | |
| images=("chalice") | |
| for image in ${images[*]};do | |
| ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG | |
| done | |
| err_code=$? | |
| [[ $err_code -ne 0 ]] && { | |
| exit $err_code | |
| } | |
| } && { | |
| echo "Skipping Security Checks" | |
| } | |
| images=("chalice") | |
| for image in ${images[*]};do | |
| docker push $DOCKER_REPO/$image:$IMAGE_TAG | |
| done | |
| - name: Creating old image input | |
| run: | | |
| # | |
| # Create yaml with existing image tags | |
| # | |
| kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\ | |
| tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt | |
| echo > /tmp/image_override.yaml | |
| for line in `cat /tmp/image_tag.txt`; | |
| do | |
| image_array=($(echo "$line" | tr ':' '\n')) | |
| cat <<EOF >> /tmp/image_override.yaml | |
| ${image_array[0]}: | |
| image: | |
| # We've to strip off the -ee, as helm will append it. | |
| tag: `echo ${image_array[1]} | cut -d '-' -f 1` | |
| EOF | |
| done | |
| - name: Deploy to kubernetes | |
| run: | | |
| cd scripts/helmcharts/ | |
| # Update changed image tag | |
| sed -i "/chalice/{n;n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml | |
| cat /tmp/image_override.yaml | |
| # Deploy command | |
| mkdir -p /tmp/charts | |
| mv openreplay/charts/{ingress-nginx,chalice,quickwit,connector} /tmp/charts/ | |
| rm -rf openreplay/charts/* | |
| mv /tmp/charts/* openreplay/charts/ | |
| helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f - | |
| env: | |
| DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} | |
| # We're not passing -ee flag, because helm will add that. | |
| IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }} | |
| ENVIRONMENT: staging | |
| - name: Alert slack | |
| if: ${{ failure() }} | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_CHANNEL: ee | |
| SLACK_TITLE: "Failed ${{ github.workflow }}" | |
| SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} | |
| SLACK_USERNAME: "OR Bot" | |
| SLACK_MESSAGE: "Build failed :bomb:" | |
| # - name: Debug Job | |
| # # if: ${{ failure() }} | |
| # uses: mxschmitt/action-tmate@v3 | |
| # env: | |
| # DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }} | |
| # IMAGE_TAG: ${{ github.sha }}-ee | |
| # ENVIRONMENT: staging | |
| # with: | |
| # limit-access-to-actor: true |