ci

Author: Mathieu Benoit

.github/workflows/ci.yml

@@ -0,0 +1,83 @@
+name: ci
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'README.md'
+      - '.github/dependabot.yml'
+  pull_request:
+env:
+  SEVERITY: CRITICAL
+jobs:
+  job:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/[email protected]
+      - uses: google-github-actions/[email protected]
+        with:
+          project_id: ${{ secrets.CONTAINER_REGISTRY_PROJECT_ID }}
+          credentials_json: ${{ secrets.CONTAINER_REGISTRY_PUSH_PRIVATE_KEY }}
+      - uses: google-github-actions/[email protected]
+        with:
+          version: latest
+      - name: prepare environment variables
+        run: |
+          shortSha=`echo ${GITHUB_SHA} | cut -c1-7`
+          echo "IMAGE_TAG=$shortSha" >> $GITHUB_ENV
+          imageBaseName=${{ secrets.CONTAINER_REGISTRY_HOST_NAME }}/${{ secrets.CONTAINER_REGISTRY_PROJECT_ID }}/${{ secrets.CONTAINER_REGISTRY_NAME }}
+          echo "IMAGE_BASE_NAME=$imageBaseName" >> $GITHUB_ENV
+      - name: sign-in to artifact registry
+        run: |
+          gcloud auth configure-docker ${{ secrets.CONTAINER_REGISTRY_HOST_NAME }} --quiet
+      - name: manage base images
+        run: |
+          # Grab the build base image in our private registry
+          baseImage=$(cat ${_APP_NAME}/Dockerfile | grep 'FROM alpine')
+          baseImage=($baseImage)
+          docker pull ${baseImage[1]}
+          newImage=$(echo ${baseImage[1]} | sed "s,alpine,${_CONTAINER_REGISTRY_NAME}/alpine,g")
+          docker tag ${baseImage[1]} $newImage
+          docker push $newImage
+          # Grab the runtime base image in our private registry
+          baseImage=$(cat ${_APP_NAME}/Dockerfile | grep 'FROM nginxinc')
+          baseImage=($baseImage)
+          docker pull ${baseImage[1]}
+          newImage=$(echo ${baseImage[1]} | sed "s,nginxinc,${_CONTAINER_REGISTRY_NAME},g")
+          docker tag ${baseImage[1]} $newImage
+          docker push $newImage
+          # Use the base images from our own private registry
+          sed -i "s,FROM alpine,FROM ${_CONTAINER_REGISTRY_NAME}/alpine,g;s,FROM nginxinc,FROM ${_CONTAINER_REGISTRY_NAME},g" ${_APP_NAME}/Dockerfile
+      - name: build container
+        run: |
+          docker build --tag ${IMAGE_NAME} .
+          imageSize=$(printf %.2f "$(($(docker image inspect ${IMAGE_NAME} --format='{{.Size}}') * 10**2 / $(printf '%5.0f\n' 1e6)))e-2")
+          echo "IMAGE_SIZE=$imageSize"
+      - name: dockle
+        run: |
+          docker run -v /var/run/docker.sock:/var/run/docker.sock --rm goodwithtech/dockle:latest --exit-code 1 --exit-level fatal ${IMAGE_NAME}
+      - name: run trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: ${{ env.SEVERITY }}
+      - name: upload trivy scan results to GitHub security tab
+        uses: github/codeql-action/[email protected]
+        with:
+          sarif_file: 'trivy-results.sarif'
+      - name: run container locally as a test
+        run: |
+          docker run -d -p 8080:8080 --read-only --cap-drop=ALL --user=1000 ${IMAGE_NAME}
+      - name: gcloud scan
+        run: |
+          gcloud components install local-extract --quiet
+          gcloud artifacts docker images scan ${IMAGE_NAME} --format='value(response.scan)' > scan_id.txt
+          gcloud artifacts docker images list-vulnerabilities $(cat scan_id.txt) --format='table(vulnerability.effectiveSeverity, vulnerability.cvssScore, noteName, vulnerability.packageIssue[0].affectedPackage, vulnerability.packageIssue[0].affectedVersion.name, vulnerability.packageIssue[0].fixedVersion.name)'
+          gcloud artifacts docker images list-vulnerabilities $(cat scan_id.txt) --format='value(vulnerability.effectiveSeverity)' | if grep -Fxq ${{ env.SEVERITY }}; then echo 'Failed vulnerability check' && exit 1; else exit 0; fi
+      - name: push image in container registry
+        if: ${{ github.event_name == 'push' }}
+        run: |
+          docker push ${IMAGE_NAME}

README.md

@@ -2,18 +2,31 @@
 
 Put this https://alwaysupalwayson.com/asm-security as a workshop.
 
-1. Create a GKE cluster
-1. Install ASM
-1. Install OnlineBoutique
-1. Enable mTLS
-1. Setup Sidecar
-1. Setup AuthorizationPolicies
-1. Setup Ingress Gateway
-1. Setup Egress Gateway
-1. Setup NetworkPolicies
-1. Setup SLOs
-1. Misc: any Istio's features about traffic management, etc.
+1. [ ] Create a GKE cluster
+1. [ ] Install ASM
+1. [ ] Ingress Gateway
+1. [ ] Egress Gateway
+1. [ ] Install OnlineBoutique
+1. [ ] mTLS
+1. [ ] Sidecar
+1. [ ] AuthorizationPolicies
+1. [ ] NetworkPolicies
+1. [ ] Monitoring: Topology, SLOs, Traces, etc.
+1. [ ] Misc: any Istio's features about traffic management, etc.
 
-Rk:
+Further considerations:
 - Do the same with BankOfAnthos?
+- Multi-cluster?
+- MCP (control/data plane)?
 - Integrate CRfA in there? Or do another similar crfa-workshop?
+
+
+## Build and run this static web site locally
+
+```
+git clone --recurse-submodules https://github.com/mathieu-benoit/asm-workshop
+docker build -t asm-workshop .
+docker run -d -p 8080:8080 asm-workshop
+```
+
+##