clean for public release

tuxtof · tuxtof · commit dfdbadc04809 · 2023-12-12T13:33:05.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,7 @@
 
 version: 2
 updates:
-  # Enable version updates for Go modules
+  # Enable version updates for Docker modules
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
@@ -15,4 +15,4 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "daily"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/nutanix-cloud-native/ntnx-api-proxy
           tags: |
@@ -30,14 +30,14 @@ jobs:
       
       - name: Login to Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
diff --git a/.github/workflows/synopsys-schedule.yaml b/.github/workflows/synopsys-schedule.yaml
@@ -1,4 +1,4 @@
-name: Black Duck Intelligent Policy Check
+name: Black Duck Daily Policy Check
 on:
   schedule:
     - cron: "0 0 * * *"
@@ -9,13 +9,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Run Synopsys Detect
-        uses: synopsys-sig/detect-action@v0.3.4
+      - name: Black Duck Full Scan
+        uses: synopsys-sig/synopsys-action@v1.6.0
         with:
-          scan-mode: INTELLIGENT
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          detect-version: 8.10.0
-          blackduck-url: ${{ secrets.BLACKDUCK_URL }}
-          blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          blackduck_scan_full: true
+          blackduck_scan_failure_severities: 'BLOCKER,CRITICAL'
diff --git a/.github/workflows/synopsys.yaml b/.github/workflows/synopsys.yaml
@@ -11,12 +11,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Run Synopsys Detect
-        uses: synopsys-sig/detect-action@v0.3.4
+      - name: Black Duck Full Scan
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: synopsys-sig/synopsys-action@v1.6.0
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          detect-version: 8.10.0
-          blackduck-url: ${{ secrets.BLACKDUCK_URL }}
-          blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          blackduck_scan_full: true
+          blackduck_scan_failure_severities: 'BLOCKER,CRITICAL'
+
+      - name: Black Duck PR Scan
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: synopsys-sig/synopsys-action@v1.6.0
+        with:
+          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          blackduck_scan_full: false
+          blackduck_automation_prcomment: true
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -17,7 +17,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get repository name
         run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
@@ -31,7 +31,7 @@ jobs:
           docker build -t ${{ env.REPOSITORY_NAME }}:${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.11.2
+        uses: aquasecurity/trivy-action@0.16.0
         with:
           image-ref: "${{ env.REPOSITORY_NAME }}:${{ github.sha }}"
           format: "sarif"
diff --git a/.gitignore b/.gitignore
@@ -3,7 +3,7 @@ cert.key
 .terraform*
 *.tfstate*
 terraform.tfvars
-terraform/cert/tls.*
-terraform/cert/ca.*
-terraform/cert/additional_ca.crt
+tofu/cert/tls.*
+tofu/cert/ca.*
+tofu/cert/additional_ca.crt
 files/docker.config
diff --git a/README.md b/README.md
@@ -10,9 +10,13 @@
 
 ---
 
+Disclaimer: The software code configuration provided herein is intended solely for illustrative purposes and serves as an example. This configuration is not officially supported.  Users are advised that the example may not be adapted for production environments, and its use is at their own risk. It is recommended that users seek professional advice for configuring the software in a production or critical environment.
+
+---
+
 This tool allows the concentration of Prism Central API calls to a single point to simplify filtering and limit access.
 
-This tool has been validated with the following components:
+This tool has been tested with the following components:
 
 PC v1 & v2 API
 - CSI 3.0
@@ -24,10 +28,10 @@ PC v3 API:
 - CSI 3.0
 
 PC v4 API:
-- CSI 3.0
-- vm-operator (beta)
+- CSI 3.0ea
+
+Tools and APIs call may evolve over time, which may require updating the proxy configuration before upgrading any dependent solutions.
 
-*** potential issue with v4 SDK and Auth Proxy ***
 
 ## How to use this image
 
@@ -45,15 +49,14 @@ services:
     restart: always
     ports:
       - 9440:9440
+      # - 8080:8080 #used for metrics export
     environment:
       FQDN: proxy-pc.demo.com
       NUTANIX_ENDPOINT: pc.demo.com
       # TRAEFIK_LOG_LEVEL: "info"
       # TRAEFIK_SERVERSTRANSPORT_ROOTCAS: /etc/traefik/cert/ca.cer
-      # AUTH_PROXY: enable
-      # NUTANIX_USERNAME: admin
-      # NUTANIX_PASSWORD: Bik7Tr750!
       # DASHBOARD: enable
+      # TRAEFIK_METRICS_PROMETHEUS: "true"
     volumes:
       - ./cert:/etc/traefik/cert
       # - ./auth:/etc/traefik/auth
@@ -95,7 +98,7 @@ Advanced configuration is possible using the following env variables:
 | TRAEFIK_LOG_LEVEL                           | Log level of proxy logs                 | false     | error   |
 | TRAEFIK_SERVERSTRANSPORT_ROOTCAS            | Path of the CA file to validate backend | false     | *none*  |
 | TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY | Disable SSL certificate verification    | false     | false   |
-
+| TRAEFIK_METRICS_PROMETHEUS                  | enable metrics export via Prometheus    | false     | false   |
 
 
 ## Advanced configuration
@@ -118,6 +121,10 @@ Proxy will be available at the following address: `https://FQDN:9440/dashboard/`
 
 
 
+## Alternate install
+
+You can explore the OpenTofu install method in this [folder](tofu).
+
 ## Contributing
 
 See the [contributing docs](CONTRIBUTING.md).
@@ -136,4 +143,4 @@ Issues and enhancement requests can be submitted in the [Issues tab of this repo
 
 ## License
 
-The project is released under version 2.0 of the [Apache license](http://www.apache.org/licenses/LICENSE-2.0).
+The project is released under version 2.0 of the [Apache license](http://www.apache.org/licenses/LICENSE-2.0).
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,15 +7,14 @@ services:
     restart: always
     ports:
       - 9440:9440
+      # - 8080:8080
     environment:
       FQDN: proxy-pc.demo.com
       NUTANIX_ENDPOINT: pc.demo.com
       # TRAEFIK_LOG_LEVEL: "info"
       # TRAEFIK_SERVERSTRANSPORT_ROOTCAS: /etc/traefik/cert/ca.cer
-      # AUTH_PROXY: enable
-      # NUTANIX_USERNAME: admin
-      # NUTANIX_PASSWORD: Bik7Tr750!
       # DASHBOARD: enable
+      # TRAEFIK_METRICS_PROMETHEUS="true"
     volumes:
       - ./cert:/etc/traefik/cert
       # - ./auth:/etc/traefik/auth
diff --git a/tofu/README.md b/tofu/README.md
@@ -1,4 +1,4 @@
-# Terraform Deployment
+# OpenTofu Deployment
 
 ## Prerequisite
 
@@ -10,24 +10,24 @@
 
 ## Deployment
 
-First customize `terraform.tfvars` by your demand and initialize Terraform with:
+First customize `tofu.tfvars` by your demand and initialize OpenTofu with:
 
 ```
-terraform init
+tofu init
 ```
 
-Apply the terraform manifest by running
+Apply the OpenTofu manifest by running
 
 ```
-terraform apply
+tofu apply
 ```
 
 ## Cleanup
 
 To remove the API-Proxy run
 
 ```
-terraform destroy
+tofu destroy
 ```
 
 ## Things to know and current limitations
diff --git a/tofu/cert/README.md b/tofu/cert/README.md
diff --git a/tofu/compute.tf b/tofu/compute.tf
@@ -57,7 +57,7 @@ data "ct_config" "ignition" {
     nutanix_endpoint                 = var.nutanix_endpoint
     ssh_key                          = file(var.ssh_key)
     fqdn                             = var.fqdn
-    additional_ca                      = indent(10,file("${path.module}/cert/additional_ca.crt"))
+    additional_ca                    = indent(10,file("${path.module}/cert/additional_ca.crt"))
     ca                               = indent(10,file("${path.module}/cert/ca.crt"))
     cert                             = indent(10,file("${path.module}/cert/tls.crt"))
     key                              = indent(10,file("${path.module}/cert/tls.key"))
@@ -67,6 +67,7 @@ data "ct_config" "ignition" {
     nutanix_username                 = var.nutanix_username
     nutanix_password                 = var.nutanix_password
     dashboard                        = var.dashboard
+    metrics                          = var.metrics
     container_image                  = "${var.container_registry}/${var.container_image}"
     docker_config                    = indent(10,templatefile("docker.config.tftpl", {
       container_registry = var.container_registry
diff --git a/tofu/docker.config.tftpl b/tofu/docker.config.tftpl
diff --git a/tofu/ignition.tftpl b/tofu/ignition.tftpl
@@ -19,6 +19,7 @@ storage:
           NUTANIX_USERNAME=${nutanix_username}
           NUTANIX_PASSWORD=${nutanix_password}
           DASHBOARD=${dashboard}
+          TRAEFIK_METRICS_PROMETHEUS=${metrics}
     - path: /etc/ssl/certs/additional_ca.pem
       mode: 0644
       contents:
@@ -67,7 +68,7 @@ systemd:
         User=core
         TimeoutStartSec=0
         ExecStartPre=-/usr/bin/docker rm --force ntnx-api-proxy
-        ExecStart=/usr/bin/docker run --name ntnx-api-proxy --volume "/opt/ntnx-api-proxy/cert:/etc/traefik/cert:ro" --pull always --env-file /opt/ntnx-api-proxy/environment --log-driver=journald --expose 9440 --net host ${container_image}
+        ExecStart=/usr/bin/docker run --name ntnx-api-proxy --volume "/opt/ntnx-api-proxy/cert:/etc/traefik/cert:ro" --pull always --env-file /opt/ntnx-api-proxy/environment --log-driver=journald --expose 9440 --expose 8080 --net host ${container_image}
         ExecStop=/usr/bin/docker stop ntnx-api-proxy
         Restart=always
         RestartSec=5s
diff --git a/tofu/provider.tf b/tofu/provider.tf
diff --git a/tofu/tofu.tfvars_example b/tofu/tofu.tfvars_example
@@ -16,4 +16,5 @@ registry_pass      = ""
 fqdn                             = "PROXY FQDN"
 traefik_serverstransport_rootcas = "/etc/traefik/cert/ca.crt"
 traefik_log_level                = "info" # #possible values info / error
-dashboard                        = "enable" #possible values enable / disable
+dashboard                        = "enable" #possible values enable / disable
+metrics                          = "true" #enable Prometheus Metrics
diff --git a/tofu/variables.tf b/tofu/variables.tf
@@ -56,6 +56,10 @@ variable "traefik_log_level" {
   type = string
 }
 
+
+variable "metrics" {
+  type = string
+}
 variable "fqdn" {
   type = string
 }
