diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000..7c8474542c Binary files /dev/null and b/.DS_Store differ diff --git a/.github/workflows/iac-scan.yml b/.github/workflows/iac-scan.yml new file mode 100644 index 0000000000..a6d2eb17d3 --- /dev/null +++ b/.github/workflows/iac-scan.yml @@ -0,0 +1,21 @@ +name: Sysdig IaC Scan + +on: [push, pull_request] + +jobs: + iac-scan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Scan infrastructure + uses: sysdiglabs/scan-action@v6 + with: + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + sysdig-secure-url: ${{ secrets.SYSDIG_SECURE_URL }} + mode: iac + # Define the path to your IaC files + iac-scan-path: './voting-app/templates' + # Optional: set a minimum severity to fail the pipeline + minimum-severity: 'high' diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml new file mode 100644 index 0000000000..616abc08aa --- /dev/null +++ b/.github/workflows/sysdig-inline-scan.yml @@ -0,0 +1,100 @@ +name: Sysdig Voting App Image Scans + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build-and-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + ############################################################ + # Authenticate Sysdig CLI Scanner + ############################################################ + - name: Download Sysdig Scanner (stable) + run: | + curl -sL https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.24.1/linux/amd64/sysdig-cli-scanner \ + -o sysdig-cli-scanner + chmod +x sysdig-cli-scanner + + - name: Verify Sysdig API token exists + run: | + if [ -z "${{ secrets.SECURE_API_TOKEN }}" ]; then + echo "ERROR: Missing SECURE_API_TOKEN secret" + exit 1 + fi + + ############################################################ + # Build Docker images for vote, worker, result + ############################################################ + + - name: Build vote image + run: docker build -t vote-app:latest ./vote + + - name: Build worker image + run: docker build -t worker-app:latest ./worker + + - name: Build result image + run: docker build -t result-app:latest ./result + + ############################################################ + # Scan Images with Sysdig CLI Scanner + ############################################################ + + - name: Scan vote image + id: scan_vote + continue-on-error: true + run: | + ./sysdig-cli-scanner \ + --apiurl https://app.us4.sysdig.com/ \ + docker://vote-app:latest + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + + - name: Scan worker image + id: scan_worker + continue-on-error: true + run: | + ./sysdig-cli-scanner \ + --apiurl https://app.us4.sysdig.com/ \ + docker://worker-app:latest + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + + - name: Scan result image + id: scan_result + continue-on-error: true + run: | + ./sysdig-cli-scanner \ + --apiurl https://app.us4.sysdig.com/ \ + docker://result-app:latest + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + + ############################################################ + # Final Security Gate (Fail AFTER all scans) + ############################################################ + + - name: Evaluate Sysdig scan results + run: | + echo "Vote scan result: ${{ steps.scan_vote.outcome }}" + echo "Worker scan result: ${{ steps.scan_worker.outcome }}" + echo "Result scan result: ${{ steps.scan_result.outcome }}" + + if [[ "${{ steps.scan_vote.outcome }}" == "failure" || \ + "${{ steps.scan_worker.outcome }}" == "failure" || \ + "${{ steps.scan_result.outcome }}" == "failure" ]]; then + echo "❌ One or more images failed Sysdig policy evaluation" + exit 1 + else + echo "✅ All images passed Sysdig policy evaluation" + fi diff --git a/voting-app/.DS_Store b/voting-app/.DS_Store new file mode 100644 index 0000000000..23ac7a3639 Binary files /dev/null and b/voting-app/.DS_Store differ diff --git a/voting-app/.helmignore b/voting-app/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/voting-app/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/voting-app/Chart.yaml b/voting-app/Chart.yaml new file mode 100644 index 0000000000..f2ade08a44 --- /dev/null +++ b/voting-app/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: voting-app +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/voting-app/templates/.DS_Store b/voting-app/templates/.DS_Store new file mode 100644 index 0000000000..61a031043e Binary files /dev/null and b/voting-app/templates/.DS_Store differ diff --git a/k8s-specifications/db-deployment.yaml b/voting-app/templates/db-deployment.yaml similarity index 100% rename from k8s-specifications/db-deployment.yaml rename to voting-app/templates/db-deployment.yaml diff --git a/k8s-specifications/db-service.yaml b/voting-app/templates/db-service.yaml similarity index 100% rename from k8s-specifications/db-service.yaml rename to voting-app/templates/db-service.yaml diff --git a/k8s-specifications/redis-deployment.yaml b/voting-app/templates/redis-deployment.yaml similarity index 100% rename from k8s-specifications/redis-deployment.yaml rename to voting-app/templates/redis-deployment.yaml diff --git a/k8s-specifications/redis-service.yaml b/voting-app/templates/redis-service.yaml similarity index 100% rename from k8s-specifications/redis-service.yaml rename to voting-app/templates/redis-service.yaml diff --git a/k8s-specifications/result-deployment.yaml b/voting-app/templates/result-deployment.yaml similarity index 100% rename from k8s-specifications/result-deployment.yaml rename to voting-app/templates/result-deployment.yaml diff --git a/k8s-specifications/result-service.yaml b/voting-app/templates/result-service.yaml similarity index 100% rename from k8s-specifications/result-service.yaml rename to voting-app/templates/result-service.yaml diff --git a/k8s-specifications/vote-deployment.yaml b/voting-app/templates/vote-deployment.yaml similarity index 100% rename from k8s-specifications/vote-deployment.yaml rename to voting-app/templates/vote-deployment.yaml diff --git a/k8s-specifications/vote-service.yaml b/voting-app/templates/vote-service.yaml similarity index 100% rename from k8s-specifications/vote-service.yaml rename to voting-app/templates/vote-service.yaml diff --git a/k8s-specifications/worker-deployment.yaml b/voting-app/templates/worker-deployment.yaml similarity index 100% rename from k8s-specifications/worker-deployment.yaml rename to voting-app/templates/worker-deployment.yaml diff --git a/voting-app/values.yaml b/voting-app/values.yaml new file mode 100644 index 0000000000..4fa1ef5c42 --- /dev/null +++ b/voting-app/values.yaml @@ -0,0 +1,161 @@ +# Default values for voting-app. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ +replicaCount: 1 + +# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/ +image: + repository: nginx + # This sets the pull policy for images. + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# This is to override the chart name. +nameOverride: "" +fullnameOverride: "" + +# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ +serviceAccount: + # Specifies whether a service account should be created. + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account. + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + +# This is for setting Kubernetes Annotations to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +# This is for setting Kubernetes Labels to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/ +service: + # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: ClusterIP + # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports + port: 80 + +# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +# -- Expose the service via gateway-api HTTPRoute +# Requires Gateway API resources and suitable controller installed within the cluster +# (see: https://gateway-api.sigs.k8s.io/guides/) +httpRoute: + # HTTPRoute enabled. + enabled: false + # HTTPRoute annotations. + annotations: {} + # Which Gateways this Route is attached to. + parentRefs: + - name: gateway + sectionName: http + # namespace: default + # Hostnames matching HTTP header. + hostnames: + - chart-example.local + # List of rules and filters applied. + rules: + - matches: + - path: + type: PathPrefix + value: /headers + # filters: + # - type: RequestHeaderModifier + # requestHeaderModifier: + # set: + # - name: My-Overwrite-Header + # value: this-is-the-only-value + # remove: + # - User-Agent + # - matches: + # - path: + # type: PathPrefix + # value: /echo + # headers: + # - name: version + # value: v2 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +livenessProbe: + httpGet: + path: / + port: http +readinessProbe: + httpGet: + path: / + port: http + +# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. +volumes: [] + # - name: foo + # secret: + # secretName: mysecret + # optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] + # - name: foo + # mountPath: "/etc/foo" + # readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {}