PoC (#1)

Signed-off-by: Nikolay Demchuk <nikolay.demchuk@flant.com> Signed-off-by: v.oleynikov <vasily.oleynikov@flant.com> Signed-off-by: Aleksandr Zimin <alexandr.zimin@flant.com> Co-authored-by: v.oleynikov <vasily.oleynikov@flant.com> Co-authored-by: Alexey Yakubov <alexey.yakubov@flant.com>
deckhouse · Mar 2, 2025 · 736f430 · 736f430
1 parent 694cba2
commit 736f430
Show file tree

Hide file tree

Showing 44 changed files with 12,300 additions and 25 deletions.
diff --git a/.github/check_previous_channel_release.sh b/.github/check_previous_channel_release.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+crane="/usr/local/bin/crane"
+repositoryName=$1
+edition=$2
+channel=$3
+version=$4
+user=$5
+password=$6
+
+echo "Module $repositoryName, edition $edition, channel $channel, version $version"
+
+if [[ "$channel" == "alpha" ]]; then
+ echo "Deploying $version to alpha channel"
+ exit 0
+elif [[ "$channel" == "beta" ]]; then
+ previousChannel="alpha"
+elif [[ "$channel" == "early-access" ]]; then
+ previousChannel="beta"
+elif [[ "$channel" == "stable" ]]; then
+ previousChannel="early-access"
+elif [[ "$channel" == "rock-solid" ]]; then
+ previousChannel="stable"
+else
+ echo "Unknown channel"
+ exit 1
+fi
+
+echo "Checking previous channel $previousChannel"
+$crane auth login -u $user -p $password registry.deckhouse.io
+previousChannelVersion=$($crane export registry.deckhouse.io/deckhouse/$edition/modules/$repositoryName/release:$previousChannel | grep -aoE '\{"version":".*"\}' | jq -r .version)
+if [[ "$version" == "$previousChannelVersion" ]]; then
+ echo "Previous channel $previousChannel version $previousChannelVersion is equal desired version $version, processing"
+ exit 0
+else
+ echo "Previous channel $previousChannel version $previousChannelVersion is not equal desired version $version, rejecting"
+ exit 1
+fi
diff --git a/.github/workflows/build_dev.yml b/.github/workflows/build_dev.yml
@@ -8,6 +8,7 @@ env:
   MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
   MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 
+
 on:
   pull_request:
   push:

diff --git a/.github/workflows/deploy_prod.yml b/.github/workflows/deploy_prod.yml
@@ -5,16 +5,17 @@ env:
   MODULE_SOURCE_NAME: ${{ vars.PROD_MODULE_SOURCE_NAME }}
   CI_COMMIT_REF_NAME: ${{ github.ref_name }}
   MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
-  RELEASE_CHANNEL: ${{ github.event.inputs.version }}
+  RELEASE_CHANNEL: ${{ github.event.inputs.channel }}
   MODULES_REGISTRY_LOGIN: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
   MODULES_REGISTRY_PASSWORD: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
+  MODULES_READ_REGISTRY_PASSWORD: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
   MODULES_MODULE_TAG: ${{ github.event.inputs.tag }}
 
 on:
   workflow_dispatch:
-   inputs:
-      version:
-        description: "Select version"
+    inputs:
+      channel:
+        description: "Select release channel"
         type: choice
         default: alpha
         options:
@@ -53,23 +54,27 @@ jobs:
           echo $RELEASE_CHANNEL
           echo $MODULES_MODULE_TAG
         shell: bash
-        
+
   job-CE:
-     name: Edition CE
-     runs-on: [self-hosted, regular, selectel]
-     if: github.event.inputs.ce == 'true'
-     steps:
-       - run: echo "CE"
-       - name: SET VAR
-         run: |
-           echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/ce/modules" >> "$GITHUB_ENV"
-       - name: ECHO VAR
-         run: |
-           echo $MODULES_MODULE_SOURCE
-       - uses: actions/checkout@v4
-       - uses: deckhouse/modules-actions/setup@v1
-       - uses: deckhouse/modules-actions/deploy@v1
-
+    name: Edition CE
+    runs-on: [self-hosted, regular, selectel]
+    if: github.event.inputs.ce == 'true'
+    steps:
+      - run: echo "CE"
+      - name: SET VAR
+        run: |
+          echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/ce/modules" >> "$GITHUB_ENV"
+      - name: ECHO VAR
+        run: |
+          echo $MODULES_MODULE_SOURCE
+      - uses: actions/checkout@v4
+      - uses: deckhouse/modules-actions/setup@v1
+      - name: Check previous release
+        run: |
+          chmod +x .github/check_previous_channel_release.sh
+          .github/check_previous_channel_release.sh $MODULES_MODULE_NAME ce $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
+      - uses: deckhouse/modules-actions/deploy@v1
+
   job-EE:
     name: Edition EE
     runs-on: [self-hosted, regular, selectel]
@@ -78,14 +83,18 @@ jobs:
       - run: echo "EE"
       - name: SET VAR
         run: |
-           echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/ee/modules" >> "$GITHUB_ENV"
+          echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/ee/modules" >> "$GITHUB_ENV"
       - name: ECHO VAR
         run: |
-           echo $MODULES_MODULE_SOURCE
+          echo $MODULES_MODULE_SOURCE
       - uses: actions/checkout@v4
       - uses: deckhouse/modules-actions/setup@v1
+      - name: Check previous release
+        run: |
+          chmod +x .github/check_previous_channel_release.sh
+          .github/check_previous_channel_release.sh $MODULES_MODULE_NAME ee $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
       - uses: deckhouse/modules-actions/deploy@v1
-      
+
   job-FE:
     name: Edition FE
     runs-on: [self-hosted, regular, selectel]
@@ -94,10 +103,14 @@ jobs:
       - run: echo "FE"
       - name: SET VAR
         run: |
-           echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/fe/modules" >> "$GITHUB_ENV"
+          echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/fe/modules" >> "$GITHUB_ENV"
       - name: ECHO VAR
         run: |
-           echo $MODULES_MODULE_SOURCE
+          echo $MODULES_MODULE_SOURCE
       - uses: actions/checkout@v4
       - uses: deckhouse/modules-actions/setup@v1
+      - name: Check previous release
+        run: |
+          chmod +x .github/check_previous_channel_release.sh
+          .github/check_previous_channel_release.sh $MODULES_MODULE_NAME fe $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
       - uses: deckhouse/modules-actions/deploy@v1
diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,48 @@
+name: Trivy check for sub repos
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    name: Trivy check for sub repos
+    runs-on: [self-hosted, regular]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Check and Install Latest Trivy
+        run: |
+          mkdir -p $HOME/bin
+
+          LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
+          CLEAN_VERSION=${LATEST_VERSION#v}
+
+          INSTALL_TRIVY=true
+
+          if [[ -f "$HOME/bin/trivy" ]]; then
+            INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+            if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
+              echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
+              INSTALL_TRIVY=false
+            else
+              echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
+            fi
+          else
+            echo "Trivy is not installed. Installing version $CLEAN_VERSION."
+          fi
+
+          if [ "$INSTALL_TRIVY" = true ]; then
+            wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
+            tar zxvf trivy.tar.gz -C $HOME/bin
+          fi
+
+          echo "$HOME/bin" >> $GITHUB_PATH
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        run: |
+          trivy fs . --quiet --config trivy.yaml
diff --git a/.github/workflows/trivy_image_check.yaml b/.github/workflows/trivy_image_check.yaml
@@ -0,0 +1,79 @@
+name: Trivy images check
+
+env:
+  MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
+  MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
+  PR_NUMBER: ${{ github.event.pull_request.number }}
+  MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
+  MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+  MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    name: Trivy images check
+    runs-on: [self-hosted, regular]
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: deckhouse/modules-actions/setup@v1
+
+      - name: Check and Install Latest Trivy
+        run: |
+          mkdir -p $HOME/bin
+
+          LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
+          CLEAN_VERSION=${LATEST_VERSION#v}
+
+          INSTALL_TRIVY=true
+
+          if [[ -f "$HOME/bin/trivy" ]]; then
+            INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+            if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
+              echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
+              INSTALL_TRIVY=false
+            else
+              echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
+            fi
+          else
+            echo "Trivy is not installed. Installing version $CLEAN_VERSION."
+          fi
+
+          if [ "$INSTALL_TRIVY" = true ]; then
+            wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
+            tar zxvf trivy.tar.gz -C $HOME/bin
+          fi
+
+          echo "$HOME/bin" >> $GITHUB_PATH
+
+      - name: Run Trivy vulnerability scanner in image mode
+        run: |
+          exit_code=0
+          image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME
+          image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER
+          
+          crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]')
+          
+          while read -r item; do
+            key=$(echo "$item" | jq -r '.key')
+            value=$(echo "$item" | jq -r '.value')
+
+            echo 'Checking image '$key' '$value
+
+            trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value
+
+            result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value)
+
+            vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0')
+
+            if [ "$vulnerabilities" -gt 0 ]; then
+              echo "There are vulnerabilities in image"
+              exit_code=1
+            else
+              echo "There are no vulnerabilities in image"
+            fi
+          done <<< "$crane_output"
+
+          exit $exit_code
diff --git a/.helmignore b/.helmignore
@@ -0,0 +1,34 @@
+crds
+docs
+enabled
+hooks
+images
+lib
+Makefile
+openapi
+*.md
+release.yaml
+werf*.yaml
+
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
diff --git a/Chart.yaml b/Chart.yaml
@@ -0,0 +1,2 @@
+name: sds-elastic
+version: 0.0.1
diff --git a/README.md b/README.md
@@ -0,0 +1 @@
+# Deckhouse External module for Rook Ceph Operator
diff --git a/charts/deckhouse_lib_helm-1.11.0.tgz b/charts/deckhouse_lib_helm-1.11.0.tgz
diff --git a/crds/ceph.rook.io_cephblockpoolradosnamespaces.yaml b/crds/ceph.rook.io_cephblockpoolradosnamespaces.yaml
@@ -0,0 +1,58 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: cephblockpoolradosnamespaces.ceph.rook.io
+spec:
+  group: ceph.rook.io
+  names:
+    kind: CephBlockPoolRadosNamespace
+    listKind: CephBlockPoolRadosNamespaceList
+    plural: cephblockpoolradosnamespaces
+    singular: cephblockpoolradosnamespace
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            type: string
+          kind:
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              blockPoolName:
+                type: string
+            required:
+            - blockPoolName
+            type: object
+          status:
+            properties:
+              info:
+                additionalProperties:
+                  type: string
+                nullable: true
+                type: object
+              phase:
+                type: string
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ env: @@
       MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
       MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
     on:
       pull_request:
       push:
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# Deckhouse External module for Rook Ceph Operator