Compare commits
19 Commits
Author | SHA1 | Date | |
---|---|---|---|
554d3da175 | |||
e2c2f3e0ba | |||
4dcb378e17 | |||
01feac5ea5 | |||
d6f752f5d1 | |||
dbaa1412a9 | |||
5ce70dcb0f | |||
5f4758228f | |||
4768de1984 | |||
b774297ddb | |||
a3ddae8ca7 | |||
3d61e7b57c | |||
096e244171 | |||
2314e8a57b | |||
ee27ba1774 | |||
b07da4a40c | |||
249afa7cb9 | |||
81add9de29 | |||
a245d88f8c |
@ -46,7 +46,7 @@ test:: ## test built artificats
|
|||||||
|
|
||||||
scan: ## Scan image using trivy
|
scan: ## Scan image using trivy
|
||||||
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||||
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
trivy image $(TRIVY_OPTS) --quiet --no-progress --ignorefile ./.trivyignore.yaml localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||||
|
|
||||||
# first tag and push all actual images
|
# first tag and push all actual images
|
||||||
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||||
@ -73,8 +73,10 @@ rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tag
|
|||||||
clean:: ## clean up source folder
|
clean:: ## clean up source folder
|
||||||
|
|
||||||
rm-image:
|
rm-image:
|
||||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
|
for t in $(TAG) latest $(EXTRA_TAGS); do \
|
||||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
|
test -z "$$(podman image ls -q $(IMAGE):$${t}-$(_ARCH))" || podman image rm -f $(IMAGE):$${t}-$(_ARCH); \
|
||||||
|
test -z "$$(podman image ls -q $(IMAGE):$${t})" || podman image rm -f $(IMAGE):$${t}; \
|
||||||
|
done
|
||||||
|
|
||||||
## some useful tasks during development
|
## some useful tasks during development
|
||||||
ci-pull-upstream: ## pull latest shared .ci subtree
|
ci-pull-upstream: ## pull latest shared .ci subtree
|
||||||
|
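Review bot: The `scan` recipe now hard-codes `--ignorefile ./.trivyignore.yaml`, so suppressed findings leave no trace in the scan output, and since `ci-pull-upstream` (context at the end of the section) suggests this Makefile is a shared `.ci` subtree, every consumer of it is presumably expected to carry that file. Echo the ignore file so the log shows that suppressions are in effect, e.g. `echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE) (ignorefile: ./.trivyignore.yaml)"`, and consider passing the flag only when the file exists. Whether findings fail the build at all depends on `$(TRIVY_OPTS)`, which is defined outside this section; if it does not set `--exit-code 1` the scan is informational only.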
7
.trivyignore.yaml
Normal file
7
.trivyignore.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
secrets:
|
||||||
|
- id: gcp-service-account
|
||||||
|
paths:
|
||||||
|
- "/venv/lib/python*/site-packages/pulumi_aws/glue/connection.py"
|
||||||
|
- id: private-key
|
||||||
|
paths:
|
||||||
|
- "/venv/lib/python*/site-packages/pulumi_aws/glue/connection.py"
|
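Review bot: Both suppressions in the new file carry no justification and no expiry, so a reader cannot tell from the file why `gcp-service-account` and `private-key` hits in `pulumi_aws/glue/connection.py` are safe to ignore, and the `python*` glob will keep suppressing them across future runtime versions without anyone re-checking. Trivy's YAML ignore format supports `statement:` and `expired_at:` per entry; add something like `statement: "example credentials in pulumi_aws docstrings, not live secrets"` (presumably the reason, to be confirmed against the file) and an `expired_at:` date so the entries are revisited when pulumi-aws is bumped. Keep the path pinned to the single file as it is now rather than widening it to the package.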
@ -1,8 +1,8 @@
|
|||||||
ARG RUNTIME_VERSION="3.11"
|
ARG RUNTIME_VERSION="3.12"
|
||||||
ARG DISTRO_VERSION="3.19"
|
ARG DISTRO_VERSION="3.20"
|
||||||
|
|
||||||
FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION} AS builder
|
FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION} AS builder
|
||||||
ARG RUNTIME_VERSION="3.11"
|
ARG RUNTIME_VERSION="3.12"
|
||||||
|
|
||||||
RUN apk add --no-cache \
|
RUN apk add --no-cache \
|
||||||
autoconf \
|
autoconf \
|
||||||
@ -33,9 +33,6 @@ RUN curl -fsSL https://get.pulumi.com/ | sh -s -- --version $(pip show pulumi --
|
|||||||
# minimal pulumi
|
# minimal pulumi
|
||||||
RUN cd /root/.pulumi/bin && rm -f *dotnet *yaml *go *java && strip pulumi* || true
|
RUN cd /root/.pulumi/bin && rm -f *dotnet *yaml *go *java && strip pulumi* || true
|
||||||
|
|
||||||
# Remove AWS keys from docstring to prevent trivy alerts later
|
|
||||||
RUN sed -i -e 's/AKIA.*//' /venv/lib/python${RUNTIME_VERSION}/site-packages/pulumi_aws/lightsail/bucket_access_key.py
|
|
||||||
|
|
||||||
# Now build the final runtime, incl. running rootless containers
|
# Now build the final runtime, incl. running rootless containers
|
||||||
FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION}
|
FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION}
|
||||||
|
|
||||||
|
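Review bot: The `sed` that scrubbed the `AKIA…` example key from `pulumi_aws/lightsail/bucket_access_key.py` is removed, but the `.trivyignore.yaml` added in this compare only lists `pulumi_aws/glue/connection.py`; unless pulumi-aws 6.56.1 no longer ships that docstring, the Trivy secret scan will now flag the lightsail file, so either keep the `sed` or add a matching entry for Trivy's AWS access-key rule to the ignore file. Note also that suppression keeps the sample credentials inside the shipped image whereas the `sed` removed them; that is acceptable for documentation examples but worth stating in the ignore file's justification.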
@ -447,10 +447,10 @@ def _provision(cb, stacks):
|
|||||||
# Pulumi is still not thread safe
|
# Pulumi is still not thread safe
|
||||||
if _anyPulumi(step):
|
if _anyPulumi(step):
|
||||||
_threads = 1
|
_threads = 1
|
||||||
else
|
else:
|
||||||
_threads = len(step)
|
_threads = len(step)
|
||||||
|
|
||||||
with ThreadPoolExecutor(max_workers=_threads)) as group:
|
with ThreadPoolExecutor(max_workers=_threads) as group:
|
||||||
futures = []
|
futures = []
|
||||||
for stack in step:
|
for stack in step:
|
||||||
if stack.mode != "pulumi":
|
if stack.mode != "pulumi":
|
||||||
|
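Review bot: With the syntax fixed, `_threads = len(step)` now feeds `ThreadPoolExecutor(max_workers=_threads)` directly, and `ThreadPoolExecutor` raises `ValueError` for `max_workers=0`; if an empty `step` can reach this point (not visible here), the non-pulumi branch crashes where the pulumi branch would not. Guard it with `_threads = max(1, len(step))` or skip empty steps before the pool is created. `_provision` starts and ends outside this hunk.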
@ -52,11 +52,14 @@ def resolve_outputs(outputs):
|
|||||||
def pulumi_ws(func):
|
def pulumi_ws(func):
|
||||||
@wraps(func)
|
@wraps(func)
|
||||||
def decorated(self, *args, **kwargs):
|
def decorated(self, *args, **kwargs):
|
||||||
|
cwd = None
|
||||||
# setup temp workspace
|
# setup temp workspace
|
||||||
if self.mode == "pulumi":
|
if self.mode == "pulumi":
|
||||||
self.work_dir = tempfile.mkdtemp(
|
self.work_dir = tempfile.mkdtemp(
|
||||||
dir=tempfile.gettempdir(), prefix="cloudbender-"
|
dir=tempfile.gettempdir(), prefix="cloudbender-"
|
||||||
)
|
)
|
||||||
|
cwd = os.getcwd()
|
||||||
|
os.chdir(self.work_dir)
|
||||||
|
|
||||||
# add all artifact_paths/pulumi to the search path for easier
|
# add all artifact_paths/pulumi to the search path for easier
|
||||||
# imports in the pulumi code
|
# imports in the pulumi code
|
||||||
@ -146,7 +149,8 @@ def pulumi_ws(func):
|
|||||||
try:
|
try:
|
||||||
_min_version = self._pulumi_code.MIN_CLOUDBENDER_VERSION
|
_min_version = self._pulumi_code.MIN_CLOUDBENDER_VERSION
|
||||||
if semver.compare(
|
if semver.compare(
|
||||||
semver.Version.parse(__version__.strip("v")).finalize_version(),
|
semver.Version.parse(
|
||||||
|
__version__.strip("v")).finalize_version(),
|
||||||
_min_version.strip("v")) < 0:
|
_min_version.strip("v")) < 0:
|
||||||
raise ValueError(
|
raise ValueError(
|
||||||
f"Minimal required CloudBender version is {_min_version}, but we are {__version__}!"
|
f"Minimal required CloudBender version is {_min_version}, but we are {__version__}!"
|
||||||
@ -189,7 +193,7 @@ def pulumi_ws(func):
|
|||||||
)
|
)
|
||||||
|
|
||||||
project_settings = pulumi.automation.ProjectSettings(
|
project_settings = pulumi.automation.ProjectSettings(
|
||||||
name=project_name, runtime="python", backend={"url": pulumi_backend}
|
name=project_name, runtime="python", backend=pulumi.automation.ProjectBackend(url=pulumi_backend)
|
||||||
)
|
)
|
||||||
|
|
||||||
self.pulumi_ws_opts = pulumi.automation.LocalWorkspaceOptions(
|
self.pulumi_ws_opts = pulumi.automation.LocalWorkspaceOptions(
|
||||||
@ -202,6 +206,9 @@ def pulumi_ws(func):
|
|||||||
response = func(self, *args, **kwargs)
|
response = func(self, *args, **kwargs)
|
||||||
|
|
||||||
# Cleanup temp workspace
|
# Cleanup temp workspace
|
||||||
|
if cwd:
|
||||||
|
os.chdir(cwd)
|
||||||
|
|
||||||
if self.work_dir and os.path.exists(self.work_dir):
|
if self.work_dir and os.path.exists(self.work_dir):
|
||||||
shutil.rmtree(self.work_dir)
|
shutil.rmtree(self.work_dir)
|
||||||
|
|
||||||
|
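Review bot: The new `os.chdir(cwd)` restore at the end of `decorated` runs only on the success path: if `func` raises, the process stays chdir'd into the `cloudbender-` temp directory and the `shutil.rmtree` below it is skipped as well, which leaks the workspace and, because the working directory is process-global, affects every other stack handled in the same process. Wrap the call in `try`/`finally` so both the chdir and the rmtree happen regardless; the `return response` presumably follows outside the hunk. The chdir also means the decorator is only safe while pulumi stacks run single-threaded, which the caller appears to enforce elsewhere; a short comment saying so at the `os.chdir(self.work_dir)` line would help the next reader.
```python
            try:
                response = func(self, *args, **kwargs)
            finally:
                # Cleanup temp workspace (also on error, so neither the
                # process cwd nor the temp dir is leaked)
                if cwd:
                    os.chdir(cwd)
                if self.work_dir and os.path.exists(self.work_dir):
                    shutil.rmtree(self.work_dir)
```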
@ -8,7 +8,6 @@ import pathlib
|
|||||||
import pprint
|
import pprint
|
||||||
import pulumi
|
import pulumi
|
||||||
import importlib
|
import importlib
|
||||||
import pkg_resources
|
|
||||||
|
|
||||||
from datetime import datetime, timedelta
|
from datetime import datetime, timedelta
|
||||||
from dateutil.tz import tzutc
|
from dateutil.tz import tzutc
|
||||||
@ -535,7 +534,6 @@ class Stack(object):
|
|||||||
logger.info("Passed.")
|
logger.info("Passed.")
|
||||||
return 0
|
return 0
|
||||||
|
|
||||||
@pulumi_ws
|
|
||||||
def get_outputs(self, include=".*", values=False):
|
def get_outputs(self, include=".*", values=False):
|
||||||
"""gets outputs of the stack"""
|
"""gets outputs of the stack"""
|
||||||
|
|
||||||
@ -852,6 +850,7 @@ class Stack(object):
|
|||||||
|
|
||||||
return status
|
return status
|
||||||
|
|
||||||
|
@pulumi_ws
|
||||||
@exec_hooks
|
@exec_hooks
|
||||||
def update(self):
|
def update(self):
|
||||||
"""Updates an existing stack"""
|
"""Updates an existing stack"""
|
||||||
@ -1305,7 +1304,6 @@ class Stack(object):
|
|||||||
logger.info(" ".join([self.region, self.stackname, text]))
|
logger.info(" ".join([self.region, self.stackname, text]))
|
||||||
|
|
||||||
def _get_pulumi_stack(self, create=False):
|
def _get_pulumi_stack(self, create=False):
|
||||||
|
|
||||||
if create:
|
if create:
|
||||||
pulumi_stack = pulumi.automation.create_or_select_stack(
|
pulumi_stack = pulumi.automation.create_or_select_stack(
|
||||||
stack_name=self.pulumi_stackname,
|
stack_name=self.pulumi_stackname,
|
||||||
@ -1314,7 +1312,7 @@ class Stack(object):
|
|||||||
opts=self.pulumi_ws_opts,
|
opts=self.pulumi_ws_opts,
|
||||||
)
|
)
|
||||||
pulumi_stack.workspace.install_plugin(
|
pulumi_stack.workspace.install_plugin(
|
||||||
"aws", pkg_resources.get_distribution("pulumi_aws").version
|
"aws", importlib.metadata.version("pulumi_aws")
|
||||||
)
|
)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
|
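Review bot: `importlib.metadata.version("pulumi_aws")` in `_get_pulumi_stack` relies on the `importlib.metadata` submodule being loaded, but the file only does `import importlib` (context line in the first hunk), which does not import it; it works today only if some other import, plausibly `pulumi`, has already pulled the submodule in. Make it explicit with `import importlib.metadata` (or `from importlib.metadata import version`) so dropping `pkg_resources` does not trade one implicit dependency for another. `_get_pulumi_stack` ends outside the hunk.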
@ -11,21 +11,22 @@ authors = [
|
|||||||
description = "Deploy and maintain infrastructure in automated and trackable manner"
|
description = "Deploy and maintain infrastructure in automated and trackable manner"
|
||||||
readme = "README.md"
|
readme = "README.md"
|
||||||
license = "AGPL-3.0-or-later"
|
license = "AGPL-3.0-or-later"
|
||||||
requires-python = ">=3.9"
|
requires-python = ">=3.12"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"boto3==1.34.89",
|
"boto3==1.35.46",
|
||||||
"mock==5.1.0",
|
"mock==5.1.0",
|
||||||
"Jinja2==3.1.3",
|
"Jinja2==3.1.4",
|
||||||
"click==8.1.7",
|
"click==8.1.7",
|
||||||
"pexpect==4.9.0",
|
"pexpect==4.9.0",
|
||||||
"python-minifier==2.9.0",
|
"python-minifier==2.11.2",
|
||||||
"cfn-lint==0.86.4",
|
"cfn-lint==1.12.4",
|
||||||
"ruamel.yaml==0.18.6",
|
"ruamel.yaml==0.18.6",
|
||||||
"pulumi==3.113.3",
|
"pulumi==3.137.0",
|
||||||
"pulumi-aws==6.32.0",
|
"pulumi-aws==6.56.1",
|
||||||
"pulumi-aws-native==0.103.0",
|
"pulumi-aws-native==1.3.0",
|
||||||
"pulumi-policy==1.11.0",
|
"pulumi-policy==1.13.0",
|
||||||
"pulumi-command==0.10.0",
|
"pulumi-command==1.0.1",
|
||||||
|
"pulumi_random==4.16.6",
|
||||||
]
|
]
|
||||||
|
|
||||||
classifiers = [
|
classifiers = [
|
||||||
|