Add libzstd to final image

Reviewed-on: #20

.ci/podman.mk

@@ -46,7 +46,7 @@ test:: ## test built artificats
 
 scan: ## Scan image using trivy
 	echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
-	trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
+	trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
 
 # first tag and push all actual images
 # create new manifest for each tag and add all available TAG-ARCH before pushing
@@ -78,7 +78,7 @@ rm-image:
 
 ## some useful tasks during development
 ci-pull-upstream: ## pull latest shared .ci subtree
-	git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
+	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
 
 create-repo: ## create new AWS ECR public repository
 	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

.ci/vars/buildPodman.groovy

@@ -2,6 +2,9 @@
 
 def call(Map config=[:]) {
     pipeline {
+      options {
+        disableConcurrentBuilds()
+      }
       agent {
         node {
           label 'podman-aws-trivy'
@@ -10,6 +13,8 @@ def call(Map config=[:]) {
       stages {
         stage('Prepare') {
           steps {
+            sh 'mkdir -p reports'
+
             // we set pull tags as project adv. options
             // pull tags
             //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
@@ -35,12 +40,13 @@ def call(Map config=[:]) {
 
         // Scan via trivy
         stage('Scan') {
-          environment {
-            TRIVY_FORMAT = "template"
-            TRIVY_OUTPUT = "reports/trivy.html"
-          }
           steps {
-            sh 'mkdir -p reports && make scan'
+            // we always scan and create the full json report
+            sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
+
+            // render custom full html report
+            sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
+
             publishHTML target: [
               allowMissing: true,
               alwaysLinkToLastBuild: true,
@@ -50,13 +56,12 @@ def call(Map config=[:]) {
               reportName: 'TrivyScan',
               reportTitles: 'TrivyScan'
             ]
+            sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
 
-            // Scan again and fail on CRITICAL vulns, if not overridden
+            // fail build if issues found above trivy threshold
             script {
-              if (config.trivyFail == 'NONE') {
+              if ( config.trivyFail ) {
-                echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
+                sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
-              } else {
-                sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
               }
             }
           }

Dockerfile

@@ -1,12 +1,13 @@
-# https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/
-# libexec is missing from >=3.17
-
 # Stage 1 - bundle base image + runtime
-FROM python:3.11-alpine3.16 AS python-alpine
+FROM python:3.12-alpine3.20 AS python-alpine
+ARG  ALPINE="v3.20"
 
 # Install GCC (Alpine uses musl but we compile and link dependencies with GCC)
-RUN apk upgrade -U --available --no-cache && \
+RUN echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \
-    apk add --no-cache \
+    wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub
+
+RUN apk -U --no-cache upgrade && \
+    apk --no-cache add \
     libstdc++
 
 
@@ -15,8 +16,7 @@ FROM python-alpine AS build-image
 ARG TAG="latest"
 
 # Install aws-lambda-cpp build dependencies
-RUN apk upgrade -U --available --no-cache && \
+RUN apk --no-cache add \
-    apk add --no-cache \
     build-base \
     libtool \
     autoconf \
@@ -25,8 +25,8 @@ RUN apk upgrade -U --available --no-cache && \
     cmake \
     libcurl \
     libffi-dev \
-    libexecinfo-dev \
+    openssl-dev \
-    openssl-dev
+    elfutils-dev
     # cargo
 
 # Install requirements
@@ -43,6 +43,9 @@ RUN sed -i -e "s/^__version__ =.*/__version__ = \"${TAG}\"/" /app/app.py
 # Stage 3 - final runtime image
 FROM python-alpine
 
+RUN apk --no-cache add \
+    zstd-libs
+
 WORKDIR /app
 COPY --from=build-image /app /app
 

app.py

@@ -261,6 +261,15 @@ def handler(event, context):
         title = "ElastiCache fail over complete"
         body = "for node {}".format(msg["ElastiCache:FailoverComplete"])
 
+    # ElasticCache update notifications
+    elif "ElastiCache:ServiceUpdateAvailableForNode" in msg:
+        title = "ElastiCache update available"
+        body = "for node {}".format(msg["ElastiCache:ServiceUpdateAvailableForNode"])
+
+    elif "ElastiCache:ServiceUpdateAvailable" in msg:
+        title = "ElastiCache update available"
+        body = "for Group {}".format(msg["ElastiCache:ServiceUpdateAvailable"])
+
     # known RDS events
     elif "Event Source" in msg and msg['Event Source'] in ["db-instance", "db-cluster-snapshot", "db-snapshot"]:
         try:

requirements.txt

@@ -1,4 +1,4 @@
-boto3==1.34.78
+boto3==1.35.17
-apprise==1.7.5
+apprise==1.9.0
-humanize==4.9.0
+humanize==4.10.0
-awslambdaric==2.0.11
+awslambdaric==2.2.1