Compare commits

..

10 Commits

Author SHA1 Message Date
de3df61608 Add libzstd to final image
Some checks failed
ZeroDownTime/sns-alert-hub/pipeline/head There was a failure building this commit
2024-09-12 19:03:44 +00:00
208749d01e feat: upgrade Alpine to 3.20, libexecinfo fixes, make tests work 2024-09-12 06:17:31 +00:00
6124f0454b Merge pull request 'chore(deps): update all non-major dependencies' (#20) from renovate/all-minor-patch into master
Reviewed-on: #20
2024-09-12 05:26:51 +00:00
565cf4d664 chore(deps): update all non-major dependencies 2024-09-12 03:38:57 +00:00
db2d719f34 Merge commit 'cd1165690a9823240549009fc9ee9114742d6448' 2024-06-25 17:15:03 +00:00
cd1165690a Squashed '.ci/' changes from 22ed100..2c44e4f
2c44e4f Disable concurrent builds
7144a42 Improve Trivy scanning logic
c1a48a6 Remove auto stash push / pop as being too dangerous
318c19e Add merge comment for subtree

git-subtree-dir: .ci
git-subtree-split: 2c44e4fd8550d30fba503a2bcccec8e0bac1c151
2024-06-25 17:15:03 +00:00
03a88e01b2 Feat: add support for group updates 2024-06-05 10:02:15 +00:00
c324ab03bb Merge pull request 'chore(deps): update all non-major dependencies' (#19) from renovate/all-minor-patch into master
Reviewed-on: #19
2024-04-15 14:15:26 +00:00
bf204c8fb4 chore(deps): update all non-major dependencies 2024-04-14 03:05:28 +00:00
1175a38d8b Upgrade base OS to Alpine 3.19, minor ElastiCache fix 2024-04-05 13:27:05 +00:00
5 changed files with 43 additions and 26 deletions

View File

@ -46,7 +46,7 @@ test:: ## test built artificats
scan: ## Scan image using trivy scan: ## Scan image using trivy
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)" echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH) trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
# first tag and push all actual images # first tag and push all actual images
# create new manifest for each tag and add all available TAG-ARCH before pushing # create new manifest for each tag and add all available TAG-ARCH before pushing
@ -78,7 +78,7 @@ rm-image:
## some useful tasks during development ## some useful tasks during development
ci-pull-upstream: ## pull latest shared .ci subtree ci-pull-upstream: ## pull latest shared .ci subtree
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
create-repo: ## create new AWS ECR public repository create-repo: ## create new AWS ECR public repository
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION) aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

View File

@ -2,6 +2,9 @@
def call(Map config=[:]) { def call(Map config=[:]) {
pipeline { pipeline {
options {
disableConcurrentBuilds()
}
agent { agent {
node { node {
label 'podman-aws-trivy' label 'podman-aws-trivy'
@ -10,6 +13,8 @@ def call(Map config=[:]) {
stages { stages {
stage('Prepare') { stage('Prepare') {
steps { steps {
sh 'mkdir -p reports'
// we set pull tags as project adv. options // we set pull tags as project adv. options
// pull tags // pull tags
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) { //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
@ -35,12 +40,13 @@ def call(Map config=[:]) {
// Scan via trivy // Scan via trivy
stage('Scan') { stage('Scan') {
environment {
TRIVY_FORMAT = "template"
TRIVY_OUTPUT = "reports/trivy.html"
}
steps { steps {
sh 'mkdir -p reports && make scan' // we always scan and create the full json report
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
// render custom full html report
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
publishHTML target: [ publishHTML target: [
allowMissing: true, allowMissing: true,
alwaysLinkToLastBuild: true, alwaysLinkToLastBuild: true,
@ -50,13 +56,12 @@ def call(Map config=[:]) {
reportName: 'TrivyScan', reportName: 'TrivyScan',
reportTitles: 'TrivyScan' reportTitles: 'TrivyScan'
] ]
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
// Scan again and fail on CRITICAL vulns, if not overridden // fail build if issues found above trivy threshold
script { script {
if (config.trivyFail == 'NONE') { if ( config.trivyFail ) {
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...' sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
} else {
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
} }
} }
} }

View File

@ -1,12 +1,13 @@
# https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/
# libexec is missing from >=3.17
# Stage 1 - bundle base image + runtime # Stage 1 - bundle base image + runtime
FROM python:3.11-alpine3.16 AS python-alpine FROM python:3.12-alpine3.20 AS python-alpine
ARG ALPINE="v3.20"
# Install GCC (Alpine uses musl but we compile and link dependencies with GCC) # Install GCC (Alpine uses musl but we compile and link dependencies with GCC)
RUN apk upgrade -U --available --no-cache && \ RUN echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \
apk add --no-cache \ wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub
RUN apk -U --no-cache upgrade && \
apk --no-cache add \
libstdc++ libstdc++
@ -15,8 +16,7 @@ FROM python-alpine AS build-image
ARG TAG="latest" ARG TAG="latest"
# Install aws-lambda-cpp build dependencies # Install aws-lambda-cpp build dependencies
RUN apk upgrade -U --available --no-cache && \ RUN apk --no-cache add \
apk add --no-cache \
build-base \ build-base \
libtool \ libtool \
autoconf \ autoconf \
@ -25,8 +25,8 @@ RUN apk upgrade -U --available --no-cache && \
cmake \ cmake \
libcurl \ libcurl \
libffi-dev \ libffi-dev \
libexecinfo-dev \ openssl-dev \
openssl-dev elfutils-dev
# cargo # cargo
# Install requirements # Install requirements
@ -43,6 +43,9 @@ RUN sed -i -e "s/^__version__ =.*/__version__ = \"${TAG}\"/" /app/app.py
# Stage 3 - final runtime image # Stage 3 - final runtime image
FROM python-alpine FROM python-alpine
RUN apk --no-cache add \
zstd-libs
WORKDIR /app WORKDIR /app
COPY --from=build-image /app /app COPY --from=build-image /app /app

9
app.py
View File

@ -261,6 +261,15 @@ def handler(event, context):
title = "ElastiCache fail over complete" title = "ElastiCache fail over complete"
body = "for node {}".format(msg["ElastiCache:FailoverComplete"]) body = "for node {}".format(msg["ElastiCache:FailoverComplete"])
# ElasticCache update notifications
elif "ElastiCache:ServiceUpdateAvailableForNode" in msg:
title = "ElastiCache update available"
body = "for node {}".format(msg["ElastiCache:ServiceUpdateAvailableForNode"])
elif "ElastiCache:ServiceUpdateAvailable" in msg:
title = "ElastiCache update available"
body = "for Group {}".format(msg["ElastiCache:ServiceUpdateAvailable"])
# known RDS events # known RDS events
elif "Event Source" in msg and msg['Event Source'] in ["db-instance", "db-cluster-snapshot", "db-snapshot"]: elif "Event Source" in msg and msg['Event Source'] in ["db-instance", "db-cluster-snapshot", "db-snapshot"]:
try: try:

View File

@ -1,4 +1,4 @@
boto3==1.34.78 boto3==1.35.17
apprise==1.7.5 apprise==1.9.0
humanize==4.9.0 humanize==4.10.0
awslambdaric==2.0.11 awslambdaric==2.2.1