Merge pull request #13 from rohit-smartsensesolutions/fix/helm-charts
fix: KICS scan errors
nitin-vavdiya authored Sep 24, 2024
2 parents a446811 + 571d994 commit 8ca1b3f
Showing 6 changed files with 391 additions and 58 deletions.
250 changes: 250 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,250 @@
# Copyright (c) 2021-2023 Contributors to the Eclipse Foundation

# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.

# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# SPDX-License-Identifier: Apache-2.0
---

name: Semantic Release
on:
push:
branches:
- main
- develop
pull_request:
branches:
- main
- develop

env:
IMAGE_NAMESPACE: "tractusx"
IMAGE_NAME: "managed-identity-wallet"

jobs:

semantic_release:
name: Repository Release
runs-on: ubuntu-latest
permissions:
# see https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
contents: write
pull-requests: write
packages: write
outputs:
next_release: ${{ steps.semantic-release.outputs.next_release }}
will_create_new_release: ${{ steps.semantic-release.outputs.will_create_new_release }}
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Validate Gradle wrapper
uses: gradle/wrapper-validation-action@v2

- name: Setup Helm
uses: azure/[email protected]

- name: Setup JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20

# setup helm-docs as it is needed during semantic-release
- uses: gabe565/setup-helm-docs-action@v1
name: Setup helm-docs
if: github.event_name != 'pull_request'
with:
version: v1.11.3

- name: Run semantic release
id: semantic-release
if: github.event_name != 'pull_request'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_AUTHOR_EMAIL: ${{ github.actor }}@users.noreply.github.com
GIT_COMMITTER_EMAIL: ${{ github.actor }}@users.noreply.github.com
run: |
npx --yes -p @semantic-release/exec -p @semantic-release/changelog -p @semantic-release/git -p @semantic-release/commit-analyzer -p @semantic-release/release-notes-generator semantic-release
- name: Run semantic release (dry run)
if: github.event_name == 'pull_request'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_AUTHOR_EMAIL: ${{ github.actor }}@users.noreply.github.com
GIT_COMMITTER_EMAIL: ${{ github.actor }}@users.noreply.github.com
run: |
npx --yes -p @semantic-release/exec -p @semantic-release/github -p @semantic-release/changelog -p @semantic-release/git -p @semantic-release/commit-analyzer -p @semantic-release/release-notes-generator semantic-release --dry-run
- name: Execute Gradle build
run: ./gradlew build

- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
name: build
path: ./miw/build
if-no-files-found: error
retention-days: 1

- name: Upload Helm chart artifact
uses: actions/upload-artifact@v4
with:
name: charts
path: ./charts
if-no-files-found: error
retention-days: 1

- name: Report semantic-release outputs
run: |
echo "::notice::${{ env.next_release }}"
echo "::notice::${{ env.will_create_new_release }}"
- name: Upload jar to GitHub release
if: github.event_name != 'pull_request' && steps.semantic-release.outputs.will_create_new_release == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RELEASE_VERSION: ${{ steps.semantic-release.outputs.next_release }}
run: |
echo "::notice::Uploading jar to GitHub release"
gh release upload "v$RELEASE_VERSION" ./miw/build/libs/miw-latest.jar
docker:
name: Docker Release
needs: semantic_release
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Download build artifact
uses: actions/download-artifact@v4
with:
name: build
path: ./miw/build

- name: Download Helm chart artifact
uses: actions/download-artifact@v4
with:
name: charts
path: ./charts

# Create SemVer or ref tags dependent of trigger event
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
# Automatically prepare image tags; See action docs for more examples.
# semver patter will generate tags like these for example :1 :1.2 :1.2.3
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}},value=${{ needs.semantic_release.outputs.next_release }}
type=semver,pattern={{major}},value=${{ needs.semantic_release.outputs.next_release }}
type=semver,pattern={{major}}.{{minor}},value=${{ needs.semantic_release.outputs.next_release }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
- name: DockerHub login
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
# Use existing DockerHub credentials present as secrets
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Push image
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

# https://github.com/peter-evans/dockerhub-description
# Important step to push image description to DockerHub
- name: Update Docker Hub description
if: github.event_name != 'pull_request'
uses: peter-evans/dockerhub-description@v3
with:
# readme-filepath defaults to toplevel README.md, Only necessary if you have a dedicated file with your 'Notice for docker images'
readme-filepath: Docker-hub-notice.md
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}

helm:
name: Helm Release
needs: semantic_release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Download Helm chart artifact
uses: actions/download-artifact@v4
with:
name: charts
path: ./charts

- name: Install Helm
uses: azure/[email protected]

- name: Add Helm dependency repositories
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Release chart
if: github.event_name != 'pull_request' && needs.semantic_release.outputs.will_create_new_release == 'true'
run: |
# Package MIW chart
helm_package_path=$(helm package -u -d helm-charts ./charts/managed-identity-wallet | grep -o 'to: .*' | cut -d' ' -f2-)
echo "HELM_PACKAGE_PATH=$helm_package_path" >> $GITHUB_ENV
# Commit and push to gh-pages
git add helm-charts
git stash -- helm-charts
git reset --hard
git fetch origin
git checkout gh-pages
git stash pop
# Generate helm repo index.yaml
helm repo index . --merge index.yaml --url https://${GITHUB_REPOSITORY_OWNER}.github.io/${GITHUB_REPOSITORY#*/}/
git add index.yaml
git commit -s -m "Release ${{ needs.semantic_release.outputs.next_release }}"
git push origin gh-pages
- name: Upload chart to GitHub release
if: github.event_name != 'pull_request' && needs.semantic_release.outputs.will_create_new_release == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RELEASE_VERSION: ${{ needs.semantic_release.outputs.next_release }}
HELM_PACKAGE_PATH: ${{ env.HELM_PACKAGE_PATH }}
run: |
echo "::notice::Uploading chart to GitHub release"
gh release upload "v$RELEASE_VERSION" "$HELM_PACKAGE_PATH"
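Review bot: The "Run semantic release" step (and its dry-run twin) executes `npx --yes` against unpinned `@semantic-release/*` packages, so whatever version npm resolves at run time runs with a `contents: write` / `packages: write` GITHUB_TOKEN; pin each package to an explicit version (`-p @semantic-release/exec@<version>` …) or install from a committed lockfile, and prefer commit-SHA pins over mutable tags for third-party actions such as `gabe565/setup-helm-docs-action@v1` and `peter-evans/dockerhub-description@v3`. In the Helm job, `git commit -s -m "Release ${{ needs.semantic_release.outputs.next_release }}"` interpolates a workflow expression directly into the shell, whereas the jar-upload step already routes the same value through the `RELEASE_VERSION` env var; set it under `env:` there too and use `git commit -s -m "Release $RELEASE_VERSION"`, which removes the script-injection pattern scanners flag. Separately, the "Report semantic-release outputs" step echoes `${{ env.next_release }}` and `${{ env.will_create_new_release }}`, but the workflow-level `env` only defines `IMAGE_NAMESPACE`/`IMAGE_NAME`, so unless the unseen semantic-release config writes these to `$GITHUB_ENV` as well as `$GITHUB_OUTPUT` the notices print empty; referencing `steps.semantic-release.outputs.next_release` / `steps.semantic-release.outputs.will_create_new_release` matches the job outputs declared at the top. Finally, the `docker` job declares no `permissions:` block and therefore inherits the repository default token scope; an explicit `permissions: contents: read` would keep it least-privilege since it only pushes to Docker Hub with dedicated secrets.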
24 changes: 10 additions & 14 deletions charts/managed-identity-wallet/README.md
Expand Up @@ -201,7 +201,7 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
| serviceAccount.create | bool | `true` | Enable creation of ServiceAccount |
| serviceAccount.name | string | `""` | The name of the ServiceAccount to use. |
| tolerations | list | `[]` | Tolerations configuration |
| vcrs | object | `{"configName":"verifiable-credential-revocation-service","database":{"encryptionKey":{"secret":"","secretKey":"","value":""}},"env":{"APPLICATION_LOG_LEVEL":"DEBUG","APPLICATION_NAME":"verifiable-credential-revocation-service","APPLICATION_PORT":8081,"APPLICATION_PROFILE":"local","APP_LOG_LEVEL":"INFO","AUTH_SERVER_URL":"http://{{ .Release.Name }}-keycloak","DATABASE_CONNECTION_POOL_SIZE":10,"DATABASE_HOST":"managed-identity-wallet-postgresql","DATABASE_NAME":"vcrs_app","DATABASE_PORT":5432,"DATABASE_USERNAME":"vcrs","DATABASE_USE_SSL_COMMUNICATION":false,"DOMAIN_URL":"https://977d-203-129-213-107.ngrok-free.app","ENABLE_API_DOC":true,"ENABLE_SWAGGER_UI":true,"KEYCLOAK_CLIENT_ID":"miw_private_client","KEYCLOAK_PUBLIC_CLIENT_ID":"miw_public_client","KEYCLOAK_REALM":"miw_test","MIW_URL":"https://a888-203-129-213-107.ngrok-free.app","SERVICE_SECURITY_ENABLED":true,"VC_SCHEMA_LINK":"https://www.w3.org/2018/credentials/v1, https://cofinity-x.github.io/schema-registry/w3c/v1.0/BitstringStatusList.json"},"fullnameOverride":"verifiable-credential-revocation-service","host":"localhost","image":{"pullPolicy":"IfNotPresent","repository":"public.ecr.aws/w6s7t8e0/tractusx/verifiable-credential-revocation-service","tag":"latest"},"ingress":{"annotations":{},"className":"","enabled":false,"hosts":null,"service":{"port":8081,"type":"ClusterIP"},"tls":[]},"ingressName":"verifiable-credential-revocation-service-ingress","livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":60,"periodSeconds":15,"timeoutSeconds":30},"nameOverride":"verifiable-credential-revocation-service","readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":60,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"250m","memory":"512Mi"}},"secretName":"verifiable-credential-revocation-service","secrets":{"DATABASE_PASSWORD":"defaultpassword","password":"defaultpa
ssword","postgres-password":"defaultpassword"},"serviceName":"verifiable-credential-revocation-service"}` | Values for Verifiable Credential Revocation Service application |
| vcrs | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":2,"minReplicas":1,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":80},"configName":"verifiable-credential-revocation-service","database":{"encryptionKey":{"secret":"","secretKey":"","value":""}},"env":{"APPLICATION_LOG_LEVEL":"DEBUG","APPLICATION_NAME":"verifiable-credential-revocation-service","APPLICATION_PORT":8081,"APPLICATION_PROFILE":"local","APP_LOG_LEVEL":"INFO","AUTH_SERVER_URL":"http://{{ .Release.Name }}-keycloak","DATABASE_CONNECTION_POOL_SIZE":10,"DATABASE_HOST":"managed-identity-wallet-postgresql","DATABASE_NAME":"vcrs_app","DATABASE_PORT":5432,"DATABASE_USERNAME":"vcrs","DATABASE_USE_SSL_COMMUNICATION":false,"DOMAIN_URL":"https://977d-203-129-213-107.ngrok-free.app","ENABLE_API_DOC":true,"ENABLE_SWAGGER_UI":true,"KEYCLOAK_CLIENT_ID":"miw_private_client","KEYCLOAK_PUBLIC_CLIENT_ID":"miw_public_client","KEYCLOAK_REALM":"miw_test","MIW_URL":"https://a888-203-129-213-107.ngrok-free.app","SERVICE_SECURITY_ENABLED":true,"VC_SCHEMA_LINK":"https://www.w3.org/2018/credentials/v1, 
https://cofinity-x.github.io/schema-registry/w3c/v1.0/BitstringStatusList.json"},"fullnameOverride":"verifiable-credential-revocation-service","host":"localhost","image":{"pullPolicy":"IfNotPresent","repository":"tractusx/verifiable-credential-revocation-service","tag":"latest"},"imagePullSecrets":[],"ingress":{"annotations":{},"className":"","enabled":false,"hosts":null,"service":{"port":8081,"type":"ClusterIP"},"tls":[]},"ingressName":"verifiable-credential-revocation-service-ingress","livenessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":5,"timeoutSeconds":30},"nameOverride":"verifiable-credential-revocation-service","nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"readinessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":30,"timeoutSeconds":30},"replicaCount":1,"resources":{},"rollingUpdate":{"enabled":true,"rollingUpdateMaxSurge":1,"rollingUpdateMaxUnavailable":0},"secretName":"verifiable-credential-revocation-service","secrets":{"DATABASE_PASSWORD":"defaultpassword","password":"defaultpassword","postgres-password":"defaultpassword"},"securityContext":{"allowPrivilegeEscalation":false},"serviceName":"verifiable-credential-revocation-service","tolerations":[],"volumeMounts":[],"volumes":[]}` | Values for Verifiable Credential Revocation Service application |
| vcrs.configName | string | `"verifiable-credential-revocation-service"` | ConfigMap Name |
| vcrs.database.encryptionKey.secret | string | `""` | Existing secret for database encryption key |
| vcrs.database.encryptionKey.secretKey | string | `""` | Existing secret key for database encryption key |
Expand All @@ -226,27 +226,23 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
| vcrs.fullnameOverride | string | `"verifiable-credential-revocation-service"` | String to partially override common.names.fullname template (will maintain the release name) |
| vcrs.host | string | `"localhost"` | Revocation application configuration |
| vcrs.image.pullPolicy | string | `"IfNotPresent"` | PullPolicy |
| vcrs.image.repository | string | `"public.ecr.aws/w6s7t8e0/tractusx/verifiable-credential-revocation-service"` | Image repository |
| vcrs.image.repository | string | `"tractusx/verifiable-credential-revocation-service"` | Image repository |
| vcrs.image.tag | string | `"latest"` | Image tag (empty one will use "appVersion" value from chart definition) |
| vcrs.ingress.service.port | int | `8081` | Kubernetes Service port |
| vcrs.ingress.service.type | string | `"ClusterIP"` | Kubernetes Service type |
| vcrs.livenessProbe | object | `{"enabled":true,"failureThreshold":5,"initialDelaySeconds":60,"periodSeconds":15,"timeoutSeconds":30}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
| vcrs.livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":5,"timeoutSeconds":30}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
| vcrs.livenessProbe.enabled | bool | `true` | Enables/Disables the livenessProbe at all |
| vcrs.livenessProbe.failureThreshold | int | `5` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. |
| vcrs.livenessProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before readiness probes are initiated. |
| vcrs.livenessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the probe |
| vcrs.livenessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. |
| vcrs.livenessProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before readiness probe are initiated. |
| vcrs.livenessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
| vcrs.livenessProbe.timeoutSeconds | int | `30` | Number of seconds after which the probe times out. |
| vcrs.nameOverride | string | `"verifiable-credential-revocation-service"` | The configmap name |
| vcrs.readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":30,"timeoutSeconds":30}` | Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
| vcrs.readinessProbe.enabled | bool | `true` | Enables/Disables the readinessProbe at all |
| vcrs.readinessProbe.failureThreshold | int | `5` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. |
| vcrs.readinessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. |
| vcrs.readinessProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before readiness probe are initiated. |
| vcrs.readinessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the probe |
| vcrs.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed. |
| vcrs.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the probe times out. |
| vcrs.resources.limits.cpu | string | `"500m"` | CPU resource limits |
| vcrs.resources.limits.memory | string | `"1Gi"` | Memory resource limits |
| vcrs.resources.requests.cpu | string | `"250m"` | CPU resource requests |
| vcrs.resources.requests.memory | string | `"512Mi"` | Memory resource requests |
| vcrs.readinessProbe.periodSeconds | int | `30` | How often (in seconds) to perform the probe |
| vcrs.readinessProbe.timeoutSeconds | int | `30` | Number of seconds after which the probe times out. |
| vcrs.secretName | string | `"verifiable-credential-revocation-service"` | The Secret name |
| vcrs.secrets.DATABASE_PASSWORD | string | `"defaultpassword"` | The Database Password |
| vcrs.secrets.password | string | `"defaultpassword"` | Postgresql password for MIW non-root User |
