diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..dd260f1b --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,6 @@ +# Users referenced in this file will automatically be requested as reviewers for +# PRs that modify the given paths +# See https://help.github.com/articles/about-code-owners/, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# All code +* @ruzickap diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..51505e79 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,23 @@ +--- +name: Bug report +about: Create a report to help us improve +title: 'Bug: This is a sample issue title' +labels: bug +assignees: ruzickap + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behaviour. + +**Expected behaviour** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 00000000..ed5ca68b --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: GitHub Actions Community Forum + url: https://github.com/orgs/community/discussions/ + about: Please ask questions about GitHub Actions here. + - name: GitHub Pages help + url: https://help.github.com/en/github/working-with-github-pages + about: GitHub Pages documentation here. diff --git a/.github/ISSUE_TEMPLATE/proposal.md b/.github/ISSUE_TEMPLATE/proposal.md new file mode 100644 index 00000000..ff78390b --- /dev/null +++ b/.github/ISSUE_TEMPLATE/proposal.md 
@@ -0,0 +1,21 @@ +--- +name: Proposal +about: Suggest an idea for this project +title: 'Proposal: This is a sample title' +labels: proposal +assignees: ruzickap + +--- + +**Is your feature request related to a problem? Please describe** +A clear and concise description of what the problem is. Ex. I'm always +frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index d1f0d085..00000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,6 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "daily" diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 00000000..1117e58a --- /dev/null +++ b/.github/renovate.json5 
@@ -0,0 +1,56 @@ +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + extends: [ + "config:recommended", + "docker:pinDigests", + "helpers:pinGitHubActionDigestsToSemver", + "security:openssf-scorecard", + ":disableDependencyDashboard", + ":docker", + ":disableRateLimiting", + ":enableVulnerabilityAlertsWithLabel(security)", + ], + "git-submodules": { + enabled: true, + }, + labels: [ + "renovate", + "renovate/{{replace '.*/' '' depName}}", + "renovate/{{updateType}}", + ], + lockFileMaintenance: { + enabled: true, + schedule: ["before 6am on Sunday"], + }, + packageRules: [ + { + matchUpdateTypes: ["major"], + automerge: false, + }, + { + description: "Ignore frequent renovate updates", + enabled: false, + matchPackageNames: ["renovatebot/github-action"], + matchUpdateTypes: ["patch"], + }, + { + description: "Update renovatebot/github-action minor updates on Sundays", + matchPackageNames: ["renovatebot/github-action"], + matchUpdateTypes: ["minor"], + schedule: ["* * * * 0"], + }, + ], + prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}", + rebaseWhen: "behind-base-branch", + regexManagers: [ + { + extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?.+)${{/if}}", + fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"], + matchStrings: [ + '# renovate: datasource=(?.+?) depName=(?.+?)( versioning=(?.+?))?( extractVersion=(?.+?))?( registryUrl=(?.+?))?\\s.*[=:]\\s*"?(?.+?)"?\\s', + ], + versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}", + }, + ], + separateMinorPatch: true, +} diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml deleted file mode 100644 index 4e8a41a0..00000000 --- a/.github/workflows/dependabot-auto-merge.yml +++ /dev/null 
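Review bot: The first `packageRules` entry (`matchUpdateTypes: ["major"], automerge: false`) is the only rule without a `description`, and on its own it reads as a no-op because nothing in this file turns automerge on — the enabling switch is `RENOVATE_AUTOMERGE` / `RENOVATE_AUTOMERGE_TYPE: "branch"` in .github/workflows/renovate.yml elsewhere in this commit. Add `description: "Never automerge major updates; branch automerge is enabled via RENOVATE_AUTOMERGE in .github/workflows/renovate.yml",` so the rule's purpose survives a later change to either file. The named capture groups in `regexManagers[0].matchStrings` and in `extractVersionTemplate` appear here as `(?.+?)`, which looks like a rendering loss of the `<name>` part rather than the committed text; worth confirming in the raw file, since without the group names Renovate cannot extract `datasource`, `depName` or `currentValue`.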
@@ -1,15 +0,0 @@ -name: dependabot-auto-merge - -on: - pull_request_target: - -jobs: - auto-merge: - name: Auto approve pull request, then squash and merge - runs-on: ubuntu-latest - if: github.actor == 'dependabot[bot]' - steps: - - uses: ahmadnassri/action-dependabot-auto-merge@v2 - with: - target: minor - github-token: ${{ secrets.PERSONAL_GITHUB_TOKEN_FOR_GITHUB_ACTIONS }} diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml new file mode 100644 index 00000000..faa15b59 --- /dev/null +++ b/.github/workflows/links.yml @@ -0,0 +1,38 @@ +name: Links + +on: + workflow_dispatch: + push: + paths: + - .github/workflows/links.yml + - lychee.toml + schedule: + - cron: "0 0 * * 1" + +permissions: read-all + +jobs: + linkChecker: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Setup Pages + id: pages + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 + + - name: Restore lychee cache + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: .lycheecache + key: cache-lychee-${{ github.sha }} + restore-keys: cache-lychee- + + - name: Link Checker + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3 + with: + args: ". --exclude-path CHANGELOG.md ${{ steps.pages.outputs.base_url }}" + fail: true diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml deleted file mode 100644 index cb3129c6..00000000 --- a/.github/workflows/linter.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -########################### -########################### -## Linter GitHub Actions ## -########################### -########################### -name: Lint Code Base - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: - push: - branches-ignore: - - 'master' - -############### -# Set the Job # -############### -jobs: - build: - # Name the Job - name: Lint Code Base - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v2 - - ################################ - # Run Linter against code base # - ################################ - - name: Lint Code Base - uses: docker://ghcr.io/github/super-linter:slim-v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_STATES: false - VALIDATE_KUBERNETES_KUBEVAL: false - FILTER_REGEX_EXCLUDE: CHANGELOG.md diff --git a/.github/workflows/markdown-check.yml b/.github/workflows/markdown-check.yml new file mode 100644 index 00000000..7bbca4b7 --- /dev/null +++ b/.github/workflows/markdown-check.yml 
@@ -0,0 +1,52 @@ +name: markdown-check + +on: + workflow_dispatch: + push: + branches-ignore: + - main + paths: + - "**.md" + - .github/workflows/markdown-check.yml + - .markdownlint.yml + - .mlc_config.json + - .spelling + +permissions: read-all + +jobs: + markdownlint-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Markdown Lint + uses: ruzickap/action-my-markdown-linter@919d3735df9bbc094d206521a774133ec8f3c4ca # v1.1.0 + with: + exclude: | + CHANGELOG.md + + markdown-link-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Link Checker + uses: ruzickap/action-my-markdown-link-checker@e7e8635735a15a86b081f8255022bcc251cc9003 # v1.2.0 + with: + exclude: | + CHANGELOG.md + + markdown-spell-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Install Node.js LTS version + uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + + - name: Install markdown-spellcheck + run: npm install -g markdown-spellcheck + + - name: Run mdspell + run: find . -type f \( -name "*.md" ! -name "CHANGELOG.md" \) -print0 | xargs -0 --max-args=1 --verbose mdspell --ignore-numbers --ignore-acronyms --report --en-gb diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml new file mode 100644 index 00000000..da4e06b6 --- /dev/null +++ b/.github/workflows/mega-linter.yml 
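Review bot: The `Install markdown-spellcheck` step runs `npm install -g markdown-spellcheck` with no version, so each run pulls whatever the registry serves at that moment, while every `uses:` in the same file is pinned to a commit digest. Pin it, e.g. `run: npm install -g markdown-spellcheck@<pinned version>` (placeholder), and add a comment saying the pin is deliberate. Note that the `# renovate: datasource=... depName=...` regex manager added in this commit only matches `key=value` / `key: value` lines, so an `@version` pin would presumably need a separate comment line or another manager to be kept current — I have not verified the manager against this shape.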
@@ -0,0 +1,44 @@ +--- +name: MegaLinter + +on: + workflow_dispatch: + push: + branches-ignore: + - main + +permissions: read-all + +jobs: + build: + name: MegaLinter + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Restore lychee cache + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: .lycheecache + key: cache-lychee-${{ github.sha }} + restore-keys: cache-lychee- + + - name: Extract commands from markdown files + run: | + set -euxo pipefail + echo '#!/usr/bin/env bash' > README.sh + find . -name '*.md' -print0 | while IFS= read -r -d '' FILE ; do + # Extract: ```bash ... ``` + sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh + # Extract: ```bash ... ``` + sed -n "/^ \`\`\`\(bash\|shell\)$/,/^ \`\`\`$/p" "${FILE}" | sed '/^ ```*/d; s/^ //' >> README.sh + done + chmod a+x README.sh + + - name: 💡 MegaLinter + uses: oxsecurity/megalinter@688bc7466d7ab4faa83d614c2e6f9acf42b674dc # v7.8.0 + env: + GITHUB_COMMENT_REPORTER: false + GITHUB_STATUS_REPORTER: true + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/periodic-broken-link-checks.yml b/.github/workflows/periodic-broken-link-checks.yml deleted file mode 100644 index b628c81f..00000000 --- a/.github/workflows/periodic-broken-link-checks.yml +++ /dev/null 
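Review bot: `GITHUB_STATUS_REPORTER: true` is combined with `permissions: read-all`, which gives `GITHUB_TOKEN` no `statuses: write`, so I would expect the commit-status posts to be rejected (MegaLinter presumably logs this rather than failing the job — confirm in a run log). Either grant `statuses: write` at the job level (`permissions:` / `  contents: read` / `  statuses: write`) or set the reporter to false like `GITHUB_COMMENT_REPORTER`. Separately, the two `# Extract:` comments in the extraction step are identical although the second sed pair handles fences indented by one space; make the second read `# Extract fenced blocks indented by one space (e.g. inside list items)`. As far as this workflow shows, README.sh is only generated so MegaLinter can lint the snippets and is never executed, which deserves a one-line comment above `echo '#!/usr/bin/env bash' > README.sh`.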
@@ -1,30 +0,0 @@ -name: periodic-broken-link-checks - -on: - workflow_dispatch: - schedule: - - cron: '8 8 * * 2' - -jobs: - broken-link-checker: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - ref: gh-pages - - - name: Broken link checker - env: - EXCLUDE: | - mylabs.dev - ruzickap.github.io/k8s-harbor-presentation - run: | - if [ -s CNAME ]; then - INPUT_URL="https://$(cat CNAME)" - else - INPUT_URL="https://${GITHUB_REPOSITORY%/*}.github.io/${GITHUB_REPOSITORY##*/}" - fi - export INPUT_URL - INPUT_CMD_PARAMS="--buffer-size=8192 --max-connections=10 --color=always --exclude=($( echo "${EXCLUDE}" | tr '\n' '|' ))" - export INPUT_CMD_PARAMS - wget -qO- https://raw.githubusercontent.com/ruzickap/action-my-broken-link-checker/v2/entrypoint.sh | bash diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml new file mode 100644 index 00000000..faff21af --- /dev/null +++ b/.github/workflows/release-please.yml @@ -0,0 +1,20 @@ +--- +name: release-please + +on: + workflow_dispatch: + push: + branches: + - main + +permissions: + contents: write + pull-requests: write + +jobs: + release-please-pr: + runs-on: ubuntu-latest + steps: + - uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4.0.2 + with: + release-type: simple diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml new file mode 100644 index 00000000..cc55c469 --- /dev/null +++ b/.github/workflows/renovate.yml 
@@ -0,0 +1,61 @@ +--- +name: Renovate + +on: + workflow_dispatch: + inputs: + dryRun: + type: boolean + description: "Dry-Run" + logLevel: + type: choice + description: "Log-Level" + default: debug + options: + - info + - debug + - trace + push: + branches: + - main + - "!renovate/*" + schedule: + - cron: "0 0,2,4 * * *" + +env: + # https://docs.renovatebot.com/troubleshooting/#log-debug-levels + LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}" + # https://docs.renovatebot.com/self-hosted-configuration/#repositories + RENOVATE_REPOSITORIES: ${{ github.repository }} + # https://docs.renovatebot.com/self-hosted-configuration/#username + RENOVATE_USERNAME: ${{ github.repository_owner }} + # https://docs.renovatebot.com/configuration-options/#platformcommit + RENOVATE_PLATFORM_COMMIT: "true" + # https://docs.renovatebot.com/self-hosted-configuration/#dryrun + # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated + RENOVATE_DRY_RUN: "${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}" + # Renovate Automerge + RENOVATE_AUTOMERGE_TYPE: "branch" + RENOVATE_AUTOMERGE: "true" + +permissions: read-all + +jobs: + renovate: + runs-on: ubuntu-latest + concurrency: + group: renovate + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - uses: actions/create-github-app-token@86576b355dd19da0519e0bdb63d8edb5bcf76a25 # v1.7.0 + id: app-token + with: + app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} + private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}" + + - name: 💡 Self-hosted Renovate + uses: renovatebot/github-action@42c1d3cb1d1ca891765626ba71cdff5e757258de # v40.0.2 + with: + token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml new file mode 100644 index 00000000..90d4309c --- /dev/null 
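Review bot: `RENOVATE_AUTOMERGE_TYPE: "branch"` together with `RENOVATE_AUTOMERGE: "true"` lets Renovate push passing update branches straight into main without a pull request or review, and the only comment on that block is `# Renovate Automerge`, which does not say so. Replace it with `# Branch automerge: green update branches are merged into main directly, with no PR or review; the only gate is the status checks other workflows run on push (majors are excluded in .github/renovate.json5)`. The `RENOVATE_DRY_RUN` expression evaluates to the string `"false"` on scheduled runs from main (empty `inputs.dryRun`, ref equal to main, then the trailing `|| false`); I believe Renovate migrates `"false"` to no dry run and `"true"` to `full`, but since current Renovate expects the string values `full`/`lookup`/`extract`, confirm in the run log that it is not emitting a migration warning.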
+++ b/.github/workflows/semantic-pull-request.yml @@ -0,0 +1,20 @@ +name: Semantic Pull Request + +on: + pull_request_target: + types: + - opened + - edited + - synchronize + +permissions: + pull-requests: read + +jobs: + main: + name: Semantic Pull Request + runs-on: ubuntu-latest + steps: + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml deleted file mode 100644 index 98733763..00000000 --- a/.github/workflows/shellcheck.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: shellcheck - -on: - pull_request: - types: [opened, synchronize] - paths: - - '**.sh' - - .github/workflows/shellcheck.yml - push: - branches: - - master - paths: - - '**.sh' - - .github/workflows/shellcheck.yml - -jobs: - shellcheck-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Lint check - uses: azohra/shell-linter@v0.4.0 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml new file mode 100644 index 00000000..e872faa8 --- /dev/null +++ b/.github/workflows/stale.yml 
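Review bot: The `pull_request_target` trigger is the one event that runs with repository secrets on pull requests from forks, and this job is safe only because it never checks out or executes PR-controlled code and is scoped to `pull-requests: read`; none of that is stated in the file, so a future `actions/checkout` or `run:` step would silently break the invariant. Add above `on:` a comment such as `# pull_request_target so the title check also runs on fork PRs; never add a checkout or run step here, the PR head is untrusted`.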
@@ -0,0 +1,32 @@ +name: Close stale issues and PRs + +on: + schedule: + - cron: "30 1 * * *" + +permissions: + issues: write + pull-requests: write + +jobs: + mark-stale-issues-and-prs: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 + with: + close-issue-message: | + This issue has not seen any activity since it was marked stale. + Closing. + close-pr-message: | + This pull request has not seen any activity since it was marked stale. + Closing. + exempt-issue-labels: good-first-issue,need-help,no-stale,pinned,security + exempt-pr-labels: "autorelease: pending,good-first-issue,need-help,no-stale,pinned,security" + stale-issue-label: stale + stale-issue-message: | + This issue is stale because it has been open 60 days with no activity. + Remove stale label or comment or this will be closed in 7 days + stale-pr-label: stale + stale-pr-message: | + This PR is stale because it has been open 60 days with no activity. + Remove stale label or comment or this will be closed in 7 days. diff --git a/.github/workflows/vuepress-build-check-deploy.yml b/.github/workflows/vuepress-build-check-deploy.yml deleted file mode 100644 index 6e8a6d91..00000000 --- a/.github/workflows/vuepress-build-check-deploy.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -name: vuepress-build-check-deploy - -on: - pull_request: - types: [opened, synchronize] - paths: - - .github/workflows/vuepress-build-check-deploy.yml - - docs/** - - .markdownlint.yml - - .spelling - - package.json - - package-lock.json - push: - branches: - - master - paths: - - .github/workflows/vuepress-build-check-deploy.yml - - docs/** - - .markdownlint.yml - - .spelling - - package.json - - package-lock.json - -jobs: - markdownlint-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Markdown Lint - uses: ruzickap/action-my-markdown-linter@v1 - with: - exclude: | - CHANGELOG.md - - markdown-spell-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Install Node.js 12 - uses: actions/setup-node@v2 - with: - node-version: 12.x - - - name: Install markdown-spellcheck - run: npm install -g markdown-spellcheck - - - name: Run mdspell - run: find . -type f \( -name "*.md" ! -name "CHANGELOG.md" \) -print0 | xargs -0 --max-args=1 --verbose mdspell --ignore-numbers --ignore-acronyms --report --en-gb - - # command-check: - # name: Command check - # runs-on: ubuntu-18.04 - - # steps: - # - uses: actions/checkout@v2 - - # - name: Update repositories - # run: sudo apt-get update - - # - name: Install necessary tools - # run: | - # sudo apt-get install -y -qq gnupg2 jq pv > /dev/null - # curl -s -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ - # curl -s -Lo kind https://github.com/kubernetes-sigs/kind/releases/download/v0.6.0/kind-linux-amd64 && chmod +x kind && sudo mv kind /usr/local/bin/ - - # - name: Run tests - # run: | - # tests/tests.sh - - vuepress-build-check-deploy: - runs-on: ubuntu-latest - needs: - # - command-check - - markdownlint-check - - markdown-spell-check - steps: - - uses: actions/checkout@v2 - - - 
name: Install Node.js 12 - uses: actions/setup-node@v2 - with: - node-version: 12.x - - - name: Install VuePress and build the document - run: | - npm install - npm run build - cp LICENSE docs/.vuepress/dist - sed -e "s@(part-@(https://github.com/${{ github.repository }}/tree/master/docs/part-@" -e 's@.\/.vuepress\/public\/@./@' docs/README.md > docs/.vuepress/dist/README.md - ln -s docs/.vuepress/dist ${{ github.event.repository.name }} - - - name: Check broken links - uses: ruzickap/action-my-broken-link-checker@v2 - with: - url: https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} - pages_path: . - cmd_params: '--exclude=(mylabs.dev|ruzickap.github.io/k8s-harbor-presentation) --max-connections-per-host=5 --color=always --rate-limit=5 --timeout=20 --header="User-Agent:curl/7.54.0" --skip-tls-verification' - - - name: Deploy - uses: peaceiris/actions-gh-pages@v3 - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - publish_dir: ./docs/.vuepress/dist - force_orphan: true diff --git a/.github/workflows/vuepress-build.yml b/.github/workflows/vuepress-build.yml new file mode 100644 index 00000000..4bf0d056 --- /dev/null +++ b/.github/workflows/vuepress-build.yml 
@@ -0,0 +1,53 @@ +name: vuepress-build + +on: + workflow_dispatch: + push: + paths: + - .github/workflows/vuepress-build.yml + - docs/** + - package.json + - package-lock.json + +permissions: + contents: write + +jobs: + vuepress-build: + runs-on: ubuntu-latest + concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Install Node.js + uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + with: + node-version: 16.x + + - name: Install VuePress and build the document + run: | + npm install + npm run build + cp LICENSE docs/.vuepress/dist + sed -e "s@(part-@(https://github.com/${{ github.repository }}/tree/main/docs/part-@" -e 's@.\/.vuepress\/public\/@./@' docs/README.md > docs/.vuepress/dist/README.md + ln -s docs/.vuepress/dist ${{ github.event.repository.name }} + + - name: Setup Pages + id: pages + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 + + - name: Check broken links + uses: ruzickap/action-my-broken-link-checker@a0895a4cda23b5c90999cb9d3c8a8f44d8a8980d # v2.5.0 + with: + url: ${{ steps.pages.outputs.base_url }} + pages_path: . + cmd_params: '--exclude=(mylabs.dev) --buffer-size=8192 --max-connections-per-host=5 --color=always --rate-limit=5 --header="User-Agent:Mozilla" --skip-tls-verification' + + - name: Deploy + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 + if: ${{ github.ref == 'refs/heads/main' }} + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + publish_dir: ./docs/.vuepress/dist + force_orphan: true diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml deleted file mode 100644 index bd82e37b..00000000 --- a/.github/workflows/yamllint.yml +++ /dev/null 
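Review bot: `permissions: contents: write` applies to the whole job, yet only the final `Deploy` step needs it and that step receives the token explicitly via `github_token`, while `actions/checkout` keeps its default `persist-credentials: true` and so leaves the write-capable token in `.git/config` during `npm install`, which runs dependency lifecycle scripts on every push of any branch. Add `with:` / `persist-credentials: false` to the checkout step so the build and link-check steps run without a repo-write credential on disk. `npm ci` instead of `npm install` would also make the build follow package-lock.json, which this workflow already lists in its `paths:` filter. The `--skip-tls-verification` in `cmd_params` predates this commit but still deserves a comment explaining why the checker cannot validate certificates.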
@@ -1,23 +0,0 @@ -name: yamllint - -on: - pull_request: - types: [opened, synchronize] - paths: - - '**.yml' - - '**.yaml' - push: - branches: - - master - paths: - - '**.yml' - - '**.yaml' - -jobs: - yamllint-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: yamllint - uses: ibiqlik/action-yamllint@v3 diff --git a/.gitignore b/.gitignore index 5fa956e3..bdf002b9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,23 +1,27 @@ # pre-commit configuration file .pre-commit-config.yaml -# release-it configuration file -.release-it.yml - -# demo-magic.sh script -demo-magic.sh - # Kubernetes kubeconfig file -kubeconfig.conf - -# README.sh script -README.sh +kubeconfig*.conf* # Vuepress Pages docs/.vuepress/dist +docs/.vuepress/.temp/ +docs/.vuepress/.cache/ # tmp directory tmp/ # Node modules node_modules/ + +# README.sh script +README.sh + +# demo-magic.sh script +demo-magic.sh + +# Terraform files +.terraform +*.tfstate* +crash.log diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 00000000..0a05081e --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,13 @@ +ignore: + # glob-parent 3.1.0 5.1.2 npm GHSA-ww39-953v-wcq6 High + - vulnerability: GHSA-ww39-953v-wcq6 + # json5 0.5.1 1.0.2 npm GHSA-9c47-m6qq-7p4h High + - vulnerability: GHSA-9c47-m6qq-7p4h + # loader-utils 0.2.17 1.4.1 npm GHSA-76p3-8jx3-jpfq Critical + - vulnerability: GHSA-76p3-8jx3-jpfq + # node-forge 0.10.0 1.3.0 npm GHSA-cfm4-qjh2-4765 High + - vulnerability: GHSA-cfm4-qjh2-4765 + # node-forge 0.10.0 1.3.0 npm GHSA-x4jg-mjrx-434g High + - vulnerability: GHSA-x4jg-mjrx-434g + # nth-check 1.0.2 2.0.1 npm GHSA-rp65-9cf3-cjxr High + - vulnerability: GHSA-rp65-9cf3-cjxr diff --git a/.jscpd.json b/.jscpd.json new file mode 100644 index 00000000..59b76a1b --- /dev/null +++ b/.jscpd.json @@ -0,0 +1,3 @@ +{ + "ignore": ["**"] +} diff --git a/.lycheeignore b/.lycheeignore new file mode 100644 index 00000000..09f9664b --- /dev/null +++ b/.lycheeignore @@ -0,0 +1 @@ +.*.mylabs.dev 
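Review bot: The six `ignore:` entries added in .grype.yaml suppress High/Critical advisories with no package scope, reason or review date, and the matching `.trivyignore.yaml` entries later in this commit do the same, so the suppressions stay in force indefinitely with no record of why (presumably transitive VuePress dependencies that cannot be upgraded — confirm). Scope each grype entry to the package it was triaged for, e.g. `- vulnerability: GHSA-ww39-953v-wcq6` / `  package:` / `    name: glob-parent`, and in .trivyignore.yaml use that format's `statement:` and `expired_at:` fields so each suppression carries its justification and an expiry that forces re-triage. The existing comments already hold the package and fixed-version data needed for both.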
diff --git a/.mega-linter.yml b/.mega-linter.yml new file mode 100644 index 00000000..a768b6b9 --- /dev/null +++ b/.mega-linter.yml @@ -0,0 +1,45 @@ +# Configuration file for MegaLinter +# See all available variables at https://megalinter.io/latest/configuration/ and in linters documentation + +BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects + +DISABLE_LINTERS: + - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead + - SPELL_CSPELL + - TERRAFORM_TERRASCAN # Hard to configure - no documentation of the config file + +# Remove: To receive reports as email, please set variable EMAIL_REPORTER_EMAIL +EMAIL_REPORTER: false + +FAIL_IF_MISSING_LINTER_IN_FLAVOR: true + +FILTER_REGEX_EXCLUDE: CHANGELOG.md + +FORMATTERS_DISABLE_ERRORS: false + +MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml +MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: CHANGELOG.md + +# Remove initial MegaLinter graphic +PRINT_ALPACA: false + +# Disable creating report directory +REPORT_OUTPUT_FOLDER: none + +# Issue: https://github.com/bridgecrewio/checkov/issues/3839 +# The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty +REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7 + +# Do not leave debug code in production, Insecure URL +REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138 + +REPOSITORY_KICS_ARGUMENTS: --fail-on high + +REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL + +TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: + - GITHUB_TOKEN + +TYPESCRIPT_PRETTIER_ARGUMENTS: --html-whitespace-sensitivity=ignore + +VALIDATE_ALL_CODEBASE: true diff --git a/.mlc_config.json b/.mlc_config.json new file mode 100644 index 00000000..bfb92105 --- /dev/null +++ b/.mlc_config.json @@ -0,0 +1,7 @@ +{ + "ignorePatterns": [ + { + "pattern": "https://.*.mylabs.dev" + } + ] +} 
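Review bot: `REPOSITORY_KICS_ARGUMENTS: --fail-on high` and `REPOSITORY_TRIVY_ARGUMENTS: ... --severity HIGH,CRITICAL` make MEDIUM and lower findings from both scanners non-blocking, and `REPOSITORY_DEVSKIM_ARGUMENTS` ignores DS137138 (Insecure URL) for the whole repository, but unlike most other keys in this file these carry no rationale. Add comments in the existing style, e.g. `# Only HIGH/CRITICAL findings block the build; lower severities are reviewed in the report` above the KICS/Trivy lines, and for DevSkim state where the http:// URLs that trigger DS137138 live (presumably cluster-internal endpoints in the demo docs — confirm) so the rule can later be narrowed with `--ignore-globs` instead of disabled. `TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES` handing `GITHUB_TOKEN` to tflint also deserves a one-line note on what it is for (presumably plugin downloads during `tflint --init` — confirm).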
diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 00000000..30a04d08 --- /dev/null +++ b/.trivyignore.yaml @@ -0,0 +1,13 @@ +vulnerabilities: + # │ glob-parent │ CVE-2020-28469 │ HIGH │ fixed │ 3.1.0 │ 5.1.2 │ Regular expression denial of service │ + - id: CVE-2020-28469 + # │ json5 │ CVE-2022-46175 │ HIGH │ fixed │ 0.5.1 │ 2.2.2, 1.0.2 │ json5: Prototype Pollution in JSON5 via Parse Method │ + - id: CVE-2022-46175 + # │ loader-utils │ CVE-2022-37601 │ CRITICAL │ fixed │ 0.2.17 │ 2.0.3, 1.4.1 │ loader-utils: prototype pollution in function parseQuery in │ + - id: CVE-2022-37601 + # │ node-forge │ CVE-2022-24771 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification leniency in checking │ + - id: CVE-2022-24771 + # │ node-forge │ CVE-2022-24772 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification failing to check tailing │ + - id: CVE-2022-24772 + # │ nth-check │ CVE-2021-3803 │ HIGH │ fixed │ 1.0.2 │ 2.0.1 │ inefficient regular expression complexity │ + - id: CVE-2021-3803 diff --git a/.yamllint.yml b/.yamllint.yml deleted file mode 100644 index 7b6077b4..00000000 --- a/.yamllint.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# https://yamllint.readthedocs.io/en/stable/configuration.html -extends: default - -# https://yamllint.readthedocs.io/en/stable/rules.html -rules: - # 80 chars should be enough, but don't fail if a line is longer - line-length: - max: 80 - level: warning diff --git a/docs/README.md b/docs/README.md index 2590dc26..b6c93527 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -15,7 +15,7 @@ across clouds. * Demo GitHub repository: [https://github.com/ruzickap/k8s-harbor](https://github.com/ruzickap/k8s-harbor) * Demo Web Pages: [https://ruzickap.github.io/k8s-harbor](https://ruzickap.github.io/k8s-harbor) * Presentation git repository: [https://github.com/ruzickap/k8s-harbor-presentation](https://github.com/ruzickap/k8s-harbor-presentation) -* Presentation URL: [https://ruzickap.github.io/k8s-harbor-presentation](https://ruzickap.github.io/k8s-harbor-presentation) +* Presentation URL: [https://ruzickap.github.io/k8s-harbor-presentation/](https://ruzickap.github.io/k8s-harbor-presentation/) * YouTube: [Harbor presentation in Czech language](https://youtu.be/niZJOM7ND24) * Asciinema screencast: [https://asciinema.org/a/253519](https://asciinema.org/a/253519) * Asciinema screencast (45 minutes): [https://asciinema.org/a/278803](https://asciinema.org/a/278803) @@ -64,7 +64,6 @@ across clouds. * [Deploying Harbor Container Registry in Production](https://medium.com/@ikod/deploy-harbor-container-registry-in-production-89352fb1a114) * [How to install and use VMware Harbor private registry with Kubernetes](https://blog.inkubate.io/how-to-use-harbor-private-registry-with-kubernetes/) * [Use the Notary client for advanced users](https://docs.docker.com/notary/advanced_usage/) - * [Signing Docker images with Notary server](https://werner-dijkerman.nl/2019/02/24/signing-docker-images-with-notary-server/) * [Handy API Harbor calls (in Chinese)](https://cloud.tencent.com/developer/article/1151425) * [Swagger Editor](https://editor.swagger.io/) + Import [Harbor's swagger.yaml](https://raw.githubusercontent.com/goharbor/harbor/7b6e83090e26d171c0d0e0dacd14e2b61fab45e1/API/harbor/swagger.yaml) diff --git a/docs/part-03/README.md b/docs/part-03/README.md index c78be097..15f96d37 100644 --- a/docs/part-03/README.md +++ b/docs/part-03/README.md 
@@ -188,7 +188,6 @@ spec: name: letsencrypt-production-dns dns01: # Here we define a list of DNS-01 providers that can solve DNS challenges - # https://docs.cert-manager.io/en/latest/tasks/acme/configuring-dns01/index.html providers: - name: aws-route53 route53: diff --git a/files/ansible/aws_windows_server_2016.yml b/files/ansible/aws_windows_server_2016.yml index 1d497bd0..2460ce46 100644 --- a/files/ansible/aws_windows_server_2016.yml +++ b/files/ansible/aws_windows_server_2016.yml @@ -8,6 +8,7 @@ # Values for CloudFormation template system_security_settings_tmp_file: c:\\secedit-export.cfg windows_machines_ansible_user: ansible + #checkov:skip=CKV_SECRET_6:Base64 High Entropy String windows_machines_ansible_pass: ansible_secret_password aws_region: eu-central-1 aws_cf_eksctl_stack_name: "eksctl-{{ lookup('env','USER') }}-k8s-harbor-cluster" @@ -19,7 +20,6 @@ Environment: Test tasks: - - name: Get summary information about a cloudformation stack cloudformation_facts: stack_name: "{{ aws_cf_eksctl_stack_name }}" @@ -56,7 +56,7 @@ ansible_user: "{{ windows_machines_ansible_user }}" ansible_password: "{{ windows_machines_ansible_pass }}" ansible_winrm_server_cert_validation: ignore - ansible_connection: 'winrm' + ansible_connection: "winrm" groups: winservers site_name: "{{ aws_cf_stack_name }}" changed_when: false @@ -70,9 +70,12 @@ vars: domain: mylabs.dev + # kics-scan ignore-line + #checkov:skip=CKV_SECRET_6:Base64 High Entropy String master_password: really_long_secret_windows_password netbios_name: "{{ domain.split('.')[0] | upper }}" number_of_test_groups: 3 + # kics-scan ignore-line test_user_password: admin tasks: 
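Review bot: The `# kics-scan ignore-line` added above `master_password` is followed by the `#checkov:skip=...` comment rather than by the `master_password:` line, and KICS applies ignore-line to the next line, so that suppression presumably lands on the checkov comment and `master_password` is still reported — swap the two comments so `# kics-scan ignore-line` sits directly above `master_password:`. The checkov skip reason on both `windows_machines_ansible_pass` and `master_password` is the check's own title (`Base64 High Entropy String`) rather than a justification; since these look like throw-away lab credentials (inferred from the playbook — confirm), say so: `#checkov:skip=CKV_SECRET_6:demo-only credential for a disposable lab VM, not a real secret`. The `ansible_winrm_server_cert_validation: ignore` context line in the earlier hunk of this file would merit the same kind of justification if it is revisited.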
@@ -140,7 +143,8 @@ name: "{{ 'aduser%02x' | format(item) }}" description: "{{ 'User %02x - Group %02x' | format(item, (item / 2) | round(0,'ceil') | int) }}" password: "{{ test_user_password }}" - groups: ["{{ 'adgroup%02x' | format((item / 2) | round(0,'ceil') | int) }}"] + groups: + ["{{ 'adgroup%02x' | format((item / 2) | round(0,'ceil') | int) }}"] changed_when: False loop: "{{ range(1, number_of_test_groups * 2 + 1, 1)|list }}" loop_control: diff --git a/files/cert-manager-letsencrypt-aws-route53-clusterissuer.yaml b/files/cert-manager-letsencrypt-aws-route53-clusterissuer.yaml index defad504..474b302f 100644 --- a/files/cert-manager-letsencrypt-aws-route53-clusterissuer.yaml +++ b/files/cert-manager-letsencrypt-aws-route53-clusterissuer.yaml @@ -54,7 +54,6 @@ spec: name: letsencrypt-production-dns dns01: # Here we define a list of DNS-01 providers that can solve DNS challenges - # https://docs.cert-manager.io/en/latest/tasks/acme/configuring-dns01/index.html providers: - name: aws-route53 route53: diff --git a/lychee.toml b/lychee.toml new file mode 100644 index 00000000..7fd4af58 --- /dev/null +++ b/lychee.toml 
@@ -0,0 +1,42 @@
+# https://lychee.cli.rs/#/usage/config
+
+############################# Cache ###############################
+
+# Enable link caching. This can be helpful to avoid checking the same links on
+# multiple runs
+cache = true
+
+# Discard all cached requests older than this duration
+max_cache_age = "1d"
+
+############################# Runtime #############################
+
+# Maximum number of concurrent link checks
+max_concurrency = 128
+
+############################# Requests ############################
+
+# Comma-separated list of accepted status codes for valid links.
+accept = [999]
+
+############################# Exclusions ##########################
+
+# Exclude URLs and mail addresses from checking (supports regex)
+exclude = [
+ # Ignore all URLs with '$' - BASH variable in URL
+ '\$',
+ # Ignore all URLs with '{ ... }' - BASH / Ansible variable in URL
+ '%7B.*%7D',
+ # Ignore all URLs which starts with 'file://'
+ 'file://'
+]
+
+# Exclude these filesystem paths from getting checked
+exclude_path = [
+ "CHANGELOG.md",
+]
+
+# Exclude all private IPs from checking.
+# Equivalent to setting `exclude_private`, `exclude_link_local`, and
+# `exclude_loopback` to true
+exclude_all_private = true
diff --git a/run-k8s-harbor-full.sh b/run-k8s-harbor-full.sh
index d0b5fd35..54b927e6 100755
--- a/run-k8s-harbor-full.sh
+++ b/run-k8s-harbor-full.sh
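Review bot: `accept = [999]` names a single status code; if lychee treats a configured `accept` list as replacing its default set of valid codes rather than extending it, every ordinary 2xx response would be reported as a broken link and the checker would fail on the first run. Worth confirming against the lychee version in use, or making the intent explicit so it does not depend on merge semantics, e.g. `accept = [200, 403, 429, 999]`. A short comment above the line saying why 999 is expected (which host returns it) would also help the next person who sees the check go red.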
@@ -54,15 +54,13 @@ clear [ ! -d .git ] && git clone --quiet https://github.com/ruzickap/k8s-harbor && cd k8s-harbor sed docs/part-{01..08}/README.md \ - -e '/^## Configure AWS/,/^Create policy allowing the cert-manager to change Route 53 settings./d' \ -| \ -sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p;/^-----$/p" \ -| \ -sed \ - -e 's/^-----$/\np ""\np "################################################################################################### Press to continue"\nwait\n/' \ - -e 's/^```bash.*/\npe '"'"'/' \ - -e 's/^```$/'"'"'/' \ -> README.sh + -e '/^## Configure AWS/,/^Create policy allowing the cert-manager to change Route 53 settings./d' | + sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p;/^-----$/p" | + sed \ + -e 's/^-----$/\np ""\np "################################################################################################### Press to continue"\nwait\n/' \ + -e 's/^```bash.*/\npe '"'"'/' \ + -e 's/^```$/'"'"'/' \ + > README.sh if [ "$#" -eq 0 ]; then diff --git a/run-k8s-harbor-part1-45min.sh b/run-k8s-harbor-part1-45min.sh index fd1f2ef5..6faad222 100755 --- a/run-k8s-harbor-part1-45min.sh +++ b/run-k8s-harbor-part1-45min.sh @@ -11,12 +11,10 @@ grep mylabs.dev /etc/hosts sed docs/part-0{1..5}/README.md \ - -e '/^## Configure AWS/,/^Create policy allowing the cert-manager to change Route 53 settings./d' \ -| \ -sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" \ -| \ -sed "/^\`\`\`*/d" \ -> README.sh + -e '/^## Configure AWS/,/^Create policy allowing the cert-manager to change Route 53 settings./d' | + sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" | + sed "/^\`\`\`*/d" \ + > README.sh if [ "$#" -eq 0 ]; then # shellcheck disable=SC1091 diff --git a/run-k8s-harbor-part1.sh b/run-k8s-harbor-part1.sh index 37c04c78..f0986666 100755 --- a/run-k8s-harbor-part1.sh +++ b/run-k8s-harbor-part1.sh 
@@ -13,8 +13,6 @@ grep mylabs.dev /etc/hosts sed docs/part-0{1,2,3,4}/README.md \ -e '/^## Configure AWS/,/^Create policy allowing the cert-manager to change Route 53 settings./d' \ - -e '/^Harbor architecture:/,$d' \ -| \ -sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" \ -| \ -sed "/^\`\`\`*/d" | sh -eux + -e '/^Harbor architecture:/,$d' | + sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" | + sed "/^\`\`\`*/d" | sh -eux diff --git a/run-k8s-harbor-part2-45min.sh b/run-k8s-harbor-part2-45min.sh index 4e560888..f0b4a341 100755 --- a/run-k8s-harbor-part2-45min.sh +++ b/run-k8s-harbor-part2-45min.sh @@ -37,15 +37,13 @@ export DEMO_PROMPT="${GREEN}➜ ${CYAN}$ " sed docs/part-0{6..8}/README.md \ -e '/^## Upload Helm Chart using CLI/,/^## Upload signed Helm Chart using CLI/d' \ - -e '/^## Signed container image/,/^## Vulnerability scan/d' \ -| \ -sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p;/^-----$/p" \ -| \ -sed \ - -e 's/^-----$/\np ""\np "################################################################################################### Press to continue"\nwait\n/' \ - -e 's/^```bash.*/\npe '"'"'/' \ - -e 's/^```$/'"'"'/' \ -> README.sh + -e '/^## Signed container image/,/^## Vulnerability scan/d' | + sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p;/^-----$/p" | + sed \ + -e 's/^-----$/\np ""\np "################################################################################################### Press to continue"\nwait\n/' \ + -e 's/^```bash.*/\npe '"'"'/' \ + -e 's/^```$/'"'"'/' \ + > README.sh if [ "$#" -eq 0 ]; then 
@@ -67,7 +65,7 @@ if [ "$#" -eq 0 ]; then echo -e "\n${MY_DOMAIN} | ${EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID} | ${EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY}\n$(kubectl --kubeconfig=./kubeconfig.conf cluster-info)" if [ -z "${EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID}" ] || [ -z "${EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY}" ]; then - echo -e "\n*** One of the mandatory variables 'EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID' or 'EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY' is not set !!\n"; + echo -e "\n*** One of the mandatory variables 'EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID' or 'EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY' is not set !!\n" exit 1 fi diff --git a/run-k8s-harbor-part2.sh b/run-k8s-harbor-part2.sh index 89f028f9..680a1171 100755 --- a/run-k8s-harbor-part2.sh +++ b/run-k8s-harbor-part2.sh @@ -36,15 +36,13 @@ export DEMO_PROMPT="${GREEN}➜ ${CYAN}$ " #clear sed docs/part-{01,{04..08}}/README.md \ - -e '/^## Prepare the local working environment/,/^You should be able to access Windows Server using RDP/d' \ -| \ -sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p;/^-----$/p" \ -| \ -sed \ - -e 's/^-----$/\np ""\np "################################################################################################### Press to continue"\nwait\n/' \ - -e 's/^```bash.*/\npe '"'"'/' \ - -e 's/^```$/'"'"'/' \ -> README.sh + -e '/^## Prepare the local working environment/,/^You should be able to access Windows Server using RDP/d' | + sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p;/^-----$/p" | + sed \ + -e 's/^-----$/\np ""\np "################################################################################################### Press to continue"\nwait\n/' \ + -e 's/^```bash.*/\npe '"'"'/' \ + -e 's/^```$/'"'"'/' \ + > README.sh if [ "$#" -eq 0 ]; then 
@@ -66,7 +64,7 @@ if [ "$#" -eq 0 ]; then echo -e "\n${MY_DOMAIN} | ${EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID} | ${EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY}\n$(kubectl --kubeconfig=./kubeconfig.conf cluster-info)" if [ -z "${EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID}" ] || [ -z "${EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY}" ]; then - echo -e "\n*** One of the mandatory variables 'EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID' or 'EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY' is not set !!\n"; + echo -e "\n*** One of the mandatory variables 'EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID' or 'EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY' is not set !!\n" exit 1 fi @@ -79,7 +77,11 @@ EOF export KUBECONFIG=$PWD/kubeconfig.conf CLAIR_POD=$(kubectl get pods -l "app=harbor,component=clair" -n harbor-system -o jsonpath="{.items[0].metadata.name}") COUNT=0 - while ! kubectl logs -n harbor-system "${CLAIR_POD}" | grep "update finished"; do COUNT=$((COUNT+1)); echo -n "${COUNT} "; sleep 10; done + while ! kubectl logs -n harbor-system "${CLAIR_POD}" | grep "update finished"; do + COUNT=$((COUNT+1)) + echo -n "${COUNT} " + sleep 10 + done set -eux ansible localhost -m wait_for -a "port=5986 host=winad01.${MY_DOMAIN}" diff --git a/tests/tests.sh b/tests/tests.sh index abc32a52..c2dba4dc 100755 --- a/tests/tests.sh +++ b/tests/tests.sh @@ -5,7 +5,10 @@ export LETSENCRYPT_ENVIRONMENT="staging" export EKS_CERT_MANAGER_ROUTE53_AWS_ACCESS_KEY_ID="none" export EKS_CERT_MANAGER_ROUTE53_AWS_SECRET_ACCESS_KEY="none" -test -d files || ( echo -e "\n*** Run in top level directory\n"; exit 1 ) +test -d files || ( + echo -e "\n*** Run in top level directory\n" + exit 1 +) echo "*** Remove cluster (if exists)" kind get clusters | grep 'k8s-harbor-test' && kind delete cluster --name k8s-harbor-test 
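Review bot: In the reformatted `while ! kubectl logs … | grep "update finished"` loop of `@@ -79,7 +77,11 @@`, `COUNT` is incremented and printed but never compared, so the loop has no upper bound and the script hangs forever if the Clair pod never logs that line or if the `jsonpath` lookup two lines above left `CLAIR_POD` empty. Since the body now has its own lines, a cap is cheap and turns the hang into a visible failure, e.g. `[ "${COUNT}" -lt 90 ] || { echo "*** Timed out waiting for Clair update" >&2; exit 1; }` as the first statement of the body (90 is a constructed example). The loop also runs before the `set -eux` that follows it, so a failing `kubectl logs` is otherwise indistinguishable from "not finished yet". The surrounding block starts before the hunk.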
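Review bot: `exit 1` inside the `( … )` subshell of the reformatted `test -d files ||` guard in tests.sh `@@ -5,7 +5,10 @@` terminates only the subshell, so unless the script runs under `set -e` (not visible in this hunk) execution continues into `kind delete cluster` from the wrong working directory. The reformat is a good moment to make the guard actually stop the script with a brace group: `test -d files || { echo -e "\n*** Run in top level directory\n" >&2; exit 1; }`.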
@@ -71,14 +74,12 @@ sed docs/part-{02..09}/README.md \ -e '/"update finished"/d' \ -e 's/^aws cloudformation.*/### &/' \ -e 's/^eksctl*/### &/' \ - -e 's/^aws iam.*/### &/' \ -| \ -sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" \ -| \ -sed \ - -e 's/^```bash.*/\npe '"'"'/' \ - -e 's/^```$/'"'"'/' \ -> README.sh + -e 's/^aws iam.*/### &/' | + sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" | + sed \ + -e 's/^```bash.*/\npe '"'"'/' \ + -e 's/^```$/'"'"'/' \ + > README.sh # shellcheck disable=SC1091 source README.sh