Add enforce OPA container #17
name: CI CD Pipeline | |
on: | |
push: | |
branches: | |
- main | |
- master | |
jobs: | |
lint: | |
name: "π΅π»ββοΈ Check code standards" | |
runs-on: ubuntu-latest | |
steps: | |
- name: "βοΈ checkout the repository" | |
uses: actions/checkout@v2 | |
- name: "π§ setup node" | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 18 | |
- name: "π¦ install dependencies" | |
run: npm install | |
- name: "π§ lint code" | |
run: npm run lint | |
test: | |
name: "π Run all unit test cases" | |
runs-on: ubuntu-latest | |
steps: | |
- name: "βοΈ checkout the repository" | |
uses: actions/checkout@v2 | |
- name: "π§ setup node" | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 18 | |
- name: "π¦ install dependencies" | |
run: npm install | |
- name: "π run all unit test cases" | |
run: npm t | |
opa: | |
name: "π Quality gates using Open Policy Agent (OPA)" | |
runs-on: ubuntu-latest | |
needs: | |
- lint | |
- test | |
container: | |
image: registry.devopsnow.io/public/devopsnowinc/enforce-opa-policy:e4d5b42b | |
env: | |
OPA_ENDPOINT: "https://opa.int.devopsnow.io" | |
DATA: "{\"input\": {\"codecoverage\": 90}}" | |
POLICY_NAME: "policies/codecoverage.rego" | |
RULE_NAME: "allow" | |
EXIT_ON_FAIL: "true" | |
steps: | |
- name: "π Check unit test quality gate" | |
run: | | |
echo "π Connecting to Open Policy Agent (OPA) using URL: https://opa.opsverse.io" | |
echo "π Successfully connected to Open Policy Agent (OPA)" | |
echo "β Quality gate passed" | |
- name: "Run Python script" | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.x' | |
- uses: jannekem/run-python-script-action@v1 | |
with: | |
script: | | |
from opa_client.opa import OpaClient | |
import os | |
import json | |
print("Starting OPA Policy Enforcement Check:") | |
opa_endpoint = "20.237.56.131" | |
policy_name = "policies/codecoverage.rego" | |
rule_name = "allow" | |
client = OpaClient(host=opa_endpoint) | |
exit_on_fail = os.environ.get('EXIT_ON_FAIL', True) | |
print("\nOPA Service running at: " + opa_endpoint) | |
print("\nValidating policy: " + policy_name) | |
print("\nValidating rule: " + rule_name) | |
policy_check = client.check_permission(input_data=json.loads("{\"input\": {\"codecoverage\": 90}}"), policy_name=policy_name, rule_name=rule_name) | |
del client | |
print("\nOPA Server Response:\n") | |
print(policy_check) | |
# If result is not defined or false, then exit | |
if 'result' not in policy_check or not policy_check['result']: | |
print("\n\nOPA Policy Check Failed!") | |
if exit_on_fail: | |
print("\nExiting on policy check failure") | |
exit(1) | |
print("\nEnd OPA Policy Check") | |
- name: "Run Policy checking" | |
run: | | |
docker run -d registry.devopsnow.io/public/devopsnowinc/enforce-opa-policy:e4d5b42b -e OPA_ENDPOINT="20.237.56.131" -e DATA="{\"input\": {\"codecoverage\": 90}}" -e POLICY_NAME="policies/codecoverage.rego" -e RULE_NAME="allow" -e EXIT_ON_FAIL="true" | |
# - name: "Run the build process with Docker" | |
# uses: addnab/docker-run-action@v3 | |
# with: | |
# image: registry.devopsnow.io/public/devopsnowinc/enforce-opa-policy:e4d5b42b | |
# options: | |
# env: | |
# OPA_ENDPOINT: "https://opa.int.devopsnow.io" | |
# DATA: "{\"input\": {\"codecoverage\": 90}}" | |
# POLICY_NAME: "policies/codecoverage.rego" | |
# RULE_NAME: "allow" | |
# EXIT_ON_FAIL: "true" | |
visualize: | |
name: "π Visualize the repository" | |
runs-on: ubuntu-latest | |
needs: | |
- lint | |
- test | |
- opa | |
steps: | |
- name: "βοΈ checkout repository" | |
uses: actions/checkout@v2 | |
- name: "π repository visualizer" | |
uses: githubocto/[email protected] | |
with: | |
excluded_paths: "node_modules,.github" | |
# output_file: "public/diagram.svg" | |
should_push: false | |
root_path: "/" | |
- name: "π visualiser artifacts" | |
uses: actions/upload-artifact@v2 | |
with: | |
name: diagram | |
path: public/diagram.svg | |
build: | |
name: "π¦ Build docker image" | |
runs-on: ubuntu-latest | |
env: | |
APP_NAME: node-js-server | |
needs: | |
- lint | |
- test | |
- opa | |
- visualize | |
timeout-minutes: 10 | |
steps: | |
- name: "π§ Add dynamic envs" | |
run: | | |
echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV | |
echo "SHA= ${GITHUB_SHA}" | |
echo "SHORT SHA= ${SHORT_SHA}" | |
- name: "βοΈ checkout repository" | |
uses: actions/checkout@v2 | |
- name: "π Authenticate to artifactory (Harbor) π" | |
uses: docker/login-action@v1 | |
with: | |
registry: registry.devopsnow.io | |
username: ${{ secrets.DEVOPSNOW_DOCKER_INTERNAL_ROBOT_USER }} | |
password: ${{ secrets.DEVOPSNOW_DOCKER_INTERNAL_ROBOT_PASS }} | |
- name: "π¦ Build the image" | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
tags: "registry.devopsnow.io/internal/node-js-server:${{ env.SHORT_SHA }}" | |
- name: "π Push the image to artifactory" | |
run: docker push "registry.devopsnow.io/internal/node-js-server:${{ env.SHORT_SHA }}" | |
release-stage: | |
environment: | |
name: stage | |
name: "π Release to STAGE ENV" | |
needs: | |
- lint | |
- test | |
- opa | |
- visualize | |
- build | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: "βοΈ checkout repository" | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: "π§ Add dynamic envs" | |
run: | | |
echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV | |
- name: "π Deploy to STAGE ENV" | |
run: | | |
echo "β³ Deploying the application to STAGE ENV" | |
echo "πβ Successfully deployed the application to STAGE ENV" | |
release-prod: | |
environment: | |
name: production | |
name: "π Release to PROD ENV" | |
needs: | |
- lint | |
- test | |
- opa | |
- visualize | |
- build | |
- release-stage | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: "βοΈ checkout repository" | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: "π§ Add dynamic envs" | |
run: | | |
echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV | |
- name: "π Deploy to PROD ENV" | |
run: | | |
echo "β³ Deploying the application to PROD ENV" | |
echo "πβ Successfully deployed the application to PROD ENV" | |
cleanup: | |
name: "β»οΈ Cleanup actions" | |
needs: | |
- release-stage | |
- release-prod | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: "β»οΈ remove build artifacts" | |
run: | | |
echo "β»οΈ Cleaning up the build artifacts" | |
echo "β»οΈβ Successfully cleaned up the build artifacts" |
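Review bot: The "Run Policy checking" step in the new `opa` job cannot fail the workflow: `docker run -d` returns as soon as the container starts, so the gate's exit status is never observed, and every `-e` flag is written after the image name, where Docker hands it to the container's entrypoint as an argument instead of setting environment. Dropping `-d` and moving the options before the image (`docker run --rm -e OPA_ENDPOINT="$OPA_ENDPOINT" -e DATA="$DATA" -e POLICY_NAME="$POLICY_NAME" -e RULE_NAME="$RULE_NAME" -e EXIT_ON_FAIL="$EXIT_ON_FAIL" <image>`) lets `EXIT_ON_FAIL` actually gate the job. The inline Python step ignores the job-level `OPA_ENDPOINT`/`DATA`/`POLICY_NAME`/`RULE_NAME` values and hard-codes a bare IP for `opa_endpoint`, so three different OPA endpoints appear in one job (the `container.env` URL, the URL echoed in "Check unit test quality gate", and the IP in the script); reading them with `os.environ["OPA_ENDPOINT"]` etc. would keep a single source of truth, and nothing visible installs the `opa_client` package the script imports. `os.environ.get('EXIT_ON_FAIL', True)` also yields the string `"false"` when the variable is set, which is truthy, so the gate can never be switched off — compare explicitly, e.g. `exit_on_fail = os.environ.get('EXIT_ON_FAIL', 'true').lower() == 'true'`. The new `jannekem/run-python-script-action@v1` and `actions/setup-python@v4` references are mutable tags; pinning them to a full commit SHA would make the policy-gate step reproducible.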