From 179c8d39a37aa51650d98933c7f851c2e0292786 Mon Sep 17 00:00:00 2001
From: Oscar Wieman
Date: Mon, 27 Nov 2023 23:52:10 +0100
Subject: [PATCH] run image without root, optimize image size, fix comparison bug & general cleanup #minor
---
 .github/workflows/bump.yml | 8 ++--
 .github/workflows/codeql-analysis.yml | 54 ---------------------------
 .github/workflows/main.yml | 16 ++++----
 Dockerfile | 16 +++++---
 LICENSE.md | 4 +-
 README.md | 4 +-
 auto-dns.py | 2 +-
 7 files changed, 31 insertions(+), 73 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
index e593f49..d578b9b 100644
--- a/.github/workflows/bump.yml
+++ b/.github/workflows/bump.yml
@@ -1,19 +1,21 @@
 name: Bump version
+
 on:
 push:
 branches:
 - main
+
 jobs:
- build:
+ bump:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: '0'
 - name: Bump version and push tag
 uses: anothrNick/github-tag-action@v1
 env:
- GITHUB_TOKEN: ${{ secrets.MY_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.MY_TOKEN }} # not GITHUB_TOKEN because it does not trigger (other) github actions
 WITH_V: true
 DEFAULT_BUMP: patch
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index fa61bac..0000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
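Review bot: `uses: anothrNick/github-tag-action@v1` is referenced by a mutable major tag while the step receives `secrets.MY_TOKEN`, which the added comment implies is a personal token with push rights to the repository; whatever that tag is moved to will run with that token. Pin the step to a full commit SHA, `uses: anothrNick/github-tag-action@<full-commit-sha> # v1`, keeping the version in the trailing comment so Dependabot can still propose updates. The workflow also has no `permissions:` block, so the default GITHUB_TOKEN keeps the repository's default scopes even though nothing here uses it; a top-level `permissions: contents: read` (or `permissions: {}`) makes that explicit. The comment on the `GITHUB_TOKEN:` line would be more useful if it also named the minimum scope the personal token needs.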
@@ -1,54 +0,0 @@
-name: "CodeQL"
-
-on:
- push:
- branches: [main]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [main]
- schedule:
- - cron: '0 20 * * 3'
-
-jobs:
- analyse:
- name: Analyse
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
- with:
- # We must fetch at least the immediate parents so that if this is
- # a pull request then we can checkout the head.
- fetch-depth: 2
-
- # If this run was triggered by a pull request event, then checkout
- # the head of the pull request instead of the merge commit.
- - run: git checkout HEAD^2
- if: ${{ github.event_name == 'pull_request' }}
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
- # Override language selection by uncommenting this and choosing your languages
- # with:
- # languages: go, javascript, csharp, python, cpp, java
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
-
- # ℹī¸ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
-
- # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 64f99f0..92ab3ab 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,16 +6,18 @@ on:
 - 'v*'
 jobs:
- docker:
+ build:
 runs-on: ubuntu-latest
+ permissions:
+ packages: write
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Generate Docker metadata
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: |
 ghcr.io/${{ github.repository }}
@@ -29,20 +31,20 @@ jobs:
 latest=true
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Login to GitHub Package Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: .
 push: ${{ github.event_name != 'pull_request' }}
diff --git a/Dockerfile b/Dockerfile
index e61462a..64f4a0d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,16 @@
-FROM python:alpine
-
-WORKDIR /usr/src/app
+FROM python:alpine AS build-image
-RUN apk add --no-cache --update curl-dev libressl-dev musl-dev gcc
+RUN apk add --no-cache --update curl-dev musl-dev gcc
 COPY requirements.txt ./
+
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
 RUN pip install --no-cache-dir -r requirements.txt
+FROM python:alpine
+RUN apk add --no-cache --update curl
+ENV PATH="/opt/venv/bin:$PATH"
+COPY --from=build-image /opt/venv /opt/venv
 COPY auto-dns.py ./
 ENV TIMEOUT 5
@@ -14,4 +19,5 @@ ENV REGEX_DOMAIN "k8s-[0-9]+\.oscarr\.nl"
 ENV KUBERNETES_DOMAIN "kubernetes.oscarr.nl"
 ENV TEST_DOMAIN "ninoo.nl"
-CMD [ "python", "./auto-dns.py" ]
+USER nobody
+CMD [ "python", "auto-dns.py" ]
diff --git a/LICENSE.md b/LICENSE.md
index c9fa135..78fb74e 100644
--- a/LICENSE.md
+++ b/LICENSE.md
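Review bot: The new `permissions:` block lists only `packages: write`, and once any scope is listed every unlisted scope of GITHUB_TOKEN becomes `none`, so `actions/checkout@v4` in this hunk runs without `contents: read`. That presumably still works because the repository is public, but it will break the checkout if visibility ever changes; add `contents: read` under `permissions:` next to `packages: write` so the grant is complete and explicit. Pinning the `uses:` references to commit SHAs rather than major tags (here and in the second hunk) would also make the build job's inputs reproducible. The `on:` trigger block this hunk begins in is outside the hunk.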
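Review bot: `WORKDIR /usr/src/app` is removed and the new runtime stage sets no working directory, so `COPY auto-dns.py ./` now places the script in `/` and the `CMD` in the next hunk runs from the image root. Add `WORKDIR /app` after the runtime `FROM python:alpine` line (or restore the old path) so the script and anything it writes live in a known directory rather than alongside system files. Whether dropping `libressl-dev` from the build stage affects the pinned dependencies cannot be judged here, as requirements.txt is not in the diff; confirm against a fresh image build. `ENV TIMEOUT 5` and the other legacy-form `ENV` lines could follow the `ENV PATH=` form introduced here for consistency.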
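Review bot: `USER nobody` selects the unprivileged user by name, which a Kubernetes `runAsNonRoot` check cannot verify — the kubelet refuses to start a container whose image user is non-numeric under that setting. Write it as `USER 65534:65534` (nobody's conventional UID/GID on Alpine; confirm in the built image), or add a dedicated user in the runtime stage and reference its numeric id, so the non-root intent holds under both plain `docker run` and pod security settings. The rest of this hunk looks right; dropping `./` from the `CMD` path changes nothing at runtime.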
@@ -1,6 +1,6 @@
-MIT License
+# MIT License
-Copyright (c) [2022] [Bierteam]
+Copyright (c) [2023] [Bierteam]
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index 4834fe6..344ef8c 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Readme
+# README
 This container will monitor the available nodes in our kubernetes cluster and will update the dns records accordingly. This only supports the cloudflare API
@@ -8,6 +8,7 @@ Then it tries to connect to each of the found records and checks if there is a v
 If there is a succesful connection the ip of the node will be added to the pool (KUBERNETES_DOMAIN) (ipv4 and ipv6)
 Env variables:
+
 ```bash
 TIMEOUT=5
 MAIN_DOMAIN="oscarr.nl"
@@ -16,4 +17,5 @@ KUBERNETES_DOMAIN="kubernetes.oscarr.nl"
 TEST_DOMAIN="ninoo.nl"
 CLOUDFLARE_API_TOKEN="SECRET"
 ```
+
 https://dash.cloudflare.com/profile/api-tokens
diff --git a/auto-dns.py b/auto-dns.py
index fdf5a93..0eeec03 100755
--- a/auto-dns.py
+++ b/auto-dns.py
@@ -32,7 +32,7 @@ kubernetesPool = {}
 # find all regexDomain records
 for record in records:
- if record['type'] == "A" or "AAAA":
+ if record['type'] == "A" or record['type'] == "AAAA":
 if re.search(regexDomain, record['name']):
 nodes.append({"name": record['name'], "type": record['type'], "ip": record['content']})
 if record['name'] == kubernetesDomain:
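Review bot: The corrected condition `record['type'] == "A" or record['type'] == "AAAA"` is right but is easier to read and harder to regress as a membership test: `if record['type'] in ("A", "AAAA"):`. The `for record in records:` loop continues past the end of the hunk, and `records` itself is defined earlier in the file, so the filter's full effect cannot be judged from this hunk alone.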