From f50260b9f7e2d3d10b7cf446fb72987694a9b003 Mon Sep 17 00:00:00 2001 From: Phillip Wirth Date: Thu, 25 Jan 2024 18:02:36 +0100 Subject: [PATCH] initial commit --- .github/workflows/clean.yml | 16 ++++++ .github/workflows/push.yml | 109 ++++++++++++++++++++++++++++++++++++ .github/workflows/tag.yml | 49 ++++++++++++++++ .gitignore | 16 ++++++ Dockerfile | 8 +++ app.py | 37 ++++++++++++ requirements.txt | 1 + 7 files changed, 236 insertions(+) create mode 100644 .github/workflows/clean.yml create mode 100644 .github/workflows/push.yml create mode 100644 .github/workflows/tag.yml create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 app.py create mode 100644 requirements.txt diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml new file mode 100644 index 0000000..1b049ba --- /dev/null +++ b/.github/workflows/clean.yml @@ -0,0 +1,16 @@ +--- +name: Clean Deployment + +on: delete + +jobs: + clean: + uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main + with: + branch: ${{ github.event.ref }} + secrets: + token: ${{ secrets.GITHUB_TOKEN }} + DEV_KUBE_CONFIG_BRB: ${{ secrets.DEV_KUBE_CONFIG_BRB }} + DEV_KUBE_CONFIG_NBC: ${{ secrets.DEV_KUBE_CONFIG_NBC }} + DEV_KUBE_CONFIG_THR: ${{ secrets.DEV_KUBE_CONFIG_THR }} + DEV_KUBE_CONFIG_DBC: ${{ secrets.DEV_KUBE_CONFIG_DBC }} diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 0000000..4b9c76a --- /dev/null +++ b/.github/workflows/push.yml @@ -0,0 +1,109 @@ +--- +name: Build and push Docker Image + +on: + push: + branches-ignore: + - dependabot/** + +permissions: + contents: read + +jobs: + build_and_push: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - uses: actions/checkout@v3 + + - name: Docker meta Service Name + id: docker_meta_img + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: | + type=ref,event=branch,enable=false,priority=600 + type=sha,enable=true,priority=600,prefix= + - name: Log into registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: test image exists + run: | + echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV + + - name: Build and push ${{ github.repository }} + if: ${{ env.IMAGE_EXISTS == 0 }} + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile + platforms: linux/amd64 + push: true + pull: true + tags: ghcr.io/${{ github.repository }}:${{ github.sha }} + labels: ${{ steps.docker_meta_img.outputs.labels }} + + branch_name: + runs-on: ubuntu-latest + outputs: + branch: ${{ steps.extract_branch.outputs.branch }} + steps: + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + + deploy: + needs: + - build_and_push + - branch_name + uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main + with: + branch: ${{ needs.branch_name.outputs.branch }} + secrets: + token: ${{ secrets.GITHUB_TOKEN }} + DEV_VAULT_BRB: ${{ secrets.DEV_VAULT_BRB }} + DEV_VAULT_NBC: ${{ secrets.DEV_VAULT_NBC }} + DEV_VAULT_THR: ${{ secrets.DEV_VAULT_THR }} + DEV_VAULT_DBC: ${{ secrets.DEV_VAULT_DBC }} + DEV_KUBE_CONFIG_BRB: ${{ secrets.DEV_KUBE_CONFIG_BRB }} + DEV_KUBE_CONFIG_NBC: ${{ secrets.DEV_KUBE_CONFIG_NBC }} + DEV_KUBE_CONFIG_THR: ${{ secrets.DEV_KUBE_CONFIG_THR }} + DEV_KUBE_CONFIG_DBC: ${{ secrets.DEV_KUBE_CONFIG_DBC }} + + deploy-successful: + needs: + - deploy + runs-on: ubuntu-latest + steps: + - run: echo "deploy was successful" + + trivy-vulnerability-scanning: + needs: + - build_and_push + - branch_name + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: run trivy vulnerability scanner + uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 + with: + image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + exit-code: 1 + ignore-unfixed: true + - name: upload trivy results + if: ${{ always() }} + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml new file mode 100644 index 0000000..5d76b95 --- /dev/null +++ b/.github/workflows/tag.yml @@ -0,0 +1,49 @@ +--- +name: Build and push Docker Image on Tag + +on: + push: + tags: + - '[0-9]*' + +jobs: + build_and_push_docker: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - uses: actions/checkout@v3 + - name: Docker meta Service Name for docker hub + id: docker_meta_img_hub + uses: docker/metadata-action@v3 + with: + images: docker.io/schulcloud/schulcloud-avcheck, quay.io/schulcloudverbund/schulcloud-avcheck + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + + - name: Log into docker registry + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_TOKEN }} + + - name: Log into quay registry + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + + - name: Build and push ${{ github.repository }} + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile + platforms: linux/amd64 + push: true + pull: true + tags: ${{ steps.docker_meta_img_hub.outputs.tags }} + labels: ${{ steps.docker_meta_img_hub.outputs.labels }} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..faa7717 --- /dev/null +++ b/.gitignore @@ -0,0 +1,16 @@ +.vagrant +.vscode +.project +.pydevproject +.settings +.idea +*.DS_Store +nbproject +*__pycache__ +*.pyc +*egg-info +*.log +tests +secrets +*.swp +venv diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..af129ae --- /dev/null +++ b/Dockerfile @@ -0,0 +1,8 @@ +FROM docker.io/python:3.12-alpine + +WORKDIR /usr/src/app +COPY requirements.txt requirements.txt +RUN pip3 install -r requirements.txt +COPY app.py app.py + +ENTRYPOINT ["python3", "app.py"] \ No newline at end of file diff --git a/app.py b/app.py new file mode 100644 index 0000000..2e2bf9e --- /dev/null +++ b/app.py @@ -0,0 +1,37 @@ +import logging +import os + +from pymongo import MongoClient + +logging.basicConfig(level=logging.DEBUG) + +if __name__ == '__main__': + mongo_url = os.environ.get('MONGO_URL', 'mongodb://localhost:27017/scapp') + client = MongoClient(mongo_url) + db = client.get_default_database() + + configurable_collections = ['ikwhbd'] + + pipeline = [ + { + '$match': { + 'operationType': 'delete', + 'ns.coll': {'$nin': configurable_collections} + } + } + ] + + with db.watch(pipeline) as stream: + print("Watching for delete events...") + + for change in stream: + # Extract relevant information + collection_name = change['ns']['coll'] + document_id = change['documentKey']['_id'] + + print(f"Deletion event in collection '{collection_name}' for document with ID: {document_id}") + db.ikwhbd.insert_one({ + "source": "iknowwhathasbeendeleted", + "document_id": document_id, + "collection": collection_name + }) diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..f565ca8 --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +pymongo==4.6.1 \ No newline at end of file