Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| a4dc2f1111 | |||
| de61e7e9d9 |
+41
-40
@@ -1,81 +1,82 @@
|
||||
# You can override the included template(s) by including variable overrides
|
||||
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
|
||||
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
|
||||
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
|
||||
# Note that environment variables can be set in several places
|
||||
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
|
||||
variables:
|
||||
GOCACHE: "${CI_PROJECT_DIR}/_go/cache"
|
||||
DOCKER_HOST: tcp://docker:2375
|
||||
DOCKER_DRIVER: overlay2
|
||||
|
||||
before_script:
|
||||
- mkdir -p ${CI_PROJECT_DIR}/_go/{pkg,bin,cache}
|
||||
- rm -rf /go/pkg
|
||||
- ln -s ${CI_PROJECT_DIR}/_go/pkg /go/pkg
|
||||
- ln -s ${CI_PROJECT_DIR}/_go/bin /go/bin
|
||||
|
||||
- mkdir -p ${CI_PROJECT_DIR}/_go/{pkg,bin,cache}
|
||||
- rm -rf /go/pkg
|
||||
- ln -s ${CI_PROJECT_DIR}/_go/pkg /go/pkg
|
||||
- ln -s ${CI_PROJECT_DIR}/_go/bin /go/bin
|
||||
cache:
|
||||
key: "$CI_COMMIT_REF_NAME"
|
||||
paths:
|
||||
- _go
|
||||
- _go
|
||||
untracked: true
|
||||
|
||||
stages:
|
||||
- deps
|
||||
- test
|
||||
- build
|
||||
- package
|
||||
- release
|
||||
|
||||
- deps
|
||||
- test
|
||||
- build
|
||||
- package
|
||||
- release
|
||||
deps:
|
||||
stage: deps
|
||||
image: golang:1.12
|
||||
script:
|
||||
- go get -mod=readonly
|
||||
|
||||
- go get -mod=readonly
|
||||
test:
|
||||
stage: test
|
||||
dependencies:
|
||||
- deps
|
||||
- deps
|
||||
image: golang:1.12
|
||||
script:
|
||||
- go fmt $(go list ./...)
|
||||
- go vet $(go list ./...)
|
||||
- CGO_ENABLED=1 go test -mod=readonly -race $(go list ./...) -coverprofile .testCoverage.txt
|
||||
|
||||
- go fmt $(go list ./...)
|
||||
- go vet $(go list ./...)
|
||||
- CGO_ENABLED=1 go test -mod=readonly -race $(go list ./...) -coverprofile .testCoverage.txt
|
||||
build:
|
||||
stage: build
|
||||
dependencies:
|
||||
- deps
|
||||
- deps
|
||||
image: golang:1.12
|
||||
script:
|
||||
- GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod=readonly -o release/default-request-adder -ldflags '-w -s'
|
||||
- GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod=readonly -o release/default-request-adder
|
||||
-ldflags '-w -s'
|
||||
artifacts:
|
||||
paths:
|
||||
- release/
|
||||
|
||||
- release/
|
||||
package:
|
||||
stage: package
|
||||
dependencies:
|
||||
- build
|
||||
- build
|
||||
image: docker:stable
|
||||
services:
|
||||
- docker:dind
|
||||
- docker:dind
|
||||
before_script:
|
||||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
|
||||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
|
||||
script:
|
||||
- docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
|
||||
- docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
|
||||
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
||||
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
|
||||
|
||||
- docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
|
||||
- docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
|
||||
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
||||
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
|
||||
release:
|
||||
stage: release
|
||||
dependencies:
|
||||
- package
|
||||
- package
|
||||
image: docker:stable
|
||||
services:
|
||||
- docker:dind
|
||||
- docker:dind
|
||||
before_script:
|
||||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
|
||||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
|
||||
script:
|
||||
- docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
||||
- docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
|
||||
- docker push $CI_REGISTRY_IMAGE:latest
|
||||
- docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
||||
- docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
|
||||
- docker push $CI_REGISTRY_IMAGE:latest
|
||||
only:
|
||||
- master
|
||||
- master
|
||||
include:
|
||||
- template: Security/Dependency-Scanning.gitlab-ci.yml
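Review bot: The `before_script` of the `package` and `release` jobs still passes the job token on the command line with `docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY`. That exposes it in the process arguments, and the Docker CLI warns about it. Piping it instead keeps the token out of argv: `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY`. The images `golang:1.12`, `docker:stable` and `docker:dind` are floating tags, so pinning them to a specific version or digest would make the build and the pushed image reproducible. The re-wrapped `go build` command only stays one command if the `-ldflags '-w -s'` continuation line is indented deeper than its list item; the indentation is not visible in this rendering, so that should be checked.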
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Default-request-adder
|
||||
A small container which periodically (every 10s) checks for a LimitRange on all non-excluded namespaces named `extreme-request-defaults` and creates it using the configured memory settings if absent.
|
||||
|
||||
See the example-dir for an example deployment-file.
|
||||
[Example deployment-file](example/deploy.yaml)
|
||||
@@ -1,3 +1,40 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: default-request-adder
|
||||
namespace: kube-system
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: default-request-adder
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["namespaces"]
|
||||
verbs: ["list"]
|
||||
- apiGroups: [""]
|
||||
resources: ["limitranges"]
|
||||
verbs: ["list","create"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: default-request-adder
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: default-request-adder
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: default-request-adder
|
||||
namespace: kube-system
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -20,6 +57,7 @@ spec:
|
||||
labels:
|
||||
app: default-request-adder
|
||||
spec:
|
||||
serviceAccountName: default-request-adder
|
||||
containers:
|
||||
- name: default-request-adder
|
||||
resources:
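Review bot: In the first hunk the `ClusterRoleBinding` is declared with `apiVersion: rbac.authorization.k8s.io/v1beta1` while the `ClusterRole` next to it uses `rbac.authorization.k8s.io/v1`. The v1beta1 RBAC API was removed in Kubernetes 1.22, so the binding should use `apiVersion: rbac.authorization.k8s.io/v1` as well. Both `ClusterRole` and `ClusterRoleBinding` are cluster-scoped, so `namespace: kube-system` under their `metadata` has no effect and should be dropped; it is only needed on the `ServiceAccount` and in the binding's `subjects` entry. The rule set itself (`list` on namespaces, `list` and `create` on limitranges) matches the calls visible in main.go and is appropriately narrow. A short comment above the ClusterRole, such as `# least privilege: only what the reconcile loop calls`, would help keep it that way.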
|
||||
|
||||
@@ -54,18 +54,22 @@ func main() {
|
||||
for {
|
||||
namespaces, err := clientset.CoreV1().Namespaces().List(metav1.ListOptions{})
|
||||
if err != nil {
|
||||
panic(err.Error())
|
||||
panic(err)
|
||||
}
|
||||
|
||||
for _, ns := range namespaces.Items {
|
||||
if !nsExcluded(ns.Name, excludedNS) {
|
||||
log.Printf("Checking for LimitRange named extreme-request-defaults in namespace '%v'\n", ns.Name)
|
||||
if limitRanges, err := clientset.CoreV1().LimitRanges(ns.Name).List(metav1.ListOptions{FieldSelector: "metadata.name=extreme-request-defaults"}); err == nil && len(limitRanges.Items) == 0 {
|
||||
log.Printf("Trying to create LimitRange\n")
|
||||
if _, err := clientset.CoreV1().LimitRanges(ns.Name).Create(&limitRange); err != nil {
|
||||
log.Printf("Unable to create LimitRange in namespace '%v': Error: %v\n", ns.Name, err)
|
||||
} else {
|
||||
log.Printf("LimitRange extreme-request-defaults created in namespace '%v'\n", ns.Name)
|
||||
if limitRanges, err := clientset.CoreV1().LimitRanges(ns.Name).List(metav1.ListOptions{FieldSelector: "metadata.name=extreme-request-defaults"}); err != nil {
|
||||
panic(err)
|
||||
} else {
|
||||
if len(limitRanges.Items) == 0 {
|
||||
log.Printf("Trying to create LimitRange\n")
|
||||
if _, err := clientset.CoreV1().LimitRanges(ns.Name).Create(&limitRange); err != nil {
|
||||
log.Printf("Unable to create LimitRange in namespace '%v': Error: %v\n", ns.Name, err)
|
||||
} else {
|
||||
log.Printf("LimitRange extreme-request-defaults created in namespace '%v'\n", ns.Name)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
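Review bot: As rendered, the new side turns a failed `LimitRanges(ns.Name).List(...)` into `panic(err)`, so an error in one namespace stops the whole process. That could be a namespace being terminated, a transient API failure or a missing RBAC grant, and it leaves every remaining namespace without the default LimitRange until the pod restarts. The old code silently skipped the error, which was worth fixing, but logging and moving on keeps the loop running: `log.Printf("Unable to list LimitRanges in namespace '%v': %v\n", ns.Name, err)` followed by `continue`. That also removes the `else` after the terminating branch and one level of nesting. main's body starts and ends outside this hunk, so whether the outer `for` sleeps between passes is not visible here.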
|
||||
|
||||