kube-workflow
socialgouv/kube-workflow
🚀Deploy application over kubernetes
```yaml
- uses: SocialGouv/kube-workflow@master
  with:
    environment: "dev"
    token: ${{ secrets.GITHUB_TOKEN }}
    kubeconfig: ${{ secrets.KUBECONFIG }}
    rancherProjectId: ${{ secrets.RANCHER_PROJECT_ID }}
    rancherProjectName: ${{ secrets.RANCHER_PROJECT_NAME }}
    imagePackage: app
    # imageName: fabrique/www
```
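The step above runs `SocialGouv/kube-workflow@master`, a branch ref whose content can change between runs, and passes it `KUBECONFIG` and other secrets. As an added example (not part of the kube-workflow project), this check lists workflow steps that combine a mutable ref with secrets; the sample workflow is constructed, and `actions/checkout@v3` and `example-org/example-action` are placeholder steps.

```python
import re

# Constructed sample: the README's step plus two placeholder steps.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v3
  - uses: SocialGouv/kube-workflow@master
    with:
      environment: "dev"
      token: ${{ secrets.GITHUB_TOKEN }}
      kubeconfig: ${{ secrets.KUBECONFIG }}
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
NEW_ITEM = re.compile(r"^\s*-\s")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")


def audit_steps(text):
    """Return one record per remote `uses:` step with its ref and secrets."""
    steps, current = [], None
    for line in text.splitlines():
        m = USES.match(line)
        if m:
            action, _, ref = m.group(1).partition("@")
            if action.startswith("./"):      # local action, no ref to pin
                current = None
                continue
            current = {"action": action, "ref": ref,
                       "pinned": bool(FULL_SHA.match(ref)), "secrets": []}
            steps.append(current)
        elif NEW_ITEM.match(line):           # a different step begins
            current = None
        elif current is not None:
            current["secrets"] += SECRET.findall(line)
    return steps


def risky_steps(text):
    """Steps that run a mutable ref (branch or tag) and receive secrets."""
    return [s for s in audit_steps(text) if not s["pinned"] and s["secrets"]]


if __name__ == "__main__":
    for step in risky_steps(WORKFLOW):
        print(f"{step['action']}@{step['ref']} receives {step['secrets']}")
```

Pinning the `uses:` ref to a full commit SHA makes the step drop out of `risky_steps`.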
You can configure your project by adding `.kube-workflow/common/values.yaml` and `.kube-workflow/$ENVIRONMENT/values.yaml`.

```yaml
# here you define variables shared by all helm subcharts/components
global: {}
# here you can configure components values, key same name as in `components` sections
app:
  enabled: true
  containerPort: 80
```

Here is the order; the last in the list is the last applied:
- `$KUBEWORKFLOW_ACTION/chart/values.yaml` (the defaults)
- `.kube-workflow/common/values.yaml` (the common project's config)
- `.kube-workflow/$ENVIRONMENT/values.yaml`
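When reviewing what actually reaches an environment, it helps to know which file set each value. The following added example (not code from kube-workflow) merges the three layers in the order listed and records the layer that last set every leaf; it assumes maps merge recursively while scalars and lists are replaced, and the chart defaults and the `replicas` key are constructed for illustration.

```python
# Layers in the order the README lists them. The chart defaults and the
# `replicas` key are constructed for illustration; the common layer is the
# example values.yaml shown above.
LAYERS = [
    ("$KUBEWORKFLOW_ACTION/chart/values.yaml",
     {"global": {}, "app": {"enabled": False, "containerPort": 3000, "replicas": 1}}),
    (".kube-workflow/common/values.yaml",
     {"global": {}, "app": {"enabled": True, "containerPort": 80}}),
    (".kube-workflow/prod/values.yaml",
     {"app": {"replicas": 3}}),
]


def merge_layers(layers):
    """Merge (name, values) layers in order; return (effective, origin).

    origin maps each dotted leaf path to the layer that last set it.
    Assumed semantics: maps merge recursively, scalars and lists are replaced.
    """
    effective, origin = {}, {}

    def merge(dst, src, name, prefix=""):
        for key, val in src.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(val, dict):
                if not isinstance(dst.get(key), dict):
                    dst[key] = {}
                    origin.pop(path, None)
                merge(dst[key], val, name, path)
            else:
                # A scalar or list replaces anything an earlier layer put here.
                for stale in [p for p in origin if p.startswith(path + ".")]:
                    del origin[stale]
                dst[key] = val
                origin[path] = name

    for name, values in layers:
        merge(effective, values, name)
    return effective, origin


if __name__ == "__main__":
    values, origin = merge_layers(LAYERS)
    for path, layer in sorted(origin.items()):
        print(f"{path} <- {layer}")
```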
Every yaml file in `.kube-workflow/chart/templates` will be merged with the helm Chart `templates` folder before the build.
All these files can use the Helm templating syntax (or not, if you don't need it; a Helm template is a superset of YAML).
Both extensions, `yaml` and `yml`, are accepted.
Every yaml file in `.kube-workflow/env/$ENVIRONMENT` will be merged with the helm Chart `templates` folder before the build, according to the `environment` input (dev | preprod | prod).
All these files can use the Helm templating syntax.
Usually, that's where you put your ConfigMap and SealedSecrets resources.
Everything is overridable using filesystem merging.
The `.kube-workflow` directory of your project will be merged into, and may overwrite the content of, this repository's `chart` directory.
`Chart.yaml` in the directory `.kube-workflow`. More often, you can use kustomize to adjust the manifests. The kustomization patches are applied after Helm template rendering.
The kustomization entrypoint is `$KUBEWORKFLOW_ACTION/env/$ENVIRONMENT/kustomization.yaml`.
To override it, create a file called `.kube-workflow/env/$ENVIRONMENT/kustomization.yaml` in your project, containing:
```yaml
resources:
  - ../../common
patches:
  # ... put your patches here
```
By doing this, you opt out of the generic kustomization for the selected environment.
If you want (and more often you do) to keep the generic kustomization, which contains some infra logic defined by the advised SRE team, you can extend it like this:
```yaml
resources:
  - ../../autodevops/common
patches:
  # ... put your patches here
```
You can do the same for the common base file called by the environment kustomizations: just add a file called `.kube-workflow/common/kustomization.yaml` in your project, containing:
```yaml
resources:
  # - ../manifests.base.yaml # here is if you want to optout
  - ../autodevops/common # here is if you want to extends from autodevops default settings
patches:
  - target:
      kind: Ingress
    patch: |
      - op: add
        # `~1` is the JSON Pointer (RFC 6901) escape for the `/` inside the annotation key
        path: "/metadata/annotations/nginx.ingress.kubernetes.io~1configuration-snippet"
        value: |
          more_set_headers "Content-Security-Policy: default-src 'none'; connect-src 'self' https://*.gouv.fr; font-src 'self'; img-src 'self'; prefetch-src 'self' https://*.gouv.fr; script-src 'self' https://*.gouv.fr; frame-src 'self' https://*.gouv.fr; style-src 'self' 'unsafe-inline'";
          more_set_headers "X-Frame-Options: deny";
          more_set_headers "X-XSS-Protection: 1; mode=block";
          more_set_headers "X-Content-Type-Options: nosniff";
  - target:
      kind: Deployment
    path: ../../patches/kapp-delete-orphan.yaml
  - target:
      kind: Service
    path: ../../patches/kapp-delete-orphan.yaml
  - target:
      kind: Ingress
    path: ../../patches/kapp-delete-orphan.yaml
  # - target:
  #     kind: Service
  #   path: ../patches/kapp.yaml
```
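The Ingress patch above injects security headers through an nginx `configuration-snippet`. As an added example (not part of kube-workflow), this script parses those `more_set_headers` lines and reviews the Content-Security-Policy: it reports `'unsafe-inline'`/`'unsafe-eval'`, wildcard hosts, and directives that `default-src` does not cover. The function names are this example's own.

```python
import re

# The configuration-snippet value from the Ingress patch in this README.
SNIPPET = (
    "more_set_headers \"Content-Security-Policy: default-src 'none'; "
    "connect-src 'self' https://*.gouv.fr; font-src 'self'; img-src 'self'; "
    "prefetch-src 'self' https://*.gouv.fr; script-src 'self' https://*.gouv.fr; "
    "frame-src 'self' https://*.gouv.fr; style-src 'self' 'unsafe-inline'\";\n"
    "more_set_headers \"X-Frame-Options: deny\";\n"
    "more_set_headers \"X-XSS-Protection: 1; mode=block\";\n"
    "more_set_headers \"X-Content-Type-Options: nosniff\";\n"
)

# Directives that do not inherit from default-src (CSP Level 3).
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")


def parse_headers(snippet):
    """Map lower-cased header name -> value for every more_set_headers line."""
    pairs = re.findall(r'more_set_headers\s+"([^":]+):\s*([^"]*)"', snippet)
    return {name.lower(): value for name, value in pairs}


def parse_csp(policy):
    """Map directive name -> list of source expressions."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so the first one wins.
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def audit_csp(policy):
    """Return sorted (directive, finding) pairs for a reviewer to look at."""
    csp, findings = parse_csp(policy), []
    for name, sources in csp.items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append((name, f"allows {src}"))
            elif "*" in src:
                findings.append((name, f"wildcard source {src}"))
    for name in NO_FALLBACK:
        if name not in csp:
            findings.append((name, "not set; default-src does not apply to it"))
    return sorted(findings)


if __name__ == "__main__":
    for directive, finding in audit_csp(parse_headers(SNIPPET)["content-security-policy"]):
        print(f"{directive}: {finding}")
```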
If you think your patches can be reused by other projects, contribute them to the `chart/patches` folder of the action.
Required:

```sh
# install Helm 3
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# install kustomize
curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
```
Test with a local kube-workflow repository and a local project:

```sh
# get kube-workflow
export KUBEWORKFLOW_PATH="$PWD/kube-workflow"
git clone https://github.com/SocialGouv/kube-workflow "$KUBEWORKFLOW_PATH"
yarn --cwd "$KUBEWORKFLOW_PATH"
# get the project repository, here template for example
export WORKSPACE_PATH="$PWD/template"
git clone https://github.com/SocialGouv/template "$WORKSPACE_PATH"
# run manifest generation as snapshots using symlink to tests
REPOSITORY_NAME=$(basename "$WORKSPACE_PATH")
ln -s "$WORKSPACE_PATH/.kube-workflow" "$KUBEWORKFLOW_PATH/tests/samples/$REPOSITORY_NAME"
cd "$KUBEWORKFLOW_PATH"
yarn test -t "$REPOSITORY_NAME"
```
then check content of
To enable correct syntax recognition and coloration of YAML Helm templates in VS Code, enable the Kubernetes extension.
Resources:
FAQs
Unknown package
The npm package kube-workflow receives a total of 1 weekly downloads. As such, kube-workflow popularity was classified as not popular.
We found that kube-workflow demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.