├── .gitignore ├── README.md ├── clusters └── digital_ocean │ ├── adservice-policy.yaml │ ├── adservice-registry.yaml │ ├── cartservice-policy.yaml │ ├── cartservice-registry.yaml │ ├── checkoutservice-policy.yaml │ ├── checkoutservice-registry.yaml │ ├── currencyservice-policy.yaml │ ├── currencyservice-registry.yaml │ ├── emailservice-policy.yaml │ ├── emailservice-registry.yaml │ ├── flux-system-automation.yaml │ ├── flux-system │ ├── gotk-components.yaml │ ├── gotk-sync.yaml │ └── kustomization.yaml │ ├── frontend-policy.yaml │ ├── frontend-registry.yaml │ ├── online-boutique-deployment.yaml │ ├── online-boutique-frontend-deployment.yaml │ ├── paymentservice-policy.yaml │ ├── paymentservice-registry.yaml │ ├── productcatalogservice-policy.yaml │ ├── productcatalogservice-registry.yaml │ ├── recommendationservice-policy.yaml │ ├── recommendationservice-registry.yaml │ ├── shippingservice-policy.yaml │ └── shippingservice-registry.yaml └── flux ├── 01-bootstrap.sh ├── 02-image-scanning.sh ├── 03-image-policy.sh └── 04-image-update.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Secure GitOps 2 | This demo illustrates Secure GitOps practices by incorporating GitHub Actions and [Deepfence ThreatMapper](https://github.com/deepfence/ThreatMapper) vulnerability scanning for Continuous Integration (CI) and [WeaveWorks Flux](https://github.com/fluxcd/flux) for Continuous Delivery (CD). 3 | 4 | Visit https://fluxcd.io/docs/guides/image-update/ for instructions on how to use Flux. 
5 | -------------------------------------------------------------------------------- /clusters/digital_ocean/adservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: adservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: adservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/adservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: adservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/adservice 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | -------------------------------------------------------------------------------- /clusters/digital_ocean/cartservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: cartservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: cartservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/cartservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: cartservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/cartservice 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | -------------------------------------------------------------------------------- 
/clusters/digital_ocean/checkoutservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: checkoutservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: checkoutservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/checkoutservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: checkoutservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/checkoutservice 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | -------------------------------------------------------------------------------- /clusters/digital_ocean/currencyservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: currencyservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: currencyservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/currencyservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: currencyservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/currencyservice 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | -------------------------------------------------------------------------------- 
/clusters/digital_ocean/emailservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: emailservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: emailservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/emailservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: emailservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/emailservice 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | -------------------------------------------------------------------------------- /clusters/digital_ocean/flux-system-automation.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageUpdateAutomation 4 | metadata: 5 | name: flux-system 6 | namespace: flux-system 7 | spec: 8 | git: 9 | checkout: 10 | ref: 11 | branch: master 12 | commit: 13 | author: 14 | email: fluxcdbot@users.noreply.github.com 15 | name: fluxcdbot 16 | messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}' 17 | push: 18 | branch: master 19 | interval: 1m0s 20 | sourceRef: 21 | kind: GitRepository 22 | name: flux-system 23 | update: 24 | path: ./clusters/digital_ocean 25 | strategy: Setters 26 | -------------------------------------------------------------------------------- /clusters/digital_ocean/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: GitRepository 4 | metadata: 5 | name: flux-system 
6 | namespace: flux-system 7 | spec: 8 | interval: 1m0s 9 | ref: 10 | branch: master 11 | secretRef: 12 | name: flux-system 13 | url: https://github.com/mkryshak/secure-gitops.git 14 | --- 15 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 16 | kind: Kustomization 17 | metadata: 18 | name: flux-system 19 | namespace: flux-system 20 | spec: 21 | interval: 10m0s 22 | path: ./clusters/digital_ocean 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | validation: client 28 | -------------------------------------------------------------------------------- /clusters/digital_ocean/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gotk-components.yaml 5 | - gotk-sync.yaml 6 | -------------------------------------------------------------------------------- /clusters/digital_ocean/frontend-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: frontend 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: frontend 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/frontend-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: frontend 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/frontend 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | -------------------------------------------------------------------------------- /clusters/digital_ocean/online-boutique-deployment.yaml: 
-------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: adservice 19 | spec: 20 | selector: 21 | matchLabels: 22 | app: adservice 23 | template: 24 | metadata: 25 | labels: 26 | app: adservice 27 | spec: 28 | containers: 29 | - name: server 30 | image: registry.deepfence.net/adservice:v0.2.2 # {"$imagepolicy":"flux-system:adservice"} 31 | imagePullPolicy: Always 32 | env: 33 | - name: PORT 34 | value: "9555" 35 | #- name: DISABLE_STATS 36 | # value: "1" 37 | #- name: DISABLE_TRACING 38 | # value: "1" 39 | #- name: JAEGER_SERVICE_ADDR 40 | # value: "jaeger-collector:14268" 41 | ports: 42 | - name: grpc 43 | containerPort: 9555 44 | livenessProbe: 45 | exec: 46 | command: ["/bin/grpc_health_probe", "-addr=:9555"] 47 | initialDelaySeconds: 20 48 | periodSeconds: 15 49 | readinessProbe: 50 | exec: 51 | command: ["/bin/grpc_health_probe", "-addr=:9555"] 52 | initialDelaySeconds: 20 53 | periodSeconds: 15 54 | resources: 55 | limits: 56 | cpu: 300m 57 | memory: 300Mi 58 | requests: 59 | cpu: 200m 60 | memory: 180Mi 61 | imagePullSecrets: 62 | - name: registry.deepfence.net 63 | serviceAccountName: default 64 | terminationGracePeriodSeconds: 5 65 | --- 66 | apiVersion: apps/v1 67 | kind: Deployment 68 | metadata: 69 | name: cartservice 70 | spec: 71 | 
selector: 72 | matchLabels: 73 | app: cartservice 74 | template: 75 | metadata: 76 | labels: 77 | app: cartservice 78 | spec: 79 | containers: 80 | - name: server 81 | image: registry.deepfence.net/cartservice:v0.2.2 # {"$imagepolicy":"flux-system:cartservice"} 82 | imagePullPolicy: Always 83 | env: 84 | - name: REDIS_ADDR 85 | value: "redis-cart:6379" 86 | ports: 87 | - name: grpc 88 | containerPort: 7070 89 | livenessProbe: 90 | exec: 91 | command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] 92 | initialDelaySeconds: 15 93 | periodSeconds: 10 94 | readinessProbe: 95 | exec: 96 | command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] 97 | initialDelaySeconds: 15 98 | resources: 99 | limits: 100 | cpu: 300m 101 | memory: 128Mi 102 | requests: 103 | cpu: 200m 104 | memory: 64Mi 105 | imagePullSecrets: 106 | - name: registry.deepfence.net 107 | serviceAccountName: default 108 | terminationGracePeriodSeconds: 5 109 | --- 110 | apiVersion: apps/v1 111 | kind: Deployment 112 | metadata: 113 | name: checkoutservice 114 | spec: 115 | selector: 116 | matchLabels: 117 | app: checkoutservice 118 | template: 119 | metadata: 120 | labels: 121 | app: checkoutservice 122 | spec: 123 | containers: 124 | - name: server 125 | image: registry.deepfence.net/checkoutservice:v0.2.2 # {"$imagepolicy":"flux-system:checkoutservice"} 126 | imagePullPolicy: Always 127 | env: 128 | - name: PORT 129 | value: "5050" 130 | #- name: DISABLE_PROFILER 131 | # value: "1" 132 | #- name: DISABLE_STATS 133 | # value: "1" 134 | #- name: DISABLE_TRACING 135 | # value: "1" 136 | - name: CART_SERVICE_ADDR 137 | value: "cartservice:7070" 138 | - name: CURRENCY_SERVICE_ADDR 139 | value: "currencyservice:7000" 140 | - name: EMAIL_SERVICE_ADDR 141 | value: "emailservice:5000" 142 | #- name: JAEGER_SERVICE_ADDR 143 | # value: "jaeger-collector:14268" 144 | - name: PAYMENT_SERVICE_ADDR 145 | value: "paymentservice:50051" 146 | - name: PRODUCT_CATALOG_SERVICE_ADDR 147 | value: 
"productcatalogservice:3550" 148 | - name: SHIPPING_SERVICE_ADDR 149 | value: "shippingservice:50051" 150 | ports: 151 | - name: grpc 152 | containerPort: 5050 153 | livenessProbe: 154 | exec: 155 | command: ["/bin/grpc_health_probe", "-addr=:5050"] 156 | readinessProbe: 157 | exec: 158 | command: ["/bin/grpc_health_probe", "-addr=:5050"] 159 | resources: 160 | limits: 161 | cpu: 200m 162 | memory: 128Mi 163 | requests: 164 | cpu: 100m 165 | memory: 64Mi 166 | imagePullSecrets: 167 | - name: registry.deepfence.net 168 | serviceAccountName: default 169 | --- 170 | apiVersion: apps/v1 171 | kind: Deployment 172 | metadata: 173 | name: currencyservice 174 | spec: 175 | selector: 176 | matchLabels: 177 | app: currencyservice 178 | template: 179 | metadata: 180 | labels: 181 | app: currencyservice 182 | spec: 183 | containers: 184 | - name: server 185 | image: registry.deepfence.net/currencyservice:v0.2.2 # {"$imagepolicy":"flux-system:currencyservice"} 186 | imagePullPolicy: Always 187 | env: 188 | - name: PORT 189 | value: "7000" 190 | #- name: DISABLE_DEBUGGER 191 | # value: "1" 192 | #- name: DISABLE_PROFILER 193 | # value: "1" 194 | #- name: DISABLE_TRACING 195 | # value: "1" 196 | ports: 197 | - name: grpc 198 | containerPort: 7000 199 | livenessProbe: 200 | exec: 201 | command: ["/bin/grpc_health_probe", "-addr=:7000"] 202 | readinessProbe: 203 | exec: 204 | command: ["/bin/grpc_health_probe", "-addr=:7000"] 205 | resources: 206 | limits: 207 | cpu: 200m 208 | memory: 128Mi 209 | requests: 210 | cpu: 100m 211 | memory: 64Mi 212 | imagePullSecrets: 213 | - name: registry.deepfence.net 214 | serviceAccountName: default 215 | terminationGracePeriodSeconds: 5 216 | --- 217 | apiVersion: apps/v1 218 | kind: Deployment 219 | metadata: 220 | name: emailservice 221 | spec: 222 | selector: 223 | matchLabels: 224 | app: emailservice 225 | template: 226 | metadata: 227 | labels: 228 | app: emailservice 229 | spec: 230 | containers: 231 | - name: server 232 | image: 
registry.deepfence.net/emailservice:v0.2.2 # {"$imagepolicy":"flux-system:emailservice"} 233 | imagePullPolicy: Always 234 | env: 235 | - name: PORT 236 | value: "8080" 237 | - name: DISABLE_PROFILER 238 | value: "1" 239 | #- name: DISABLE_TRACING 240 | # value: "1" 241 | ports: 242 | - name: grpc 243 | containerPort: 8080 244 | livenessProbe: 245 | exec: 246 | command: ["/bin/grpc_health_probe", "-addr=:8080"] 247 | periodSeconds: 5 248 | readinessProbe: 249 | exec: 250 | command: ["/bin/grpc_health_probe", "-addr=:8080"] 251 | periodSeconds: 5 252 | resources: 253 | limits: 254 | cpu: 200m 255 | memory: 128Mi 256 | requests: 257 | cpu: 100m 258 | memory: 64Mi 259 | imagePullSecrets: 260 | - name: registry.deepfence.net 261 | serviceAccountName: default 262 | terminationGracePeriodSeconds: 5 263 | --- 264 | apiVersion: apps/v1 265 | kind: Deployment 266 | metadata: 267 | name: paymentservice 268 | spec: 269 | selector: 270 | matchLabels: 271 | app: paymentservice 272 | template: 273 | metadata: 274 | labels: 275 | app: paymentservice 276 | spec: 277 | containers: 278 | - name: server 279 | image: registry.deepfence.net/paymentservice:v0.2.2 # {"$imagepolicy":"flux-system:paymentservice"} 280 | imagePullPolicy: Always 281 | env: 282 | - name: PORT 283 | value: "50051" 284 | ports: 285 | - name: grpc 286 | containerPort: 50051 287 | livenessProbe: 288 | exec: 289 | command: ["/bin/grpc_health_probe", "-addr=:50051"] 290 | readinessProbe: 291 | exec: 292 | command: ["/bin/grpc_health_probe", "-addr=:50051"] 293 | resources: 294 | limits: 295 | cpu: 200m 296 | memory: 128Mi 297 | requests: 298 | cpu: 100m 299 | memory: 64Mi 300 | imagePullSecrets: 301 | - name: registry.deepfence.net 302 | serviceAccountName: default 303 | terminationGracePeriodSeconds: 5 304 | --- 305 | apiVersion: apps/v1 306 | kind: Deployment 307 | metadata: 308 | name: productcatalogservice 309 | spec: 310 | selector: 311 | matchLabels: 312 | app: productcatalogservice 313 | template: 314 | 
metadata: 315 | labels: 316 | app: productcatalogservice 317 | spec: 318 | containers: 319 | - name: server 320 | image: registry.deepfence.net/productcatalogservice:v0.2.2 # {"$imagepolicy":"flux-system:productcatalogservice"} 321 | imagePullPolicy: Always 322 | env: 323 | - name: PORT 324 | value: "3550" 325 | #- name: DISABLE_PROFILER 326 | # value: "1" 327 | #- name: DISABLE_STATS 328 | # value: "1" 329 | #- name: DISABLE_TRACING 330 | # value: "1" 331 | #- name: JAEGER_SERVICE_ADDR 332 | # value: "jaeger-collector:14268" 333 | ports: 334 | - name: grpc 335 | containerPort: 3550 336 | livenessProbe: 337 | exec: 338 | command: ["/bin/grpc_health_probe", "-addr=:3550"] 339 | readinessProbe: 340 | exec: 341 | command: ["/bin/grpc_health_probe", "-addr=:3550"] 342 | resources: 343 | limits: 344 | cpu: 200m 345 | memory: 128Mi 346 | requests: 347 | cpu: 100m 348 | memory: 64Mi 349 | imagePullSecrets: 350 | - name: registry.deepfence.net 351 | serviceAccountName: default 352 | terminationGracePeriodSeconds: 5 353 | --- 354 | apiVersion: apps/v1 355 | kind: Deployment 356 | metadata: 357 | name: recommendationservice 358 | spec: 359 | selector: 360 | matchLabels: 361 | app: recommendationservice 362 | template: 363 | metadata: 364 | labels: 365 | app: recommendationservice 366 | spec: 367 | containers: 368 | - name: server 369 | image: registry.deepfence.net/recommendationservice:v0.2.2 # {"$imagepolicy":"flux-system:recommendationservice"} 370 | imagePullPolicy: Always 371 | env: 372 | - name: PORT 373 | value: "8080" 374 | #- name: DISABLE_DEBUGGER 375 | # value: "1" 376 | #- name: DISABLE_PROFILER 377 | # value: "1" 378 | #- name: DISABLE_TRACING 379 | # value: "1" 380 | - name: PRODUCT_CATALOG_SERVICE_ADDR 381 | value: "productcatalogservice:3550" 382 | ports: 383 | - name: grpc 384 | containerPort: 8080 385 | livenessProbe: 386 | exec: 387 | command: ["/bin/grpc_health_probe", "-addr=:8080"] 388 | periodSeconds: 5 389 | readinessProbe: 390 | exec: 391 | command: 
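["/bin/grpc_health_probe", "-addr=:8080"]
          periodSeconds: 5
        resources:
          limits:
            cpu: 200m
            memory: 450Mi
          requests:
            cpu: 100m
            memory: 220Mi
      imagePullSecrets:
      - name: registry.deepfence.net
      serviceAccountName: default
      terminationGracePeriodSeconds: 5
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-cart
spec:
  selector:
    matchLabels:
      app: redis-cart
  template:
    metadata:
      labels:
        app: redis-cart
    spec:
      containers:
      - name: redis
        # NOTE(review): floating tag pulled with imagePullPolicy: Always — the
        # running image can change on every pod restart without a Git commit,
        # and unlike the other services it is not governed by an ImagePolicy.
        # Consider a versioned tag or a digest so rollouts stay reproducible.
        image: redis:alpine
        imagePullPolicy: Always
        ports:
        - name: redis
          containerPort: 6379
        livenessProbe:
          periodSeconds: 5
          tcpSocket:
            port: 6379
        readinessProbe:
          periodSeconds: 5
          tcpSocket:
            port: 6379
        resources:
          limits:
            memory: 256Mi
            cpu: 125m
          requests:
            cpu: 70m
            memory: 200Mi
        volumeMounts:
        - name: redis-data
          mountPath: /data
      volumes:
      - name: redis-data
        emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shippingservice
spec:
  selector:
    matchLabels:
      app: shippingservice
  template:
    metadata:
      labels:
        app: shippingservice
    spec:
      containers:
      - name: server
        # The setter marker must name this service's own ImagePolicy
        # (clusters/digital_ocean/shippingservice-policy.yaml). It previously
        # pointed at "flux-system:recommendationservice", which would let the
        # image automation replace this field with whatever image that policy
        # selects, i.e. run the recommendationservice image under this
        # deployment.
        image: registry.deepfence.net/shippingservice:v0.2.2 # {"$imagepolicy":"flux-system:shippingservice"}
        imagePullPolicy: Always
        env:
        - name: PORT
          value: "50051"
        #- name: DISABLE_PROFILER
        #  value: "1"
        #- name: DISABLE_STATS
        #  value: "1"
        #- name: DISABLE_TRACING
        #  value: "1"
        #- name: JAEGER_SERVICE_ADDR
        #  value: "jaeger-collector:14268"
        - name: PRODUCT_CATALOG_SERVICE_ADDR
          # NOTE(review): every other deployment in this file sets this to
          # "productcatalogservice:3550"; a bare port with no host is unlikely
          # to be reachable — confirm whether this service uses the variable.
          value: "3550"
        ports:
        - name: grpc
          containerPort: 50051
        livenessProbe:
          exec:
            command: ["/bin/grpc_health_probe", "-addr=:50051"]
        readinessProbe:
          exec:
            command: ["/bin/grpc_health_probe", "-addr=:50051"]
          periodSeconds: 5
        resources:
          limits:
            cpu: 200m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 64Mi
      imagePullSecrets:
      - name: registry.deepfence.net
      serviceAccountName: default
---
# Copyright 2018 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.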
511 | 512 | apiVersion: v1 513 | kind: Service 514 | metadata: 515 | name: adservice 516 | spec: 517 | type: ClusterIP 518 | selector: 519 | app: adservice 520 | ports: 521 | - name: grpc 522 | port: 9555 523 | protocol: TCP 524 | targetPort: 9555 525 | --- 526 | apiVersion: v1 527 | kind: Service 528 | metadata: 529 | name: cartservice 530 | spec: 531 | type: ClusterIP 532 | selector: 533 | app: cartservice 534 | ports: 535 | - name: grpc 536 | port: 7070 537 | protocol: TCP 538 | targetPort: 7070 539 | --- 540 | apiVersion: v1 541 | kind: Service 542 | metadata: 543 | name: checkoutservice 544 | spec: 545 | type: ClusterIP 546 | selector: 547 | app: checkoutservice 548 | ports: 549 | - name: grpc 550 | port: 5050 551 | protocol: TCP 552 | targetPort: 5050 553 | --- 554 | apiVersion: v1 555 | kind: Service 556 | metadata: 557 | name: currencyservice 558 | spec: 559 | type: ClusterIP 560 | selector: 561 | app: currencyservice 562 | ports: 563 | - name: grpc 564 | port: 7000 565 | protocol: TCP 566 | targetPort: 7000 567 | --- 568 | apiVersion: v1 569 | kind: Service 570 | metadata: 571 | name: emailservice 572 | spec: 573 | type: ClusterIP 574 | selector: 575 | app: emailservice 576 | ports: 577 | - name: grpc 578 | port: 5000 579 | protocol: TCP 580 | targetPort: 8080 581 | --- 582 | apiVersion: v1 583 | kind: Service 584 | metadata: 585 | name: paymentservice 586 | spec: 587 | type: ClusterIP 588 | selector: 589 | app: paymentservice 590 | ports: 591 | - name: grpc 592 | port: 50051 593 | protocol: TCP 594 | targetPort: 50051 595 | --- 596 | apiVersion: v1 597 | kind: Service 598 | metadata: 599 | name: productcatalogservice 600 | spec: 601 | type: ClusterIP 602 | selector: 603 | app: productcatalogservice 604 | ports: 605 | - name: grpc 606 | port: 3550 607 | protocol: TCP 608 | targetPort: 3550 609 | --- 610 | apiVersion: v1 611 | kind: Service 612 | metadata: 613 | name: recommendationservice 614 | spec: 615 | type: ClusterIP 616 | selector: 617 | app: 
recommendationservice 618 | ports: 619 | - name: grpc 620 | port: 8080 621 | protocol: TCP 622 | targetPort: 8080 623 | --- 624 | apiVersion: v1 625 | kind: Service 626 | metadata: 627 | name: redis-cart 628 | spec: 629 | type: ClusterIP 630 | selector: 631 | app: redis-cart 632 | ports: 633 | - name: redis 634 | port: 6379 635 | protocol: TCP 636 | targetPort: 6379 637 | --- 638 | apiVersion: v1 639 | kind: Service 640 | metadata: 641 | name: shippingservice 642 | spec: 643 | type: ClusterIP 644 | selector: 645 | app: shippingservice 646 | ports: 647 | - name: grpc 648 | port: 50051 649 | protocol: TCP 650 | targetPort: 50051 -------------------------------------------------------------------------------- /clusters/digital_ocean/online-boutique-frontend-deployment.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: frontend 19 | spec: 20 | selector: 21 | matchLabels: 22 | app: frontend 23 | template: 24 | metadata: 25 | labels: 26 | app: frontend 27 | spec: 28 | containers: 29 | - name: server 30 | image: registry.deepfence.net/frontend:v0.2.2 # {"$imagepolicy":"flux-system:frontend"} 31 | imagePullPolicy: Always 32 | env: 33 | - name: ENV_PLATFORM 34 | value: "local" 35 | - name: PORT 36 | value: "8080" 37 | #- name: DISABLE_PROFILER 38 | # value: "1" 39 | #- name: DISABLE_TRACING 40 | # value: "1" 41 | - name: AD_SERVICE_ADDR 42 | value: "adservice:9555" 43 | - name: CART_SERVICE_ADDR 44 | value: "cartservice:7070" 45 | - name: CHECKOUT_SERVICE_ADDR 46 | value: "checkoutservice:5050" 47 | - name: CURRENCY_SERVICE_ADDR 48 | value: "currencyservice:7000" 49 | #- name: JAEGER_SERVICE_ADDR 50 | # value: "jaeger-collector:14268" 51 | - name: PRODUCT_CATALOG_SERVICE_ADDR 52 | value: "productcatalogservice:3550" 53 | - name: RECOMMENDATION_SERVICE_ADDR 54 | value: "recommendationservice:8080" 55 | - name: SHIPPING_SERVICE_ADDR 56 | value: "shippingservice:50051" 57 | ports: 58 | - name: http 59 | containerPort: 8080 60 | readinessProbe: 61 | httpGet: 62 | path: "/_healthz" 63 | port: 8080 64 | httpHeaders: 65 | - name: "Cookie" 66 | value: "shop_session-id=x-readiness-probe" 67 | initialDelaySeconds: 10 68 | livenessProbe: 69 | httpGet: 70 | path: "/_healthz" 71 | port: 8080 72 | httpHeaders: 73 | - name: "Cookie" 74 | value: "shop_session-id=x-liveness-probe" 75 | initialDelaySeconds: 10 76 | resources: 77 | limits: 78 | cpu: 200m 79 | memory: 128Mi 80 | requests: 81 | cpu: 100m 82 | memory: 64Mi 83 | imagePullSecrets: 84 | - name: registry.deepfence.net 85 | serviceAccountName: default 86 | --- 87 | # Copyright 2018 Google LLC 88 | # 89 | # Licensed under the Apache License, Version 2.0 (the "License"); 90 | # you may not use this file except in compliance with the License. 
91 | # You may obtain a copy of the License at 92 | # 93 | # http://www.apache.org/licenses/LICENSE-2.0 94 | # 95 | # Unless required by applicable law or agreed to in writing, software 96 | # distributed under the License is distributed on an "AS IS" BASIS, 97 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 98 | # See the License for the specific language governing permissions and 99 | # limitations under the License. 100 | 101 | apiVersion: v1 102 | kind: Service 103 | metadata: 104 | name: frontend 105 | spec: 106 | type: ClusterIP 107 | selector: 108 | app: frontend 109 | ports: 110 | - name: http 111 | port: 80 112 | protocol: TCP 113 | targetPort: 8080 114 | --- 115 | apiVersion: v1 116 | kind: Service 117 | metadata: 118 | name: frontend-external 119 | spec: 120 | type: LoadBalancer 121 | selector: 122 | app: frontend 123 | ports: 124 | - name: http 125 | port: 80 126 | protocol: TCP 127 | targetPort: 8080 128 | -------------------------------------------------------------------------------- /clusters/digital_ocean/paymentservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: paymentservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: paymentservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/paymentservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: paymentservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/paymentservice 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | 
-------------------------------------------------------------------------------- /clusters/digital_ocean/productcatalogservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: productcatalogservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: productcatalogservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/productcatalogservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: productcatalogservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/productcatalogservice 9 | interval: 30s 10 | secretRef: 11 | name: registry.deepfence.net 12 | -------------------------------------------------------------------------------- /clusters/digital_ocean/recommendationservice-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImagePolicy 4 | metadata: 5 | name: recommendationservice 6 | namespace: flux-system 7 | spec: 8 | imageRepositoryRef: 9 | name: recommendationservice 10 | policy: 11 | semver: 12 | range: '>=0.2.0 <0.3.0' 13 | -------------------------------------------------------------------------------- /clusters/digital_ocean/recommendationservice-registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: image.toolkit.fluxcd.io/v1alpha2 3 | kind: ImageRepository 4 | metadata: 5 | name: recommendationservice 6 | namespace: flux-system 7 | spec: 8 | image: registry.deepfence.net/recommendationservice 9 | interval: 30s 10 | secretRef: 11 | 
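name: registry.deepfence.net
--------------------------------------------------------------------------------
/clusters/digital_ocean/shippingservice-policy.yaml:
--------------------------------------------------------------------------------
---
apiVersion: image.toolkit.fluxcd.io/v1alpha2
kind: ImagePolicy
metadata:
  name: shippingservice
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: shippingservice
  policy:
    semver:
      range: '>=0.2.0 <0.3.0'
--------------------------------------------------------------------------------
/clusters/digital_ocean/shippingservice-registry.yaml:
--------------------------------------------------------------------------------
---
apiVersion: image.toolkit.fluxcd.io/v1alpha2
kind: ImageRepository
metadata:
  name: shippingservice
  namespace: flux-system
spec:
  image: registry.deepfence.net/shippingservice
  interval: 30s
  secretRef:
    name: registry.deepfence.net
--------------------------------------------------------------------------------
/flux/01-bootstrap.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Bootstrap Flux (plus the image-reflector and image-automation controllers)
# against the personal, private GitHub repository "secure-gitops", syncing the
# manifests under ./clusters/digital_ocean.
#
# Required environment:
#   GITHUB_USER   GitHub owner of the secure-gitops repository.
#   GITHUB_TOKEN  personal access token that `flux bootstrap github` reads from
#                 the environment. With --token-auth Flux keeps this token in
#                 the cluster for git access, so scope it to this one repository
#                 and rotate it afterwards; pass it via the environment, never
#                 on the command line, so it does not show up in `ps` or history.
set -euo pipefail

# The original shebang lacked the "!" and the owner was expanded unquoted; fail
# early with a clear message instead of handing `flux` an empty --owner=.
: "${GITHUB_USER:?GITHUB_USER must be set to the GitHub owner of secure-gitops}"
if [[ -z "${GITHUB_TOKEN:-}" ]]; then
  printf 'note: GITHUB_TOKEN is not set; flux will have to obtain the token another way\n' >&2
fi

flux bootstrap github \
  --components-extra=image-reflector-controller,image-automation-controller \
  --owner="${GITHUB_USER}" \
  --repository=secure-gitops \
  --branch=master \
  --path=./clusters/digital_ocean \
  --personal \
  --private \
  --token-auth
--------------------------------------------------------------------------------
/flux/02-image-scanning.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Generate one Flux ImageRepository manifest per Online Boutique service so the
# image-reflector-controller scans registry.deepfence.net for new tags.
#
# Outputs: ../clusters/digital_ocean/<name>-registry.yaml (relative to this
# script), each ending with a secretRef to the registry pull secret.
# Returns: non-zero (via set -e/pipefail) if any `flux create` fails.
set -euo pipefail

# Resolve the output directory from the script's own location, so the script
# behaves the same whether or not the caller's cwd is flux/.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
readonly script_dir
readonly out_dir="${script_dir}/../clusters/digital_ocean"
readonly registry=registry.deepfence.net
readonly repo=(
  adservice
  cartservice
  checkoutservice
  currencyservice
  emailservice
  frontend
  paymentservice
  productcatalogservice
  recommendationservice
  shippingservice
)

for name in "${repo[@]}"; do
  target="${out_dir}/${name}-registry.yaml"
  # Drop the exported manifest's last line (`$ d`) inside the pipeline instead
  # of with `sed -i ''`, which is BSD/macOS-only and is misparsed by GNU sed;
  # pipefail still surfaces a failing `flux`.
  flux create image repository "${name}" \
    --image="${registry}/${name}" \
    --interval=0m30s \
    --export | sed -e '$ d' > "${target}"
  # secretRef must sit inside spec:, i.e. at the same indentation as the
  # exported image:/interval: keys, so the scan authenticates to the registry.
  printf '  secretRef:\n    name: %s\n' "${registry}" >> "${target}"
done
--------------------------------------------------------------------------------
/flux/03-image-policy.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Generate one Flux ImagePolicy manifest per Online Boutique service, selecting
# the newest tag in the semver range '>=0.2.0 <0.3.0' (patch/minor updates only;
# a new major/minor line requires an explicit policy change in git).
#
# Outputs: ../clusters/digital_ocean/<name>-policy.yaml (relative to this script).
# Returns: non-zero (via set -e/pipefail) if any `flux create` fails.
set -euo pipefail

# Resolve the output directory from the script's own location, so the script
# behaves the same whether or not the caller's cwd is flux/.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
readonly script_dir
readonly out_dir="${script_dir}/../clusters/digital_ocean"
readonly repo=(
  adservice
  cartservice
  checkoutservice
  currencyservice
  emailservice
  frontend
  paymentservice
  productcatalogservice
  recommendationservice
  shippingservice
)

for name in "${repo[@]}"; do
  target="${out_dir}/${name}-policy.yaml"
  # `$ d` drops the exported manifest's last line; done in the pipeline rather
  # than with the BSD-only `sed -i ''` so the script also works with GNU sed.
  flux create image policy "${name}" \
    --image-ref="${name}" \
    --select-semver='>=0.2.0 <0.3.0' \
    --export | sed -e '$ d' > "${target}"
done
--------------------------------------------------------------------------------
/flux/04-image-update.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Generate the ImageUpdateAutomation manifest that lets Flux commit new image
# tags (as chosen by the ImagePolicies) back into ./clusters/digital_ocean.
#
# Outputs: ../clusters/digital_ocean/flux-system-automation.yaml (relative to
# this script).
# Returns: non-zero (via set -e/pipefail) if `flux create` fails.
set -euo pipefail

# Resolve the output path from the script's own location, so the script
# behaves the same whether or not the caller's cwd is flux/.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
readonly script_dir
readonly target="${script_dir}/../clusters/digital_ocean/flux-system-automation.yaml"

# NOTE(review): checkout and push branch are both master, so every image update
# Flux commits lands directly on the deployed branch with no pull-request gate;
# pushing to a separate branch would put a review step in front of rollouts.
# `$ d` drops the exported manifest's last line; done in the pipeline rather
# than with the BSD-only `sed -i ''` so the script also works with GNU sed.
flux create image update flux-system \
  --git-repo-ref=flux-system \
  --git-repo-path="./clusters/digital_ocean" \
  --checkout-branch=master \
  --push-branch=master \
  --author-name=fluxcdbot \
  --author-email=fluxcdbot@users.noreply.github.com \
  --commit-template="{{range .Updated.Images}}{{println .}}{{end}}" \
  --export | sed -e '$ d' > "${target}"
--------------------------------------------------------------------------------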