Bump chart version (#37)

* Bump chart version * Updated deployment spec and pinned version * Added security scan
saidsef · Dec 8, 2022 · a148fb6 · a148fb6
1 parent 49b4ec9
commit a148fb6
Show file tree

Hide file tree

Showing 10 changed files with 45 additions and 464 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -13,7 +13,7 @@ RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/
 #     && apt-get -y install --no-install-recommends <your-package-list-here>
 
 # [Optional] Uncomment the next lines to use go get to install anything else you need
-# USER vscode
+USER vscode
 # RUN go get -x <your-dependency-or-tool>
 
 # [Optional] Uncomment this line to install global node packages.

diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -12,7 +12,7 @@ updates:
       interval: "weekly"
     pull-request-branch-name:
       separator: "-"
-  - package-ecosystem: gomod
+  - package-ecosystem: "gomod"
     directory: /
     schedule:
       interval: "weekly"

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,28 @@
+name: CI
+on:
+  workflow_run:
+    workflows:
+      - CI
+    types:
+      - completed
+    branches:
+       - main
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'pull_request' }}
+    name: Security Scan
+    steps:
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'config'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: 'trivy-results.sarif'
diff --git a/Dockerfile b/Dockerfile
@@ -14,12 +14,10 @@ RUN apk add --no-cache curl git && \
 FROM alpine:3.17
 LABEL maintainer="Said Sef <saidsef@gmail.com> (saidsef.co.uk/)"
 
-ENV fprocess="/usr/bin/geocode"
+USER nobody
 
 COPY --from=builder /app/geocode /usr/bin/
 
-USER nobody
-
 HEALTHCHECK --interval=30s --timeout=10s CMD curl --fail 'http://localhost:${PORT}/' || exit 1
 
 EXPOSE ${PORT}

diff --git a/charts/reverse-geocoding/Chart.yaml b/charts/reverse-geocoding/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: reverse-geocoding
 description: Reverse GeoCode Helm chart for Kubernetes
 type: application
-version: &version 0.2.6
+version: &version 0.2.7
 appVersion: *version
 kubeVersion: ">= 1.22"
 keywords:

diff --git a/charts/reverse-geocoding/README.md b/charts/reverse-geocoding/README.md
@@ -1,6 +1,6 @@
 # reverse-geocoding
 
-![Version: 0.2.6](https://img.shields.io/badge/Version-0.2.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.6](https://img.shields.io/badge/AppVersion-0.2.6-informational?style=flat-square)
+![Version: 0.2.7](https://img.shields.io/badge/Version-0.2.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.7](https://img.shields.io/badge/AppVersion-0.2.7-informational?style=flat-square)
 
 Reverse GeoCode Helm chart for Kubernetes
 
@@ -30,7 +30,7 @@ Kubernetes: `>= 1.22`
 | image.repository | string | `"ghcr.io/saidsef/faas-reverse-geocoding"` |  |
 | image.tag | string | `"latest"` |  |
 | imagePullSecrets | list | `[]` |  |
-| ingress.annotations | object | `{}` |  |
+| ingress.annotations."app.kubernetes.io/name" | string | `"geocode"` |  |
 | ingress.className | string | `""` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.hosts[0].host | string | `"geocode.local"` |  |

diff --git a/charts/reverse-geocoding/values.yaml b/charts/reverse-geocoding/values.yaml
@@ -3,7 +3,7 @@ replicaCount: 1
 image:
   repository: ghcr.io/saidsef/faas-reverse-geocoding
   pullPolicy: IfNotPresent
-  tag: "latest"
+  tag: "v2022.12"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -27,7 +27,12 @@ securityContext:
     - NET_BIND_SERVICE
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 1000
+  runAsGroup: 65534
+  runAsUser: 65534
+  allowPrivilegeEscalation: false
+  privileged: false
+  seccompProfile:
+    type: RuntimeDefault
 
 service:
   type: ClusterIP

diff --git a/deployment/deployment.yml b/deployment/deployment.yml
@@ -28,7 +28,7 @@ spec:
       enableServiceLinks: false
       containers:
       - name: geocode
-        image: ghcr.io/saidsef/faas-reverse-geocoding:latest
+        image: ghcr.io/saidsef/faas-reverse-geocoding:v2022.12
         imagePullPolicy: Always
         env:
           - name: "PORT"

diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/common v0.38.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	golang.org/x/sys v0.3.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect

diff --git a/go.sum b/go.sum