diff --git a/CHANGELOG.md b/CHANGELOG.md index 0249fc0..b8a4c2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Fixed +- [#54] Fix problem to chown files while post-upgrade script deletes the pgdata +- [#54] Upgrade makefiles to 10.2.0 ## [v14.17-3] - 2025-07-24 ### Fixed diff --git a/Makefile b/Makefile index e74bdd7..dd97f2d 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -MAKEFILES_VERSION=9.5.0 +MAKEFILES_VERSION=10.2.0 .DEFAULT_GOAL:=dogu-release diff --git a/build/make/build.mk b/build/make/build.mk index d3581de..a29f2c5 100644 --- a/build/make/build.mk +++ b/build/make/build.mk @@ -3,7 +3,7 @@ ADDITIONAL_LDFLAGS?=-extldflags -static LDFLAGS?=-ldflags "$(ADDITIONAL_LDFLAGS) -X main.Version=$(VERSION) -X main.CommitID=$(COMMIT_ID)" GOIMAGE?=golang -GOTAG?=1.23 +GOTAG?=1.24 GOOS?=linux GOARCH?=amd64 PRE_COMPILE?= diff --git a/build/make/k8s-component.mk b/build/make/k8s-component.mk index 6c1f6c4..4efe639 100644 --- a/build/make/k8s-component.mk +++ b/build/make/k8s-component.mk @@ -1,4 +1,5 @@ -COMPONENT_DEV_VERSION?=${VERSION}-dev +COMPONENT_BUILD_VERSION := $(shell date +%s) +COMPONENT_DEV_VERSION?=${VERSION}-dev.${COMPONENT_BUILD_VERSION} include ${BUILD_DIR}/make/k8s.mk @@ -15,8 +16,9 @@ HELM_RELEASE_TGZ=${HELM_TARGET_DIR}/${ARTIFACT_ID}-${VERSION}.tgz HELM_DEV_RELEASE_TGZ=${HELM_TARGET_DIR}/${ARTIFACT_ID}-${COMPONENT_DEV_VERSION}.tgz HELM_ARTIFACT_NAMESPACE?=k8s ifeq (${RUNTIME_ENV}, remote) - HELM_ARTIFACT_NAMESPACE?=testing/k8s + HELM_ARTIFACT_NAMESPACE=testing/k8s endif +$(info HELM_ARTIFACT_NAMESPACE=$(HELM_ARTIFACT_NAMESPACE)) K8S_RESOURCE_COMPONENT ?= "${K8S_RESOURCE_TEMP_FOLDER}/component-${ARTIFACT_ID}-${VERSION}.yaml" K8S_RESOURCE_COMPONENT_CR_TEMPLATE_YAML ?= $(BUILD_DIR)/make/k8s-component.tpl 
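Review bot: `COMPONENT_BUILD_VERSION := $(shell date +%s)` in the first k8s-component.mk hunk is evaluated afresh by every make process, so a recursive `$(MAKE)` (or the literal `make` call the unit-test rules use) computes a different `COMPONENT_DEV_VERSION` and therefore a different `HELM_DEV_RELEASE_TGZ` than its parent. If any dev-chart target is ever reached through a sub-make, the parent packages one tarball and the child pushes or looks for another. Exporting the value and letting the environment take precedence keeps it stable across the whole build: `export COMPONENT_BUILD_VERSION ?= $(shell date +%s)`. Whether a sub-make actually reaches these targets is not visible in this diff.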
@@ -93,10 +95,10 @@ helm-reinstall: helm-delete helm-apply ## Uninstalls the current helm chart and .PHONY: helm-chart-import helm-chart-import: ${CHECK_VAR_TARGETS} helm-generate helm-package ${IMAGE_IMPORT_TARGET} ## Imports the currently available chart into the cluster-local registry. @if [[ ${STAGE} == "development" ]]; then \ - echo "Import ${HELM_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \ + echo "Import ${HELM_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \ ${BINARY_HELM} push ${HELM_DEV_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \ else \ - echo "Import ${HELM_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \ + echo "Import ${HELM_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \ ${BINARY_HELM} push ${HELM_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \ fi @echo "Done." @@ -142,7 +144,7 @@ ${K8S_RESOURCE_COMPONENT_CR_TEMPLATE_YAML}: ${K8S_RESOURCE_TEMP_FOLDER} fi .PHONY: component-apply -component-apply: check-k8s-namespace-env-var ${COMPONENT_PRE_APPLY_TARGETS} ${IMAGE_IMPORT_TARGET} helm-generate helm-chart-import component-generate ## Applies the component yaml resource to the actual defined context. +component-apply: isProduction check-k8s-namespace-env-var ${COMPONENT_PRE_APPLY_TARGETS} ${IMAGE_IMPORT_TARGET} helm-generate helm-chart-import component-generate ## Applies the component yaml resource to the actual defined context. @kubectl apply -f "${K8S_RESOURCE_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}" @echo "Done." diff --git a/build/make/k8s-crd.mk b/build/make/k8s-crd.mk index 090b029..aca625d 100644 --- a/build/make/k8s-crd.mk +++ b/build/make/k8s-crd.mk 
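Review bot: Adding `isProduction` as just another prerequisite of `component-apply` does not guarantee it runs before `helm-chart-import`: under `make -j` the prerequisites are built concurrently, so the chart can already be pushed to the registry before the stage check aborts. The same applies to `crd-component-apply` in the k8s-crd.mk hunk below. To make the guard effective regardless of parallelism, let the pushing targets depend on it (`helm-chart-import: isProduction`) or run the check as the first recipe line of `component-apply` rather than as a prerequisite.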
@@ -1,5 +1,12 @@ -ARTIFACT_CRD_ID = $(ARTIFACT_ID)-crd -DEV_CRD_VERSION ?= ${VERSION}-dev +# we set this default to maintain compatibility with CRDs that are still inside monorepos +APPEND_CRD_SUFFIX ?= true +ifeq ($(APPEND_CRD_SUFFIX), true) + ARTIFACT_CRD_ID = $(ARTIFACT_ID)-crd +else ifeq ($(APPEND_CRD_SUFFIX), false) + ARTIFACT_CRD_ID = $(ARTIFACT_ID) +endif +CRD_BUILD_VERSION := $(shell date +%s).$(TIMESTAMP) +DEV_CRD_VERSION ?= ${VERSION}-dev.${COMPONENT_BUILD_VERSION} HELM_CRD_SOURCE_DIR ?= ${WORKDIR}/k8s/helm-crd HELM_CRD_TARGET_DIR ?= $(K8S_RESOURCE_TEMP_FOLDER)/helm-crd HELM_CRD_RELEASE_TGZ = ${HELM_CRD_TARGET_DIR}/${ARTIFACT_CRD_ID}-${VERSION}.tgz @@ -28,7 +35,7 @@ crd-add-labels: $(BINARY_YQ) @echo "Adding labels to CRD..." @for file in ${HELM_CRD_SOURCE_DIR}/templates/*.yaml ; do \ $(BINARY_YQ) -i e ".metadata.labels.app = \"ces\"" $${file} ;\ - $(BINARY_YQ) -i e ".metadata.labels.\"app.kubernetes.io/name\" = \"${ARTIFACT_ID}\"" $${file} ;\ + $(BINARY_YQ) -i e ".metadata.labels.\"app.kubernetes.io/name\" = \"${ARTIFACT_CRD_ID}\"" $${file} ;\ done .PHONY: crd-helm-generate ## Generates the Helm CRD chart 
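Review bot: `CRD_BUILD_VERSION := $(shell date +%s).$(TIMESTAMP)` is defined but never used, while `DEV_CRD_VERSION` references `COMPONENT_BUILD_VERSION`, which is set in k8s-component.mk; `TIMESTAMP` is not defined in any makefile visible here. A project that includes k8s-crd.mk without k8s-component.mk therefore gets a dev version ending in a trailing dot (`1.2.3-dev.`, constructed example). Either drop `CRD_BUILD_VERSION` or make the CRD version self-contained: `CRD_BUILD_VERSION := $(shell date +%s)` and `DEV_CRD_VERSION ?= ${VERSION}-dev.${CRD_BUILD_VERSION}`. The `ifeq`/`else ifeq` on `APPEND_CRD_SUFFIX` also leaves `ARTIFACT_CRD_ID` silently undefined for any value other than `true`/`false`; an `else` branch with `$(error APPEND_CRD_SUFFIX must be true or false)` would fail loudly.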
@@ -83,10 +90,10 @@ ${HELM_CRD_RELEASE_TGZ}: ${BINARY_HELM} crd-helm-generate ## Generates and packa .PHONY: crd-helm-chart-import crd-helm-chart-import: ${CHECK_VAR_TARGETS} check-k8s-artifact-id crd-helm-generate crd-helm-package ## Imports the currently available Helm CRD chart into the cluster-local registry. @if [[ ${STAGE} == "development" ]]; then \ - echo "Import ${HELM_CRD_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \ + echo "Import ${HELM_CRD_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \ ${BINARY_HELM} push ${HELM_CRD_DEV_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \ else \ - echo "Import ${HELM_CRD_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \ + echo "Import ${HELM_CRD_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \ ${BINARY_HELM} push ${HELM_CRD_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \ fi @echo "Done." @@ -105,7 +112,7 @@ crd-component-generate: ${K8S_RESOURCE_TEMP_FOLDER} ## Generate the CRD componen fi .PHONY: crd-component-apply -crd-component-apply: check-k8s-namespace-env-var crd-helm-chart-import crd-component-generate ## Applies the CRD component YAML resource to the actual defined context. +crd-component-apply: isProduction check-k8s-namespace-env-var crd-helm-chart-import crd-component-generate ## Applies the CRD component YAML resource to the actual defined context. @kubectl apply -f "${K8S_RESOURCE_CRD_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}" @echo "Done." diff --git a/build/make/k8s.mk b/build/make/k8s.mk index 2b79315..a46ff79 100644 --- a/build/make/k8s.mk +++ b/build/make/k8s.mk 
@@ -36,11 +36,11 @@ K3S_LOCAL_REGISTRY_PORT?=30099 # The URL of the container-registry to use. Defaults to the registry of the local-cluster. # If RUNTIME_ENV is "remote" it is "registry.cloudogu.com/testing" -CES_REGISTRY_HOST?="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}" +CES_REGISTRY_HOST?=${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT} CES_REGISTRY_NAMESPACE ?= ifeq (${RUNTIME_ENV}, remote) - CES_REGISTRY_HOST="registry.cloudogu.com" - CES_REGISTRY_NAMESPACE="/testing" + CES_REGISTRY_HOST=registry.cloudogu.com + CES_REGISTRY_NAMESPACE=/testing endif $(info CES_REGISTRY_HOST=$(CES_REGISTRY_HOST)) @@ -203,3 +203,14 @@ envtest: ${ENVTEST} ## Download envtest-setup locally if necessary. ${ENVTEST}: $(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest) + +.PHONY: isProduction +isProduction: + @if [[ "${STAGE}" == "production" ]]; then \ + echo "Command executed in production stage. Aborting."; \ + exit 1; \ + else \ + echo "Command executed in development stage. Continuing."; \ + fi + + diff --git a/build/make/mocks.mk b/build/make/mocks.mk index 4c9697f..82723c3 100644 --- a/build/make/mocks.mk +++ b/build/make/mocks.mk @@ -1,7 +1,7 @@ ##@ Mocking MOCKERY_BIN=${UTILITY_BIN_PATH}/mockery -MOCKERY_VERSION?=v2.42.1 +MOCKERY_VERSION?=v2.53.3 MOCKERY_YAML=${WORKDIR}/.mockery.yaml ${MOCKERY_BIN}: ${UTILITY_BIN_PATH} diff --git a/build/make/prerelease.mk b/build/make/prerelease.mk index c2cc39c..5ffc3bb 100644 --- a/build/make/prerelease.mk +++ b/build/make/prerelease.mk @@ -3,4 +3,4 @@ .PHONY: prerelease_namespace prerelease_namespace: - build/make/stagex.sh prerelease_namespace \ No newline at end of file + build/make/prerelease.sh prerelease_namespace \ No newline at end of file diff --git a/build/make/prerelease.sh b/build/make/prerelease.sh old mode 100644 new mode 100755 index d976d95..ba68b73 --- a/build/make/prerelease.sh +++ b/build/make/prerelease.sh 
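Review bot: The `else` branch of `isProduction` reports "Command executed in development stage" for every value of `STAGE` other than the exact string `production`, including an unset or misspelled one (`Production`, `prod`), so the guard passes silently on typos and the message can be wrong. Printing the actual value makes an accidental bypass visible: `echo "STAGE='${STAGE}' is not 'production'. Continuing."`. The target name also reads like a query that would succeed in production, whereas it aborts there; a `##` comment such as `## Aborts when STAGE is "production"` on the target (or a name like `assert-not-production`) would document the intent. The `[[ ]]` test assumes `SHELL` is bash, which the existing recipes in this file already rely on.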
@@ -5,23 +5,49 @@ set -o pipefail prerelease_namespace() { + TIMESTAMP=$(date +"%Y%m%d%H%M%S") + # Update version in dogu.json if [ -f "dogu.json" ]; then echo "Updating name in dogu.json..." ORIG_NAME="$(jq -r ".Name" ./dogu.json)" + ORIG_VERSION="$(jq -r ".Version" ./dogu.json)" PRERELEASE_NAME="prerelease_${ORIG_NAME}" + PRERELEASE_VERSION="${ORIG_VERSION}${TIMESTAMP}" jq ".Name = \"${PRERELEASE_NAME}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json + jq ".Version = \"${PRERELEASE_VERSION}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json jq ".Image = \"registry.cloudogu.com/${PRERELEASE_NAME}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json fi # Update version in Dockerfile if [ -f "Dockerfile" ]; then echo "Updating version in Dockerfile..." - ORIG_NAME="$(grep -oP "^[ ]*NAME=\"([^\"]*)" Dockerfile | awk -F "\"" '{print $2}')" - PRERELEASE_NAME="prerelease_$( echo -e "$ORIG_NAME" | sed 's/\//\\\//g' )" - sed -i "s/\(^[ ]*NAME=\"\)\([^\"]*\)\(.*$\)/\1${PRERELEASE_NAME}\3/" Dockerfile - fi + LABEL_BLOCK=$(sed -n '/^LABEL[[:space:]]/ {N; /NAME=".*"/ {N; /VERSION=".*"/ {p}}}' Dockerfile) + + # Extract NAME and VERSION from the LABEL block + ORIG_NAME=$(echo "$LABEL_BLOCK" | sed -n 's/.*NAME="\([^"]*\)".*/\1/p') + ORIG_VERSION=$(echo "$LABEL_BLOCK" | sed -n 's/.*VERSION="\([^"]*\)".*/\1/p') + # Output the extracted values for debugging + echo "ORIG_NAME Dockerfile: ${ORIG_NAME}" + echo "ORIG_VERSION Dockerfile: ${ORIG_VERSION}" + + # Prepare prerelease name and version + PRERELEASE_NAME="prerelease_$(echo -e "$ORIG_NAME" | sed 's/\//\\\//g')" + PRERELEASE_VERSION="${ORIG_VERSION}${TIMESTAMP}" + + # Output the new values for debugging + echo "PRERELEASE_NAME Dockerfile: ${PRERELEASE_NAME}" + echo "PRERELEASE_VERSION Dockerfile: ${PRERELEASE_VERSION}" + + # Only replace NAME= and VERSION= and only inside the LABEL block + # This assumes LABEL block is between 'LABEL' and first non-indented line + sed -i '/^LABEL/,/^[^[:space:]]/ { + 
s/\(NAME="\)[^"]*\("\)/\1'"${PRERELEASE_NAME}"'\2/ + s/\(VERSION="\)[^"]*\("\)/\1'"${PRERELEASE_VERSION}"'\2/ + }' Dockerfile + fi + } diff --git a/build/make/release.mk b/build/make/release.mk index 328f7ba..1fab1d6 100644 --- a/build/make/release.mk +++ b/build/make/release.mk @@ -4,7 +4,7 @@ .PHONY: dogu-release dogu-release: ## Start a dogu release - build/make/release.sh dogu + build/make/release.sh dogu "${FIXED_CVE_LIST}" $(DRY_RUN) .PHONY: node-release node-release: ## Start a node package release @@ -14,6 +14,10 @@ node-release: ## Start a node package release go-release: ## Start a go tool release build/make/release.sh go-tool +.PHONY: image-release +image-release: ## Start a go tool release + build/make/release.sh image + .PHONY: dogu-cve-release dogu-cve-release: ## Start a dogu release of a new build if the local build fixes critical CVEs @bash -c "build/make/release_cve.sh \"${REGISTRY_USERNAME}\" \"${REGISTRY_PASSWORD}\" \"${TRIVY_IMAGE_SCAN_FLAGS}\" \"${DRY_RUN}\" \"${CVE_SEVERITY}\"" diff --git a/build/make/self-update.mk b/build/make/self-update.mk index 33a6a72..3bed1ab 100644 --- a/build/make/self-update.mk +++ b/build/make/self-update.mk @@ -24,4 +24,9 @@ copy-new-files: .PHONY: update-build-libs update-build-libs: @echo "Check for newer Build-Lib versions" - build/make/self-update.sh buildlibs \ No newline at end of file + build/make/self-update.sh buildlibs + +.PHONY: set-dogu-version +set-dogu-version: + @echo "Set Version of Dogu without Release" + build/make/self-update.sh versions \ No newline at end of file diff --git a/build/make/self-update.sh b/build/make/self-update.sh index 72df125..6af39e8 100755 --- a/build/make/self-update.sh +++ b/build/make/self-update.sh @@ -3,6 +3,10 @@ set -o errexit set -o nounset set -o pipefail + +# shellcheck disable=SC1090 +source "$(pwd)/build/make/release_functions.sh" + TYPE="${1}" update_build_libs() { 
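Review bot: The Dockerfile branch never checks that the `LABEL_BLOCK` extraction found anything: the `sed -n` pattern only matches when `LABEL`, `NAME="…"` and `VERSION="…"` sit on three consecutive lines in that order, and when it does not, `ORIG_NAME` and `ORIG_VERSION` are empty strings (which `set -o nounset` does not catch) and the `sed -i` still rewrites the labels to `NAME="prerelease_"` and `VERSION="<timestamp>"`. Aborting on an empty extraction prevents writing a broken Dockerfile: `if [[ -z "${ORIG_NAME}" || -z "${ORIG_VERSION}" ]]; then echo "Could not extract NAME/VERSION from the Dockerfile LABEL block"; exit 1; fi`. The same applies to the `jq -r` results in the dogu.json branch, where a missing key yields the literal string `null`. Note also that `PRERELEASE_VERSION="${ORIG_VERSION}${TIMESTAMP}"` appends the timestamp without a separator, so `14.17-3` becomes `14.17-320250724120000` (constructed example); if that is intentional a comment explaining the expected version format would help the next reader.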
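Review bot: In the `dogu-release` recipe `$(DRY_RUN)` is passed unquoted while `"${FIXED_CVE_LIST}"` is quoted, so an empty `DRY_RUN` disappears from the argument list entirely rather than arriving as an empty third argument; whether release.sh treats a missing argument the same as an empty one is not visible here, but `build/make/release.sh dogu "${FIXED_CVE_LIST}" "$(DRY_RUN)"` keeps the positional arguments stable either way.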
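Review bot: The `##` help text of the new `image-release` target says "Start a go tool release", copied from `go-release` directly above it, so `make help` will describe two targets identically. It should read `image-release: ## Start an image release`.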
@@ -34,12 +38,23 @@ get_highest_version() { # Patch Jenkinsfile update_jenkinsfile() { sed -i "s/ces-build-lib@[[:digit:]].[[:digit:]].[[:digit:]]/ces-build-lib@$(get_highest_version ces)/g" Jenkinsfile - sed -i "s/dugu-build-lib@[[:digit:]].[[:digit:]].[[:digit:]]/dogu-build-lib@$(get_highest_version dogu)/g" Jenkinsfile + sed -i "s/dogu-build-lib@v[[:digit:]].[[:digit:]].[[:digit:]]/dogu-build-lib@v$(get_highest_version dogu)/g" Jenkinsfile +} + +# Patch Dogu Version without Release +set_dogu_version() { + CURRENT_TOOL_VERSION=$(get_current_version_by_dogu_json) + echo "$(tput setaf 1)ATTENTION: Make sure that the new version corresponds to the current software version$(tput sgr0)" + NEW_RELEASE_VERSION="$(read_new_version)" + validate_new_version "${NEW_RELEASE_VERSION}" + update_versions "${NEW_RELEASE_VERSION}" } # switch for script entrypoint if [[ "${TYPE}" == "buildlibs" ]];then update_build_libs +elif [[ "${TYPE}" == "versions" ]];then + set_dogu_version else echo "Unknown target ${TYPE}" fi diff --git a/build/make/static-analysis.mk b/build/make/static-analysis.mk index 00c406f..0989b74 100644 --- a/build/make/static-analysis.mk +++ b/build/make/static-analysis.mk @@ -2,14 +2,14 @@ STATIC_ANALYSIS_DIR=$(TARGET_DIR)/static-analysis GOIMAGE?=golang -GOTAG?=1.23 +GOTAG?=1.24 CUSTOM_GO_MOUNT?=-v /tmp:/tmp REVIEW_DOG=$(TMP_DIR)/bin/reviewdog LINT=$(TMP_DIR)/bin/golangci-lint -LINT_VERSION?=v1.61.0 +LINT_VERSION?=v2.1.6 # ignore tests and mocks -LINTFLAGS=--tests=false --exclude-files="^.*_mock.go$$" --exclude-files="^.*/mock.*.go$$" --timeout 10m --issues-exit-code 0 +LINTFLAGS=--tests=false --timeout 10m --issues-exit-code 0 ADDITIONAL_LINTER=-E bodyclose -E containedctx -E contextcheck -E decorder -E dupl -E errname -E forcetypeassert -E funlen -E unparam .PHONY: static-analysis 
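Review bot: The rewritten `dogu-build-lib` sed pattern `v[[:digit:]].[[:digit:]].[[:digit:]]` matches only single-digit version components, and the unescaped `.` matches any character, so a Jenkinsfile pinned to something like `dogu-build-lib@v3.10.0` (constructed example) is left untouched with no error. Use `v[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+` here, and the `ces-build-lib` line above it has the same limitation. In `set_dogu_version`, `CURRENT_TOOL_VERSION` is assigned but not referenced in the function; if `read_new_version` or `validate_new_version` read it as a global, a comment such as `# CURRENT_TOOL_VERSION is read by the helpers sourced from release_functions.sh` would make that dependency visible, otherwise the assignment can go.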
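Review bot: The comment `# ignore tests and mocks` above `LINTFLAGS` no longer matches the value: the two `--exclude-files` patterns for `*_mock.go` and `mock*.go` were dropped with the move to golangci-lint v2, leaving only `--tests=false`. If the mock exclusion moved into the v2 configuration file, say so (`# ignore tests; mock files are excluded in the golangci config`); if it did not, mocks are now linted and the comment should simply read `# ignore tests`. `--issues-exit-code 0` is kept, so the change only affects what ends up in the report, never the exit status.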
@@ -47,7 +47,7 @@ $(STATIC_ANALYSIS_DIR)/static-analysis.log: $(STATIC_ANALYSIS_DIR) $(STATIC_ANALYSIS_DIR)/static-analysis-cs.log: $(STATIC_ANALYSIS_DIR) @echo "run static analysis with export to checkstyle format" - @$(LINT) $(LINTFLAGS) run --out-format=checkstyle ./... $(ADDITIONAL_LINTER) > $@ + @$(LINT) $(LINTFLAGS) --output.checkstyle.path stdout run ./... $(ADDITIONAL_LINTER) > $@ $(STATIC_ANALYSIS_DIR): $(LINT) @mkdir -p $(STATIC_ANALYSIS_DIR) diff --git a/build/make/test-common.mk b/build/make/test-common.mk index 6eaa0da..efc0bc7 100644 --- a/build/make/test-common.mk +++ b/build/make/test-common.mk @@ -1,6 +1,6 @@ GO_JUNIT_REPORT=$(UTILITY_BIN_PATH)/go-junit-report -GO_JUNIT_REPORT_VERSION=v1.0.0 +GO_JUNIT_REPORT_VERSION=v2.1.0 $(GO_JUNIT_REPORT): $(UTILITY_BIN_PATH) @echo "Download go-junit-report..." - @$(call go-get-tool,$@,github.com/jstemmer/go-junit-report@$(GO_JUNIT_REPORT_VERSION)) + @$(call go-get-tool,$@,github.com/jstemmer/go-junit-report/v2@$(GO_JUNIT_REPORT_VERSION)) diff --git a/build/make/test-unit.mk b/build/make/test-unit.mk index 6838b1c..c6994a4 100644 --- a/build/make/test-unit.mk +++ b/build/make/test-unit.mk @@ -1,6 +1,7 @@ ##@ Unit testing UNIT_TEST_DIR=$(TARGET_DIR)/unit-tests +XUNIT_JSON=$(UNIT_TEST_DIR)/report.json XUNIT_XML=$(UNIT_TEST_DIR)/unit-tests.xml UNIT_TEST_LOG=$(UNIT_TEST_DIR)/unit-tests.log COVERAGE_REPORT=$(UNIT_TEST_DIR)/coverage.out @@ -8,10 +9,16 @@ COVERAGE_REPORT=$(UNIT_TEST_DIR)/coverage.out PRE_UNITTESTS?= POST_UNITTESTS?= +ASJSON?= + .PHONY: unit-test -unit-test: $(XUNIT_XML) ## Start unit tests +unit-test: $(XUNIT_JSON) ## Start unit tests + +ifeq ($(ENVIRONMENT),ci) +ASJSON='-json' +endif -$(XUNIT_XML): $(SRC) $(GO_JUNIT_REPORT) +$(XUNIT_JSON): $(SRC) $(GO_JUNIT_REPORT) ifneq ($(strip $(PRE_UNITTESTS)),) @make $(PRE_UNITTESTS) endif 
@@ -20,13 +27,15 @@ endif @echo 'mode: set' > ${COVERAGE_REPORT} @rm -f $(UNIT_TEST_LOG) || true @for PKG in $(PACKAGES) ; do \ - ${GO_CALL} test -v $$PKG -coverprofile=${COVERAGE_REPORT}.tmp 2>&1 | tee $(UNIT_TEST_LOG).tmp ; \ + ${GO_CALL} test -v $$PKG -coverprofile=${COVERAGE_REPORT}.tmp ${ASJSON} 2>&1 | tee $(UNIT_TEST_LOG).tmp ; \ cat ${COVERAGE_REPORT}.tmp | tail +2 >> ${COVERAGE_REPORT} ; \ rm -f ${COVERAGE_REPORT}.tmp ; \ cat $(UNIT_TEST_LOG).tmp >> $(UNIT_TEST_LOG) ; \ rm -f $(UNIT_TEST_LOG).tmp ; \ done - @cat $(UNIT_TEST_LOG) | $(GO_JUNIT_REPORT) > $@ + @cat $(UNIT_TEST_LOG) >> $@ + @cat $(UNIT_TEST_LOG) | $(GO_JUNIT_REPORT) -parser gojson > $(XUNIT_XML) + @if grep '^FAIL' $(UNIT_TEST_LOG); then \ exit 1; \ fi diff --git a/build/make/trivyscan.mk b/build/make/trivyscan.mk new file mode 100644 index 0000000..577853c --- /dev/null +++ b/build/make/trivyscan.mk @@ -0,0 +1,9 @@ +# used to create switch the dogu to a prerelease namespace +# e.g. official/usermgmt -> prerelease_official/usermgmt + +# scan a already build dogu image with trivy +# usage: make trivysan - will scan with severity CRITICAL +# make SEVERITY="HIGH, CRITICAL" trivysacn - will scan with different severity options (e.g. HIGH and CRITICAL) +.PHONY: trivyscan +trivyscan: + build/make/trivyscan.sh scan $(SEVERITY) \ No newline at end of file diff --git a/build/make/trivyscan.sh b/build/make/trivyscan.sh new file mode 100755 index 0000000..1fa050d --- /dev/null +++ b/build/make/trivyscan.sh 
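Review bot: `@cat $(UNIT_TEST_LOG) >> $@` appends to `report.json` instead of creating it, so the target accumulates every previous run's output (only `$(UNIT_TEST_LOG)` is removed at the start of the recipe); it should be `@cat $(UNIT_TEST_LOG) > $@`. The following two lines are also inconsistent with the `ASJSON` switch introduced in the previous hunk: `-parser gojson` is applied unconditionally although outside `ENVIRONMENT=ci` the log is plain `go test -v` text, and conversely when `-json` is set, failures arrive as `{"Action":"fail",…}` events, so `grep '^FAIL'` no longer matches at line start and, as far as this hunk shows, a failing test no longer makes the recipe exit non-zero in CI. Making the parser follow the flag (`$(if $(ASJSON),-parser gojson,)`) and grepping the JSON log for `'"Action":"fail"'` when `ASJSON` is set would restore the failure signal.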
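Review bot: `$(SEVERITY)` is passed to the script unquoted, so the documented invocation `make SEVERITY="HIGH, CRITICAL" trivyscan` splits into two arguments and trivyscan.sh, which reads only `${2}`, receives `HIGH,`; use `build/make/trivyscan.sh scan "$(SEVERITY)"`. The file header (`# used to create switch the dogu to a prerelease namespace …`) was copied from the prerelease makefile and does not describe this file, and the usage lines spell the target `trivysan` and `trivysacn`, which a user copying them would type verbatim. Suggested header: `# Scan an already built dogu image with trivy.` followed by the two usage lines with the target spelled `trivyscan`.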
@@ -0,0 +1,19 @@ +#!/bin/bash +set -o errexit +set -o nounset +set -o pipefail + +# scan a already build image for CVE findings +# Get tag name from dogu.json +trivy_scan() { + echo "Build image and get Tag-Name:" + IMAGE_TAG="$(jq ".Image" --raw-output dogu.json):$(jq ".Version" --raw-output dogu.json)" + docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --severity $SEVERITY $IMAGE_TAG +} + +TYPE="${1}" +SEVERITY="${2:-"CRITICAL"}" + +if [[ "${TYPE}" == "scan" ]];then + trivy_scan +fi \ No newline at end of file diff --git a/resources/post-upgrade.sh b/resources/post-upgrade.sh index 84402e4..853eff2 100755 --- a/resources/post-upgrade.sh +++ b/resources/post-upgrade.sh @@ -8,6 +8,8 @@ source "$(dirname "${BASH_SOURCE[0]}")/util.sh" function prepareForBackup() { isBackupAvailable=true + chownPgdata + # Moving backup and emptying PGDATA directory mv "${PGDATA}"/postgresqlFullBackup.dump /tmp/postgresqlFullBackup.dump @@ -186,7 +188,7 @@ function killPostgresql() { # Postgres is still running sleep 0.1 done - echo "postgresql successfully killed (this is expected during post upgrade)" + echo "postgresql successfully stopped (this is expected during post upgrade)" } function runPostUpgrade() { diff --git a/resources/startup.sh b/resources/startup.sh index bdf6526..b59d5ff 100755 --- a/resources/startup.sh +++ b/resources/startup.sh @@ -120,18 +120,14 @@ function setDoguLogLevel() { } function runMain() { - chown -R postgres "$PGDATA" - - # create /run/postgresql, if not existent - mkdir -p /run/postgresql - chown postgres:postgres /run/postgresql - # check whether post-upgrade script is still running while [[ "$(doguctl config "local_state" -d "empty")" == "upgrading" ]]; do echo "Upgrade script is running. Waiting..." sleep 3 done + chownPgdata + if [ -z "$(ls -A "$PGDATA")" ]; then initializePostgreSQL fi diff --git a/resources/util.sh b/resources/util.sh index 10e83c5..8071f2b 100644 --- a/resources/util.sh +++ b/resources/util.sh 
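Review bot: `$SEVERITY` and `$IMAGE_TAG` are expanded unquoted on the `docker run` line; `nounset` catches an unset value, but a value containing whitespace is split into several arguments, which is exactly what the `SEVERITY="HIGH, CRITICAL"` example in trivyscan.mk produces. Quote both: `--severity "${SEVERITY}" "${IMAGE_TAG}"`. The scanner image is referenced as `aquasec/trivy` without a tag or digest, so every run pulls whatever `latest` currently is and scan results are not reproducible; pin a version (and ideally a digest). Bind-mounting `/var/run/docker.sock` hands the scanner container full control of the host's Docker daemon; if the only goal is reading the local image, `docker save` to a tarball scanned with `trivy image --input` avoids exposing the socket. The echo `"Build image and get Tag-Name:"` is misleading, since the function only reads the tag from dogu.json.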
@@ -5,27 +5,35 @@ set -o pipefail function initializePostgreSQL() { - # set stage for health check - doguctl state installing + # set stage for health check + doguctl state installing - # install database - gosu postgres initdb + # install database + gosu postgres initdb - # postgres user - POSTGRES_USER="postgres" + # postgres user + POSTGRES_USER="postgres" - # store the user - doguctl config user "${POSTGRES_USER}" + # store the user + doguctl config user "${POSTGRES_USER}" - # create random password - POSTGRES_PASSWORD=$(doguctl random) + # create random password + POSTGRES_PASSWORD=$(doguctl random) - # store the password encrypted - doguctl config -e password "${POSTGRES_PASSWORD}" + # store the password encrypted + doguctl config -e password "${POSTGRES_PASSWORD}" - # open port - sed -ri "s/^#(listen_addresses\s*=\s*)\S+/\1'*'/" "$PGDATA"/postgresql.conf + # open port + sed -ri "s/^#(listen_addresses\s*=\s*)\S+/\1'*'/" "$PGDATA"/postgresql.conf - # set generated password - echo "ALTER USER ${POSTGRES_USER} WITH SUPERUSER PASSWORD '${POSTGRES_PASSWORD}';" | gosu 2>/dev/null 1>&2 postgres postgres --single -jE + # set generated password + echo "ALTER USER ${POSTGRES_USER} WITH SUPERUSER PASSWORD '${POSTGRES_PASSWORD}';" | gosu 2>/dev/null 1>&2 postgres postgres --single -jE +} + +function chownPgdata() { + chown -R postgres "$PGDATA" + + # create /run/postgresql, if not existent + mkdir -p /run/postgresql + chown postgres:postgres /run/postgresql } \ No newline at end of file
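Review bot: `chownPgdata` sets only the owner on `$PGDATA` (`chown -R postgres`) but owner and group on `/run/postgresql` (`postgres:postgres`), and carries no comment stating what it guarantees; if the group on the data directory matters, the two lines should agree. A header such as `# Ensures PGDATA and the socket directory /run/postgresql are owned by the postgres user; called on startup and before the post-upgrade backup` would document why it lives in util.sh. The recursive chown now runs on every start (startup.sh calls it after the upgrade wait), which on a large data directory is a noticeable delay; if that becomes a problem, `find "$PGDATA" ! -user postgres -exec chown postgres {} +` limits the work to files that actually need it. The rest of this hunk is re-indentation of `initializePostgreSQL`.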