eSlider/flamingo-tech-test
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 11 Wiki Activity

Compare commits

base: eSlider:v0.0.9
Branches Tags
eSlider:master
eSlider:v0.0.12 eSlider:v0.0.11 eSlider:v0.0.10 eSlider:v0.0.9 eSlider:v0.0.8 eSlider:v0.0.7 eSlider:v0.0.6 eSlider:v0.0.5 eSlider:v0.0.4 eSlider:v0.0.3 eSlider:v0.0.2 eSlider:v0.0.1
...
compare: eSlider:v0.0.11
Branches Tags
eSlider:master
eSlider:v0.0.12 eSlider:v0.0.11 eSlider:v0.0.10 eSlider:v0.0.9 eSlider:v0.0.8 eSlider:v0.0.7 eSlider:v0.0.6 eSlider:v0.0.5 eSlider:v0.0.4 eSlider:v0.0.3 eSlider:v0.0.2 eSlider:v0.0.1

2 Commits
v0.0.9 ... v0.0.11

Author SHA1 Message Date
Andriy Oblivantsev
8e99fe7614 Add Trivy CVE scan, container registry docs, and update diagrams
Helm Chart CI & Release / Lint Helm Chart (push) Successful in 9s
Details
Helm Chart CI & Release / Semantic Release (push) Successful in 2m1s
Details 
- Add Trivy vulnerability scan step to CI (HIGH/CRITICAL, warn-only)
- Add Container Registry section to README with pull examples
- Update architecture doc and HLD with crane + Trivy details

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-19 21:38:05 +00:00
Andriy Oblivantsev
bd723dbd05 Rename container package to flamingo-tech-test
Helm Chart CI & Release / Lint Helm Chart (push) Successful in 9s
Details
Helm Chart CI & Release / Semantic Release (push) Successful in 2m1s
Details 
Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-19 21:30:33 +00:00
4 changed files with 41 additions and 5 deletions
Expand all files Collapse all files
.github/workflows/release.yaml
Vendored
+17 -1
View File
@@ -131,7 +131,7 @@ jobs:
CHART_TAG="${{ steps.version.outputs.new_tag }}" CHART_TAG="${{ steps.version.outputs.new_tag }}"
SRC="docker.io/fleetdm/fleet:v${APP_VER}" SRC="docker.io/fleetdm/fleet:v${APP_VER}"
OWNER=$(echo "${{ gitea.repository_owner }}" | tr '[:upper:]' '[:lower:]') OWNER=$(echo "${{ gitea.repository_owner }}" | tr '[:upper:]' '[:lower:]')
DST="git.produktor.io/${OWNER}/fleet" DST="git.produktor.io/${OWNER}/flamingo-tech-test"
crane auth login git.produktor.io -u "${{ gitea.actor }}" -p "${{ secrets.REPO_TOKEN }}" crane auth login git.produktor.io -u "${{ gitea.actor }}" -p "${{ secrets.REPO_TOKEN }}"
crane copy "${SRC}" "${DST}:${APP_VER}" crane copy "${SRC}" "${DST}:${APP_VER}"
@@ -139,6 +139,22 @@ jobs:
crane tag "${DST}:${APP_VER}" "latest" crane tag "${DST}:${APP_VER}" "latest"
echo "Mirrored ${SRC} → ${DST}:{${APP_VER},${CHART_TAG},latest}" echo "Mirrored ${SRC} → ${DST}:{${APP_VER},${CHART_TAG},latest}"
- name: Trivy vulnerability scan
run: |
TRIVY_VER="0.58.2"
curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VER}/trivy_${TRIVY_VER}_Linux-64bit.tar.gz" \
| tar -xz -C /usr/local/bin trivy
APP_VER=$(grep '^appVersion:' fleetdm-stack/Chart.yaml | awk '{print $2}' | tr -d '"')
OWNER=$(echo "${{ gitea.repository_owner }}" | tr '[:upper:]' '[:lower:]')
IMAGE="git.produktor.io/${OWNER}/flamingo-tech-test:${APP_VER}"
export TRIVY_USERNAME="${{ gitea.actor }}"
export TRIVY_PASSWORD="${{ secrets.REPO_TOKEN }}"
echo "Scanning ${IMAGE} for vulnerabilities..."
trivy image --severity HIGH,CRITICAL --exit-code 0 "${IMAGE}"
- name: Create tag - name: Create tag
run: | run: |
git config user.name "Gitea Actions" git config user.name "Gitea Actions"
README.md
+19
View File
@@ -144,6 +144,25 @@ For production, configure proper TLS and a stable DNS name for agents.
1. **Basic CI pipeline** — Gitea Actions lint on push, release on tag (see [.github/workflows/release.yaml](.github/workflows/release.yaml)) 1. **Basic CI pipeline** — Gitea Actions lint on push, release on tag (see [.github/workflows/release.yaml](.github/workflows/release.yaml))
2. **Exposed Fleet UI**`make port-forward` on port 8585 (+ ingress `fleet.localhost`) 2. **Exposed Fleet UI**`make port-forward` on port 8585 (+ ingress `fleet.localhost`)
3. **`fleet prepare db`** — Handled by `autoApplySQLMigrations: true` in the Fleet Helm chart 3. **`fleet prepare db`** — Handled by `autoApplySQLMigrations: true` in the Fleet Helm chart
4. **Container image mirroring** — CI mirrors the upstream `fleetdm/fleet` image to the [Gitea OCI registry](https://git.produktor.io/eSlider/-/packages) using `crane` (daemonless)
5. **Trivy vulnerability scan** — Each release scans the mirrored image for HIGH/CRITICAL CVEs
## Container Registry
The CI pipeline mirrors the FleetDM image to the Gitea container registry on every release.
```bash
# Pull the latest mirrored image
docker pull git.produktor.io/eslider/flamingo-tech-test:latest
# Pull a specific app version
docker pull git.produktor.io/eslider/flamingo-tech-test:4.80.1
# Pull by chart release tag
docker pull git.produktor.io/eslider/flamingo-tech-test:v0.0.10
```
Browse all available tags at [git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest](https://git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest).
## Project Structure ## Project Structure
docs/architecture-design-company-inc.md
+1 -1
View File
@@ -147,7 +147,7 @@ All container images are stored in **GCP Artifact Registry** in the `company-inc
- **Image retention policy** — keep the latest 10 tagged images per service; automatically garbage-collect untagged manifests older than 30 days. - **Image retention policy** — keep the latest 10 tagged images per service; automatically garbage-collect untagged manifests older than 30 days.
- **Access control** — CI service account has `roles/artifactregistry.writer`; GKE node service accounts have `roles/artifactregistry.reader`. No human push access. - **Access control** — CI service account has `roles/artifactregistry.writer`; GKE node service accounts have `roles/artifactregistry.reader`. No human push access.
*For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost, with Trivy added as a CI step for vulnerability scanning.* *For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost. In the practical part of this project, this is demonstrated: the CI pipeline mirrors the upstream FleetDM image to the Gitea OCI registry using `crane` (a daemonless image tool), then scans it with **Trivy** for HIGH/CRITICAL CVEs before publishing the release.*
#### Deployment Pipelines (CI/CD Integration) #### Deployment Pipelines (CI/CD Integration)
docs/architecture-hld.md
+4 -3
View File
@@ -29,7 +29,7 @@ flowchart TB
Blue[Blue — new release<br/>smoke tests] Blue[Blue — new release<br/>smoke tests]
end end
subgraph Workloads subgraph Workloads
API[Backend — Python / Flask<br/>HPA · 23 replicas] API[Backend — Python / Flask<br/>HPA · 2-3 replicas]
SPA[Frontend — React SPA<br/>Nginx] SPA[Frontend — React SPA<br/>Nginx]
end end
Redis[Redis — Memorystore<br/>Session / Cache] Redis[Redis — Memorystore<br/>Session / Cache]
@@ -94,8 +94,9 @@ flowchart LR
flowchart LR flowchart LR
Dev[Developer] -->|push| Repo[Git Repo] Dev[Developer] -->|push| Repo[Git Repo]
Repo -->|webhook| CI[CI Pipeline<br/>lint · test · build] Repo -->|webhook| CI[CI Pipeline<br/>lint · test · build]
CI -->|docker build + push| Registry[Container Registry<br/>Artifact Registry / Gitea OCI] CI -->|crane copy / docker push| Registry[Container Registry<br/>Artifact Registry / Gitea OCI]
CI -->|scan image| Trivy[Trivy<br/>CVE scan] Registry -->|scan image| Trivy[Trivy<br/>HIGH + CRITICAL CVEs]
Trivy -->|pass| CI2[Publish Release]
CI -->|update manifests| GitOps[GitOps Repo] CI -->|update manifests| GitOps[GitOps Repo]
GitOps -->|sync| Argo[ArgoCD] GitOps -->|sync| Argo[ArgoCD]
Argo -->|blue-green deploy| GKE[GKE Cluster] Argo -->|blue-green deploy| GKE[GKE Cluster]