apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45052 Commits
5917 Branches
582 Tags
1.8 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 915f198ecb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '915f198ecb'
${ noResults }
grafana/scripts/drone/events/cron.star

194 lines
5.8 KiB
Raw Blame History

"""
This module provides functions for cronjob pipelines and steps used within.
"""
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
)
load(
"scripts/drone/utils/images.star",
"images",
)
load("scripts/drone/vault.star", "from_secret")
aquasec_trivy_image = "aquasec/trivy:0.21.0"
def cronjobs():
return [
scan_docker_image_pipeline("latest"),
scan_docker_image_pipeline("main"),
scan_docker_image_pipeline("latest-ubuntu"),
scan_docker_image_pipeline("main-ubuntu"),
scan_build_test_publish_docker_image_pipeline(),
grafana_com_nightly_pipeline(),
]
def authenticate_gcr_step():
return {
"name": "authenticate-gcr",
"image": "docker:dind",
"commands": ["echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io"],
"environment": {
"GCR_CREDENTIALS": from_secret("gcr_credentials"),
},
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}, {"name": "config", "path": "/root/.docker/"}],
}
def cron_job_pipeline(cronName, name, steps):
return {
"kind": "pipeline",
"type": "docker",
"platform": {
"os": "linux",
"arch": "amd64",
},
"name": name,
"trigger": {
"event": "cron",
"cron": cronName,
},
"clone": {
"retries": 3,
},
"steps": steps,
"volumes": [
{
"name": "docker",
"host": {
"path": "/var/run/docker.sock",
},
},
{
"name": "config",
"temp": {},
},
],
}
def scan_docker_image_pipeline(tag):
"""Generates a cronjob pipeline for nightly scans of grafana Docker images.
Args:
tag: determines which image tag is scanned.
Returns:
Drone cronjob pipeline.
"""
docker_image = "grafana/grafana:{}".format(tag)
return cron_job_pipeline(
cronName = "nightly",
name = "scan-" + docker_image + "-image",
steps = [
authenticate_gcr_step(),
scan_docker_image_unknown_low_medium_vulnerabilities_step(docker_image),
scan_docker_image_high_critical_vulnerabilities_step(docker_image),
slack_job_failed_step("grafana-backend-ops", docker_image),
],
)
def scan_build_test_publish_docker_image_pipeline():
"""Generates a cronjob pipeline for nightly scans of grafana Docker images.
Returns:
Drone cronjob pipeline.
"""
return cron_job_pipeline(
cronName = "nightly",
name = "scan-build-test-and-publish-docker-images",
steps = [
authenticate_gcr_step(),
scan_docker_image_unknown_low_medium_vulnerabilities_step("all"),
scan_docker_image_high_critical_vulnerabilities_step("all"),
slack_job_failed_step("grafana-backend-ops", "build-images"),
],
)
def scan_docker_image_unknown_low_medium_vulnerabilities_step(docker_image):
"""Generates a step for scans of Grafana Docker images.
Args:
docker_image: determines which image is scanned.
Returns:
Drone cronjob step .
"""
cmds = []
if docker_image == "all":
for key in images:
cmds = cmds + ["trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM " + images[key]]
else:
cmds = ["trivy image --exit-code 0 --severity UNKNOWN,LOW,MEDIUM " + docker_image]
return {
"name": "scan-unknown-low-medium-vulnerabilities",
"image": aquasec_trivy_image,
"commands": cmds,
"depends_on": ["authenticate-gcr"],
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}, {"name": "config", "path": "/root/.docker/"}],
}
def scan_docker_image_high_critical_vulnerabilities_step(docker_image):
"""Generates a step for scans of Grafana Docker images.
Args:
docker_image: determines which image is scanned.
Returns:
Drone cronjob step .
"""
cmds = []
if docker_image == "all":
for key in images:
cmds = cmds + ["trivy --exit-code 1 --severity HIGH,CRITICAL " + images[key]]
else:
cmds = ["trivy image --exit-code 1 --severity HIGH,CRITICAL " + docker_image]
return {
"name": "scan-high-critical-vulnerabilities",
"image": aquasec_trivy_image,
"commands": cmds,
"depends_on": ["authenticate-gcr"],
"environment": {
"GOOGLE_APPLICATION_CREDENTIALS": from_secret("gcr_credentials_json"),
},
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}, {"name": "config", "path": "/root/.docker/"}],
}
def slack_job_failed_step(channel, image):
return {
"name": "slack-notify-failure",
"image": images["plugins_slack"],
"settings": {
"webhook": from_secret("slack_webhook_backend"),
"channel": channel,
"template": "Nightly docker image scan job for " +
image +
" failed: {{build.link}}",
},
"when": {"status": "failure"},
}
def post_to_grafana_com_step():
return {
"name": "post-to-grafana-com",
"image": images["publish"],
"environment": {
"GRAFANA_COM_API_KEY": from_secret("grafana_api_key"),
"GCP_KEY": from_secret("gcp_key"),
},
"depends_on": ["compile-build-cmd"],
"commands": ["./bin/build publish grafana-com --edition oss"],
}
def grafana_com_nightly_pipeline():
return cron_job_pipeline(
cronName = "grafana-com-nightly",
name = "grafana-com-nightly",
steps = [
compile_build_cmd(),
post_to_grafana_com_step(),
],
)