Lab06

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,76 @@
+---
+name: Ansible Deployment
+
+on:
+  push:
+    branches: [ main, master ]
+    paths:
+      - 'ansible/**'
+      - '.github/workflows/ansible-deploy.yml'
+  pull_request:
+    branches: [ main, master ]
+    paths:
+      - 'ansible/**'
+
+jobs:
+  lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: |
+          pip install ansible ansible-lint
+
+      - name: Run ansible-lint
+        run: |
+          cd ansible
+          ansible-lint playbooks/*.yml
+
+  deploy:
+    name: Deploy Application
+    needs: lint
+    runs-on: self-hosted
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible
+        run: pip install ansible
+
+      - name: Deploy with Ansible
+        env:
+          ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+        run: |
+          cd ansible
+          echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault_pass
+          ansible-playbook playbooks/deploy.yml \
+            --vault-password-file /tmp/vault_pass \
+            -i inventory/hosts.ini
+          rm /tmp/vault_pass
+
+      - name: Verify Deployment
+        run: |
+          sleep 10
+          curl -f http://127.0.0.1:8000 || exit 1
+          curl -f http://127.0.0.1:8000/health || exit 1
+
+      - name: Display Deployment Summary
+        if: always()
+        run: |
+          echo "Deployment completed successfully!"
+          docker ps | grep devops || echo "Container may still be starting..."
+

.github/workflows/python-ci.yml

@@ -0,0 +1,152 @@
+name: Python CI
+
+on:
+  push:
+    branches:
+      - master
+      - main
+      - lab03
+    paths:
+      - 'app_python/**'
+      - '.github/workflows/python-ci.yml'
+  pull_request:
+    branches:
+      - master
+      - main
+    paths:
+      - 'app_python/**'
+      - '.github/workflows/python-ci.yml'
+
+# Cancel in-progress workflow runs when a new push occurs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Test and Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+          cache-dependency-path: 'app_python/requirements.txt'
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('app_python/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Install dependencies
+        run: |
+          cd app_python
+          pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pylint
+
+      - name: Run linter (pylint)
+        run: |
+          cd app_python
+          pylint app.py --disable=C0114,C0116,R0801 || true
+        continue-on-error: true
+
+      - name: Run tests
+        run: |
+          cd app_python
+          pytest -v --tb=short
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+          cache-dependency-path: 'app_python/requirements.txt'
+
+      - name: Install dependencies
+        run: |
+          cd app_python
+          pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/python@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high --file=app_python/requirements.txt
+
+  docker:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    needs: [test, security]
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/lab03')
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKER_USERNAME }}/devops-info-service
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,prefix=,format=short
+            type=raw,value={{date 'YYYY.MM.DD'}}
+
+      - name: Generate version tag
+        id: version
+        run: |
+          # Using CalVer format: YYYY.MM.DD
+          VERSION=$(date +%Y.%m.%d)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Generated version: $VERSION"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./app_python
+          file: ./app_python/Dockerfile
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_USERNAME }}/devops-info-service:latest
+            ${{ secrets.DOCKER_USERNAME }}/devops-info-service:${{ steps.version.outputs.version }}
+            ${{ secrets.DOCKER_USERNAME }}/devops-info-service:${{ github.sha }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Image digest
+        run: echo "Image pushed successfully with tags - latest, ${{ steps.version.outputs.version }}, ${{ github.sha }}"
+

.gitignore

@@ -1 +1,9 @@
-test
+test
+
+# Ansible
+*.retry
+.vault_pass
+.vault_password
+ansible/inventory/*.pyc
+ansible/__pycache__/
+

ansible/.gitignore

@@ -0,0 +1,24 @@
+# Ansible generated files
+*.retry
+*.pyc
+__pycache__/
+
+# Vault password file — NEVER commit
+.vault_pass
+.vault_password
+
+# Local inventory overrides
+inventory/local.ini
+
+# Python virtualenv
+venv/
+.venv/
+
+# Compiled Python
+*.pyc
+*.pyo
+
+# Temporary files
+*.tmp
+*.log
+

ansible/ansible.cfg

@@ -0,0 +1,14 @@
+[defaults]
+inventory         = inventory/hosts.ini
+roles_path        = roles
+host_key_checking = False
+remote_user       = vagrant
+retry_files_enabled = False
+stdout_callback   = yaml
+interpreter_python = auto_silent
+
+[privilege_escalation]
+become       = True
+become_method = sudo
+become_user  = root
+