diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6375ebf79..729a9f8f3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -35,12 +35,12 @@ jobs: python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV - name: Initialize CodeQL - uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: languages: ${{ matrix.language }} config-file: ./.github/codeql.yml setup-python-dependencies: false - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml index ebaa8992b..963e833ec 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/container-build.yml @@ -95,7 +95,7 @@ jobs: # Build cached image - name: Build image if: inputs.CACHE == true - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 with: context: . file: ${{ inputs.DOCKERFILE }} @@ -108,7 +108,7 @@ jobs: # Build non-cached image - name: Build image if: inputs.CACHE != true - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 with: context: . file: ${{ inputs.DOCKERFILE }} diff --git a/.github/workflows/linux-build.yml b/.github/workflows/linux-build.yml index fd48430bf..c8167fc7e 100644 --- a/.github/workflows/linux-build.yml +++ b/.github/workflows/linux-build.yml 
@@ -97,7 +97,7 @@ jobs: # Build testing package image - name: Build package image if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' || inputs.RELEASE == '1.6' - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 with: context: . load: true @@ -109,7 +109,7 @@ jobs: # Build non-testing package image - name: Build package image if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev' && inputs.RELEASE != 'ui' && inputs.RELEASE != '1.6' - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 with: context: . load: true @@ -145,7 +145,7 @@ jobs: images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }} - name: Build test image if: inputs.TEST == true - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 with: context: . file: tests/linux/Dockerfile-${{ inputs.LINUX }} diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml index 94b87bab8..adbe20e1f 100644 --- a/.github/workflows/push-docker.yml +++ b/.github/workflows/push-docker.yml @@ -70,7 +70,7 @@ jobs: images: bunkerity/${{ inputs.IMAGE }} # Build and push - name: Build and push - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 with: context: . file: ${{ inputs.DOCKERFILE }} diff --git a/.github/workflows/push-github.yml b/.github/workflows/push-github.yml index 73acddc88..39fb49cc8 100644 --- a/.github/workflows/push-github.yml +++ b/.github/workflows/push-github.yml 
@@ -51,7 +51,7 @@ jobs: # Create release - name: Create release if: inputs.VERSION != 'testing' - uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 + uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 with: body: | Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/ @@ -75,7 +75,7 @@ jobs: # Create release - name: Create release if: inputs.VERSION == 'testing' - uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 + uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 with: body: | **The testing version of BunkerWeb should not be used in production, please use the latest stable version instead.** diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index 4d35e34c0..64f533707 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -25,6 +25,6 @@ jobs: results_format: sarif publish_results: true - name: "Upload SARIF results to code scanning" - uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: sarif_file: results.sarif diff --git a/docs/integrations.md b/docs/integrations.md index 170df3dda..2d301c5e4 100644 --- a/docs/integrations.md +++ b/docs/integrations.md @@ -714,6 +714,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: sa-bunkerweb + namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -745,6 +746,7 @@ spec: annotations: bunkerweb.io/INSTANCE: "yes" spec: + serviceAccountName: sa-bunkerweb containers: # using bunkerweb as name is mandatory - name: bunkerweb diff --git a/docs/web-ui.md b/docs/web-ui.md index d59f33230..3b3220443 100644 --- a/docs/web-ui.md +++ b/docs/web-ui.md 
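Review bot: The `serviceAccountName: sa-bunkerweb` line added to the DaemonSet pod spec in docs/integrations.md (`@@ -745,6 +746,7 @@`) mounts that account's token in the pod annotated `bunkerweb.io/INSTANCE`, and the account appears to be the subject of the ClusterRoleBinding that follows it in the same manifest. Whether this pod itself calls the Kubernetes API is not visible in the hunk; if it does not, the example should give it a separate account with `automountServiceAccountToken: false` and leave `sa-bunkerweb` to the components that need API access. The same line is added in docs/web-ui.md at `@@ -453,6 +478,7 @@` and `@@ -1299,6 +1350,7 @@`, where the account also gains `get` on `pods/log`. The pod spec continues outside the hunk.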
@@ -418,10 +418,21 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th resources: ["ingresses"] verbs: ["get", "watch", "list"] --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: default + name: role-bunkerweb-logs + rules: + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get"] + --- apiVersion: v1 kind: ServiceAccount metadata: name: sa-bunkerweb + namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -437,6 +448,20 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th name: cr-bunkerweb apiGroup: rbac.authorization.k8s.io --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: rolebinding-bunkerweb-logs + namespace: default + subjects: + - kind: ServiceAccount + name: sa-bunkerweb + namespace: default + roleRef: + kind: Role + name: role-bunkerweb-logs + apiGroup: rbac.authorization.k8s.io + --- apiVersion: apps/v1 kind: DaemonSet metadata: @@ -453,6 +478,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th annotations: bunkerweb.io/INSTANCE: "yes" spec: + serviceAccountName: sa-bunkerweb containers: # using bunkerweb as name is mandatory - name: bunkerweb @@ -534,7 +560,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th env: - name: KUBERNETES_MODE value: "yes" - - name: "DATABASE_URI" + - name: DATABASE_URI value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" --- apiVersion: apps/v1 @@ -561,7 +587,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th env: - name: KUBERNETES_MODE value: "yes" - - name: "DATABASE_URI" + - name: DATABASE_URI value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" --- apiVersion: apps/v1 
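Review bot: The new `role-bunkerweb-logs` Role in the first docs/web-ui.md hunk (`@@ -418,10 +418,21 @@`) grants `get` on `pods/log` with no narrowing, so `sa-bunkerweb` can read the logs of every pod in the `default` namespace, not only BunkerWeb's own. Because the example pins the Role, the RoleBinding and the ServiceAccount to `default`, readers who apply it to a shared cluster expose the logs of unrelated workloads to any pod running under this account. I would either switch the example's `namespace:` values to a dedicated namespace or add a comment above the Role such as `# grants read access to the logs of ALL pods in this namespace; deploy BunkerWeb in a dedicated namespace`. The same Role and RoleBinding are repeated at `@@ -1264,10 +1290,21 @@` and `@@ -1283,6 +1320,20 @@`.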
@@ -608,14 +634,14 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th env: - name: MYSQL_RANDOM_ROOT_PASSWORD value: "yes" - - name: "MYSQL_DATABASE" + - name: MYSQL_DATABASE value: "db" - - name: "MYSQL_USER" + - name: MYSQL_USER value: "bunkerweb" - - name: "MYSQL_PASSWORD" + - name: MYSQL_PASSWORD value: "changeme" volumeMounts: - - mountPath: "/var/lib/mysql" + - mountPath: /var/lib/mysql name: vol-db volumes: - name: vol-db @@ -646,7 +672,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th env: - name: KUBERNETES_MODE value: "YES" - - name: "DATABASE_URI" + - name: DATABASE_URI value: "mariadb+pymysql://bunkerweb:testor@svc-bunkerweb-db:3306/db" --- apiVersion: v1 @@ -1264,10 +1290,21 @@ After a successful login/password combination, you will be prompted to enter you resources: ["ingresses"] verbs: ["get", "watch", "list"] --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: default + name: role-bunkerweb-logs + rules: + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get"] + --- apiVersion: v1 kind: ServiceAccount metadata: name: sa-bunkerweb + namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -1283,6 +1320,20 @@ After a successful login/password combination, you will be prompted to enter you name: cr-bunkerweb apiGroup: rbac.authorization.k8s.io --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: rolebinding-bunkerweb-logs + namespace: default + subjects: + - kind: ServiceAccount + name: sa-bunkerweb + namespace: default + roleRef: + kind: Role + name: role-bunkerweb-logs + apiGroup: rbac.authorization.k8s.io + --- apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -1299,6 +1350,7 @@ After a successful login/password combination, you will be prompted to enter you annotations: bunkerweb.io/INSTANCE: "yes" spec: + serviceAccountName: sa-bunkerweb containers: # using bunkerweb as name is mandatory - name: bunkerweb @@ -1377,7 +1429,7 @@ After a successful login/password combination, you will be prompted to enter you env: - name: KUBERNETES_MODE value: "yes" - - name: "DATABASE_URI" + - name: DATABASE_URI value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" --- apiVersion: apps/v1 @@ -1404,7 +1456,7 @@ After a successful login/password combination, you will be prompted to enter you env: - name: KUBERNETES_MODE value: "yes" - - name: "DATABASE_URI" + - name: DATABASE_URI value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" --- apiVersion: apps/v1 @@ -1451,14 +1503,14 @@ After a successful login/password combination, you will be prompted to enter you env: - name: MYSQL_RANDOM_ROOT_PASSWORD value: "yes" - - name: "MYSQL_DATABASE" + - name: MYSQL_DATABASE value: "db" - - name: "MYSQL_USER" + - name: MYSQL_USER value: "bunkerweb" - - name: "MYSQL_PASSWORD" + - name: MYSQL_PASSWORD value: "changeme" volumeMounts: - - mountPath: "/var/lib/mysql" + - mountPath: /var/lib/mysql name: vol-db volumes: - name: vol-db @@ -1493,7 +1545,7 @@ After a successful login/password combination, you will be prompted to enter you value: "changeme" - name: KUBERNETES_MODE value: "YES" - - name: "DATABASE_URI" + - name: DATABASE_URI value: "mariadb+pymysql://bunkerweb:testor@svc-bunkerweb-db:3306/db" --- apiVersion: v1 
@@ -1564,6 +1616,9 @@ After a successful login/password combination, you will be prompted to enter you metadata: name: ingress annotations: + bunkerweb.io/www.example.com_SERVE_FILES: "no" + bunkerweb.io/www.example.com_USE_CLIENT_CACHE: "yes" + bunkerweb.io/www.example.com_USE_GZIP: "yes" bunkerweb.io/www.example.com_USE_UI: "yes" bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504' bunkerweb.io/www.example.com_MAX_CLIENT_SIZE: '50m' diff --git a/examples/prestashop/tests.json b/examples/prestashop/tests.json.backup similarity index 75% rename from examples/prestashop/tests.json rename to examples/prestashop/tests.json.backup index 354b54baf..219a48655 100644 --- a/examples/prestashop/tests.json +++ b/examples/prestashop/tests.json.backup @@ -2,11 +2,11 @@ "name": "prestashop", "kinds": ["docker", "autoconf", "swarm", "kubernetes"], "timeout": 240, - "delay": 240, + "delay": 300, "tests": [ { "type": "string", - "url": "https://www.example.com/administration", + "url": "https://www.example.com", "string": "prestashop", "tls": "www.example.com" }