Lab18

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,107 @@
+name: Ansible Deployment
+
+on:
+  push:
+    paths:
+      - 'ansible/**'
+      - '.github/workflows/ansible-deploy.yml'
+  pull_request:
+    paths:
+      - 'ansible/**'
+      - '.github/workflows/ansible-deploy.yml'
+
+jobs:
+  lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: |
+          pip install ansible ansible-lint
+
+      - name: Create vault password file
+        run: |
+          echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > .vault_pass
+          chmod 600 .vault_pass
+        working-directory: ansible
+
+      - name: Run ansible-lint
+        run: |
+          ansible-lint playbooks/*.yml
+        working-directory: ansible
+
+      - name: Cleanup vault password
+        if: always()
+        run: |
+          rm -f ansible/.vault_pass
+
+  deploy:
+    name: Deploy Application
+    needs: lint
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main')
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible
+        run: |
+          pip install ansible
+
+      - name: Install Ansible collections
+        run: |
+          ansible-galaxy collection install community.docker
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -H ${{ secrets.VM_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Create vault password file
+        run: |
+          echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > /tmp/vault_pass
+          chmod 600 /tmp/vault_pass
+
+      - name: Update inventory with secrets
+        run: |
+          cd ansible
+          sed -i "s/ansible_host=127.0.0.1 ansible_port=2222/ansible_host=${{ secrets.VM_HOST }} ansible_port=22/" inventory/hosts.ini
+          sed -i "s|ansible_ssh_private_key_file=.*|ansible_ssh_private_key_file=~/.ssh/id_rsa|" inventory/hosts.ini
+          sed -i "s/ansible_user=vagrant/ansible_user=${{ secrets.VM_USER }}/" inventory/hosts.ini
+
+      - name: Deploy with Ansible
+        run: |
+          cd ansible
+          ansible-playbook playbooks/deploy.yml \
+            --vault-password-file /tmp/vault_pass \
+            -i inventory/hosts.ini
+
+      - name: Cleanup vault password
+        if: always()
+        run: |
+          rm -f /tmp/vault_pass
+
+      - name: Wait for application to start
+        run: sleep 10
+
+      - name: Verify application deployment
+        run: |
+          curl -f http://${{ secrets.VM_HOST }}:5000 || exit 1
+          curl -f http://${{ secrets.VM_HOST }}:5000/health || exit 1

.github/workflows/python-ci.yml

@@ -0,0 +1,143 @@
+name: Python CI/CD Pipeline
+
+on:
+  push:
+    branches:
+      - master
+      - lab03
+    paths:
+      - 'app_python/**'
+      - '.github/workflows/python-ci.yml'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'app_python/**'
+      - '.github/workflows/python-ci.yml'
+
+env:
+  PYTHON_VERSION: '3.13'
+  APP_NAME: devops-info-service
+  DOCKER_IMAGE: haruyume/devops-info-service
+  WORKING_DIR: app_python
+
+jobs:
+  test:
+    name: Test & Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'
+          cache-dependency-path: |
+            ${{ env.WORKING_DIR }}/requirements.txt
+            ${{ env.WORKING_DIR }}/requirements-dev.txt
+
+      - name: Install dependencies
+        working-directory: ${{ env.WORKING_DIR }}
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install -r requirements-dev.txt
+
+      - name: Lint with Ruff
+        working-directory: ${{ env.WORKING_DIR }}
+        run: |
+          # Check for syntax errors and undefined names
+          ruff check . --select=E9,F63,F7,F82 --target-version=py313
+          # Run full linting
+          ruff check . --target-version=py313
+        continue-on-error: false
+
+      - name: Run unit tests
+        working-directory: ${{ env.WORKING_DIR }}
+        run: |
+          pytest -v --tb=short
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install dependencies
+        working-directory: ${{ env.WORKING_DIR }}
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run Snyk security scan
+        uses: snyk/actions/python@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high --file=${{ env.WORKING_DIR }}/requirements.txt
+
+  build-push:
+    name: Build & Push Docker Image
+    runs-on: ubuntu-latest
+    needs: test
+    # Only push images on master and lab03 branches (not on PRs from forks)
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/lab03')
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          tags: |
+            # Calendar versioning with build number
+            type=raw,value={{date 'YYYY.MM.DD'}}-${{ github.run_number }}
+            # Monthly rolling tag
+            type=raw,value={{date 'YYYY.MM'}}
+            # Latest tag
+            type=raw,value=latest
+          labels: |
+            org.opencontainers.image.title=${{ env.APP_NAME }}
+            org.opencontainers.image.description=DevOps Info Service - Flask application
+            org.opencontainers.image.vendor=DevOps Core Course
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./${{ env.WORKING_DIR }}
+          file: ./${{ env.WORKING_DIR }}/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+          platforms: linux/amd64,linux/arm64
+
+      - name: Image digest
+        run: echo "Image pushed with digest ${{ steps.build-push.outputs.digest }}"

.gitignore

@@ -1 +1,3 @@
-test
+test
+result
+labs/lab18/app_python/result

README.md

@@ -3,6 +3,7 @@
 [![Labs](https://img.shields.io/badge/Labs-18-blue)](#labs)
 [![Exam](https://img.shields.io/badge/Exam-Optional-green)](#exam-alternative)
 [![Duration](https://img.shields.io/badge/Duration-18%20Weeks-lightgrey)](#course-roadmap)
+[![Ansible Deployment](https://github.com/haruyume/DevOps-Core-Course/actions/workflows/ansible-deploy.yml/badge.svg)](https://github.com/haruyume/DevOps-Core-Course/actions/workflows/ansible-deploy.yml)
 
 Master **production-grade DevOps practices** through hands-on labs. Build, containerize, deploy, monitor, and scale applications using industry-standard tools.