Gonzo's DevOps assesment

A Dockerfile that runs Litecoin 0.18.1 in a container. I have been checking some info, specifically here and here, but just to gather some info to build the entrypoint script and finally I have created my own solution.

Build it with:
docker build . -t "litecoin:0.18.1"

Run it with:
docker run --name my-litecoin -d -p 9332:9332 -p 9333:9333 -p 19332:19332 -p 19333:19333 -p 19444:19444 litecoin:0.18.1

You can check logs with:
docker logs my-litecoin -f

I have not used anchore to scan image vulnerabilities. I have used AWS solution as it is quiet simple and it is integrated in the ECR. You just need to create like this to scan automatically images on push:
aws ecr create-repository --repository-name stuff/litecoin --image-scanning-configuration scanOnPush=true --region eu-west-1

Tag it and push it:
docker tag litecoin:0.18.1 0881XXXXXX.dkr.ecr.eu-west-1.amazonaws.com/stuff/litecoin:0.18.1 docker push 0881XXXXXX.dkr.ecr.eu-west-1.amazonaws.com/stuff/litecoin:10.18.1

You can inspect vulnerabilities from the portal or with aws cli with: aws ecr describe-image-scan-findings --repository-name stuff/litecoin --image-id imageTag=0.18.1 --region eu-west-1

As it have detected one High vulnerability with glibc, I have fixed it updating needed packages from testing sources because this is a new vulnerability and it has not been backported yet to stable.

Kubernetes StatefulSet to run the above, using persistent volume claims and resource limits. I have created one simple litecoin.yaml StatefulSet with one persistent volume for the previous litecoin container.
I have also defined some limits to the container with a memory request of 256Mi and a CPU ussage of ¼ of a core. And also I have set a sum of limited resources for all of its containers in the limits section.

A simple build and deployment pipeline for the above using groovy/Jenkinsfile, Travis CI or Gitlab CI.
As I am always using Jenkins and nowadays I am using GitHub Actions I have decided to build a simple pipeline in GitHub Actions to build and deploy the previous litecoin example. You can find it in .github/workflows/ci.yaml and have comments inline.

Basically, it will do:

• Execute on some specific branches
• Assign some variables according to the branches (master|main -> prod, develop -> dev, etc)
• Configure AWS credentials and log to AWS ECR
• Build, tag and push litecoin to AWS ECR
• Kubectl and Helm installation
• Execute my python script that parse secrets stored in Vault and populate them in Helm yaml chart
• Finally it install it deploy StatefulSet with helm

I have one grep and aws example in the Dockerfile (plus ather extra things like variables expansion in bash):
RUN SUM=$(curl -s -i https://download.litecoin.org/litecoin-${LITECOIN_VERSION}/linux/litecoin-${LITECOIN_VERSION}-linux-signatures.asc | grep litecoin-${LITECOIN_VERSION}-x86_64-linux-gnu.tar.gz | awk '{print $1}') && echo "${SUM} litecoin.tar.gz" | sha256sum -c -

Here, I grep for litecoin tar.gz SHA256 line in the asc file, I choose the first element with awk and I compare it with the previous downloaded litcoin tar.gz source.

I love Python, to automate things when Bash is not enough. In the script tools/vaultValues.py you can find one example of one Python program I did to parse one Helm yaml chart and look for the secrets in one Hashicorp Vault and populate them. There are some tricky things like loop nested dictionary. I did it 18 months ago. Now I thing there are some kind of official solutions to do this, but not 2 years ago, so I did my own solution.
I will be happy to explain it in a tech meeting. Feel free to use it if you find useful.

And I also loves Terraform and I work with it every day. Check terraform dir for the needed files.
Sufix is populated depending on the env by the terraform workspace (prod, dev, qa, etc).