This demo shows how to build a Docker container from a Python Flask app, push it to an Azure Container Registry, and then run the container on an Azure Container Instance.
This project implements DoD DevSecOps for PaaS Enterprise Applications. DevOps or DevSecOps is fundamental to any but the most trivial projects.
The Actions included create a full DevSecOps pipeline to deploy to an AKS Cluster or an Azure Container Instance. The pipelines follow the guidelines of DoD DevSecOps, implementing:
- Code Scanning
- Running automated tests
- Test coverage reports
- Container Build
- Dependency checks
- Container scan
- Docker push to configured registry
- Deploy to an AKS Cluster
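The stage order above is the whole point of a fail-closed pipeline: nothing gets pushed or deployed unless every scan, test and gate before it passed. The script below is an added example, not the project's own workflow file; it drives the same stages locally so you can see the ordering before wiring it into the Action. The tool choices (bandit, pytest-cov, pip-audit, trivy) and the registry host are assumptions, and the coverage report used by the self-check is a constructed sample.

```shell
#!/bin/sh
# Added example, not the project's own workflow: a fail-closed driver for the
# pipeline stages, runnable locally. Tool names are assumptions; swap in whatever
# the workflow actually calls, but keep the order (push only after every gate).
set -u

IMAGE="${IMAGE:-flask-container-action:latest}"
REGISTRY="${REGISTRY:-myregistry.azurecr.io}"   # placeholder registry host
COVERAGE_MIN="${COVERAGE_MIN:-80}"              # minimum line coverage in percent

# Run one named stage. A non-zero exit from the tool propagates to the caller,
# which returns immediately, so nothing after a failed scan or test runs.
stage() {
  name="$1"; shift
  printf '==> %s\n' "$name" >&2
  "$@" || { printf '!! stage "%s" failed\n' "$name" >&2; return 1; }
}

# Read the TOTAL line of a pytest-cov terminal report and gate on COVERAGE_MIN.
# Returns 0 when coverage >= threshold, 1 when below or when no TOTAL line exists.
coverage_ok() {
  pct=$(printf '%s\n' "$1" | awk '$1 == "TOTAL" { sub("%", "", $NF); print $NF; exit }')
  [ -n "$pct" ] || return 1
  [ "$pct" -ge "$COVERAGE_MIN" ]
}

# Constructed sample of a pytest-cov report, used only by self_check.
SAMPLE_COVERAGE_REPORT='Name      Stmts   Miss  Cover
app.py      120      6    95%
TOTAL       120      6    95%'

# Exercises the coverage gate without running any external tool.
self_check() { coverage_ok "$SAMPLE_COVERAGE_REPORT"; }

pipeline() {
  stage "code scan"        bandit -q -r . || return 1
  report=$(stage "unit tests" pytest -q --cov=. --cov-report=term) || return 1
  printf '%s\n' "$report"
  stage "coverage gate"    coverage_ok "$report" || return 1
  stage "dependency check" pip-audit -r requirements.txt || return 1
  stage "container build"  docker build -t "$IMAGE" . || return 1
  stage "container scan"   trivy image --severity HIGH,CRITICAL --exit-code 1 "$IMAGE" || return 1
  # Only reached when every gate passed. The registry password is read from the
  # environment (the REGISTRY_PASSWORD secret in the Action), never from argv.
  printf '%s' "${REGISTRY_PASSWORD:?}" \
    | docker login "$REGISTRY" -u "${REGISTRY_USERNAME:?}" --password-stdin || return 1
  docker tag "$IMAGE" "$REGISTRY/$IMAGE" && docker push "$REGISTRY/$IMAGE"
}

# Run the real pipeline only when asked explicitly: ./pipeline.sh --run
if [ "${1:-}" = "--run" ]; then pipeline; fi
```

Every stage is invoked through `stage` so that a failure anywhere short-circuits `pipeline` before `docker login`; the coverage gate is the one step that needs its own parser, which is why it is a separate function with a self-check.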
The app itself is simple but unimportant -- replace it with any other app and the constructs of the GitHub Action should remain the same.
Prerequisites:
- An Azure subscription
- A resource group called "Demo"
- An Azure Container Registry resource created in the Demo resource group
- The Admin User login/password enabled on that Azure Container Registry
Clone the repository and you've got it. Install the dependencies with the requirements.txt file.
The Dockerfile supplied will work for any Flask app on Ubuntu.
This is optional, but a useful step on a Developer machine, to verify that your Docker image will build properly.
docker build -t flask-container-action:latest .
Here, the image is called flask-container-action, and it's tagged as latest.
This is optional, but a useful step on a Developer machine, to verify that your Docker image will run properly.
docker run -p 80:80 flask-container-action
Here, local port 80 is mapped to container port 80.
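The two commands above build and run the image in the foreground. For a repeatable check on a developer machine you usually want the run detached, a wait until the app actually answers, and the container removed afterwards. The script below is an added example and not part of the original README; the container name, the host port and the probe path are assumptions (the demo app may only serve "/").

```shell
#!/bin/sh
# Added example, not part of the original README: build the image, run it
# detached, wait for the Flask app to answer, then remove the container.
set -u

IMAGE="${IMAGE:-flask-container-action:latest}"
NAME="${NAME:-flask-smoke}"              # assumed container name
HOST_PORT="${HOST_PORT:-8080}"           # high port so no privileged port is needed locally
PROBE_PATH="${PROBE_PATH:-/}"            # assumed path the app answers on

# Poll URL until it returns an HTTP 2xx/3xx or TIMEOUT seconds elapse.
# Returns 0 on success, 1 on timeout, 2 when curl is not installed.
wait_for_http() {
  url="$1"; timeout="${2:-30}"; elapsed=0
  command -v curl >/dev/null 2>&1 || return 2
  while [ "$elapsed" -lt "$timeout" ]; do
    # "000" is what curl reports when the connection itself fails.
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 2 "$url" || true)
    case "$code" in 2??|3??) return 0 ;; esac
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

build_image() { docker build -t "$IMAGE" . ; }

# Start detached; remove any leftover container with the same name first.
run_detached() {
  docker rm -f "$NAME" >/dev/null 2>&1 || true
  docker run -d --rm --name "$NAME" -p "${HOST_PORT}:80" "$IMAGE"
}

cleanup() { docker rm -f "$NAME" >/dev/null 2>&1 || true; }

# Build, run, probe, and always clean up; the exit code reflects the probe.
smoke_test() {
  build_image || return 1
  run_detached || return 1
  if wait_for_http "http://127.0.0.1:${HOST_PORT}${PROBE_PATH}" 30; then
    echo "container answered on port ${HOST_PORT}"
    rc=0
  else
    echo "container did not answer; last 50 log lines:" >&2
    docker logs --tail 50 "$NAME" >&2 || true
    rc=1
  fi
  cleanup
  return "$rc"
}

# Run only when asked explicitly: ./smoke.sh --run
if [ "${1:-}" = "--run" ]; then smoke_test; fi
```

On failure the script prints the container's recent logs before removing it, which is usually enough to tell a port mismatch (the Dockerfile must expose the port Flask binds to) from an app crash.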
You can do this on your own machine if you have Azure CLI installed, or simply in the portal from the Cloud Shell (Bash).
az ad sp create-for-rbac --name "rc-az-action" --sdk-auth --role contributor --scopes /subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/Demo
Here, the create-for-rbac command is used to create a Service Principal called rc-az-action, and it is granted contributor rights scoped to the Demo resource group in the subscription specified. Replace xxx-xxx-xxx-xxx-xxx with your actual subscription id.
Copy the resulting JSON response, and save it in a GitHub secret in your repository, as shown below:
The Demo resource group is where I've created the Azure Container Registry.
GitHub Secrets to create:
- "AZ_CREDS": The JSON response from the step above
- "REGISTRY_PASSWORD": The Password for the Azure Container Registry
- "REGISTRY_USERNAME": The Username for the Azure Container Registry
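The JSON from create-for-rbac contains a client secret, so the safest path is to validate it and hand it to GitHub without ever pasting it into a terminal or a file. The script below is an added example, not part of the original README: it creates the Service Principal with the same scope as the command above, checks that the blob has the fields the azure/login action needs and belongs to the intended subscription, then stores all three secrets with the GitHub CLI. The subscription id, registry name and repository are placeholders, and the JSON used by the self-check is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original README: create the Service Principal
# scoped to the Demo resource group, validate the --sdk-auth JSON before it
# goes anywhere, and store the three secrets with the GitHub CLI (gh).
set -u

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-Demo}"
ACR_NAME="${ACR_NAME:-myregistry}"       # placeholder registry name
GH_REPO="${GH_REPO:-owner/repo}"         # placeholder owner/repo
SP_NAME="${SP_NAME:-rc-az-action}"

# Extract a string field from the --sdk-auth JSON, which az prints with one
# "key": "value" pair per line. Prints the value, or nothing if the key is absent.
json_field() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*"'"$2"'":[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Check the blob has the four fields azure/login needs and that it belongs to the
# subscription the role was scoped to. 0 = ok, 1 = missing field, 2 = wrong subscription.
validate_sdk_auth() {
  for key in clientId clientSecret subscriptionId tenantId; do
    [ -n "$(json_field "$1" "$key")" ] || { echo "missing field: $key" >&2; return 1; }
  done
  [ "$(json_field "$1" subscriptionId)" = "$SUBSCRIPTION_ID" ] \
    || { echo "subscriptionId does not match SUBSCRIPTION_ID" >&2; return 2; }
}

# Constructed sample in the shape az prints; none of these values are real.
SAMPLE_SDK_AUTH='{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "clientSecret": "constructed-not-a-real-secret",
  "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "tenantId": "22222222-2222-2222-2222-222222222222"
}'

# Exercises the validator on the constructed sample without calling az.
self_check() { validate_sdk_auth "$SAMPLE_SDK_AUTH"; }

# Same command as in the README, scoped to one resource group rather than the subscription.
create_service_principal() {
  az ad sp create-for-rbac --name "$SP_NAME" --sdk-auth --role contributor \
    --scopes "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"
}

# Create, validate, then store. Secrets travel over stdin into gh; nothing is echoed.
store_secrets() {
  creds=$(create_service_principal) || return 1
  validate_sdk_auth "$creds" || return 1
  printf '%s' "$creds" | gh secret set AZ_CREDS --repo "$GH_REPO" || return 1
  az acr credential show --name "$ACR_NAME" --query username -o tsv \
    | gh secret set REGISTRY_USERNAME --repo "$GH_REPO" || return 1
  az acr credential show --name "$ACR_NAME" --query 'passwords[0].value' -o tsv \
    | gh secret set REGISTRY_PASSWORD --repo "$GH_REPO" || return 1
}

# Run only when asked explicitly: ./secrets.sh --run
if [ "${1:-}" = "--run" ]; then store_secrets; fi
```

The validation step is cheap insurance against the most common failure of this setup, a workflow that fails at azure/login because the secret was pasted incomplete or from the wrong subscription; catching that here means the Action never runs with a half-usable credential.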
The script supplied in the workflows folder should work if you've followed the directions accurately.