cld2labs/ubuntu22.04-deployment-scripts

.github/workflows/code-scans.yaml

@@ -0,0 +1,167 @@
+name: SDLE Scans
+
+on:
+  workflow_dispatch:
+    inputs:
+      PR_number:
+        description: 'Pull request number'
+        required: true
+  push:
+    branches: [ main ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: sdle-${{ github.event.inputs.PR_number || github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+
+# -----------------------------
+# 1) Trivy Scan
+# -----------------------------
+  trivy_scan:
+    name: Trivy Vulnerability Scan
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.PR_number && format('refs/pull/{0}/merge', github.event.inputs.PR_number) || '' }}
+
+      - name: Create report directory
+        run: mkdir -p trivy-reports
+
+      - name: Run Trivy FS Scan
+        uses: aquasecurity/[email protected]
+        continue-on-error: true
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,misconfig,secret'
+          severity: 'CRITICAL,HIGH'
+          format: 'table'
+          output: 'trivy-reports/trivy_scan_report.txt'
+
+      - name: Run Trivy Image Scan - vllm-cpu
+        uses: aquasecurity/[email protected]
+        continue-on-error: true
+        with:
+          scan-type: 'image'
+          image-ref: 'public.ecr.aws/q9t5s3a7/vllm-cpu-release-repo:v0.10.2'
+          severity: 'HIGH,CRITICAL'
+          format: 'table'
+          output: 'trivy-reports/trivy-vllm-cpu.txt'
+
+      - name: Upload Trivy Reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-reports
+          path: trivy-reports/
+
+      - name: Show Trivy FS Report in Logs
+        if: always()
+        run: |
+          echo "========= TRIVY FS SCAN FINDINGS ========="
+          cat trivy-reports/trivy_scan_report.txt || echo "No FS scan report found"
+          echo "=========================================="
+
+# -----------------------------
+# 2) Bandit Scan
+# -----------------------------
+  bandit_scan:
+    name: Bandit security scan
+    runs-on: self-hosted
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.inputs.PR_number && format('refs/pull/{0}/merge', github.event.inputs.PR_number) || '' }}
+        submodules: 'recursive'
+        fetch-depth: 0
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.x"
+    - name: Install Bandit
+      run: pip install bandit
+    - name: Create Bandit configuration
+      run: |
+        cat > .bandit << 'EOF'
+        [bandit]
+        exclude_dirs = tests,test,venv,.venv,node_modules
+        skips = B101
+        EOF
+      shell: bash
+    - name: Run Bandit scan
+      run: |
+        bandit -r . -ll -iii -f screen
+        bandit -r . -ll -iii -f html -o bandit-report.html
+    - name: Upload Bandit Report
+      uses: actions/upload-artifact@v4
+      with:
+        name: bandit-report
+        path: bandit-report.html
+        retention-days: 30
+# -----------------------------
+# 3) ShellCheck Scan
+# -----------------------------
+  shellcheck_scan:
+    name: ShellCheck script analysis
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.PR_number && format('refs/pull/{0}/merge', github.event.inputs.PR_number) || '' }}
+
+      - name: Create report directory
+        run: mkdir -p shellcheck-reports
+
+      - name: Install ShellCheck
+        run: |
+          # Check if shellcheck is already installed
+          if ! command -v shellcheck &> /dev/null; then
+            wget -qO- "https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.linux.x86_64.tar.xz" | tar -xJv
+            sudo cp shellcheck-stable/shellcheck /usr/local/bin/
+            rm -rf shellcheck-stable
+          fi
+          shellcheck --version
+
+      - name: Find shell scripts
+        id: find_scripts
+        run: |
+          SCRIPT_COUNT=$(find . -type f -name "*.sh" ! -path "./.git/*" | wc -l)
+          echo "Shell scripts found: $SCRIPT_COUNT"
+          echo "script_count=$SCRIPT_COUNT" >> $GITHUB_OUTPUT
+
+      - name: Run ShellCheck
+        if: steps.find_scripts.outputs.script_count > 0
+        continue-on-error: true
+        run: |
+          echo "ShellCheck Analysis Report" > shellcheck-reports/shellcheck-report.txt
+          echo "==========================" >> shellcheck-reports/shellcheck-report.txt
+          echo "" >> shellcheck-reports/shellcheck-report.txt
+
+          find . -type f -name "*.sh" ! -path "./.git/*" | while read -r script; do
+            echo "Checking: $script" >> shellcheck-reports/shellcheck-report.txt
+            shellcheck -f gcc "$script" >> shellcheck-reports/shellcheck-report.txt 2>&1 || true
+            echo "" >> shellcheck-reports/shellcheck-report.txt
+          done
+
+          cat shellcheck-reports/shellcheck-report.txt
+
+      - name: Create empty report if no scripts
+        if: steps.find_scripts.outputs.script_count == 0
+        run: |
+          echo "ShellCheck Analysis Report" > shellcheck-reports/shellcheck-report.txt
+          echo "No shell scripts found to analyze." >> shellcheck-reports/shellcheck-report.txt
+
+      - name: Upload ShellCheck Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: shellcheck-report
+          path: shellcheck-reports/shellcheck-report.txt

core/helm-charts/apisix-helm/Chart.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 apiVersion: v2
 name: auth-apisix

core/helm-charts/apisix-helm/openshift-values.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
 # APISIX Namespace
@@ -33,9 +33,9 @@ apisix:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists
@@ -76,9 +76,9 @@ apisix:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists
@@ -105,9 +105,9 @@ apisix:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists

core/helm-charts/apisix-helm/values.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
 # APISIX Namespace
@@ -28,9 +28,9 @@ apisix:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists
@@ -64,9 +64,9 @@ apisix:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists
@@ -93,9 +93,9 @@ apisix:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists

core/helm-charts/ceph/operator-values.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 image:
   repository: docker.io/rook/ceph

core/helm-charts/fluentbit/fluebit-values.yml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
 fluent-bit:

core/helm-charts/fluentbit/fluentbit-config.yml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 apiVersion: v1
 data:

core/helm-charts/genai-gateway-trace/charts/langfuse/Chart.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 apiVersion: v2
 name: langfuse

core/helm-charts/genai-gateway-trace/charts/langfuse/values.lint.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 # This file is used to validate the Chart and sets some values for required fields. It is not used for the deployment.
 # Example usage: `helm lint . --values values.lint.yaml`

core/helm-charts/genai-gateway-trace/charts/langfuse/values.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 # Langfuse Helm Chart Configuration
 
@@ -148,9 +148,9 @@ langfuse:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
-          - key: role
+          - key: ei-infra-eligible
             operator: In
-            values: ["infra"]
+            values: ["true"]
         - matchExpressions:
           - key: node-role.kubernetes.io/control-plane
             operator: Exists
@@ -509,9 +509,9 @@ postgresql:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
-          - key: role
+          - key: ei-infra-eligible
             operator: In
-            values: ["infra"]
+            values: ["true"]
         - matchExpressions:
           - key: node-role.kubernetes.io/control-plane
             operator: Exists
@@ -536,9 +536,9 @@ postgresql:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists
@@ -596,9 +596,9 @@ redis:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
-          - key: role
+          - key: ei-infra-eligible
             operator: In
-            values: ["infra"]
+            values: ["true"]
         - matchExpressions:
           - key: node-role.kubernetes.io/control-plane
             operator: Exists
@@ -625,9 +625,9 @@ redis:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists
@@ -660,9 +660,9 @@ clickhouse:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
-          - key: role
+          - key: ei-infra-eligible
             operator: In
-            values: ["infra"]
+            values: ["true"]
         - matchExpressions:
           - key: node-role.kubernetes.io/control-plane
             operator: Exists
@@ -690,9 +690,9 @@ clickhouse:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
-            - key: role
+            - key: ei-infra-eligible
               operator: In
-              values: ["infra"]
+              values: ["true"]
           - matchExpressions:
             - key: node-role.kubernetes.io/control-plane
               operator: Exists
@@ -887,9 +887,9 @@ s3:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
-          - key: role
+          - key: ei-infra-eligible
             operator: In
-            values: ["infra"]
+            values: ["true"]
         - matchExpressions:
           - key: node-role.kubernetes.io/control-plane
             operator: Exists

core/helm-charts/genai-gateway/Chart.yaml

@@ -1,4 +1,4 @@
-# Copyright (C) 2024-2025 Intel Corporation
+# Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 apiVersion: v2
 name: genaigateway