From b96b6f3e4ceb1ff4f5a5c88f56fed17edca268cc Mon Sep 17 00:00:00 2001 From: Carroline790 Date: Sun, 24 May 2026 04:40:59 +0530 Subject: [PATCH 1/7] Add eks_cleanup helper script --- eks_cleanup.sh | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100755 eks_cleanup.sh diff --git a/eks_cleanup.sh b/eks_cleanup.sh new file mode 100755 index 0000000000..005214ed18 --- /dev/null +++ b/eks_cleanup.sh 
@@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -euo pipefail + +REGION=${1:-ap-south-1} + +echo "=== Using AWS region: $REGION ===" + +echo +echo "=== 1) Show EKS clusters in this region ===" +aws eks list-clusters --region "$REGION" || echo "aws eks list-clusters failed" + +echo +echo "=== 2) Show eksctl clusters in this region (if any) ===" +eksctl get cluster --region "$REGION" || echo "no eksctl clusters found (ok)" + +echo +echo "=== 3) Kubeconfig contexts BEFORE cleanup ===" +kubectl config get-contexts || echo "kubectl config get-contexts failed" + +echo +echo "=== 4) Deleting dead EKS contexts from kubeconfig (those whose clusters no longer exist) ===" + +# Get list of EKS clusters that still exist in this region +EXISTING_CLUSTERS_JSON=$(aws eks list-clusters --region "$REGION" --output json || echo '{"clusters": []}') +EXISTING_CLUSTERS=$(echo "$EXISTING_CLUSTERS_JSON" | jq -r '.clusters[]?') + +# Get all kubeconfig contexts +CONTEXTS=$(kubectl config get-contexts -o name 2>/dev/null || true) + +for ctx in $CONTEXTS; do + # Only touch contexts that look like AWS EKS ARNs + if [[ "$ctx" == arn:aws:eks:* ]]; then + CLUSTER_NAME=$(echo "$ctx" | awk -F'/' '{print $NF}') + if ! grep -q "^$CLUSTER_NAME$" <<< "$EXISTING_CLUSTERS"; then + echo " - Context '$ctx' points to deleted EKS cluster '$CLUSTER_NAME'. Deleting context." + kubectl config delete-context "$ctx" || true + kubectl config delete-cluster "$ctx" || true + else + echo " - Context '$ctx' points to existing cluster '$CLUSTER_NAME' (keeping)." 
+ fi + fi +done + +echo +echo "=== 5) Kubeconfig contexts AFTER cleanup ===" +kubectl config get-contexts || echo "kubectl config get-contexts failed" + +echo +echo "=== 6) Check for leftover AWS resources (you delete manually if needed) ===" + +echo +echo "--- Load Balancers (ELBv2) in $REGION ---" +aws elbv2 describe-load-balancers --region "$REGION" --output table || echo "No ELBv2 load balancers or command failed" + +echo +echo "--- Target Groups in $REGION ---" +aws elbv2 describe-target-groups --region "$REGION" --output table || echo "No target groups or command failed" + +echo +echo "--- EBS Volumes in $REGION ---" +aws ec2 describe-volumes --region "$REGION" --output table || echo "No volumes or command failed" + +echo +echo "--- Security Groups in $REGION ---" +aws ec2 describe-security-groups --region "$REGION" --output table || echo "No security groups or command failed" + +echo +echo "--- CloudFormation stacks in $REGION ---" +aws cloudformation list-stacks --region "$REGION" --output table || echo "No stacks or command failed" + +echo +echo "=== Done. Review the above resource lists and delete anything you know is safe to remove via the AWS console (or CLI). ===" From 7b6e22535b06b0d5157f59443186910365edc7cc Mon Sep 17 00:00:00 2001 From: Carroline790 Date: Sun, 24 May 2026 04:47:51 +0530 Subject: [PATCH 2/7] Remove cleanup script --- eks_cleanup.sh | 72 -------------------------------------------------- 1 file changed, 72 deletions(-) delete mode 100755 eks_cleanup.sh diff --git a/eks_cleanup.sh b/eks_cleanup.sh deleted file mode 100755 index 005214ed18..0000000000 --- a/eks_cleanup.sh +++ /dev/null 
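Review bot: The `|| echo '{"clusters": []}'` fallback on the `aws eks list-clusters` call in step 4 turns a credential, permission or network failure into an empty cluster list, after which the loop deletes every `arn:aws:eks:*` context and cluster entry in the kubeconfig as if its cluster were gone. The same loop ignores the region (and account) encoded in the context ARN, so a context for a live cluster in another region or account is never found in this single-region listing and is removed as well. Fail hard on the listing error and skip ARNs whose region field differs from `$REGION` before comparing names; an exact match with `grep -Fxq --` also stops the cluster name from being read as a regex. The `users` entry that `aws eks update-kubeconfig` writes under the same ARN is left behind by `delete-context`/`delete-cluster`; a `kubectl config delete-user "$ctx" || true` next to them would presumably finish the cleanup (verify the user name matches your kubeconfig).
```shell
# Abort instead of treating a failed/unauthorised list-clusters call as "no
# clusters": an empty list would make the loop below delete every EKS context.
EXISTING_CLUSTERS_JSON=$(aws eks list-clusters --region "$REGION" --output json) \
  || { echo "aws eks list-clusters failed; refusing to prune contexts" >&2; exit 1; }
EXISTING_CLUSTERS=$(jq -r '.clusters[]?' <<< "$EXISTING_CLUSTERS_JSON")
# … unchanged: CONTEXTS= …
for ctx in $CONTEXTS; do
  if [[ "$ctx" == arn:aws:eks:* ]]; then
    # arn:aws:eks:REGION:ACCOUNT:cluster/NAME — the listing above only covers
    # $REGION in the current account, so leave every other context alone.
    CTX_REGION=$(awk -F: '{print $4}' <<< "$ctx")
    [[ "$CTX_REGION" == "$REGION" ]] || { echo "  - Context '$ctx' is outside $REGION (skipping)."; continue; }
    CLUSTER_NAME=${ctx##*/}
    if ! grep -Fxq -- "$CLUSTER_NAME" <<< "$EXISTING_CLUSTERS"; then
      # … unchanged: delete-context / delete-cluster …
```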
@@ -1,72 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -REGION=${1:-ap-south-1} - -echo "=== Using AWS region: $REGION ===" - -echo -echo "=== 1) Show EKS clusters in this region ===" -aws eks list-clusters --region "$REGION" || echo "aws eks list-clusters failed" - -echo -echo "=== 2) Show eksctl clusters in this region (if any) ===" -eksctl get cluster --region "$REGION" || echo "no eksctl clusters found (ok)" - -echo -echo "=== 3) Kubeconfig contexts BEFORE cleanup ===" -kubectl config get-contexts || echo "kubectl config get-contexts failed" - -echo -echo "=== 4) Deleting dead EKS contexts from kubeconfig (those whose clusters no longer exist) ===" - -# Get list of EKS clusters that still exist in this region -EXISTING_CLUSTERS_JSON=$(aws eks list-clusters --region "$REGION" --output json || echo '{"clusters": []}') -EXISTING_CLUSTERS=$(echo "$EXISTING_CLUSTERS_JSON" | jq -r '.clusters[]?') - -# Get all kubeconfig contexts -CONTEXTS=$(kubectl config get-contexts -o name 2>/dev/null || true) - -for ctx in $CONTEXTS; do - # Only touch contexts that look like AWS EKS ARNs - if [[ "$ctx" == arn:aws:eks:* ]]; then - CLUSTER_NAME=$(echo "$ctx" | awk -F'/' '{print $NF}') - if ! grep -q "^$CLUSTER_NAME$" <<< "$EXISTING_CLUSTERS"; then - echo " - Context '$ctx' points to deleted EKS cluster '$CLUSTER_NAME'. Deleting context." - kubectl config delete-context "$ctx" || true - kubectl config delete-cluster "$ctx" || true - else - echo " - Context '$ctx' points to existing cluster '$CLUSTER_NAME' (keeping)." 
- fi - fi -done - -echo -echo "=== 5) Kubeconfig contexts AFTER cleanup ===" -kubectl config get-contexts || echo "kubectl config get-contexts failed" - -echo -echo "=== 6) Check for leftover AWS resources (you delete manually if needed) ===" - -echo -echo "--- Load Balancers (ELBv2) in $REGION ---" -aws elbv2 describe-load-balancers --region "$REGION" --output table || echo "No ELBv2 load balancers or command failed" - -echo -echo "--- Target Groups in $REGION ---" -aws elbv2 describe-target-groups --region "$REGION" --output table || echo "No target groups or command failed" - -echo -echo "--- EBS Volumes in $REGION ---" -aws ec2 describe-volumes --region "$REGION" --output table || echo "No volumes or command failed" - -echo -echo "--- Security Groups in $REGION ---" -aws ec2 describe-security-groups --region "$REGION" --output table || echo "No security groups or command failed" - -echo -echo "--- CloudFormation stacks in $REGION ---" -aws cloudformation list-stacks --region "$REGION" --output table || echo "No stacks or command failed" - -echo -echo "=== Done. Review the above resource lists and delete anything you know is safe to remove via the AWS console (or CLI). ===" From 4cd7c37e1d105e90e5a326a61afa10f169b2d296 Mon Sep 17 00:00:00 2001 From: Carroline790 Date: Sun, 24 May 2026 04:52:07 +0530 Subject: [PATCH 3/7] Sysdig IaC test: update vote replicas --- k8s-specifications/vote-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-specifications/vote-deployment.yaml b/k8s-specifications/vote-deployment.yaml index 165a9478f8..f84a98a55e 100644 --- a/k8s-specifications/vote-deployment.yaml +++ b/k8s-specifications/vote-deployment.yaml @@ -5,7 +5,7 @@ metadata: app: vote name: vote spec: - replicas: 1 + replicas: 2 selector: matchLabels: app: vote From 647bc20097f251ffc4179d87e76dbdce6a53b982 Mon Sep 17 00:00:00 2001 
From: Carroline790 Date: Sun, 24 May 2026 05:06:40 +0530 Subject: [PATCH 4/7] Sysdig IaC test: update vote replicas --- k8s-specifications/vote-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-specifications/vote-deployment.yaml b/k8s-specifications/vote-deployment.yaml index f84a98a55e..748fbed519 100644 --- a/k8s-specifications/vote-deployment.yaml +++ b/k8s-specifications/vote-deployment.yaml @@ -5,7 +5,7 @@ metadata: app: vote name: vote spec: - replicas: 2 + replicas: 3 selector: matchLabels: app: vote From 8ec77c4bfce17869b2feb795cef50734b74f985a Mon Sep 17 00:00:00 2001 From: Carroline790 Date: Sun, 24 May 2026 12:40:15 +0530 Subject: [PATCH 5/7] Add GitHub Action to build and scan voting app images with Sysdig --- .../workflows/build-and-scan-voting-app.yml | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 .github/workflows/build-and-scan-voting-app.yml diff --git a/.github/workflows/build-and-scan-voting-app.yml b/.github/workflows/build-and-scan-voting-app.yml new file mode 100644 index 0000000000..8c62149662 --- /dev/null +++ b/.github/workflows/build-and-scan-voting-app.yml 
@@ -0,0 +1,97 @@ +name: Build and Scan Voting App Images + +on: + push: + branches: [ main ] + pull_request: + +jobs: + build-and-scan: + runs-on: ubuntu-latest + + env: + # Use secret if you created SYSDIG_SECURE_URL secret; otherwise hardcode here + SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + ####################################### + # Build images for vote, result, worker + ####################################### + + - name: Build vote image + run: | + docker build \ + -t vote-app:latest \ + ./vote + + - name: Build result image + run: | + docker build \ + -t result-app:latest \ + ./result + + - name: Build worker image + run: | + docker build \ + -t worker-app:latest \ + ./worker + + ####################################### + # Scan vote image with Sysdig + ####################################### + - name: Scan vote image with Sysdig + uses: sysdiglabs/scan-action@v6 + with: + image-tag: vote-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ env.SYSDIG_SECURE_URL }} + sarif-file: vote-sarif.json + + ####################################### + # Scan result image with Sysdig + ####################################### + - name: Scan result image with Sysdig + uses: sysdiglabs/scan-action@v6 + with: + image-tag: result-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ env.SYSDIG_SECURE_URL }} + sarif-file: result-sarif.json + + ####################################### + # Scan worker image with Sysdig + ####################################### + - name: Scan worker image with Sysdig + uses: sysdiglabs/scan-action@v6 + with: + image-tag: worker-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ env.SYSDIG_SECURE_URL }} + sarif-file: worker-sarif.json + + ####################################### 
+ # Upload SARIF files to GitHub (optional) + ####################################### + - name: Upload vote SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: vote-sarif.json + + - name: Upload result SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: result-sarif.json + + - name: Upload worker SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: worker-sarif.json From b00ba32cfcf854801b1acee5b88e2b8aa0327dbb Mon Sep 17 00:00:00 2001 From: Carroline790 Date: Sun, 24 May 2026 12:44:17 +0530 Subject: [PATCH 6/7] Simplify Sysdig scan workflow for debugging --- .../workflows/build-and-scan-voting-app.yml | 74 +------------------ 1 file changed, 2 insertions(+), 72 deletions(-) diff --git a/.github/workflows/build-and-scan-voting-app.yml b/.github/workflows/build-and-scan-voting-app.yml index 8c62149662..9e68c11acd 100644 --- a/.github/workflows/build-and-scan-voting-app.yml +++ b/.github/workflows/build-and-scan-voting-app.yml @@ -9,10 +9,6 @@ jobs: build-and-scan: runs-on: ubuntu-latest - env: - # Use secret if you created SYSDIG_SECURE_URL secret; otherwise hardcode here - SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} - steps: - name: Checkout repository uses: actions/checkout@v4 
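Review bot: The workflow declares no `permissions:` block, so the `github/codeql-action/upload-sarif@v3` steps run with whatever the repository's default `GITHUB_TOKEN` grant is, which may lack the `security-events: write` they need, while every other step inherits that same default even though none of them needs write access. Add at the job (or workflow) level `permissions:` / `contents: read` / `security-events: write`. All four actions are referenced by mutable major tags (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `sysdiglabs/scan-action@v6`, `github/codeql-action/upload-sarif@v3`); pinning each to a full commit SHA with the tag in a trailing comment removes the supply-chain exposure of a retargeted tag. With the `pull_request:` trigger, runs for pull requests from forks receive no repository secrets, so `SYSDIG_SECURE_TOKEN` will presumably be empty there and the scan steps will fail rather than leak; if that is unwanted, gate the scan steps on `github.event.pull_request.head.repo.full_name == github.repository`.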
@@ -20,78 +16,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - ####################################### - # Build images for vote, result, worker - ####################################### - - name: Build vote image - run: | - docker build \ - -t vote-app:latest \ - ./vote - - - name: Build result image - run: | - docker build \ - -t result-app:latest \ - ./result + run: docker build -t vote-app:latest ./vote - - name: Build worker image - run: | - docker build \ - -t worker-app:latest \ - ./worker - - ####################################### - # Scan vote image with Sysdig - ####################################### - name: Scan vote image with Sysdig uses: sysdiglabs/scan-action@v6 with: image-tag: vote-app:latest sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - sysdig-secure-url: ${{ env.SYSDIG_SECURE_URL }} - sarif-file: vote-sarif.json - - ####################################### - # Scan result image with Sysdig - ####################################### - - name: Scan result image with Sysdig - uses: sysdiglabs/scan-action@v6 - with: - image-tag: result-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - sysdig-secure-url: ${{ env.SYSDIG_SECURE_URL }} - sarif-file: result-sarif.json - - ####################################### - # Scan worker image with Sysdig - ####################################### - - name: Scan worker image with Sysdig - uses: sysdiglabs/scan-action@v6 - with: - image-tag: worker-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - sysdig-secure-url: ${{ env.SYSDIG_SECURE_URL }} - sarif-file: worker-sarif.json - - ####################################### - # Upload SARIF files to GitHub (optional) - ####################################### - - name: Upload vote SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: vote-sarif.json - - - name: Upload result SARIF - if: success() || failure() - uses: 
github/codeql-action/upload-sarif@v3 - with: - sarif_file: result-sarif.json - - - name: Upload worker SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: worker-sarif.json + sysdig-secure-url: ${{ secrets.SYSDIG_SECURE_URL }} From 85807bfdc0cd0565abef72d23c3b5053aee4796c Mon Sep 17 00:00:00 2001 From: Carroline790 Date: Tue, 26 May 2026 11:37:15 +0530 Subject: [PATCH 7/7] Sysdig IaC test: update vote deployment --- k8s-specifications/vote-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-specifications/vote-deployment.yaml b/k8s-specifications/vote-deployment.yaml index 748fbed519..165a9478f8 100644 --- a/k8s-specifications/vote-deployment.yaml +++ b/k8s-specifications/vote-deployment.yaml @@ -5,7 +5,7 @@ metadata: app: vote name: vote spec: - replicas: 3 + replicas: 1 selector: matchLabels: app: vote
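Review bot: After this simplification only `vote-app:latest` is built and scanned, and the `sarif-file` output plus all three `upload-sarif` steps are gone, so no findings are produced for the result and worker images and the vote findings no longer reach the repository's code-scanning view — the commit message frames this as debugging, yet the change applies to `main` pushes and pull requests alike. If the trimmed form is meant to be temporary, say so in the workflow, e.g. `# TODO: restore result/worker scans and SARIF upload once the Sysdig scan is debugged`, so the coverage regression is not forgotten. The job header and `permissions` context for these steps lie outside this hunk.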