chore: release/v0.7.1

.github/workflows/README.md

@@ -68,14 +68,6 @@ workloads run using [GitHub self-hosted runners](https://help.github.com/en/acti
 - builds and pushes images to official GCR repo tagged with git commit
 - builds and pushes images to official GCR repo tagged as latest
 
-### Update-Website.yaml
-
-#### Triggers
-- release merged and commits pushed to main
-
-#### Actions
-- push new prod version of the website to App Engine
-
 ### Push-Tags.yaml
 
 #### Triggers
@@ -164,12 +156,27 @@ workloads run using [GitHub self-hosted runners](https://help.github.com/en/acti
 - Checks kubernetes manifests to ensure develop is pinned to `latest`, and main is pinned to a version
 - Checks telemetry id to ensure develop is on `test` and main is on `prod`
 
-### Staging-Website.yml
+### Prod-Website.yaml
+
+#### Triggers
+- release merged and commits pushed to main
+
+#### Actions
+- push new prod version of the website to App Engine
+
+### Manual-Website.yml
 
 #### Triggers
-- on each new push to develop
 - on manual trigger
 
 #### Actions
 - sets up a pre-prod GAE website deployment in `stackdriver-sandbox-230822`
 
+### Develop-Website.yml
+
+#### Triggers
+- on each new push to develop
+
+#### Actions
+- sets up a pre-prod GAE website deployment in `stackdriver-sandbox-230822`
+

.github/workflows/ci.yml

@@ -39,6 +39,15 @@ jobs:
         if [[ -n $(git status -s) ]]; then
           exit 1
         fi
+    - name: Validate Schema of SRE Recipes Configs
+      run: |
+        set -x
+        # install dependencies
+        curl https://bootstrap.pypa.io/pip/3.5/get-pip.py -o get-pip.py
+        python3 get-pip.py
+        python3 -m pip install -r tests/requirements.txt
+        # run validations
+        python3 tests/recipes/validate_recipe_configs.py
     - name: Test Custom Cloud Shell Image Build
       run: |
         set -x

sre-recipes/recipes/encoding_recipe/__init__.py → .github/workflows/develop-website.yml

@@ -11,3 +11,24 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
+name: "Stage Website - Develop"
+on:
+  push:
+    # run on pushes to develop
+    branches:
+    - develop
+env:
+  PROJECT_ID: stackdriver-sandbox-230822
+jobs:
+  stage-website:
+    runs-on: [self-hosted, push-privilege]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Deploy Staged Website to App Engine
+      timeout-minutes: 20
+      run: |
+        set -x
+        cp website/app.yaml website/staging.app.yaml
+        echo "service: develop" >> website/staging.app.yaml
+        gcloud app deploy website/staging.app.yaml

.github/workflows/e2e-latest.yml

@@ -73,6 +73,7 @@ jobs:
         docker run --rm \
           -e project_id=${{ env.PROJECT_ID }} \
           -e service_wait=1 \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           -v ~/.config:/root/.config \
           -v `pwd`:/sandbox-shared \
           --entrypoint /sandbox-shared/.github/workflows/e2e_scripts/run_install.sh \
@@ -90,9 +91,22 @@ jobs:
         docker run --rm \
           -e GOOGLE_CLOUD_PROJECT=${{ env.PROJECT_ID }} \
           -e ZONE=$CLUSTER_ZONE \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           -e LOADGEN_ZONE=$LOADGEN_ZONE \
           -v ~/.config:/root/.config \
           test-provisioning:$GITHUB_SHA
+    - name: Run SRE Recipes Tests
+      timeout-minutes: 30
+      run: |
+        # build cloud shell image
+        docker build -t test-cloud-shell:$GITHUB_SHA ./cloud-shell
+        # run test script
+        docker run --rm \
+          -v ~/.config:/root/.config \
+          -v `pwd`:/sandbox-shared \
+          -e PYTHONDONTWRITEBYTECODE=1 \
+          --entrypoint /sandbox-shared/tests/recipes/test_recommendation_crash_recipe.sh \
+          test-cloud-shell:$GITHUB_SHA
     - name: Run Monitoring Integration Tests
       timeout-minutes: 30
       run: |

.github/workflows/e2e-release.yml

@@ -60,6 +60,7 @@ jobs:
           -e release_repo=${{ steps.website_variables.outputs.repo }} \
           -e release_branch=${{ steps.website_variables.outputs.branch }} \
           -e ISTIO_VERSION=1.7.1 \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           -v ~/.config:/root/.config \
           -v `pwd`:/sandbox-shared \
           --entrypoint /sandbox-shared/.github/workflows/e2e_scripts/run_install.sh \
@@ -87,6 +88,7 @@ jobs:
           -e GOOGLE_CLOUD_PROJECT=${{ env.PROJECT_ID }} \
           -e ZONE=$CLUSTER_ZONE \
           -e LOADGEN_ZONE=$LOADGEN_ZONE \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           -v ~/.config:/root/.config \
           test-provisioning:$GITHUB_SHA-release
     - name: Run Monitoring Integration Tests
@@ -115,6 +117,7 @@ jobs:
           -e release_dir=${{ steps.website_variables.outputs.dir }} \
           -v ~/.config:/root/.config \
           -v `pwd`:/sandbox-shared \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           --entrypoint /sandbox-shared/.github/workflows/e2e_scripts/run_install.sh \
           ${{ steps.website_variables.outputs.cloudshell_image }}
     - name: Clean Project State

.github/workflows/e2e-upgrade.yml

@@ -64,6 +64,7 @@ jobs:
           -e release_repo=${{ steps.website_variables.outputs.repo }} \
           -e release_branch=${{ steps.website_variables.outputs.branch }} \
           -e ISTIO_VERSION=1.7.1 \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           -v ~/.config:/root/.config \
           -v `pwd`:/sandbox-shared \
           --entrypoint /sandbox-shared/.github/workflows/e2e_scripts/run_install.sh \
@@ -103,6 +104,7 @@ jobs:
         docker run --rm \
           -e project_id=${{ env.PROJECT_ID }} \
           -e service_wait=1 \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           -v ~/.config:/root/.config \
           -v `pwd`:/sandbox-shared \
           --entrypoint /sandbox-shared/.github/workflows/e2e_scripts/run_install.sh \
@@ -121,6 +123,7 @@ jobs:
           -e GOOGLE_CLOUD_PROJECT=${{ env.PROJECT_ID }} \
           -e ZONE=$CLUSTER_ZONE \
           -e LOADGEN_ZONE=$LOADGEN_ZONE \
+          -e PYTHONDONTWRITEBYTECODE=1 \
           -v ~/.config:/root/.config \
           test-provisioning:$GITHUB_SHA
     - name: Run Monitoring Integration Tests

.github/workflows/make-release.yml

@@ -24,34 +24,32 @@ jobs:
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/develop'
     steps:
-      - name: Validation
+      - name: Git Setup
         run: |
           set -x
-          export NEW_VERSION=${{ github.event.inputs.version }}
+          # clone repo
+          git clone https://github.com/GoogleCloudPlatform/cloud-ops-sandbox.git
+          cd cloud-ops-sandbox
+          git checkout develop
+          git config --global user.email "[email protected]"
+          git config --global user.name "CI"
           # validate version number (format: v0.0.0)
+          export NEW_VERSION=${{ github.event.inputs.version }}
           if [[ ! "${NEW_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
               echo "${NEW_VERSION} argument must conform to regex string:  ^v[0-9]+\.[0-9]+\.[0-9]+$ "
               echo "ex. v1.0.1"
               exit 1
           fi
           # ensure not duplicate
-          if [[ "$NEW_VERSION" == $(git tag | grep $NEW_VERSION | cat) ]]; then
+          if [[ ! -z $(git tag | grep $NEW_VERSION | cat) ]]; then
             echo "$NEW_VERSION" tag already exists in project
             exit 1
           fi
-          if [[ "$NEW_VERSION" == $(git branch | grep "release/$NEW_VERSION" | cat) ]]; then
-            echo "$NEW_VERSION" branch already exists in project
+          if [[ ! -z $(git branch -a | grep "release/$NEW_VERSION" | cat) ]]; then
+            echo "release/$NEW_VERSION" branch already exists in project
             exit 1
           fi
-      - name: Git Setup
-        run: |
-          set -x
-          git clone https://github.com/daniel-sanche/cloud-ops-sandbox.git
-          cd cloud-ops-sandbox
-          git checkout develop
-          git config --global user.email "[email protected]"
-          git config --global user.name "CI"
-
+          # create new release branch
           git fetch
           git checkout -b "release/${{ github.event.inputs.version }}"
           git merge --strategy-option theirs main
@@ -76,28 +74,20 @@ jobs:
           sed -i -e "s/cloudshell_git_branch=v\([0-9\.]\+\)/cloudshell_git_branch=${NEW_VERSION}/g" ${REPO_ROOT}/website/deploy/index.html;
           sed -i -e "s/productVersion': 'v\([0-9\.]\+\)/productVersion': '${NEW_VERSION}/g" ${REPO_ROOT}/website/deploy/index.html;
           sed -i -e "s/uncertified:v\([0-9\.]\+\)/uncertified:${NEW_VERSION}/g" ${REPO_ROOT}/website/deploy/index.html;
+          sed -i -e "s/version = \"v\([0-9\.]\+\)\"/version = \"${NEW_VERSION}\"/g" ${REPO_ROOT}/website/config.toml;
           # update custom Cloud Shell image variable
           sed -i -e "s/VERSION=v\([0-9\.]\+\)/VERSION=${NEW_VERSION}/g" ${REPO_ROOT}/cloud-shell/Dockerfile;
 
            # update telemetry Pub/Sub topic in telemetry.py from "Test" topic to "Production" topic
            PROD_TOPIC="telemetry_prod"
            TEST_TOPIC="telemetry_test"
            sed -i -e "s/topic_id = \"${TEST_TOPIC}\"/topic_id = \"${PROD_TOPIC}\"/g" ${REPO_ROOT}/terraform/telemetry.py;
-      - name: Push changes
-        uses: ad-m/github-push-action@65392840bda2e774394d5cd38ca33e5918aec2d3
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          branch:  "release/${{ github.event.inputs.version  }}"
-          directory: cloud-ops-sandbox
-          tags: true
       - name: Build PR Body
         run: |
           cd cloud-ops-sandbox
           # find the changes commited to develop since last release
           PREV_HASH=$(git merge-base develop main)
           RECENT_HASH=$(git rev-parse develop)
-          DIFF=$(git log ${PREV_HASH}...${RECENT_HASH} --oneline)
-          echo -e $DIFF
 
           # print version number as title
           export NEW_VERSION=${{ github.event.inputs.version  }}
@@ -111,11 +101,11 @@ jobs:
             regexes=$(echo $i | tr "/" "\n" | tail -n 1)
             # create grep statements for each regex
             grep_formatted_regex=$(echo "--grep ^$regexes" | awk -F'|' -v OFS=" --grep ^" '$1=$1')
-            if [[ ! -z $(git log ${LAST_HASH}...${FIRST_HASH} $grep_formatted_regex)  ]]; then
+            if [[ ! -z $(git log ${PREV_HASH}...${RECENT_HASH} $grep_formatted_regex)  ]]; then
               # print the category title
               echo "### $title" >> PR.txt
               # print the commits in the category
-              git log ${LAST_HASH}...${FIRST_HASH} $grep_formatted_regex --oneline | cut -d " " -f2- | awk '{print "- " $0}' >> PR.txt
+              git log ${PREV_HASH}...${RECENT_HASH} $grep_formatted_regex --oneline | cut -d " " -f2- | awk '{print "- " $0}' >> PR.txt
               echo "" >> PR.txt
             fi
           done
@@ -125,6 +115,7 @@ jobs:
           echo 'PULL_REQUEST_BODY<<EOF' >> $GITHUB_ENV
           cat PR.txt >> $GITHUB_ENV
           echo 'EOF' >> $GITHUB_ENV
+          rm PR.txt
       - name: Commit Changes
         run: |
           set -x
@@ -134,6 +125,13 @@ jobs:
           git add .
           git commit -m "chore: update tags for release ${NEW_VERSION}"
           git tag "${NEW_VERSION}"
+      - name: Push changes
+        uses: ad-m/github-push-action@65392840bda2e774394d5cd38ca33e5918aec2d3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          branch:  "release/${{ github.event.inputs.version  }}"
+          directory: cloud-ops-sandbox
+          tags: true
       - name: Create Pull Request
         uses: vsoch/pull-request-action@29dbfc0acd2ac96b0ec14b9fd53fa12136130058
         env:

.github/workflows/manual-website-stage.yml → .github/workflows/manual-website.yml

@@ -12,12 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: "Stage Website"
+name: "Stage Website - Manual"
 on:
-  push:
-    # run on pushes to develop
-    branches:
-    - develop
   workflow_dispatch:
     inputs:
       name:

.github/workflows/update-website.yml → .github/workflows/prod-website.yml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: "Update Website"
+name: "Prod Website"
 on:
   push:
     # run on pushes to main (after merging release branches)

.github/workflows/update-custom-image.yml

@@ -30,9 +30,11 @@ on:
 jobs:
   build-trigger:
     runs-on: [self-hosted, push-privilege]
-    timeout-minutes: 30
+    timeout-minutes: 100
     steps:
     - uses: actions/checkout@v2
+      with:
+        ref: develop
     - name: Run Cloud Build Trigger
       id: cloud_build
       run: |

.gitignore

@@ -17,4 +17,5 @@ terraform/istio/istioctl
 terraform/istio/istio-*/**
 .token
 skaffold
-website/resources*
+website/resources*
+srerecipes.log

CODE_OF_CONDUCT.md

@@ -0,0 +1,43 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project,
+and in the interest of fostering an open and welcoming community,
+we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project
+a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information,
+such as physical or electronic
+addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project.
+Project maintainers who do not follow or enforce the Code of Conduct
+may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported by opening an issue
+or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0,
+available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

README.md

@@ -40,7 +40,7 @@ With Sandbox, we provide a tool that automatically provisions a new demo cluster
 
 Click the Cloud Shell button for automated one-click installation of a new Sandbox cluster in a new Google Cloud Project.
 
-[![Open in Cloud Shell](http://www.gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/GoogleCloudPlatform/cloud-ops-sandbox.git&cloudshell_git_branch=v0.7.0&shellonly=true&cloudshell_image=gcr.io/stackdriver-sandbox-230822/cloudshell-image/uncertified:v0.7.0&cloudshell_tutorial=docs/tutorial.md)
+[![Open in Cloud Shell](http://www.gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/GoogleCloudPlatform/cloud-ops-sandbox.git&cloudshell_git_branch=v0.7.1&shellonly=true&cloudshell_image=gcr.io/stackdriver-sandbox-230822/cloudshell-image/uncertified:v0.7.1&cloudshell_tutorial=docs/tutorial.md)
 
 __Note__: If installation stops due to billing account errors, set up the billing account and type: `sandboxctl create`.
 

SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+To report a security issue, please use [g.co/vulnz](https://g.co/vulnz).
+
+The Google Security Team will respond within 5 working days of your report on g.co/vulnz.
+
+We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue.