Skip to content

Commit

Permalink
Merge pull request #18 from bcgov/feature/ghcrimage
Browse files Browse the repository at this point in the history
Update openshift templates to depend on ghcr.io container registry image
  • Loading branch information
kyle1morel authored Mar 25, 2024
2 parents 3ff2c95 + 2bfb2c4 commit 00e1d91
Show file tree
Hide file tree
Showing 6 changed files with 36 additions and 147 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@

# ClamAV Mirror [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE) [![Lifecycle:Stable](https://img.shields.io/badge/Lifecycle-Stable-97ca00)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md)

[![Docker](https://github.com/bcgov/clamav-mirror/actions/workflows/docker-image.yaml/badge.svg)](https://github.com/bcgov/clamav-mirror/actions/workflows/docker-image.yaml)
[![Docker](https://github.com/bcgov/clamav-mirror/actions/workflows/on-push.yaml/badge.svg)](https://github.com/bcgov/clamav-mirror/actions/workflows/docker-image.yaml)

![Image of ClamAV](https://www.clamav.net/assets/clamav-trademark.png)

Expand Down
1 change: 1 addition & 0 deletions docker/src/Caddyfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,6 @@

:8080 {
file_server browse
log
root * /mnt/cvdupdate/databases
}
58 changes: 4 additions & 54 deletions openshift/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ This application can be deployed onto Openshift. This readme will outline how to
## Table of Contents

- [Infrastructure](#infrastructure)
- [Openshift Deployment Prerequisites](#openshift-deployment-prerequisites)
- [Environment Setup - ConfigMaps and Secrets](#environment-setup---configmaps-and-secrets)
- [Build Config & Deployment](#build-config--deployment)
- [Templates](#templates)
Expand All @@ -18,25 +17,11 @@ This application has a relatively simple architecture to achieve the following:
1. Act as a mirror for the ClamAV Database files within the cluster
2. Periodically fetch and update the definition files from upstream

![Infrastructure](infrastructure.png)
![Infrastructure](infrastructure.png)
**Figure 1 - General Openshift infrastructure diagram**

We achieve the first objective by leveraging Caddy in High Availability mode to host the files, and utilize an Openshift CronJob to update the definition files 3 times a day using the cvdupdate library. The definition files are stored on a persistent volume claim and updated as needed. In order to minimize the potential attack surface, we drop all network traffic that does not come from the cluster itself in the Openshift route definition.

## Openshift Deployment Prerequisites

We assume you are logged into OpenShift and are in the repo/openshift local directory. We will run the scripts from there.

### Add Default Kubernetes Network Policies

Your namespace should already be a Network Policy named similar to `platform-services-controlled-deny-by-default`. Before deploying, ensure that you have the Network Policy `allow-from-openshift-ingress` by running the following:

``` sh
export NAMESPACE=<yournamespace>

oc process -n $NAMESPACE -f https://raw.githubusercontent.com/wiki/bcgov/nr-get-token/assets/templates/default.np.yaml | oc apply -n $NAMESPACE -f -
```

## Environment Setup - ConfigMaps and Secrets

This application requires a Config Map to define the Caddyfile configuration. However, this is embedded as a part of the deployment template, so no manual steps are required to have it be deployed. This application does not need to manage secrets.
Expand All @@ -47,40 +32,7 @@ This application is currently designed as a single application pod deployment. I

## Templates

The Jenkins pipeline heavily leverages Openshift Templates in order to ensure that all of the environment variables, settings, and contexts are pushed to Openshift correctly. Files ending with `.bc.yaml` specify the build configurations, while files ending with `.dc.yaml` specify the components required for deployment.

### Build Configurations

Build configurations will emit and handle the chained builds or standard builds as necessary. They take in the following parameters:

| Name | Required | Description |
| --- | --- | --- |
| BASE_IMAGE | yes | Base Image to build from |
| REPO_NAME | yes | Application repository name |
| SOURCE_REPO_REF | yes | Git Pull Request Reference (i.e. 'pull/CHANGE_ID/head') |
| SOURCE_REPO_URL | yes | Git Repository URL |

The template can be manually invoked and deployed via Openshift CLI. For example:

```sh
export NAMESPACE=<yournamespace>

oc process -n $NAMESPACE -f openshift/app.bc.yaml -p REPO_NAME=clamav-mirror -p SOURCE_REPO_URL=https://github.com/bcgov/clamav-mirror.git -p SOURCE_REPO_REF=master -o yaml | oc apply -n $NAMESPACE -f -
```

Note that these build configurations do not have any triggers defined. They need to be started manually in the console, or by an equivalent oc command for example:

```sh
oc start-build -n $NAMESPACE <buildname> --follow
```

While this deployment does not use explicitly managed tags (sticks with the latest build tag instead), we generally tag the resultant image so that the deployment config will know which exact image to use. The equivalent oc command for example is:

```sh
oc tag -n $NAMESPACE <buildname>:latest <buildname>:master
```

*Note: Remember to swap out the bracketed values with the appropriate values!*
The templates are mainly used for defining the yaml manifests needed for this application to run and update correctly in an Openshift environment.

### Deployment Configurations

Expand All @@ -93,7 +45,6 @@ Our application template take in mainly the following parameters:
| APP_NAME | yes | short name for the application |
| INSTANCE | yes | The name of this instance of the application |
| NAMESPACE | yes | which namespace/"environment" are we deploying to? dev, test, prod? |
| REPO_NAME | yes | Application repository name |
| ROUTE_HOST | yes | The host the route will use to expose service outside cluster |

Deployment invocation can be done manually with the following for example:
Expand All @@ -102,7 +53,7 @@ Deployment invocation can be done manually with the following for example:
export NAMESPACE=<yournamespace>
export APP_NAME=<yourappshortname>

oc process -n $NAMESPACE -f openshift/app.dc.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -p REPO_NAME=clamav-mirror -p ROUTE_HOST=clamav-mirror.apps.silver.devops.gov.bc.ca -o yaml | oc apply -n $NAMESPACE -f -
oc process -n $NAMESPACE -f openshift/app.dc.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -p ROUTE_HOST=clamav-mirror.apps.silver.devops.gov.bc.ca -o yaml | oc apply -n $NAMESPACE -f -
```

Due to the triggers that are set in the deploymentconfig, the deployment will begin automatically. However, you can deploy manually by use the following command for example:
Expand All @@ -124,7 +75,6 @@ Our application template take in mainly the following parameters:
| APP_NAME | yes | short name for the application |
| INSTANCE | yes | The name of this instance of the application |
| NAMESPACE | yes | which namespace/"environment" are we deploying to? dev, test, prod? |
| REPO_NAME | yes | Application repository name |
| CRON_SCHEDULE | no | CronJob crontab schedule |

Cronjob invocation can be done manually with the following for example:
Expand All @@ -133,7 +83,7 @@ Cronjob invocation can be done manually with the following for example:
export NAMESPACE=<yournamespace>
export APP_NAME=<yourappshortname>

oc process -n $NAMESPACE -f openshift/app.cronjob.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -p REPO_NAME=clamav-mirror -o yaml | oc apply -n $NAMESPACE -f -
oc process -n $NAMESPACE -f openshift/app.cronjob.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -o yaml | oc apply -n $NAMESPACE -f -
```

#### Manual Run
Expand Down
68 changes: 0 additions & 68 deletions openshift/app.bc.yaml

This file was deleted.

19 changes: 13 additions & 6 deletions openshift/app.cronjob.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,14 @@ labels:
app.kubernetes.io/name: python
app.kubernetes.io/managed-by: template
app.kubernetes.io/part-of: ${APP_NAME}-${INSTANCE}
app.kubernetes.io/version: "3.9"
app.kubernetes.io/version: "3.12"
app.openshift.io/runtime: python
template: "${REPO_NAME}-updater-template"
metadata:
name: "${REPO_NAME}-updater-dc"
objects:
- apiVersion: batch/v1beta1
kind: CronJob
- kind: CronJob
apiVersion: batch/v1
metadata:
name: "${APP_NAME}-updater"
spec:
Expand All @@ -32,7 +32,7 @@ objects:
app.kubernetes.io/name: python
app.kubernetes.io/managed-by: template
app.kubernetes.io/part-of: ${APP_NAME}-${INSTANCE}
app.kubernetes.io/version: "3.9"
app.kubernetes.io/version: "3.12"
app.openshift.io/runtime: python
template: "${REPO_NAME}-updater-template"
spec:
Expand All @@ -55,7 +55,7 @@ objects:
spec:
containers:
- name: updater
image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}-app:latest"
image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}:${IMAGE_TAG}"
imagePullPolicy: IfNotPresent
command:
- "./entrypoint.sh"
Expand Down Expand Up @@ -95,15 +95,22 @@ parameters:
description: The base docker registry
displayName: Docker Image Registry
required: true
value: image-registry.openshift-image-registry.svc:5000
value: ghcr.io
- name: IMAGE_TAG
description: The docker image tag
displayName: Docker Image Tag
required: true
value: latest
- name: NAMESPACE
description: Target namespace reference (i.e. 'wfezkf-dev')
displayName: Target Namespace
required: true
value: bcgov
- name: REPO_NAME
description: Application repository name
displayName: Repository Name
required: true
value: clamav-mirror
# https://crontab.guru/every-8-hours
- name: CRON_SCHEDULE
description: CronJob crontab schedule
Expand Down
35 changes: 17 additions & 18 deletions openshift/app.dc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ labels:
app.openshift.io/runtime: golang
template: "${REPO_NAME}-app-template"
objects:
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
- kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: "allow-openshift-ingress-to-${APP_NAME}-app"
spec:
Expand All @@ -37,8 +37,8 @@ objects:
network.openshift.io/policy-group: ingress
policyTypes:
- Ingress
- apiVersion: v1
kind: ConfigMap
- kind: ConfigMap
apiVersion: v1
metadata:
name: "${APP_NAME}-caddyfile"
data:
Expand All @@ -52,10 +52,11 @@ objects:
:8080 {
file_server browse
log
root * ${DATA_DIR}/databases
}
- apiVersion: v1
kind: DeploymentConfig
- kind: DeploymentConfig
apiVersion: v1
metadata:
name: "${APP_NAME}-app"
spec:
Expand Down Expand Up @@ -84,12 +85,12 @@ objects:
spec:
containers:
- name: app
image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}-app:latest"
image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}:${IMAGE_TAG}"
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
imagePullPolicy: IfNotPresent
imagePullPolicy: Always
livenessProbe:
tcpSocket:
port: 8080
Expand Down Expand Up @@ -136,15 +137,6 @@ objects:
test: false
triggers:
- type: ConfigChange
- imageChangeParams:
automatic: true
containerNames:
- app
from:
kind: ImageStreamTag
name: "${REPO_NAME}-app:latest"
namespace: "${NAMESPACE}"
type: ImageChange
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
Expand Down Expand Up @@ -208,15 +200,22 @@ parameters:
description: The base docker registry
displayName: Docker Image Registry
required: true
value: image-registry.openshift-image-registry.svc:5000
value: ghcr.io
- name: IMAGE_TAG
description: The docker image tag
displayName: Docker Image Tag
required: true
value: latest
- name: NAMESPACE
description: Target namespace reference (i.e. 'wfezkf-dev')
displayName: Target Namespace
required: true
value: bcgov
- name: REPO_NAME
description: Application repository name
displayName: Repository Name
required: true
value: clamav-mirror
- name: ROUTE_HOST
description: The host the route will use to expose service outside cluster
displayName: Route host
Expand Down

0 comments on commit 00e1d91

Please sign in to comment.