Update Dockerfile base image, Kustomize resources, Django minor version #490

Merged
merged 6 commits into from
Dec 10, 2024
26 changes: 14 additions & 12 deletions .github/workflows/image-build-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,11 @@ name: "Build Docker image and run Trivy vulnerability scan"
on:
push:
# Publish `master` as `latest` image.
branches: [ master ]
# Publish `2.*` tags as releases.
tags: [ '2.*' ]
branches: [master]
# Publish tagged commits as releases.
tags: ["*"]
pull_request:
branches: [ master ]
branches: [master]

env:
REGISTRY: ghcr.io
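Review bot: widening the tag trigger from `2.*` to `*` means every pushed tag, not only release tags, now builds and publishes an image to ghcr.io, and the comment above it was changed to match. Confirm that tag creation on this repository is restricted (a tag protection rule) so only intended releases get published, or keep a release-pattern glob here. The bracket spacing changes on the `branches:` lines are cosmetic.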
Expand Down Expand Up @@ -77,16 +77,18 @@ jobs:
# Run vulnerability scan on built image
#----------------------------------------------
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
scan-type: "image"
scanners: "vuln"
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
vuln-type: 'os,library'
severity: 'HIGH,CRITICAL'
format: 'sarif'
output: 'trivy-results.sarif'
vuln-type: "os,library"
severity: "HIGH,CRITICAL"
format: "sarif"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
sarif_file: "trivy-results.sarif"
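Review bot: moving `uses: aquasecurity/trivy-action` off `@master` onto a release tag is an improvement, but a tag is still mutable; pin third-party actions to a full commit SHA with the version in a trailing comment so the scanner step cannot change underneath the workflow. The quote-style changes on the remaining lines are cosmetic.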
6 changes: 3 additions & 3 deletions .github/workflows/run-tests.yml
Expand Up @@ -3,9 +3,9 @@ name: "Run Django unit tests"
on:
# Triggers the workflow on push or pull request events but only for the master branch
push:
branches: [ master ]
branches: [master]
pull_request:
branches: [ master ]
branches: [master]
workflow_dispatch:

jobs:
Expand Down Expand Up @@ -36,7 +36,7 @@ jobs:
uses: actions/setup-python@v5
id: setup-python
with:
python-version: '3.12'
python-version: "3.12"
#----------------------------------------------
# Install GDAL into the environment
#----------------------------------------------
20 changes: 10 additions & 10 deletions .github/workflows/secret-scan.yml
Expand Up @@ -13,13 +13,13 @@ jobs:
name: Scan project for secrets
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Secret scanning
uses: trufflesecurity/trufflehog@main
with:
base: ""
head: ${{ github.ref_name }}
extra_args: --only-verified
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Secret scanning
uses: trufflesecurity/trufflehog@main
with:
base: ""
head: ${{ github.ref_name }}
extra_args: --only-verified
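Review bot: this hunk only re-indents the steps, but `uses: trufflesecurity/trufflehog@main` stays unpinned while the Trivy action in this same PR is moved off `@master`; pin it to a tag or commit SHA for the same reason. Also note that `--only-verified` suppresses findings TruffleHog cannot verify against the issuing service, so a leaked credential for an unverifiable service will not be reported; make sure that is the intended trade-off.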
6 changes: 3 additions & 3 deletions Dockerfile
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1
# Prepare the base environment.
FROM python:3.12.6-alpine AS builder_base
FROM python:3.12.8-alpine AS builder_base
LABEL [email protected]
LABEL org.opencontainers.image.source=https://github.com/dbca-wa/it-assets

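Review bot: the base image bump from `python:3.12.6-alpine` to `python:3.12.8-alpine` still references a moving tag; consider pinning the digest alongside the tag (`FROM python:3.12.8-alpine@sha256:<digest>`, with the digest filled in from the registry) so the layer the Trivy workflow scanned is exactly the layer that gets built next time.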
Expand All @@ -26,11 +26,11 @@ RUN apk add --no-cache \
proj \
binutils \
&& ln -s /usr/lib/libproj.so.25 /usr/lib/libproj.so \
&& ln -s /usr/lib/libgdal.so.35 /usr/lib/libgdal.so \
&& ln -s /usr/lib/libgdal.so.36 /usr/lib/libgdal.so \
&& ln -s /usr/lib/libgeos_c.so.1 /usr/lib/libgeos_c.so
WORKDIR /app
COPY poetry.lock pyproject.toml ./
ARG POETRY_VERSION=1.8.3
ARG POETRY_VERSION=1.8.5
RUN pip install --no-cache-dir --root-user-action=ignore poetry==${POETRY_VERSION} \
&& poetry config virtualenvs.create false \
&& poetry install --no-interaction --no-ansi --only main
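Review bot: `ln -s /usr/lib/libgdal.so.36 /usr/lib/libgdal.so` hardcodes the soname shipped by the current Alpine release, and `ln -s` does not check that the target exists, so a future base-image bump that ships a different soname will build cleanly and fail only at runtime when GDAL is loaded. Add a build-time check such as `test -e /usr/lib/libgdal.so.36 &&` before the link so the build fails early. The `POETRY_VERSION` bump to 1.8.5 is fine; it remains pinned.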
10 changes: 5 additions & 5 deletions kustomize/README.md
Expand Up @@ -2,7 +2,7 @@

Declarative management of IT Assets Kubernetes resources using Kustomize.

# How to use
## How to use

Within an overlay directory, create a `.env` file to contain required secret
values in the format KEY=value (i.e. `overlays/uat/.env`). Required values:
Expand All @@ -22,8 +22,8 @@ Run `kubectl` with the `-k` flag to generate resources for a given overlay:
kubectl apply -k kustomize/overlays/uat --namespace sss --dry-run=client
```

# References:
## References

* https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/
* https://github.com/kubernetes-sigs/kustomize
* https://github.com/kubernetes-sigs/kustomize/tree/master/examples
- <https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/>
- <https://github.com/kubernetes-sigs/kustomize>
- <https://github.com/kubernetes-sigs/kustomize/tree/master/examples>
8 changes: 4 additions & 4 deletions kustomize/base/clusterip.yaml
Expand Up @@ -5,7 +5,7 @@ metadata:
spec:
type: ClusterIP
ports:
- name: wsgi
port: 8080
protocol: TCP
targetPort: 8080
- name: wsgi
port: 8080
protocol: TCP
targetPort: 8080
130 changes: 69 additions & 61 deletions kustomize/base/deployment.yaml
Expand Up @@ -2,73 +2,81 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: itassets-deployment
labels:
app: itassets-deployment
spec:
selector:
matchLabels:
app: itassets-deployment
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: itassets-deployment
spec:
containers:
- name: itassets
image: ghcr.io/dbca-wa/it-assets
env:
- name: ALLOWED_HOSTS
value: ".dbca.wa.gov.au"
- name: CSRF_TRUSTED_ORIGINS
value: "https://*.dbca.wa.gov.au"
- name: CSRF_COOKIE_SECURE
value: "True"
- name: SESSION_COOKIE_SECURE
value: "True"
- name: TZ
value: "Australia/Perth"
resources:
requests:
memory: "100Mi"
cpu: "5m"
limits:
memory: "4096Mi"
cpu: "1000m"
startupProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 15
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
livenessProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /readyz
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /tmp
name: tmpfs-ram
- name: itassets
image: ghcr.io/dbca-wa/it-assets
env:
- name: ALLOWED_HOSTS
value: ".dbca.wa.gov.au"
- name: CSRF_TRUSTED_ORIGINS
value: "https://*.dbca.wa.gov.au"
- name: CSRF_COOKIE_SECURE
value: "True"
- name: SESSION_COOKIE_SECURE
value: "True"
- name: TZ
value: "Australia/Perth"
resources:
requests:
memory: "100Mi"
cpu: "5m"
limits:
memory: "4096Mi"
cpu: "1000m"
startupProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 15
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
livenessProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /readyz
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /tmp
name: tmpfs-ram
volumes:
- name: tmpfs-ram
emptyDir:
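Review bot: this hunk is indentation only (the env, probe and securityContext definitions are unchanged), so nothing to block. While the container `securityContext` is being touched, a `seccompProfile: {type: RuntimeDefault}` entry would complete the hardening set already present (`runAsNonRoot`, `allowPrivilegeEscalation: false`, drop `ALL`, `readOnlyRootFilesystem`). The `4096Mi` memory limit against a `100Mi` request is a wide gap worth a second look for scheduling behaviour.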
46 changes: 23 additions & 23 deletions kustomize/base/postgres_fdw.yaml
Expand Up @@ -9,27 +9,27 @@ spec:
template:
spec:
containers:
- name: itassets-postgres-fdw
image: ghcr.io/dbca-wa/postgres-oracle-fdw:16-3.4
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: "Australia/Perth"
- name: POSTGRES_DB
value: "fdw"
resources:
requests:
memory: "128Mi"
cpu: "10m"
limits:
memory: "1Gi"
cpu: "1000m"
securityContext:
runAsUser: 999
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: false
- name: itassets-postgres-fdw
image: ghcr.io/dbca-wa/postgres-oracle-fdw:16-3.4
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: "Australia/Perth"
- name: POSTGRES_DB
value: "fdw"
resources:
requests:
memory: "128Mi"
cpu: "10m"
limits:
memory: "1Gi"
cpu: "1000m"
securityContext:
runAsUser: 999
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: false
restartPolicy: Always
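Review bot: indentation-only hunk, but the `securityContext` here sets `runAsUser: 999` without `runAsNonRoot: true`; the UID is forced today, yet a later edit that drops or changes it would silently allow root, whereas `runAsNonRoot: true` makes the non-root requirement explicit and enforced by the kubelet, matching the itassets container. `readOnlyRootFilesystem: false` is presumably needed for the PostgreSQL data directory; a writable volume mount for that path would let the root filesystem go read-only like the other container.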
8 changes: 4 additions & 4 deletions kustomize/base/postgres_fdw_service.yaml
Expand Up @@ -6,7 +6,7 @@ spec:
type: ClusterIP
clusterIP: None
ports:
- name: default
port: 42
protocol: TCP
targetPort: 42
- name: default
port: 42
protocol: TCP
targetPort: 42