Merge pull request #307 from ropable/master

Add def save_tracertrak_feed function, mgmt command, Kustomize cronjob, bump dependency minor versions
dbca-wa · Dec 2, 2024 · cfe752f · cfe752f
2 parents 3280dd5 + 9917a43
commit cfe752f
Show file tree

Hide file tree

Showing 20 changed files with 623 additions and 394 deletions.
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -77,15 +77,18 @@ jobs:
       # Run vulnerability scan on built image
       #----------------------------------------------
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
-          scan-type: 'image'
+          scan-type: "image"
+          scanners: "vuln"
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          vuln-type: 'os,library'
-          severity: 'HIGH,CRITICAL'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          vuln-type: "os,library"
+          severity: "HIGH,CRITICAL"
+          format: "sarif"
+          output: "trivy-results.sarif"
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml
@@ -2,71 +2,79 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: resourcetracking-deployment
+  labels:
+    app: resourcetracking-deployment
 spec:
+  selector:
+    matchLabels:
+      app: resourcetracking-deployment
   strategy:
     type: RollingUpdate
   template:
+    metadata:
+      labels:
+        app: resourcetracking-deployment
     spec:
       containers:
-      - name: resourcetracking
-        image: ghcr.io/dbca-wa/resource_tracking
-        env:
-        - name: ALLOWED_HOSTS
-          value: ".dbca.wa.gov.au"
-        - name: CSRF_TRUSTED_ORIGINS
-          value: "https://*.dbca.wa.gov.au"
-        - name: CSRF_COOKIE_SECURE
-          value: "True"
-        - name: SESSION_COOKIE_SECURE
-          value: "True"
-        - name: TZ
-          value: "Australia/Perth"
-        resources:
-          requests:
-            memory: "100Mi"
-            cpu: "5m"
-          limits:
-            memory: "2Gi"
-            cpu: "1000m"
-        startupProbe:
-          httpGet:
-            path: /livez
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 3
-          periodSeconds: 3
-          timeoutSeconds: 3
-          successThreshold: 1
-          failureThreshold: 3
-        livenessProbe:
-          httpGet:
-            path: /livez
-            port: 8080
-            scheme: HTTP
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-          timeoutSeconds: 5
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: 8080
-            scheme: HTTP
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-          timeoutSeconds: 5
-        securityContext:
-          runAsNonRoot: true
-          privileged: false
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
-        volumeMounts:
-          - mountPath: /tmp
-            name: tmpfs-ram
+        - name: resourcetracking
+          image: ghcr.io/dbca-wa/resource_tracking
+          env:
+            - name: ALLOWED_HOSTS
+              value: ".dbca.wa.gov.au"
+            - name: CSRF_TRUSTED_ORIGINS
+              value: "https://*.dbca.wa.gov.au"
+            - name: CSRF_COOKIE_SECURE
+              value: "True"
+            - name: SESSION_COOKIE_SECURE
+              value: "True"
+            - name: TZ
+              value: "Australia/Perth"
+          resources:
+            requests:
+              memory: "100Mi"
+              cpu: "5m"
+            limits:
+              memory: "2Gi"
+              cpu: "1000m"
+          startupProbe:
+            httpGet:
+              path: /livez
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 3
+            periodSeconds: 3
+            timeoutSeconds: 3
+            successThreshold: 1
+            failureThreshold: 3
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 8080
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8080
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+            timeoutSeconds: 5
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmpfs-ram
       volumes:
         - name: tmpfs-ram
           emptyDir:

diff --git a/kustomize/base/service.yaml b/kustomize/base/service.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-  - name: wsgi
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
+    - name: wsgi
+      port: 8080
+      protocol: TCP
+      targetPort: 8080
diff --git a/kustomize/overlays/prod/cronjobs/harvest-tracertrak/kustomization.yaml b/kustomize/overlays/prod/cronjobs/harvest-tracertrak/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../template
+nameSuffix: -harvest-tracertrak
+patches:
+  - target:
+      kind: CronJob
+      name: resourcetracking-cronjob
+    path: patch.yaml
+  - target:
+      kind: CronJob
+      name: resourcetracking-cronjob
+    options:
+      allowNameChange: true
+    patch: |-
+      - op: replace
+        path: /spec/jobTemplate/spec/template/spec/containers/0/name
+        value: resourcetracking-cronjob-harvest-tracertrak
diff --git a/kustomize/overlays/prod/cronjobs/harvest-tracertrak/patch.yaml b/kustomize/overlays/prod/cronjobs/harvest-tracertrak/patch.yaml
@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: resourcetracking-cronjob
+spec:
+  schedule: "*/2 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: resourcetracking-cronjob
+              imagePullPolicy: IfNotPresent
+              args: ["manage.py", "harvest_tracertrak_feed"]
+              env:
+                - name: DATABASE_URL
+                  valueFrom:
+                    secretKeyRef:
+                      name: resourcetracking-env-prod
+                      key: DATABASE_URL
+                - name: TRACERTRAK_URL
+                  valueFrom:
+                    secretKeyRef:
+                      name: resourcetracking-env-prod
+                      key: TRACERTRAK_URL
+                - name: TRACERTRAK_AUTH_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: resourcetracking-env-prod
+                      key: TRACERTRAK_AUTH_TOKEN
+                - name: SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: resourcetracking-env-prod
+                      key: SENTRY_DSN
+                - name: SENTRY_ENVIRONMENT
+                  value: "prod"