Merge pull request dbca-wa#103 from ropable/master

Reorganise Kustomize resources, run Docker image as numeric non-root user
ropable · Aug 24, 2023 · fbfb4e8 · fbfb4e8
2 parents f9efed7 + f601cdc
commit fbfb4e8
Show file tree

Hide file tree

Showing 18 changed files with 69 additions and 45 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -12,18 +12,24 @@ RUN apt-get update -y \
 # Install Python libs using Poetry.
 FROM builder_base_ibms as python_libs_ibms
 WORKDIR /app
-ENV POETRY_VERSION=1.5.1
-RUN pip install "poetry==$POETRY_VERSION"
-COPY poetry.lock pyproject.toml /app/
+ARG POETRY_VERSION=1.6.1
+RUN pip install poetry=="${POETRY_VERSION}"
+COPY poetry.lock pyproject.toml ./
 RUN poetry config virtualenvs.create false \
   && poetry install --no-interaction --no-ansi --only main
 
+# Install a non-root user.
+ARG UID=10001
+ARG GID=10001
+RUN groupadd -g "${GID}" appuser \
+  && useradd --no-create-home --no-log-init --uid "${UID}" --gid "${GID}" appuser
+
 # Install the project.
 FROM python_libs_ibms
 COPY manage.py gunicorn.py ./
 COPY ibms_project ./ibms_project
 RUN python manage.py collectstatic --noinput
-# Run the application as the www-data user.
-USER www-data
+
+USER ${UID}
 EXPOSE 8080
 CMD ["gunicorn", "ibms_project.wsgi", "--config", "gunicorn.py"]
diff --git a/ibms_project/settings.py b/ibms_project/settings.py
@@ -20,7 +20,7 @@
 SECURE_REFERRER_POLICY = env('SECURE_REFERRER_POLICY', None)
 SECURE_HSTS_SECONDS = env('SECURE_HSTS_SECONDS', 0)
 if not DEBUG:
-    ALLOWED_HOSTS = env('ALLOWED_DOMAINS', 'localhost').split(',')
+    ALLOWED_HOSTS = env('ALLOWED_HOSTS', 'localhost').split(',')
 else:
     ALLOWED_HOSTS = ['*']
 INTERNAL_IPS = ['127.0.0.1', '::1']
@@ -80,7 +80,7 @@
 ]
 SITE_TITLE = 'Integrated Business Management System'
 SITE_ACRONYM = 'IBMS'
-APPLICATION_VERSION_NO = '2.8.0'
+APPLICATION_VERSION_NO = '2.8.1'
 MANAGERS = (
     ('Zen Wee', '[email protected]', '9219 9928'),
     ('Graham Holmes', '[email protected]', '9881 9212'),

diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml
@@ -3,14 +3,15 @@ kind: Deployment
 metadata:
   name: ibms-deployment
 spec:
+  replicas: 2
   strategy:
     type: RollingUpdate
   template:
     spec:
       containers:
       - name: ibms
         env:
-        - name: ALLOWED_DOMAINS
+        - name: ALLOWED_HOSTS
           value: ".dbca.wa.gov.au"
         - name: EMAIL_HOST
           value: "smtp.lan.fyi"
@@ -50,8 +51,11 @@ spec:
           failureThreshold: 3
           timeoutSeconds: 2
         securityContext:
+          runAsNonRoot: true
+          privileged: false
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL
+          readOnlyRootFilesystem: false
       restartPolicy: Always
diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml
@@ -1,4 +1,3 @@
-namespace: ibms
 resources:
 - deployment.yaml
-- namespace.yaml
+- service.yaml
diff --git a/kustomize/base/namespace.yaml b/kustomize/base/namespace.yaml
diff --git a/kustomize/overlays/uat/service.yaml → kustomize/base/service.yaml b/kustomize/overlays/uat/service.yaml → kustomize/base/service.yaml
@@ -9,6 +9,3 @@ spec:
     port: 8080
     protocol: TCP
     targetPort: 8080
-  selector:
-    app: ibms-uat
-    variant: uat
diff --git a/.../overlays/prod/deployment_prod_patch.yaml → ...omize/overlays/prod/deployment_patch.yaml b/.../overlays/prod/deployment_prod_patch.yaml → ...omize/overlays/prod/deployment_patch.yaml
@@ -15,11 +15,11 @@ spec:
     spec:
       containers:
       - name: ibms
-        image: dbcawa/ibms:2.6.5
+        image: ghcr.io/dbca-wa/ibms:2.8.1
         imagePullPolicy: IfNotPresent
         env:
         - name: IBMS_URL
-          value: "https://ibms-aks.dbca.wa.gov.au"
+          value: "https://ibms.dbca.wa.gov.au"
         - name: DATABASE_URL
           valueFrom:
             secretKeyRef:

diff --git a/kustomize/overlays/prod/ingress.yaml b/kustomize/overlays/prod/ingress.yaml
@@ -1,9 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: ibms
-  labels:
-    app: ibms-prod
+  name: ibms-ingress
 spec:
   ingressClassName: nginx
   rules:

diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml
@@ -1,18 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: ibms
 nameSuffix: -prod
 secretGenerator:
-- envs:
+- name: ibms-env
+  type: Opaque
+  envs:
   - .env
-  name: ibms-env
 resources:
 - ../../base
-- service.yaml
 - ingress.yaml
+- pdb.yaml
 labels:
 - includeSelectors: true
   pairs:
     variant: prod
 patches:
-- path: deployment_prod_patch.yaml
+- path: deployment_patch.yaml
+- path: service_patch.yaml
diff --git a/kustomize/overlays/prod/pdb.yaml b/kustomize/overlays/prod/pdb.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: ibms-pdb
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: ibms-prod
+      variant: prod
diff --git a/kustomize/overlays/prod/service.yaml → kustomize/overlays/prod/service_patch.yaml b/kustomize/overlays/prod/service.yaml → kustomize/overlays/prod/service_patch.yaml
@@ -4,11 +4,6 @@ metadata:
   name: ibms-clusterip
 spec:
   type: ClusterIP
-  ports:
-  - name: wsgi
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
   selector:
     app: ibms-prod
     variant: prod
diff --git a/...ze/overlays/uat/deployment_uat_patch.yaml → kustomize/overlays/uat/deployment_patch.yaml b/...ze/overlays/uat/deployment_uat_patch.yaml → kustomize/overlays/uat/deployment_patch.yaml
@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: ibms
-        image: ghcr.io/dbca-wa/ibms:latest
+        image: ghcr.io/dbca-wa/ibms
         imagePullPolicy: Always
         env:
         - name: IBMS_URL

diff --git a/kustomize/overlays/uat/ingress.yaml b/kustomize/overlays/uat/ingress.yaml
@@ -1,9 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: ibms
-  labels:
-    app: ibms-uat
+  name: ibms-ingress
 spec:
   ingressClassName: nginx
   rules:

diff --git a/kustomize/overlays/uat/kustomization.yaml b/kustomize/overlays/uat/kustomization.yaml
@@ -1,18 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: ibms
 nameSuffix: -uat
 secretGenerator:
-- envs:
+- name: ibms-env
+  type: Opaque
+  envs:
   - .env
-  name: ibms-env
 resources:
 - ../../base
-- service.yaml
 - ingress.yaml
+- pdb.yaml
 labels:
 - includeSelectors: true
   pairs:
     variant: uat
 patches:
-- path: deployment_uat_patch.yaml
+- path: deployment_patch.yaml
+- path: service_patch.yaml
diff --git a/kustomize/overlays/uat/pdb.yaml b/kustomize/overlays/uat/pdb.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: ibms-pdb
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: ibms-uat
+      variant: uat
diff --git a/kustomize/overlays/uat/service_patch.yaml b/kustomize/overlays/uat/service_patch.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ibms-clusterip
+spec:
+  type: ClusterIP
+  selector:
+    app: ibms-uat
+    variant: uat
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "ibms"
-version = "2.8.0"
+version = "2.8.1"
 description = "Integrated Business Management System corporate application"
 authors = ["Ashley Felton <[email protected]>"]
 license = "Apache-2.0"