diff --git a/Dockerfile b/Dockerfile index 6e38baf..f53a303 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,18 +12,24 @@ RUN apt-get update -y \ # Install Python libs using Poetry. FROM builder_base_ibms as python_libs_ibms WORKDIR /app -ENV POETRY_VERSION=1.5.1 -RUN pip install "poetry==$POETRY_VERSION" -COPY poetry.lock pyproject.toml /app/ +ARG POETRY_VERSION=1.6.1 +RUN pip install poetry=="${POETRY_VERSION}" +COPY poetry.lock pyproject.toml ./ RUN poetry config virtualenvs.create false \ && poetry install --no-interaction --no-ansi --only main +# Install a non-root user. +ARG UID=10001 +ARG GID=10001 +RUN groupadd -g "${GID}" appuser \ + && useradd --no-create-home --no-log-init --uid "${UID}" --gid "${GID}" appuser + # Install the project. FROM python_libs_ibms COPY manage.py gunicorn.py ./ COPY ibms_project ./ibms_project RUN python manage.py collectstatic --noinput -# Run the application as the www-data user. -USER www-data + +USER ${UID} EXPOSE 8080 CMD ["gunicorn", "ibms_project.wsgi", "--config", "gunicorn.py"] diff --git a/ibms_project/settings.py b/ibms_project/settings.py index 2aaac61..c9b8978 100644 --- a/ibms_project/settings.py +++ b/ibms_project/settings.py @@ -20,7 +20,7 @@ SECURE_REFERRER_POLICY = env('SECURE_REFERRER_POLICY', None) SECURE_HSTS_SECONDS = env('SECURE_HSTS_SECONDS', 0) if not DEBUG: - ALLOWED_HOSTS = env('ALLOWED_DOMAINS', 'localhost').split(',') + ALLOWED_HOSTS = env('ALLOWED_HOSTS', 'localhost').split(',') else: ALLOWED_HOSTS = ['*'] INTERNAL_IPS = ['127.0.0.1', '::1'] @@ -80,7 +80,7 @@ ] SITE_TITLE = 'Integrated Business Management System' SITE_ACRONYM = 'IBMS' -APPLICATION_VERSION_NO = '2.8.0' +APPLICATION_VERSION_NO = '2.8.1' MANAGERS = ( ('Zen Wee', 'zen.wee@dbca.wa.gov.au', '9219 9928'), ('Graham Holmes', 'graham.holmes@dbca.wa.gov.au', '9881 9212'), diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml index 3ad2138..810c4bd 100644 --- a/kustomize/base/deployment.yaml 
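Review bot: `USER ${UID}` at the end of the hunk sits in the final stage (`FROM python_libs_ibms`), but `ARG UID` is declared in the previous stage, and a Dockerfile ARG goes out of scope at the end of the stage that declares it, so as far as I can tell `${UID}` expands to an empty string there and the build fails (or, at best, the user switch silently does not happen). Re-declare it in the final stage, i.e. `FROM python_libs_ibms` followed by `ARG UID=10001`, and keep the numeric form rather than `USER appuser` so a pod securityContext with `runAsNonRoot: true` can verify the user from image metadata. The user is created with `--no-create-home` and everything copied into `/app` is root-owned after `collectstatic`; if any path must be writable at runtime, a comment on the `RUN groupadd` line saying which one (and a `--chown`) would make that explicit.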
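Review bot: The new `ALLOWED_HOSTS = env('ALLOWED_HOSTS', 'localhost').split(',')` keeps any whitespace or empty entries from the variable, and Django matches hosts exactly, so a value such as `a.example, b.example` or a trailing comma yields entries that never match and requests for them are rejected with a 400; `ALLOWED_HOSTS = [h.strip() for h in env('ALLOWED_HOSTS', 'localhost').split(',') if h.strip()]` avoids that. The rename also means an environment that still exports only `ALLOWED_DOMAINS` silently falls back to `localhost` with no error, so this settings change has to ship together with the manifest change (the base deployment.yaml in this diff is updated; any other environment is not visible here). `env` is defined outside the hunk.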
+++ b/kustomize/base/deployment.yaml @@ -3,6 +3,7 @@ kind: Deployment metadata: name: ibms-deployment spec: + replicas: 2 strategy: type: RollingUpdate template: @@ -10,7 +11,7 @@ spec: containers: - name: ibms env: - - name: ALLOWED_DOMAINS + - name: ALLOWED_HOSTS value: ".dbca.wa.gov.au" - name: EMAIL_HOST value: "smtp.lan.fyi" @@ -50,8 +51,11 @@ spec: failureThreshold: 3 timeoutSeconds: 2 securityContext: + runAsNonRoot: true + privileged: false allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: false restartPolicy: Always diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index c46a93c..a944d00 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml @@ -1,4 +1,3 @@ -namespace: ibms resources: - deployment.yaml -- namespace.yaml +- service.yaml diff --git a/kustomize/base/namespace.yaml b/kustomize/base/namespace.yaml deleted file mode 100644 index 0abbcff..0000000 --- a/kustomize/base/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ibms diff --git a/kustomize/overlays/uat/service.yaml b/kustomize/base/service.yaml similarity index 77% rename from kustomize/overlays/uat/service.yaml rename to kustomize/base/service.yaml index 7128134..d0efb76 100644 --- a/kustomize/overlays/uat/service.yaml +++ b/kustomize/base/service.yaml @@ -9,6 +9,3 @@ spec: port: 8080 protocol: TCP targetPort: 8080 - selector: - app: ibms-uat - variant: uat diff --git a/kustomize/overlays/prod/deployment_prod_patch.yaml b/kustomize/overlays/prod/deployment_patch.yaml similarity index 87% rename from kustomize/overlays/prod/deployment_prod_patch.yaml rename to kustomize/overlays/prod/deployment_patch.yaml index 57a53b6..c06ae2c 100644 --- a/kustomize/overlays/prod/deployment_prod_patch.yaml +++ b/kustomize/overlays/prod/deployment_patch.yaml 
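Review bot: In the securityContext hunk, `runAsNonRoot: true` is added without `runAsUser`, so the kubelet can only satisfy the check from the image's USER directive; adding `runAsUser: 10001` and `runAsGroup: 10001` (the UID/GID defaults this diff introduces in the Dockerfile) makes the enforcement independent of image metadata. `readOnlyRootFilesystem: false` is stated explicitly, which reads as a deliberate decision; a comment naming the path that needs to be writable would make that reviewable, and if there is none, `true` plus an `emptyDir` for scratch space is the stronger default. A `seccompProfile` of type `RuntimeDefault` is the usual companion to `allowPrivilegeEscalation: false` and dropping all capabilities. The container spec continues outside the hunk.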
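Review bot: Removing `namespace: ibms` from the base (and from the prod and uat overlay kustomizations in this diff) leaves the rendered manifests without a namespace, so `kubectl apply -k` places them in whatever namespace the active context selects; presumably the pipeline now passes `-n`, but nothing in the diff says so. A one-line comment in each overlay kustomization such as `# namespace is supplied by the deploy pipeline (kubectl -n), not by kustomize` would record the decision, or the `namespace:` field could stay in the overlays. Since `namespace.yaml` is deleted in the same commit, the namespace must now pre-exist wherever this is applied.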
@@ -15,11 +15,11 @@ spec: spec: containers: - name: ibms - image: dbcawa/ibms:2.6.5 + image: ghcr.io/dbca-wa/ibms:2.8.1 imagePullPolicy: IfNotPresent env: - name: IBMS_URL - value: "https://ibms-aks.dbca.wa.gov.au" + value: "https://ibms.dbca.wa.gov.au" - name: DATABASE_URL valueFrom: secretKeyRef: diff --git a/kustomize/overlays/prod/ingress.yaml b/kustomize/overlays/prod/ingress.yaml index 5f4ddc1..d4a2427 100644 --- a/kustomize/overlays/prod/ingress.yaml +++ b/kustomize/overlays/prod/ingress.yaml @@ -1,9 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: ibms - labels: - app: ibms-prod + name: ibms-ingress spec: ingressClassName: nginx rules: diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml index a8086fb..2d240d8 100644 --- a/kustomize/overlays/prod/kustomization.yaml +++ b/kustomize/overlays/prod/kustomization.yaml @@ -1,18 +1,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: ibms nameSuffix: -prod secretGenerator: -- envs: +- name: ibms-env + type: Opaque + envs: - .env - name: ibms-env resources: - ../../base -- service.yaml - ingress.yaml +- pdb.yaml labels: - includeSelectors: true pairs: variant: prod patches: -- path: deployment_prod_patch.yaml +- path: deployment_patch.yaml +- path: service_patch.yaml diff --git a/kustomize/overlays/prod/pdb.yaml b/kustomize/overlays/prod/pdb.yaml new file mode 100644 index 0000000..8fb8da3 --- /dev/null +++ b/kustomize/overlays/prod/pdb.yaml @@ -0,0 +1,10 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: ibms-pdb +spec: + minAvailable: 1 + selector: + matchLabels: + app: ibms-prod + variant: prod diff --git a/kustomize/overlays/prod/service.yaml b/kustomize/overlays/prod/service_patch.yaml similarity index 63% rename from kustomize/overlays/prod/service.yaml rename to kustomize/overlays/prod/service_patch.yaml index 412d780..b38cad7 100644 --- a/kustomize/overlays/prod/service.yaml 
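Review bot: `image: ghcr.io/dbca-wa/ibms:2.8.1` with `imagePullPolicy: IfNotPresent` pins a tag, and a tag on the registry can be re-pushed, so what a node runs depends on what it already has cached; pinning the digest as well, `image: ghcr.io/dbca-wa/ibms:2.8.1@sha256:<digest from the registry>`, makes the prod rollout reproducible and lets the pulled content be verified. The rest of the container spec is outside the hunk.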
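Review bot: Dropping `includeSelectors: true` from `labels` changes where `variant: prod` is applied: without it (and without `includeTemplates`), kustomize adds the label only to each object's `metadata.labels`, not to pod templates or selectors. The new pdb.yaml and service_patch.yaml in this diff select on `app: ibms-prod` and `variant: prod`, so they match pods only if deployment_patch.yaml sets both labels on the pod template itself; its first lines are outside the hunk shown, so I cannot confirm that. Either verify the selectors against `kustomize build` output or add `includeTemplates: true` next to `pairs`. The uat overlay kustomization makes the same change.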
+++ b/kustomize/overlays/prod/service_patch.yaml @@ -4,11 +4,6 @@ metadata: name: ibms-clusterip spec: type: ClusterIP - ports: - - name: wsgi - port: 8080 - protocol: TCP - targetPort: 8080 selector: app: ibms-prod variant: prod diff --git a/kustomize/overlays/uat/deployment_uat_patch.yaml b/kustomize/overlays/uat/deployment_patch.yaml similarity index 93% rename from kustomize/overlays/uat/deployment_uat_patch.yaml rename to kustomize/overlays/uat/deployment_patch.yaml index 7994b89..806fb95 100644 --- a/kustomize/overlays/uat/deployment_uat_patch.yaml +++ b/kustomize/overlays/uat/deployment_patch.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: ibms - image: ghcr.io/dbca-wa/ibms:latest + image: ghcr.io/dbca-wa/ibms imagePullPolicy: Always env: - name: IBMS_URL diff --git a/kustomize/overlays/uat/ingress.yaml b/kustomize/overlays/uat/ingress.yaml index cb2a4f3..71c307c 100644 --- a/kustomize/overlays/uat/ingress.yaml +++ b/kustomize/overlays/uat/ingress.yaml @@ -1,9 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: ibms - labels: - app: ibms-uat + name: ibms-ingress spec: ingressClassName: nginx rules: diff --git a/kustomize/overlays/uat/kustomization.yaml b/kustomize/overlays/uat/kustomization.yaml index 44fcfb0..0563f11 100644 --- a/kustomize/overlays/uat/kustomization.yaml +++ b/kustomize/overlays/uat/kustomization.yaml @@ -1,18 +1,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: ibms nameSuffix: -uat secretGenerator: -- envs: +- name: ibms-env + type: Opaque + envs: - .env - name: ibms-env resources: - ../../base -- service.yaml - ingress.yaml +- pdb.yaml labels: - includeSelectors: true pairs: variant: uat patches: -- path: deployment_uat_patch.yaml +- path: deployment_patch.yaml +- path: service_patch.yaml diff --git a/kustomize/overlays/uat/pdb.yaml b/kustomize/overlays/uat/pdb.yaml new file mode 100644 index 0000000..5c92572 --- /dev/null +++ b/kustomize/overlays/uat/pdb.yaml 
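Review bot: `image: ghcr.io/dbca-wa/ibms` drops the tag, which the runtime resolves to `:latest` implicitly, so the behaviour is unchanged but the intent is no longer visible in the manifest; with `imagePullPolicy: Always` every pod restart may pick up a different build. Keeping the tag explicit, `image: ghcr.io/dbca-wa/ibms:latest`, or better an immutable tag updated by the pipeline, makes it clear what UAT is running at any time. The rest of the container spec is outside the hunk.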
@@ -0,0 +1,10 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: ibms-pdb +spec: + minAvailable: 1 + selector: + matchLabels: + app: ibms-uat + variant: uat diff --git a/kustomize/overlays/uat/service_patch.yaml b/kustomize/overlays/uat/service_patch.yaml new file mode 100644 index 0000000..8b024a4 --- /dev/null +++ b/kustomize/overlays/uat/service_patch.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Service +metadata: + name: ibms-clusterip +spec: + type: ClusterIP + selector: + app: ibms-uat + variant: uat diff --git a/poetry.lock b/poetry.lock index 726541d..f187439 100644 --- a/poetry.lock +++ b/poetry.lock @@ -660,13 +660,13 @@ tests = ["pytest"] [[package]] name = "pygments" -version = "2.15.1" +version = "2.16.1" description = "Pygments is a syntax highlighting package written in Python." optional = false python-versions = ">=3.7" files = [ - {file = "Pygments-2.15.1-py3-none-any.whl", hash = "sha256:db2db3deb4b4179f399a09054b023b6a586b76499d36965813c71aa8ed7b5fd1"}, - {file = "Pygments-2.15.1.tar.gz", hash = "sha256:8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c"}, + {file = "Pygments-2.16.1-py3-none-any.whl", hash = "sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692"}, + {file = "Pygments-2.16.1.tar.gz", hash = "sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29"}, ] [package.extras] diff --git a/pyproject.toml b/pyproject.toml index 90e97a6..cf903f9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "ibms" -version = "2.8.0" +version = "2.8.1" description = "Integrated Business Management System corporate application" authors = ["Ashley Felton "] license = "Apache-2.0"