From 1d9db9afeb4f9ae747464424ceb4859ae9760e50 Mon Sep 17 00:00:00 2001 From: Ashley Felton Date: Wed, 23 Aug 2023 14:02:36 +0800 Subject: [PATCH 1/8] ALLOWED_DOMAINS -> ALLOWED_HOSTS in settings. --- ibms_project/settings.py | 2 +- kustomize/base/namespace.yaml | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 kustomize/base/namespace.yaml diff --git a/ibms_project/settings.py b/ibms_project/settings.py index 2aaac61..a626edb 100644 --- a/ibms_project/settings.py +++ b/ibms_project/settings.py @@ -20,7 +20,7 @@ SECURE_REFERRER_POLICY = env('SECURE_REFERRER_POLICY', None) SECURE_HSTS_SECONDS = env('SECURE_HSTS_SECONDS', 0) if not DEBUG: - ALLOWED_HOSTS = env('ALLOWED_DOMAINS', 'localhost').split(',') + ALLOWED_HOSTS = env('ALLOWED_HOSTS', 'localhost').split(',') else: ALLOWED_HOSTS = ['*'] INTERNAL_IPS = ['127.0.0.1', '::1'] diff --git a/kustomize/base/namespace.yaml b/kustomize/base/namespace.yaml deleted file mode 100644 index 0abbcff..0000000 --- a/kustomize/base/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ibms From 47e705237a67cf0d1a4461a9927822784e567433 Mon Sep 17 00:00:00 2001 From: Ashley Felton Date: Wed, 23 Aug 2023 14:07:36 +0800 Subject: [PATCH 2/8] Update Dockerfile: create custom appuser, update Poetry version. --- Dockerfile | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6e38baf..3c312bf 100644 --- a/Dockerfile +++ b/Dockerfile 
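Review bot: `env('ALLOWED_HOSTS', 'localhost').split(',')` keeps whatever whitespace surrounds the commas and turns an empty value into `['']`, so a value such as `"a.example, b.example"` produces an entry Django's host check will never match and that host gets a 400 for every request. Consider `ALLOWED_HOSTS = [h.strip() for h in env('ALLOWED_HOSTS', 'localhost').split(',') if h.strip()]`. The rename also means any environment still exporting `ALLOWED_DOMAINS` silently falls back to `localhost` when `DEBUG` is off; the base Kustomize deployment is updated later in this series, but other places that set the old name are not visible here.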
@@ -12,18 +12,24 @@ RUN apt-get update -y \ # Install Python libs using Poetry. FROM builder_base_ibms as python_libs_ibms WORKDIR /app -ENV POETRY_VERSION=1.5.1 -RUN pip install "poetry==$POETRY_VERSION" -COPY poetry.lock pyproject.toml /app/ +ARG POETRY_VERSION=1.6.1 +RUN pip install poetry=="${POETRY_VERSION}" +COPY poetry.lock pyproject.toml ./ RUN poetry config virtualenvs.create false \ && poetry install --no-interaction --no-ansi --only main +# Install a non-root user. +ARG UID=10001 +ARG GID=10001 +RUN groupadd -g "${GID}" appuser \ + && useradd --no-create-home --no-log-init --uid "${UID}" --gid "${GID}" appuser + # Install the project. FROM python_libs_ibms COPY manage.py gunicorn.py ./ COPY ibms_project ./ibms_project RUN python manage.py collectstatic --noinput -# Run the application as the www-data user. -USER www-data + +USER appuser EXPOSE 8080 CMD ["gunicorn", "ibms_project.wsgi", "--config", "gunicorn.py"] From 4a32e435db5a07640873ecdf6ea41d2418d8fc77 Mon Sep 17 00:00:00 2001 From: Ashley Felton Date: Wed, 23 Aug 2023 14:34:28 +0800 Subject: [PATCH 3/8] Run as non-numeric user in Dockerfile so Kubernetes may confirm running as non-root. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3c312bf..f53a303 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,6 +30,6 @@ COPY manage.py gunicorn.py ./ COPY ibms_project ./ibms_project RUN python manage.py collectstatic --noinput -USER appuser +USER ${UID} EXPOSE 8080 CMD ["gunicorn", "ibms_project.wsgi", "--config", "gunicorn.py"] From 04e8993d90b3195cb5eeb619a48c2cd75d475fc8 Mon Sep 17 00:00:00 2001 
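Review bot: `RUN pip install poetry=="${POETRY_VERSION}"` pins Poetry itself, but its transitive dependencies are resolved fresh on every build and pip's download cache is left in the layer; `RUN pip install --no-cache-dir poetry=="${POETRY_VERSION}"` drops the cache, and a constraints file would make the resolution reproducible if that matters for this image. Creating the user in the `python_libs_ibms` stage is fine because `/etc/passwd` is inherited by the final `FROM python_libs_ibms` stage, which is why `USER appuser` resolves by name. Minor wording: `# Install a non-root user.` reads better as `# Create an unprivileged user to run the application.`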
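Review bot: `USER ${UID}` sits in the final stage (`FROM python_libs_ibms`), but `ARG UID=10001` was declared inside the `python_libs_ibms` stage in the previous commit, and a build ARG goes out of scope at the end of the stage that declares it. Unless the final stage redeclares it outside this hunk, `${UID}` expands to an empty string, which as far as I can tell leaves the image with no user set at all, i.e. root, and the `runAsNonRoot: true` check added later in this series would then reject the pod at start-up. Redeclare it in the final stage, `ARG UID=10001` directly after `FROM python_libs_ibms`, and consider `ARG GID=10001` with `USER ${UID}:${GID}` so the primary group is explicit rather than resolved from `/etc/passwd` at runtime. The stage header is outside the hunk, so this is inferred from the previous commit's hunk.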
From: Ashley Felton Date: Wed, 23 Aug 2023 14:45:40 +0800 Subject: [PATCH 4/8] Added PodDisruptionBudget policy to Kustomize templates. --- kustomize/base/deployment.yaml | 6 +++++- kustomize/base/kustomization.yaml | 2 -- kustomize/overlays/prod/deployment_prod_patch.yaml | 4 ++-- kustomize/overlays/prod/ingress.yaml | 4 +--- kustomize/overlays/prod/kustomization.yaml | 2 +- kustomize/overlays/prod/pdb.yaml | 10 ++++++++++ kustomize/overlays/uat/ingress.yaml | 4 +--- kustomize/overlays/uat/kustomization.yaml | 2 +- kustomize/overlays/uat/pdb.yaml | 10 ++++++++++ 9 files changed, 31 insertions(+), 13 deletions(-) create mode 100644 kustomize/overlays/prod/pdb.yaml create mode 100644 kustomize/overlays/uat/pdb.yaml diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml index 3ad2138..810c4bd 100644 --- a/kustomize/base/deployment.yaml +++ b/kustomize/base/deployment.yaml @@ -3,6 +3,7 @@ kind: Deployment metadata: name: ibms-deployment spec: + replicas: 2 strategy: type: RollingUpdate template: @@ -10,7 +11,7 @@ spec: containers: - name: ibms env: - - name: ALLOWED_DOMAINS + - name: ALLOWED_HOSTS value: ".dbca.wa.gov.au" - name: EMAIL_HOST value: "smtp.lan.fyi" @@ -50,8 +51,11 @@ spec: failureThreshold: 3 timeoutSeconds: 2 securityContext: + runAsNonRoot: true + privileged: false allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: false restartPolicy: Always diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index c46a93c..33a2efb 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml @@ -1,4 +1,2 @@ -namespace: ibms resources: - deployment.yaml -- namespace.yaml diff --git a/kustomize/overlays/prod/deployment_prod_patch.yaml b/kustomize/overlays/prod/deployment_prod_patch.yaml index 57a53b6..75b7707 100644 --- a/kustomize/overlays/prod/deployment_prod_patch.yaml +++ b/kustomize/overlays/prod/deployment_prod_patch.yaml 
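Review bot: `readOnlyRootFilesystem: false` in the `kustomize/base/deployment.yaml` securityContext hunk is an explicit opt-out sitting next to the hardening the rest of the hunk adds, and nothing in the diff shows what the container needs to write. If it is only scratch space, `readOnlyRootFilesystem: true` with an `emptyDir` volume mounted at `/tmp` keeps the image immutable; if a writable root is genuinely required, a one-line comment such as `# writable root needed for <reason>` stops the next reviewer from flipping it. The block also lacks `seccompProfile: { type: RuntimeDefault }`, which the restricted Pod Security Standard requires alongside `runAsNonRoot`, and `runAsNonRoot: true` itself depends on the image's `USER` being numeric, which the Dockerfile commits in this series handle. `privileged: false` is the default and harmless to state.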
@@ -15,11 +15,11 @@ spec: spec: containers: - name: ibms - image: dbcawa/ibms:2.6.5 + image: dbcawa/ibms:2.8.0 imagePullPolicy: IfNotPresent env: - name: IBMS_URL - value: "https://ibms-aks.dbca.wa.gov.au" + value: "https://ibms.dbca.wa.gov.au" - name: DATABASE_URL valueFrom: secretKeyRef: diff --git a/kustomize/overlays/prod/ingress.yaml b/kustomize/overlays/prod/ingress.yaml index 5f4ddc1..d4a2427 100644 --- a/kustomize/overlays/prod/ingress.yaml +++ b/kustomize/overlays/prod/ingress.yaml @@ -1,9 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: ibms - labels: - app: ibms-prod + name: ibms-ingress spec: ingressClassName: nginx rules: diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml index a8086fb..05bc349 100644 --- a/kustomize/overlays/prod/kustomization.yaml +++ b/kustomize/overlays/prod/kustomization.yaml @@ -1,6 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: ibms nameSuffix: -prod secretGenerator: - envs: @@ -10,6 +9,7 @@ resources: - ../../base - service.yaml - ingress.yaml +- pdb.yaml labels: - includeSelectors: true pairs: diff --git a/kustomize/overlays/prod/pdb.yaml b/kustomize/overlays/prod/pdb.yaml new file mode 100644 index 0000000..8fb8da3 --- /dev/null +++ b/kustomize/overlays/prod/pdb.yaml @@ -0,0 +1,10 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: ibms-pdb +spec: + minAvailable: 1 + selector: + matchLabels: + app: ibms-prod + variant: prod diff --git a/kustomize/overlays/uat/ingress.yaml b/kustomize/overlays/uat/ingress.yaml index cb2a4f3..71c307c 100644 --- a/kustomize/overlays/uat/ingress.yaml +++ b/kustomize/overlays/uat/ingress.yaml @@ -1,9 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: ibms - labels: - app: ibms-uat + name: ibms-ingress spec: ingressClassName: nginx rules: 
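Review bot: The selector in `kustomize/overlays/prod/pdb.yaml` hard-codes `app: ibms-prod` and `variant: prod`, and a PodDisruptionBudget whose selector matches no pods is accepted by the API server and silently protects nothing; the pod template labels that would confirm the match live in the base deployment, outside this diff. The overlay's `labels:` entry with `includeSelectors: true` should already stamp `variant: prod` onto selectors, so either rely on that and keep only the label the base actually sets, or verify after apply with `kubectl get pdb` that the budget reports non-zero current healthy pods. With `replicas: 2`, `minAvailable: 1` allows one voluntary eviction at a time, which looks intended, but it also blocks node drains entirely whenever only one replica is healthy. The same applies to `kustomize/overlays/uat/pdb.yaml`.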
diff --git a/kustomize/overlays/uat/kustomization.yaml b/kustomize/overlays/uat/kustomization.yaml index 44fcfb0..36c9271 100644 --- a/kustomize/overlays/uat/kustomization.yaml +++ b/kustomize/overlays/uat/kustomization.yaml @@ -1,6 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: ibms nameSuffix: -uat secretGenerator: - envs: @@ -10,6 +9,7 @@ resources: - ../../base - service.yaml - ingress.yaml +- pdb.yaml labels: - includeSelectors: true pairs: diff --git a/kustomize/overlays/uat/pdb.yaml b/kustomize/overlays/uat/pdb.yaml new file mode 100644 index 0000000..5c92572 --- /dev/null +++ b/kustomize/overlays/uat/pdb.yaml @@ -0,0 +1,10 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: ibms-pdb +spec: + minAvailable: 1 + selector: + matchLabels: + app: ibms-uat + variant: uat From 60e722e74d809f3e42b8d0d6a4f7816c831793bd Mon Sep 17 00:00:00 2001 From: Ashley Felton Date: Wed, 23 Aug 2023 15:27:20 +0800 Subject: [PATCH 5/8] Update secretGenerator resource definitions. --- kustomize/overlays/prod/kustomization.yaml | 5 +++-- kustomize/overlays/uat/kustomization.yaml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml index 05bc349..01ae194 100644 --- a/kustomize/overlays/prod/kustomization.yaml +++ b/kustomize/overlays/prod/kustomization.yaml @@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization nameSuffix: -prod secretGenerator: -- envs: +- name: ibms-env + type: Opaque + envs: - .env - name: ibms-env resources: - ../../base - service.yaml diff --git a/kustomize/overlays/uat/kustomization.yaml b/kustomize/overlays/uat/kustomization.yaml index 36c9271..6538761 100644 --- a/kustomize/overlays/uat/kustomization.yaml +++ b/kustomize/overlays/uat/kustomization.yaml 
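Review bot: `type: Opaque` is the default Secret type, so the added line in the `secretGenerator` hunk is redundant, though harmless; moving `name:` first is a readability improvement. The generator reads `.env` from the overlay directory at build time, so the plaintext secret material sits next to the manifests and must stay out of version control, which this diff cannot show. The uat overlay hunk in this patch is identical.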
@@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization nameSuffix: -uat secretGenerator: -- envs: +- name: ibms-env + type: Opaque + envs: - .env - name: ibms-env resources: - ../../base - service.yaml From ad7dff3edfe62dd9628bc0edc92bec349b73098a Mon Sep 17 00:00:00 2001 From: Ashley Felton Date: Wed, 23 Aug 2023 15:36:53 +0800 Subject: [PATCH 6/8] Factor overlays/*/service.yaml into base. --- kustomize/base/kustomization.yaml | 1 + kustomize/{overlays/uat => base}/service.yaml | 3 --- ...{deployment_prod_patch.yaml => deployment_patch.yaml} | 0 kustomize/overlays/prod/kustomization.yaml | 4 ++-- .../overlays/prod/{service.yaml => service_patch.yaml} | 5 ----- .../{deployment_uat_patch.yaml => deployment_patch.yaml} | 0 kustomize/overlays/uat/kustomization.yaml | 4 ++-- kustomize/overlays/uat/service_patch.yaml | 9 +++++++++ 8 files changed, 14 insertions(+), 12 deletions(-) rename kustomize/{overlays/uat => base}/service.yaml (77%) rename kustomize/overlays/prod/{deployment_prod_patch.yaml => deployment_patch.yaml} (100%) rename kustomize/overlays/prod/{service.yaml => service_patch.yaml} (63%) rename kustomize/overlays/uat/{deployment_uat_patch.yaml => deployment_patch.yaml} (100%) create mode 100644 kustomize/overlays/uat/service_patch.yaml diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index 33a2efb..a944d00 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml @@ -1,2 +1,3 @@ resources: - deployment.yaml +- service.yaml diff --git a/kustomize/overlays/uat/service.yaml b/kustomize/base/service.yaml similarity index 77% rename from kustomize/overlays/uat/service.yaml rename to kustomize/base/service.yaml index 7128134..d0efb76 100644 --- a/kustomize/overlays/uat/service.yaml +++ b/kustomize/base/service.yaml @@ -9,6 +9,3 @@ spec: port: 8080 protocol: TCP targetPort: 8080 - selector: - app: ibms-uat - variant: uat 
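Review bot: After the move, `kustomize/base/service.yaml` has no `spec.selector` at all; that is valid YAML and the overlays' `service_patch.yaml` files add one back, but an overlay that omits the patch still builds cleanly and yields a Service with no endpoints, so nothing fails until traffic is routed. The overlays' `labels:` with `includeSelectors: true` should stamp `variant:` onto the selector automatically, so a base selector carrying the stable label (`app: ibms`, if that is what the base deployment's pod template sets — not visible here) would keep the base self-contained and reduce each patch to the label value that actually differs per environment.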
diff --git a/kustomize/overlays/prod/deployment_prod_patch.yaml b/kustomize/overlays/prod/deployment_patch.yaml similarity index 100% rename from kustomize/overlays/prod/deployment_prod_patch.yaml rename to kustomize/overlays/prod/deployment_patch.yaml diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml index 01ae194..2d240d8 100644 --- a/kustomize/overlays/prod/kustomization.yaml +++ b/kustomize/overlays/prod/kustomization.yaml @@ -8,7 +8,6 @@ secretGenerator: - .env resources: - ../../base -- service.yaml - ingress.yaml - pdb.yaml labels: @@ -16,4 +15,5 @@ labels: pairs: variant: prod patches: -- path: deployment_prod_patch.yaml +- path: deployment_patch.yaml +- path: service_patch.yaml diff --git a/kustomize/overlays/prod/service.yaml b/kustomize/overlays/prod/service_patch.yaml similarity index 63% rename from kustomize/overlays/prod/service.yaml rename to kustomize/overlays/prod/service_patch.yaml index 412d780..b38cad7 100644 --- a/kustomize/overlays/prod/service.yaml +++ b/kustomize/overlays/prod/service_patch.yaml @@ -4,11 +4,6 @@ metadata: name: ibms-clusterip spec: type: ClusterIP - ports: - - name: wsgi - port: 8080 - protocol: TCP - targetPort: 8080 selector: app: ibms-prod variant: prod diff --git a/kustomize/overlays/uat/deployment_uat_patch.yaml b/kustomize/overlays/uat/deployment_patch.yaml similarity index 100% rename from kustomize/overlays/uat/deployment_uat_patch.yaml rename to kustomize/overlays/uat/deployment_patch.yaml diff --git a/kustomize/overlays/uat/kustomization.yaml b/kustomize/overlays/uat/kustomization.yaml index 6538761..0563f11 100644 --- a/kustomize/overlays/uat/kustomization.yaml +++ b/kustomize/overlays/uat/kustomization.yaml @@ -8,7 +8,6 @@ secretGenerator: - .env resources: - ../../base -- service.yaml - ingress.yaml - pdb.yaml labels: 
@@ -16,4 +15,5 @@ labels: pairs: variant: uat patches: -- path: deployment_uat_patch.yaml +- path: deployment_patch.yaml +- path: service_patch.yaml diff --git a/kustomize/overlays/uat/service_patch.yaml b/kustomize/overlays/uat/service_patch.yaml new file mode 100644 index 0000000..8b024a4 --- /dev/null +++ b/kustomize/overlays/uat/service_patch.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Service +metadata: + name: ibms-clusterip +spec: + type: ClusterIP + selector: + app: ibms-uat + variant: uat From d5ab4ddfc6ad59fbbe6d2cca2d4f55a06db19657 Mon Sep 17 00:00:00 2001 From: Ashley Felton Date: Thu, 24 Aug 2023 12:38:30 +0800 Subject: [PATCH 7/8] Use correct ibms image for prod workload. --- kustomize/overlays/prod/deployment_patch.yaml | 2 +- kustomize/overlays/uat/deployment_patch.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kustomize/overlays/prod/deployment_patch.yaml b/kustomize/overlays/prod/deployment_patch.yaml index 75b7707..fd93854 100644 --- a/kustomize/overlays/prod/deployment_patch.yaml +++ b/kustomize/overlays/prod/deployment_patch.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: ibms - image: dbcawa/ibms:2.8.0 + image: ghcr.io/dbca-wa/ibms:2.8.0 imagePullPolicy: IfNotPresent env: - name: IBMS_URL diff --git a/kustomize/overlays/uat/deployment_patch.yaml b/kustomize/overlays/uat/deployment_patch.yaml index 7994b89..806fb95 100644 --- a/kustomize/overlays/uat/deployment_patch.yaml +++ b/kustomize/overlays/uat/deployment_patch.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: ibms - image: ghcr.io/dbca-wa/ibms:latest + image: ghcr.io/dbca-wa/ibms imagePullPolicy: Always env: - name: IBMS_URL From f601cdc831cee8861de5bef3fb90bd7208b8b5bd Mon Sep 17 00:00:00 2001 
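Review bot: `image: ghcr.io/dbca-wa/ibms` with no tag in `kustomize/overlays/uat/deployment_patch.yaml` is the same as `:latest`, so the change only removes the explicit spelling; with `imagePullPolicy: Always`, every pod restart pulls whatever was pushed most recently, so uat is not reproducible and a bad or compromised push is rolled out on the next restart with no change to the manifests. If uat is meant to track the newest build, say so in a comment, `# tracks the latest published image on purpose`; otherwise pin a tag or, better, a digest (`ghcr.io/dbca-wa/ibms@sha256:<digest>`). The enclosing container spec continues outside the hunk.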
From: Ashley Felton Date: Thu, 24 Aug 2023 12:42:53 +0800 Subject: [PATCH 8/8] Update project minor version. --- ibms_project/settings.py | 2 +- kustomize/overlays/prod/deployment_patch.yaml | 2 +- poetry.lock | 6 +++--- pyproject.toml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ibms_project/settings.py b/ibms_project/settings.py index a626edb..c9b8978 100644 --- a/ibms_project/settings.py +++ b/ibms_project/settings.py @@ -80,7 +80,7 @@ ] SITE_TITLE = 'Integrated Business Management System' SITE_ACRONYM = 'IBMS' -APPLICATION_VERSION_NO = '2.8.0' +APPLICATION_VERSION_NO = '2.8.1' MANAGERS = ( ('Zen Wee', 'zen.wee@dbca.wa.gov.au', '9219 9928'), ('Graham Holmes', 'graham.holmes@dbca.wa.gov.au', '9881 9212'), diff --git a/kustomize/overlays/prod/deployment_patch.yaml b/kustomize/overlays/prod/deployment_patch.yaml index fd93854..c06ae2c 100644 --- a/kustomize/overlays/prod/deployment_patch.yaml +++ b/kustomize/overlays/prod/deployment_patch.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: ibms - image: ghcr.io/dbca-wa/ibms:2.8.0 + image: ghcr.io/dbca-wa/ibms:2.8.1 imagePullPolicy: IfNotPresent env: - name: IBMS_URL diff --git a/poetry.lock b/poetry.lock index 726541d..f187439 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -660,13 +660,13 @@ tests = ["pytest"] [[package]] name = "pygments" -version = "2.15.1" +version = "2.16.1" description = "Pygments is a syntax highlighting package written in Python." optional = false python-versions = ">=3.7" files = [ - {file = "Pygments-2.15.1-py3-none-any.whl", hash = "sha256:db2db3deb4b4179f399a09054b023b6a586b76499d36965813c71aa8ed7b5fd1"}, - {file = "Pygments-2.15.1.tar.gz", hash = "sha256:8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c"}, + {file = "Pygments-2.16.1-py3-none-any.whl", hash = "sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692"}, + {file = "Pygments-2.16.1.tar.gz", hash = "sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29"}, ] [package.extras] diff --git a/pyproject.toml b/pyproject.toml index 90e97a6..cf903f9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "ibms" -version = "2.8.0" +version = "2.8.1" description = "Integrated Business Management System corporate application" authors = ["Ashley Felton "] license = "Apache-2.0"