Merge pull request #107 from ropable/master
Increment Dockerfile base image, update Kustomize resources, bump Django minor version
ropable authored Dec 10, 2024
2 parents 22f44d8 + 681103b commit 06cd79c
Showing 13 changed files with 630 additions and 607 deletions.
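--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,11 @@
+repos:
+- repo: local
+hooks:
+- id: trufflehog
+name: TruffleHog
+description: Detect secrets in your data.
+entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail --no-update'
+# For running trufflehog in docker, use the following entry instead:
+# entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
+language: system
+stages: ["pre-commit", "pre-push"]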
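Review bot: The `entry:` line gates on `--only-verified`, so any candidate secret that trufflehog cannot verify at hook time (no network, rate limiting, or a detector with no verifier) is silently allowed through, which makes the hook fail-open exactly when a developer commits offline. Newer trufflehog releases accept `--results=verified,unknown` in place of `--only-verified`, which still ignores confirmed-false positives but blocks on ones it could not check; whether the pinned developer version supports that flag should be confirmed. Because this is a `language: system` hook it only runs where trufflehog is installed and where the developer has run `pre-commit install`, so it is a convenience check rather than a control and should be mirrored in CI. The commented-out docker alternative references `trufflesecurity/trufflehog:latest`; if it is ever enabled, pin a specific tag or image digest so the scanner itself is not a mutable dependency.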
8 changes: 4 additions & 4 deletions Dockerfile
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1
# Prepare the base environment.
FROM python:3.11.10-slim AS builder_base_csw
FROM python:3.11.11-slim AS builder_base_csw
LABEL [email protected]
LABEL org.opencontainers.image.source=https://github.com/dbca-wa/csw

Expand All @@ -13,8 +13,8 @@ RUN apt-get update -y \
# Install Python libs using Poetry.
FROM builder_base_csw AS python_libs_csw
WORKDIR /app
ARG POETRY_VERSION=1.8.3
RUN pip install --root-user-action=ignore poetry=="${POETRY_VERSION}"
ARG POETRY_VERSION=1.8.5
RUN pip install --root-user-action=ignore poetry==${POETRY_VERSION}
COPY poetry.lock pyproject.toml ./
RUN poetry config virtualenvs.create false \
&& poetry install --no-interaction --no-ansi --only main
Expand All @@ -23,7 +23,7 @@ RUN poetry config virtualenvs.create false \
ARG UID=10001
ARG GID=10001
RUN groupadd -g "${GID}" appuser \
&& useradd --no-create-home --no-log-init --uid "${UID}" --gid "${GID}" appuser
&& useradd --no-create-home --no-log-init --uid ${UID} --gid ${GID} appuser

# Install the project.
FROM python_libs_csw
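Review bot: The new `RUN pip install --root-user-action=ignore poetry==${POETRY_VERSION}` and `useradd ... --uid ${UID} --gid ${GID} appuser` lines drop the double quotes the previous lines had around the build-arg expansions; with the defaults this is harmless, but an overridden `--build-arg` containing whitespace or glob characters would now be word-split by the shell, so the quoted forms `poetry=="${POETRY_VERSION}"` and `--uid "${UID}" --gid "${GID}"` were the safer ones and are what shellcheck expects. Separately, `FROM python:3.11.11-slim` pins a mutable tag and the Poetry install pins only a version with no hash verification; if build reproducibility matters here, a digest pin (`python:3.11.11-slim@sha256:...`) and a hash-checked requirements file for Poetry would close that gap. The `RUN apt-get update` stage and the final project stage extend beyond the visible hunks.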
10 changes: 5 additions & 5 deletions kustomize/README.md
Expand Up @@ -2,7 +2,7 @@

Declarative management of CSW Kubernetes resources using Kustomize.

# How to use
## How to use

Within an overlay directory, create a `.env` file to contain required secret
values in the format KEY=value (i.e. `overlays/uat/.env`). Required values:
Expand All @@ -22,8 +22,8 @@ Run `kubectl` with the `-k` flag to generate resources for a given overlay:
kubectl apply -k kustomize/overlays/uat --namespace sss --dry-run=client
```

# References:
## References

* https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/
* https://github.com/kubernetes-sigs/kustomize
* https://github.com/kubernetes-sigs/kustomize/tree/master/examples
- <https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/>
- <https://github.com/kubernetes-sigs/kustomize>
- <https://github.com/kubernetes-sigs/kustomize/tree/master/examples>
124 changes: 62 additions & 62 deletions kustomize/base/deployment.yaml
Expand Up @@ -16,68 +16,68 @@ spec:
app: csw-deployment
spec:
containers:
- name: csw
image: ghcr.io/dbca-wa/csw
imagePullPolicy: Always
env:
- name: ALLOWED_HOSTS
value: ".dbca.wa.gov.au"
- name: CSRF_TRUSTED_ORIGINS
value: "https://*.dbca.wa.gov.au"
- name: CSRF_COOKIE_SECURE
value: "True"
- name: SESSION_COOKIE_SECURE
value: "True"
- name: TZ
value: "Australia/Perth"
resources:
requests:
memory: "100Mi"
cpu: "5m"
limits:
memory: "2Gi"
cpu: "1000m"
startupProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 15
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
livenessProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /readyz
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /tmp
name: tmpfs-ram
- name: csw
image: ghcr.io/dbca-wa/csw
imagePullPolicy: Always
env:
- name: ALLOWED_HOSTS
value: ".dbca.wa.gov.au"
- name: CSRF_TRUSTED_ORIGINS
value: "https://*.dbca.wa.gov.au"
- name: CSRF_COOKIE_SECURE
value: "True"
- name: SESSION_COOKIE_SECURE
value: "True"
- name: TZ
value: "Australia/Perth"
resources:
requests:
memory: "100Mi"
cpu: "5m"
limits:
memory: "2Gi"
cpu: "1000m"
startupProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 15
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
livenessProbe:
httpGet:
path: /livez
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /readyz
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 10
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /tmp
name: tmpfs-ram
volumes:
- name: tmpfs-ram
emptyDir:
8 changes: 4 additions & 4 deletions kustomize/base/service.yaml
Expand Up @@ -5,7 +5,7 @@ metadata:
spec:
type: ClusterIP
ports:
- name: wsgi
port: 8080
protocol: TCP
targetPort: 8080
- name: wsgi
port: 8080
protocol: TCP
targetPort: 8080
76 changes: 38 additions & 38 deletions kustomize/overlays/prod/deployment_patch.yaml
Expand Up @@ -6,41 +6,41 @@ spec:
template:
spec:
containers:
- name: csw
imagePullPolicy: IfNotPresent
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: csw-env-prod
key: DATABASE_URL
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: csw-env-prod
key: SECRET_KEY
- name: BASE_URL
valueFrom:
secretKeyRef:
name: csw-env-prod
key: BASE_URL
- name: CORS_URL
valueFrom:
secretKeyRef:
name: csw-env-prod
key: CORS_URL
- name: AZURE_ACCOUNT_NAME
valueFrom:
secretKeyRef:
name: csw-env-prod
key: AZURE_ACCOUNT_NAME
- name: AZURE_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: csw-env-prod
key: AZURE_ACCOUNT_KEY
- name: AZURE_CONTAINER
valueFrom:
secretKeyRef:
name: csw-env-prod
key: AZURE_CONTAINER
- name: csw
imagePullPolicy: IfNotPresent
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: csw-env-prod
key: DATABASE_URL
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: csw-env-prod
key: SECRET_KEY
- name: BASE_URL
valueFrom:
secretKeyRef:
name: csw-env-prod
key: BASE_URL
- name: CORS_URL
valueFrom:
secretKeyRef:
name: csw-env-prod
key: CORS_URL
- name: AZURE_ACCOUNT_NAME
valueFrom:
secretKeyRef:
name: csw-env-prod
key: AZURE_ACCOUNT_NAME
- name: AZURE_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: csw-env-prod
key: AZURE_ACCOUNT_KEY
- name: AZURE_CONTAINER
valueFrom:
secretKeyRef:
name: csw-env-prod
key: AZURE_CONTAINER
20 changes: 10 additions & 10 deletions kustomize/overlays/prod/ingress.yaml
Expand Up @@ -5,13 +5,13 @@ metadata:
spec:
ingressClassName: nginx
rules:
- host: csw.dbca.wa.gov.au
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: csw-clusterip-prod
port:
number: 8080
- host: csw.dbca.wa.gov.au
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: csw-clusterip-prod
port:
number: 8080
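--- a/kustomize/overlays/prod/kustomization.yaml
+++ b/kustomize/overlays/prod/kustomization.yaml
@@ -10,6 +10,8 @@ secretGenerator:
 type: Opaque
 envs:
 - .env
+generatorOptions:
+disableNameSuffixHash: true
 labels:
 - includeSelectors: true
 pairs: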
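Review bot: Setting `disableNameSuffixHash: true` on the secret generator means a changed `.env` now rewrites the `csw-env-prod` Secret in place without changing its name, so the Deployment's pod template no longer changes and running pods keep the old `DATABASE_URL`, `SECRET_KEY` and `AZURE_ACCOUNT_KEY` values until they are restarted; with the hash suffix, kustomize rewrote the secretKeyRef names and that forced a rollout. If that is the intended trade-off, it should be recorded next to the option, e.g. `# Fixed Secret name: rotating .env values requires a manual rollout restart of the deployment.`, and the README's rotation steps should mention `kubectl rollout restart`. The presumed `secretGenerator:` header and any other generators sit above the hunk, so whether the option affects more than this one Secret cannot be confirmed from here.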
74 changes: 37 additions & 37 deletions kustomize/overlays/uat/deployment_patch.yaml
Expand Up @@ -6,40 +6,40 @@ spec:
template:
spec:
containers:
- name: csw
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: csw-env-uat
key: DATABASE_URL
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: csw-env-uat
key: SECRET_KEY
- name: BASE_URL
valueFrom:
secretKeyRef:
name: csw-env-uat
key: BASE_URL
- name: CORS_URL
valueFrom:
secretKeyRef:
name: csw-env-uat
key: CORS_URL
- name: AZURE_ACCOUNT_NAME
valueFrom:
secretKeyRef:
name: csw-env-uat
key: AZURE_ACCOUNT_NAME
- name: AZURE_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: csw-env-uat
key: AZURE_ACCOUNT_KEY
- name: AZURE_CONTAINER
valueFrom:
secretKeyRef:
name: csw-env-uat
key: AZURE_CONTAINER
- name: csw
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: csw-env-uat
key: DATABASE_URL
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: csw-env-uat
key: SECRET_KEY
- name: BASE_URL
valueFrom:
secretKeyRef:
name: csw-env-uat
key: BASE_URL
- name: CORS_URL
valueFrom:
secretKeyRef:
name: csw-env-uat
key: CORS_URL
- name: AZURE_ACCOUNT_NAME
valueFrom:
secretKeyRef:
name: csw-env-uat
key: AZURE_ACCOUNT_NAME
- name: AZURE_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: csw-env-uat
key: AZURE_ACCOUNT_KEY
- name: AZURE_CONTAINER
valueFrom:
secretKeyRef:
name: csw-env-uat
key: AZURE_CONTAINER
