Merge pull request #80 from ropable/master

Update Kustomize definitions, update project dependency versions
dbca-wa · Apr 18, 2024 · addf97d · addf97d
2 parents 2f59103 + 6cd8cd1
commit addf97d
Show file tree

Hide file tree

Showing 18 changed files with 587 additions and 541 deletions.
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -22,38 +22,67 @@ jobs:
       packages: write
       security-events: write
     steps:
+      #----------------------------------------------
+      # Checkout repo
+      #----------------------------------------------
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      #----------------------------------------------
+      # Set up Docker BuildX environment
+      #----------------------------------------------
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      #----------------------------------------------
+      # Log Docker into the GitHub Container Repository
+      #----------------------------------------------
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      #----------------------------------------------
+      # Extract Docker image metadata from GitHub events
+      #----------------------------------------------
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             latest=true
+      #----------------------------------------------
+      # Build and push Docker image (not on PR)
+      #----------------------------------------------
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+  scan:
+    name: Image vulnerability scan
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    steps:
+      #----------------------------------------------
+      # Run vulnerability scan on built image
+      #----------------------------------------------
       - name: Run Trivy vuln scanner on Docker image
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}'
-          ignore-unfixed: true
+          scan-type: 'image'
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: 'HIGH,CRITICAL'
           format: 'sarif'
           output: 'trivy-results.sarif'
       - name: Upload Trivy scan results to GitHub Security tab

diff --git a/csw/middleware.py b/csw/middleware.py
@@ -1,4 +1,9 @@
+from django.db import connections
 from django.http import HttpResponse, HttpResponseServerError
+import logging
+
+
+LOGGER = logging.getLogger("django")
 
 
 class HealthCheckMiddleware(object):
@@ -8,9 +13,9 @@ def __init__(self, get_response):
 
     def __call__(self, request):
         if request.method == "GET":
-            if request.path == "/readiness":
+            if request.path == "/readyz":
                 return self.readiness(request)
-            elif request.path == "/liveness":
+            elif request.path == "/livez":
                 return self.liveness(request)
         return self.get_response(request)
 
@@ -25,14 +30,13 @@ def readiness(self, request):
         being present.
         """
         try:
-            from django.db import connections
-            for name in connections:
-                cursor = connections[name].cursor()
-                cursor.execute("SELECT 1;")
-                row = cursor.fetchone()
-                if row is None:
-                    return HttpResponseServerError("db: invalid response")
+            cursor = connections["default"].cursor()
+            cursor.execute("SELECT 1;")
+            row = cursor.fetchone()
+            if row is None:
+                return HttpResponseServerError("Database: invalid response")
         except Exception as e:
-            return HttpResponseServerError("db: cannot connect to database.")
+            LOGGER.exception(e)
+            return HttpResponseServerError("Database: unable to connect")
 
         return HttpResponse("OK")
diff --git a/csw/settings.py b/csw/settings.py
@@ -17,7 +17,7 @@
 CSRF_COOKIE_HTTPONLY = env('CSRF_COOKIE_HTTPONLY', False)
 SESSION_COOKIE_SECURE = env('SESSION_COOKIE_SECURE', False)
 if not DEBUG:
-    ALLOWED_HOSTS = env('ALLOWED_DOMAINS', '').split(',')
+    ALLOWED_HOSTS = env('ALLOWED_HOSTS', 'localhost').split(',')
 else:
     ALLOWED_HOSTS = ['*']
 INTERNAL_IPS = ['127.0.0.1', '::1']

diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml
@@ -2,18 +2,25 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: csw-deployment
+  labels:
+    app: csw-deployment
 spec:
-  replicas: 2
   strategy:
     type: RollingUpdate
+  selector:
+    matchLabels:
+      app: csw-deployment
   template:
+    metadata:
+      labels:
+        app: csw-deployment
     spec:
       containers:
       - name: csw
         image: ghcr.io/dbca-wa/csw
         imagePullPolicy: Always
         env:
-        - name: ALLOWED_DOMAINS
+        - name: ALLOWED_HOSTS
           value: ".dbca.wa.gov.au"
         - name: CSRF_COOKIE_SECURE
           value: "True"
@@ -24,28 +31,40 @@ spec:
         resources:
           requests:
             memory: "128Mi"
-            cpu: "25m"
+            cpu: "10m"
           limits:
-            memory: "4096Mi"
+            memory: "2048Mi"
             cpu: "1000m"
-        livenessProbe:
+        startupProbe:
           httpGet:
-            path: /liveness
+            path: /livez
             port: 8080
             scheme: HTTP
           initialDelaySeconds: 3
-          periodSeconds: 3
+          periodSeconds: 15
+          timeoutSeconds: 10
+          successThreshold: 1
           failureThreshold: 3
-          timeoutSeconds: 2
+        livenessProbe:
+          httpGet:
+            path: /livez
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          failureThreshold: 3
+          timeoutSeconds: 10
         readinessProbe:
           httpGet:
-            path: /readiness
+            path: /readyz
             port: 8080
             scheme: HTTP
-          initialDelaySeconds: 3
-          periodSeconds: 3
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
           failureThreshold: 3
-          timeoutSeconds: 2
+          timeoutSeconds: 10
         securityContext:
           runAsNonRoot: true
           privileged: false

diff --git a/kustomize/base/deployment_hpa.yaml b/kustomize/base/deployment_hpa.yaml
@@ -0,0 +1,17 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: csw-deployment-hpa
+spec:
+  minReplicas: 1
+  maxReplicas: 3
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+  metrics:
+    - resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 250
+      type: Resource
diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml
@@ -1,3 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
   - deployment.yaml
+  - deployment_hpa.yaml
   - service.yaml
diff --git a/kustomize/overlays/prod/deployment_hpa_patch.yaml b/kustomize/overlays/prod/deployment_hpa_patch.yaml
@@ -0,0 +1,7 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: csw-deployment-hpa
+spec:
+  scaleTargetRef:
+    name: csw-deployment-prod
diff --git a/kustomize/overlays/prod/deployment_patch.yaml b/kustomize/overlays/prod/deployment_patch.yaml
@@ -2,16 +2,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: csw-deployment
-  labels:
-    app: csw-prod
 spec:
-  selector:
-    matchLabels:
-      app: csw-prod
   template:
-    metadata:
-      labels:
-        app: csw-prod
     spec:
       containers:
       - name: csw

diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml
@@ -1,22 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 nameSuffix: -prod
+resources:
+  - ../../base
+  - ingress.yaml
+  - pdb.yaml
 secretGenerator:
   - name: csw-env
     type: Opaque
     envs:
       - .env
-resources:
-  - ../../base
-  - ingress.yaml
-  - pdb.yaml
 labels:
   - includeSelectors: true
     pairs:
       variant: prod
-images:
-  - name: ghcr.io/dbca-wa/csw
-    newTag: 1.3.9
 patches:
   - path: deployment_patch.yaml
+  - path: deployment_hpa_patch.yaml
   - path: service_patch.yaml
+images:
+  - name: ghcr.io/dbca-wa/csw
+    newTag: 1.3.10
diff --git a/kustomize/overlays/prod/pdb.yaml b/kustomize/overlays/prod/pdb.yaml
@@ -6,5 +6,5 @@ spec:
   minAvailable: 1
   selector:
     matchLabels:
-      app: csw-prod
+      app: csw-deployment
       variant: prod
diff --git a/kustomize/overlays/prod/service_patch.yaml b/kustomize/overlays/prod/service_patch.yaml
@@ -5,5 +5,5 @@ metadata:
 spec:
   type: ClusterIP
   selector:
-    app: csw-prod
+    app: csw-deployment
     variant: prod
diff --git a/kustomize/overlays/uat/deployment_hpa_patch.yaml b/kustomize/overlays/uat/deployment_hpa_patch.yaml
@@ -0,0 +1,7 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: csw-deployment-hpa
+spec:
+  scaleTargetRef:
+    name: csw-deployment-uat
diff --git a/kustomize/overlays/uat/deployment_patch.yaml b/kustomize/overlays/uat/deployment_patch.yaml
@@ -2,16 +2,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: csw-deployment
-  labels:
-    app: csw-uat
 spec:
-  selector:
-    matchLabels:
-      app: csw-uat
   template:
-    metadata:
-      labels:
-        app: csw-uat
     spec:
       containers:
       - name: csw

diff --git a/kustomize/overlays/uat/kustomization.yaml b/kustomize/overlays/uat/kustomization.yaml
@@ -1,19 +1,20 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 nameSuffix: -uat
+resources:
+  - ../../base
+  - ingress.yaml
+  - pdb.yaml
 secretGenerator:
   - name: csw-env
     type: Opaque
     envs:
       - .env
-resources:
-  - ../../base
-  - ingress.yaml
-  - pdb.yaml
 labels:
   - includeSelectors: true
     pairs:
       variant: uat
 patches:
   - path: deployment_patch.yaml
+  - path: deployment_hpa_patch.yaml
   - path: service_patch.yaml
diff --git a/kustomize/overlays/uat/pdb.yaml b/kustomize/overlays/uat/pdb.yaml
@@ -6,5 +6,5 @@ spec:
   minAvailable: 1
   selector:
     matchLabels:
-      app: csw-uat
+      app: csw-deployment
       variant: uat
diff --git a/kustomize/overlays/uat/service_patch.yaml b/kustomize/overlays/uat/service_patch.yaml
@@ -5,5 +5,5 @@ metadata:
 spec:
   type: ClusterIP
   selector:
-    app: csw-uat
+    app: csw-deployment
     variant: uat