From 6b86aba7239e698b1b8452b42f164a6e02409f73 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Wed, 20 Mar 2024 08:13:30 +0100 Subject: [PATCH 1/7] Rename cost allocation DBs (#119) * Rename C2 * Rename Prod to Platform --- .github/workflows/deploy-database.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-database.yml b/.github/workflows/deploy-database.yml index 3ea67fc..bc29298 100644 --- a/.github/workflows/deploy-database.yml +++ b/.github/workflows/deploy-database.yml @@ -27,12 +27,12 @@ jobs: - name: "platform" ref: "refs/heads/release" client-id: "5dd06410-a4dd-4616-8fda-090d23b1528c" - server: "sql-radix-cost-allocation-prod.database.windows.net" + server: "sql-radix-cost-allocation-platform.database.windows.net" - name: "c2" ref: "refs/heads/release" client-id: "820a9ea1-9d2f-4056-9271-d2865cc70fb6" - server: "sql-radix-cost-allocation-c2-prod.database.windows.net" + server: "sql-radix-cost-allocation-c2.database.windows.net" env: connection: >- From 179f887f4cb3e00622b30249c3c75754e1723893 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Thu, 21 Mar 2024 08:50:56 +0100 Subject: [PATCH 2/7] Update Client IDs for new managed identities (#120) --- .github/workflows/build-push.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index a41235e..b67bdcd 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml 
@@ -18,25 +18,25 @@ jobs: - name: "dev" ref: "refs/heads/master" acr-name: "radixdev" - client-id: "6e96429a-3ad5-40ee-b961-6de864d878fc" + client-id: "64b117a6-dc1c-4697-a000-ef251333bdc4" subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b" - name: "playground" ref: "refs/heads/release" acr-name: "radixdev" - client-id: "6e96429a-3ad5-40ee-b961-6de864d878fc" + client-id: "4b607a0a-b4f7-4918-8586-0f1ee8a69d5b" subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b" - name: "platform" ref: "refs/heads/release" acr-name: "radixprod" - client-id: "9304412c-98e6-414c-bde4-c5d5047add70" + client-id: "e7b711a6-8b96-4d19-b9d4-35e260af7e65" subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a" - name: "c2" ref: "refs/heads/release" acr-name: "radixc2prod" - client-id: "9304412c-98e6-414c-bde4-c5d5047add70" + client-id: "03efd84e-6142-48e3-97cd-6d49e6aa3f93" subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a" steps: From 99098c0f8e172bcf2d88b2c7f9237c0cc0d67f8d Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Fri, 12 Apr 2024 15:53:28 +0200 Subject: [PATCH 3/7] Update readme (#122) --- Makefile | 16 ++++++++++++++++ README.md | 20 ++++---------------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/Makefile b/Makefile index bb780f0..73928df 100644 --- a/Makefile +++ b/Makefile 
@@ -18,9 +18,25 @@ test: lint: bootstrap golangci-lint run --max-same-issues 0 +.PHONY: mocks +mocks: bootstrap + mockgen -source ./pkg/repository/repository.go -destination ./pkg/repository/mock/repository.go -package mock + mockgen -source ./pkg/listers/limitrange.go -destination ./pkg/listers/mock/limitrange.go -package mock + mockgen -source ./pkg/listers/node.go -destination ./pkg/listers/mock/node.go -package mock + mockgen -source ./pkg/listers/pod.go -destination ./pkg/listers/mock/pod.go -package mock + mockgen -source ./pkg/listers/radixregistration.go -destination ./pkg/listers/mock/radixregistration.go -package mock + mockgen -source ./pkg/listers/containerbulkdto.go -destination ./pkg/listers/mock/containerbulkdto.go -package mock + mockgen -source ./pkg/listers/nodebulkdto.go -destination ./pkg/listers/mock/nodebulkdto.go -package mock + + + HAS_GOLANGCI_LINT := $(shell command -v golangci-lint;) +HAS_MOCKGEN := $(shell command -v mockgen;) bootstrap: ifndef HAS_GOLANGCI_LINT curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.55.2 endif +ifndef HAS_MOCKGEN + go install github.com/golang/mock/mockgen@v1.6.0 +endif diff --git a/README.md b/README.md index a5f7958..1be3286 100644 --- a/README.md +++ b/README.md 
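Review bot: The new `bootstrap` branch installs `mockgen@v1.6.0`, but the README hunk in this same patch keeps the line telling developers to run `go get github.com/golang/mock/mockgen@v1.5.0`; the two should name one version, ideally by pointing the README at `make bootstrap` instead of a hand-typed command. The `mocks` recipe hard-codes the same seven source/destination pairs the README just dropped, so a new lister interface now needs both the file and this list touched — a comment above the target such as `# keep in sync with the interfaces under ./pkg/repository and ./pkg/listers` would make that visible. As far as I know `github.com/golang/mock` is archived and continued as `go.uber.org/mock`; worth confirming before pinning a fresh version of the old module path. The two blank `+` lines before `HAS_GOLANGCI_LINT` look unintended.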
@@ -20,15 +20,13 @@ sqlcmd -S ${SERVER_NAME}.database.windows.net -d ${DATABASE_NAME} -G --variables ## Deploy to cluster -Installation on cluster is handled by flux through [flux repo](https://github.com/equinor/radix-flux). Before being installed, it requires that there exist a namespace called `radix-cost-allocation`. In that namespace there must be a secret called `cost-db-secret` that contains the database password. This is handled through the setup script in [radix-platform](https://github.com/equinor/radix-platform) +Installation on cluster is handled by flux through [flux repo](https://github.com/equinor/radix-flux). -tag in git repository (in master branch) - matching to the version of Version in docs/docs.go +tag in git repository (in master branch) - matching to the version of Version in charts/Chart.yaml ## Developing -You need Go installed. Make sure `GOPATH` and `GOROOT` are properly set up. - -Also needed: +You need: - [`gomock`](https://github.com/golang/mock) (GO111MODULE=on go get github.com/golang/mock/mockgen@v1.5.0) 
@@ -42,18 +40,8 @@ Want to contribute? Read our [contributing guidelines](./CONTRIBUTING.md) We use gomock to generate mocks used in unit test. You need to regenerate mocks if you make changes to any of the interface types used by the application; **Repository** -Repository: -``` -$ mockgen -source ./pkg/repository/repository.go -destination ./pkg/repository/mock/repository.go -package mock -``` -listers: ``` -$ mockgen -source ./pkg/listers/limitrange.go -destination ./pkg/listers/mock/limitrange.go -package mock -$ mockgen -source ./pkg/listers/node.go -destination ./pkg/listers/mock/node.go -package mock -$ mockgen -source ./pkg/listers/pod.go -destination ./pkg/listers/mock/pod.go -package mock -$ mockgen -source ./pkg/listers/radixregistration.go -destination ./pkg/listers/mock/radixregistration.go -package mock -$ mockgen -source ./pkg/listers/containerbulkdto.go -destination ./pkg/listers/mock/containerbulkdto.go -package mock -$ mockgen -source ./pkg/listers/nodebulkdto.go -destination ./pkg/listers/mock/nodebulkdto.go -package mock +make mocks ``` ## Update version From 8cd842464c317856a22c1e512c7de4bf82cae81f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= Date: Mon, 15 Apr 2024 12:44:57 +0200 Subject: [PATCH 4/7] allow configurable volumes and security context in helm values --- charts/Chart.yaml | 2 +- charts/templates/deployment.yaml | 26 ++++++++++++++++---------- charts/values.yaml | 19 +++++++++++++++++++ 3 files changed, 36 insertions(+), 11 deletions(-) diff --git a/charts/Chart.yaml b/charts/Chart.yaml index a47d461..5390693 100644 --- a/charts/Chart.yaml +++ b/charts/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 appVersion: 1.0.0 -version: 1.0.0 +version: 1.1.0 description: Pull cost data from containers and push to sql server name: radix-cost-allocation diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml index 158fb60..d4d4a90 100644 --- a/charts/templates/deployment.yaml 
+++ b/charts/templates/deployment.yaml @@ -23,17 +23,18 @@ spec: {{- end }} spec: serviceAccount: {{ include "cost-allocation.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - supplementalGroups: - - 1000 + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} env: - name: CRON_SCHEDULE value: {{ .Values.cronSchedule | quote }} @@ -53,7 +54,12 @@ spec: value: {{ .Values.appNameExcludeList }} resources: {{- toYaml .Values.resources | nindent 12 }} - securityContext: - privileged: false - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + diff --git a/charts/values.yaml b/charts/values.yaml index 1a439f2..c80cc39 100644 --- a/charts/values.yaml +++ b/charts/values.yaml @@ -49,3 +49,22 @@ resources: requests: cpu: 50m memory: 100Mi + +podSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + supplementalGroups: + - 1000 + +securityContext: + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + +# Additional volumes to add to the radix-cost-allocation pod. +volumes: [] + +# Additional volume mounts to add to the radix-cost-allocation container. +volumeMounts: [] From 9c1c1f9bb67bb6990436aa71dc5696b6ebbd38e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= Date: Mon, 15 Apr 2024 12:51:56 +0200 Subject: [PATCH 5/7] update app version --- charts/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
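Review bot: Wrapping the pod securityContext in `{{- with .Values.podSecurityContext }}` turns the former fixed hardening into an opt-out: an override that sets `podSecurityContext: {}` or `null` removes `runAsNonRoot`, `runAsUser` and `fsGroup` from the manifest entirely, where before this hunk they were constants in the template; the container-level `{{- with .Values.securityContext }}` block a few lines further down has the same property. If the intent is only to let users extend the defaults, keep a minimal baseline outside the `with` block (for example a fixed `runAsNonRoot: true`), or at least put `# an empty value removes the securityContext block from the rendered manifest` above each `with` so operators do not assume the chart still enforces it. The matching defaults land in values.yaml in this patch, so users who override nothing are unaffected.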
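Review bot: The new `podSecurityContext` and `securityContext` keys in values.yaml carry no explanatory comment, while `volumes` and `volumeMounts` right below them do; since the template omits the whole block when the value is empty, a line such as `# Pod-level security context. An empty value removes the block from the manifest.` above each would document the contract. Now that the container context is configurable, its defaults are also the natural place for `seccompProfile: {type: RuntimeDefault}` and `capabilities: {drop: [ALL]}` next to `allowPrivilegeEscalation: false`. `readOnlyRootFilesystem: false` presumably stays because the process writes to disk — a one-line comment stating why would stop a later reviewer from flipping it blindly.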
diff --git a/charts/Chart.yaml b/charts/Chart.yaml index 5390693..5d93508 100644 --- a/charts/Chart.yaml +++ b/charts/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 1.0.0 +appVersion: 1.1.0 version: 1.1.0 description: Pull cost data from containers and push to sql server name: radix-cost-allocation From b06228cde283d7523fae2321ce1b3dcdd8d7078a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= Date: Mon, 15 Apr 2024 13:18:12 +0200 Subject: [PATCH 6/7] add workflow_dispatch to deploy database action --- .github/workflows/deploy-database.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy-database.yml b/.github/workflows/deploy-database.yml index bc29298..87f5aec 100644 --- a/.github/workflows/deploy-database.yml +++ b/.github/workflows/deploy-database.yml @@ -3,6 +3,8 @@ name: Deploy Database on: push: branches: [master, release] + workflow_dispatch: + permissions: id-token: write From 54a39a6cfcbe1210d15845a5c8d340a25a25c32a Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Mon, 15 Apr 2024 14:44:29 +0200 Subject: [PATCH 7/7] Open ACR firewall before running ACR task (#125) * Open ACR firewall before running ACR task * TEST * Revert TEST --- .github/workflows/build-push.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index b67bdcd..ccde902 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -4,6 +4,7 @@ on: branches: - master - release + workflow_dispatch: permissions: id-token: write contents: read 
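Review bot: `workflow_dispatch:` in deploy-database.yml (and the identical addition to build-push.yml in the following patch) lets anyone with write access start a run from any branch, whereas the `push` trigger is limited to `master` and `release`. In build-push.yml the steps are gated with `if: matrix.target.ref == github.ref`, so a dispatch from another branch runs nothing; the deploy-database hunk shows only the `on:` block, so confirm its jobs carry an equivalent guard, otherwise a manual run from an arbitrary ref could deploy to the release targets. If manual runs are meant only for re-running the tip of `master`/`release`, a comment beside the trigger, e.g. `# manual runs only act on targets whose ref matches the selected branch`, would make that intent visible. The extra blank `+` line after `workflow_dispatch:` in deploy-database.yml looks unintended.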
@@ -50,6 +51,19 @@ jobs: tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" subscription-id: ${{matrix.target.subscription-id}} + - name: Get GitHub Public IP + if: matrix.target.ref == github.ref + id: github_public_ip + run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT + + - name: Add GitHub IP to ACR + if: matrix.target.ref == github.ref + id: update_firewall + run: az acr network-rule add + --name ${{matrix.target.acr-name}} + --subscription ${{matrix.target.subscription-id}} + --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} + - name: Generate image tag if: matrix.target.ref == github.ref id: tag @@ -80,4 +94,10 @@ jobs: --set REPOSITORY_NAME=${IMAGE_NAME} \ --set CACHE="" \ --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max" - + + - name: Revoke GitHub IP on ACR + if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed + run: az acr network-rule remove + --name ${{matrix.target.acr-name}} + --subscription ${{matrix.target.subscription-id}} + --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}