diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 95415fd..339e3d2 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1,5 @@ /.github/ @ditkrg/devops /kubernetes/ @ditkrg/devops + +/.dockerignore @ditkrg/devops +/Dockerfile @ditkrg/devops diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..fd57540 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +--- +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + target-branch: dev + schedule: + interval: "daily" + reviewers: + - "ditkrg/devops" + + - package-ecosystem: "npm" + directory: "/" + target-branch: dev + schedule: + interval: "daily" diff --git a/.github/workflows/deploy-base.yaml b/.github/workflows/deploy-base.yaml index 1147efd..902813c 100644 --- a/.github/workflows/deploy-base.yaml +++ b/.github/workflows/deploy-base.yaml @@ -14,8 +14,7 @@ on: required: true secrets: - KUBECONFIG: - required: true + KUBECONFIG: { required: true } env: NAMESPACE: dit-docs @@ -30,20 +29,18 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Kubectl tool installer - uses: Azure/setup-kubectl@v1 + uses: Azure/setup-kubectl@v3 - - uses: azure/k8s-set-context@v1 + - uses: azure/k8s-set-context@v3 with: method: kubeconfig kubeconfig: ${{ secrets.KUBECONFIG }} - name: Setup Kustomize uses: imranismail/setup-kustomize@v1 - with: - kustomize-version: "4.4.1" - name: Edit kustomization file working-directory: kubernetes/base diff --git a/.github/workflows/deploy-dev.yaml b/.github/workflows/deploy-dev.yaml index a910982..c689c7a 100644 --- a/.github/workflows/deploy-dev.yaml +++ b/.github/workflows/deploy-dev.yaml 
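Review bot: The `npm` update entry in the new `dependabot.yml` omits the `reviewers:` / `- "ditkrg/devops"` pair that the `github-actions` entry above it sets, so npm bumps opened against `dev` would arrive without the devops reviewer auto-assigned; if that is unintended, adding the same two lines keeps the two stanzas parallel. Because production deploys from `main` (per `deploy-production.yaml`) while both entries use `target-branch: dev`, a one-line comment above `updates:` stating that dependency updates are meant to flow through `dev` first would make the choice self-explanatory.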
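Review bot: The bumped `actions/checkout@v3`, `Azure/setup-kubectl@v3` and `azure/k8s-set-context@v3` references in `deploy-base.yaml` are still mutable major tags, and dropping `kustomize-version: "4.4.1"` leaves the kustomize binary at whatever `imranismail/setup-kustomize@v1` resolves at run time, so the deploy job no longer has a reproducible toolchain. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment (the new `github-actions` Dependabot entry will keep such pins current) and restoring an explicit `kustomize-version` would fix that; the same applies to the matching hunk in `.github/workflows/tests-base.yaml`. The pin matters most for the `k8s-set-context` step, since it is the one that receives the cluster credentials from `secrets.KUBECONFIG`.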
@@ -1,64 +1,43 @@ +--- name: Deploy To Development on: push: branches: - dev + paths-ignore: - "README.md" - ".vscode/**" + - ".github/**" + - "!.github/workflows/tests-base.yaml" + - "!.github/workflows/deploy-base.yaml" + - "!.github/workflows/deploy-dev.yaml" + concurrency: group: deploy-dev cancel-in-progress: true jobs: - setup: - name: Setup - runs-on: ubuntu-20.04 - env: - IMAGE: "reg.dev.krd/dit-docs/dsm-client:${{ github.ref_name }}" - steps: - - name: Extract image name - run: echo "Using image name $IMAGE" - outputs: - image: ${{ env.IMAGE }} - image-sha: ${{ env.IMAGE }}-${{ github.sha }} - test: - uses: ditkrg/dit-digital-service-manual/.github/workflows/tests-base.yaml@dev + uses: ./.github/workflows/tests-base.yaml - build-push: - name: Build and Push - needs: [setup, test] - runs-on: ubuntu-20.04 - timeout-minutes: 10 - steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to Registry - uses: docker/login-action@v1 - with: - registry: reg.dev.krd - username: ${{ secrets.HARBOR_PUBLIC_USER }} - password: ${{ secrets.HARBOR_PUBLIC_TOKEN }} - - - name: Build and push Docker images - uses: docker/build-push-action@v2 - with: - push: true - tags: |- - ${{ needs.setup.outputs.image }} - ${{ needs.setup.outputs.image-sha }} - cache-from: type=registry,ref=${{ needs.setup.outputs.image }} - cache-to: type=inline + build: + uses: ditkrg/build-image-workflow/.github/workflows/workflow.yaml@v1 + needs: test + with: + image: dit-docs/dsm-client + runs-on: "['ubuntu-latest']" + secrets: + username: ${{ secrets.HARBOR_PUBLIC_USER }} + password: ${{ secrets.HARBOR_PUBLIC_TOKEN }} deploy: - uses: ditkrg/dit-digital-service-manual/.github/workflows/deploy-base.yaml@dev - needs: [setup, build-push] + uses: ./.github/workflows/deploy-base.yaml + needs: build with: - image: ${{ needs.setup.outputs.image-sha }} + image: ${{ needs.build.outputs.tag }} env_url: https://service-manual.docs.dev.krd env_name: development 
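Review bot: The new `build` job hands the registry credentials (`secrets.HARBOR_PUBLIC_USER` / `HARBOR_PUBLIC_TOKEN`) to `ditkrg/build-image-workflow/.github/workflows/workflow.yaml@v1`, a reusable workflow referenced by a mutable tag, so anyone who can move `v1` in that repository decides what runs with the registry token; pin it to a commit, e.g. `uses: ditkrg/build-image-workflow/.github/workflows/workflow.yaml@<commit-sha>  # v1`. The same reference appears in the `deploy-production.yaml` hunk. Separately, I am not certain GitHub honours the `!.github/workflows/...` negations under `paths-ignore` (also used in `deploy-production.yaml`); its documentation describes include-plus-negate filtering under `paths`, so this is worth confirming with a test push, otherwise edits to these workflow files may never trigger a deploy. `runs-on: "['ubuntu-latest']"` passes a JSON list as a string, presumably for a `fromJSON` in the called workflow; a short inline comment saying so would spare the next reader the guess.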
diff --git a/.github/workflows/deploy-production.yaml b/.github/workflows/deploy-production.yaml
index 9b3b294..8a6924e 100644
--- a/.github/workflows/deploy-production.yaml
+++ b/.github/workflows/deploy-production.yaml
@@ -1,64 +1,43 @@ +--- name: Deploy To Production on: push: branches: - main + paths-ignore: - "README.md" - ".vscode/**" + - ".github/**" + - "!.github/workflows/tests-base.yaml" + - "!.github/workflows/deploy-base.yaml" + - "!.github/workflows/deploy-production.yaml" + concurrency: group: deploy-production - cancel-in-progress: true + cancel-in-progress: false jobs: - setup: - name: Setup - runs-on: ubuntu-20.04 - env: - IMAGE: "reg.dev.krd/dit-docs/dsm-client:${{ github.ref_name }}" - steps: - - name: Extract image name - run: echo "Using image name $IMAGE" - outputs: - image: ${{ env.IMAGE }} - image-sha: ${{ env.IMAGE }}-${{ github.sha }} - test: uses: ditkrg/dit-digital-service-manual/.github/workflows/tests-base.yaml@main - build-push: - name: Build and Push - needs: [setup, test] - runs-on: ubuntu-20.04 - timeout-minutes: 10 - steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to Registry - uses: docker/login-action@v1 - with: - registry: reg.dev.krd - username: ${{ secrets.HARBOR_PUBLIC_USER }} - password: ${{ secrets.HARBOR_PUBLIC_TOKEN }} - - - name: Build and push Docker images - uses: docker/build-push-action@v2 - with: - push: true - tags: |- - ${{ needs.setup.outputs.image }} - ${{ needs.setup.outputs.image-sha }} - cache-from: type=registry,ref=${{ needs.setup.outputs.image }} - cache-to: type=inline + build: + uses: ditkrg/build-image-workflow/.github/workflows/workflow.yaml@v1 + needs: test + with: + image: dit-docs/dsm-client + runs-on: "['ubuntu-latest']" + secrets: + username: ${{ secrets.HARBOR_PUBLIC_USER }} + password: ${{ secrets.HARBOR_PUBLIC_TOKEN }} deploy: - uses: ditkrg/dit-digital-service-manual/.github/workflows/deploy-base.yaml@main - needs: [setup, build-push] + uses: ./.github/workflows/deploy-base.yaml + needs: build with: - image: ${{ needs.setup.outputs.image-sha }} + image: ${{ needs.build.outputs.tag }} env_url: https://docs.digital.gov.krd env_name: production 
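Review bot: `test` still calls `ditkrg/dit-digital-service-manual/.github/workflows/tests-base.yaml@main` while `deploy` in the same hunk was switched to the local `./.github/workflows/deploy-base.yaml`; the local form runs the file from the commit being deployed, whereas `@main` resolves the branch at run time, so the `tests-base.yaml` that actually runs is not guaranteed to be the one in the pushed commit. Changing it to `uses: ./.github/workflows/tests-base.yaml` matches `deploy-dev.yaml` and this file's own ignore list, which already treats `tests-base.yaml` as part of this workflow. Flipping `cancel-in-progress` to `false` for production looks deliberate and deserves a comment such as `# never abort a production rollout mid-way`.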
diff --git a/.github/workflows/tests-base.yaml b/.github/workflows/tests-base.yaml index 2388bd3..5ea6033 100644 --- a/.github/workflows/tests-base.yaml +++ b/.github/workflows/tests-base.yaml @@ -1,6 +1,16 @@ +--- name: Run Tests on: + push: + branches-ignore: + - dev + - main + + paths-ignore: + - "README.md" + - ".vscode/**" + workflow_call: jobs: @@ -11,15 +21,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Kubectl tool installer - uses: Azure/setup-kubectl@v1 + uses: Azure/setup-kubectl@v3 - name: Setup Kustomize uses: imranismail/setup-kustomize@v1 - with: - kustomize-version: "4.4.1" - name: Build k8s manifests working-directory: kubernetes @@ -27,6 +35,6 @@ jobs: envs=( "development" "production" ) for i in "${envs[@]}" - do + do kustomize build "$i" done diff --git a/.github/workflows/tests-run.yaml b/.github/workflows/tests-run.yaml deleted file mode 100644 index 3283f54..0000000 --- a/.github/workflows/tests-run.yaml +++ /dev/null @@ -1,39 +0,0 @@ -name: Run Tests - -on: - push: - branches-ignore: - - dev - - staging - - main - paths-ignore: - - "README.md" - - ".vscode/**" - -jobs: - run-tests: - name: Run Tests - timeout-minutes: 10 - runs-on: ubuntu-20.04 - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Kubectl tool installer - uses: Azure/setup-kubectl@v1 - - - name: Setup Kustomize - uses: imranismail/setup-kustomize@v1 - with: - kustomize-version: "4.4.1" - - - name: Build k8s manifests - working-directory: kubernetes - run: | - envs=( "development" "production" ) - - for i in "${envs[@]}" - do - kustomize build "$i" - done diff --git a/Dockerfile b/Dockerfile index 71a9664..25c53a5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:16 as build-stage +FROM node:16 as build WORKDIR /app 
@@ -13,7 +13,18 @@ COPY *.js ./ RUN npm run build -FROM nginx:stable-alpine AS production +RUN echo "nobody:x:1001:1001:nobody:/:" > /etc_passwd +RUN chown -R 1001:1001 /app/build -COPY --from=build-stage /app/build /usr/share/nginx/html -EXPOSE 80 +FROM reg.dev.krd/hub.docker/joseluisq/static-web-server:2 AS production + +COPY --from=build /app/build /public +COPY --from=build /etc_passwd /etc/passwd + +ENV SERVER_PORT=8080 +ENV SERVER_LOG_LEVEL=info +ENV SERVER_FALLBACK_PAGE=/public/404.html + +USER nobody + +EXPOSE 8080 diff --git a/kubernetes/base/deployment.yaml b/kubernetes/base/deployment.yaml index 4f643af..ed0f39e 100644 --- a/kubernetes/base/deployment.yaml +++ b/kubernetes/base/deployment.yaml @@ -7,6 +7,7 @@ metadata: app: dsm-client spec: + replicas: 2 selector: matchLabels: app: dsm-client @@ -17,33 +18,32 @@ spec: app: dsm-client spec: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + containers: - name: dsm-client image: IMAGE - resources: - limits: - memory: 32Mi - cpu: 500m - requests: - memory: 32Mi - cpu: 5m + ports: - name: http - containerPort: 80 + containerPort: 8080 + + resources: + limits: + cpu: 100m + memory: 32Mi + requests: + cpu: 5m + memory: 32Mi livenessProbe: tcpSocket: port: http - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 readinessProbe: tcpSocket: port: http periodSeconds: 5 - timeoutSeconds: 3 - failureThreshold: 3 - successThreshold: 1 - initialDelaySeconds: 5 diff --git a/kubernetes/base/ingress.yaml b/kubernetes/base/ingress.yaml index 8152274..13b996e 100644 --- a/kubernetes/base/ingress.yaml +++ b/kubernetes/base/ingress.yaml @@ -6,6 +6,8 @@ metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer spec: + tls: + - secretName: ingress-cert-dit-docs-dsm-client rules: - http: paths: @@ -14,5 +16,4 @@ spec: backend: service: name: service - port: - number: 80 + port: { name: http } 
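Review bot: `RUN chown -R 1001:1001 /app/build` in the build stage only has an effect if `COPY --from=build /app/build /public` carries ownership across stages, which varies between the legacy builder and BuildKit; the static server only reads `/public`, so root-owned, world-readable files are the safer default, and if the runtime user really must own them `COPY --from=build --chown=1001:1001 /app/build /public` states that explicitly and drops a layer. The runtime base `reg.dev.krd/hub.docker/joseluisq/static-web-server:2` is a mutable major tag; pinning it as `:2@sha256:<digest>` (a `docker` entry in the new `dependabot.yml` could keep the digest current) would make the production image reproducible. `SERVER_FALLBACK_PAGE=/public/404.html` assumes the npm build emits `404.html`; a comment naming where that file comes from would help.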
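Review bot: The new pod-level `securityContext` in `deployment.yaml` sets the non-root identity, but the `dsm-client` container has no container-level `securityContext`, so privilege escalation, the default capability set and the default seccomp profile are still permitted for a process that only needs to listen on 8080 (a non-privileged port, so `NET_BIND_SERVICE` is not required). Adding `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault` closes that gap; `readOnlyRootFilesystem: true` is probably fine for a static server too, but I cannot confirm from here that it writes nothing at runtime. The probes were trimmed to bare `tcpSocket` checks, which pass as soon as the port accepts connections; an `httpGet` on `/` against port `http` would also verify that the server answers. The enclosing `template.spec` continues outside the hunk.
```yaml
      containers:
        - name: dsm-client
          image: IMAGE
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, resources, livenessProbe, readinessProbe …
```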
diff --git a/kubernetes/base/service.yaml b/kubernetes/base/service.yaml index 54983f3..e643219 100644 --- a/kubernetes/base/service.yaml +++ b/kubernetes/base/service.yaml @@ -10,4 +10,6 @@ spec: app: dsm-client ports: - port: 80 + name: http + targetPort: http type: ClusterIP diff --git a/kubernetes/development/patches/ingress-host.yaml b/kubernetes/development/patches/ingress-host.yaml index 3f572b8..d96f46a 100644 --- a/kubernetes/development/patches/ingress-host.yaml +++ b/kubernetes/development/patches/ingress-host.yaml @@ -1,9 +1,8 @@ +--- - op: add path: /spec/rules/0/host value: service-manual.docs.dev.krd - op: add - path: /spec/tls + path: /spec/tls/0/hosts value: - - hosts: - - service-manual.docs.dev.krd - secretName: ingress-cert-dit-docs-dsm-client + - service-manual.docs.dev.krd diff --git a/kubernetes/production/patches/ingress-host.yaml b/kubernetes/production/patches/ingress-host.yaml index 3837674..ce6a775 100644 --- a/kubernetes/production/patches/ingress-host.yaml +++ b/kubernetes/production/patches/ingress-host.yaml @@ -1,9 +1,8 @@ +--- - op: add path: /spec/rules/0/host value: docs.digital.gov.krd - op: add - path: /spec/tls + path: /spec/tls/0/hosts value: - - hosts: - - docs.digital.gov.krd - secretName: ingress-cert-dit-docs-dsm-client + - docs.digital.gov.krd