Merge pull request dbca-wa#490 from ropable/master

Update Dockerfile base image, Kustomize resources, Django minor version
ropable · Dec 10, 2024 · b696c4f · b696c4f
2 parents a83a093 + fb7cc6d
commit b696c4f
Show file tree

Hide file tree

Showing 32 changed files with 1,309 additions and 1,293 deletions.
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -3,11 +3,11 @@ name: "Build Docker image and run Trivy vulnerability scan"
 on:
   push:
     # Publish `master` as `latest` image.
-    branches: [ master ]
-    # Publish `2.*` tags as releases.
-    tags: [ '2.*' ]
+    branches: [master]
+    # Publish tagged commits as releases.
+    tags: ["*"]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 env:
   REGISTRY: ghcr.io
@@ -77,16 +77,18 @@ jobs:
       # Run vulnerability scan on built image
       #----------------------------------------------
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
-          scan-type: 'image'
-          scanners: 'vuln'
+          scan-type: "image"
+          scanners: "vuln"
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          vuln-type: 'os,library'
-          severity: 'HIGH,CRITICAL'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          vuln-type: "os,library"
+          severity: "HIGH,CRITICAL"
+          format: "sarif"
+          output: "trivy-results.sarif"
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -3,9 +3,9 @@ name: "Run Django unit tests"
 on:
   # Triggers the workflow on push or pull request events but only for the master branch
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
   workflow_dispatch:
 
 jobs:
@@ -36,7 +36,7 @@ jobs:
         uses: actions/setup-python@v5
         id: setup-python
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       #----------------------------------------------
       # Install GDAL into the environment
       #----------------------------------------------

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -13,13 +13,13 @@ jobs:
     name: Scan project for secrets
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - name: Secret scanning
-      uses: trufflesecurity/trufflehog@main
-      with:
-        base: ""
-        head: ${{ github.ref_name }}
-        extra_args: --only-verified
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Secret scanning
+        uses: trufflesecurity/trufflehog@main
+        with:
+          base: ""
+          head: ${{ github.ref_name }}
+          extra_args: --only-verified
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 # Prepare the base environment.
-FROM python:3.12.6-alpine AS builder_base
+FROM python:3.12.8-alpine AS builder_base
 LABEL [email protected]
 LABEL org.opencontainers.image.source=https://github.com/dbca-wa/it-assets
 
@@ -26,11 +26,11 @@ RUN apk add --no-cache \
   proj \
   binutils \
   && ln -s /usr/lib/libproj.so.25 /usr/lib/libproj.so \
-  && ln -s /usr/lib/libgdal.so.35 /usr/lib/libgdal.so \
+  && ln -s /usr/lib/libgdal.so.36 /usr/lib/libgdal.so \
   && ln -s /usr/lib/libgeos_c.so.1 /usr/lib/libgeos_c.so
 WORKDIR /app
 COPY poetry.lock pyproject.toml ./
-ARG POETRY_VERSION=1.8.3
+ARG POETRY_VERSION=1.8.5
 RUN pip install --no-cache-dir --root-user-action=ignore poetry==${POETRY_VERSION} \
   && poetry config virtualenvs.create false \
   && poetry install --no-interaction --no-ansi --only main

diff --git a/kustomize/README.md b/kustomize/README.md
@@ -2,7 +2,7 @@
 
 Declarative management of IT Assets Kubernetes resources using Kustomize.
 
-# How to use
+## How to use
 
 Within an overlay directory, create a `.env` file to contain required secret
 values in the format KEY=value (i.e. `overlays/uat/.env`). Required values:
@@ -22,8 +22,8 @@ Run `kubectl` with the `-k` flag to generate resources for a given overlay:
 kubectl apply -k kustomize/overlays/uat --namespace sss --dry-run=client
 ```
 
-# References:
+## References
 
-* https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/
-* https://github.com/kubernetes-sigs/kustomize
-* https://github.com/kubernetes-sigs/kustomize/tree/master/examples
+- <https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/>
+- <https://github.com/kubernetes-sigs/kustomize>
+- <https://github.com/kubernetes-sigs/kustomize/tree/master/examples>
diff --git a/kustomize/base/clusterip.yaml b/kustomize/base/clusterip.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-  - name: wsgi
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
+    - name: wsgi
+      port: 8080
+      protocol: TCP
+      targetPort: 8080
diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml
@@ -2,73 +2,81 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: itassets-deployment
+  labels:
+    app: itassets-deployment
 spec:
+  selector:
+    matchLabels:
+      app: itassets-deployment
   strategy:
     type: RollingUpdate
   template:
+    metadata:
+      labels:
+        app: itassets-deployment
     spec:
       containers:
-      - name: itassets
-        image: ghcr.io/dbca-wa/it-assets
-        env:
-        - name: ALLOWED_HOSTS
-          value: ".dbca.wa.gov.au"
-        - name: CSRF_TRUSTED_ORIGINS
-          value: "https://*.dbca.wa.gov.au"
-        - name: CSRF_COOKIE_SECURE
-          value: "True"
-        - name: SESSION_COOKIE_SECURE
-          value: "True"
-        - name: TZ
-          value: "Australia/Perth"
-        resources:
-          requests:
-            memory: "100Mi"
-            cpu: "5m"
-          limits:
-            memory: "4096Mi"
-            cpu: "1000m"
-        startupProbe:
-          httpGet:
-            path: /livez
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 3
-          periodSeconds: 15
-          timeoutSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        livenessProbe:
-          httpGet:
-            path: /livez
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 0
-          periodSeconds: 15
-          successThreshold: 1
-          failureThreshold: 3
-          timeoutSeconds: 10
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 0
-          periodSeconds: 15
-          successThreshold: 1
-          failureThreshold: 3
-          timeoutSeconds: 10
-        securityContext:
-          runAsNonRoot: true
-          privileged: false
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
-        volumeMounts:
-          - mountPath: /tmp
-            name: tmpfs-ram
+        - name: itassets
+          image: ghcr.io/dbca-wa/it-assets
+          env:
+            - name: ALLOWED_HOSTS
+              value: ".dbca.wa.gov.au"
+            - name: CSRF_TRUSTED_ORIGINS
+              value: "https://*.dbca.wa.gov.au"
+            - name: CSRF_COOKIE_SECURE
+              value: "True"
+            - name: SESSION_COOKIE_SECURE
+              value: "True"
+            - name: TZ
+              value: "Australia/Perth"
+          resources:
+            requests:
+              memory: "100Mi"
+              cpu: "5m"
+            limits:
+              memory: "4096Mi"
+              cpu: "1000m"
+          startupProbe:
+            httpGet:
+              path: /livez
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 3
+            periodSeconds: 15
+            timeoutSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 15
+            successThreshold: 1
+            failureThreshold: 3
+            timeoutSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 15
+            successThreshold: 1
+            failureThreshold: 3
+            timeoutSeconds: 10
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmpfs-ram
       volumes:
         - name: tmpfs-ram
           emptyDir:

diff --git a/kustomize/base/postgres_fdw.yaml b/kustomize/base/postgres_fdw.yaml
@@ -9,27 +9,27 @@ spec:
   template:
     spec:
       containers:
-      - name: itassets-postgres-fdw
-        image: ghcr.io/dbca-wa/postgres-oracle-fdw:16-3.4
-        imagePullPolicy: IfNotPresent
-        env:
-        - name: TZ
-          value: "Australia/Perth"
-        - name: POSTGRES_DB
-          value: "fdw"
-        resources:
-          requests:
-            memory: "128Mi"
-            cpu: "10m"
-          limits:
-            memory: "1Gi"
-            cpu: "1000m"
-        securityContext:
-          runAsUser: 999
-          privileged: false
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: false
+        - name: itassets-postgres-fdw
+          image: ghcr.io/dbca-wa/postgres-oracle-fdw:16-3.4
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: "Australia/Perth"
+            - name: POSTGRES_DB
+              value: "fdw"
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "10m"
+            limits:
+              memory: "1Gi"
+              cpu: "1000m"
+          securityContext:
+            runAsUser: 999
+            privileged: false
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false
       restartPolicy: Always
diff --git a/kustomize/base/postgres_fdw_service.yaml b/kustomize/base/postgres_fdw_service.yaml
@@ -6,7 +6,7 @@ spec:
   type: ClusterIP
   clusterIP: None
   ports:
-  - name: default
-    port: 42
-    protocol: TCP
-    targetPort: 42
+    - name: default
+      port: 42
+      protocol: TCP
+      targetPort: 42