From 5ea0d55704de4ddb0981d557f0c0215c747073dc Mon Sep 17 00:00:00 2001 From: adityababumallisettiHO Date: Mon, 10 Feb 2025 16:36:33 +0000 Subject: [PATCH 1/6] CSL-139: Add kube files for html-pdf-converter and hof-rds-api components * html-pdf microservice is used to convert submitted form data to PDF, which is then sent to the iCasework system and attached to the user's confirmation email. * hof rds api is used to communicate with AWS RDS instances to store and retrieve data. * Any unused Pipeline steps are removed --- .drone.yml | 24 +---- .gitignore | 1 - Dockerfile | 2 +- bin/deploy.sh | 5 +- kube/app/deployment.yml | 106 ++++++++++++++----- kube/file-vault/file-vault-deployment.yml | 36 ++++++- kube/hof-rds-api/deployment.yml | 118 ++++++++++++++++++++++ kube/hof-rds-api/ingress.yml | 49 +++++++++ kube/hof-rds-api/networkpolicy.yml | 28 +++++ kube/hof-rds-api/service.yml | 27 +++++ kube/html-pdf/html-pdf-deployment.yml | 86 ++++++++++++++++ kube/html-pdf/html-pdf-network-policy.yml | 28 +++++ kube/html-pdf/html-pdf-service.yml | 26 +++++ 13 files changed, 481 insertions(+), 55 deletions(-) create mode 100644 kube/hof-rds-api/deployment.yml create mode 100644 kube/hof-rds-api/ingress.yml create mode 100644 kube/hof-rds-api/networkpolicy.yml create mode 100644 kube/hof-rds-api/service.yml create mode 100644 kube/html-pdf/html-pdf-deployment.yml create mode 100644 kube/html-pdf/html-pdf-network-policy.yml create mode 100644 kube/html-pdf/html-pdf-service.yml diff --git a/.drone.yml b/.drone.yml index 0645cb6..fdfedba 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -53,29 +53,6 @@ sonar_scanner: &sonar_scanner commands: - sonar-scanner -Dproject.settings=./sonar-project.properties -ui_integration_tests: &ui_integration_tests - <<: *node_image - environment: - NOTIFY_STUB: true - commands: - - yarn run test:ui-integration - -accessibility_tests: &accessibility_tests - pull: if-not-exists - image: buildkite/puppeteer:8.0.0@sha256:b6cebc17bfa8e7a7abfc3ab14d6f2ddbdf42b9e81b8ad786c6693385665998d5 - environment: - NOTIFY_STUB: true - ENVIRONMENT: DRONE - volumes: - - name: dockersock - path: /root/.dockersock - commands: - - yarn run test:accessibility - -acceptance_tests: &acceptance_tests - pull: if-not-exists - image: mcr.microsoft.com/playwright:v1.12.3-focal - steps: - name: clone_repos pull: if-not-exists @@ -292,6 +269,7 @@ steps: event: push depends_on: - get_pr_branch + - deploy_to_uat # Deploy to Staging environment - name: deploy_to_stg diff --git a/.gitignore b/.gitignore index 60e9c96..84727e0 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,6 @@ coverage .env output/ *.iml -anchore-reports .nyc_output .vscode .vscode-server diff --git a/Dockerfile b/Dockerfile index 38c5f6f..0d0e25d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM node:20.18.0-alpine3.20@sha256:d504f23acdda979406cf3bdbff0dff7933e5c4ec183d USER root # Update the package index and upgrade all installed packages to their latest versions -RUN apk update && apk upgrade +RUN apk update && apk upgrade --no-cache # Setup nodejs group & nodejs user RUN addgroup --system nodejs --gid 998 && \ diff --git a/bin/deploy.sh b/bin/deploy.sh index 2215fef..f2c1c50 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh 
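Review bot: Dropping `anchore-reports` from .gitignore means any scan output the pipeline still writes into that directory can now be committed by an ordinary `git add .`, and the commit message does not say the reports are no longer produced. If the Anchore step has been removed from .drone.yml, a one-line note in the message would make that clear; otherwise keep the `anchore-reports` entry so vulnerability reports stay out of the repository history.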
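Review bot: `RUN apk update && apk upgrade --no-cache` still leaves the package index written by `apk update` in the image layer, because `--no-cache` only applies to the `apk upgrade` invocation that follows it. Use `RUN apk upgrade --no-cache` on its own (it fetches a fresh index without persisting it) or `RUN apk update && apk upgrade && rm -rf /var/cache/apk/*` if the separate update step is wanted. The base image is already pinned by digest, which is the right thing to keep.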
@@ -5,6 +5,7 @@ export INGRESS_INTERNAL_ANNOTATIONS=$HOF_CONFIG/ingress-internal-annotations.yam export INGRESS_EXTERNAL_ANNOTATIONS=$HOF_CONFIG/ingress-external-annotations.yaml export CONFIGMAP_VALUES=$HOF_CONFIG/configmap-values.yaml export NGINX_SETTINGS=$HOF_CONFIG/nginx-settings.yaml +export DATA_SERVICE_INTERNAL_ANNOTATIONS=$HOF_CONFIG/data-service-internal-annotations.yaml export FILEVAULT_NGINX_SETTINGS=$HOF_CONFIG/filevault-nginx-settings.yaml export FILEVAULT_INGRESS_EXTERNAL_ANNOTATIONS=$HOF_CONFIG/filevault-ingress-external-annotations.yaml @@ -14,8 +15,8 @@ if [[ $1 == 'tear_down' ]]; then export KUBE_NAMESPACE=$BRANCH_ENV export DRONE_SOURCE_BRANCH=$(cat /root/.dockersock/branch_name.txt) - $kd --delete -f kube/configmaps/configmap.yml - $kd --delete -f kube/redis -f kube/app -f kube/file-vault + $kd --delete -f kube/configmaps/configmap.yml -f kube/hof-rds-api + $kd --delete -f kube/redis -f kube/html-pdf -f kube/app -f kube/file-vault -f kube/file-vault echo "Torn Down Branch - $APP_NAME-$DRONE_SOURCE_BRANCH.internal.branch.sas-notprod.homeoffice.gov.uk" exit 0 fi diff --git a/kube/app/deployment.yml b/kube/app/deployment.yml index 6f31ddf..0d8660c 100644 --- a/kube/app/deployment.yml +++ b/kube/app/deployment.yml @@ -14,11 +14,6 @@ metadata: name: {{ .APP_NAME }} {{ end }} spec: - {{ if eq .KUBE_NAMESPACE .PROD_ENV }} - replicas: 2 - {{ else }} - replicas: 1 - {{ end }} selector: matchLabels: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} @@ -48,6 +43,7 @@ spec: ports: - containerPort: 8080 envFrom: + - configMapRef: - configMapRef: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} name: {{ .APP_NAME }}-configmap-{{ .DRONE_SOURCE_BRANCH }} @@ -68,6 +64,11 @@ spec: {{ else }} value: redis {{ end }} + - name: SESSION_SECRET + valueFrom: + secretKeyRef: + name: session-secret + key: session-secret # - name: NOTIFY_KEY # valueFrom: # secretKeyRef: 
@@ -75,6 +76,22 @@ spec: # key: notify-key - name: USE_MOCKS value: "false" + - name: PDF_CONVERTER_URL + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + value: https://html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }}:10443/convert + {{ else }} + value: https://html-pdf-converter:10443/convert + {{ end }} + - name: FILE_VAULT_URL + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + value: https://fv-{{ .APP_NAME }}.sas.homeoffice.gov.uk/file + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + value: https://fv-{{ .APP_NAME }}.stg.sas.homeoffice.gov.uk/file + {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} + value: https://fv-{{ .APP_NAME }}.uat.sas-notprod.homeoffice.gov.uk/file + {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} + value: https://fv-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk/file + {{ end }} - name: FILE_VAULT_CLIENT_SECRET valueFrom: secretKeyRef: 
@@ -95,21 +112,62 @@ spec: secretKeyRef: name: file-vault-user key: password - - name: SESSION_SECRET + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) (eq .KUBE_NAMESPACE .STG_ENV)}} + - name: ALLOW_SKIP + value: "true" + - name: SKIP_EMAIL + value: "sas-hof-test@digital.homeoffice.gov.uk" + {{ end }} + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + - name: DATASERVICE_SERVICE_HOST + value: dataservice-{{ .DRONE_SOURCE_BRANCH }} + - name: DATASERVICE_SERVICE_PORT_HTTPS + value: "10443" + {{ end }} + - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: - name: session-secret - key: session-secret - - name: FILE_VAULT_URL - {{ if eq .KUBE_NAMESPACE .PROD_ENV }} - value: https://fv-{{ .APP_NAME }}.sas.homeoffice.gov.uk/file - {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} - value: https://fv-{{ .APP_NAME }}.uat.sas-notprod.homeoffice.gov.uk/file - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - value: https://fv-{{ .APP_NAME }}.stg.sas.homeoffice.gov.uk/file - {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} - value: https://fv-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk/file - {{ end }} + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} + key: access_key_id + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} + key: secret_access_key + - name: AWS_KMS_KEY_ID + valueFrom: + secretKeyRef: + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ 
else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} + key: kms_key_id + - name: AWS_BUCKET + valueFrom: + secretKeyRef: + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} + key: name {{ if not (eq .KUBE_NAMESPACE .BRANCH_ENV) }} livenessProbe: httpGet: @@ -126,11 +184,11 @@ spec: {{ end }} resources: requests: - memory: 30Mi - cpu: 30m + memory: 256Mi + cpu: 100m limits: + cpu: 250m memory: 512Mi - cpu: 600m volumeMounts: - mountPath: /public name: public @@ -140,20 +198,22 @@ spec: image: quay.io/ukhomeofficedigital/nginx-proxy-govuk@sha256:4470064d0b1d20ae08c5fd85551576cb687f342a22d6cb456fda9b2c4ce8c8df resources: requests: - memory: 10Mi - cpu: 10m + memory: 20Mi + cpu: 20m limits: memory: 256Mi cpu: 300m env: {{ file .NGINX_SETTINGS | indent 12 }} ports: + - containerPort: 10080 - containerPort: 10443 volumeMounts: - mountPath: /public name: public securityContext: runAsNonRoot: true + volumes: - name: public emptyDir: {} diff --git a/kube/file-vault/file-vault-deployment.yml b/kube/file-vault/file-vault-deployment.yml index 7734f20..ffb790d 100644 --- a/kube/file-vault/file-vault-deployment.yml +++ b/kube/file-vault/file-vault-deployment.yml @@ -66,7 +66,7 @@ spec: {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} value: https://fv-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk - name: DEBUG - value: "*" + value: "true" {{ end }} - name: PORT value: "3000" 
@@ -75,22 +75,46 @@ spec: - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: - name: s3-bucket + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} key: access_key_id - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: s3-bucket + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} key: secret_access_key - name: AWS_KMS_KEY_ID valueFrom: secretKeyRef: - name: s3-bucket + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} key: kms_key_id - name: AWS_BUCKET valueFrom: secretKeyRef: - name: s3-bucket + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-s3-bucket + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-s3-bucket-stg + {{ else }} + name: {{ .APP_NAME }}-s3-bucket-prod + {{ end }} key: name - name: AWS_PASSWORD valueFrom: @@ -115,6 +139,8 @@ spec: limits: memory: 1024Mi cpu: 200m + requests: + memory: 512Mi envFrom: - configMapRef: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} diff --git a/kube/hof-rds-api/deployment.yml b/kube/hof-rds-api/deployment.yml new file mode 100644 index 0000000..9ed5312 --- /dev/null +++ b/kube/hof-rds-api/deployment.yml 
@@ -0,0 +1,118 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: data-service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: data-service + {{ end }} +spec: + selector: + matchLabels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: data-service-{{ .DRONE_SOURCE_BRANCH }} + service: data-service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: data-service + service: data-service + {{ end }} + template: + metadata: + labels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: data-service-{{ .DRONE_SOURCE_BRANCH }} + service: data-service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: data-service + service: data-service + {{ end }} + build: "{{.DRONE_BUILD_NUMBER}}" + commit: "{{.DRONE_COMMIT_SHA}}" + spec: + containers: + - name: data-service + # release v2.0.1 + image: quay.io/ukhomeofficedigital/hof-rds-api:16bc712744851373e533d94ecf04724836be8247 + imagePullPolicy: Always + envFrom: + - configMapRef: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: {{ .APP_NAME }}-configmap-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: {{ .APP_NAME }}-configmap + {{ end }} + env: + - name: SERVICE_NAME + value: "csl" + - name: MAX_PAYLOAD_SIZE + value: "30mb" + - name: REQUEST_TIMEOUT + value: "10000" + - name: HTTPS_PORT + value: "3443" + - name: DB_HOST + valueFrom: + secretKeyRef: + key: endpoint + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-notprod-rds + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-rds-stg + {{ else }} + name: {{ .APP_NAME }}-rds-prod + {{ end }} + - name: DB_NAME + valueFrom: + secretKeyRef: + key: db_name + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-notprod-rds + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-rds-stg + {{ else }} + name: {{ .APP_NAME }}-rds-prod + {{ end }} + - name: DB_USER + valueFrom: + secretKeyRef: + key: username + {{ if or 
(eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-notprod-rds + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-rds-stg + {{ else }} + name: {{ .APP_NAME }}-rds-prod + {{ end }} + - name: DB_PASS + valueFrom: + secretKeyRef: + key: password + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + name: {{ .APP_NAME }}-notprod-rds + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + name: {{ .APP_NAME }}-rds-stg + {{ else }} + name: {{ .APP_NAME }}-rds-prod + {{ end }} + resources: + requests: + memory: 4Gi + cpu: 200m + limits: + memory: 8Gi + cpu: 400m + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + volumes: + - name: certs + secret: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + secretName: branch-tls-external + {{ else }} + secretName: data-service-cert-cmio + {{ end }} diff --git a/kube/hof-rds-api/ingress.yml b/kube/hof-rds-api/ingress.yml new file mode 100644 index 0000000..44183b1 --- /dev/null +++ b/kube/hof-rds-api/ingress.yml 
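Review bot: The `image:` line pins hof-rds-api by a mutable tag (`hof-rds-api:16bc7127…`) rather than a digest, unlike the nginx-proxy and html-pdf images elsewhere in this patch, and with `imagePullPolicy: Always` the bits that run can change under an unchanged manifest. Pin it as `image: quay.io/ukhomeofficedigital/hof-rds-api@sha256:<digest>` and keep the `# release v2.0.1` comment above it for readability. The container's securityContext sets only `runAsNonRoot: true`; for a service holding RDS credentials, consider also `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` if the image does not need them. The container also declares no liveness or readiness probe, unlike the app Deployment in this patch, so a pod that cannot reach the database still receives traffic from the Service.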
@@ -0,0 +1,49 @@ +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: data-service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: data-service + {{ end }} +{{ file .DATA_SERVICE_INTERNAL_ANNOTATIONS | indent 2 }} +spec: + ingressClassName: nginx-internal + tls: + - hosts: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + - {{ .APP_NAME }}-data-service.internal.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + - {{ .APP_NAME }}-data-service.internal.stg.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} + - {{ .APP_NAME }}-data-service.internal.uat.sas-notprod.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} + - data-service-{{ .DRONE_BUILD_NUMBER }}.branch.sas-notprod.homeoffice.gov.uk + - data-service-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk + {{ end }} + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + secretName: branch-tls-internal + {{ else }} + secretName: data-service-cert-cmio + {{ end }} + rules: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + - host: {{ .APP_NAME }}-data-service.internal.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + - host: {{ .APP_NAME }}-data-service.internal.stg.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} + - host: {{ .APP_NAME }}-data-service.internal.uat.sas-notprod.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} + - host: data-service-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk + {{ end }} + http: + paths: + - path: / + backend: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + serviceName: data-service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + serviceName: data-service + {{ end }} + servicePort: 10443 diff --git a/kube/hof-rds-api/networkpolicy.yml b/kube/hof-rds-api/networkpolicy.yml new file mode 100644 index 0000000..e6509de --- /dev/null +++ b/kube/hof-rds-api/networkpolicy.yml 
@@ -0,0 +1,28 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: data-service-permit-access-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: data-service-permit-access + {{ end }} +spec: + ingress: + - from: + - podSelector: + matchLabels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: {{ .APP_NAME }}-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: {{ .APP_NAME }} + {{ end }} + ports: + - port: 3443 + protocol: TCP + - podSelector: + matchLabels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: data-service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: data-service + {{ end }} diff --git a/kube/hof-rds-api/service.yml b/kube/hof-rds-api/service.yml new file mode 100644 index 0000000..9489278 --- /dev/null +++ b/kube/hof-rds-api/service.yml @@ -0,0 +1,27 @@ +--- +apiVersion: v1 +kind: Service +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: dataservice-{{ .DRONE_SOURCE_BRANCH }} + labels: + name: dataservice-{{ .DRONE_SOURCE_BRANCH }} + role: service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: dataservice + labels: + name: dataservice + role: service + {{ end }} + +spec: + selector: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: data-service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: data-service + {{ end }} + ports: + - name: https + port: 10443 + targetPort: 3443 diff --git a/kube/html-pdf/html-pdf-deployment.yml b/kube/html-pdf/html-pdf-deployment.yml new file mode 100644 index 0000000..024b5e2 --- /dev/null +++ b/kube/html-pdf/html-pdf-deployment.yml 
@@ -0,0 +1,86 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + name: html-pdf-converter + {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} + annotations: + downscaler/uptime: {{ .NON_PROD_AVAILABILITY }} + name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + annotations: + downscaler/uptime: {{ .NON_PROD_AVAILABILITY }} + name: html-pdf-converter + {{ end }} +spec: + selector: + matchLabels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: html-pdf-converter + {{ end }} + template: + metadata: + labels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + service: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: html-pdf-converter + service: html-pdf-converter + {{ end }} + spec: + containers: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + - name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + - name: html-pdf-converter + {{ end }} + # html-pdf-converter:v2.1.0 + image: quay.io/ukhomeofficedigital/html-pdf-converter@sha256:45814848f0c1d56169ab90990891b03d52d59d7558255cfca8ed2ce2a02d034e + imagePullPolicy: Always + resources: + requests: + memory: 10Mi + cpu: 10m + limits: + cpu: 250m + memory: 256Mi + env: + - name: APP_PORT + value: "8001" + securityContext: + runAsNonRoot: true + + - name: nginx-proxy + # nginx-proxy-govuk:v4 + image: quay.io/ukhomeofficedigital/nginx-proxy-govuk@sha256:4470064d0b1d20ae08c5fd85551576cb687f342a22d6cb456fda9b2c4ce8c8df + resources: + requests: + memory: 10Mi + cpu: 10m + limits: + cpu: 250m + memory: 256Mi + env: + - name: PROXY_SERVICE_HOST + value: 127.0.0.1 + - name: PROXY_SERVICE_PORT + value: "8001" + - name: ENABLE_UUID_PARAM + value: "FALSE" + - name: HTTPS_REDIRECT + value: "FALSE" + - name: NAXSI_USE_DEFAULT_RULES + value: "FALSE" + - name: PORT_IN_HOST_HEADER + value: "FALSE" + - name: ERROR_REDIRECT_CODES + value: "599" + 
securityContext: + runAsNonRoot: true + ports: + - containerPort: 10080 + - containerPort: 10443 diff --git a/kube/html-pdf/html-pdf-network-policy.yml b/kube/html-pdf/html-pdf-network-policy.yml new file mode 100644 index 0000000..1743834 --- /dev/null +++ b/kube/html-pdf/html-pdf-network-policy.yml @@ -0,0 +1,28 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: html-pdf-converter-allow-ingress-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: html-pdf-converter-allow-ingress + {{ end }} +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + name: {{ .KUBE_NAMESPACE }} + ports: + - port: 10080 + protocol: TCP + - port: 10443 + protocol: TCP + podSelector: + matchLabels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: html-pdf-converter + {{ end }} + policyTypes: + - Ingress diff --git a/kube/html-pdf/html-pdf-service.yml b/kube/html-pdf/html-pdf-service.yml new file mode 100644 index 0000000..46983a0 --- /dev/null +++ b/kube/html-pdf/html-pdf-service.yml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + labels: + name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + role: service + {{ else }} + name: html-pdf-converter + labels: + name: html-pdf-converter + role: service + {{ end }} +spec: + ports: + - name: http + port: 10080 + - name: https + port: 10443 + selector: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: html-pdf-converter-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: html-pdf-converter + {{ end }} From 7e3593040e4058233587ec666f800592b0795ac7 Mon Sep 17 00:00:00 2001 
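Review bot: `NAXSI_USE_DEFAULT_RULES: "FALSE"` on the nginx-proxy sidecar turns off the WAF rule set in front of a service whose only input is caller-supplied HTML; presumably the default rules would reject HTML request bodies, but the reason is not recorded, so add a comment such as `# NAXSI default rules disabled: <reason>` above that env entry. The converter container's securityContext is limited to `runAsNonRoot: true`; since this component parses untrusted markup, consider adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` unless the image needs them. Neither container declares a readiness or liveness probe, which the app Deployment in this patch does have.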
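Review bot: The `from:` entry admits any pod in the namespace (`namespaceSelector` on `name: {{ .KUBE_NAMESPACE }}`) rather than only the app that calls `/convert`, whereas the data-service policy in the same patch restricts ingress to pods labelled with the app name. Matching that here — `- podSelector:` / `matchLabels:` / `name: {{ .APP_NAME }}` (with the `-{{ .DRONE_SOURCE_BRANCH }}` suffix in the branch env) — keeps the converter reachable only from its one known client. If other namespace-local callers exist, a comment naming them would justify the wider selector.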
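Review bot: The Service publishes an `http` port 10080 alongside `https` 10443, but the only client in this patch is configured with `https://html-pdf-converter…:10443/convert`, so the plaintext port is an unused path into the converter. Unless something else depends on it, drop the `- name: http` / `port: 10080` entry so submitted form data only crosses the network under TLS; the matching `port: 10080` rule in the network policy can go with it.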
From: adityababumallisettiHO Date: Tue, 11 Feb 2025 16:17:20 +0000 Subject: [PATCH 2/6] CSL-139: PR requested Changes * Ingress removed for data-service micorservice which mostly uses Service for communication * SKIP email removed which is not required * Exclude S3 bucket secret ref from app deployment.yaml * S3 bucket secret names updated to use s3-bucket, same for all services --- bin/deploy.sh | 3 +- kube/app/deployment.yml | 56 ++--------------------- kube/file-vault/file-vault-deployment.yml | 34 ++------------ kube/hof-rds-api/ingress.yml | 49 -------------------- 4 files changed, 11 insertions(+), 131 deletions(-) delete mode 100644 kube/hof-rds-api/ingress.yml diff --git a/bin/deploy.sh b/bin/deploy.sh index f2c1c50..59c193d 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh @@ -5,7 +5,6 @@ export INGRESS_INTERNAL_ANNOTATIONS=$HOF_CONFIG/ingress-internal-annotations.yam export INGRESS_EXTERNAL_ANNOTATIONS=$HOF_CONFIG/ingress-external-annotations.yaml export CONFIGMAP_VALUES=$HOF_CONFIG/configmap-values.yaml export NGINX_SETTINGS=$HOF_CONFIG/nginx-settings.yaml -export DATA_SERVICE_INTERNAL_ANNOTATIONS=$HOF_CONFIG/data-service-internal-annotations.yaml export FILEVAULT_NGINX_SETTINGS=$HOF_CONFIG/filevault-nginx-settings.yaml export FILEVAULT_INGRESS_EXTERNAL_ANNOTATIONS=$HOF_CONFIG/filevault-ingress-external-annotations.yaml @@ -16,7 +15,7 @@ if [[ $1 == 'tear_down' ]]; then export DRONE_SOURCE_BRANCH=$(cat /root/.dockersock/branch_name.txt) $kd --delete -f kube/configmaps/configmap.yml -f kube/hof-rds-api - $kd --delete -f kube/redis -f kube/html-pdf -f kube/app -f kube/file-vault -f kube/file-vault + $kd --delete -f kube/redis -f kube/html-pdf -f kube/app -f kube/file-vault echo "Torn Down Branch - $APP_NAME-$DRONE_SOURCE_BRANCH.internal.branch.sas-notprod.homeoffice.gov.uk" exit 0 fi diff --git a/kube/app/deployment.yml b/kube/app/deployment.yml index 0d8660c..1f42b12 100644 --- a/kube/app/deployment.yml +++ b/kube/app/deployment.yml 
@@ -14,6 +14,11 @@ metadata: name: {{ .APP_NAME }} {{ end }} spec: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + replicas: 2 + {{ else }} + replicas: 1 + {{ end }} selector: matchLabels: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} @@ -43,7 +48,6 @@ spec: ports: - containerPort: 8080 envFrom: - - configMapRef: - configMapRef: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} name: {{ .APP_NAME }}-configmap-{{ .DRONE_SOURCE_BRANCH }} 
@@ -112,62 +116,12 @@ spec: secretKeyRef: name: file-vault-user key: password - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) (eq .KUBE_NAMESPACE .STG_ENV)}} - - name: ALLOW_SKIP - value: "true" - - name: SKIP_EMAIL - value: "sas-hof-test@digital.homeoffice.gov.uk" - {{ end }} {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} - name: DATASERVICE_SERVICE_HOST value: dataservice-{{ .DRONE_SOURCE_BRANCH }} - name: DATASERVICE_SERVICE_PORT_HTTPS value: "10443" {{ end }} - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} - key: access_key_id - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} - key: secret_access_key - - name: AWS_KMS_KEY_ID - valueFrom: - secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} - key: kms_key_id - - name: AWS_BUCKET - valueFrom: - secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} - key: name {{ if not (eq .KUBE_NAMESPACE .BRANCH_ENV) }} livenessProbe: httpGet: 
diff --git a/kube/file-vault/file-vault-deployment.yml b/kube/file-vault/file-vault-deployment.yml index ffb790d..e93c63d 100644 --- a/kube/file-vault/file-vault-deployment.yml +++ b/kube/file-vault/file-vault-deployment.yml @@ -66,7 +66,7 @@ spec: {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} value: https://fv-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk - name: DEBUG - value: "true" + value: "*" {{ end }} - name: PORT value: "3000" @@ -75,46 +75,22 @@ spec: - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} + name: s3-bucket key: access_key_id - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} + name: s3-bucket key: secret_access_key - name: AWS_KMS_KEY_ID valueFrom: secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} + name: s3-bucket key: kms_key_id - name: AWS_BUCKET valueFrom: secretKeyRef: - {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} - name: {{ .APP_NAME }}-s3-bucket - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - name: {{ .APP_NAME }}-s3-bucket-stg - {{ else }} - name: {{ .APP_NAME }}-s3-bucket-prod - {{ end }} + name: s3-bucket key: name - name: AWS_PASSWORD valueFrom: 
diff --git a/kube/hof-rds-api/ingress.yml b/kube/hof-rds-api/ingress.yml deleted file mode 100644 index 44183b1..0000000 --- a/kube/hof-rds-api/ingress.yml +++ /dev/null @@ -1,49 +0,0 @@ ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} - name: data-service-{{ .DRONE_SOURCE_BRANCH }} - {{ else }} - name: data-service - {{ end }} -{{ file .DATA_SERVICE_INTERNAL_ANNOTATIONS | indent 2 }} -spec: - ingressClassName: nginx-internal - tls: - - hosts: - {{ if eq .KUBE_NAMESPACE .PROD_ENV }} - - {{ .APP_NAME }}-data-service.internal.sas.homeoffice.gov.uk - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - - {{ .APP_NAME }}-data-service.internal.stg.sas.homeoffice.gov.uk - {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} - - {{ .APP_NAME }}-data-service.internal.uat.sas-notprod.homeoffice.gov.uk - {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} - - data-service-{{ .DRONE_BUILD_NUMBER }}.branch.sas-notprod.homeoffice.gov.uk - - data-service-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk - {{ end }} - {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} - secretName: branch-tls-internal - {{ else }} - secretName: data-service-cert-cmio - {{ end }} - rules: - {{ if eq .KUBE_NAMESPACE .PROD_ENV }} - - host: {{ .APP_NAME }}-data-service.internal.sas.homeoffice.gov.uk - {{ else if eq .KUBE_NAMESPACE .STG_ENV }} - - host: {{ .APP_NAME }}-data-service.internal.stg.sas.homeoffice.gov.uk - {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} - - host: {{ .APP_NAME }}-data-service.internal.uat.sas-notprod.homeoffice.gov.uk - {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} - - host: data-service-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk - {{ end }} - http: - paths: - - path: / - backend: - {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} - serviceName: data-service-{{ .DRONE_SOURCE_BRANCH }} - {{ else }} - serviceName: data-service - {{ end }} - servicePort: 10443 From 6d81c4314281238ba98715e3688cd2ee47cc9909 Mon Sep 17 00:00:00 2001 
From: adityababumallisettiHO Date: Tue, 11 Feb 2025 16:39:39 +0000 Subject: [PATCH 3/6] CSL-139: Add replicas in production for backend microservices * html-pdf-converter, data-service and filevault are now set to 2 replicas in production * We dont have HPA enabled hence team decided to have 2 replicas --- kube/file-vault/file-vault-deployment.yml | 5 +++++ kube/hof-rds-api/deployment.yml | 5 +++++ kube/html-pdf/html-pdf-deployment.yml | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/kube/file-vault/file-vault-deployment.yml b/kube/file-vault/file-vault-deployment.yml index e93c63d..149e5e3 100644 --- a/kube/file-vault/file-vault-deployment.yml +++ b/kube/file-vault/file-vault-deployment.yml @@ -14,6 +14,11 @@ metadata: name: file-vault {{ end }} spec: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + replicas: 2 + {{ else }} + replicas: 1 + {{ end }} selector: matchLabels: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} diff --git a/kube/hof-rds-api/deployment.yml b/kube/hof-rds-api/deployment.yml index 9ed5312..4e26efc 100644 --- a/kube/hof-rds-api/deployment.yml +++ b/kube/hof-rds-api/deployment.yml @@ -8,6 +8,11 @@ metadata: name: data-service {{ end }} spec: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + replicas: 2 + {{ else }} + replicas: 1 + {{ end }} selector: matchLabels: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} diff --git a/kube/html-pdf/html-pdf-deployment.yml b/kube/html-pdf/html-pdf-deployment.yml index 024b5e2..9914bc4 100644 --- a/kube/html-pdf/html-pdf-deployment.yml +++ b/kube/html-pdf/html-pdf-deployment.yml @@ -14,6 +14,11 @@ metadata: name: html-pdf-converter {{ end }} spec: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + replicas: 2 + {{ else }} + replicas: 1 + {{ end }} selector: matchLabels: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} From 2b21c3df9f0c8dca923268eb88ec972e71cee1c1 Mon Sep 17 00:00:00 2001 
From: adityababumallisettiHO Date: Tue, 11 Feb 2025 16:54:38 +0000 Subject: [PATCH 4/6] CSL-139: Add html-pdf-converter, data services to the deploy scripts * We need these to be included in deploy scripts to enable deployment with Drone --- bin/deploy.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/deploy.sh b/bin/deploy.sh index 59c193d..9811930 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh @@ -28,19 +28,19 @@ if [[ ${KUBE_NAMESPACE} == ${BRANCH_ENV} ]]; then $kd -f kube/redis -f kube/file-vault -f kube/app elif [[ ${KUBE_NAMESPACE} == ${UAT_ENV} ]]; then $kd -f kube/configmaps/configmap.yml - $kd -f kube/redis + $kd -f kube/redis -f kube/hof-rds-api -f kube/html-pdf $kd -f kube/file-vault/file-vault-service.yml -f kube/file-vault/file-vault-ingress.yml $kd -f kube/file-vault/file-vault-deployment.yml -f kube/file-vault/file-vault-network-policy.yml $kd -f kube/app elif [[ ${KUBE_NAMESPACE} == ${STG_ENV} ]]; then $kd -f kube/configmaps/configmap.yml - $kd -f kube/redis + $kd -f kube/redis -f kube/hof-rds-api -f kube/html-pdf $kd -f kube/file-vault/file-vault-service.yml -f kube/file-vault/file-vault-ingress.yml $kd -f kube/file-vault/file-vault-deployment.yml -f kube/file-vault/file-vault-network-policy.yml $kd -f kube/app elif [[ ${KUBE_NAMESPACE} == ${PROD_ENV} ]]; then $kd -f kube/configmaps/configmap.yml - $kd -f kube/redis + $kd -f kube/redis -f kube/hof-rds-api -f kube/html-pdf $kd -f kube/file-vault/file-vault-service.yml -f kube/file-vault/file-vault-ingress.yml $kd -f kube/file-vault/file-vault-deployment.yml -f kube/file-vault/file-vault-network-policy.yml $kd -f kube/app/service.yml -f kube/app/ingress-external.yml From 8feb208142debd6314cc844a50974a05f94fd413 Mon Sep 17 00:00:00 2001 
From: adityababumallisettiHO Date: Tue, 11 Feb 2025 17:13:06 +0000 Subject: [PATCH 5/6] CSL-139: Add missing html-pdf and hof-rds-api to Branch Env * Adds html-pdf and hof-rds-api deployments to Branch env * Included in deploy.sh scripts --- bin/deploy.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/deploy.sh b/bin/deploy.sh index 9811930..0cfa932 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh @@ -25,7 +25,8 @@ export DRONE_SOURCE_BRANCH=$(echo $DRONE_SOURCE_BRANCH | tr '[:upper:]' '[:lower if [[ ${KUBE_NAMESPACE} == ${BRANCH_ENV} ]]; then $kd -f kube/configmaps -f kube/certs - $kd -f kube/redis -f kube/file-vault -f kube/app + $kd -f kube/redis -f kube/hof-rds-api -f kube/html-pdf -f kube/file-vault + $kd -f kube/app elif [[ ${KUBE_NAMESPACE} == ${UAT_ENV} ]]; then $kd -f kube/configmaps/configmap.yml $kd -f kube/redis -f kube/hof-rds-api -f kube/html-pdf From b7eb5999ac1b22e718f310e574e65d935ddc5a45 Mon Sep 17 00:00:00 2001 From: adityababumallisettiHO Date: Tue, 11 Feb 2025 17:28:45 +0000 Subject: [PATCH 6/6] CSL-139: Fix Pipeline issue while deploying hof-rds-api --- kube/hof-rds-api/networkpolicy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/hof-rds-api/networkpolicy.yml b/kube/hof-rds-api/networkpolicy.yml index e6509de..c8048a7 100644 --- a/kube/hof-rds-api/networkpolicy.yml +++ b/kube/hof-rds-api/networkpolicy.yml @@ -19,7 +19,7 @@ spec: ports: - port: 3443 protocol: TCP - - podSelector: + podSelector: matchLabels: {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} name: data-service-{{ .DRONE_SOURCE_BRANCH }}
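Review bot: With `podSelector` now at the `spec` level the policy selects the data-service pods as intended, but it still omits `policyTypes`, so it is ingress-only by inference rather than by declaration, while the html-pdf policy in this series spells out `policyTypes:` / `- Ingress`. Adding the same two lines here makes the intent explicit and keeps the two policies consistent. The enclosing `spec:` begins above this hunk.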