Increment Dockerfile base image, update Kustomize resources, bump Django minor version

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+- repo: local
+  hooks:
+    - id: trufflehog
+      name: TruffleHog
+      description: Detect secrets in your data.
+      entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail --no-update'
+      # For running trufflehog in docker, use the following entry instead:
+      # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
+      language: system
+      stages: ["pre-commit", "pre-push"]

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 # Prepare the base environment.
-FROM python:3.11.10-slim AS builder_base_csw
+FROM python:3.11.11-slim AS builder_base_csw
 LABEL [email protected]
 LABEL org.opencontainers.image.source=https://github.com/dbca-wa/csw
 
@@ -13,8 +13,8 @@ RUN apt-get update -y \
 # Install Python libs using Poetry.
 FROM builder_base_csw AS python_libs_csw
 WORKDIR /app
-ARG POETRY_VERSION=1.8.3
-RUN pip install --root-user-action=ignore poetry=="${POETRY_VERSION}"
+ARG POETRY_VERSION=1.8.5
+RUN pip install --root-user-action=ignore poetry==${POETRY_VERSION}
 COPY poetry.lock pyproject.toml ./
 RUN poetry config virtualenvs.create false \
   && poetry install --no-interaction --no-ansi --only main
@@ -23,7 +23,7 @@ RUN poetry config virtualenvs.create false \
 ARG UID=10001
 ARG GID=10001
 RUN groupadd -g "${GID}" appuser \
-  && useradd --no-create-home --no-log-init --uid "${UID}" --gid "${GID}" appuser
+  && useradd --no-create-home --no-log-init --uid ${UID} --gid ${GID} appuser
 
 # Install the project.
 FROM python_libs_csw

kustomize/README.md

@@ -2,7 +2,7 @@
 
 Declarative management of CSW Kubernetes resources using Kustomize.
 
-# How to use
+## How to use
 
 Within an overlay directory, create a `.env` file to contain required secret
 values in the format KEY=value (i.e. `overlays/uat/.env`). Required values:
@@ -22,8 +22,8 @@ Run `kubectl` with the `-k` flag to generate resources for a given overlay:
 kubectl apply -k kustomize/overlays/uat --namespace sss --dry-run=client
 ```
 
-# References:
+## References
 
-* https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/
-* https://github.com/kubernetes-sigs/kustomize
-* https://github.com/kubernetes-sigs/kustomize/tree/master/examples
+- <https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/>
+- <https://github.com/kubernetes-sigs/kustomize>
+- <https://github.com/kubernetes-sigs/kustomize/tree/master/examples>

kustomize/base/deployment.yaml

@@ -16,68 +16,68 @@ spec:
         app: csw-deployment
     spec:
       containers:
-      - name: csw
-        image: ghcr.io/dbca-wa/csw
-        imagePullPolicy: Always
-        env:
-        - name: ALLOWED_HOSTS
-          value: ".dbca.wa.gov.au"
-        - name: CSRF_TRUSTED_ORIGINS
-          value: "https://*.dbca.wa.gov.au"
-        - name: CSRF_COOKIE_SECURE
-          value: "True"
-        - name: SESSION_COOKIE_SECURE
-          value: "True"
-        - name: TZ
-          value: "Australia/Perth"
-        resources:
-          requests:
-            memory: "100Mi"
-            cpu: "5m"
-          limits:
-            memory: "2Gi"
-            cpu: "1000m"
-        startupProbe:
-          httpGet:
-            path: /livez
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 3
-          periodSeconds: 15
-          timeoutSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        livenessProbe:
-          httpGet:
-            path: /livez
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 0
-          periodSeconds: 15
-          successThreshold: 1
-          failureThreshold: 3
-          timeoutSeconds: 10
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 0
-          periodSeconds: 15
-          successThreshold: 1
-          failureThreshold: 3
-          timeoutSeconds: 10
-        securityContext:
-          runAsNonRoot: true
-          privileged: false
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
-        volumeMounts:
-          - mountPath: /tmp
-            name: tmpfs-ram
+        - name: csw
+          image: ghcr.io/dbca-wa/csw
+          imagePullPolicy: Always
+          env:
+            - name: ALLOWED_HOSTS
+              value: ".dbca.wa.gov.au"
+            - name: CSRF_TRUSTED_ORIGINS
+              value: "https://*.dbca.wa.gov.au"
+            - name: CSRF_COOKIE_SECURE
+              value: "True"
+            - name: SESSION_COOKIE_SECURE
+              value: "True"
+            - name: TZ
+              value: "Australia/Perth"
+          resources:
+            requests:
+              memory: "100Mi"
+              cpu: "5m"
+            limits:
+              memory: "2Gi"
+              cpu: "1000m"
+          startupProbe:
+            httpGet:
+              path: /livez
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 3
+            periodSeconds: 15
+            timeoutSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 15
+            successThreshold: 1
+            failureThreshold: 3
+            timeoutSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 15
+            successThreshold: 1
+            failureThreshold: 3
+            timeoutSeconds: 10
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmpfs-ram
       volumes:
         - name: tmpfs-ram
           emptyDir:

kustomize/base/service.yaml

@@ -5,7 +5,7 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-  - name: wsgi
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
+    - name: wsgi
+      port: 8080
+      protocol: TCP
+      targetPort: 8080

kustomize/overlays/prod/deployment_patch.yaml

@@ -6,41 +6,41 @@ spec:
   template:
     spec:
       containers:
-      - name: csw
-        imagePullPolicy: IfNotPresent
-        env:
-        - name: DATABASE_URL
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-prod
-              key: DATABASE_URL
-        - name: SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-prod
-              key: SECRET_KEY
-        - name: BASE_URL
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-prod
-              key: BASE_URL
-        - name: CORS_URL
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-prod
-              key: CORS_URL
-        - name: AZURE_ACCOUNT_NAME
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-prod
-              key: AZURE_ACCOUNT_NAME
-        - name: AZURE_ACCOUNT_KEY
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-prod
-              key: AZURE_ACCOUNT_KEY
-        - name: AZURE_CONTAINER
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-prod
-              key: AZURE_CONTAINER
+        - name: csw
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-prod
+                  key: DATABASE_URL
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-prod
+                  key: SECRET_KEY
+            - name: BASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-prod
+                  key: BASE_URL
+            - name: CORS_URL
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-prod
+                  key: CORS_URL
+            - name: AZURE_ACCOUNT_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-prod
+                  key: AZURE_ACCOUNT_NAME
+            - name: AZURE_ACCOUNT_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-prod
+                  key: AZURE_ACCOUNT_KEY
+            - name: AZURE_CONTAINER
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-prod
+                  key: AZURE_CONTAINER

kustomize/overlays/prod/ingress.yaml

@@ -5,13 +5,13 @@ metadata:
 spec:
   ingressClassName: nginx
   rules:
-  - host: csw.dbca.wa.gov.au
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: csw-clusterip-prod
-            port:
-              number: 8080
+    - host: csw.dbca.wa.gov.au
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: csw-clusterip-prod
+                port:
+                  number: 8080

kustomize/overlays/prod/kustomization.yaml

@@ -10,6 +10,8 @@ secretGenerator:
     type: Opaque
     envs:
       - .env
+generatorOptions:
+  disableNameSuffixHash: true
 labels:
   - includeSelectors: true
     pairs:

kustomize/overlays/uat/deployment_patch.yaml

@@ -6,40 +6,40 @@ spec:
   template:
     spec:
       containers:
-      - name: csw
-        env:
-        - name: DATABASE_URL
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-uat
-              key: DATABASE_URL
-        - name: SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-uat
-              key: SECRET_KEY
-        - name: BASE_URL
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-uat
-              key: BASE_URL
-        - name: CORS_URL
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-uat
-              key: CORS_URL
-        - name: AZURE_ACCOUNT_NAME
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-uat
-              key: AZURE_ACCOUNT_NAME
-        - name: AZURE_ACCOUNT_KEY
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-uat
-              key: AZURE_ACCOUNT_KEY
-        - name: AZURE_CONTAINER
-          valueFrom:
-            secretKeyRef:
-              name: csw-env-uat
-              key: AZURE_CONTAINER
+        - name: csw
+          env:
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-uat
+                  key: DATABASE_URL
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-uat
+                  key: SECRET_KEY
+            - name: BASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-uat
+                  key: BASE_URL
+            - name: CORS_URL
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-uat
+                  key: CORS_URL
+            - name: AZURE_ACCOUNT_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-uat
+                  key: AZURE_ACCOUNT_NAME
+            - name: AZURE_ACCOUNT_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-uat
+                  key: AZURE_ACCOUNT_KEY
+            - name: AZURE_CONTAINER
+              valueFrom:
+                secretKeyRef:
+                  name: csw-env-uat
+                  key: AZURE_CONTAINER