Merge pull request #14 from mshujamalik-ebi/k8s_build_changes

K8s build changes for new cluster migration

Merge pull request #14 from mshujamalik-ebi/k8s_build_changes
K8s build changes for new cluster migration
09fb04e2 · Sandeep Kadam · GitHub · 85e5d4ae · bce3b416 · 09fb04e2
Unverified Commit 09fb04e2 authored 1 month ago by Sandeep Kadam Committed by GitHub 1 month ago
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-image: ebiwd/alpine-ssh:3.6
-
-#project specific variables can be defined here, or overridden project settings
 variables:
-  DEV_SERVER: ebi-cli
-  DEV_DEST: /nfs/public/rw/webdevel/projects/static/test/wwwdev.ebi.ac.uk/style-lab
-  DEV_URL: http://wwwdev.ebi.ac.uk/style-lab
-
-  PROD_SERVER: ebi-cli wp-p1m-14
-  PROD_DEST: /nfs/public/rw/webdevel/projects/static/live/www.ebi.ac.uk/style-lab
-  PROD_URL: https://www.ebi.ac.uk/style-lab
+  GIT_SUBMODULE_STRATEGY: recursive
+  DOCKER_DRIVER: overlay2
+  GIT_STRATEGY: fetch
+  CS_DOCKERFILE_PATH: $CI_PROJECT_DIR/Dockerfile

-  SSH_OWNER: wd_adm
-
-# do not define here, put in project variables
-  SSH_OWNER_KEY: secret-key
+# Can't use the {::8} notation to get a short sha in the variables section, so exporting below
+before_script:
+  - export CI_COMMIT_SHA_SHORT=${CI_COMMIT_SHA::8}
+  - export IMAGE_NAME=$CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA-$CI_PIPELINE_ID

 stages:
  - build
-  - deploy
+  - test
  - deploy_dev
  - deploy_prod

 build:
-  stage: build
-  image: node:12
-  tags:
-    - docker
-  before_script:
-    - npm install -g bower gulp
-    - cd ${CI_PROJECT_DIR}
-    - npm install --quiet
-    - bower --allow-root install --quiet
-  script:
-    - npm run build
-  cache:
-    paths:
-      - node_modules
-      - bower_components
-  artifacts:
-    paths:
-      - dist
-
-#setup ssh keys
-.deploy_setup: &deploy_setup
-  tags:
-    - docker
-  before_script:
-    - add-ssh-key ${SSH_OWNER} "${SSH_OWNER_KEY}"
-    - add-search-domain ebi.ac.uk
-
-deploy_dev: &deploy_vm
-  <<: *deploy_setup
-  variables:
-    NAME: dev
-    URL: ${DEV_URL}
-    DEST: ${DEV_DEST}
-    VMS: ${DEV_SERVER}
-  stage: deploy
-  script:
-    - for VM in ${VMS}; do
-        rsync -acv --delete-after ${CI_PROJECT_DIR}/dist/. ${SSH_OWNER}@${VM}:${DEST}/;
-      done
-  only:
-    - master
-  environment:
-    name: ${NAME}
-    url: ${URL}
-
-deploy_live:
-  <<: *deploy_vm
-  only:
-    - tags
-  variables:
-    NAME: live
-    URL: ${PROD_URL}
-    DEST: ${PROD_DEST}
-    VMS: ${PROD_SERVER}
-
-build_docker:
-  image: docker:stable
  stage: build
  tags:
    - dind
-  before_script:
-    - export CI_COMMIT_SHA_SHORT=${CI_COMMIT_SHA::8}
-    - export IMAGE_NAME=$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker build -t $IMAGE_NAME .
    - docker push $IMAGE_NAME

+container_scanning:
+  stage: test
+  tags:
+    - dind2
+  rules:
+      - if: $CI_COMMIT_BRANCH == 'master'
+  variables:
+    # To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
+    # `.gitlab-ci.yml` file and set it to `fetch`.
+    # For details, see the following links:
+    # https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+    # https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting
+    GIT_STRATEGY: fetch
+    IMAGE_NAME: $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA-$CI_PIPELINE_ID
+    CS_IMAGE: $IMAGE_NAME
+    CS_DOCKERFILE_PATH: $CI_PROJECT_DIR/Dockerfile
+    SECURE_LOG_LEVEL: "debug"
+    # allow_failure: true
+    # artifacts:
+    #   reports:
+    #     container_scanning: gl-container-scanning-report.json
+      #     dependency_scanning: gl-dependency-scanning-report.json
+      #   paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json]
+
+include:
+  - template: Jobs/Container-Scanning.gitlab-ci.yml
+
 # Reusable template, requires the $KUBE_CONFIG and $NAMESPACE variables to be set
 # This subsitutes the environment variable $IMAGE_NAME in the overlay file, and deploys
 .template: &deploy
  image: ebiwd/alpine-ssh:latest
-  # Can't use the {::8} notation to get a short sha in the variables section, so exporting below
-  # Also the CI_REGISTRY variable is set incorrectly in GitLab - so exporting to correct value
-  before_script:
-    - export CI_COMMIT_SHA_SHORT=${CI_COMMIT_SHA::8}
-    - export IMAGE_NAME=$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - mkdir -p $HOME/.kube
    - echo -n $KUBE_CONFIG | base64 -d > $HOME/.kube/config
    - envsubst '$IMAGE_NAME' < k8s/overlays/caas/ci_image.yaml > file.tmp && mv file.tmp k8s/overlays/caas/ci_image.yaml
    - kubectl kustomize k8s/overlays/caas/ | kubectl --namespace=$NAMESPACE apply -f -

-deploy_to_hh_dev:
-  stage: deploy_dev
-  only:
-    - master
-  variables:
-    NAMESPACE: static-sites-dev
-    KUBE_CONFIG: $HH_KUBE_CONFIG
-  <<: *deploy
-
-deploy_to_hx_dev:
-  stage: deploy_dev
-  only:
-    - master
-  variables:
-    NAMESPACE: static-sites-dev
-    KUBE_CONFIG: $HX_KUBE_CONFIG
-  <<: *deploy
-
 deploy_to_hh_wp_dev:
  stage: deploy_dev
  only:
    - master
  variables:
    NAMESPACE: static-sites-dev
-    KUBE_CONFIG: $HH_WP_KUBE_CONFIG
+    KUBE_CONFIG: $HH_EBIWD_STATIC_KUBE_CONFIG
  <<: *deploy

 deploy_to_hx_wp_dev:
@@ -138,34 +76,7 @@ deploy_to_hx_wp_dev:
    - master
  variables:
    NAMESPACE: static-sites-dev
-    KUBE_CONFIG: $HX_WP_KUBE_CONFIG
-  <<: *deploy
-
-deploy_to_ehk_hx_dev:
-  stage: deploy_dev
-  only:
-    - master
-  variables:
-    NAMESPACE: static-sites-dev
-    KUBE_CONFIG: $EHK_HH_KUBE_CONFIG
-  <<: *deploy
-
-deploy_to_hh_prod:
-  stage: deploy_prod
-  only:
-    - tags
-  variables:
-    NAMESPACE: static-sites-prod
-    KUBE_CONFIG: $HH_KUBE_CONFIG
-  <<: *deploy
-
-deploy_to_hx_prod:
-  stage: deploy_prod
-  only:
-    - tags
-  variables:
-    NAMESPACE: static-sites-prod
-    KUBE_CONFIG: $HX_KUBE_CONFIG
+    KUBE_CONFIG: $HX_EBIWD_STATIC_KUBE_CONFIG
  <<: *deploy

 deploy_to_hh_wp_prod:
@@ -174,7 +85,7 @@ deploy_to_hh_wp_prod:
    - tags
  variables:
    NAMESPACE: static-sites-prod
-    KUBE_CONFIG: $HH_WP_KUBE_CONFIG
+    KUBE_CONFIG: $HH_EBIWD_STATIC_KUBE_CONFIG
  <<: *deploy

 deploy_to_hx_wp_prod:
@@ -183,14 +94,5 @@ deploy_to_hx_wp_prod:
    - tags
  variables:
    NAMESPACE: static-sites-prod
-    KUBE_CONFIG: $HX_WP_KUBE_CONFIG
-  <<: *deploy
-
-deploy_to_ehk_hx_prod:
-  stage: deploy_prod
-  only:
-    - tags
-  variables:
-    NAMESPACE: static-sites-prod
-    KUBE_CONFIG: $EHK_HH_KUBE_CONFIG
+    KUBE_CONFIG: $HX_EBIWD_STATIC_KUBE_CONFIG
  <<: *deploy
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ RUN npm install --quiet && \
 	bower --allow-root install --quiet && \
 	npm run build

-FROM nginxinc/nginx-unprivileged:1.16.0-alpine
+FROM nginxinc/nginx-unprivileged:1.27-alpine

 COPY docker-assets/default.conf /etc/nginx/conf.d/default.conf
 COPY web/index.html /usr/share/nginx/html/index.html

--- a/docker-assets/default.conf
+++ b/docker-assets/default.conf
 server {
-    listen               8080;
-    server_name          localhost;
-    root                 /usr/share/nginx/html;
-    index                index.html;
-    absolute_redirect    off;
+    listen              8080;
+    server_name         localhost;
+    absolute_redirect   off;
+    root                /usr/share/nginx/html;
+    index               index.html;
+    #Security hardning
+    server_tokens off;
+
+    location ~ \.(php|phtml|php3|php4|php5|pl|py|jsp|asp|exe|shtml|sh|cgi|suspected)$ {
+      deny all;
+    }

    location / {
-        try_files         $uri/ $uri =404;
-        expires           1m;
-        add_header        Cache-Control "public";
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+        add_header Content-Security-Policy "base-uri 'self'" always;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Content-Type-Options "nosniff";
+        add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' '*';
+        expires         5m;
+        add_header      Cache-Control "public";
+        try_files       $uri.html $uri/ $uri =404;
    }

-    # caching for static assets
-    location ~* \.(?:jpg|jpeg|gif|png|ico|xml|css|js)$ {
-        expires           1d;
-        add_header        Cache-Control "public";
+    location /favicon.ico {
+        expires         7d;
    }

-    error_page  403              /errorpages/403.html;
-    error_page  404              /errorpages/404.html;
-    error_page  500 502 503 504  /errorpages/500.html;
-}
+    location /robots.txt {
+        expires         1d;
+    }
+
+    error_page  404              /not-found.html;

+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    location = /ping {
+        default_type    text/plain;
+        return          200 "pong";
+    }
+}
--- a/docker-compose.yml
+++ b/docker-compose.yml
-version: "2"
-
 services:
  nginx:
    build: .

--- a/k8s/base/deployment.yaml
+++ b/k8s/base/deployment.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
  name: style-lab-service
+  labels:
+    app: style-lab-service
 spec:
  type: NodePort
  ports:

--- a/k8s/base/kustomization.yaml
+++ b/k8s/base/kustomization.yaml
-commonLabels:
-  app: style-lab
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+labels:
+- includeSelectors: true
+  pairs:
+    app: style-lab
 resources:
-  - deployment.yaml
+- deployment.yaml
\ No newline at end of file
--- a/k8s/overlays/caas/kustomization.yaml
+++ b/k8s/overlays/caas/kustomization.yaml
-commonLabels:
-  varient: caas
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+labels:
+- includeSelectors: true
+  pairs:
+    varient: caas
 commonAnnotations:
  note: CaaS varients
-bases:
- - ../../base
+resources:
+- ../../base
 patches:
- - ci_image.yaml
- - replicas.yaml
- - probes.yaml
- - registry_credentials.yaml
+- path: ./ci_image.yaml
+- path: ./replicas.yaml
+- path: ./probes.yaml
+- path: ./registry_credentials.yaml