HOFF-774: Update boilerplate code with DevOps setup #3

Open
wants to merge 2 commits into
base: HOF-113-william

@adityababumallisettiHO adityababumallisettiHO commented Aug 2, 2024

What?

The DevOps setup has been changing from time to time. We have used new features on different services, e.g. ACRS uses the ECR image repo and COA has the fixed Cron Jobs.

Why?

  • We have recently started seeing rate limiting issues. One of the reasons is using the letsencrypt-prod cluster issuer for all envs, due to the limit of issuing 50 certs a week. This limit gets exceeded quite often, forcing us to use zerossl-production. We can avoid this situation by using letsencrypt-staging in lower envs. This is advised by the ACP team.
  • I have updated the ingress URL. It would be easier for ACP to add and for us to request the URLs with wildcards. ACP also suggests using "*.branch.sas-notprod.homeoffice.gov.uk" for file vault, data service, and app front end ingress.
  • Trivy step to scan base OS image vulnerabilities and Node packages, as discussed in one of the meetings, and the path is set to a global CVE exception file. Now also reports with a dependency tree.
  • Latest Node Image tested on COA and has no high and medium vulnerabilities

HOW?
Necessary files have been updated as explained in WHY?

Anything Else?
Our team is not sure about using the Redis secret. Some services use session-secret, some use the Redis secret, but there is no reference to the secret being used.
File vault and Nginx-proxy containers are using the same ports. This could split the incoming traffic between both containers. We have noticed it in COA, and the developer deleted the container ports.
I am planning to use YAML anchors and aliases for a few steps in upcoming projects. Once tested, I will add them to this repo.
For IMA and ACRS we used internal ingress for the dataservice endpoint, as this is a backend service.

* Update to the ones used in latest deployments
* COA has the latest cron steps and Node Image
* ACRS is using private repository ECR
* Ingresses have been updated
* This tag can cause issues if git branch has special characters
* we use drone commit sha as a tag for all the hof services
@sulthan-ahmed

I'm lost
Perhaps the skeleton app should be for the public and no devops

and the hof-boiler-plate should be for our team

Let's talk to @william-gu-hof
