From 1b83d91f792d880f00fef70755828f6dc17f3d81 Mon Sep 17 00:00:00 2001
From: adityababumallisettiHO
Date: Fri, 2 Aug 2024 16:22:40 +0100
Subject: [PATCH 1/2] HOFF-774: Update boilerplate code

* Update to the ones used in latest deployments
* COA has the latest cron steps and Node Image
* ACRS is using private repository ECR
* Ingresses have been updated
---
.drone.yml | 145 ++++++++++++++++++----------
Dockerfile | 29 ++++++
kube/app/ingress-external.yml | 7 +-
kube/certs/certificate-external.yml | 6 +-
kube/certs/certificate-internal.yml | 6 +-
kube/hof-rds-api/ingress.yml | 4 +-
6 files changed, 135 insertions(+), 62 deletions(-)
create mode 100644 Dockerfile

diff --git a/.drone.yml b/.drone.yml
index 58aaa04..c07cdc3 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -11,7 +11,7 @@ environment:
 BRANCH_ENV: sas-hof-boilerplate-branch
 PRODUCTION_URL: www.hof-boilerplate.homeoffice.gov.uk
 IMAGE_URL: quay.io/ukhomeofficedigital
- IMAGE_REPO: hof-boilerplate
+ IMAGE_REPO: sas/hof-boilerplate
 GIT_REPO: UKHomeOffice/hof-skeleton
 HOF_CONFIG: hof-services-config/Hof_Boilerplate
 NON_PROD_AVAILABILITY: Mon-Sun 08:00-23:00 Europe/London
@@ -25,7 +25,7 @@ trigger:
 linting: &linting
 pull: if-not-exists
- image: node:lts
+ image: node:20.15.0-alpine3.20@sha256:24c14a8a192a6e81d0942929a344f7a4bdf0db8e3b3c77d64a5eb8a4b0c759b7
 environment:
 NOTIFY_STUB: true
 commands:
@@ -33,7 +33,7 @@ linting: &linting
 unit_tests: &unit_tests
 pull: if-not-exists
- image: node:lts
+ image: node:20.15.0-alpine3.20@sha256:24c14a8a192a6e81d0942929a344f7a4bdf0db8e3b3c77d64a5eb8a4b0c759b7
 environment:
 NOTIFY_STUB: true
 commands:
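Review bot: The digest-pinned node reference introduced at `image:` in the linting step is repeated verbatim in the @@ -33 and @@ -150 hunks, in setup_deploy and the new scan_image_os step (@@ -56), in cron_trivy_scan_image_os (@@ -330) and in the new Dockerfile's FROM line, so a future bump has seven places to miss, and the Trivy steps would then scan a different base image from the one the build actually uses. The file already relies on YAML anchors (`&linting`), so inside .drone.yml the reference can be declared once, `image: &node_image node:20.15.0-alpine3.20@sha256:24c14a8a…`, and reused with `image: *node_image` and `IMAGE_NAME: *node_image`. The Dockerfile cannot share an anchor, so at minimum a comment next to the anchor naming the Dockerfile as the other copy to keep in step is warranted. The pin itself is the right move for reproducible builds and scans.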
@@ -56,9 +56,27 @@ steps:
 - feature/*
 event: [push, pull_request]
+ # Trivy Security Scannner for scanning OS related vulnerabilities in Base image of Dockerfile
+ - name: scan_image_os
+ pull: always
+ image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
+ resources:
+ limits:
+ cpu: 1000
+ memory: 1024Mi
+ environment:
+ IMAGE_NAME: node:20.15.0-alpine3.20@sha256:24c14a8a192a6e81d0942929a344f7a4bdf0db8e3b3c77d64a5eb8a4b0c759b7
+ SERVICE_URL: https://acp-trivy.acp-trivy.svc.cluster.local:443
+ SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree
+ FAIL_ON_DETECTION: false
+ IGNORE_UNFIXED: false
+ ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml
+ when:
+ event: [push, pull_request]
+
 - name: setup_deploy
 pull: if-not-exists
- image: node:lts
+ image: node:20.15.0-alpine3.20@sha256:24c14a8a192a6e81d0942929a344f7a4bdf0db8e3b3c77d64a5eb8a4b0c759b7
 environment:
 NOTIFY_STUB: true
 commands:
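Review bot: `FAIL_ON_DETECTION: false` in the new scan_image_os step means MEDIUM, HIGH and CRITICAL findings in the base image are reported but never fail a push or pull-request build, so nothing in the PR pipeline stops a vulnerable base image from being built and pushed by image_to_ecr; only the cron variant in the @@ -330 hunk fails, and that runs after the image is already in the registry. If non-blocking PR scans are deliberate, say so on the step, for example `# Non-blocking on PRs: findings go to the build log; the security_scans cron enforces`, otherwise set `FAIL_ON_DETECTION: true` and use `ALLOW_CVE_LIST_FILE` for accepted exceptions. Separately, `SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree` passes a command-line flag through a value that the client presumably splices unquoted into its trivy invocation; if the client ever quotes or validates the severity list the step breaks, so it belongs in whatever dedicated option the acp trivy client exposes for extra flags, if one exists. The same pattern is repeated in scan_node_packages and in both cron scans.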
@@ -98,23 +116,26 @@ steps: branch: master event: [push, pull_request] - - name: image_to_quay - pull: if-not-exists - image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind - environment: - DOCKER_PASSWORD: - from_secret: DOCKER_PASSWORD - commands: - - docker login -u="ukhomeofficedigital+asc_robot" -p=$${DOCKER_PASSWORD} quay.io - - docker tag $${IMAGE_REPO}:$${DRONE_COMMIT_SHA} $${IMAGE_URL}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA} - - docker push $${IMAGE_URL}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA} + - name: image_to_ecr + image: plugins/ecr + settings: + access_key: + from_secret: aws_access_key_id + secret_key: + from_secret: aws_secret_access_key + region: eu-west-2 + repo: sas/hof-boilerplate + registry: 340268328991.dkr.ecr.eu-west-2.amazonaws.com + tags: + - latest_${DRONE_BRANCH} + - ${DRONE_COMMIT_SHA} when: branch: master event: [push, pull_request] - # Trivy Security Scannner - - name: scan-image + # Trivy Security Scannner for scanning nodejs packages in Yarn + - name: scan_node_packages pull: always image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest resources: @@ -123,17 +144,15 @@ steps: memory: 1024Mi environment: IMAGE_NAME: additional-security-checks:${DRONE_COMMIT_SHA} - SEVERITY: MEDIUM,HIGH,CRITICAL + SERVICE_URL: https://acp-trivy.acp-trivy.svc.cluster.local:443 + SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree FAIL_ON_DETECTION: false - IGNORE_UNFIXED: true - ALLOW_CVE_LIST_FILE: hof-services-config/Additional_Security_Checks/trivy-cve-exceptions.txt + IGNORE_UNFIXED: false + ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml when: - event: - - pull_request - - push - - tag + event: [push, pull_request] - # Deploy to pull request UAT environment + # Deploy with pull request to Branch environment - name: deploy_to_branch pull: if-not-exists image: quay.io/ukhomeofficedigital/kd:v1.14.0 
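Review bot: The new image_to_ecr step pushes `sas/hof-boilerplate` tagged with the commit SHA, but the scan_node_packages step directly below it (and cron_trivy_scan_node_packages in the @@ -330 hunk) still scans `additional-security-checks:${DRONE_COMMIT_SHA}`, a name carried over from the ASC service; unless the build step, which is outside this hunk, tags the local image with that exact name, the Trivy client is pointed at an image that does not exist and the yarn-package scan covers nothing. `IMAGE_NAME` should name the image that is actually built here, the way the removed `docker tag $${IMAGE_REPO}:$${DRONE_COMMIT_SHA}` line did for the push. A second point of consistency: `image: plugins/ecr` carries neither a tag nor a digest while every node image in this commit is digest-pinned, and this is the one step that holds AWS credentials, so pin it, `image: plugins/ecr:<pinned-tag-or-digest>`, and give it the `pull: if-not-exists` the neighbouring steps declare.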
@@ -150,7 +169,7 @@ steps:
 - name: setup_branch
 pull: if-not-exists
- image: node:lts
+ image: node:20.15.0-alpine3.20@sha256:24c14a8a192a6e81d0942929a344f7a4bdf0db8e3b3c77d64a5eb8a4b0c759b7
 environment:
 NOTIFY_STUB: true
 commands:
@@ -330,53 +349,79 @@ steps: cron: security_scans event: cron - - name: cron_trivy_scan + - name: cron_trivy_scan_node_packages image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest pull: always environment: - IMAGE_NAME: additional-security-checks:${DRONE_COMMIT_SHA} - SEVERITY: MEDIUM,HIGH,CRITICAL - FAIL_ON_DETECTION: false - IGNORE_UNFIXED: true - ALLOW_CVE_LIST_FILE: hof-services-config/Additional_Security_Checks/trivy-cve-exceptions.txt + IMAGE_NAME: additional-security-checks:${DRONE_COMMIT_SHA} + SERVICE_URL: https://acp-trivy.acp-trivy.svc.cluster.local:443 + SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --dependency-tree + FAIL_ON_DETECTION: true + IGNORE_UNFIXED: false + ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml when: cron: security_scans event: cron - # Slack notification upon a CRON job fail - - name: cron_notify_slack_tear_down_pr_envs - pull: if-not-exists - image: plugins/slack + - name: cron_trivy_scan_image_os + image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest + pull: always + environment: + IMAGE_NAME: node:20.15.0-alpine3.20@sha256:24c14a8a192a6e81d0942929a344f7a4bdf0db8e3b3c77d64a5eb8a4b0c759b7 + SERVICE_URL: https://acp-trivy.acp-trivy.svc.cluster.local:443 + SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --dependency-tree + FAIL_ON_DETECTION: true + IGNORE_UNFIXED: false + ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml + when: + cron: security_scans + event: cron + + image: plugins/slack:1.4.1 settings: - channel: sas-build + channel: sas-hof-build-notify failure: ignore - icon_url: https://readme.drone.io/0.5/logo_dark.svg - icon.url: https://readme.drone.io/0.5/logo_dark.svg - template: "CRON Job {{build.deployTo}} of ASC has {{build.status}} - <{{build.link}}|#{{build.number}}> {{#success build.status}}\n :thumbsup: :thumbsup: :thumbsup:\n{{else}}\n :x: :x: :x:\n{{/success}} Author: {{build.author}}\n\nDuration: {{since 
job.started}}\n\nJob: <{{build.link}}|#{{build.number}}>\n\nCommit: {{build.commit}}\n" - username: Drone + template: > + :x: Build for cron tear down pr envs failed. + + Cron job failed to tear the deployments in Branch Env. Please use the information below to fix pipeline. + + *Repository:* + + *Build Link:* <{{build.link}}|View Build Details> webhook: - from_secret: slack_webhook + from_secret: slack_sas_hof_build_notify_webhook when: cron: tear_down_pr_envs event: cron - status: failure + status: [ failure ] - name: cron_notify_slack_security_scans pull: if-not-exists - image: plugins/slack + image: plugins/slack:1.4.1 settings: - channel: sas-build + channel: sas-hof-security failure: ignore - icon_url: https://readme.drone.io/0.5/logo_dark.svg - icon.url: https://readme.drone.io/0.5/logo_dark.svg - template: "CRON Job {{build.deployTo}} of ASC has {{build.status}} - <{{build.link}}|#{{build.number}}> {{#success build.status}}\n :thumbsup: :thumbsup: :thumbsup:\n{{else}}\n :x: :x: :x:\n{{/success}} Author: {{build.author}}\n\nDuration: {{since job.started}}\n\nJob: <{{build.link}}|#{{build.number}}>\n\nCommit: {{build.commit}}\n" - username: Drone + template: > + :x: Build for cron security scans failed. + + Trivy has detected vulnerabilities. As a result, the build has failed. Please prioritize reviewing and addressing this issue. + + *Repository:* + + *Branch:* + + *Build Link:* <{{build.link}}|View Build Details> + + *Commit:* + + *Author:* webhook: - from_secret: slack_webhook + from_secret: slack_sas_hof_security_webhook when: cron: security_scans event: cron - status: failure + status: [ failure ] services: - name: docker diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..7e5fc46 --- /dev/null +++ b/Dockerfile 
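Review bot: The `- name: cron_notify_slack_tear_down_pr_envs` and `pull: if-not-exists` lines are removed together with the old Slack step but never re-added, so on the new side the added `image: plugins/slack:1.4.1` and the `settings:`, `webhook:` and `when:` block that follow the new cron_trivy_scan_image_os step have no step of their own; depending on their indentation they either merge into cron_trivy_scan_image_os as duplicate `image:` and `when:` keys (most YAML parsers silently keep the last value, which would turn the OS scan into a Slack post gated on `cron: tear_down_pr_envs`) or the file fails to parse. Restore the step header before the image line: `  # Slack notification upon a CRON job fail`, `  - name: cron_notify_slack_tear_down_pr_envs`, `    pull: if-not-exists`. Also, both new templates print the labels `*Repository:*`, `*Branch:*`, `*Commit:*` and `*Author:*` with nothing after them; the removed template shows `{{build.author}}` and `{{build.commit}}` are available to fill them in, so either add the values or drop the empty labels.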
@@ -0,0 +1,29 @@
+# Accept a build Argument named BASE_IMAGE
+FROM node:20.15.0-alpine3.20@sha256:24c14a8a192a6e81d0942929a344f7a4bdf0db8e3b3c77d64a5eb8a4b0c759b7
+USER root
+
+# Update packages as a result of Anchore security vulnerability checks
+RUN apk update && \
+ apk add --upgrade gnutls binutils nodejs npm apk-tools libjpeg-turbo libcurl libx11 libxml2
+
+
+# Setup nodejs group & nodejs user
+RUN addgroup --system nodejs --gid 998 && \
+ adduser --system nodejs --uid 999 --home /app/ && \
+ chown -R 999:998 /app/
+
+USER 999
+
+WORKDIR /app
+
+COPY --chown=999:998 . /app
+
+RUN yarn install --frozen-lockfile --production --ignore-optional && \
+ yarn run postinstall
+
+HEALTHCHECK --interval=5m --timeout=3s \
+ CMD curl --fail http://localhost:8080 || exit 1
+
+CMD ["sh", "/app/run.sh"]
+
+EXPOSE 8080
diff --git a/kube/app/ingress-external.yml b/kube/app/ingress-external.yml
index 82bc159..ff6dcde 100644
--- a/kube/app/ingress-external.yml
+++ b/kube/app/ingress-external.yml
@@ -13,10 +13,9 @@ spec:
 tls:
 - hosts:
 {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }}
- - {{ .DRONE_BUILD_NUMBER }}.asc-branch.homeoffice.gov.uk
- - asc-{{ .DRONE_SOURCE_BRANCH }}.asc-branch.homeoffice.gov.uk
+ - {{.APP_NAME}}-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk
 {{ else if eq .KUBE_NAMESPACE .UAT_ENV }}
- - asc.uat.sas-notprod.homeoffice.gov.uk
+ - {{.APP_NAME}}.uat.sas-notprod.homeoffice.gov.uk
 {{ else if eq .KUBE_NAMESPACE .PROD_ENV }}
 - {{ .PRODUCTION_URL }}
 {{ end }}
@@ -27,7 +26,7 @@ spec:
 {{ end }}
 rules:
 {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }}
- - host: asc-{{ .DRONE_SOURCE_BRANCH }}.asc-branch.homeoffice.gov.uk
+ - host: {{.APP_NAME}}-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk
 {{ else if eq .KUBE_NAMESPACE .UAT_ENV }}
 - host: asc.uat.sas-notprod.homeoffice.gov.uk
 {{ else if eq .KUBE_NAMESPACE .PROD_ENV }}
diff --git a/kube/certs/certificate-external.yml b/kube/certs/certificate-external.yml
index 7d1c58c..a27f940 100644
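Review bot: The HEALTHCHECK at the end of the new Dockerfile runs `curl`, but nothing in the file installs the curl binary: the `apk add --upgrade` line adds `libcurl` (the shared library only) and, as far as I know, the node alpine base ships BusyBox wget but no curl client, so the probe exits non-zero every time and plain Docker would flag the container unhealthy from the first interval (Kubernetes ignores HEALTHCHECK, so this would only surface outside the cluster). Either add `curl` to the apk line or use the client alpine already has, `CMD wget -qO- http://localhost:8080 || exit 1`. Two smaller points: the opening comment `# Accept a build Argument named BASE_IMAGE` describes an `ARG` that is never declared, so either add `ARG BASE_IMAGE=node:20.15.0-alpine3.20@sha256:24c14a8a…` followed by `FROM ${BASE_IMAGE}` or drop the comment; and `COPY --chown=999:998 . /app` copies the whole checkout, so if the repository has no .dockerignore the runtime layer will carry `.git`, `.drone.yml` and the `kube/` manifests along with the application.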
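Review bot: The UAT TLS host in the @@ -13 hunk is changed to `{{.APP_NAME}}.uat.sas-notprod.homeoffice.gov.uk`, but the UAT routing rule in the @@ -27 hunk keeps the context line `- host: asc.uat.sas-notprod.homeoffice.gov.uk`, so in UAT the certificate is requested for one hostname while the ingress routes another: requests to the new name reach no backend and the old name has no matching SAN. Change the rule to `- host: {{.APP_NAME}}.uat.sas-notprod.homeoffice.gov.uk` so the tls and rules branches agree, as the BRANCH_ENV branch already does. Also, `.APP_NAME` is not among the environment keys visible in the @@ -11 hunk of .drone.yml; if it is not set in the part of that file outside the diff, kd's Go templating would most likely render it as `<no value>` and the branch hostname becomes invalid.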
--- a/kube/certs/certificate-external.yml
+++ b/kube/certs/certificate-external.yml
@@ -5,10 +5,10 @@ metadata:
 labels:
 cert-manager.io/solver: route53
 spec:
- commonName: "*.asc-branch.homeoffice.gov.uk"
+ commonName: "*.branch.sas-notprod.homeoffice.gov.uk"
 dnsNames:
- - "*.asc-branch.homeoffice.gov.uk"
+ - "*.branch.sas-notprod.homeoffice.gov.uk"
 issuerRef:
 kind: ClusterIssuer
- name: letsencrypt-prod
+ name: letsencrypt-staging
 secretName: branch-tls-external
diff --git a/kube/certs/certificate-internal.yml b/kube/certs/certificate-internal.yml
index fbeb2de..8c95108 100644
--- a/kube/certs/certificate-internal.yml
+++ b/kube/certs/certificate-internal.yml
@@ -5,10 +5,10 @@ metadata:
 labels:
 cert-manager.io/solver: route53
 spec:
- commonName: "*.internal.asc-branch.homeoffice.gov.uk"
+ commonName: "*.internal.branch.sas-notprod.homeoffice.gov.uk"
 dnsNames:
- - "*.internal.asc-branch.homeoffice.gov.uk"
+ - "*.internal.branch.sas-notprod.homeoffice.gov.uk"
 issuerRef:
 kind: ClusterIssuer
- name: letsencrypt-prod
+ name: letsencrypt-staging
 secretName: branch-tls-internal
diff --git a/kube/hof-rds-api/ingress.yml b/kube/hof-rds-api/ingress.yml
index 4c2b041..ec13a5c 100644
--- a/kube/hof-rds-api/ingress.yml
+++ b/kube/hof-rds-api/ingress.yml
@@ -19,7 +19,7 @@ spec:
 {{ else if eq .KUBE_NAMESPACE .UAT_ENV }}
 - data-service.uat.sas-notprod.homeoffice.gov.uk
 {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }}
- - data-service-{{ .DRONE_SOURCE_BRANCH }}.asc-branch.homeoffice.gov.uk
+ - data-service-{{ .DRONE_SOURCE_BRANCH }}.asc.branch.sas-notprod.homeoffice.gov.uk
 {{ end }}
 {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }}
 secretName: branch-tls-external
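Review bot: Switching `issuerRef.name` from `letsencrypt-prod` to `letsencrypt-staging` here, and identically in the certificate-internal hunk, changes the issuing CA and not only the DNS names: Let's Encrypt staging certificates chain to a root that browsers and system trust stores do not trust, so branch environments will show certificate warnings and any client that verifies TLS (external checks, services calling the internal hostname) will fail the handshake. The commit message only mentions updated ingresses, so if staging is deliberate, for instance to stay clear of production rate limits on short-lived PR environments, add a comment on the line such as `# staging issuer: untrusted chain, branch envs only` and confirm nothing consumes `branch-tls-external` or `branch-tls-internal` with verification enabled; otherwise keep `letsencrypt-prod`.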
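Review bot: The new branch hostname `data-service-{{ .DRONE_SOURCE_BRANCH }}.asc.branch.sas-notprod.homeoffice.gov.uk` sits two labels below `branch.sas-notprod.homeoffice.gov.uk`, while the context line `secretName: branch-tls-external` still binds it to the certificate that the certificate-external hunk in this patch now requests as the single-label wildcard `*.branch.sas-notprod.homeoffice.gov.uk`; a wildcard matches exactly one label, so that certificate does not cover the data-service host and TLS clients will see a hostname mismatch. Either drop the extra `.asc` label, `data-service-{{ .DRONE_SOURCE_BRANCH }}.branch.sas-notprod.homeoffice.gov.uk`, which is the pattern ingress-external.yml uses in this same patch, or add `"*.asc.branch.sas-notprod.homeoffice.gov.uk"` as a second dnsNames entry on the certificate. The same host is repeated in the @@ -34 rules hunk and must change together with this one.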
@@ -34,7 +34,7 @@ spec:
 {{ else if eq .KUBE_NAMESPACE .UAT_ENV }}
 - host: data-service.uat.sas-notprod.homeoffice.gov.uk
 {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }}
- - host: data-service-{{ .DRONE_SOURCE_BRANCH }}.asc-branch.homeoffice.gov.uk
+ - host: data-service-{{ .DRONE_SOURCE_BRANCH }}.asc.branch.sas-notprod.homeoffice.gov.uk
 {{ end }}
 http:
 paths:

From 5a0b0348e640373bfc76f31d19d3d19d1d0dde5a Mon Sep 17 00:00:00 2001
From: adityababumallisettiHO
Date: Fri, 2 Aug 2024 17:44:53 +0100
Subject: [PATCH 2/2] HOFF-774: Remove the tag from push to ECR

* This tag can cause issues if git branch has special characters
* we use drone commit sha as a tag for all the hof services
---
.drone.yml | 1 -
1 file changed, 1 deletion(-)

diff --git a/.drone.yml b/.drone.yml
index c07cdc3..fa63be4 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -127,7 +127,6 @@ steps:
 repo: sas/hof-boilerplate
 registry: 340268328991.dkr.ecr.eu-west-2.amazonaws.com
 tags:
- - latest_${DRONE_BRANCH}
 - ${DRONE_COMMIT_SHA}
 when:
 branch: master