Merge branch 'main' into fix-secrets-as-files

FlowFuse · May 7, 2024 · 6fe16f4 · 6fe16f4
2 parents 0b09e75 + c73759d
commit 6fe16f4
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 16 deletions.
diff --git a/.github/workflows/helm-chart-release.yaml b/.github/workflows/helm-chart-release.yaml
@@ -9,6 +9,33 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
+      - name: Wait for container images build
+        run: |
+          while :; do
+            result=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              https://api.github.com/repos/${{ github.repository }}/actions/runs | \
+              jq -r '.workflow_runs | map(select(.name == "Release container images")) | sort_by(.created_at) | reverse | .[0]')
+            status=$(echo "$result" | jq -r '.status')
+            conclusion=$(echo "$result" | jq -r '.conclusion')
+            if [[ "$status" == "completed" ]]; then
+              if [[ "$conclusion" == "success" ]]; then
+                echo "Release container images workflow completed successfully"
+                break
+              else
+                echo "Release container images workflow failed"
+                exit 1
+              fi
+            elif [[ "$status" == "in_progress" ]]; then
+              echo "Release container images workflow is still running"
+              sleep 60
+            else
+              echo "Release container images workflow returned unexpected status: $status"
+              exit 1
+            fi
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
@@ -45,30 +45,18 @@ jobs:
           ct lint --config ./.github/configs/chart-testing.yaml
 
       - name: Create kind cluster
+        if: "${{!startsWith(github.event.pull_request.title, 'feat: Release')}}"
         uses: helm/kind-action@v1.8.0
 
       - name: Label cluster nodes
+        if: "${{!startsWith(github.event.pull_request.title, 'feat: Release')}}"
         run: |
           for node in $(kubectl get nodes -o name); do
             kubectl label --overwrite $node "role=management"
           done
 
-      - name: Wait for forge application public image
-        run: |
-          IMAGE="flowfuse/forge-k8s"
-          TAG=$(helm show chart ./helm/flowforge | awk -F': ' '/appVersion/ {print $2}')
-          ATTEMPTS=0
-          until docker manifest inspect $IMAGE:$TAG || [ $ATTEMPTS -eq 10 ]; do
-            ATTEMPTS=$((ATTEMPTS+1))
-            echo "Attempt $ATTEMPTS failed! Trying again in 30 seconds..."
-            sleep 30
-          done
-          if [ $ATTEMPTS -eq 10 ]; then
-            echo "Failed to inspect remote $IMAGE:$TAG after $ATTEMPTS attempts!"
-            exit 1
-          fi
-
       - name: Run chart-testing (install and upgrade)
+        if: "${{!startsWith(github.event.pull_request.title, 'feat: Release')}}"
         run: ct install --upgrade --config ./.github/configs/chart-testing.yaml
 
   validate:

diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml
@@ -68,6 +68,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: false
       securityContext:
         {{- toYaml .Values.forge.broker.podSecurityContext | nindent 8 }}
       containers:

diff --git a/helm/flowforge/templates/deployment.yaml b/helm/flowforge/templates/deployment.yaml
@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   annotations:
-    checkov.io/skip1: CKV_K8S_35=Current approach is a temporary one 
+    checkov.io/skip1: CKV_K8S_38=The service account token is required to schedule projects
 spec:
   replicas: {{ .Values.forge.replicas }}
   selector:
@@ -31,6 +31,7 @@ spec:
         {{- end  }}
     spec:
       serviceAccountName: flowforge
+      automountServiceAccountToken: true 
       securityContext:
         {{- toYaml .Values.forge.podSecurityContext | nindent 8 }}
       initContainers:
@@ -45,6 +46,7 @@ spec:
             mountPath: /config
         securityContext:
           readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL

diff --git a/helm/flowforge/templates/file-storage.yml b/helm/flowforge/templates/file-storage.yml
@@ -40,6 +40,7 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/file-storage-configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       securityContext:
         {{- toYaml .Values.forge.fileStore.podSecurityContext | nindent 8 }}
       initContainers:
@@ -60,6 +61,7 @@ spec:
                 key: password
         securityContext:
           readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL