From 58086a630e028f1bff7a8a9131f0ff5af83710da Mon Sep 17 00:00:00 2001
From: Jeremy Ho
Date: Fri, 15 Mar 2024 13:47:19 -0700
Subject: [PATCH 1/2] Update build-push-container actions
Signed-off-by: Jeremy Ho
---
 .github/actions/build-push-container/action.yaml | 8 ++++----
 .github/workflows/codeql-analysis.yaml | 6 +++---
 .github/workflows/on-pr-closed.yaml | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/actions/build-push-container/action.yaml b/.github/actions/build-push-container/action.yaml
index 01d615c3..a753a218 100644
--- a/.github/actions/build-push-container/action.yaml
+++ b/.github/actions/build-push-container/action.yaml
@@ -39,7 +39,7 @@ runs:
 echo "HAS_DOCKERHUB=${{ fromJson(inputs.dockerhub_username != '' && inputs.dockerhub_token != '') }}" >> $GITHUB_ENV
 - name: Login to Github Container Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ env.GH_USERNAME }}
@@ -47,7 +47,7 @@ runs:
 - name: Login to Dockerhub Container Registry
 if: env.HAS_DOCKERHUB == 'true'
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: docker.io
 username: ${{ inputs.dockerhub_username }}
@@ -55,7 +55,7 @@ runs:
 - name: Prepare Container Metadata tags
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: |
 ghcr.io/${{ env.GH_USERNAME }}/${{ inputs.image_name }}
@@ -74,7 +74,7 @@ runs:
 - name: Build and Push to Container Registry
 id: builder
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v5
 with:
 context: ${{ inputs.context }}
 push: true
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 3b789388..25226f5b 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
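Review bot: The bumped `uses:` references in all four hunks of this file (`docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v5`) still pin to a mutable major tag, so the action code that runs with the registry credentials passed to these steps can change upstream without any commit here; the same applies to the `github/codeql-action/*@v3` bumps and the `marocchino`/`strumwolf` bumps in the next two files, where `@v2.9.0` is still a movable tag. Pinning to a full-length commit SHA with the version as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v3`, keeps the upgrade while making the dependency immutable and reviewable, and Dependabot or Renovate can keep the SHA and comment in step. Separately, the context line `echo "HAS_DOCKERHUB=..." >> $GITHUB_ENV` leaves `$GITHUB_ENV` unquoted; `>> "$GITHUB_ENV"` is the safer habit if this step is touched again. The `runs:` block these steps belong to starts before and ends after the hunks.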
@@ -46,7 +46,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@v3
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -71,4 +71,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/on-pr-closed.yaml b/.github/workflows/on-pr-closed.yaml
index 9829a4fa..57621a7a 100644
--- a/.github/workflows/on-pr-closed.yaml
+++ b/.github/workflows/on-pr-closed.yaml
@@ -41,12 +41,12 @@ jobs:
 helm uninstall --namespace ${{ env.NAMESPACE_PREFIX }}-dev pr-${{ github.event.number }} --timeout 10m --wait
 oc delete --namespace ${{ env.NAMESPACE_PREFIX }}-dev cm,secret --selector app.kubernetes.io/instance=pr-${{ github.event.number }}
 - name: Remove Release Comment on PR
- uses: marocchino/sticky-pull-request-comment@v2
+ uses: marocchino/sticky-pull-request-comment@v2.9.0
 with:
 header: release
 delete: true
 - name: Remove Github Deployment Environment
- uses: strumwolf/delete-deployment-environment@v2
+ uses: strumwolf/delete-deployment-environment@v3
 with:
 environment: pr
 onlyRemoveDeployments: true
From 0cb482ecdb79d404d65813d7f3216fb7b2b0437a Mon Sep 17 00:00:00 2001
From: Jeremy Ho
Date: Thu, 14 Mar 2024 15:34:40 -0700
Subject: [PATCH 2/2] Release COMS v0.8.0
Signed-off-by: Jeremy Ho
---
 SECURITY.md | 4 ++--
 app/package-lock.json | 4 ++--
 app/package.json | 2 +-
 bcgovpubcode.yml | 2 +-
 charts/coms/Chart.yaml | 4 ++--
 charts/coms/README.md | 46 ++++++++++++++++++++---------------------
 charts/coms/values.yaml | 25 +++++++++++++++++++---
 7 files changed, 53 insertions(+), 34 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 7d7d1721..b3aac2e7 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -14,8 +14,8 @@ At this time, only the latest version of Common Object Management Service is sup
 | Version | Supported |
 | ------- | ------------------ |
-| 0.7.0 | :white_check_mark: |
-| < 0.7.x | :x: |
+| 0.8.0 | :white_check_mark: |
+| < 0.8.x | :x: |
 ## Reporting a Bug
diff --git a/app/package-lock.json b/app/package-lock.json
index a1187f22..fe64fee6 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "common-object-management-service",
- "version": "0.7.0",
+ "version": "0.8.0",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "common-object-management-service",
- "version": "0.7.0",
+ "version": "0.8.0",
 "license": "Apache-2.0",
 "dependencies": {
 "@aws-sdk/client-s3": "^3.534.0",
diff --git a/app/package.json b/app/package.json
index 8bcd9d9c..470dc498 100644
--- a/app/package.json
+++ b/app/package.json
@@ -1,6 +1,6 @@
 {
 "name": "common-object-management-service",
- "version": "0.7.0",
+ "version": "0.8.0",
 "private": true,
 "description": "",
 "author": "NR Common Service Showcase ",
diff --git a/bcgovpubcode.yml b/bcgovpubcode.yml
index cb5dcad2..9986b711 100644
--- a/bcgovpubcode.yml
+++ b/bcgovpubcode.yml
@@ -30,7 +30,7 @@ product_information:
 product_technology_information:
 backend_frameworks:
 - name: Express
- version: 4.18.2
+ version: 4.18.3
 - name: Other
 version: Knex
 - name: Other
diff --git a/charts/coms/Chart.yaml b/charts/coms/Chart.yaml
index 16a698dc..19a77578 100644
--- a/charts/coms/Chart.yaml
+++ b/charts/coms/Chart.yaml
@@ -3,7 +3,7 @@ name: common-object-management-service
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.21
+version: 0.0.22
 kubeVersion: ">= 1.13.0"
 description: A microservice for managing access control to S3 Objects
 # A chart can be either an 'application' or a 'library' chart.
@@ -43,6 +43,6 @@ maintainers:
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.7.0"
+appVersion: "0.8.0"
 deprecated: false
 annotations: {}
diff --git a/charts/coms/README.md b/charts/coms/README.md
index 73ee2ffd..4b500719 100644
--- a/charts/coms/README.md
+++ b/charts/coms/README.md
@@ -1,6 +1,6 @@
 # common-object-management-service
-![Version: 0.0.21](https://img.shields.io/badge/Version-0.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
+![Version: 0.0.22](https://img.shields.io/badge/Version-0.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
 A microservice for managing access control to S3 Objects
@@ -33,46 +33,46 @@ Kubernetes: `>= 1.13.0`
 | autoscaling.maxReplicas | int | `16` | |
 | autoscaling.minReplicas | int | `2` | |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` | |
-| basicAuthSecretOverride.password | string | `nil` | |
-| basicAuthSecretOverride.username | string | `nil` | |
+| basicAuthSecretOverride.password | string | `nil` | Basic authentication password |
+| basicAuthSecretOverride.username | string | `nil` | Basic authentication username |
 | config.configMap | object | `{"DB_PORT":"5432","KC_IDENTITYKEY":null,"KC_PUBLICKEY":null,"KC_REALM":null,"KC_SERVERURL":null,"OBJECTSTORAGE_BUCKET":null,"OBJECTSTORAGE_ENDPOINT":null,"OBJECTSTORAGE_KEY":null,"SERVER_LOGLEVEL":"http","SERVER_PORT":"3000","SERVER_TEMP_EXPIRESIN":"300"}` | These values will be wholesale added to the configmap as is; refer to the coms documentation for what each of these values mean and whether you need them defined. Ensure that all values are represented explicitly as strings, as non-string values will not translate over as expected into container environment variables. For configuration keys named `*_ENABLED`, either leave them commented/undefined, or set them to string value "true". |
-| config.enabled | bool | `false` | |
+| config.enabled | bool | `false` | Set to true if you want to let Helm manage and overwrite your configmaps. |
 | config.releaseScoped | bool | `false` | This should be set to true if and only if you require configmaps and secrets to be release scoped. In the event you want all instances in the same namespace to share a similar configuration, this should be set to false |
-| dbSecretOverride.password | string | `nil` | |
-| dbSecretOverride.username | string | `nil` | |
+| dbSecretOverride.password | string | `nil` | Database password |
+| dbSecretOverride.username | string | `nil` | Database username |
 | failurePolicy | string | `"Retry"` | |
 | features.basicAuth | bool | `false` | Specifies whether basic auth is enabled |
 | features.defaultBucket | bool | `false` | Specifies whether a default bucket is enabled |
 | features.oidcAuth | bool | `false` | Specifies whether oidc auth is enabled |
 | fullnameOverride | string | `nil` | String to fully override fullname |
-| image.pullPolicy | string | `"IfNotPresent"` | |
-| image.repository | string | `"docker.io/bcgovimages"` | |
-| image.tag | string | `nil` | |
+| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy |
+| image.repository | string | `"docker.io/bcgovimages"` | Default image repository |
+| image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` | Specify docker-registry secret names as an array |
-| keycloakSecretOverride.password | string | `nil` | |
-| keycloakSecretOverride.username | string | `nil` | |
+| keycloakSecretOverride.password | string | `nil` | Keycloak password |
+| keycloakSecretOverride.username | string | `nil` | Keycloak username |
 | nameOverride | string | `nil` | String to partially override fullname |
 | networkPolicy.enabled | bool | `true` | Specifies whether a network policy should be created |
-| objectStorageSecretOverride.password | string | `nil` | |
-| objectStorageSecretOverride.username | string | `nil` | |
-| patroni.enabled | bool | `false` | |
+| objectStorageSecretOverride.password | string | `nil` | Object storage password |
+| objectStorageSecretOverride.username | string | `nil` | Object storage username |
+| patroni.enabled | bool | `false` | Controls whether to enable managing a Patroni db dependency as a part of the helm release |
 | podAnnotations | object | `{}` | Annotations for coms pods |
-| podSecurityContext | object | `{}` | |
+| podSecurityContext | object | `{}` | Privilege and access control settings |
 | replicaCount | int | `2` | |
-| resources.limits.cpu | string | `"200m"` | |
-| resources.limits.memory | string | `"512Mi"` | |
-| resources.requests.cpu | string | `"50m"` | |
-| resources.requests.memory | string | `"128Mi"` | |
+| resources.limits.cpu | string | `"200m"` | Limit Peak CPU (in millicores ex. 1000m) |
+| resources.limits.memory | string | `"512Mi"` | Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi) |
+| resources.requests.cpu | string | `"50m"` | Requested CPU (in millicores ex. 500m) |
+| resources.requests.memory | string | `"128Mi"` | Requested Memory (in gigabytes Gi or megabytes Mi ex. 500Mi) |
 | route.annotations | object | `{}` | Annotations to add to the route |
 | route.enabled | bool | `true` | Specifies whether a route should be created |
 | route.host | string | `"chart-example.local"` | |
 | route.tls.insecureEdgeTerminationPolicy | string | `"Redirect"` | |
 | route.tls.termination | string | `"edge"` | |
 | route.wildcardPolicy | string | `"None"` | |
-| securityContext | object | `{}` | |
-| service.port | int | `3000` | |
-| service.portName | string | `"http"` | |
-| service.type | string | `"ClusterIP"` | |
+| securityContext | object | `{}` | Privilege and access control settings |
+| service.port | int | `3000` | Service port |
+| service.portName | string | `"http"` | Service port name |
+| service.type | string | `"ClusterIP"` | Service type |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.enabled | bool | `false` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `nil` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
diff --git a/charts/coms/values.yaml b/charts/coms/values.yaml
index 7b90f76d..fc41e080 100644
--- a/charts/coms/values.yaml
+++ b/charts/coms/values.yaml
@@ -5,9 +5,11 @@ replicaCount: 2
 image:
+ # -- Default image repository
 repository: docker.io/bcgovimages
+ # -- Default image pull policy
 pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
+ # -- Overrides the image tag whose default is the chart appVersion.
 tag: ~
 # -- Specify docker-registry secret names as an array
@@ -23,9 +25,11 @@ failurePolicy: Retry
 # -- Annotations for coms pods
 podAnnotations: {}
+# -- Privilege and access control settings
 podSecurityContext: {}
 # fsGroup: 2000
+# -- Privilege and access control settings
 securityContext: {}
 # capabilities:
 # drop:
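Review bot: The new `# -- Privilege and access control settings` comment is added verbatim above both `podSecurityContext: {}` and `securityContext: {}`, so the README table generated in this same commit gives two keys the identical description even though they presumably render into the pod spec and the container spec respectively. Distinguishing them tells an operator which level they are overriding: `# -- Pod-level security context (e.g. fsGroup)` above `podSecurityContext` and `# -- Container-level security context (e.g. dropped capabilities, no privilege escalation, read-only root filesystem)` above `securityContext`. Both keys default to `{}`, so the commented suggestions beneath them (`# fsGroup: 2000`, `# capabilities:` / `# drop:`) are documentation only; the comment could also say that the chart ships no hardened default unless the operator sets one. The `securityContext` block continues past the end of the hunk.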
@@ -73,8 +77,11 @@ networkPolicy:
 enabled: true
 service:
+ # -- Service type
 type: ClusterIP
+ # -- Service port
 port: 3000
+ # -- Service port name
 portName: http
 route:
@@ -97,10 +104,14 @@ resources:
 # resources, such as Minikube. If you do want to specify resources, uncomment the following
 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
 limits:
+ # -- Limit Peak CPU (in millicores ex. 1000m)
 cpu: 200m
+ # -- Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi)
 memory: 512Mi
 requests:
+ # -- Requested CPU (in millicores ex. 500m)
 cpu: 50m
+ # -- Requested Memory (in gigabytes Gi or megabytes Mi ex. 500Mi)
 memory: 128Mi
 features:
@@ -112,7 +123,7 @@ features:
 oidcAuth: false
 config:
- # Set to true if you want to let Helm manage and overwrite your configmaps.
+ # -- Set to true if you want to let Helm manage and overwrite your configmaps.
 enabled: false
 # -- This should be set to true if and only if you require configmaps and secrets to be release
@@ -154,21 +165,29 @@ config:
 # Modify the following variables if you need to acquire secret values from a custom-named resource
 basicAuthSecretOverride:
+ # -- Basic authentication username
 username: ~
+ # -- Basic authentication password
 password: ~
 dbSecretOverride:
+ # -- Database username
 username: ~
+ # -- Database password
 password: ~
 keycloakSecretOverride:
+ # -- Keycloak username
 username: ~
+ # -- Keycloak password
 password: ~
 objectStorageSecretOverride:
+ # -- Object storage username
 username: ~
+ # -- Object storage password
 password: ~
 # Patroni subchart configuration overrides
 patroni:
- # Controls whether to enable managing a Patroni db dependency as a part of the helm release
+ # -- Controls whether to enable managing a Patroni db dependency as a part of the helm release
 enabled: false
 # replicaCount: 3
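Review bot: The new `# -- Basic authentication username` / `# -- Basic authentication password` descriptions in the `@@ -154` hunk do not say what kind of value the field expects, and the unchanged heading just above them (`# Modify the following variables if you need to acquire secret values from a custom-named resource`) reads as if a resource name were expected, while the new wording reads as a literal credential. If the field takes the credential itself, the README generated from these comments should say so, since whatever is set here is kept by Helm with the release and in any values file an operator commits; something like `# -- Basic authentication username (literal value; supply via --set or an uncommitted values file rather than committing it)` makes that explicit. If it instead names an existing Secret, the comment should say which resource and key are read. The same wording gap applies to the `dbSecretOverride`, `keycloakSecretOverride` and `objectStorageSecretOverride` entries in this hunk.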