From 65b2b2ab0c6816314a0593d43e0d49e44945c984 Mon Sep 17 00:00:00 2001
From: Nick
Date: Thu, 9 Jan 2025 11:35:02 +0000
Subject: [PATCH 1/3] INFRA-39152: Use updated image for `aws-es-proxy` and switch to using `mintel` user
---
 charts/standard-application-stack/CHANGELOG.md | 4 ++++
 charts/standard-application-stack/README.md | 6 +++---
 .../templates/deployment-aws-es-proxy.yaml | 2 +-
 .../__snapshot__/opensearch_aws_es_proxy_test.yaml.snap | 4 ++--
 .../tests/opensearch_aws_es_proxy_test.yaml | 2 +-
 charts/standard-application-stack/values.yaml | 2 +-
 6 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/charts/standard-application-stack/CHANGELOG.md b/charts/standard-application-stack/CHANGELOG.md
index 7da25bab..336386e3 100644
--- a/charts/standard-application-stack/CHANGELOG.md
+++ b/charts/standard-application-stack/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v7.8.0] - 2025-01-09
+### Changed
+- Use updated image for `aws-es-proxy` and switch to using `mintel` user
+
 ## [v7.7.0] - 2025-01-09
 ### Changed
 - Use updated image for `aws-es-proxy`
diff --git a/charts/standard-application-stack/README.md b/charts/standard-application-stack/README.md
index cb4fcb5c..b5310c95 100644
--- a/charts/standard-application-stack/README.md
+++ b/charts/standard-application-stack/README.md
@@ -239,8 +239,8 @@ A generic chart to support most common application requirements
 | oauthProxy.skipAuthRegexes | list | `[]` | Optional: list of URL endpoints to bypass oauth-proxy for Health check and readiness urls are skipped automatically |
 | oauthProxy.type | string | `"portal"` | Identifies oauth-proxy as auth'ing with a mintel portal instance |
 | oauthProxy.userIdClaim | string | `""` | Optional: Claim contains the user ID |
-| opensearch | object | `{"awsEsProxy":{"enabled":false,"ingress":{"alb":{"backendProtocol":"HTTP","backendProtocolVersion":"HTTP1","healthcheck":{"healthyThresholdCount":2,"intervalSeconds":15,"path":"/_cluster/health","protocol":"HTTP","timeoutSeconds":5,"unhealthyThresholdCount":2},"okta":{"authOnUnauthenticated":"authenticate","enabled":false,"extraRedirectPaths":[],"groups":"","ingressName":"","redirectPath":"","users":""},"preStopDelay":{"delaySeconds":15,"enabled":true},"scheme":"internet-facing","targetGroupAttributes":{"deregistration_delay.timeout_seconds":5,"load_balancing.algorithm.type":"least_outstanding_requests"}},"enabled":false,"extraAnnotations":{},"path":"/_dashboards"},"port":9200,"resources":{"limits":{"memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}},"enabled":false,"outputSecret":true,"secretRefreshIntervalOverride":"","secretStoreRefOverride":""}` | Configures AWS Opensearch deployment/connections |
-| opensearch.awsEsProxy | object | `{"enabled":false,"ingress":{"alb":{"backendProtocol":"HTTP","backendProtocolVersion":"HTTP1","healthcheck":{"healthyThresholdCount":2,"intervalSeconds":15,"path":"/_cluster/health","protocol":"HTTP","timeoutSeconds":5,"unhealthyThresholdCount":2},"okta":{"authOnUnauthenticated":"authenticate","enabled":false,"extraRedirectPaths":[],"groups":"","ingressName":"","redirectPath":"","users":""},"preStopDelay":{"delaySeconds":15,"enabled":true},"scheme":"internet-facing","targetGroupAttributes":{"deregistration_delay.timeout_seconds":5,"load_balancing.algorithm.type":"least_outstanding_requests"}},"enabled":false,"extraAnnotations":{},"path":"/_dashboards"},"port":9200,"resources":{"limits":{"memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}}` | Configures aws-es-proxy to enable external access to opensearch |
+| opensearch | object | `{"awsEsProxy":{"enabled":false,"ingress":{"alb":{"backendProtocol":"HTTP","backendProtocolVersion":"HTTP1","healthcheck":{"healthyThresholdCount":2,"intervalSeconds":15,"path":"/_cluster/health","protocol":"HTTP","timeoutSeconds":5,"unhealthyThresholdCount":2},"okta":{"authOnUnauthenticated":"authenticate","enabled":false,"extraRedirectPaths":[],"groups":"","ingressName":"","redirectPath":"","users":""},"preStopDelay":{"delaySeconds":15,"enabled":true},"scheme":"internet-facing","targetGroupAttributes":{"deregistration_delay.timeout_seconds":5,"load_balancing.algorithm.type":"least_outstanding_requests"}},"enabled":false,"extraAnnotations":{},"path":"/_dashboards"},"port":9200,"resources":{"limits":{"memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}},"enabled":false,"outputSecret":true,"secretRefreshIntervalOverride":"","secretStoreRefOverride":""}` | Configures AWS Opensearch deployment/connections |
+| opensearch.awsEsProxy | object | `{"enabled":false,"ingress":{"alb":{"backendProtocol":"HTTP","backendProtocolVersion":"HTTP1","healthcheck":{"healthyThresholdCount":2,"intervalSeconds":15,"path":"/_cluster/health","protocol":"HTTP","timeoutSeconds":5,"unhealthyThresholdCount":2},"okta":{"authOnUnauthenticated":"authenticate","enabled":false,"extraRedirectPaths":[],"groups":"","ingressName":"","redirectPath":"","users":""},"preStopDelay":{"delaySeconds":15,"enabled":true},"scheme":"internet-facing","targetGroupAttributes":{"deregistration_delay.timeout_seconds":5,"load_balancing.algorithm.type":"least_outstanding_requests"}},"enabled":false,"extraAnnotations":{},"path":"/_dashboards"},"port":9200,"resources":{"limits":{"memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}}` | Configures aws-es-proxy to enable external access to opensearch |
 | opensearch.awsEsProxy.enabled | bool | `false` | Set to true to add an aws-es-proxy deployment in front of opensearch |
 | opensearch.awsEsProxy.ingress.alb.backendProtocol | string | `"HTTP"` | Application Version (HTTP / HTTPS) |
 | opensearch.awsEsProxy.ingress.alb.backendProtocolVersion | string | `"HTTP1"` | Application Protocol Version (HTTP1 / HTTP2 / GRPC) |
@@ -264,7 +264,7 @@ A generic chart to support most common application requirements
 | opensearch.awsEsProxy.ingress.path | string | `"/_dashboards"` | Path for the Ingress |
 | opensearch.awsEsProxy.port | int | `9200` | Port for aws-es-proxy to listen on |
 | opensearch.awsEsProxy.resources | object | `{"limits":{"memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | Container resource requests and limits for aws-es-proxy sidecar ref: http://kubernetes.io/docs/user-guide/compute-resources |
-| opensearch.awsEsProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Ingress for aws-es-proxy |
+| opensearch.awsEsProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | Ingress for aws-es-proxy |
 | opensearch.enabled | bool | `false` | Set to true if deployment makes use of AWS opensearch |
 | opensearch.outputSecret | bool | `true` | set outputSecret to true to allow TF Cloud chart create ExternalSecrets |
 | opensearch.secretRefreshIntervalOverride | string | `""` | Optional: ExternalSecret refreshInterval override |
diff --git a/charts/standard-application-stack/templates/deployment-aws-es-proxy.yaml b/charts/standard-application-stack/templates/deployment-aws-es-proxy.yaml
index 4db777ba..c409234b 100644
--- a/charts/standard-application-stack/templates/deployment-aws-es-proxy.yaml
+++ b/charts/standard-application-stack/templates/deployment-aws-es-proxy.yaml
@@ -33,7 +33,7 @@ spec:
 {{- include "mintel_common.topologySpreadConstraints" $data | nindent 6 }}
 containers:
 - name: main
- image: {{ .Values.opensearch.awsEsProxy.image | default "551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/aws-es-proxy:v0.1.0" }}
+ image: {{ .Values.opensearch.awsEsProxy.image | default "551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/aws-es-proxy:v0.2.0" }}
 imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
 args:
 - -listen=0.0.0.0:9200
diff --git a/charts/standard-application-stack/tests/__snapshot__/opensearch_aws_es_proxy_test.yaml.snap b/charts/standard-application-stack/tests/__snapshot__/opensearch_aws_es_proxy_test.yaml.snap
index 41ad8637..890ce4a2 100644
--- a/charts/standard-application-stack/tests/__snapshot__/opensearch_aws_es_proxy_test.yaml.snap
+++ b/charts/standard-application-stack/tests/__snapshot__/opensearch_aws_es_proxy_test.yaml.snap
@@ -186,7 +186,7 @@ Check awsEsProxy deployment is created if enabled:
 envFrom:
 - secretRef:
 name: example-app-opensearch
- image: 551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/aws-es-proxy:v0.1.0
+ image: 551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/aws-es-proxy:v0.2.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
 tcpSocket:
@@ -215,7 +215,7 @@ Check awsEsProxy deployment is created if enabled:
 drop:
 - ALL
 runAsNonRoot: true
- runAsUser: 65534
+ runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
 startupProbe:
diff --git a/charts/standard-application-stack/tests/opensearch_aws_es_proxy_test.yaml b/charts/standard-application-stack/tests/opensearch_aws_es_proxy_test.yaml
index 5a750c83..a0e400b5 100644
--- a/charts/standard-application-stack/tests/opensearch_aws_es_proxy_test.yaml
+++ b/charts/standard-application-stack/tests/opensearch_aws_es_proxy_test.yaml
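Review bot: The new default image on the `+` line is still addressed by the mutable tag `v0.2.0`, while the same series ties the container to `runAsUser: 1000` (values.yaml hunk), so the chart now depends on whatever that tag ships continuing to provide a uid-1000 user — presumably the `mintel` user named in the subject. A re-pushed tag could change that without any chart change noticing, so consider pinning the default by digest, `aws-es-proxy:v0.2.0@sha256:<digest-placeholder>`, or at minimum record the coupling in the template with a comment such as `# v0.2.0 runs as the image's non-root user (uid 1000); keep opensearch.awsEsProxy.securityContext.runAsUser in step with the image`. The `containers` block this line belongs to continues outside the hunk.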
@@ -23,7 +23,7 @@ tests:
 value: example-app-aws-es-proxy
 - equal:
 path: spec.template.spec.containers[0].image
- value: 551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/aws-es-proxy:v0.1.0
+ value: 551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/aws-es-proxy:v0.2.0
 - it: Check awsEsProxy service is created if enabled
 template: service-aws-es-proxy.yaml
diff --git a/charts/standard-application-stack/values.yaml b/charts/standard-application-stack/values.yaml
index 591938ff..db7cddec 100644
--- a/charts/standard-application-stack/values.yaml
+++ b/charts/standard-application-stack/values.yaml
@@ -1248,7 +1248,7 @@ opensearch:
 drop:
 - ALL
 runAsNonRoot: true
- runAsUser: 65534
+ runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
 ingress:
From 4a1391754c448a1f0c247722dc9fbb349923cace Mon Sep 17 00:00:00 2001
From: Nick
Date: Thu, 9 Jan 2025 11:39:14 +0000
Subject: [PATCH 2/3] Bump chart version
---
 charts/standard-application-stack/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/standard-application-stack/Chart.yaml b/charts/standard-application-stack/Chart.yaml
index 291b3e13..c62948b6 100644
--- a/charts/standard-application-stack/Chart.yaml
+++ b/charts/standard-application-stack/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 7.7.0
+version: 7.8.0
 dependencies:
 - name: redis
From 16afeb7fc2bf1b59a790de9c0474a0cfe683411c Mon Sep 17 00:00:00 2001
From: Nick
Date: Thu, 9 Jan 2025 12:04:35 +0000
Subject: [PATCH 3/3] Bump helm-docs
---
 charts/standard-application-stack/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
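Review bot: The test only re-pins the image tag on the `+` line; the uid change made in the same commit (`runAsUser: 65534` to `1000` in values.yaml) is covered solely by the regenerated snapshot, which is the kind of diff that tends to be accepted without reading. An explicit assertion alongside the image check would pin the intent: `- equal:` / `path: spec.template.spec.containers[0].securityContext.runAsUser` / `value: 1000`. That path is inferred from the snapshot, where `runAsUser` sits beside the container's `startupProbe` and so appears to be the container-level securityContext rather than the pod's — confirm against the template. The `asserts` list this hunk belongs to starts outside the hunk.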
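Review bot: The new `runAsUser: 1000` default carries no comment saying why it moved off 65534, so a maintainer cannot tell it is tied to the uid baked into the `aws-es-proxy:v0.2.0` image rather than an arbitrary non-root choice; a line above it such as `# Must match the uid of the non-root user in the aws-es-proxy image (v0.2.0: mintel, uid 1000)` would record that coupling and warn anyone overriding `image`. Relatedly, the generated README row for `opensearch.awsEsProxy.securityContext` (README hunk `@@ -264`) describes it as "Ingress for aws-es-proxy" on both the old and new side, which suggests the helm-docs `# --` comment above this `securityContext` block duplicates the ingress comment; that comment line is outside the hunk, as is the start of the enclosing `awsEsProxy` mapping.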
diff --git a/charts/standard-application-stack/README.md b/charts/standard-application-stack/README.md
index b5310c95..5d04e5bb 100644
--- a/charts/standard-application-stack/README.md
+++ b/charts/standard-application-stack/README.md
@@ -1,6 +1,6 @@
 # standard-application-stack
-![Version: 7.7.0](https://img.shields.io/badge/Version-7.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 7.8.0](https://img.shields.io/badge/Version-7.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 A generic chart to support most common application requirements