diff --git a/.github/workflows/friendly-umbrella-deploy.yml b/.github/workflows/friendly-umbrella-deploy.yml
new file mode 100644
index 0000000..00717b3
--- /dev/null
+++ b/.github/workflows/friendly-umbrella-deploy.yml
@@ -0,0 +1,75 @@
+name: Deploy Friendly-Umbrella
+on:
+ push:
+jobs:
+ build:
+ runs-on:
+ - codebuild-cfpb-cfgov-testing-gha-${{ github.run_id }}-${{ github.run_attempt }}
+ steps:
+ - name: Checkout Friendly-Umbrella
+ uses: actions/checkout@v2
+
+ - name: Retrieve Security Scan Secrets
+ uses: aws-actions/aws-secretsmanager-get-secrets@v2
+ with:
+ secret-ids: |
+ , ${{ secrets.SECURITY_SCAN_SECRET }}
+ parse-json-secrets: true
+
+ - name: Build Docker Image
+ run: |
+
+ # Build Friendly-Umbrella Image
+ docker build -t ${{ secrets.ECR_REPO }}:$GITHUB_SHA .
+
+ - name: Security Scan with Twistlock
+ run: |
+
+ curl -k -u "$TL_USER:$TL_PASSWORD" "$TL_CONSOLE_URL/api/v1/util/twistcli" --output twistcli
+ chmod +x twistcli
+
+ ./twistcli images scan --details -address "${TL_CONSOLE_URL}" -u "${TL_USER}" -p "${TL_PASSWORD}" ${{ secrets.ECR_REPO }}:$GITHUB_SHA tee twistcli.log; EXITCODE=$?
+
+
+ - name: Push to ECR
+ run: |
+
+ # Login to ECR
+ aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username ${{ secrets.AWS_USERNAME }} --password-stdin ${{ secrets.ECR_REGISTRY }}
+
+ # Push to ECR
+ docker push ${{ secrets.ECR_REPO }}:$GITHUB_SHA
+
+ - name: Install K8s/Helm
+ run: |
+
+ # Install Helm
+ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+ chmod 700 get_helm.sh
+ ./get_helm.sh
+
+ # Install kubectl
+ curl -o ./kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl
+ curl -o ./kubectl.sha256 https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl.sha256
+ (diff <(openssl sha256 kubectl | awk {'print $2'}) <(cat kubectl.sha256 | awk {'print $1'}) &&
+ echo 'kubectl checksum matches, enabling usage') || (echo 'kubectl checksum failed, exiting' && exit 1)
+ chmod +x kubectl
+ mkdir -p $HOME/bin && mv kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
+ echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
+ source 
~/.bashrc
+ kubectl version --client
+
+ # Update kubeconfig to point to EKS Cluster
+ aws eks update-kubeconfig --name $CLUSTER_NAME --region us-east-1
+
+ - name: Install Helm Chart on EKS
+ run: >
+ helm upgrade --install friendly-umbrella ./helm
+ -n ${{ secrets.NAMESPACE }} -f ./helm/values.yaml
+ --set image.repository=${{ secrets.ECR_REPO }}
+ --set image.tag=$GITHUB_SHA
+ --set mapping.host=${{ secrets.HOST }}
+ --set serviceAccount.name=${{ secrets.K8S_SERVICE_ACCOUNT }}
+ --set config.AWS_STORAGE_BUCKET_NAME=${{ secrets.BUCKET_NAME }}
+ --set serviceAccount.name=${{ secrets.K8S_SERVICE_ACCOUNT }}
+ --set config.AWS_STORAGE_BUCKET_NAME=${{ secrets.BUCKET_NAME }}
diff --git a/friendly_umbrella/settings.py b/friendly_umbrella/settings.py
index 15b9aa6..f21b65e 100644
--- a/friendly_umbrella/settings.py
+++ b/friendly_umbrella/settings.py
@@ -39,6 +39,7 @@ ALLOWED_HOSTS = ["*"]
+CSRF_TRUSTED_ORIGINS = ["https://*.cfpb.gov"]
# Application definition
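Review bot: In the "Security Scan with Twistlock" step the scan result never gates the push: `tee twistcli.log` is passed to twistcli as an extra argument because the `|` before it is missing, and `EXITCODE` is assigned but never read, so "Push to ECR" and the helm install run even when the scan fails. Change the line to `./twistcli images scan --details -address "${TL_CONSOLE_URL}" -u "${TL_USER}" -p "${TL_PASSWORD}" ${{ secrets.ECR_REPO }}:$GITHUB_SHA | tee twistcli.log; EXITCODE=${PIPESTATUS[0]}` and follow it with `[ "$EXITCODE" -eq 0 ] || exit "$EXITCODE"`. The same step downloads twistcli with `curl -k`, which disables certificate verification for a request that carries the console credentials in `-u` and whose downloaded file is then made executable and run; drop `-k`, or pin the console's CA with `--cacert` if it is not in the runner's trust store. The Helm installer is fetched from the `main` branch of the helm repository and executed with no checksum, whereas kubectl below it is verified against a published sha256; pin the script to a release tag or verify it the same way. Two smaller points: `on: push:` has no branch filter, so a push to any branch deploys to the cluster, and the "Install Helm Chart on EKS" step repeats the `--set serviceAccount.name` and `--set config.AWS_STORAGE_BUCKET_NAME` lines.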
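Review bot: `CSRF_TRUSTED_ORIGINS` is hard-coded to a wildcard over every `cfpb.gov` subdomain, while the rest of this file reads deployment-specific values through `os.getenv`; `CSRF_TRUSTED_ORIGINS = os.getenv("CSRF_TRUSTED_ORIGINS", "https://*.cfpb.gov").split(",")` keeps the current default and lets each environment trust only its own host. The `ALLOWED_HOSTS = ["*"]` context line just above it means Django still accepts any Host header, so this origin list is the only setting tied to the real hostname; it is worth narrowing `ALLOWED_HOSTS` in the same change now that the chart carries the host in `mapping.host`. A short comment naming which deployments the wildcard is meant for would help the next reader, e.g. `# Origins allowed to send state-changing requests; one entry per public hostname.`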
@@ -139,18 +140,11 @@ DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
-
-# If AWS credentials and a bucket are provided, use S3 for file upload storage
-AWS_ACCESS_KEY_ID = os.getenv("AWS_ACCESS_KEY_ID")
-AWS_SECRET_ACCESS_KEY = os.getenv("AWS_SECRET_ACCESS_KEY")
-AWS_STORAGE_BUCKET_NAME = os.getenv("AWS_STORAGE_BUCKET_NAME")
-if (
- AWS_ACCESS_KEY_ID is not None
- and AWS_SECRET_ACCESS_KEY is not None
- and AWS_STORAGE_BUCKET_NAME is not None
-):
+# Use S3 for file storage if a bucket name is provided.
+if _aws_s3_bucket := os.getenv("AWS_STORAGE_BUCKET_NAME"):
DEFAULT_FILE_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
+ AWS_STORAGE_BUCKET_NAME = _aws_s3_bucket
- # Allow setting AWS_S3_ENDPOINT_URL to enable testing against a local S3
- if os.getenv("AWS_S3_ENDPOINT_URL") is not None:
- AWS_S3_ENDPOINT_URL = os.getenv("AWS_S3_ENDPOINT_URL")
+ # Allow testing against a mock S3 using Localstack and awslocal.
+ if _s3_endpoint_url := os.getenv("AWS_S3_ENDPOINT_URL"):
+ AWS_S3_ENDPOINT_URL = _s3_endpoint_url
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
new file mode 100644
index 0000000..6cdc119
--- /dev/null
+++ b/helm/templates/configmap.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-configmap
+data:
+ {{- with .Values.config }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index 58e733e..81db6e1 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -32,6 +32,9 @@ spec:
image: "{{ .repository }}:{{ .tag }}"
imagePullPolicy: {{ .pullPolicy }}
{{- end }}
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-configmap
ports: - name: http containerPort: {{ .Values.service.port }}
diff --git a/helm/templates/mapping.yaml b/helm/templates/mapping.yaml
new file mode 100644
index 0000000..441f700
--- /dev/null
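Review bot: Dropping the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` checks changes the contract silently: with only a bucket name set, S3 storage is now selected even when no static credentials are configured, and the storage backend is left to resolve credentials from boto3's default provider chain (presumably the pod's IAM role via the `serviceAccount.name` this commit adds to the chart). The new comment should say so, since nothing in the block reads credentials any more, e.g. `# Credentials are not configured here; boto3 resolves them from its default chain (env vars, or the pod's IAM role).` It is also worth stating in the same comment that an empty `AWS_STORAGE_BUCKET_NAME` now falls back to local storage, because the helm values default it to a placeholder string rather than empty.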
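Review bot: `toYaml . | nindent 4` copies `.Values.config` verbatim into `data`, but ConfigMap `data` values must be strings, so any entry that `--set` types as a bool or number (for example `--set config.DEBUG=true`, a constructed example) renders unquoted and the API server rejects the object. Render the keys explicitly in place of the `with` block: `{{- range $k, $v := .Values.config }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}`. Because deployment.yaml injects everything under `config` as container environment, a header comment stating that this map is for non-sensitive settings only, with credentials belonging in a Secret referenced via `secretRef`, would prevent the obvious misuse. The name uses `.Release.Name` while mapping.yaml uses `include "friendly-umbrella.fullname"`; pick one convention so the chart's resources are named consistently.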
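Review bot: The `configMapRef` is added unconditionally, but configmap.yaml only renders when `.Values.config` is non-empty, so a release with `config` unset produces pods that fail at startup with a missing-ConfigMap error. Either wrap the three new lines in `{{- if .Values.config }}` … `{{- end }}` to mirror the template, or add `optional: true` under `configMapRef` if starting without the map is acceptable. The enclosing container spec starts and ends outside the hunk, so the indentation of the new block relative to `ports:` cannot be checked here.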
+++ b/helm/templates/mapping.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.mapping.enabled }}
+---
+apiVersion: getambassador.io/v2
+kind: Mapping
+metadata:
+ name: {{ include "friendly-umbrella.fullname" . }}
+ labels:
+ {{- include "friendly-umbrella.labels" . | nindent 4 }}
+spec:
+ ambassador_id:
+ {{- toYaml .Values.mapping.ambassador_id | nindent 4 }}
+ host: {{ .Values.mapping.host }}
+ prefix: {{ .Values.mapping.prefix | default "/" }}
+ service: {{ include "friendly-umbrella.fullname" . }}:{{ .Values.service.port }}
+ timeout_ms: 0
+{{- end }}
\ No newline at end of file
diff --git a/helm/values.yaml b/helm/values.yaml
index ea90a1c..f3ec092 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -9,3 +9,14 @@ service:
serviceAccount:
create: false
+ name: service-account-name
+
+config:
+ AWS_STORAGE_BUCKET_NAME: bucket_name
+
+mapping:
+ enabled: true
+ host: "friendly-umbrella.localhost"
+ ambassador_id:
+ - "--apiVersion-v3alpha1-only--default"
+ prefix: "/"
\ No newline at end of file
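Review bot: `host:` and `service:` are emitted as plain scalars: `mapping.host` is supplied from a repository secret by the workflow's `--set`, so an empty value renders as YAML null and a numeric-looking one changes type, and `service:` only stays a string while the port after the `:` is numeric. Use `host: {{ required "mapping.host is required" .Values.mapping.host | quote }}` and `service: {{ printf "%s:%v" (include "friendly-umbrella.fullname" .) .Values.service.port | quote }}`, so a missing host fails at render time instead of producing a Mapping that routes nothing. The file is also missing its trailing newline.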
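Review bot: The new defaults are placeholders that still render a valid-looking release when the workflow's `--set` overrides are omitted: `serviceAccount.name: service-account-name` with `create: false` points pods at an account that does not exist, `config.AWS_STORAGE_BUCKET_NAME: bucket_name` makes settings.py select S3 storage against a bogus bucket, and `mapping.enabled: true` publishes a Mapping for `friendly-umbrella.localhost`. Prefer inert defaults — `name: ""`, `AWS_STORAGE_BUCKET_NAME: ""`, `enabled: false` — and put a comment above each key noting that the deploy workflow supplies the real value, e.g. `# Set by the deploy workflow via --set; leave empty here.` Add a newline at end of file as well.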