diff --git a/README.md b/README.md index 1f28c3e..8b550c0 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # ClamAV Mirror [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE) [![Lifecycle:Stable](https://img.shields.io/badge/Lifecycle-Stable-97ca00)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md) -[![Docker](https://github.com/bcgov/clamav-mirror/actions/workflows/docker-image.yaml/badge.svg)](https://github.com/bcgov/clamav-mirror/actions/workflows/docker-image.yaml) +[![Docker](https://github.com/bcgov/clamav-mirror/actions/workflows/on-push.yaml/badge.svg)](https://github.com/bcgov/clamav-mirror/actions/workflows/docker-image.yaml) ![Image of ClamAV](https://www.clamav.net/assets/clamav-trademark.png) diff --git a/docker/src/Caddyfile b/docker/src/Caddyfile index 5220b3d..73a66a6 100644 --- a/docker/src/Caddyfile +++ b/docker/src/Caddyfile @@ -7,5 +7,6 @@ :8080 { file_server browse + log root * /mnt/cvdupdate/databases } diff --git a/openshift/README.md b/openshift/README.md index 2f95ac9..9c071d5 100644 --- a/openshift/README.md +++ b/openshift/README.md @@ -5,7 +5,6 @@ This application can be deployed onto Openshift. This readme will outline how to ## Table of Contents - [Infrastructure](#infrastructure) -- [Openshift Deployment Prerequisites](#openshift-deployment-prerequisites) - [Environment Setup - ConfigMaps and Secrets](#environment-setup---configmaps-and-secrets) - [Build Config & Deployment](#build-config--deployment) - [Templates](#templates) 
@@ -18,25 +17,11 @@ This application has a relatively simple architecture to achieve the following: 1. Act as a mirror for the ClamAV Database files within the cluster 2. Periodically fetch and update the definition files from upstream -![Infrastructure](infrastructure.png) +![Infrastructure](infrastructure.png) **Figure 1 - General Openshift infrastructure diagram** We achieve the first objective by leveraging Caddy in High Availability mode to host the files, and utilize an Openshift CronJob to update the definition files 3 times a day using the cvdupdate library. The definition files are stored on a persistent volume claim and updated as needed. In order to minimize the potential attack surface, we drop all network traffic that does not come from the cluster itself in the Openshift route definition. -## Openshift Deployment Prerequisites - -We assume you are logged into OpenShift and are in the repo/openshift local directory. We will run the scripts from there. - -### Add Default Kubernetes Network Policies - -Your namespace should already be a Network Policy named similar to `platform-services-controlled-deny-by-default`. Before deploying, ensure that you have the Network Policy `allow-from-openshift-ingress` by running the following: - -``` sh -export NAMESPACE= - -oc process -n $NAMESPACE -f https://raw.githubusercontent.com/wiki/bcgov/nr-get-token/assets/templates/default.np.yaml | oc apply -n $NAMESPACE -f - -``` - ## Environment Setup - ConfigMaps and Secrets This application requires a Config Map to define the Caddyfile configuration. However, this is embedded as a part of the deployment template, so no manual steps are required to have it be deployed. This application does not need to manage secrets. 
@@ -47,40 +32,7 @@ This application is currently designed as a single application pod deployment. I ## Templates -The Jenkins pipeline heavily leverages Openshift Templates in order to ensure that all of the environment variables, settings, and contexts are pushed to Openshift correctly. Files ending with `.bc.yaml` specify the build configurations, while files ending with `.dc.yaml` specify the components required for deployment. - -### Build Configurations - -Build configurations will emit and handle the chained builds or standard builds as necessary. They take in the following parameters: - -| Name | Required | Description | -| --- | --- | --- | -| BASE_IMAGE | yes | Base Image to build from | -| REPO_NAME | yes | Application repository name | -| SOURCE_REPO_REF | yes | Git Pull Request Reference (i.e. 'pull/CHANGE_ID/head') | -| SOURCE_REPO_URL | yes | Git Repository URL | - -The template can be manually invoked and deployed via Openshift CLI. For example: - -```sh -export NAMESPACE= - -oc process -n $NAMESPACE -f openshift/app.bc.yaml -p REPO_NAME=clamav-mirror -p SOURCE_REPO_URL=https://github.com/bcgov/clamav-mirror.git -p SOURCE_REPO_REF=master -o yaml | oc apply -n $NAMESPACE -f - -``` - -Note that these build configurations do not have any triggers defined. They need to be started manually in the console, or by an equivalent oc command for example: - -```sh -oc start-build -n $NAMESPACE --follow -``` - -While this deployment does not use explicitly managed tags (sticks with the latest build tag instead), we generally tag the resultant image so that the deployment config will know which exact image to use. The equivalent oc command for example is: - -```sh -oc tag -n $NAMESPACE :latest :master -``` - -*Note: Remember to swap out the bracketed values with the appropriate values!* +The templates are mainly used for defining the yaml manifests needed for this application to run and update correctly in an Openshift environment. ### Deployment Configurations 
@@ -93,7 +45,6 @@ Our application template take in mainly the following parameters: | APP_NAME | yes | short name for the application | | INSTANCE | yes | The name of this instance of the application | | NAMESPACE | yes | which namespace/"environment" are we deploying to? dev, test, prod? | -| REPO_NAME | yes | Application repository name | | ROUTE_HOST | yes | The host the route will use to expose service outside cluster | Deployment invocation can be done manually with the following for example: @@ -102,7 +53,7 @@ Deployment invocation can be done manually with the following for example: export NAMESPACE= export APP_NAME= -oc process -n $NAMESPACE -f openshift/app.dc.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -p REPO_NAME=clamav-mirror -p ROUTE_HOST=clamav-mirror.apps.silver.devops.gov.bc.ca -o yaml | oc apply -n $NAMESPACE -f - +oc process -n $NAMESPACE -f openshift/app.dc.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -p ROUTE_HOST=clamav-mirror.apps.silver.devops.gov.bc.ca -o yaml | oc apply -n $NAMESPACE -f - ``` Due to the triggers that are set in the deploymentconfig, the deployment will begin automatically. However, you can deploy manually by use the following command for example: @@ -124,7 +75,6 @@ Our application template take in mainly the following parameters: | APP_NAME | yes | short name for the application | | INSTANCE | yes | The name of this instance of the application | | NAMESPACE | yes | which namespace/"environment" are we deploying to? dev, test, prod? | -| REPO_NAME | yes | Application repository name | | CRON_SCHEDULE | no | CronJob crontab schedule | Cronjob invocation can be done manually with the following for example: 
@@ -133,7 +83,7 @@ Cronjob invocation can be done manually with the following for example: export NAMESPACE= export APP_NAME= -oc process -n $NAMESPACE -f openshift/app.cronjob.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -p REPO_NAME=clamav-mirror -o yaml | oc apply -n $NAMESPACE -f - +oc process -n $NAMESPACE -f openshift/app.cronjob.yaml -p APP_NAME=$APP_NAME -p INSTANCE=master -p NAMESPACE=$NAMESPACE -o yaml | oc apply -n $NAMESPACE -f - ``` #### Manual Run diff --git a/openshift/app.bc.yaml b/openshift/app.bc.yaml deleted file mode 100644 index 2da14fd..0000000 --- a/openshift/app.bc.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -apiVersion: v1 -kind: Template -labels: - build: "${REPO_NAME}-app" - template: "${REPO_NAME}-app-bc-template" -metadata: - name: "${REPO_NAME}-app-bc" -objects: - - apiVersion: v1 - kind: ImageStream - metadata: - name: "${REPO_NAME}-app" - spec: - lookupPolicy: - local: false - - apiVersion: v1 - kind: BuildConfig - metadata: - name: "${REPO_NAME}-app" - spec: - completionDeadlineSeconds: 600 - failedBuildsHistoryLimit: 3 - nodeSelector: - output: - to: - kind: ImageStreamTag - name: "${REPO_NAME}-app:latest" - postCommit: {} - resources: - requests: - cpu: 2000m - memory: 1Gi - limits: - cpu: 4000m - memory: 2Gi - runPolicy: SerialLatestOnly - source: - contextDir: docker - git: - ref: "${SOURCE_REPO_REF}" - uri: "${SOURCE_REPO_URL}" - type: Git - strategy: - dockerStrategy: - from: - kind: DockerImage - name: "${BASE_IMAGE}" - type: Docker - successfulBuildsHistoryLimit: 3 -parameters: - - name: BASE_IMAGE - description: Base Image to build from - displayName: Base Image - required: true - value: docker.io/python:3.11-alpine - - name: REPO_NAME - description: Application repository name - displayName: Repository Name - required: true - - name: SOURCE_REPO_REF - description: Git Pull Request Reference (i.e. 'pull/CHANGE_ID/head') - displayName: Source Repository Reference - required: true - - name: SOURCE_REPO_URL - description: Git Repository URL - displayName: Source Repository URL - required: true diff --git a/openshift/app.cronjob.yaml b/openshift/app.cronjob.yaml index 80ccc4e..605d41a 100644 --- a/openshift/app.cronjob.yaml +++ b/openshift/app.cronjob.yaml 
@@ -8,14 +8,14 @@ labels: app.kubernetes.io/name: python app.kubernetes.io/managed-by: template app.kubernetes.io/part-of: ${APP_NAME}-${INSTANCE} - app.kubernetes.io/version: "3.9" + app.kubernetes.io/version: "3.12" app.openshift.io/runtime: python template: "${REPO_NAME}-updater-template" metadata: name: "${REPO_NAME}-updater-dc" objects: - - apiVersion: batch/v1beta1 - kind: CronJob + - kind: CronJob + apiVersion: batch/v1 metadata: name: "${APP_NAME}-updater" spec: @@ -32,7 +32,7 @@ objects: app.kubernetes.io/name: python app.kubernetes.io/managed-by: template app.kubernetes.io/part-of: ${APP_NAME}-${INSTANCE} - app.kubernetes.io/version: "3.9" + app.kubernetes.io/version: "3.12" app.openshift.io/runtime: python template: "${REPO_NAME}-updater-template" spec: @@ -55,7 +55,7 @@ objects: spec: containers: - name: updater - image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}-app:latest" + image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}:${IMAGE_TAG}" imagePullPolicy: IfNotPresent command: - "./entrypoint.sh" @@ -95,15 +95,22 @@ parameters: description: The base docker registry displayName: Docker Image Registry required: true - value: image-registry.openshift-image-registry.svc:5000 + value: ghcr.io + - name: IMAGE_TAG + description: The docker image tag + displayName: Docker Image Tag + required: true + value: latest - name: NAMESPACE description: Target namespace reference (i.e. 'wfezkf-dev') displayName: Target Namespace required: true + value: bcgov - name: REPO_NAME description: Application repository name displayName: Repository Name required: true + value: clamav-mirror # https://crontab.guru/every-8-hours - name: CRON_SCHEDULE description: CronJob crontab schedule diff --git a/openshift/app.dc.yaml b/openshift/app.dc.yaml index 376d780..b0c5333 100644 --- a/openshift/app.dc.yaml +++ b/openshift/app.dc.yaml 
@@ -21,8 +21,8 @@ labels: app.openshift.io/runtime: golang template: "${REPO_NAME}-app-template" objects: - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy + - kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 metadata: name: "allow-openshift-ingress-to-${APP_NAME}-app" spec: @@ -37,8 +37,8 @@ objects: network.openshift.io/policy-group: ingress policyTypes: - Ingress - - apiVersion: v1 - kind: ConfigMap + - kind: ConfigMap + apiVersion: v1 metadata: name: "${APP_NAME}-caddyfile" data: @@ -52,10 +52,11 @@ objects: :8080 { file_server browse + log root * ${DATA_DIR}/databases } - - apiVersion: v1 - kind: DeploymentConfig + - kind: DeploymentConfig + apiVersion: v1 metadata: name: "${APP_NAME}-app" spec: @@ -84,12 +85,12 @@ objects: spec: containers: - name: app - image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}-app:latest" + image: "${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}:${IMAGE_TAG}" securityContext: capabilities: add: - NET_BIND_SERVICE - imagePullPolicy: IfNotPresent + imagePullPolicy: Always livenessProbe: tcpSocket: port: 8080 @@ -136,15 +137,6 @@ objects: test: false triggers: - type: ConfigChange - - imageChangeParams: - automatic: true - containerNames: - - app - from: - kind: ImageStreamTag - name: "${REPO_NAME}-app:latest" - namespace: "${NAMESPACE}" - type: ImageChange - apiVersion: v1 kind: PersistentVolumeClaim metadata: 
@@ -208,15 +200,22 @@ parameters: description: The base docker registry displayName: Docker Image Registry required: true - value: image-registry.openshift-image-registry.svc:5000 + value: ghcr.io + - name: IMAGE_TAG + description: The docker image tag + displayName: Docker Image Tag + required: true + value: latest - name: NAMESPACE description: Target namespace reference (i.e. 'wfezkf-dev') displayName: Target Namespace required: true + value: bcgov - name: REPO_NAME description: Application repository name displayName: Repository Name required: true + value: clamav-mirror - name: ROUTE_HOST description: The host the route will use to expose service outside cluster displayName: Route host
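Review bot: in the README.md badge hunk the image URL was moved to `on-push.yaml` but the link target on the same line still opens `docker-image.yaml`, so the badge will show the status of one workflow and click through to another; change the href to `https://github.com/bcgov/clamav-mirror/actions/workflows/on-push.yaml` so both halves of the badge refer to the same workflow.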
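Review bot: the bare `log` directive added in the docker/src/Caddyfile hunk enables Caddy's access log, which by default goes to stderr and therefore to the pod logs; that is the right place for it, since it is the only record of which clients fetched which definition files and when. The same line had to be added separately to the ConfigMap copy of the Caddyfile in app.dc.yaml, and the two copies already differ (`/mnt/cvdupdate/databases` hard-coded here versus `${DATA_DIR}/databases` in the template), so add a comment in each pointing at the other, or generate the ConfigMap from docker/src/Caddyfile, so the next change does not drift.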
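Review bot: the openshift/README.md hunks at `@@ -5,7` and `@@ -18,25` delete the "Openshift Deployment Prerequisites" section, and with it the only statement that the namespace is expected to carry a deny-by-default NetworkPolicy (`platform-services-controlled-deny-by-default`). The `allow-openshift-ingress-to-${APP_NAME}-app` policy in app.dc.yaml only achieves the "drop all traffic that does not come from the cluster" claim made in the Infrastructure paragraph when that baseline exists, so keep a one-sentence prerequisite under Infrastructure stating that the namespace must already have the platform deny-by-default policy.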
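Review bot: the replacement paragraph in the openshift/README.md `@@ -47,40` hunk removes all build documentation without saying where the deployed image now comes from; the templates in this same patch default to `ghcr.io/bcgov/clamav-mirror:latest`, so add a sentence to the Templates section stating that images are built by the GitHub Actions workflow and published to ghcr.io, and that `IMAGE_TAG` should be set to a specific tag rather than `latest` for anything other than dev.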
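Review bot: the openshift/README.md hunks at `@@ -93,7`, `@@ -102,7`, `@@ -124,7` and `@@ -133,7` drop `REPO_NAME` from the parameter tables and invocations, but the `IMAGE_TAG` parameter introduced by the template hunks is not added to either table, and the examples still pass `-p NAMESPACE=$NAMESPACE` where `$NAMESPACE` is the target OpenShift namespace. Since the templates now also use `${NAMESPACE}` as the registry path segment (`ghcr.io/${NAMESPACE}/${REPO_NAME}`), following these examples as written produces an image reference such as `ghcr.io/<your-openshift-namespace>/clamav-mirror:latest` that does not exist; either document that `NAMESPACE` must now be the GitHub organisation, or (better) fix the overload in the templates and add `IMAGE_TAG` to both tables.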
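Review bot: deleting openshift/app.bc.yaml is consistent with moving builds off-cluster, but the deleted file recorded the base image as `docker.io/python:3.11-alpine` while the app.cronjob.yaml hunks bump `app.kubernetes.io/version` from `"3.9"` to `"3.12"`; nothing in this patch shows which Python version the external build actually uses, so confirm the label matches the image published by the workflow rather than being set by hand.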
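Review bot: the app.cronjob.yaml `@@ -55,7` hunk changes the image to `${IMAGE_REGISTRY}/${NAMESPACE}/${REPO_NAME}:${IMAGE_TAG}` (default `ghcr.io/bcgov/clamav-mirror:latest`) but leaves `imagePullPolicy: IfNotPresent`, whereas the matching app.dc.yaml hunk switches to `Always`. With a mutable `latest` tag and `IfNotPresent`, any node that already holds a cached copy of that tag will keep running the old updater image indefinitely, so the two workloads can silently diverge; set `Always` here as well, and for non-dev environments pin `IMAGE_TAG` to an immutable tag or digest so a pull of `latest` from a public registry cannot change what runs in the cluster without a reviewed template change.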
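Review bot: the parameter hunks in app.cronjob.yaml (`@@ -95,15`) and app.dc.yaml (`@@ -208,15`) give `NAMESPACE` a default of `bcgov` while its description still reads "Target namespace reference (i.e. 'wfezkf-dev')"; the parameter is now doing two jobs, the OpenShift namespace the objects are deployed into and the GitHub organisation in the ghcr.io image path. Those values only coincide by accident, and anyone who sets the namespace as the description tells them to gets an unpullable image. Introduce a separate parameter for the image path (or fold the organisation into `IMAGE_REGISTRY`, e.g. `ghcr.io/bcgov`) and leave `NAMESPACE` meaning the cluster namespace; the `IMAGE_TAG` description should also say that `latest` is a mutable tag so callers know to override it.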
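Review bot: the app.dc.yaml `@@ -136,15` hunk removes the `ImageChange` trigger (correctly, since the ImageStream it referenced is deleted with app.bc.yaml), leaving only `ConfigChange`; after this change a new image pushed to ghcr.io is picked up only when a pod is recreated or a rollout is started, so the README's statement that "the deployment will begin automatically" now holds for template changes only. Document that a new image requires `oc rollout latest dc/${APP_NAME}-app` (or a template change), and note that the `kind`/`apiVersion` swaps in the `@@ -21,8`, `@@ -37,8` and `@@ -52,10` hunks are pure reordering that enlarges the diff without changing anything; keeping the original order would make the substantive changes (the `log` directive, the image reference, `imagePullPolicy: Always`) easier to review.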