diff --git a/Dockerfile b/Dockerfile index cecd74e..6d28958 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,7 @@ RUN cd /app \ && pip install -r requirements.txt -RUN mkdir /pubgrade_temp_files +RUN mkdir /pubgrade_temp_files && chown -R 1000 /pubgrade_temp_files USER 1000 diff --git a/build-complete-updater/updater.py b/build-complete-updater/updater.py index 421b350..4e674d3 100644 --- a/build-complete-updater/updater.py +++ b/build-complete-updater/updater.py @@ -24,6 +24,7 @@ if os.getenv("BROKER_PORT"): BROKER_PORT = os.getenv("BROKER_PORT") +BROKER_URL="https://pubgrade.dyn.cloud.e-infra.cz" def get_env(env, name): for var in env: @@ -42,8 +43,8 @@ def get_env(env, name): build_name is not None and access_token is not None ): repo_id = build_name[:BUILD_ID_LENGTH] - url = "{}:{}/repositories/{}/builds/{}".format( - BROKER_URL, BROKER_PORT, repo_id, build_name + url = "https://pubgrade.dyn.cloud.e-infra.cz/repositories/{}/builds/{}".format( + BROKER_PORT, repo_id, build_name ) payload = json.dumps({"id": build_name}) headers = { diff --git a/deployment/templates/deployment.yaml b/deployment/templates/deployment.yaml index e3b1bb0..8a37c81 100644 --- a/deployment/templates/deployment.yaml +++ b/deployment/templates/deployment.yaml @@ -14,10 +14,12 @@ spec: spec: serviceAccountName: pubgrade automountServiceAccountToken: true + securityContext: + runAsUser: 1000 containers: - name: pubgrade - imagePullPolicy: IfNotPresent - image: akash7778/pubgrade:test_build + imagePullPolicy: Always + image: akash7778/pubgrade:test_build_1 ports: - containerPort: 8080 volumeMounts: @@ -38,10 +40,7 @@ spec: - name: take-data-dir-ownership image: alpine:3 command: - - chown - - -R - - 1000:1000 - - {{ .Values.volumes.Pubgrade.pathToMountedDir }} + - ls volumeMounts: - name: pubgrade-storage mountPath: {{ .Values.volumes.Pubgrade.pathToMountedDir }} 
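Review bot: The chown on the new RUN line only fixes ownership inside the image layer, and `/pubgrade_temp_files` is the same path the chart uses as `pathToMountedDir`, so once the PVC is mounted there the mounted filesystem's ownership takes over and this chown has no effect on it. The same commit also turns the `take-data-dir-ownership` init container in deployment/templates/deployment.yaml into `ls`, so nothing makes the volume writable by UID 1000 any more. The Kubernetes-native fix is `fsGroup: 1000` next to the new `runAsUser: 1000` in the pod securityContext; the image-level chown can stay for runs without a volume, though `-R` on a directory created in the same command is redundant.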
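Review bot: `BROKER_URL="https://pubgrade.dyn.cloud.e-infra.cz"` is assigned unconditionally after the environment block, so any BROKER_URL the surrounding code reads from the environment (only the BROKER_PORT branch is visible in the hunk) is overwritten with a fixed host. Keep the environment as the override and use the literal as the default, `BROKER_URL = os.getenv("BROKER_URL", "https://pubgrade.dyn.cloud.e-infra.cz")`, which also restores PEP 8 spacing around `=`. The second hunk in this file then builds its URL from a duplicated copy of the same literal instead of this constant, so the two can drift apart.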
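Review bot: The new `.format()` call passes three arguments (`BROKER_PORT, repo_id, build_name`) to a string with only two `{}` placeholders, so `BROKER_PORT` lands in the repositories segment, `repo_id` in the builds segment, and `build_name` is silently dropped — the request targets the wrong resource. Build the URL from the module constant instead, `url = "{}/repositories/{}/builds/{}".format(BROKER_URL, repo_id, build_name)`; if a non-default port is still needed it has to be folded into `BROKER_URL` explicitly rather than re-added as `{}:{}`, since the host is now an https URL on the default port. The enclosing function and the `if` condition that guards this block start outside the hunk.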
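Review bot: `imagePullPolicy: Always` combined with the mutable tag `akash7778/pubgrade:test_build_1` means every pod restart pulls whatever the tag currently points to, so two replicas of the same Deployment can end up running different code and a rollback by tag is not reproducible; reference the image by digest (`image: akash7778/pubgrade@sha256:<DIGEST>`, placeholder) or by an immutable release tag. The new pod securityContext only sets `runAsUser: 1000`; adding `runAsNonRoot: true` makes the kubelet refuse the pod if a later image change reintroduces a root user, turning the intent into an enforced check.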
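Review bot: Replacing the init container's `chown -R 1000:1000 <dir>` command with `ls` leaves `take-data-dir-ownership` as a no-op that still pulls `alpine:3` and mounts the storage volume on every pod start, while its name no longer describes what it does. Either delete the init container block (the `- name: take-data-dir-ownership` entry together with its `volumeMounts`) or keep the chown; a no-op container that mounts the data volume adds startup latency and an extra image to the pod's surface for no benefit. The hunk ends inside the init container's volumeMounts list.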
diff --git a/deployment/templates/mongodb/mongodb-deployment.yaml b/deployment/templates/mongodb/mongodb-deployment.yaml index 15aa07a..e8c09c7 100644 --- a/deployment/templates/mongodb/mongodb-deployment.yaml +++ b/deployment/templates/mongodb/mongodb-deployment.yaml @@ -14,6 +14,8 @@ spec: labels: app: db spec: + securityContext: + runAsUser: 999 containers: - name: mongodb image: mongo:3.6 diff --git a/deployment/templates/mongodb/mongodb-pvc.yaml b/deployment/templates/mongodb/mongodb-pvc.yaml index eb3acc3..9d17f89 100644 --- a/deployment/templates/mongodb/mongodb-pvc.yaml +++ b/deployment/templates/mongodb/mongodb-pvc.yaml 
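Review bot: `runAsUser: 999` at the pod level means the `mongo:3.6` entrypoint no longer starts as root and so cannot fix ownership of its data directory itself; unless the volume backing the data path is already owned by UID 999, mongod will fail with a permission error on first start. Add `fsGroup: 999` alongside `runAsUser: 999` so the mounted volume is group-writable by the mongo user. Separately, `mongo:3.6` is a very old image line (as far as I know it is past end of life) and is worth a follow-up to move to a supported series.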
@@ -1,28 +1,28 @@ -{{ if .Values.volumes.mongodb.deployLocalPv }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: mongo-pv - labels: - type: local -spec: - storageClassName: {{ .Values.volumes.mongodb.storageClass }} - capacity: - storage: {{ .Values.volumes.mongodb.size }} - accessModes: - - ReadWriteOnce - hostPath: - path: {{ .Values.volumes.mongodb.pathToLocalDir }} -{{ end }} ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ .Values.volumes.mongodb.name }} -spec: - storageClassName: {{ .Values.volumes.mongodb.storageClass }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.volumes.mongodb.size }} \ No newline at end of file +# {{ if .Values.volumes.mongodb.deployLocalPv }} +# apiVersion: v1 +# kind: PersistentVolume +# metadata: +# name: mongo-pv +# labels: +# type: local +# spec: +# storageClassName: {{ .Values.volumes.mongodb.storageClass }} +# capacity: +# storage: {{ .Values.volumes.mongodb.size }} +# accessModes: +# - ReadWriteOnce +# hostPath: +# path: {{ .Values.volumes.mongodb.pathToLocalDir }} +# {{ end }} +# --- +# apiVersion: v1 +# kind: PersistentVolumeClaim +# metadata: +# name: {{ .Values.volumes.mongodb.name }} +# spec: +# storageClassName: {{ .Values.volumes.mongodb.storageClass }} +# accessModes: +# - ReadWriteOnce +# resources: +# requests: +# storage: {{ .Values.volumes.mongodb.size }} \ No newline at end of file diff --git a/deployment/templates/pubgrade-pvc.yaml b/deployment/templates/pubgrade-pvc.yaml index 380603b..fa020b9 100644 --- a/deployment/templates/pubgrade-pvc.yaml +++ b/deployment/templates/pubgrade-pvc.yaml 
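Review bot: Commenting the whole template out with `#` removes the `PersistentVolumeClaim` together with the local `PersistentVolume`, but the mongodb Deployment still refers to the claim by `.Values.volumes.mongodb.name`, so a fresh install now depends on a PVC created out of band, and the `deployLocalPv: false` flip in values.yaml (which already gates only the PV) becomes meaningless. Helm also still evaluates `{{ .Values... }}` and `{{ if }}`/`{{ end }}` inside `#` comments, so a missing value still fails rendering; the template idiom for disabling a block is `{{- /* ... */}}`, or deleting the file and wrapping the PVC in its own `{{ if }}`. Keep the PVC resource and gate only the PV on `deployLocalPv`. The same change is made to deployment/templates/pubgrade-pvc.yaml, which additionally pastes a commented `kind: List` dump with cluster-specific `resourceVersion`/`selfLink`/`finalizers` fields that do not belong in a chart.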
@@ -1,28 +1,61 @@ -{{ if .Values.volumes.Pubgrade.deployLocalPv }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: pubgrade-pv - labels: - type: local -spec: - storageClassName: {{ .Values.volumes.Pubgrade.storageClass }} - capacity: - storage: {{ .Values.volumes.Pubgrade.size }} - accessModes: - - ReadWriteOnce - hostPath: - path: {{ .Values.volumes.Pubgrade.pathToLocalDir }} -{{ end }} ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ .Values.volumes.Pubgrade.name }} -spec: - storageClassName: {{ .Values.volumes.Pubgrade.storageClass }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.volumes.Pubgrade.size }} +# {{ if .Values.volumes.Pubgrade.deployLocalPv }} +# apiVersion: v1 +# kind: PersistentVolume +# metadata: +# name: pubgrade-pv +# labels: +# type: local +# spec: +# storageClassName: {{ .Values.volumes.Pubgrade.storageClass }} +# capacity: +# storage: {{ .Values.volumes.Pubgrade.size }} +# accessModes: +# - ReadWriteOnce +# hostPath: +# path: {{ .Values.volumes.Pubgrade.pathToLocalDir }} +# {{ end }} +# --- +# apiVersion: v1 +# kind: PersistentVolumeClaim +# metadata: +# name: {{ .Values.volumes.Pubgrade.name }} +# spec: +# storageClassName: {{ .Values.volumes.Pubgrade.storageClass }} +# accessModes: +# - ReadWriteOnce +# resources: +# requests: +# storage: {{ .Values.volumes.Pubgrade.size }} +# --- +# apiVersion: v1 +# items: +# - apiVersion: v1 +# kind: PersistentVolumeClaim +# metadata: +# finalizers: +# - kubernetes.io/pvc-protection +# name: mongo-pvc +# spec: +# accessModes: +# - ReadWriteOnce +# resources: +# requests: +# storage: 2Gi +# storageClassName: standard-rwo +# - apiVersion: v1 +# kind: PersistentVolumeClaim +# metadata: +# finalizers: +# - kubernetes.io/pvc-protection +# name: pubgrade-pvc +# spec: +# accessModes: +# - ReadWriteOnce +# resources: +# requests: +# storage: 2Gi +# storageClassName: standard-rwo +# kind: List +# metadata: +# resourceVersion: "" +# selfLink: "" \ 
No newline at end of file diff --git a/deployment/templates/services.yaml b/deployment/templates/services.yaml index 28d7d6b..797b179 100644 --- a/deployment/templates/services.yaml +++ b/deployment/templates/services.yaml @@ -9,4 +9,4 @@ spec: ports: - port: 8080 targetPort: 8080 - nodePort: 30008 + nodePort: 30010 diff --git a/deployment/values.yaml b/deployment/values.yaml index 5b4b17f..24e0ffa 100644 --- a/deployment/values.yaml +++ b/deployment/values.yaml @@ -14,14 +14,14 @@ volumes: # In case you are working with minikube or another single-worker solution # you can add a peristent volume from a local directory. For fully-distributed #clusters you should use a StorageClass already existing in your cluster, so set this to false. - deployLocalPv: true + deployLocalPv: false pathToMountedDir: /pubgrade_temp_files pathToLocalDir: /tmp/pubgrade-pv name: pubgrade-pvc storageClass: manual size: 2Gi mongodb: - deployLocalPv: true + deployLocalPv: false pathToLocalDir: /tmp/mongo-pv name: mongo-pvc storageClass: manual diff --git a/pubgrade/config.yaml b/pubgrade/config.yaml index c28df4b..025591f 100644 --- a/pubgrade/config.yaml +++ b/pubgrade/config.yaml @@ -8,7 +8,7 @@ server: use_reloader: True db: - host: mongodb.pubgrade + host: mongodb.pubgrade-ns port: 27017 dbs: pubgradeStore: diff --git a/pubgrade/modules/endpoints/builds.py b/pubgrade/modules/endpoints/builds.py index bcc69ec..f2553d9 100644 --- a/pubgrade/modules/endpoints/builds.py +++ b/pubgrade/modules/endpoints/builds.py @@ -24,7 +24,7 @@ logger = logging.getLogger(__name__) -template_file = '/app/pubgrade/pubgrade/endpoints/kaniko/template.yaml' +template_file = '/app/pubgrade/modules/endpoints/kaniko/template.yaml' BASE_DIR = os.getenv("BASE_DIR") if BASE_DIR is None: BASE_DIR = '/pubgrade_temp_files' 
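Review bot: The MongoDB host is now hard-coded to the `pubgrade-ns` namespace in the application config, and the same namespace is hard-coded again in `PUBGRADE_URL` in pubgrade/modules/endpoints/builds.py (`http://pubgrade-service.pubgrade-ns`), while the Helm chart's namespace is chosen at install time. Installing the chart into any other namespace silently breaks both lookups. Prefer the short service name (`host: mongodb`, which resolves within the pod's own namespace) or inject the namespace through a Downward API env var (`metadata.namespace`) and read it in both places.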
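Review bot: `template_file` is still an absolute path into the container image (`/app/pubgrade/...`), which is exactly what broke before — the old value pointed at a directory that no longer exists. Since builds.py and `kaniko/template.yaml` live in the same package directory, derive the path from the module location, `template_file = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'kaniko', 'template.yaml')`, which works in the image, in tests and in local development alike; `os` is already in scope, as the `os.getenv` call a few lines below shows.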
@@ -375,7 +375,7 @@ def create_deployment_YAML( data["spec"]["containers"][0]["env"][2]["value"] = "default" data["spec"]["containers"][0]["env"][3][ "value" - ] = "http://pubgrade-service.pubgrade" # PUBGRADE_URL + ] = "http://pubgrade-service.pubgrade-ns" # PUBGRADE_URL data["spec"]["containers"][0]["env"][4]["value"] = "8080" # PORT with open(deployment_file_location, "w") as yaml_file: yaml_file.write(yaml.dump(data, default_flow_style=False)) diff --git a/pubgrade/modules/endpoints/kaniko/template.yaml b/pubgrade/modules/endpoints/kaniko/template.yaml index db660a8..0c78d86 100644 --- a/pubgrade/modules/endpoints/kaniko/template.yaml +++ b/pubgrade/modules/endpoints/kaniko/template.yaml @@ -3,6 +3,8 @@ kind: Pod metadata: name: kaniko spec: + securityContext: + runAsUser: 0 containers: - args: - --dockerfile=/docker_file_path
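Review bot: `runAsUser: 0` makes the kaniko build pod explicitly root with no comment recording why, and it also means the pod cannot be admitted into a namespace enforcing the `restricted` Pod Security Standard, which requires runAsNonRoot. If the executor genuinely needs root, record that next to the setting, e.g. `# kaniko executor needs root inside the container; run these pods in a namespace enforcing at most the baseline Pod Security Standard, separate from the application`, so the exception is deliberate and reviewable rather than implicit. This pod appears to build Dockerfiles from user-supplied repositories (inferred from the surrounding project, not visible in this hunk), which is why keeping it in its own namespace matters. The pod spec continues outside the hunk.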