diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 82e107b..1ea112b 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -3,81 +3,64 @@ env: IMAGE_REPO: ghcr.io/metal-toolbox/${APP_NAME} IMAGE_TAG: ${BUILDKITE_BUILD_NUMBER}-${BUILDKITE_COMMIT:0:8} -steps: - - group: ":golang: Application" - key: "app" - steps: - - label: ":golangci-lint: lint :lint-roller:" - key: "lint" - plugins: - - docker#v5.8.0: - image: "registry.hub.docker.com/golangci/golangci-lint:v1.53-alpine" - command: ["golangci-lint", "run", "-v", "--timeout", "5m"] - - label: ":test_tube: test" - key: "test" - plugins: - - docker-compose#v4.14.0: - cli-version: 2 - run: go - config: docker-compose-ci.yml - command: ["make", "ci-test"] +steps: +- label: ":golangci-lint: lint :lint-roller:" + key: "lint" + plugins: + - docker#v5.8.0: + image: "registry.hub.docker.com/golangci/golangci-lint:v1.53-alpine" + command: ["golangci-lint", "run", "-v", "--timeout", "5m"] - - label: ":golang: build" - key: "gobuild" - artifact_paths: "bin/${APP_NAME}" - plugins: - - docker#v5.8.0: - image: "golang:1.20" - environment: - - CGO_ENABLED=0 - - GOOS=linux - command: ["go", "build", "-buildvcs=false", "-mod=mod", "-a", "-o", "bin/$APP_NAME"] +- label: ":test_tube: test" + key: "test" + plugins: + - docker-compose#v4.14.0: + cli-version: 2 + run: go + config: docker-compose-ci.yml + command: ["make", "ci-test"] - - label: ":docker: docker build and publish" - key: "build" - depends_on: ["lint", "test", "gobuild"] - env: - BUILDKITE_PLUGINS_ALWAYS_CLONE_FRESH: "true" - commands: | - #!/bin/bash - echo --- Retrieve Artifacts - buildkite-agent artifact download "bin/${APP_NAME}" . 
- # move it to where we expect and make sure it is executable - cp bin/${APP_NAME} ${APP_NAME} - chmod +x ${APP_NAME} - plugins: - - docker-login#v2.1.0: - username: metal-buildkite - password-env: SECRET_GHCR_PUBLISH_TOKEN - server: ghcr.io - - equinixmetal-buildkite/docker-metadata#v1.0.0: - images: - - "${IMAGE_REPO}" - extra_tags: - - "${IMAGE_TAG}" - - equinixmetal-buildkite/docker-build#v1.1.0: - push: true - build-args: - - NAME=${APP_NAME} - - equinixmetal-buildkite/trivy#v1.18.2: - severity: CRITICAL,HIGH - ignore-unfixed: true - security-checks: config,secret,vuln - skip-files: 'cosign.key,Dockerfile.dev' +- label: ":golang: build" + key: "gobuild" + artifact_paths: "bin/${APP_NAME}" + plugins: + - docker#v5.8.0: + image: "golang:1.20" + environment: + - CGO_ENABLED=0 + - GOOS=linux + command: ["go", "build", "-buildvcs=false", "-mod=mod", "-a", "-o", "bin/$APP_NAME"] - - group: ":helm: Helm Chart" - key: "chart" - steps: - - label: ":helm: Helm Tarball Update" - key: "helm-dep-up" - plugins: - equinixmetal-buildkite/helm-tar-update#v0.0.1: {} +- label: ":docker: docker build and publish" + key: "build" + depends_on: ["lint", "test", "gobuild"] + env: + BUILDKITE_PLUGINS_ALWAYS_CLONE_FRESH: "true" + commands: | + #!/bin/bash + echo --- Retrieve Artifacts + buildkite-agent artifact download "bin/${APP_NAME}" . 
+ # move it to where we expect and make sure it is executable + cp bin/${APP_NAME} ${APP_NAME} + chmod +x ${APP_NAME} + plugins: + - docker-login#v2.1.0: + username: metal-buildkite + password-env: SECRET_GHCR_PUBLISH_TOKEN + server: ghcr.io + - equinixmetal-buildkite/docker-metadata#v1.0.0: + images: + - "${IMAGE_REPO}" + extra_tags: + - "${IMAGE_TAG}" + - equinixmetal-buildkite/docker-build#v1.1.0: + push: true + build-args: + - NAME=${APP_NAME} + - equinixmetal-buildkite/trivy#v1.18.2: + severity: CRITICAL,HIGH + ignore-unfixed: true + security-checks: config,secret,vuln + skip-files: 'cosign.key,Dockerfile.dev' - - label: ":helm: lint" - depends_on: - - helm-dep-up - plugins: - - docker#v5.7.0: - image: "alpine/helm" - command: ["lint", "chart/governor-api"] diff --git a/.trivyignore b/.trivyignore deleted file mode 100644 index 15d808a..0000000 --- a/.trivyignore +++ /dev/null @@ -1,2 +0,0 @@ -# False positive from k8s-otel-collector -AVD-KSV-01010 diff --git a/chart/governor-api/.trivyignore b/chart/governor-api/.trivyignore deleted file mode 100644 index 15d808a..0000000 --- a/chart/governor-api/.trivyignore +++ /dev/null @@ -1,2 +0,0 @@ -# False positive from k8s-otel-collector -AVD-KSV-01010 diff --git a/chart/governor-api/Chart.lock b/chart/governor-api/Chart.lock deleted file mode 100644 index 318e54b..0000000 --- a/chart/governor-api/Chart.lock +++ /dev/null @@ -1,9 +0,0 @@ -dependencies: -- name: common - repository: https://charts.bitnami.com/bitnami - version: 2.8.0 -- name: k8s-otel-collector - repository: https://helm.equinixmetal.com - version: 0.6.1 -digest: sha256:96a0500b0a1471ecc8df0607d116f47e5d77076d9a11f27660625a13796694b7 -generated: "2023-08-10T22:26:21.049199153Z" diff --git a/chart/governor-api/Chart.yaml b/chart/governor-api/Chart.yaml deleted file mode 100644 index 461d3f1..0000000 --- a/chart/governor-api/Chart.yaml +++ /dev/null 
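Review bot: In the `build` step the plugins are listed as docker-login, docker-metadata, `equinixmetal-buildkite/docker-build#v1.1.0` with `push: true`, then `equinixmetal-buildkite/trivy#v1.18.2`, and Buildkite runs plugin hooks in list order, so the image is already published to `${IMAGE_REPO}` with `${IMAGE_TAG}` before a CRITICAL/HIGH finding can fail the step; the scan reports but does not gate the publish. Moving the trivy entry above the docker-build entry, or building with `push: false` and pushing from a later step that `depends_on` this one, turns the scan into a gate; whether the plugin scans the checkout or the built image is not visible here, so confirm the new order still covers what you intend to scan. The flattened `gobuild` step also keeps `-mod=mod` in its command, which lets `go build` rewrite go.mod/go.sum during CI instead of failing when they are stale; `-mod=readonly` (Go's default) keeps the build pinned to the committed module graph. With the chart directory removed in this commit, `skip-files: 'cosign.key,Dockerfile.dev'` on the trivy `secret` check is the remaining exclusion worth a one-line comment stating where `cosign.key` comes from at build time, since the exclusion would also hide a committed key.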
@@ -1,16 +0,0 @@ -apiVersion: v2 -name: governor-api -description: A helm chart for Governor-API -type: application -version: 0.1.0 -appVersion: v0.0.1 - -dependencies: - - name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: 2.8.0 - - name: k8s-otel-collector - repository: https://helm.equinixmetal.com - version: 0.6.1 diff --git a/chart/governor-api/README.md b/chart/governor-api/README.md deleted file mode 100644 index 94be6c4..0000000 --- a/chart/governor-api/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Governor Chart - -This is the helm chart for governor. It assumes that you've setup a cockroachdb cluster, database, and user, and have made the secrets involved available. diff --git a/chart/governor-api/charts/common-2.4.0.tgz b/chart/governor-api/charts/common-2.4.0.tgz deleted file mode 100644 index e00031f..0000000 Binary files a/chart/governor-api/charts/common-2.4.0.tgz and /dev/null differ diff --git a/chart/governor-api/charts/k8s-otel-collector-0.6.1.tgz b/chart/governor-api/charts/k8s-otel-collector-0.6.1.tgz deleted file mode 100644 index 7adb8e1..0000000 Binary files a/chart/governor-api/charts/k8s-otel-collector-0.6.1.tgz and /dev/null differ diff --git a/chart/governor-api/renovate.json b/chart/governor-api/renovate.json deleted file mode 100644 index f45d8f1..0000000 --- a/chart/governor-api/renovate.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "extends": [ - "config:base" - ] -} diff --git a/chart/governor-api/templates/configmap.yml b/chart/governor-api/templates/configmap.yml deleted file mode 100644 index fd9d4d2..0000000 --- a/chart/governor-api/templates/configmap.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -{{- $root := . -}} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "common.names.fullname" . }}-config - annotations: - argocd.argoproj.io/sync-wave: '-1' -data: - .governor.yaml: | - admin-groups: - - {{ .Values.governor.adminGroups }} - - nats: - url: {{ .Values.nats.url }} - creds-file: {{ .Values.nats.credsPath }}/{{ template "common.names.fullname" . }}-nats-client-creds - subject-prefix: {{ .Values.nats.subjectPrefix }} - - oidc: - {{- range .Values.api.oidc }} - - issuer: {{ .issuer }} - audience: {{ .audience }} - jwksuri: {{ .jwksuri }} - enabled: {{ .enabled }} - {{- if or .rolesClaim .userClaim }} - claims: - {{- end }} - {{- if .rolesClaim }} - roles: {{ .rolesClaim }} - {{- end }} - {{- if .userClaim }} - username: {{ .userClaim }} - {{- end }} - {{- end }} - - {{- if .Values.debug }} - logging: - debug: true - pretty: true - {{- end }} - - {{- if .Values.tracing.enabled }} - tracing: - enabled: true - {{- end }} - - db: - connections: - max_open: {{ .Values.db.connections.max_open }} - max_idle: {{ .Values.db.connections.max_idle }} - max_lifetime: {{ .Values.db.connections.max_lifetime }} diff --git a/chart/governor-api/templates/deployment.yml b/chart/governor-api/templates/deployment.yml deleted file mode 100644 index 5ecf722..0000000 --- a/chart/governor-api/templates/deployment.yml +++ /dev/null 
@@ -1,128 +0,0 @@ ---- -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ template "common.names.fullname" . }}-api - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: api -spec: - replicas: {{ .Values.api.replicaCount }} - revisionHistoryLimit: 3 - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: api - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }} - spec: - initContainers: - # Optional: Pre-creates the `/app-audit/audit.log` named pipe. - - image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}" - args: - - 'init' - - '-f' - - '/app-audit/audit.log' - name: init-audit-logs-api - resources: -{{ toYaml .Values.audit.initContainer.resources | indent 10 }} - imagePullPolicy: {{ .Values.audit.auditImage.pullPolicy }} - volumeMounts: - - mountPath: /app-audit - name: audit-logs-api - containers: - - name: {{ template "common.names.fullname" . 
}}-api - args: - - serve - - "--config=/config/.governor.yaml" - envFrom: - - secretRef: - name: {{ .Values.dbURI.existingSecret }} - {{- if .Values.tracing.enabled }} - env: - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: http://opentelemetry-collector:4317 - - name: OTEL_EXPORTER_OTLP_INSECURE - value: "true" - {{- end }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - runAsNonRoot: true - ports: - - name: http - containerPort: 3001 - livenessProbe: - httpGet: - path: /healthz/liveness - port: http - readinessProbe: - httpGet: - path: /healthz/readiness - port: http - {{- if .Values.api.readinessProbe.initialDelaySeconds }} - initialDelaySeconds: {{ .Values.api.readinessProbe.initialDelaySeconds }} - {{- else }} - initialDelaySeconds: 5 - {{- end }} - {{- if .Values.api.readinessProbe.periodSeconds }} - periodSeconds: {{ .Values.api.readinessProbe.periodSeconds }} - {{- else }} - periodSeconds: 20 - {{- end }} - {{- if .Values.api.readinessProbe.timeoutSeconds }} - timeoutSeconds: {{ .Values.api.readinessProbe.timeoutSeconds }} - {{- else }} - timeoutSeconds: 2 - {{- end }} - {{- if .Values.api.readinessProbe.successThreshold }} - successThreshold: {{ .Values.api.readinessProbe.successThreshold }} - {{- else }} - successThreshold: 1 - {{- end }} - {{- if .Values.api.readinessProbe.failureThreshold }} - failureThreshold: {{ .Values.api.readinessProbe.failureThreshold }} - {{- else }} - failureThreshold: 3 - {{- end }} - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: - - name: config-volume - mountPath: /config - readOnly: true - - name: dbcerts - mountPath: "/dbcerts" - readOnly: true - - name: natscreds - mountPath: "/nats" - readOnly: true - - name: audit-logs-api - mountPath: /app-audit - - name: audit-{{ template "common.names.fullname" . 
}}-api - args: - - -f - - /app-audit/audit.log - image: "{{ .Values.audit.auditImage.registry }}/{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}" - resources: -{{ toYaml .Values.audit.resources | indent 10 }} - volumeMounts: - - name: audit-logs-api - mountPath: /app-audit - restartPolicy: Always - terminationGracePeriodSeconds: 30 - volumes: - - name: config-volume - configMap: - name: {{ template "common.names.fullname" . }}-config - - name: dbcerts - secret: - secretName: {{ template "common.names.fullname" . }}-crdb-ca - defaultMode: 0444 - - name: audit-logs-api - emptyDir: {} - - name: natscreds - secret: - secretName: {{ template "common.names.fullname" . }}-nats-creds - defaultMode: 0444 diff --git a/chart/governor-api/templates/ingress.yml b/chart/governor-api/templates/ingress.yml deleted file mode 100644 index 72d9873..0000000 --- a/chart/governor-api/templates/ingress.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} -kind: Ingress -metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - name: {{ template "common.names.fullname" . }}-api - labels: {{- include "common.labels.standard" . | nindent 4 }} -spec: - ingressClassName: nginx-governor - rules: - - host: {{ .Values.api.ingress.host }} - http: - paths: - - path: "/" - pathType: Prefix - backend: - service: - name: {{ template "common.names.fullname" $ }}-api - port: - name: http - - path: "/healthz" - pathType: Prefix - backend: - service: - name: {{ template "common.names.fullname" $ }}-api - port: - name: http - tls: - - hosts: - - {{ .Values.api.ingress.host }} - secretName: {{ template "common.names.fullname" . }}-api-tls diff --git a/chart/governor-api/templates/secrets.yml b/chart/governor-api/templates/secrets.yml deleted file mode 100644 index d4df10b..0000000 --- a/chart/governor-api/templates/secrets.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{- if .Values.db.secrets.enabled }} ---- -kind: Secret -apiVersion: v1 -metadata: - name: db-uri - labels: {{- include "common.labels.standard" . | nindent 4 }} -type: Opaque -data: - GOVERNOR_DB_URI: {{ .Values.db.secrets.uri }} ---- -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "common.names.fullname" . }}-crdb-ca - labels: {{- include "common.labels.standard" . | nindent 4 }} -type: Opaque -data: - ca.crt: {{ .Values.db.secrets.crdbCrt }} -{{- end }} -{{- if .Values.nats.secrets.enabled }} ---- -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "common.names.fullname" . }}-nats-creds - labels: {{- include "common.labels.standard" . | nindent 4 }} -type: Opaque -data: - governor-nats-client-creds:: {{ .Values.nats.secrets.clientCreds }} -{{- end }} -{{- if .Values.tracing.secrets.enabled }} ---- -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "common.names.fullname" . }}-nats-creds - labels: {{- include "common.labels.standard" . | nindent 4 }} -type: Opaque -data: - honeycomb-key:: {{ .Values.tracing.secrets.honeycombKey }} -{{- end }} diff --git a/chart/governor-api/templates/service-monitor.yml b/chart/governor-api/templates/service-monitor.yml deleted file mode 100644 index efffee2..0000000 --- a/chart/governor-api/templates/service-monitor.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "common.names.fullname" . }}-api - labels: {{- include "common.labels.standard" . | nindent 4 }} -spec: - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - app.kubernetes.io/component: api - endpoints: - - targetPort: 3001 - path: /metrics - interval: 5s diff --git a/chart/governor-api/templates/service.yml b/chart/governor-api/templates/service.yml deleted file mode 100644 index 47a8305..0000000 --- a/chart/governor-api/templates/service.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" . }}-api - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: api -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 3001 - selector: {{ include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: api - sessionAffinity: None - type: ClusterIP diff --git a/chart/governor-api/values.yaml b/chart/governor-api/values.yaml deleted file mode 100644 index 8c1820f..0000000 --- a/chart/governor-api/values.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -image: - repository: ghcr.io/metal-toolbox/governor-api - tag: 43-520c6716 - pullPolicy: IfNotPresent - -ingress: - domains: [] - enabled: true - -resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - -nats: - url: - credsPath: /nats - subjectPrefix: governor.events - # set to `true` if you want to set the value directly in the chart (not recommended) - secrets: - enabled: false - clientCreds: - -governor: - adminGroups: "governor-admins" - -# governor-api settings -api: - enabled: true - ingress: - prefix: api.governor - replicaCount: 2 - readinessProbe: - periodSeconds: 20 - timeoutSeconds: 3 - successThreshold: 1 - failureThreshold: 3 - - # oidc settings, currently startup will fail without a valid oidc config - oidc: - - audience: "" - issuer: "" - jwksuri: "" - enabled: true - rolesClaim: "" - userClaim: "" - - resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - -# audit sidecar settings -audit: - auditImage: - repository: ghcr.io/metal-toolbox/audittail - tag: v0.7.0 - pullPolicy: IfNotPresent - resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - initContainer: - resources: - limits: - cpu: 100m - memory: 20Mi - requests: - cpu: 100m - memory: 20Mi - -# settings for the backend db -db: - connections: - max_open: 20 - max_idle: 20 - max_lifetime: 0 - # set to `true` if you want to set the value directly in the chart (not recommended) - secrets: - enabled: false - uri: - crdbCrt: - -dbURI: - existingSecret: db-uri - -# tracing settings -tracing: - enabled: true - # set to `true` if you want to set the value directly in the chart (not recommended) - secrets: - enabled: false - honeycombKey: -k8s-otel-collector: - include_otel_attributes: false