diff --git a/.drone.yml b/.drone.yml index 9a7d9922..056361c9 100644 --- a/.drone.yml +++ b/.drone.yml @@ -4,16 +4,16 @@ name: default type: kubernetes environment: - APP_NAME: biometric-residence-permit - PROD_ENV: brp - STG_ENV: brp-stg + APP_NAME: fmr + PROD_ENV: sas-fmr-prod + STG_ENV: sas-fmr-stg UAT_ENV: brp-uat BRANCH_ENV: brp-branch - PRODUCTION_URL: www.biometric-residence-permit.service.gov.uk + PRODUCTION_URL: www.request-reference-evisa.homeoffice.gov.uk IMAGE_URL: quay.io/ukhomeofficedigital - IMAGE_REPO: brpapp + IMAGE_REPO: fmr GIT_REPO: UKHomeOffice/brp_enquiry_forms - HOF_CONFIG: hof-services-config/Biometric_Residency_Permit + HOF_CONFIG: hof-services-config/For_My_Reference_Form NON_PROD_AVAILABILITY: Mon-Fri 08:00-23:00 Europe/London READY_FOR_TEST_DELAY: 20s NOTIFY_STUB: stub @@ -25,7 +25,7 @@ trigger: linting: &linting pull: if-not-exists - image: node:18 + image: node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 environment: NOTIFY_KEY: USE_MOCK commands: @@ -33,7 +33,7 @@ linting: &linting unit_tests: &unit_tests pull: if-not-exists - image: node:18 + image: node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 environment: NOTIFY_KEY: USE_MOCK commands: 
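Review bot: The digest-pinned `node:20.16.0-alpine3.20@sha256:eb8101…` string is now copied verbatim into linting, unit_tests and (later in the file) setup_deploy, setup_branch, snyk_scan, both Trivy OS-scan steps and the Dockerfile FROM, so a future bump has eight places to miss and the OS scan can silently drift from what is actually built. Define it once at its first use in this hunk as `image: &node_image node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52` and reference it as `image: *node_image` / `IMAGE_NAME: *node_image` elsewhere; the Dockerfile cannot share the anchor, so a comment there pointing at `.drone.yml` is the least that keeps the two in step. Separately, APP_NAME becomes `fmr` while UAT_ENV and BRANCH_ENV stay `brp-uat`/`brp-branch`; the new file-vault manifests derive secret and configmap names from APP_NAME (`fmr-notprod-s3`, `fmr-configmap…`), so those objects presumably have to exist under the new name in the brp-* namespaces — worth confirming or recording in a comment next to these variables.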
@@ -68,9 +68,26 @@ steps: - master event: [push, pull_request] + # Trivy Security Scannner for scanning OS related vulnerabilities in Base image of Dockerfile + - name: scan_image_os + pull: always + image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest + resources: + limits: + cpu: 1000 + memory: 1024Mi + environment: + IMAGE_NAME: node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 + SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree + FAIL_ON_DETECTION: false + IGNORE_UNFIXED: false + ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml + when: + event: [push, pull_request] + - name: setup_deploy pull: if-not-exists - image: node:18 + image: node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 environment: NOTIFY_KEY: USE_MOCK commands: @@ -132,8 +149,8 @@ steps: branch: master event: [push, pull_request] - # Trivy Security Scannner - - name: scan-image + # Trivy Security Scannner for scanning nodejs packages in Yarn + - name: scan_node_packages pull: always image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest resources: @@ -141,16 +158,13 @@ steps: cpu: 1000 memory: 1024Mi environment: - IMAGE_NAME: brpapp:${DRONE_COMMIT_SHA} - SEVERITY: MEDIUM,HIGH,CRITICAL + IMAGE_NAME: fmr:${DRONE_COMMIT_SHA} + SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree FAIL_ON_DETECTION: false - IGNORE_UNFIXED: true - ALLOW_CVE_LIST_FILE: hof-services-config/Biometric_Residency_Permit/trivy-cve-exceptions.txt + IGNORE_UNFIXED: false + ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml when: - event: - - pull_request - - push - - tag + event: [push, pull_request] # Deploy to pull request UAT environment - name: deploy_to_branch 
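Review bot: Both Trivy steps in this part of the file run with `FAIL_ON_DETECTION: false` and setup_deploy follows them, so a CRITICAL in the base image or in the yarn packages is reported but never stops a pull-request or master build from deploying; only the nightly cron later in the file blocks, which leaves a window of up to a day. At minimum gate the push-to-master path: `FAIL_ON_DETECTION: true` on scan_node_packages, or keep it advisory on pull_request and add a second, failing instance restricted with `branch: master`. `SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree` smuggles a CLI flag through an env var that the wrapper presumably passes straight to `--severity`; if the ACP client exposes a dedicated option for `--dependency-tree` it is safer to use it than to rely on that word-splitting. The IMAGE_NAME of scan_image_os also hard-codes the Dockerfile's FROM digest rather than deriving it, so the two can drift after a base-image bump.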
@@ -170,7 +184,7 @@ steps: - name: setup_branch pull: if-not-exists - image: node:18 + image: node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 environment: NOTIFY_KEY: USE_MOCK commands: @@ -225,7 +239,7 @@ steps: # Snyk security scans which run after branch deployment to prevent blocking of PR UAT tests - name: snyk_scan pull: if-not-exists - image: node:18 + image: node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 environment: SNYK_TOKEN: from_secret: snyk_token 
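Review bot: The snyk_scan step is kept on the pull-request path (its `commands:` and the rest of its definition are outside this hunk) while this same diff deletes `.snyk` and the cron_snyk_scan step, so if `test:snyk` is still invoked, every advisory the policy file previously ignored — several of them listed with 2024 expiry dates — will resurface on the next PR. Either remove this step together with the cron one, or keep a policy file; if the intent is to let Trivy replace Snyk for the image while Snyk remains PR-only, a one-line comment above the step such as `# kept for PR-only dependency scanning; image CVEs are covered by the Trivy steps` would stop the next reader from asking the same question.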
@@ -397,67 +411,71 @@ steps: cron: security_scans event: cron - - name: cron_snyk_scan - pull: if-not-exists - image: node:18 + - name: cron_trivy_scan_image_os + image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest + pull: always environment: - SNYK_TOKEN: - from_secret: snyk_token - commands: - - yarn install --frozen-lockfile - - yarn run postinstall - - yarn run test:snyk + IMAGE_NAME: node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 + SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --dependency-tree + FAIL_ON_DETECTION: true + IGNORE_UNFIXED: false + ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml when: cron: security_scans event: cron - - name: cron_trivy_scan + - name: cron_trivy_scan_node_packages image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest pull: always environment: - IMAGE_NAME: brpapp:${DRONE_COMMIT_SHA} - SEVERITY: MEDIUM,HIGH,CRITICAL - FAIL_ON_DETECTION: false - IGNORE_UNFIXED: true - ALLOW_CVE_LIST_FILE: hof-services-config/Biometric_Residency_Permit/trivy-cve-exceptions.txt + IMAGE_NAME: fmr:${DRONE_COMMIT_SHA} + SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --dependency-tree + FAIL_ON_DETECTION: true + IGNORE_UNFIXED: false + ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml when: cron: security_scans event: cron + status: [success, failure] # Slack notification upon a CRON job fail - name: cron_notify_slack_tear_down_pr_envs pull: if-not-exists - image: plugins/slack + image: plugins/slack:1.4.1 settings: - channel: sas-build + channel: sas-hof-build-notify failure: ignore - icon_url: http://readme.drone.io/0.5/logo_dark.svg - icon.url: http://readme.drone.io/0.5/logo_dark.svg - template: "CRON Job {{build.deployTo}} of BRP has {{build.status}} - <{{build.link}}|#{{build.number}}> {{#success build.status}}\n :thumbsup: :thumbsup: :thumbsup:\n{{else}}\n :x: :x: :x:\n{{/success}} Author: 
{{build.author}}\n\nDuration: {{since job.started}}\n\nJob: <{{build.link}}|#{{build.number}}>\n\nCommit: {{build.commit}}\n" - username: Drone + template: > + *✘ {{ uppercasefirst build.status }}*: Cron job `tear_down_pr_envs` failed to tear down the deployments in the BRANCH environment. + + *Repo* | *Branch* | *Commit* + + *Build <{{build.link}}|#{{build.number}}>* webhook: - from_secret: slack_webhook + from_secret: slack_sas_hof_build_notify_webhook when: cron: tear_down_pr_envs event: cron - status: failure - + status: [ failure ] + - name: cron_notify_slack_security_scans pull: if-not-exists - image: plugins/slack + image: plugins/slack:1.4.1 settings: - channel: sas-build + channel: sas-hof-security failure: ignore - icon_url: http://readme.drone.io/0.5/logo_dark.svg - icon.url: http://readme.drone.io/0.5/logo_dark.svg - template: "CRON Job {{build.deployTo}} of BRP has {{build.status}} - <{{build.link}}|#{{build.number}}> {{#success build.status}}\n :thumbsup: :thumbsup: :thumbsup:\n{{else}}\n :x: :x: :x:\n{{/success}} Author: {{build.author}}\n\nDuration: {{since job.started}}\n\nJob: <{{build.link}}|#{{build.number}}>\n\nCommit: {{build.commit}}\n" - username: Drone + template: > + *✘ {{ uppercasefirst build.status }}*: Cron job `security_scans` has failed. Prioritise reviewing build logs and addressing issues. + + *Repo* | *Branch* | *Commit* + + *Build <{{build.link}}|#{{build.number}}>* webhook: - from_secret: slack_webhook + from_secret: slack_sas_hof_security_webhook when: cron: security_scans event: cron - status: failure + status: [ failure ] services: - name: docker diff --git a/.snyk b/.snyk deleted file mode 100644 index 02231c53..00000000 --- a/.snyk +++ /dev/null 
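Review bot: Both rewritten Slack templates contain the line `*Repo* | *Branch* | *Commit*` with no values after it, so the message shows a row of bold labels and nothing identifying which repo, branch or commit failed — the old template at least interpolated `{{build.commit}}`. Presumably a line such as `{{repo.name}} | {{build.branch}} | {{truncate build.commit 8}}` was meant to follow; without it an alert in `sas-hof-security` needs a click before it can be triaged. Note also that cron_trivy_scan_image_os now fails on `UNKNOWN,LOW` findings with `IGNORE_UNFIXED: false`, so any unfixed LOW in the alpine base will fail security_scans on every run until it is added to `.trivyignore.yaml`; decide whether that exception file or `IGNORE_UNFIXED: true` on the cron steps is the intended release valve, and write the decision next to the setting. `plugins/slack:1.4.1` is pinned by tag only, unlike the node image elsewhere in this change — a digest would be consistent.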
@@ -1,63 +0,0 @@ -# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. -version: v1.22.1 -# ignores vulnerabilities until expiry date; change duration by modifying expiry date -ignore: - SNYK-JS-REQUEST-3361831: - - '*': - reason: HOF framework needs updating to remove request.js - expires: '2024-08-01T00:00:00.000Z' - created: '2023-08-09T13:22:47.350Z' - SNYK-JS-TOUGHCOOKIE-5672873: - - '*': - reason: HOF framework needs updating to remove request.js of which this is a dependency - expires: '2024-08-01T00:00:00.000Z' - created: '2023-08-09T13:22:47.350Z' - SNYK-JS-REQUEST-1314897: - - hof > request: - reason: Need to replace request in HOF - expires: '2024-08-01T14:58:46.388Z' - SNYK-JS-JSONSCHEMA-1920922: - - hof > request > http-signature > jsprim > json-schema: - reason: Need to replace Request - expires: '2024-09-18T12:35:24.867Z' - SNYK-JS-SHELLQUOTE-1766506: - - hof > browserify > shell-quote: - reason: No update currently available - expires: '2024-09-18T12:35:24.867Z' - SNYK-JS-CACHEDPATHRELATIVE-2342653: - - '*': - reason: No direct upgrade or patch - expires: '2024-12-31T17:02:21.865Z' - SNYK-JS-MINIMIST-2429795: - - '*': - reason: No direct upgrade or patch - expires: '2024-11-01T17:02:21.865Z' - SNYK-JS-MARKDOWNIT-6483324: - - hof > markdown-it: - reason: Need to update markdown-it in HOF to version 13.0.2. - expires: '2024-08-09T00:00:00.000Z' - SNYK-JS-AXIOS-6032459: - - hof > notifications-node-client > axios: - reason: Need to update notifications-node-client in HOF to version 8.0.0 - expires: '2024-08-09T00:00:00.000Z' - SNYK-JS-AXIOS-6124857: - - hof > notifications-node-client > axios: - reason: Need to update notifications-node-client in HOF to version 8.0.0. - expires: '2024-08-09T00:00:00.000Z' - SNYK-JS-AXIOS-6144788: - - hof > notifications-node-client > axios: - reason: Need to update notifications-node-client in HOF to version 8.0.0. 
- expires: '2024-08-09T00:00:00.000Z' - SNYK-JS-INFLIGHT-6095116: - - '*': - reason: No direct upgrade or patch available - expires: '2024-08-09T00:00:00.000Z' - SNYK-JS-BRACES-6838727: - - '*': - reason: No direct upgrade or patch available - expires: '2024-08-14T00:00:00.000Z' - SNYK-JS-ASYNC-7414156: - - '*': - reason: No direct upgrade or patch available - expires: '2024-10-08T00:00:00.000Z' -patch: {} diff --git a/Dockerfile b/Dockerfile index ee4f8cd6..1d9b9479 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:18-alpine@sha256:2322b1bb3917b313f2e9308395aa5c39d51b91cc92a5d4d5be6d0451fcfb4d24 +FROM node:20.16.0-alpine3.20@sha256:eb8101caae9ac02229bd64c024919fe3d4504ff7f329da79ca60a04db08cef52 USER root diff --git a/bin/deploy.sh b/bin/deploy.sh index 098ba276..cf7bae13 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh @@ -6,6 +6,8 @@ export INGRESS_INTERNAL_ANNOTATIONS=$HOF_CONFIG/ingress-internal-annotations.yam export INGRESS_EXTERNAL_ANNOTATIONS=$HOF_CONFIG/ingress-external-annotations.yaml export CONFIGMAP_VALUES=$HOF_CONFIG/configmap-values.yaml export NGINX_SETTINGS=$HOF_CONFIG/nginx-settings.yaml +export FILEVAULT_NGINX_SETTINGS=$HOF_CONFIG/filevault-nginx-settings.yaml +export FILEVAULT_INGRESS_EXTERNAL_ANNOTATIONS=$HOF_CONFIG/filevault-ingress-external-annotations.yaml kd='kd --insecure-skip-tls-verify --timeout 10m --check-interval 10s' 
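Review bot: The context line `kd='kd --insecure-skip-tls-verify --timeout 10m --check-interval 10s'` directly below the new FILEVAULT_* exports disables certificate verification for every call the deploy makes to the Kubernetes API, so the credentials kd carries can be intercepted by anything able to sit on the path to the API server; this predates the change, but the new exports extend what runs under it. Unless the cluster genuinely presents an untrusted certificate, drop the flag or supply the cluster CA through the kubeconfig, and if it has to stay, add a comment recording why. The two new FILEVAULT_* paths point at files under `$HOF_CONFIG` that live in another repository; a missing file fails at template time with an unhelpful error, so a guard such as `for f in "$FILEVAULT_NGINX_SETTINGS" "$FILEVAULT_INGRESS_EXTERNAL_ANNOTATIONS"; do [ -f "$f" ] || { echo "missing $f" >&2; exit 1; }; done` would make the failure mode obvious.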
@@ -23,19 +25,23 @@ export KUBE_NAMESPACE=$1 export DRONE_SOURCE_BRANCH=$(echo $DRONE_SOURCE_BRANCH | tr '[:upper:]' '[:lower:]' | tr '/' '-') if [[ ${KUBE_NAMESPACE} == ${BRANCH_ENV} ]]; then + $kd -f kube/file-vault/file-vault-ingress.yml $kd -f kube/configmaps -f kube/certs - $kd -f kube/redis -f kube/app + $kd -f kube/redis -f kube/app -f kube/file-vault elif [[ ${KUBE_NAMESPACE} == ${UAT_ENV} ]]; then + $kd -f kube/file-vault/file-vault-ingress.yml $kd -f kube/configmaps/configmap.yml - $kd -f kube/redis -f kube/app + $kd -f kube/redis -f kube/file-vault -f kube/app elif [[ ${KUBE_NAMESPACE} == ${STG_ENV} ]]; then + $kd -f kube/file-vault/file-vault-ingress.yml $kd -f kube/configmaps/configmap.yml -f kube/app/service.yml $kd -f kube/app/networkpolicy-internal.yml -f kube/app/ingress-internal.yml - $kd -f kube/redis -f kube/app/deployment.yml + $kd -f kube/redis -f kube/file-vault -f kube/app/deployment.yml elif [[ ${KUBE_NAMESPACE} == ${PROD_ENV} ]]; then $kd -f kube/configmaps/configmap.yml -f kube/app/service.yml + $kd -f kube/file-vault/file-vault-ingress.yml $kd -f kube/app/networkpolicy-external.yml -f kube/app/ingress-external.yml - $kd -f kube/redis -f kube/app/deployment.yml + $kd -f kube/redis -f kube/file-vault -f kube/app/deployment.yml fi sleep $READY_FOR_TEST_DELAY diff --git a/kube/file-vault/file-vault-deployment.yml b/kube/file-vault/file-vault-deployment.yml new file mode 100644 index 00000000..dd1a1303 --- /dev/null +++ b/kube/file-vault/file-vault-deployment.yml 
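Review bot: In each branch of the `if` chain the ingress is applied twice: once explicitly via `$kd -f kube/file-vault/file-vault-ingress.yml` and again as part of `-f kube/file-vault`, which applies the whole directory including that file; harmless, but misleading, so either drop the explicit line or, if ingress-before-deployment ordering is deliberate, say so in a comment. The new hostnames are built from `$DRONE_SOURCE_BRANCH` after only lowercasing and `/`→`-`, so a branch name containing `_`, `.` or more than roughly 55 characters yields an invalid DNS label in `fv-<branch>.brp-branch.homeoffice.gov.uk` and in the TLS host list; the sanitisation presumably predates this change but now has a second consumer, and something like `tr -c '[:alnum:]-\n' '-' | cut -c1-40` (or equivalent) would close that gap. The PROD branch also orders things differently from the other three (service/configmap, then ingress, then network policy); aligning the order would make the four branches easier to compare.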
@@ -0,0 +1,209 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault + {{ end }} +spec: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + replicas: 2 + {{ else }} + replicas: 1 + {{ end }} + selector: + matchLabels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-{{ .DRONE_SOURCE_BRANCH }} + service: file-vault-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault + service: file-vault + {{ end }} + template: + metadata: + labels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-{{ .DRONE_SOURCE_BRANCH }} + service: file-vault-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault + service: file-vault + {{ end }} + spec: + containers: + - name: file-vault + image: quay.io/ukhomeofficedigital/file-vault:f4cd1ece1caddc3bfbc8f5db761c593fda79ef12 + imagePullPolicy: Always + resources: + limits: + memory: "1024Mi" + cpu: 200m + requests: + memory: 512Mi + envFrom: + - configMapRef: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: {{ .APP_NAME }}-configmap-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: {{ .APP_NAME }}-configmap + {{ end }} + env: + - name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + - name: FILE_VAULT_URL + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + value: https://fv-{{ .APP_NAME }}.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + value: https://fv-{{ .APP_NAME }}.stg.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} + value: https://fv-{{ .APP_NAME }}.uat.sas-notprod.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} + value: https://fv-{{ .DRONE_SOURCE_BRANCH }}.{{ .BRANCH_ENV }}.homeoffice.gov.uk + - name: DEBUG + value: "true" + {{ end }} + - name: PORT + value: "3000" + - name: CLAMAV_REST_URL + value: https://clamav.virus-scan.svc.cluster.local/scan + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + name: 
sas-{{ .APP_NAME }}-s3 + key: iam_access_key + {{else}} + name: {{ .APP_NAME }}-notprod-s3 + key: access_key_id + {{end}} + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + name: sas-{{ .APP_NAME }}-s3 + key: iam_access_secret + {{else}} + name: {{ .APP_NAME }}-notprod-s3 + key: secret_access_key + {{end}} + - name: AWS_KMS_KEY_ID + valueFrom: + secretKeyRef: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + name: sas-{{ .APP_NAME }}-s3 + {{else}} + name: {{ .APP_NAME }}-notprod-s3 + {{end}} + key: kms_key_id + - name: AWS_BUCKET + valueFrom: + secretKeyRef: + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + name: sas-{{ .APP_NAME }}-s3 + key: s3_bucket_name + {{else}} + name: {{ .APP_NAME }}-notprod-s3 + key: name + {{end}} + - name: AWS_PASSWORD + valueFrom: + secretKeyRef: + name: ses + key: smtp_password + - name: ALLOW_GENERATE_LINK_ROUTE + value: "yes" + securityContext: + runAsNonRoot: true + + - name: keycloak-proxy + image: quay.io/ukhomeofficedigital/gogatekeeper:2.9.2 + resources: + limits: + memory: "1024Mi" + cpu: 200m + env: + - name: PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client + key: secret + - name: PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: keycloak-client + key: id + - name: PROXY_REDIRECTION_URL + {{ if eq .KUBE_NAMESPACE .PROD_ENV }} + value: https://fv-{{ .APP_NAME }}.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + value: https://fv-{{ .APP_NAME }}.stg.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} + value: https://fv-{{ .APP_NAME }}.uat.sas-notprod.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .BRANCH_ENV }} + value: https://fv-{{ .DRONE_SOURCE_BRANCH }}.{{ .BRANCH_ENV }}.homeoffice.gov.uk + {{ end }} + args: + - --listen=:10443 + # the url which is used to retrieve the OpenID configuration + {{ if or (eq .KUBE_NAMESPACE .BRANCH_ENV) (eq .KUBE_NAMESPACE .UAT_ENV) }} + - 
--discovery-url=https://acp-sso.notprod.acp.homeoffice.gov.uk/realms/{{ .APP_NAME }}-notprod + {{ else }} + - --discovery-url=https://sso.digital.homeoffice.gov.uk/auth/realms/{{ .APP_NAME }} + {{ end }} + # the endpoint where requests are proxied to + - --upstream-url=https://127.0.0.1:10444 + # URls that you wish to protect. + - --resources=uri=/* + - --tls-cert=/certs/tls.crt + - --tls-private-key=/certs/tls.key + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + - --verbose=true + {{ end }} + ports: + - containerPort: 10080 + - containerPort: 10443 + securityContext: + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + - mountPath: /etc/ssl/certs + name: bundle + readOnly: true + + - name: nginx-proxy + # nginx-proxy-govuk:v4 + image: quay.io/ukhomeofficedigital/nginx-proxy-govuk@sha256:4470064d0b1d20ae08c5fd85551576cb687f342a22d6cb456fda9b2c4ce8c8df + resources: + limits: + memory: "1024Mi" + cpu: 200m + requests: + memory: 512Mi + env: +{{ file .FILEVAULT_NGINX_SETTINGS | indent 12 }} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - name: bundle + mountPath: /etc/ssl/certs + readOnly: true + volumes: + - name: certs + secret: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + secretName: branch-tls-external + {{ else }} + secretName: file-vault-cert + {{ end }} + - name: bundle + configMap: + name: bundle diff --git a/kube/file-vault/file-vault-ingress.yml b/kube/file-vault/file-vault-ingress.yml new file mode 100644 index 00000000..a4df3e7e --- /dev/null +++ b/kube/file-vault/file-vault-ingress.yml 
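Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: "0"` on the file-vault container switches off certificate verification for every outbound HTTPS call the Node process makes — not only to `https://clamav.virus-scan.svc.cluster.local/scan`, whose internal certificate is presumably the reason, but also to S3/KMS and SES, where the static AWS keys and the uploaded files are sent. The deployment already has a `bundle` configMap mounted into the two proxy sidecars; mount it into file-vault as well and trust it via `NODE_EXTRA_CA_CERTS` instead (the file name inside the bundle needs confirming). While there, the container's securityContext only sets `runAsNonRoot`; `allowPrivilegeEscalation: false` and `capabilities: drop: [ALL]` cost nothing for a Node service. Two smaller items: `ALLOW_GENERATE_LINK_ROUTE: "yes"` is enabled in every environment including PROD with no comment on what that route exposes behind the gatekeeper, and the file-vault image is pinned by a mutable commit tag with `imagePullPolicy: Always` while everything else in this change is digest-pinned.
```yaml
        env:
          # … unchanged: FILE_VAULT_URL, DEBUG, PORT, CLAMAV_REST_URL, AWS_*, ALLOW_GENERATE_LINK_ROUTE …
          # Trust the internal CA bundle instead of disabling verification globally.
          - name: NODE_EXTRA_CA_CERTS
            value: /etc/ssl/certs/ca-bundle.crt  # TODO confirm the file name shipped in the `bundle` configMap
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: [ALL]
        volumeMounts:
          - name: bundle
            mountPath: /etc/ssl/certs
            readOnly: true
```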
@@ -0,0 +1,48 @@ +--- +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-ingress-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault-ingress + {{ end }} +{{ file .FILEVAULT_INGRESS_EXTERNAL_ANNOTATIONS | indent 2 }} +spec: + ingressClassName: nginx-external + tls: + - hosts: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + - fv-{{ .DRONE_SOURCE_BRANCH }}.{{ .BRANCH_ENV }}.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} + - fv-{{ .APP_NAME }}.uat.sas-notprod.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + - fv-{{ .APP_NAME }}.stg.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .PROD_ENV }} + - fv-{{ .APP_NAME }}.sas.homeoffice.gov.uk + {{ end }} + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + secretName: branch-tls-external + {{ else }} + secretName: file-vault-cert + {{ end }} + rules: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + - host: fv-{{ .DRONE_SOURCE_BRANCH }}.{{ .BRANCH_ENV }}.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .UAT_ENV }} + - host: fv-{{ .APP_NAME }}.uat.sas-notprod.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .STG_ENV }} + - host: fv-{{ .APP_NAME }}.stg.sas.homeoffice.gov.uk + {{ else if eq .KUBE_NAMESPACE .PROD_ENV }} + - host: fv-{{ .APP_NAME }}.sas.homeoffice.gov.uk + {{ end }} + http: + paths: + - path: / + backend: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + serviceName: file-vault-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + serviceName: file-vault + {{ end }} + servicePort: 10443 diff --git a/kube/file-vault/file-vault-network-policy.yml b/kube/file-vault/file-vault-network-policy.yml new file mode 100644 index 00000000..cc580e26 --- /dev/null +++ b/kube/file-vault/file-vault-network-policy.yml 
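Review bot: `apiVersion: networking.k8s.io/v1beta1` with the `serviceName`/`servicePort` backend form was removed in Kubernetes 1.22, so on any cluster at that version or later `kd` will fail to apply this manifest and the file-vault host will simply not exist; the repo's other ingress manifests are outside this diff, but this new one should be written against `networking.k8s.io/v1`, where `pathType` is mandatory and the backend moves under `service:`. The class is also hard-coded to `nginx-external` for every environment, including STG_ENV where deploy.sh applies `ingress-internal.yml` and `networkpolicy-internal.yml` for the app; if staging file-vault is meant to be internal-only like the app, the class here and the namespace label in the network policy need the same environment switch, and if it is deliberately external a comment should say so.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
# … unchanged: metadata, annotations, ingressClassName, tls, rules/host …
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }}
                name: file-vault-{{ .DRONE_SOURCE_BRANCH }}
                {{ else }}
                name: file-vault
                {{ end }}
                port:
                  number: 10443
```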
@@ -0,0 +1,29 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-allow-ingress-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault-allow-ingress + {{ end }} +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + name: ingress-external + ports: + - port: 10080 + protocol: TCP + - port: 10443 + protocol: TCP + podSelector: + matchLabels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault + {{ end }} + policyTypes: + - Ingress diff --git a/kube/file-vault/file-vault-service.yml b/kube/file-vault/file-vault-service.yml new file mode 100644 index 00000000..7a1dac3d --- /dev/null +++ b/kube/file-vault/file-vault-service.yml @@ -0,0 +1,29 @@ +--- +apiVersion: v1 +kind: Service +metadata: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault + {{ end }} + labels: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-{{ .DRONE_SOURCE_BRANCH }} + role: service-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault + role: service + {{ end }} +spec: + ports: + - name: http + port: 10080 + - name: https + port: 10443 + selector: + {{ if eq .KUBE_NAMESPACE .BRANCH_ENV }} + name: file-vault-{{ .DRONE_SOURCE_BRANCH }} + {{ else }} + name: file-vault + {{ end }} diff --git a/sonar-project.properties b/sonar-project.properties index 3ce5444d..01886abb 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -1,5 +1,5 @@ -sonar.projectKey=Biometric-Residency-Permit -sonar.projectName=Biometric-Residency-Permit +sonar.projectKey=For-My-Reference-Form +sonar.projectName=For-My-Reference-Form sonar.language=js sonar.sources=apps sonar.tests=test
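Review bot: The policy admits traffic from the `ingress-external` namespace on port 10080 as well as 10443, but the ingress in this diff targets only 10443 and the gatekeeper's `--listen=:10443` serves TLS; nothing in the deployment is visibly bound to 10080, so allowing it only widens the surface — drop the `- port: 10080` entry here and the `http` port from the Service unless something demonstrably relies on it. Nothing in this policy admits pods from the app's own namespace; if the forms app calls file-vault in-cluster (rather than through the public hostname behind Keycloak) it will be denied unless another policy allows same-namespace traffic, which is worth confirming before this ships. The selector keys on `name:` alone, as do the Deployment and Service in this change, so a rename must update all three together — a short comment noting that coupling would help.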