- perf(server, webhook-service): production images are based on distroless
Reduces image file size by >40% for images which can use a distroless base image. As
well as improving boot-up & restart time (via smaller download & load size), Distroless reduces the
attack surface area by removing almost all binaries & packages (e.g. shell, chown) that are not
necessary to run node.
- ensures distroless node images run tini
- removes fonts-dejavu-core and fontconfig from speckle-server
- Remove man and doc files if they exist
- args hoisted to top of Dockerfile and consolidated
- env vars consolidated to prevent additional layers
address https://github.com/specklesystems/speckle-server/issues/883
ServiceAccounts for each service do not mount the service account token (which allows access to the
kubernetes API), and limit the secrets each user of the service account has access to.
Fixes https://github.com/specklesystems/speckle-server/issues/859
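As an added example (not chart code from the project), a ServiceAccount that never mounts the API token, paired with a Deployment that opts out again at pod level and exposes only the secret keys it needs; the names, namespace, image and secret key are assumed placeholders:

```yaml
# Added example, not the chart's own template. All names below are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: speckle-server   # assumed name
  namespace: speckle     # assumed namespace
# No token is projected into pods that use this account, so a compromised
# process in the pod has nothing to present to the Kubernetes API.
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: speckle-server
  namespace: speckle
spec:
  replicas: 1
  selector:
    matchLabels:
      app: speckle-server
  template:
    metadata:
      labels:
        app: speckle-server
    spec:
      serviceAccountName: speckle-server
      # The pod-level setting takes precedence, so the token stays out even
      # if someone later re-enables mounting on the ServiceAccount itself.
      automountServiceAccountToken: false
      containers:
        - name: server
          image: PLACEHOLDER_IMAGE   # assumed image reference
          env:
            # Only the keys this service needs are exposed; the rest of the
            # secret, and every other secret, stays invisible to the container.
            - name: POSTGRES_URL
              valueFrom:
                secretKeyRef:
                  name: speckle-server-secrets   # assumed secret name
                  key: postgres_url              # assumed key
```

To confirm the setting took effect, `kubectl get pod <pod> -o jsonpath='{.spec.automountServiceAccountToken}'` should print `false` and the pod spec should list no `kube-api-access-*` volume.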
* feat(helm chart): node affinities, tolerations etc. are configurable
Kubernetes operators should be able to configure Speckle to be deployed on certain nodes based on
rules they provide. This commit allows affinity, nodeSelector, tolerations, and
topologySpreadConstraints to be provided by the operator.
fixes https://github.com/specklesystems/speckle-server/issues/861
Fileimport service retrieves blobs via the server storage API, and not directly from S3. Fileimport
service no longer requires information or credentials about S3.
* Allow save object to S3 in different region
* feat(helm & docker-compose): adds S3_REGION to helm chart & docker-compose
Explicitly adding the environment variable to deployment configuration files provides system operators with documentation of its existence.
Set to empty by default, which will result in the default value being used.
Co-authored-by: Iain Sproat <68657+iainsproat@users.noreply.github.com>
* feat(helm chart): network policies are provided for all services
Network policies are used to deny arbitrary egress and ingress to a pod, providing more security
hardening.
Fix https://github.com/specklesystems/speckle-server/issues/860
* NetworkPolicies for remaining services
* Network policies are configurable but enabled by default
* fix to naming
* Use named port
* Helper function for defining redis egress
* Network policy is more tightly defined to port for service if fqdn
* if an IP is provided for redis, postgres, or blob storage, egress is limited to that IP
* Note about limitations
* Simplifies networkpolicy logic by requiring variables to be provided in values.yaml
* default disable networkpolicy, otherwise end users will have to provide all the additional values and that could become confusing
* supports dependencies being deployed within the same cluster
* Disable network policies by default
* Ensure the host name does not contain a port
* Exclude (likely) kubernetes IP ranges from allowed egress
* Add explicit ingress to the server from fileimport and test
* disable test networkpolicy if test is disabled
* Allow egress to sentry
* remove access to s3 from preview service
* remove access to redis from fileimport service
* Allow prometheus ingress to metrics endpoints
* tightens ingress by restricting to the prometheus pod in a single namespace
* Limit ingress on the server to the nginx ingress controller and prometheus
* Limit ingress to frontend to just the nginx ingress controller
* Fileimport does not require s3
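The rules listed above, written out for the server pod as an added example (not the chart's own template): default deny in both directions, ingress only from the nginx ingress controller and prometheus, egress pinned to a single postgres IP, and Internet egress that carves out the cluster's private ranges. Labels, namespaces, the postgres IP and the CIDRs are assumed placeholders; the `kubernetes.io/metadata.name` namespace label is set automatically from Kubernetes 1.21 onwards.

```yaml
# Added example (not the chart's own template): ingress and egress for the
# server pod, following the commit list above. Labels, namespaces, the
# postgres IP and the cluster CIDRs are assumed placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: speckle-server
  namespace: speckle
spec:
  podSelector:
    matchLabels:
      app: speckle-server
  # Listing both types means any traffic not matched below is denied.
  policyTypes: [Ingress, Egress]
  ingress:
    # Only the nginx ingress controller may reach the app port ...
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: ingress-nginx}
          podSelector:
            matchLabels: {app.kubernetes.io/name: ingress-nginx}
      ports: [{port: http, protocol: TCP}]      # named container port
    # ... and only prometheus in the monitoring namespace may scrape metrics.
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: monitoring}
          podSelector:
            matchLabels: {app.kubernetes.io/name: prometheus}
      ports: [{port: metrics, protocol: TCP}]
  egress:
    # DNS inside the cluster.
    - to:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
          podSelector: {matchLabels: {k8s-app: kube-dns}}
      ports: [{port: 53, protocol: UDP}, {port: 53, protocol: TCP}]
    # Postgres at a single IP: pin egress to /32 when an IP is configured.
    - to: [{ipBlock: {cidr: 203.0.113.10/32}}]
      ports: [{port: 5432, protocol: TCP}]
    # Anything else external (e.g. sentry): allow the Internet but carve out
    # the private ranges a cluster typically uses for pods, services and nodes.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
      ports: [{port: 443, protocol: TCP}]
```

`kubectl describe networkpolicy speckle-server -n speckle` prints the resolved rules; keep in mind that a NetworkPolicy is only enforced when the cluster's CNI plugin implements it, otherwise it is silently ignored.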
* feat(helm chart): prometheus monitoring namespace and release name should be configurable
Currently Speckle assumes prometheus is deployed in the 'speckle' namespace and is deployed as a
release named 'kube-prometheus-stack'. This commit introduces non-breaking changes that allow
custom values for these to be provided, defaulting to the current assumed values if they are not
provided.
fixes https://github.com/specklesystems/speckle-server/issues/863
* Fix serviceMonitor so that it can find services in a different namespace
* Namespace selector is not required if the default namespace is being used
* feat(helm chart): add SecurityContext to pods and containers
Speckle pods should run with minimal privileges and capabilities to function.
Fix https://github.com/specklesystems/speckle-server/issues/857
* Update securityContext for all pods
* frontend runs as nonroot and readonly root filesystem
- set fsgroup for all pods with volumes
* Frontend requires write directory at /etc/nginx/conf.d
* Allow openresty log directory to be writable
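The frontend settings from the commits above as an added example (not the chart's own template): the pod runs non-root with an fsGroup, the container drops all capabilities on a read-only root filesystem, and the two directories openresty must write to are backed by emptyDir volumes. The UID/GID, port, image and the openresty log path are assumed placeholders.

```yaml
# Added example, not the chart's own template. UID/GID, port, image and the
# log path are assumed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: speckle-frontend
  namespace: speckle
spec:
  selector:
    matchLabels: {app: speckle-frontend}
  template:
    metadata:
      labels: {app: speckle-frontend}
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 20000      # assumed; must be a non-root user present in the image
        runAsGroup: 30000     # assumed
        fsGroup: 30000        # mounted volumes become group-writable by this GID
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: frontend
          image: PLACEHOLDER_IMAGE   # assumed image reference
          # Unprivileged port: binding below 1024 would need NET_BIND_SERVICE.
          ports: [{name: http, containerPort: 8080}]   # assumed port
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: [ALL]}
          volumeMounts:
            # nginx config is generated at start-up, so this path must be writable.
            - {name: nginx-conf, mountPath: /etc/nginx/conf.d}
            # openresty log directory; the exact path is assumed.
            - {name: openresty-logs, mountPath: /var/log/openresty}
      volumes:
        - {name: nginx-conf, emptyDir: {}}
        - {name: openresty-logs, emptyDir: {}}
```

With `readOnlyRootFilesystem: true`, any further path the image tries to write shows up as a permission error in the container logs, which is the quickest way to find directories that still need an emptyDir.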
* feat(helm local test): add test container into the make script
Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
* fix(pull request template): PR template should be the default and not an option
- PR template was in a directory which allows selection using queries. The PR template should be
provided by default so should be renamed and placed in the .github directory.
- Remove obsolete template
* Adds hadolint as pre-commit
* Addresses all hadolint comments
* Hadolint docker works when entrypoint explicitly provided
* Use noninteractive apt-get frontend and clean after install
* build(circleci): filters for pre-commit should be same as for test-server
* remove cache prefix as not currently necessary due to pre-commit-config.yaml changing
* build(circleci): enable remote docker for pre-commit
* build(circleci): use speckle pre-commit runner with built-in hadolint
* build(server): dockerfile RUN statements are consolidated
Each RUN statement in a Dockerfile creates a new layer. Hadolint rule DL3059 suggests they should
be consolidated.
* Improve husky bash script to catch errors
* Integrates pre-commit with husky
* pre-commit should now be run by husky on every commit
* pre-commit which requires additional installed dependencies is moved to separate file
* Update README for revised developer instructions
* Updates pre-commit yarn script
* refactor(pre-commit): make everyone happy with loosely integrating husky and pre-commit scripts
* chore(clean up pre-commit configs): clean some more pre-commit mess
* chore(pre-commit): run pre-commit in ci too
* fix(husky pre-commit): fix ci build husky invocation, the script is not committed to git
* fix(circleci config): install yarn packages for linting in pre-commit
* fix(pre-commit): fix shellcheck disable comment placement
* fix(pre-commit): add shellcheck ignore
* fix(pre-commit husky): fix shellcheck ignore version
Co-authored-by: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Branch names are being used for docker tags. Docker tags only accept ascii letters and digits,
underscore, period and dash. This changes sanitised branch names to conform to this.
* Adds hadolint as pre-commit step
* Addresses all hadolint comments
* Use noninteractive apt-get frontend and clean after install
* dockerfile RUN statements are consolidated to prevent additional layers
* installed packages have pinned versions
* build(circleci): use speckle pre-commit runner with built-in hadolint
* Integrate pre-commit with husky bash script for git pre-commit hooks
* catches errors in bash
* if pre-commit is installed, it is run
* if optional additional binaries are installed, further pre-commit steps are run
* Update README with revised developer instructions
* Adds a pre-commit yarn script