* feat(helm): s3 configuration can be loaded from configmap
- Variables for s3's configuration can now be read in from a configmap in the cluster. This allows
deployment tooling, such as Terraform or CloudFormation, to dynamically create an s3 bucket and
create a configmap with the necessary values. This decouples the cluster deployment from the helm
release.
* Update values.schema.json for helm chart
- also include changes from a previous commit that had not been included previously
* feat(helm chart): secrets can be referenced from different kubernetes Secret resources
Currently secrets have to be referenced from a single kubernetes Secret resource (default name
'server-vars'). This PR allows each secret to be loaded from a separate kubernetes Secret. If
values for individual secrets are not provided, it defaults to the previous single kubernetes
resource. This single kubernetes secret should now be considered deprecated in favour of individual
references.
* Fix error in Redis key
* Fix DNS egress for Redis in CiliumNetworkPolicy
- only give access to optional secrets if the component is enabled
* Values should be empty by default to allow for backwards compatibility
* fix(helm chart): allow egress in server Network Policies to Apollo
The Cilium and Kubernetes network policies currently do not allow egress from the server to Apollo
for graphql monitoring.
Kubernetes Network Policies don't allow domain names. We have an open support ticket with Apollo
Studio to request which CIDR to limit egress to. Until then, we will need to open egress to
everywhere if a Kubernetes Network Policy is used.
* fix(helm chart): remove unused values from helm chart
Previous commit introduced two additional values that are not being used for s3. This commit
removes them.
* Looks up domain or IP from secret for redis and postgres
- undertakes a kubectl get on the secret. The user or service account that deploys helm must have permissions to view the secret.
- fix: matchName for domain instead of matchPattern
- fix: typo in protocol
* Only allow monitoring ingress if monitoring is enabled
* Port can be determine from the provided secret
- updates values.yaml to only require port for postgres and redis for inCluster endpoints
* feat(helm chart): deployes Cilium Network Policies when configured
Cilium Network Policies provide more features over regular Kubernetes Network Policies, but Cilium
is not available everywhere. When selected by an operator, Cilium Network Policies will be deployed
instead of Kubernetes Network Policies.
Fixes https://github.com/specklesystems/speckle-server/issues/913
* Cilium Network Policy for fileimport service.
* tested only for external host.
* Still to test internal pod and external IP.
* Cilium network policy for file import service restricts DNS
* allows egress to service instead of endpoint
* file import service uses service url of speckle-server
* helper functions for server and dns
* DRY the prometheus selector
* CiliumNetworkPolicy for frontend
* CiliumNetworkPolicy for monitoring service
* CiliumNetworkPolicy for preview service
* CiliumNetworkPolicy for test
* CiliumNetworkPolicy for webhook_service
* CiliumNetworkPolicy for Server
* Test should egress to domain, not internally
* Test should be in tests directory to match Helm convention for tests
* Test should explicitly deny ingress from everywhere
* Server needs to egress to canonical domain (i.e. itself)
- DNS and egress for canonical domain added to Server
- As Test also egresses via canonical domain to access Server, we do not require the intra-cluster ingress to the server from the test pod
- Explicitly deny all egress from frontend
* WIP update to schema.json
* Breaking Change: inCluster network policies supported for cilium
* Breaking change: kubernetes network policy podSelector and namespaceSelector are now at a different level
* Updates schema.json
* add notes to remove egress once bug is fixed
- perf(server, webhook-service): production images are based on distroless
Reduces image file size by >40% for images which can use distroless base image. As
well as improving boot-up & restart time (via smaller download & load size), Distroless reduces the
attack surface area by removing almost all binaries & packages (e.g. shell, chown) that are not
necessary to run node.
- ensures distroless node images run tini
- removes fonts-dejavu-core and fontconfig from speckle-server
- Remove man and doc files if they exist
- args hoisted to top of Dockerfile and consolidated
- env vars consolidated to prevent additional layers
address https://github.com/specklesystems/speckle-server/issues/883
ServiceAccounts for each service do not mount service account token (which allows access to the
kubernetes API), and limit the secrets each user of the service account has access to.
Fixes https://github.com/specklesystems/speckle-server/issues/859
* feat(helm chart): node affinities, tolerations etc. are configurable
Kubernetes operators should be able to configure Speckle to be deployed on certain nodes based on
rules they provide. This commit allows affinity, nodeSelector, tolerations, and
topologySpreadConstrains to be provided by the operator.
fixes https://github.com/specklesystems/speckle-server/issues/861
Fileimport service retreives blobs via the server storage API, and not directly from s3. Fileimport
service no longer requires information or credentials about s3.
* Allow save object to S3 in different region
* feat(helm & docker-compose): adds S3_REGION to helm chart & docker-compose
Explicitly adding the environment variable to deployment configuration files provides system operators with documentation of its existence.
Set to empty by default, which will result in the default value being used.
Co-authored-by: Iain Sproat <68657+iainsproat@users.noreply.github.com>
* feat(helm chart): network policies are provided for all services
Network policies are used to deny arbitrary egress and ingress to a pod, providing more security
hardening.
Fix https://github.com/specklesystems/speckle-server/issues/860
* NetworkPolicies for remaining services
* Network policies are configurable but enabled by default
* fix to naming
* Use named port
* Helper function for defining redis egress
* Network policy is more tightly defined to port for service if fqdn
* if an IP is provided for redis, postgres, or blob storage, egress is limited to that IP
* Note about limitations
* Simplifies networkpolicy logic by requiring variables to be provided in values.yaml
* default disable networkpolicy, otherwise end users will have to provide all the additional values and that could become confusing
* supports dependencies being deployed within the same cluster
* Disable network policies by default
* Ensure the host name does not contain a port
* Exclude (likely) kubernetes IP ranges from allowed egress
* Add explicit ingress to the server from fileimport and test
* disable test networkpolicy if test is disabled
* Allow egress to sentry
* remove access to s3 from preview service
* remove access to redis from fileimport service
* Allow prometheus ingress to metrics endpoints
* tightens ingress by restricting to the prometheus pod in a single namespace
* Limit ingress on the server to the nginx ingress controller and prometheus
* Limit ingress to frontend to just the nginx ingress controller
* Fileimport does not require s3
* feat(helm chart): prometheus monitoring namespace and release name should be configurable
Currently Speckle assumes prometheus is deployed in the 'speckle' namespace and is deployed as a
release named 'kube-prometheus-stack'. This commit introduces non-breaking changes that allow
custom values for these to be provided, defaulting to the current assumed values if they are not
provided.
fixes https://github.com/specklesystems/speckle-server/issues/863
* Fix serviceMonitor so that it can find services in a different namespace
* Namespace selector is not required if the default namespace is being used
* feat(helm chart): add SecurityContext to pods and containers
Speckle pods should run with minimal privileges and capabilities to function.
Fix https://github.com/specklesystems/speckle-server/issues/857
* Update securityContext for all pods
* frontend runs as nonroot and readonly root filesystem
- set fsgroup for all pods with volumes
* Frontend requires write directory at /etc/nginx/conf.d
* Allow openresty log directory to be writable
* feat(helm local test): add test container into the make script
Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
* Adds hadolint as pre-commit step
* Addresses all hadolint comments
* Use noninteractive apt-get frontend and clean after install
* dockerfile RUN statements are consolidated to prevent additional layers
* installed packages have pinned versions
* build(circleci): use speckle pre-commit runner with built-in hadolint
* Integrate pre-commit with husky bash script for git pre-commit hooks
* catches errors in bash
* if pre-commit is installed, it is run
* if optional additional binaries are installed, further pre-commit steps are run
* Update README with revised developer instructions
* Adds a pre-commit yarn script
* refactor(helm chart): dRY for some labels
* Metadata for Chart.yaml
* refactor(helm chart): dRY using common selector labels
Able to remove `app` and `project` labels from each template and incorporate into definitions
* feat: adding extra apollo studio env vars to helm chart
* made apollo read version from SPECKLE_SERVER_VERSION
* moved from graph_ref to graph_id
* changing up some values
* feat(server): add server authz pipeline rework first sketch
* feat(server authz): add new server authz middleware poc implementation
* test(server authz): add unittests for the new server authz workflow
* feat(wip rework of fileuploads vs blob storage): add basim impl of separate blob storage service
* feat(fileimport service): refactored file import service to utilize the new asssetstorage service
* refactor(server errors): refactor server errors to use the shared module definitions
Now all the errors inherit from BaseError
* refactor(fileimport service): cleanup after refactor
* feat(frontend fileimports): use the new blob storage for downloading the original file
* refactor(server fileimports): clean up the remnants of S3 storage from file imports
* refactor(server authz): centralize generic authz pipeline configs
* refactor(server blob storage): refactor / rename everything to use the `blob-storage` name
* ci(circleci): add s3 objectstorage environment variables
* ci(circleci): fix missing env variables
* ci(circleci): add minio test container
* ci(circleci): fix minio app startup
* ci(circleci): enable circleci remote docker
* ci(circleci): fix minio startup
* ci(cirleci): detach and wait properly for minio to start
* ci(circleci): revert to additional minio img config, it only fails when the container is stopped ?!
* ci(circleci): disable file uploads
* fix(fileimports): update with blob storage refactor leftovers
* feat(server blob storage): add blob storage graphql api
* refactor(server errors): merge new errors to shared module
* fix(server comments rte): fix import for RTE error
* chore(fileimports): remove node-fetch from dependency
* chore(server): remove body parser dependency
* fix(server blob storage): fix gql api
* fix(frontend): fix fileupload item not loading the new upload status, cause of premature event fire
* feat(server blob storage): fix file size limit and allow for public streams
* Update packages/server/modules/blobstorage/graph/schemas/blobstorage.graphql
Co-authored-by: Kristaps Fabians Geikins <fabis94@live.com>
* chore(blobstorage): fix PR review issues
* fix(server): fix import bugs
* test(server): blob storage first test
* test(server blob services): add tests for blob storage services
* test(server blob storage): add service and rest api tests
* test(server blob storage): add server blob storage graphql api tests
* feat(server blob storage): store and make available blob fileHash attribute
* feat(server authz): add fatal failure option to server authz pipeline
* test(server authz): add optional stream context checks with tests
* feat(monitor deployment): add shutdown signal handling to monitor deployment container
Co-authored-by: Kristaps Fabians Geikins <fabis94@live.com>
* feat(server): add server authz pipeline rework first sketch
* feat(server authz): add new server authz middleware poc implementation
* test(server authz): add unittests for the new server authz workflow
* feat(wip rework of fileuploads vs blob storage): add basim impl of separate blob storage service
* feat(fileimport service): refactored file import service to utilize the new asssetstorage service
* refactor(server errors): refactor server errors to use the shared module definitions
Now all the errors inherit from BaseError
* refactor(fileimport service): cleanup after refactor
* feat(frontend fileimports): use the new blob storage for downloading the original file
* refactor(server fileimports): clean up the remnants of S3 storage from file imports
* refactor(server authz): centralize generic authz pipeline configs
* refactor(server blob storage): refactor / rename everything to use the `blob-storage` name
* ci(circleci): add s3 objectstorage environment variables
* ci(circleci): fix missing env variables
* ci(circleci): add minio test container
* ci(circleci): fix minio app startup
* ci(circleci): enable circleci remote docker
* ci(circleci): fix minio startup
* ci(cirleci): detach and wait properly for minio to start
* ci(circleci): revert to additional minio img config, it only fails when the container is stopped ?!
* ci(circleci): disable file uploads
* fix(fileimports): update with blob storage refactor leftovers
* feat(server blob storage): add blob storage graphql api
* refactor(server errors): merge new errors to shared module
* fix(server comments rte): fix import for RTE error
* chore(fileimports): remove node-fetch from dependency
* chore(server): remove body parser dependency
* fix(server blob storage): fix gql api
* fix(frontend): fix fileupload item not loading the new upload status, cause of premature event fire
* feat(server blob storage): fix file size limit and allow for public streams
* Update packages/server/modules/blobstorage/graph/schemas/blobstorage.graphql
Co-authored-by: Kristaps Fabians Geikins <fabis94@live.com>
* chore(blobstorage): fix PR review issues
* fix(server): fix import bugs
* chore(docker): ignore python venv data for docker build context
* feat(knex): update knex configuration with min max connections and application_name
* feat(helm chart): configure postgres max connections for server in the helm chart
Co-authored-by: Kristaps Fabians Geikins <fabis94@live.com>
* ci(circleci): publish npm packages with the implicit default `latest` tag
* feat(helm chart): add a conditional flag for creating k8s namespace in the helm chart
* fix(server package.json): fix cross-env variable string naming
fix#780
Iain Sproat