Merge pull request #6 from cfpb/add-gha

Add Deployment GitHub Action, Helm Chart Modifications, and S3 Connections

.github/workflows/friendly-umbrella-deploy.yml

@@ -0,0 +1,75 @@
+name: Deploy Friendly-Umbrella
+on:
+  push:
+jobs:
+  build:
+    runs-on:
+      - codebuild-cfpb-cfgov-testing-gha-${{ github.run_id }}-${{ github.run_attempt }}
+    steps:
+      - name: Checkout Friendly-Umbrella
+        uses: actions/checkout@v2
+
+      - name: Retrieve Security Scan Secrets
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: |
+            , ${{ secrets.SECURITY_SCAN_SECRET }}
+          parse-json-secrets: true
+
+      - name: Build Docker Image
+        run: |      
+
+          # Build Friendly-Umbrella Image
+          docker build -t ${{ secrets.ECR_REPO }}:$GITHUB_SHA .
+
+      - name: Security Scan with Twistlock
+        run: |  
+
+          curl -k -u "$TL_USER:$TL_PASSWORD" "$TL_CONSOLE_URL/api/v1/util/twistcli" --output twistcli
+          chmod +x twistcli
+
+          ./twistcli images scan --details -address "${TL_CONSOLE_URL}" -u  "${TL_USER}" -p "${TL_PASSWORD}" ${{ secrets.ECR_REPO }}:$GITHUB_SHA tee twistcli.log; EXITCODE=$?
+
+      
+      - name: Push to ECR
+        run: |
+
+          # Login to ECR
+          aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username ${{ secrets.AWS_USERNAME }} --password-stdin ${{ secrets.ECR_REGISTRY }} 
+          
+          # Push to ECR
+          docker push ${{ secrets.ECR_REPO }}:$GITHUB_SHA
+
+      - name: Install K8s/Helm
+        run: |
+
+          # Install Helm 
+          curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+          chmod 700 get_helm.sh
+          ./get_helm.sh
+
+          # Install kubectl 
+          curl -o ./kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl
+          curl -o ./kubectl.sha256 https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl.sha256
+          (diff  <(openssl sha256 kubectl | awk {'print $2'}) <(cat kubectl.sha256 | awk {'print $1'}) &&
+            echo 'kubectl checksum matches, enabling usage') || (echo 'kubectl checksum failed, exiting' && exit 1)
+          chmod +x kubectl
+          mkdir -p $HOME/bin && mv kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
+          echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
+          source ~/.bashrc
+          kubectl version --client
+
+          # Update kubeconfig to point to EKS Cluster
+          aws eks update-kubeconfig --name $CLUSTER_NAME --region us-east-1
+
+      - name: Install Helm Chart on EKS
+        run: >
+          helm upgrade --install friendly-umbrella ./helm 
+          -n ${{ secrets.NAMESPACE }} -f ./helm/values.yaml
+          --set image.repository=${{ secrets.ECR_REPO }}
+          --set image.tag=$GITHUB_SHA
+          --set mapping.host=${{ secrets.HOST }}
+          --set serviceAccount.name=${{ secrets.K8S_SERVICE_ACCOUNT }}
+          --set config.AWS_STORAGE_BUCKET_NAME=${{ secrets.BUCKET_NAME }}
+          --set serviceAccount.name=${{ secrets.K8S_SERVICE_ACCOUNT }}
+          --set config.AWS_STORAGE_BUCKET_NAME=${{ secrets.BUCKET_NAME }}

friendly_umbrella/settings.py

@@ -39,6 +39,7 @@
 
 ALLOWED_HOSTS = ["*"]
 
+CSRF_TRUSTED_ORIGINS = ["https://*.cfpb.gov"]
 
 # Application definition
 
@@ -139,18 +140,11 @@
 
 DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 
-
-# If AWS credentials and a bucket are provided, use S3 for file upload storage
-AWS_ACCESS_KEY_ID = os.getenv("AWS_ACCESS_KEY_ID")
-AWS_SECRET_ACCESS_KEY = os.getenv("AWS_SECRET_ACCESS_KEY")
-AWS_STORAGE_BUCKET_NAME = os.getenv("AWS_STORAGE_BUCKET_NAME")
-if (
-    AWS_ACCESS_KEY_ID is not None
-    and AWS_SECRET_ACCESS_KEY is not None
-    and AWS_STORAGE_BUCKET_NAME is not None
-):
+# Use S3 for file storage if a bucket name is provided.
+if _aws_s3_bucket := os.getenv("AWS_STORAGE_BUCKET_NAME"):
     DEFAULT_FILE_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
+    AWS_STORAGE_BUCKET_NAME = _aws_s3_bucket
 
-    # Allow setting AWS_S3_ENDPOINT_URL to enable testing against a local S3
-    if os.getenv("AWS_S3_ENDPOINT_URL") is not None:
-        AWS_S3_ENDPOINT_URL = os.getenv("AWS_S3_ENDPOINT_URL")
+    # Allow testing against a mock S3 using Localstack and awslocal.
+    if _s3_endpoint_url := os.getenv("AWS_S3_ENDPOINT_URL"):
+        AWS_S3_ENDPOINT_URL = _s3_endpoint_url

helm/templates/configmap.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata: 
+    name: {{ .Release.Name }}-configmap
+data:
+    {{- with .Values.config }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

helm/templates/deployment.yaml

@@ -32,6 +32,9 @@ spec:
           image: "{{ .repository }}:{{ .tag }}"
           imagePullPolicy: {{ .pullPolicy }}
           {{- end }}
+          envFrom:
+            - configMapRef:
+                name: {{ .Release.Name }}-configmap
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

helm/templates/mapping.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.mapping.enabled }}
+---
+apiVersion: getambassador.io/v2
+kind: Mapping
+metadata:
+  name: {{ include "friendly-umbrella.fullname" . }}
+  labels:
+    {{- include "friendly-umbrella.labels" . | nindent 4 }}
+spec:
+  ambassador_id:
+    {{- toYaml .Values.mapping.ambassador_id | nindent 4 }}
+  host: {{ .Values.mapping.host }}
+  prefix: {{ .Values.mapping.prefix | default "/" }}
+  service: {{ include "friendly-umbrella.fullname" . }}:{{ .Values.service.port }}
+  timeout_ms: 0
+{{- end }}

helm/values.yaml

@@ -9,3 +9,14 @@ service:
 
 serviceAccount:
   create: false
+  name: service-account-name
+
+config:
+  AWS_STORAGE_BUCKET_NAME: bucket_name
+
+mapping:
+  enabled: true
+  host: "friendly-umbrella.localhost"
+  ambassador_id:
+    - "--apiVersion-v3alpha1-only--default"
+  prefix: "/"