Refactor ingress configuration to remove SSL redirect and force SSL r…

…edirect annotations, and change backend protocol to HTTP for monitoring-ingress resource
adamlahbib · Nov 18, 2024 · 282e679 · 282e679
1 parent 9c5ce4b
commit 282e679
Show file tree

Hide file tree

Showing 18 changed files with 3,051 additions and 25 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1 @@
+readme.md
diff --git a/.github/actions/terraform-apply/action.yaml b/.github/actions/terraform-apply/action.yaml
@@ -44,6 +44,9 @@ inputs:
   TAILSCALE_CLIENT_SECRET:
     description: 'Tailscale Client Secret'
     required: true
+  CROWDSEC_ENROLL_KEY:
+    description: 'CrowdSec Enroll Key'
+    required: true
 
 runs:
   using: 'composite'
@@ -65,6 +68,7 @@ runs:
         TF_VAR_SLACK_WEBHOOK: ${{ inputs.SLACK_WEBHOOK }}
         TF_VAR_TAILSCALE_CLIENT_ID: ${{ inputs.TAILSCALE_CLIENT_ID }}
         TF_VAR_TAILSCALE_CLIENT_SECRET: ${{ inputs.TAILSCALE_CLIENT_SECRET }}
+        TF_VAR_CROWDSEC_ENROLL_KEY: ${{ inputs.CROWDSEC_ENROLL_KEY }}
       uses: dflook/terraform-apply@v1
       with:
         path: ./terraform

diff --git a/.github/actions/terraform-destroy/action.yaml b/.github/actions/terraform-destroy/action.yaml
@@ -44,6 +44,9 @@ inputs:
   TAILSCALE_CLIENT_SECRET:
     description: 'Tailscale Client Secret'
     required: true
+  CROWDSEC_ENROLL_KEY:
+    description: 'CrowdSec Enroll Key'
+    required: true
 
 runs:
   using: 'composite'
@@ -65,6 +68,7 @@ runs:
         TF_VAR_SLACK_WEBHOOK: ${{ inputs.SLACK_WEBHOOK }}
         TF_VAR_TAILSCALE_CLIENT_ID: ${{ inputs.TAILSCALE_CLIENT_ID }}
         TF_VAR_TAILSCALE_CLIENT_SECRET: ${{ inputs.TAILSCALE_CLIENT_SECRET }}
+        TF_VAR_CROWDSEC_ENROLL_KEY: ${{ inputs.CROWDSEC_ENROLL_KEY }}
       uses: dflook/terraform-destroy@v1
       with:
         path: ./terraform

diff --git a/.github/actions/terraform-plan/action.yaml b/.github/actions/terraform-plan/action.yaml
@@ -47,6 +47,9 @@ inputs:
   TAILSCALE_CLIENT_SECRET: 
     description: 'Tailscale Client Secret'
     required: true
+  CROWDSEC_ENROLL_KEY:
+    description: 'CrowdSec Enroll Key'
+    required: true
 
 runs:
   using: 'composite'
@@ -72,6 +75,7 @@ runs:
         TF_VAR_SLACK_WEBHOOK: ${{ inputs.SLACK_WEBHOOK }}
         TF_VAR_TAILSCALE_CLIENT_ID: ${{ inputs.TAILSCALE_CLIENT_ID }}
         TF_VAR_TAILSCALE_CLIENT_SECRET: ${{ inputs.TAILSCALE_CLIENT_SECRET }}
+        TF_VAR_CROWDSEC_ENROLL_KEY: ${{ inputs.CROWDSEC_ENROLL_KEY }}
       uses: dflook/terraform-plan@v1
       with:
         path: ./terraform

diff --git a/.github/workflows/destroy.yaml b/.github/workflows/destroy.yaml
@@ -17,6 +17,7 @@ env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
   TAILSCALE_CLIENT_ID: ${{ secrets.TAILSCALE_CLIENT_ID }}
   TAILSCALE_CLIENT_SECRET: ${{ secrets.TAILSCALE_CLIENT_SECRET }}
+  CROWDSEC_ENROLL_KEY: ${{ secrets.CROWDSEC_ENROLL_KEY }}
 
 jobs:
   terraform-destroy:
@@ -55,4 +56,5 @@ jobs:
           CLOUDFLARE_API_TOKEN: ${{ env.CLOUDFLARE_API_TOKEN }}
           SLACK_WEBHOOK: ${{ env.SLACK_WEBHOOK }}
           TAILSCALE_CLIENT_ID: ${{ env.TAILSCALE_CLIENT_ID }}
-          TAILSCALE_CLIENT_SECRET: ${{ env.TAILSCALE_CLIENT_SECRET }}
+          TAILSCALE_CLIENT_SECRET: ${{ env.TAILSCALE_CLIENT_SECRET }}
+          CROWDSEC_ENROLL_KEY: ${{ env.CROWDSEC_ENROLL_KEY }}
diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml
@@ -25,6 +25,7 @@ env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
   TAILSCALE_CLIENT_ID: ${{ secrets.TAILSCALE_CLIENT_ID }}
   TAILSCALE_CLIENT_SECRET: ${{ secrets.TAILSCALE_CLIENT_SECRET }}
+  CROWDSEC_ENROLL_KEY: ${{ secrets.CROWDSEC_ENROLL_KEY }}
 
 jobs: 
   terraform-plan:
@@ -64,4 +65,5 @@ jobs:
           CLOUDFLARE_API_TOKEN: ${{ env.CLOUDFLARE_API_TOKEN }}
           SLACK_WEBHOOK: ${{ env.SLACK_WEBHOOK }}
           TAILSCALE_CLIENT_ID: ${{ env.TAILSCALE_CLIENT_ID }}
-          TAILSCALE_CLIENT_SECRET: ${{ env.TAILSCALE_CLIENT_SECRET }}
+          TAILSCALE_CLIENT_SECRET: ${{ env.TAILSCALE_CLIENT_SECRET }}
+          CROWDSEC_ENROLL_KEY: ${{ env.CROWDSEC_ENROLL_KEY }}
diff --git a/.github/workflows/sync-and-deploy.yaml b/.github/workflows/sync-and-deploy.yaml
@@ -22,6 +22,7 @@ env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
   TAILSCALE_CLIENT_ID: ${{ secrets.TAILSCALE_CLIENT_ID }}
   TAILSCALE_CLIENT_SECRET: ${{ secrets.TAILSCALE_CLIENT_SECRET }}
+  CROWDSEC_ENROLL_KEY: ${{ secrets.CROWDSEC_ENROLL_KEY }}
 
 jobs: 
   terraform-apply:
@@ -63,6 +64,7 @@ jobs:
           SLACK_WEBHOOK: ${{ env.SLACK_WEBHOOK }}
           TAILSCALE_CLIENT_ID: ${{ env.TAILSCALE_CLIENT_ID }}
           TAILSCALE_CLIENT_SECRET: ${{ env.TAILSCALE_CLIENT_SECRET }}
+          CROWDSEC_ENROLL_KEY: ${{ env.CROWDSEC_ENROLL_KEY }}
 
       - name: Prepare Slack Notification
         if: always()

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -1,3 +1,6 @@
+# The pipeline can have failed steps marked as successful by using continue-on-error: true. 
+# If needed, I just went with the default setting for the sake of simplicity and used the always() condition to ensure that any step runs regardless of the outcome of the previous steps.
+
 name: Test Pipeline
 
 on:
@@ -11,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Test Application
     outputs:
-      message: "Bandit Security Linting: ${{ steps.bandit.outcome }}\nTrufflehog Leaked Secret Scanning: ${{ steps.trufflehog.outcome }}\nGrype Container Vulnerability Scanning: ${{ steps.grype.outcome }}\nApplication Tests: ${{ steps.tests.outcome }}"
+      message: "Bandit Security Linting: ${{ steps.bandit.outcome }}\nTrufflehog Leaked Secret Scanning: ${{ steps.trufflehog.outcome }}\nGrype Container Vulnerability Scanning: ${{ steps.grype.outcome }}\nApplication Tests: ${{ steps.tests.outcome }}\nFlake8 Linting: ${{ steps.lint.outcome }}"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -62,6 +65,11 @@ jobs:
         if: always()
         run: make run
 
+      - name: Flake8 Linting # I had linting running inside the container as the application uses uvicorn, a server that won't exit if any errors are found and thus the container would not stop running
+        id: lint
+        if: always()
+        run: make lint
+
       - name: Run-Tests
         id: tests
         if: always()

diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 DOCKER_COMPOSE = docker compose
 
-.PHONY: run build test clean
+.PHONY: run build test clean lint
 
 build:
 	@$(DOCKER_COMPOSE) build
@@ -11,5 +11,11 @@ run:
 test:
 	@$(DOCKER_COMPOSE) run --rm app pytest --cov=app --cov-report=term-missing
 
+lint:
+	@echo "Running flake8 for syntax errors and undefined names..."
+	flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+	@echo "Running flake8 with relaxed rules (warnings only)..."
+	flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+
 clean:
 	@$(DOCKER_COMPOSE) down --volumes --remove-orphans
diff --git a/requirements.txt b/requirements.txt
@@ -3,4 +3,5 @@ uvicorn==0.30.5
 pydantic==1.10.10
 pytest==7.4.2
 pytest-cov==4.1.0
-httpx==0.23.0
+httpx==0.23.0
+flake8==7.1.1