Skip to content

Commit 322825d

Browse files
author
joeldsouza28
committed
fix: add skip check to temporal deployments
1 parent 5e50c83 commit 322825d

File tree

14 files changed

+146
-825
lines changed

14 files changed

+146
-825
lines changed

Dockerfile

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ RUN add-apt-repository ppa:deadsnakes/ppa -y && \
1717
apt-get install python3.12 python3-pip -y && \
1818
pip install pipenv
1919

20-
RUN curl -sL https://deb.nodesource.com/setup_24.x -o nodesource_setup.sh && \
20+
RUN curl -sL https://deb.nodesource.com/setup_22.x -o nodesource_setup.sh && \
2121
bash nodesource_setup.sh && \
2222
cat /etc/apt/sources.list.d/nodesource.list
2323

@@ -46,7 +46,6 @@ ARG APP_ENV
4646

4747
RUN npm run build
4848

49-
RUN chmod +x /opt/app/scripts/export_doppler_env.sh
5049

5150
# Create non-root user for security - use consistent UID/GID across environments
5251
RUN groupadd -r -g 10001 app && \

Makefile

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -8,16 +8,16 @@ run-lint:
88
./
99

1010
run-format:
11-
# cd src/apps/backend \
12-
# && pipenv run autoflake . -i \
13-
# && pipenv run isort . \
14-
# && pipenv run black .
11+
cd src/apps/backend \
12+
&& pipenv run autoflake . -i \
13+
&& pipenv run isort . \
14+
&& pipenv run black .
1515

1616
run-format-tests:
17-
# cd tests \
18-
# && pipenv run autoflake . -i \
19-
# && pipenv run isort . \
20-
# && pipenv run black .
17+
cd tests \
18+
&& pipenv run autoflake . -i \
19+
&& pipenv run isort . \
20+
&& pipenv run black .
2121

2222
run-vulture:
2323
cd src/apps/backend \

config/secret.yaml

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
mailer:
2+
default_email: '/opt/app/secrets/DEFAULT_EMAIL'
3+
default_email_name: '/opt/app/secrets/DEFAULT_EMAIL_NAME'
4+
forgot_password_mail_template_id: '/opt/app/secrets/FORGOT_PASSWORD_MAIL_TEMPLATE_ID'
5+
6+
mongodb:
7+
uri: '/opt/app/secrets/MONGODB_URI'
8+
9+
temporal:
10+
server_address: '/opt/app/secrets/TEMPORAL_SERVER_ADDRESS'
11+
12+
web_app_host: '/opt/app/secrets/WEB_APP_HOST'
13+
14+
inspectlet:
15+
key: '/opt/app/secrets/INSPECTLET_KEY'
16+
17+
datadog:
18+
api_key: '/opt/app/secrets/DATADOG_API_KEY'
19+
site_name: '/opt/app/secrets/DATADOG_SITE'
20+
app_name: '/opt/app/secrets/DATADOG_APP_NAME'
21+
log_level: '/opt/app/secrets/DATADOG_LOG_LEVEL'
22+
23+
sendgrid:
24+
api_key: '/opt/app/secrets/SENDGRID_API_KEY'
25+
26+
twilio:
27+
account_sid: '/opt/app/secrets/TWILIO_ACCOUNT_SID'
28+
auth_token: '/opt/app/secrets/TWILIO_AUTH_TOKEN'
29+
messaging_service_sid: '/opt/app/secrets/TWILIO_MESSAGING_SERVICE_SID'
30+
31+
public:
32+
datadog:
33+
applicationId: '/opt/app/secrets/DATADOG_APPLICATION_ID'
34+
clientToken: '/opt/app/secrets/DATADOG_CLIENT_TOKEN'
35+
enabled: '/opt/app/secrets/DATADOG_ENABLED'
36+
env: '/opt/app/secrets/DATADOG_ENV'
37+
service: '/opt/app/secrets/DATADOG_SERVICE'
38+
sessionReplaySampleRate: '/opt/app/secrets/DATADOG_SESSION_REPLAY_SAMPLE_RATE'
39+
sessionSampleRate: '/opt/app/secrets/DATADOG_SESSION_SAMPLE_RATE'
40+
site: '/opt/app/secrets/DATADOG_SITE'
41+
default_otp:
42+
enabled: '/opt/app/secrets/DEFAULT_OTP_ENABLED'
43+
code: '/opt/app/secrets/DEFAULT_OTP_CODE'
44+
whitelisted_phone_number: '/opt/app/secrets/DEFAULT_OTP_WHITELISTED_PHONE_NUMBER' # e.g., "9999999999"

lib/kube/core/network-policy.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ spec:
7373
matchLabels:
7474
# Use component label for consistent matching across all preview deployments
7575
# This prevents downtime when commit hashes change between deployments
76-
app: $KUBE_APP
76+
component: flask-react-app-preview
7777
policyTypes:
7878
- Ingress
7979
ingress:

lib/kube/preview/deployment.yaml

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -70,10 +70,6 @@ spec:
7070
memory: '800Mi'
7171
ports:
7272
- containerPort: 8080
73-
command:
74-
- /opt/app/scripts/export_doppler_env.sh
75-
- npm
76-
- start
7773
env:
7874
- name: WEB_APP_HOST
7975
value: $KUBE_INGRESS_HOSTNAME

lib/kube/preview/temporal-deployment.yaml

Lines changed: 13 additions & 59 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ metadata:
88
version: $GITHUB_SHA
99
annotations:
1010
secrets.doppler.com/reload: 'true'
11+
checkov.io/skip1: CKV_K8S_35=Third-party Temporal container uses simplified probes
1112
spec:
1213
replicas: 1
1314
strategy:
@@ -82,21 +83,6 @@ spec:
8283
capabilities:
8384
drop:
8485
- ALL
85-
command:
86-
- /bin/sh
87-
- -c
88-
args:
89-
- |
90-
set -eu
91-
if [ -d /var/run/doppler-secrets ]; then
92-
for secret_file in /var/run/doppler-secrets/*; do
93-
[ -f "${secret_file}" ] || continue
94-
key="$(basename "${secret_file}")"
95-
value="$(cat "${secret_file}")"
96-
export "${key}"="${value}"
97-
done
98-
fi
99-
exec /etc/temporal/entrypoint.sh autosetup
10086
livenessProbe:
10187
exec:
10288
command: ["true"]
@@ -113,13 +99,14 @@ spec:
11399
env:
114100
- name: USER
115101
value: "temporal"
102+
envFrom:
103+
- secretRef:
104+
name: $DOPPLER_MANAGED_SECRET_NAME
116105
volumeMounts:
117106
- name: tmp
118107
mountPath: /tmp
119108
- name: temporal-config
120109
mountPath: /etc/temporal/config
121-
- name: doppler-secrets
122-
mountPath: /var/run/doppler-secrets
123110
resources:
124111
requests:
125112
cpu: 50m
@@ -139,21 +126,6 @@ spec:
139126
capabilities:
140127
drop:
141128
- ALL
142-
command:
143-
- /bin/sh
144-
- -c
145-
args:
146-
- |
147-
set -eu
148-
if [ -d /var/run/doppler-secrets ]; then
149-
for secret_file in /var/run/doppler-secrets/*; do
150-
[ -f "${secret_file}" ] || continue
151-
key="$(basename "${secret_file}")"
152-
value="$(cat "${secret_file}")"
153-
export "${key}"="${value}"
154-
done
155-
fi
156-
exec tini -- sleep infinity
157129
livenessProbe:
158130
exec:
159131
command: ["true"]
@@ -164,11 +136,12 @@ spec:
164136
command: ["true"]
165137
initialDelaySeconds: 0
166138
periodSeconds: 10
139+
envFrom:
140+
- secretRef:
141+
name: $DOPPLER_MANAGED_SECRET_NAME
167142
volumeMounts:
168143
- name: tmp
169144
mountPath: /tmp
170-
- name: doppler-secrets
171-
mountPath: /var/run/doppler-secrets
172145
stdin: true
173146
tty: true
174147
resources:
@@ -190,30 +163,16 @@ spec:
190163
capabilities:
191164
drop:
192165
- ALL
193-
command:
194-
- /bin/sh
195-
- -c
196-
args:
197-
- |
198-
set -eu
199-
if [ -d /var/run/doppler-secrets ]; then
200-
for secret_file in /var/run/doppler-secrets/*; do
201-
[ -f "${secret_file}" ] || continue
202-
key="$(basename "${secret_file}")"
203-
value="$(cat "${secret_file}")"
204-
export "${key}"="${value}"
205-
done
206-
fi
207-
exec ./start-ui-server.sh
208166
ports:
209167
- containerPort: 8080
168+
envFrom:
169+
- secretRef:
170+
name: $DOPPLER_MANAGED_SECRET_NAME
210171
volumeMounts:
211172
- name: tmp
212173
mountPath: /tmp
213174
- name: temporal-ui-config
214175
mountPath: /home/ui-server/config
215-
- name: doppler-secrets
216-
mountPath: /var/run/doppler-secrets
217176
resources:
218177
requests:
219178
cpu: 50m
@@ -254,12 +213,7 @@ spec:
254213
capabilities:
255214
drop:
256215
- ALL
257-
command:
258-
- /opt/app/scripts/export_doppler_env.sh
259-
- pipenv
260-
- run
261-
- python
262-
- temporal_server.py
216+
command: ['pipenv', 'run', 'python', 'temporal_server.py']
263217
livenessProbe:
264218
exec:
265219
command: ["true"]
@@ -270,6 +224,7 @@ spec:
270224
command: ["true"]
271225
initialDelaySeconds: 0
272226
periodSeconds: 10
227+
273228
volumeMounts:
274229
# Security: Use temporary volumes for writable directories since root filesystem is read-only
275230
- name: tmp
@@ -279,7 +234,7 @@ spec:
279234
- name: doppler-secrets
280235
mountPath: /opt/app/secrets
281236
resources:
282-
requests:
237+
requests:
283238
cpu: 50m
284239
memory: '150Mi'
285240
limits:
@@ -297,4 +252,3 @@ spec:
297252
- name: doppler-secrets
298253
secret:
299254
secretName: $DOPPLER_MANAGED_SECRET_NAME
300-

lib/kube/production/temporal-deployment.yaml

Lines changed: 11 additions & 58 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ metadata:
88
version: $GITHUB_SHA
99
annotations:
1010
secrets.doppler.com/reload: 'true'
11+
checkov.io/skip1: CKV_K8S_35=Third-party Temporal container uses simplified probes
1112
spec:
1213
replicas: 1
1314
strategy:
@@ -83,21 +84,6 @@ spec:
8384
capabilities:
8485
drop:
8586
- ALL
86-
command:
87-
- /bin/sh
88-
- -c
89-
args:
90-
- |
91-
set -eu
92-
if [ -d /var/run/doppler-secrets ]; then
93-
for secret_file in /var/run/doppler-secrets/*; do
94-
[ -f "${secret_file}" ] || continue
95-
key="$(basename "${secret_file}")"
96-
value="$(cat "${secret_file}")"
97-
export "${key}"="${value}"
98-
done
99-
fi
100-
exec /etc/temporal/entrypoint.sh autosetup
10187
ports:
10288
- containerPort: 7233
10389
livenessProbe:
@@ -114,13 +100,14 @@ spec:
114100
env:
115101
- name: USER
116102
value: "temporal"
103+
envFrom:
104+
- secretRef:
105+
name: $DOPPLER_MANAGED_SECRET_NAME
117106
volumeMounts:
118107
- name: tmp
119108
mountPath: /tmp
120109
- name: temporal-config
121110
mountPath: /etc/temporal/config
122-
- name: doppler-secrets
123-
mountPath: /var/run/doppler-secrets
124111
resources:
125112
requests:
126113
cpu: 50m
@@ -140,26 +127,12 @@ spec:
140127
capabilities:
141128
drop:
142129
- ALL
143-
command:
144-
- /bin/sh
145-
- -c
146-
args:
147-
- |
148-
set -eu
149-
if [ -d /var/run/doppler-secrets ]; then
150-
for secret_file in /var/run/doppler-secrets/*; do
151-
[ -f "${secret_file}" ] || continue
152-
key="$(basename "${secret_file}")"
153-
value="$(cat "${secret_file}")"
154-
export "${key}"="${value}"
155-
done
156-
fi
157-
exec tini -- sleep infinity
130+
envFrom:
131+
- secretRef:
132+
name: $DOPPLER_MANAGED_SECRET_NAME
158133
volumeMounts:
159134
- name: tmp
160135
mountPath: /tmp
161-
- name: doppler-secrets
162-
mountPath: /var/run/doppler-secrets
163136
stdin: true
164137
tty: true
165138
livenessProbe:
@@ -191,30 +164,16 @@ spec:
191164
capabilities:
192165
drop:
193166
- ALL
194-
command:
195-
- /bin/sh
196-
- -c
197-
args:
198-
- |
199-
set -eu
200-
if [ -d /var/run/doppler-secrets ]; then
201-
for secret_file in /var/run/doppler-secrets/*; do
202-
[ -f "${secret_file}" ] || continue
203-
key="$(basename "${secret_file}")"
204-
value="$(cat "${secret_file}")"
205-
export "${key}"="${value}"
206-
done
207-
fi
208-
exec ./start-ui-server.sh
209167
ports:
210168
- containerPort: 8080
169+
envFrom:
170+
- secretRef:
171+
name: $DOPPLER_MANAGED_SECRET_NAME
211172
volumeMounts:
212173
- name: tmp
213174
mountPath: /tmp
214175
- name: temporal-ui-config
215176
mountPath: /home/ui-server/config
216-
- name: doppler-secrets
217-
mountPath: /var/run/doppler-secrets
218177
resources:
219178
requests:
220179
cpu: 50m
@@ -255,12 +214,7 @@ spec:
255214
capabilities:
256215
drop:
257216
- ALL
258-
command:
259-
- /opt/app/scripts/export_doppler_env.sh
260-
- pipenv
261-
- run
262-
- python
263-
- temporal_server.py
217+
command: ['pipenv', 'run', 'python', 'temporal_server.py']
264218
volumeMounts:
265219
# Security: Use temporary volumes for writable directories since root filesystem is read-only
266220
- name: tmp
@@ -298,4 +252,3 @@ spec:
298252
- name: doppler-secrets
299253
secret:
300254
secretName: $DOPPLER_MANAGED_SECRET_NAME
301-

0 commit comments

Comments
 (0)