Граф коммитов

83 Коммитов

Автор SHA1 Сообщение Дата
Iain Sproat c461397aa2
fix(helm): schema.json now matches values file (#1445)
- small typo fix to values.yaml documentation
2023-03-10 10:39:26 +00:00
Iain Sproat d3b4310672
docs(helm): schematic diagram in mermaid format (#1358)
* docs(helm): schematic diagram in mermaid format
* Clarifies that dependencies can be external or internal to cluster
* Explicitly show namespace containing secrets
2023-02-22 09:40:30 +00:00
Gergő Jedlicska 40a6701799
feat(server): add switchable admin authz override (#1378)
* feat(server): add switchable admin authz override

* fix(server): make sure tests work with the new admin override

* feat(server authz): make sure to add all requested roles to server admins in admin override mode
2023-02-17 16:31:06 +01:00
Iain Sproat 68fd86b754
chore(frontend): use bitnami/openresty as base image for frontend Dockerfile (#1335)
* chore(frontend): use bitnami/openresty as base image for frontend Dockerfile

openresty/openresty was not being patched as frequently as we would like, resulting in numerous
vulnerabilities without resolution. bitnami/openresty is being patched more frequently.

Some additional changes were necessary when porting our frontend between these distributions:
- html files are in /app
- nginx.conf is in /opt/bitnami/openresty/nginx/conf/nginx.conf
- envsubst is not available by default in bitnami/openresty and needs to be copied in
- Nginx.conf - we wrap the server block in http block and overwrite root nginx.conf
    - using the existing bitnami/openresty nginx.conf as a server block alone causes issues with bitnami/openresty, as bitnami/openresty provides a root nginx.conf which conflicts with directives in Speckle's server block
- we copy the directives from openresty/openresty (which are known to work with Speckle's server block), and apply them alongside Speckle's server block. This creates a new root nginx.conf which we can overwrite the default on the image.
- nginx should use a port available to non sudo/root user, we have selected 8080 instead of previous 80
- need to explicitly output nginx logs to stderr / stdout

Created a readonly root file system on Kubernetes. This requires the following changes:
- emptyDir volumes are mounted in kubernetes to allow bitnami/openresty to write to specific locations
- explicitly include and copy mime.types file to nginx configuration directory

Due to the change to non-privileged port number (8080), the following subsequent changes were required:
- Update 1-click deployment script to match frontend at port 8080
- Updates docker-compose-speckle.yaml file

Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
2023-01-25 19:06:48 +00:00
spgoad 38720cecdc
Feature: Add OpenID Connect Generic Authentication Strategy (#1283)
* feat(server): add OIDC auth strategy

Add an OpenID Connect Authentication Strategy for Speckle Server. Enables configuration of
authentication against an OIDC standard compliant identity provider endpoint.

closes specklesystems#1270

Co-authored-by: spencer.goad <spencer.goad@disney.com>
2023-01-09 13:41:50 +00:00
Gergő Jedlicska e6484f6360
gergo/helmDisableFileUpload (#1281)
* style(server): fix formatting

* fix(preview-service): fix chromium deps in Dockerfile

* feat(helm chart): expose file uploads disable flag in the helm chart

* fix(helm chart): value name fix

* fix(helm): its values

* fix(helm chart): fix always disabled file uploads
2022-12-23 15:42:24 +01:00
Gergő Jedlicska 42ce09e651
gergo/helmDisableFileUpload (#1280)
* style(server): fix formatting

* fix(preview-service): fix chromium deps in Dockerfile

* feat(helm chart): expose file uploads disable flag in the helm chart

* fix(helm chart): value name fix

* fix(helm): its values
2022-12-23 14:59:27 +01:00
Gergő Jedlicska cd61b5b40e
gergo/helmDisableFileUpload (#1279)
* style(server): fix formatting

* fix(preview-service): fix chromium deps in Dockerfile

* feat(helm chart): expose file uploads disable flag in the helm chart

* fix(helm chart): value name fix
2022-12-23 14:55:06 +01:00
Gergő Jedlicska 848d65b0a0
gergo/helmDisableFileUpload (#1278)
* style(server): fix formatting

* fix(preview-service): fix chromium deps in Dockerfile

* feat(helm chart): expose file uploads disable flag in the helm chart
2022-12-23 14:50:46 +01:00
Iain Sproat 170e52cf95
fix(helm chart): liveness probe on webhook and fileimport use distroless node path (#1271) 2022-12-14 19:42:05 +00:00
Iain Sproat 96bed71022
fix(logging): Improves error logging and pretty-prints logs during dev & test (#1255)
* Improves error logging
- use pino error logger correctly by passing in error as first argument

* monitor deployment: Filter logging at INFO level and above
* Use structured logging to create parameters for monitoring results
* Add structured logging to obj fileimport service
* Fileimport service, fix and improve logging
    - use child logger with additional context where possible
    - select appropriate logging level
- fix duplicated context in log statement
* REST endpoints, add context to structured logging and remove same context from message
* Webhook service provides context to bound logger to properly use structured logging
    - Pass bound logger containing context to `makeNetworkRequest`
    - do not log url, as it may contain a secret (like Discord's webhook urls), instead log the webhook Id
     - log error message when network call fails
* upload: make better use of structured logging when recording data
* pino-pretty when in dev or test mode
    - pino-pretty configured to send to stderr
* LOG_PRETTY env var
* Silence structured logging during testing
     - can not rely on determining the port number by reading from stdout/stderr
     - instead we determine which port is free, then create our server on that port
     - we then poll that port until the server is ready before commencing tests
* Allow puppeteer to install chromium
* Do not need to install chromium separately
2022-12-13 09:18:28 +00:00
Iain Sproat d1494996a1
fix(server:helm chart): fixes readiness probe for server helm chart, path to node was broken (#1254) 2022-12-08 12:19:57 +00:00
Iain Sproat d09bce7267
feat(docker images): Distroless (#935)
* Moves speckle-server, webhook-service, fileimport-service, monitoring-deployment, and test-deployment images to Distroless.

Partially addresses https://github.com/specklesystems/speckle-server/issues/883

* preview-service uses similar image for building and production stages
* explicitly include chromium-common dependency to prevent error in preview service
* Bump chromium packages due to package versions not being found
* Handle machine-id in distroless
    - distroless has no shell, so node-machine-id will result in an error
    - this commit introduces error handling and defaults to a uuid v4 in the case of an error
* Update binary location for readiness and liveness checks to match the binary location in Distroless
* Allow node binary path to be set as environment variable in fileimport service
2022-12-07 12:07:42 +00:00
Iain Sproat ee50b32b59
chore(node): upgrades to node 18 (#1189)
* chore(node): upgrades to node 18

Node 16 was out of support (but not security upgrades), so bumping to next stable version.

https://github.com/specklesystems/speckle-server/issues/1187

* Update server liveness and readiness probes for node 18
* Bump web-ifc to 0.0.36
* Apply `--no-experimental-fetch` flag to fileimport-service to prevent issues in web-ifc (via emscripten) with node 18
2022-12-06 12:57:48 +00:00
Iain Sproat 4d01e13a84
feat(structured logging) (#1242)
* Revert "Revert structured logging 2 (#1240)"
This reverts commit 78ecaeffcb.
* Logging should not be bundled into core shared directory
* making sure observability stuff isnt bundled into frontend


Co-authored-by: Kristaps Fabians Geikins <fabis94@live.com>
2022-12-06 11:51:18 +00:00
Iain Sproat 78ecaeffcb
Revert structured logging 2 (#1240)
* Revert "'@' shortcut must come after it is configured in bootstrap (#1239)"

This reverts commit 967329473f.

* Revert "Structured logging (attempt 2) (#1234)"

This reverts commit 444d2ca7dd.
2022-12-05 15:46:09 +00:00
Iain Sproat 444d2ca7dd
Structured logging (attempt 2) (#1234)
* Revert "Revert "feat(structured logging): implements structured logging for backend (#1217)" (#1227)"

This reverts commit 63e6581162.

* Use pino-http instead of express pino logger
* Use correct reference to knex and do not instantiate HttpLogger prematurely
* Adds missing dependency for pino to webhook-service
* Do not instantiate middleware when passed to express
* Refactor to move logging into shared
* Copy shared packages into dockerfiles
* Build shared workspace in docker build-stage for fileimport & webhook
2022-12-05 14:49:52 +00:00
Iain Sproat 63e6581162
Revert "feat(structured logging): implements structured logging for backend (#1217)" (#1227)
This reverts commit 84cb74e8b3.
2022-11-25 16:57:28 +00:00
Iain Sproat 84cb74e8b3
feat(structured logging): implements structured logging for backend (#1217)
* each log line is a json object
* structured logging allows logs to be ingested by machines and the logs to be indexed and queried addresses #1105
* structured logging allows arbitrary properties to be appended to each log line, and ingestion of logs to remain robust
* Structured logging provided by `pino` library
* Add `express-pino-logger` dependency
* Remove `debug`, `morgan`, and `morgan-debug` and replace with structured logging
* `console.log` & `console.error` replaced with structured logging in backend
* Remove `DEBUG` environment variable and replace with `LOG_LEVEL`
- Note that there is a test which reads from a logged line on `stdout`. This is not robust, it would be better to use the childProcess.pid to look up the port number.
* Log errors at points we explicitly send error to Sentry
* Amend indentation of a couple of log messages to align indentation with others
2022-11-25 16:05:05 +00:00
Iain Sproat de9beccd22
Helm test is deployed as a job (#1174)
- this allows it to be identified in alerting more easily
2022-11-02 17:16:53 +00:00
Iain Sproat df250d616d
Fixes broken helm template by adding quotation marks around liveness probe command (#1171) 2022-11-02 10:40:03 +00:00
Iain Sproat 0c99573bc6
Fixes liveness and readiness checks to prevent CSRF error message (#1169)
- provides content-type header
- check that status code is 200
2022-11-02 10:01:19 +00:00
Iain Sproat c59084f4fd
Upgrades redis to 7.0.5 in circleci & DO 1click configuration (#1087)
* Upgrades redis to 7.0.5 in docker-compose & circleci

* Upgrade redis on minikube to 7.0
2022-10-20 12:53:12 +01:00
Iain Sproat 07f7572c9d
fix(helm chart): fileimport should be deployed if s3 configmap is used (#1129)
Fixes bug where fileimport-service was not deployed if an s3 configmap was used, instead of defining
s3 endpoint etc. in helm chart values
2022-10-19 16:43:12 +01:00
Iain Sproat ba71184421
upgrade development contexts to use postgres 14.5 (#1089)
* Upgrade CircleCI configuration to postgres 14.5

* docker-compose-deps upgraded to postgres 14.5

* Upgrade minikube to use postgres 14.5
2022-10-10 12:04:15 +01:00
Iain Sproat df8c6ccc4f
fix(helm chart): networkPolicy supports distinct namespaces for prometheus pod & servicemonitor (#1086)
* fix(helm chart): networkPolicy supports distinct namespaces for prometheus pod & servicemonitor

Network policy did not allow ingress from prometheus if it was deployed in a different namespace
from the servicemonitor. This PR allows the ingress to be configured to match the operator's
requirements.

addresses https://github.com/specklesystems/gitOps/issues/68

* provides additional validation and error output when getting secrets
* Fix for kubernetes network policies using s3 details from ConfigMap
* Remove blocking of 10.0.0.0/8 range as this also prevents access to cloud provider private IPs
* Update values.schema.json
2022-10-07 11:39:50 +01:00
Gergő Jedlicska 393a192940
gergo/emailDigestFixes (#1074)
* feat(server task scheduler): sketch out core task scheduler implementation

* feat(server weekly activity digests): add function lock duration to the weekly digest execution

* feat(server scheduled tasks): add scheduled tasks type definition, db schema and migration

* feat(server scheduled tasks): add scheduled tasks repository

* feat(server task scheduler): add task scheduler service implementation

* chore(server deps): add mocha type definitions

* refactor(server scheduled tasks): refactor scheduled tasks migration

* refactor(server scheduled tasks): refactor scheduled task db schema and type definitions

* feat(server scheduled tasks): implement db side lock acquire

* refactor(server scheduled tasks): refactor task scheduler with lock on query mechanism

* test(server scheduled tasks): add tests for scheduled tasks implementation

* refactor(server weekly activity digests): refactor to new task scheduler implementation

* feat(server weekly activity digest): switch to a 1000 seconds trigger period for testing purposes

* fix(server task scheduler): fix not catching lock acquire function errors

* feat(server weekly digest): switch weekly digest cron trigger to the prod ready value

* fix(nginx configs): fix missing static route proxy to backend

* fix(server email template): fix footer anchor tags not pointing to the right places
2022-10-05 10:09:24 +02:00
Iain Sproat ee7c9f0a0c
feat(helm): s3 configuration can be loaded from configmap (#1048)
* feat(helm): s3 configuration can be loaded from configmap
- Variables for s3's configuration can now be read in from a configmap in the cluster. This allows
deployment tooling, such as Terraform or CloudFormation, to dynamically create an s3 bucket and
create a configmap with the necessary values. This decouples the cluster deployment from the helm
release.
* Update values.schema.json for helm chart
- also include changes from a previous commit that had not been included previously
2022-09-30 10:34:08 +01:00
Iain Sproat 77678ecaa8
feat(helm chart): secrets can be referenced from different kubernetes Secret resources (#1005)
* feat(helm chart): secrets can be referenced from different kubernetes Secret resources

Currently secrets have to be referenced from a single kubernetes Secret resource (default name
'server-vars').  This PR allows each secret to be loaded from a separate kubernetes Secret.  If
values for individual secrets are not provided, it defaults to the previous single kubernetes
resource.  This single kubernetes secret should now be considered deprecated in favour of individual
references.

* Fix error in Redis key

* Fix DNS egress for Redis in CiliumNetworkPolicy

- only give access to optional secrets if the component is enabled

* Values should be empty by default to allow for backwards compatibility
2022-09-21 16:27:05 +02:00
Iain Sproat 9f9f1c381f
Only create configmap for DB certificate if certificate is provided in helm chart (#999)
- otherwise, we should expect the configmap to already be in the namespace
2022-09-09 11:10:46 +01:00
Iain Sproat 23bc801eb0
fix(helm chart): allow egress to auth providers (#970)
* fix(helm chart): allow egress to auth providers
* Increase Azure AD allowlist to match https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud
* Allows customisation of azure AD domains
2022-08-29 12:10:37 +01:00
Iain Sproat 278da16e53
fix(helm chart server kubernetes network policy): update CIDR for Apollo (#968)
Apollo responded to our support question, they confirmed that 34.120.83.176/32 is sufficient for
egress to usage-reporting.api.apollographql.com
2022-08-26 17:05:32 +01:00
Iain Sproat 5aa00784a6
fix(helm chart): allow egress from server to email server (#966)
Network Policies omitted to allow egress to email.  This commit allows egress to email.
2022-08-25 16:00:34 +01:00
Iain Sproat ab0c60ec57
Helm Chart: Network Policies allow server egress to apollo (#965)
* fix(helm chart): allow egress in server Network Policies to Apollo

The Cilium and Kubernetes network policies currently do not allow egress from the server to Apollo
for graphql monitoring.

Kubernetes Network Policies don't allow domain names.  We have an open support ticket with Apollo
Studio to request which CIDR to limit egress to.  Until then, we will need to open egress to
everywhere if a Kubernetes Network Policy is used.
2022-08-25 15:08:25 +01:00
Iain Sproat d6f6a64630
fix(helm chart): remove unnecessary values from helm chart (#964)
* fix(helm chart): remove unused values from helm chart

Previous commit introduced two additional values that are not being used for s3.  This commit
removes them.

* Looks up domain or IP from secret for redis and postgres

- undertakes a kubectl get on the secret.  The user or service account that deploys helm must have permissions to view the secret.
- fix: matchName for domain instead of matchPattern
- fix: typo in protocol

* Only allow monitoring ingress if monitoring is enabled

* Port can be determine from the provided secret
 - updates values.yaml to only require port for postgres and redis for inCluster endpoints
2022-08-25 10:36:15 +02:00
Iain Sproat b61f0ffabe
Cilium network policies (#954)
* feat(helm chart): deployes Cilium Network Policies when configured

Cilium Network Policies provide more features over regular Kubernetes Network Policies, but Cilium
is not available everywhere.  When selected by an operator, Cilium Network Policies will be deployed
instead of Kubernetes Network Policies.

Fixes https://github.com/specklesystems/speckle-server/issues/913

* Cilium Network Policy for fileimport service.
* tested only for external host.
* Still to test internal pod and external IP.

* Cilium network policy for file import service restricts DNS

* allows egress to service instead of endpoint
* file import service uses service url of speckle-server
* helper functions for server and dns

* DRY the prometheus selector

* CiliumNetworkPolicy for frontend

* CiliumNetworkPolicy for monitoring service

* CiliumNetworkPolicy for preview service

* CiliumNetworkPolicy for test

* CiliumNetworkPolicy for webhook_service

* CiliumNetworkPolicy for Server

* Test should egress to domain, not internally

* Test should be in tests directory to match Helm convention for tests
* Test should explicitly deny ingress from everywhere

* Server needs to egress to canonical domain (i.e. itself)

- DNS and egress for canonical domain added to Server
- As Test also egresses via canonical domain to access Server, we do not require the intra-cluster ingress to the server from the test pod
- Explicitly deny all egress from frontend

* WIP update to schema.json

* Breaking Change: inCluster network policies supported for cilium

* Breaking change: kubernetes network policy podSelector and namespaceSelector are now at a different level
* Updates schema.json

* add notes to remove egress once bug is fixed
2022-08-24 17:25:08 +02:00
Iain Sproat 56d0d54bca
refactor(helm chart): explicitly define the deployment rollout strategy (#963)
Partially addresses https://github.com/specklesystems/speckle-server/issues/925
2022-08-24 17:21:01 +02:00
Iain Sproat 49fdd818ce
docs(helm chart): values.yaml is documented and json.schema provided (#932)
* docs(helm chart): values.yaml is documented and json.schema provided

Helm Chart values.yaml file is documented with inline comments.  These have been used to generate a
README (in the helm repo) and a values.json.schema file.

fixes https://github.com/specklesystems/speckle-server/issues/887
fixes https://github.com/specklesystems/speckle-server/issues/867
2022-08-16 14:41:34 +01:00
Iain Sproat ca1a612a29
feat(helm chart): serviceAccounts are provided for each service (#922)
ServiceAccounts for each service do not mount service account token (which allows access to the
kubernetes API), and limit the secrets each user of the service account has access to.

Fixes https://github.com/specklesystems/speckle-server/issues/859
2022-08-15 16:24:34 +01:00
Iain Sproat 35e2652714
feat(helm chart): node affinities, tolerations etc. are configurable (#926)
* feat(helm chart): node affinities, tolerations etc. are configurable

Kubernetes operators should be able to configure Speckle to be deployed on certain nodes based on
rules they provide.  This commit allows affinity, nodeSelector, tolerations, and
topologySpreadConstrains to be provided by the operator.

fixes https://github.com/specklesystems/speckle-server/issues/861
2022-08-15 16:04:50 +01:00
Iain Sproat da7dafe819
fix(fileimport service): s3 is not required by fileimport service (#924)
Fileimport service retreives blobs via the server storage API, and not directly from s3.  Fileimport
service no longer requires information or credentials about s3.
2022-08-15 15:49:10 +01:00
Iain Sproat 19b59fa4d8
fix(frontend): frontend revert security context to prior permissions (#929)
Frontend could not chown within a rw emptyDir
2022-08-15 14:56:26 +01:00
Iain Sproat 5972e6b42a
fix(frontend): frontend currently cannot run as non-root (#928)
Nginx needs to bind to port 80 which requires root permissions
2022-08-15 15:13:44 +02:00
Peter Grainger 72d27b9a7c
Allow save object to S3 in different region (#910)
* Allow save object to S3 in different region

* feat(helm & docker-compose): adds S3_REGION to helm chart & docker-compose

Explicitly adding the environment variable to deployment configuration files provides system operators with documentation of its existence.

Set to empty by default, which will result in the default value being used.

Co-authored-by: Iain Sproat <68657+iainsproat@users.noreply.github.com>
2022-08-15 14:24:30 +02:00
Iain Sproat 0084102d0d
feat(helm chart): network policies are provided for all services (#909)
* feat(helm chart): network policies are provided for all services

Network policies are used to deny arbitrary egress and ingress to a pod, providing more security
hardening.

Fix https://github.com/specklesystems/speckle-server/issues/860

* NetworkPolicies for remaining services

* Network policies are configurable but enabled by default

* fix to naming

* Use named port

* Helper function for defining redis egress

* Network policy is more tightly defined to port for service if fqdn

* if an IP is provided for redis, postgres, or blob storage, egress is limited to that IP

* Note about limitations

* Simplifies networkpolicy logic by requiring variables to be provided in values.yaml

* default disable networkpolicy, otherwise end users will have to provide all the additional values and that could become confusing
* supports dependencies being deployed within the same cluster

* Disable network policies by default

* Ensure the host name does not contain a port

* Exclude (likely) kubernetes IP ranges from allowed egress

* Add explicit ingress to the server from fileimport and test

* disable test networkpolicy if test is disabled

* Allow egress to sentry
* remove access to s3 from preview service
* remove access to redis from fileimport service

* Allow prometheus ingress to metrics endpoints

* tightens ingress by restricting to the prometheus pod in a single namespace

* Limit ingress on the server to the nginx ingress controller and prometheus

* Limit ingress to frontend to just the nginx ingress controller

* Fileimport does not require s3
2022-08-15 14:23:14 +02:00
Iain Sproat fb5631bd32
feat(helm chart): prometheus monitoring namespace and release name should be configurable (#914)
* feat(helm chart): prometheus monitoring namespace and release name should be configurable

Currently Speckle assumes prometheus is deployed in the 'speckle' namespace and is deployed as a
release named 'kube-prometheus-stack'.  This commit introduces non-breaking changes that allow
custom values for these to be provided, defaulting to the current assumed values if they are not
provided.

fixes https://github.com/specklesystems/speckle-server/issues/863

* Fix serviceMonitor so that it can find services in a different namespace

* Namespace selector is not required if the default namespace is being used
2022-08-15 14:21:01 +02:00
Iain Sproat 65a00dca2e
feat(helm chart): add SecurityContext to pods and containers (#917)
* feat(helm chart): add SecurityContext to pods and containers

Speckle pods should run with minimal privileges and capabilities to function.

Fix https://github.com/specklesystems/speckle-server/issues/857

* Update securityContext for all pods

* frontend runs as nonroot and readonly root filesystem

- set fsgroup for all pods with volumes

* Frontend requires write directory at /etc/nginx/conf.d

* Allow openresty log directory to be writable

* feat(helm local test): add test container into the make script

Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
2022-08-15 14:20:19 +02:00
Iain Sproat 81bed0c760
style: at newlines at end of files (#893) 2022-08-08 11:06:56 +02:00
Iain Sproat 3eaf72f830
refactor(helm chart): DRY common labels (#884)
* refactor(helm chart): dRY for some labels

* Metadata for Chart.yaml

* refactor(helm chart): dRY using common selector labels

Able to remove `app` and `project` labels from each template and incorporate into definitions
2022-08-08 11:05:22 +02:00
Iain Sproat 80d9aa0e9f
refactor(helm chart): use named ports where possible (#898) 2022-08-08 11:03:57 +02:00