# 2022.04 Release

This release brings exciting quality of life updates, cracks down on more security vulnerabilities, and brings our Java framework support up to a consistent level across both Spring Boot and Micronaut.
## Develop

### Apple Silicon Support

All our underlying build dependencies (namely the docker fabric8 plugin) have been updated to support building under Apple Silicon (ARM) devices.

### Micronaut V3

The latest Micronaut v3 tiles + libraries have been updated to include full Java 17 language support.

Included composites have been updated to use the new Micronaut compiler 3.4+ tooling, and the underlying jackson-databind library has been updated to address several recent CVEs.

### Sonar

`practiv-audit-sonar`

The Sonar tile has been updated to include the latest Sonar plugin.
### Spring Boot

Spring Boot tiles have been brought in line with the latest functionality introduced through the Micronaut updates. Namely:

- Application config and secrets are now resolved through `src/main/config/application.yaml` and `src/main/secret/application.yaml`.
- This will result in a K8s friendly `config.yaml` and `secret.yaml` being produced containing the respective properties. These will be mounted and accessible to your container through the latest `practiv-tile-deploy-springboot` tile. There is no longer any need to manage your own `secret.template` file with this method.
- The standard JIB library is now used to create the docker image from Java dependencies.
- The app is bootstrapped in a docker container at build time, ensuring the container comes up.
- General updates, and Datadog support.
## Build

### Stricter on CVEs

- `chalk-dockerfile`
- `chalk-dockerfile-application`
- `basalt-eksctl-bats`
- `basalt-trivy`

Across the board we've upgraded our tiles to enforce a failure threshold of `medium` for detected CVEs.

Additionally, the base `chalk-dockerfile` tileset has been upgraded to include Trivy scanning by default.

Specific CVEs can still be ignored, if required, by listing them in a `.trivyignore` file in the project root directory.

### Base image upgrades

We've upgraded all the base images included under `basalt-*` with the latest base images available to address several new vulnerabilities.
### OAuth Proxy upgrades

Version **3.1**

- Use alpine:1.15
- Use oauth2-proxy:7.2.1

The corresponding `practiv-run-oauth-proxy` tile has also been upgraded to support the new Ingress definitions mentioned below, as well as these base image upgrades.

**BREAKING CHANGES**

We've bumped the major version of the oauth proxy to account for the upstream base application changes. See https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0

### Jenkins

The Practiv Build Jenkins system has been upgraded to use 2.337. See the Jenkins security advisory: https://www.jenkins.io/security/advisory/2022-02-09/

### Nexus

Nexus has been upgraded to version 3.38, which addresses several CVEs.
### Overridable secret names

`practiv-tile-kubernetes-secrets`

We've updated this tile so that the default secret content no longer causes secret churn due to an ever-changing version, and each entry now documents what it is for inside the entry itself.

The secret name can now be overridden, so that non-standard projects can still leverage this tooling without being forced to create a redundant boilerplate secret: `tile-kubernetes-secrets.secret.name` can be set to an alternative name as needed.
## Run

### Environments

The `chalk-environment` tileset has been upgraded to version v22. This change introduces some much awaited support for the new Kubernetes Ingress API [networking.k8s.io/v1](http://networking.k8s.io/v1), which has been made stable in Kubernetes 1.19+.

#### Breaking change

If on Kubernetes 1.22+, support for the beta Ingress API has been dropped. Ingress definitions need to be updated to use [networking.k8s.io/v1](http://networking.k8s.io/v1) in order to be valid.

Leveraging the latest Practiv tilesets should manage this change for you. However, if you are managing your own ingresses you will need to manually switch to the new API definition; thankfully, the specification changes are quite minor:
https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.1.1

If using the tile `practiv-tile-deploy-ingress` directly instead of the aggregate, then it can be upgraded to bring in the new Ingress templating.
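As an added example (not code from the Practiv tilesets), the script below applies the v1beta1 to v1 specification changes to an Ingress manifest held as a plain dict, as a YAML loader would return it, so no third-party library is needed: the apiVersion, the renamed default backend, the service-based backend form, and the now-required pathType. The sample manifest is constructed.

```python
# Added example, not part of the Practiv tiles: apply the v1beta1 -> v1 Ingress spec changes
# to a manifest held as a plain dict (what a YAML loader returns). Sample data is constructed.
import copy

DEPRECATED_API_VERSIONS = {"extensions/v1beta1", "networking.k8s.io/v1beta1"}


def convert_backend(backend):
    """Map the beta {serviceName, servicePort} backend to the v1 {service: {...}} form."""
    if "service" in backend:  # already in v1 form
        return copy.deepcopy(backend)
    port = backend["servicePort"]
    port_key = "number" if isinstance(port, int) else "name"
    return {"service": {"name": backend["serviceName"], "port": {port_key: port}}}


def convert_ingress(manifest, default_path_type="ImplementationSpecific"):
    """Return a v1 copy of an Ingress manifest (non-deprecated manifests are copied as-is).

    v1 requires pathType on every path; ImplementationSpecific preserves the beta
    behaviour for paths that had none, while "Prefix"/"Exact" tighten matching."""
    if manifest.get("kind") != "Ingress":
        raise ValueError("convert_ingress expects an Ingress manifest")
    out = copy.deepcopy(manifest)
    if out.get("apiVersion") not in DEPRECATED_API_VERSIONS:
        return out
    out["apiVersion"] = "networking.k8s.io/v1"
    spec = out.setdefault("spec", {})
    if "backend" in spec:  # spec.backend was renamed to spec.defaultBackend in v1
        spec["defaultBackend"] = convert_backend(spec.pop("backend"))
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            path.setdefault("pathType", default_path_type)
            path["backend"] = convert_backend(path["backend"])
    return out


# Constructed sample: a beta-API Ingress with a named default backend and one rule.
LEGACY_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "example-app", "namespace": "demo"},
    "spec": {
        "backend": {"serviceName": "fallback", "servicePort": "http"},
        "rules": [{"host": "app.example.test", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "example-app", "servicePort": 8080}},
        ]}}],
    },
}
```

Annotations and TLS sections are copied through unchanged; diff the converted manifest against the original before applying it to a 1.22+ cluster.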
### Run platform

A bunch of improvements have been made to run platform functionality this quarter:

- Ingress templating has been moved to `apiVersion: networking.k8s.io/v1`
- Scripts have been added to identify jobs in different states and remove them as needed
- Improved readability and debuggability
- Working files are persisted after a deployment so they can be analysed in a read-only fashion
### Platform Tilesets

- `chalk-run-platform-eks`
- `chalk-run-platform-eks-without-efs`
- `chalk-run-platform-gke`

#### Allow for the default issuer to be configured

This change allows for the possibility of setting the default issuer name and kind if rolling a custom definition is desired rather than one of the prepackaged ones.

The default configuration is the same as before but can be overridden by setting the properties below in your run-platform project:

```properties
practiv-run-certmanager.defaultIssuerName=practiv-run-issuer-v3
practiv-run-certmanager.defaultIssuerKind=Issuer
```

#### practiv-run-aws-eks-connector

A breaking change to the kube-system manifest handling was made, and this new version supports that new standard.

#### practiv-run-certmanager

A number of changes to the cert manager, including:

- Big update from 0.13 to 1.5
- Default issuer is now configurable
- Injector has resource limits to ensure EKS will not remove any pods
- ca-injector memory is now overridable
## Infrastructure

### Latest Terraform and AWS Provider

`basalt-terraform`

- AWS Provider 4.2.0. Change notes: https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#420-february-18-2022
- Terraform 1.1.6. Change notes: https://github.com/hashicorp/terraform/blob/v1.1/CHANGELOG.md#116-february-16-2022