2022.07 Release

Develop

Local Environment Seed Support

A key part of the Practiv philosophy is ’everything-as-code’ - that is, everything we do should ideally have a place it lives within source control, and this includes our local developer environments.

We’ve been working on leveraging the same RUN platform systems to run a full application stack locally within Kubernetes natively. There has been some awesome success battle testing this in an Enterprise development environment, where we can run an end-to-end banking system almost entirely on our laptops!

Through this support, engineers can collaborate on their perfect local environment, optionally mocking the out-of-scope boundaries, and then deploying the same application artifacts they deploy to a live environment.

Developers can then hot-deploy in-development code directly into their Kubernetes cluster to get immediate end-to-end assurance around how that code may affect the wider environment, before even committing any code.

We’re about at the point where we’re ready to make this more general purpose and available to everyone. Over the next few months we will be cutting out some of the boilerplate that we can automate, as well as documenting the process and providing ‘getting started’ guides.

Watch this space!

Micronaut V3 updates

Tileset: chalk-micronaut-v3

Trivy scanning is now run by default on the chalk-micronaut-v3 tileset. Builds will now report on any detected vulnerabilities without having to include additional configuration or tiles.

The default base image is now the Alpine release of OpenJDK 17.

Additionally, the user the application runs as within the container is now configurable with the property:

<tile-deploy.runAsUser>newuser</tile-deploy.runAsUser>

The application by default will run as nobody.

The service port and HTTP scheme are now configurable with the following properties:

<tile-deploy.servicePort>1832</tile-deploy.servicePort>
<tile-deploy.scheme>HTTP</tile-deploy.scheme>

SpringBoot updates

practiv-tile-deploy-springboot

Health-check and liveness probe templating is now bound to separate paths that share the same default. This allows downstream consumers to configure each one independently without having to completely override the deployment specification.

Build

Docker

practiv-tile-docker

Capability has been added to include a binary file directly from source, as opposed to only as a build output. Binaries placed under src/main/binaries are copied into the root directory of the image as usual.

Further Apple Silicon upgrades

A few dependencies were missed in the last round of updates, and have been added in this round.

Trivy scanning

We’ve upgraded to the latest Trivy version 0.28.1 which includes a host of new features and bugfixes.

Kube CTL + EKS CTL updates

chalk-cluster-eks basalt-eksctl

The basalt-kubectl image is now used as the base, reducing what is needed to download/install in this image and ensuring consistency between the two going forward.

Additionally:

  • New docker build tooling resulting in a more compact image
  • Cleaner Dockerfile
  • Updated EKS CTL to 0.102.0
  • Updated Kubectl to 1.22.6 via basalt-kubectl 6.1+
  • Updated Alpine to 3.16.0
  • Updated aws-iam-authenticator to 1.21.2

Across the board, log output is now much more verbose so that what is going on is visible.

OAuth Proxy

basalt-oauth-proxy

Updated to version 7.3.0.

Jenkins Upgrades

practiv-build-jenkins-plugins

Jenkins has been upgraded to 2.337.

Standardised Maven Builds with Secrets

mavenBuildWithSecretFile('some-artifact.secret-template-id')

Sometimes you want to do something after the build; for that, a custom pipeline script block can be passed as a closure:

mavenBuildWithSecretFile('some-artifact.secret-template-id') {
    sh 'echo Hello Nested Block'
}

Cyclone DX tooling added for Node/Javascript projects

practiv-build-maven

CycloneDX enables the output of a software bill of materials, including licence usage information.

Nexus

practiv-build-nexus

  • Ingresses updated to use the Kubernetes 1.22+ format
  • OAuth Proxy is now required by default
  • Persistent volume claim is now included
  • Change of configuration variables means this package now supports both GHE and github.com

Run

Environment

Tilesets: chalk-environment chalk-run-platform-eks

Tiles: practiv-run-scripts

Improvements

Improved build console output, removed a deprecated script, and fixed various subtle things.

Use practiv-run-ingress v12 for Permissions-Policy header

Version 12 of the practiv-run-ingress implements the Permissions-Policy header with the OWASP best practice settings.

These can be overridden at deployment time, as the header is controlled by a variable called practiv-run-ingress.add-header-permissions-policy.

On the run system side of things:

  • Removed the deprecated configure-cksum script, which only warned and called prepare-image
  • Improved the output of the env-build-time prepare-image script and its children
  • Announced the main deployment start/end in chat; this was previously conspicuously missing between two other notifications

Fixed a critical bug where:

  • patches of all types were not applied
  • configs were not checksummed/validated
  • secrets were not checksummed/validated
  • jobs were not checksummed/validated
  • resources were not tallied up

Kubernetes updates

Prior to the previous version there were no secrets in use in kube-system, so the build never failed on them being missing. Now the full set of secrets is copied to the kube-system env as well as the run platform env, so that they can be properly checked at build time and used at run time. Additionally, kube-system project tiles used to dump their output directly into the pick-up path for the docker build, resulting in only one filter pass with default delimiters. Those will continue to work, but anything with a double replacement will now work correctly too.

The image-pull-secret for the kube-system namespace is now also included by default, for the first time. This has been manually worked around for each cluster in the past, but going forward it will be automatic and correct.

New multi-build run-scripts

Prior to this version, run scripts only fully processed the named environment at build time, not any others that may be present in the image. Now all are processed equally at build time. This change has no effect on normal environment builds, which only have one.

Ingress

The Permissions-Policy header is now configurable, as mentioned above, so that it can be set to the OWASP best practice value found here.
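As an added example for the Permissions-Policy header discussed here and in the Environment section above (not code from the practiv-run-ingress tile or this release), the following Python script parses a Permissions-Policy header value and reports which of a set of sensitive browser features the policy still leaves usable by any origin, which is a quick way to check what the practiv-run-ingress.add-header-permissions-policy variable actually emits. The sample header value and the feature list are constructed for the example; the OWASP value the notes refer to is not reproduced here.

```python
"""Parse a Permissions-Policy response header and flag sensitive features
that the policy leaves enabled. Added example, not part of practiv-run-ingress."""
import re

# Features worth locking down on a typical backend service. This list is an
# assumption for the example, not the OWASP recommendation the notes mention.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")

# One directive: feature=(allowlist) | feature=* | feature=self
_DIRECTIVE = re.compile(r"\s*([a-z][a-z0-9-]*)\s*=\s*(\(([^)]*)\)|\*|self)\s*$")


def parse_permissions_policy(header: str) -> dict[str, list[str]]:
    """Return {feature: allowlist}. An empty list means the feature is disabled
    for every origin, ['*'] means any origin, ['self'] means same origin only;
    quoted origins are returned with their quotes stripped."""
    policy: dict[str, list[str]] = {}
    for item in header.split(","):
        if not item.strip():
            continue
        match = _DIRECTIVE.match(item)
        if not match:
            raise ValueError(f"malformed directive: {item!r}")
        feature, raw = match.group(1), match.group(2)
        if raw == "*":
            allow = ["*"]
        elif raw == "self":
            allow = ["self"]
        else:
            allow = [tok.strip('"') for tok in match.group(3).split()]
        policy[feature] = allow
    return policy


def unrestricted_features(header: str, features=SENSITIVE_FEATURES) -> list[str]:
    """Features that the header leaves usable beyond the service's own origin:
    either not mentioned at all (so the browser default applies) or explicitly
    allowed for '*'. An empty header therefore flags every feature."""
    policy = parse_permissions_policy(header)
    return [f for f in features if f not in policy or "*" in policy[f]]


# Constructed sample header value for the example (not the tile's default).
SAMPLE_HEADER = 'camera=(), microphone=(), geolocation=(self "https://maps.example"), payment=*'

if __name__ == "__main__":
    print(parse_permissions_policy(SAMPLE_HEADER))
    print("left unrestricted:", unrestricted_features(SAMPLE_HEADER))
```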

Datadog Agent

practiv-run-datadog-agent

Upgraded to a much newer version of the Datadog agent for Kubernetes, with many more features and a better, more reliable process for upgrading to newer versions in the future.

OAuth Proxy

practiv-run-oauth-proxy practiv-run-oauth-proxy-github

The subdomain/context for this OAuth proxy is now controlled by a property unique to it.

Infrastructure

basalt-terraform-aws

AWS Provider upgraded to 4.15.1.
Terraform upgraded to 1.2.1.