Compare commits
71 Commits
37e89b60af
...
argoworkfl
| Author | SHA1 | Date | |
|---|---|---|---|
| a09f4cfac6 | |||
| 180ac99472 | |||
| 21ecb33115 | |||
| 94246cef76 | |||
| ba85e36d00 | |||
| 66801f88fd | |||
| 381de6eb4c | |||
| 4aca89c574 | |||
| 1c784f564d | |||
| 9ff70abd82 | |||
| 87723301ea | |||
| 25f4b9bb53 | |||
| 2079b73acc | |||
| b6f0bea373 | |||
| 6da24ca2eb | |||
| f0aa20ba2a | |||
| 0037a703ab | |||
| 51d61b129b | |||
| 4601756e17 | |||
| 1bcf7034a6 | |||
| 2ff0ac0c76 | |||
| acbae4aa41 | |||
| 49d7f8a500 | |||
| e32403dd86 | |||
| 64605796b2 | |||
| a652a0bddb | |||
| 30ba18cace | |||
| e297121e93 | |||
| 9e4cc61e30 | |||
| 90dcd19a46 | |||
| a5a9c9ec43 | |||
| a0a9d7d592 | |||
| 7ada42d7f8 | |||
| 2777e73aa2 | |||
| 77884b291d | |||
| c9ffa1c420 | |||
| c99b2be62f | |||
| 239df0af11 | |||
| a44bf142ba | |||
| 3fb4ffd621 | |||
| 9659af1c9a | |||
| a77ec1a6f8 | |||
| 901805bd01 | |||
| 2886274d5e | |||
| 8396169b19 | |||
| 8eb3dbfd59 | |||
| dd248dc0b9 | |||
| c8cd08d7ff | |||
| 0c02c20995 | |||
| 7b12088952 | |||
| 7a411a7148 | |||
| 37ea900325 | |||
| 2a80c733b3 | |||
| 3764970082 | |||
| 76a351710f | |||
| c1f0da4a9c | |||
| eefc952ff0 | |||
| 8c35b3bd8c | |||
| 60011b1c72 | |||
| 859a962c12 | |||
| 0e9df4f859 | |||
| 1554404657 | |||
| 925af7d314 | |||
| fb260a0f6d | |||
| dcd9a39b46 | |||
| 8194e3e9fe | |||
| 0006044ae4 | |||
| 74a58879ce | |||
| d325a52222 | |||
| 546d26ada0 | |||
| acf4b1c26c |
17
Dockerfile
17
Dockerfile
@ -1,5 +1,18 @@
|
||||
FROM python:3.11.7-slim-bookworm
|
||||
FROM python:3.11.7-alpine
|
||||
|
||||
# Wersja i data builda jako build-arg
|
||||
ARG APP_VERSION=unknown
|
||||
ARG BUILD_DATE=unknown
|
||||
|
||||
# Ustawiamy zmienne w ENV, by były dostępne w kontenerze
|
||||
ENV APP_VERSION=$APP_VERSION
|
||||
ENV BUILD_DATE=$BUILD_DATE
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
COPY api .
|
||||
|
||||
RUN apk add --no-cache curl
|
||||
RUN pip install -r requirements.txt
|
||||
CMD python3 app.py
|
||||
|
||||
CMD python3 app.py
|
||||
@ -4,7 +4,8 @@ from flask_jwt_extended import JWTManager
|
||||
from jwt import ExpiredSignatureError
|
||||
from models import db, RevokedToken
|
||||
import os
|
||||
from utils import init_db
|
||||
from tech_views import tech_bp
|
||||
from utils import init_db, wait_for_db
|
||||
from views import user_bp
|
||||
from werkzeug.exceptions import HTTPException
|
||||
|
||||
@ -26,6 +27,7 @@ def create_app(config_name="default"):
|
||||
|
||||
# Blueprints registration
|
||||
app.register_blueprint(user_bp)
|
||||
app.register_blueprint(tech_bp)
|
||||
|
||||
# Database and JWT initialization
|
||||
db.init_app(app)
|
||||
@ -53,6 +55,7 @@ def create_app(config_name="default"):
|
||||
|
||||
# Fill database by initial values (only if we are not testing)
|
||||
with app.app_context():
|
||||
wait_for_db(max_retries=100)
|
||||
db.create_all()
|
||||
if config_name != "testing":
|
||||
init_db()
|
||||
@ -61,5 +64,7 @@ def create_app(config_name="default"):
|
||||
|
||||
# Server start only if we run app directly
|
||||
if __name__ == "__main__":
|
||||
from waitress import serve
|
||||
app = create_app()
|
||||
app.run(host="0.0.0.0")
|
||||
port = os.getenv("APP_PORT", "80")
|
||||
serve(app, host="0.0.0.0", port=port)
|
||||
|
||||
@ -11,4 +11,5 @@ mysql-connector-python==9.2.0
|
||||
python-dotenv==1.0.0
|
||||
SQLAlchemy==2.0.23
|
||||
typing_extensions==4.8.0
|
||||
waitress==3.0.2
|
||||
Werkzeug==3.0.1
|
||||
|
||||
20
api/tech_views.py
Normal file
20
api/tech_views.py
Normal file
@ -0,0 +1,20 @@
|
||||
from flask import Blueprint, jsonify
|
||||
from models import db
|
||||
from sqlalchemy import text
|
||||
from utils import db_ready
|
||||
|
||||
# Blueprint with technical endpoints
|
||||
tech_bp = Blueprint('tech_bp', __name__)
|
||||
|
||||
@tech_bp.route('/health', methods=['GET'])
|
||||
def health_check():
|
||||
"Check if service works and database is functional"
|
||||
try:
|
||||
with db.engine.connect() as connection:
|
||||
connection.execute(text("SELECT 1"))
|
||||
return jsonify(status="healthy"), 200
|
||||
except Exception:
|
||||
if db_ready:
|
||||
return jsonify(status="unhealthy"), 500
|
||||
else:
|
||||
return jsonify(status="starting"), 503
|
||||
@ -1,6 +1,8 @@
|
||||
import pytest
|
||||
from app import create_app
|
||||
from models import db
|
||||
from flask_jwt_extended import create_access_token
|
||||
from models import db, User
|
||||
from werkzeug.security import generate_password_hash
|
||||
|
||||
@pytest.fixture
|
||||
def test_client():
|
||||
@ -13,3 +15,33 @@ def test_client():
|
||||
yield client
|
||||
db.session.remove()
|
||||
db.drop_all()
|
||||
|
||||
@pytest.fixture
|
||||
def test_user():
|
||||
"""Create a new user for testing."""
|
||||
user = User(username="testuser", email="test@example.com", password=generate_password_hash("testpass"), role="User")
|
||||
db.session.add(user)
|
||||
db.session.commit()
|
||||
return user
|
||||
|
||||
@pytest.fixture
|
||||
def test_user2():
|
||||
"""Create a user nr 2 for testing."""
|
||||
user2 = User(username="testuser2", email="test2@example.com", password=generate_password_hash("testpass2"), role="User")
|
||||
db.session.add(user2)
|
||||
db.session.commit()
|
||||
return user2
|
||||
|
||||
@pytest.fixture
|
||||
def test_admin():
|
||||
"""Create a new admin user for testing."""
|
||||
admin = User(username="adminuser", email="admin@example.com", password=generate_password_hash("adminpass"), role="Administrator")
|
||||
db.session.add(admin)
|
||||
db.session.commit()
|
||||
return admin
|
||||
|
||||
def login_test_user(identity):
|
||||
"""Return Bearer auth header for user identified by provided id"""
|
||||
access_token = create_access_token(identity=str(identity))
|
||||
auth_header = {"Authorization": f"Bearer {access_token}"}
|
||||
return auth_header
|
||||
|
||||
@ -1,130 +1,132 @@
|
||||
from conftest import login_test_user
|
||||
import json
|
||||
from models import User, db
|
||||
from flask_jwt_extended import create_access_token
|
||||
from werkzeug.security import generate_password_hash
|
||||
|
||||
def test_create_user(test_client):
|
||||
def test_create_user(test_client, test_user, test_admin):
|
||||
"""New user registration test"""
|
||||
|
||||
# Anonymous try to create common user
|
||||
test_user_data = {"username": "testuser", "email": "test@example.com", "password": "testpass", "role": "User"}
|
||||
test_user_data = {"username": "test", "email": "testemail@example.com", "password": "testpassword", "role": "User"}
|
||||
response = test_client.post("/users", data=json.dumps(test_user_data), content_type="application/json")
|
||||
assert response.status_code == 201 # User should be created successfully
|
||||
assert response.status_code == 201, "Each should can register in the service"
|
||||
data = response.get_json()
|
||||
assert data["username"] == "testuser"
|
||||
assert data["username"] == "test"
|
||||
|
||||
# Anonymous try to create admin user
|
||||
admin_user_data = {"username": "testadmin", "email": "testadmin@example.com", "password": "adminpass", "role": "Administrator"}
|
||||
response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json")
|
||||
assert response.status_code == 401 # Anonymous cannot create admin users
|
||||
assert response.status_code == 401, "Anonymous should cannot create admin users"
|
||||
|
||||
# Login common user and try to create admin user
|
||||
access_token = create_access_token(identity='1')
|
||||
headers = {"Authorization": f"Bearer {access_token}"}
|
||||
headers = login_test_user(test_user.id)
|
||||
response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers)
|
||||
assert response.status_code == 403 # Common user cannot create admin users
|
||||
assert response.status_code == 403, "Common user should cannot create admin users"
|
||||
|
||||
# Try to create admin user using admin account
|
||||
hashed_pass = generate_password_hash("adminpass")
|
||||
user = User(username="admin", email="admin@example.com", password=hashed_pass, role="Administrator")
|
||||
db.session.add(user)
|
||||
db.session.commit()
|
||||
access_token = create_access_token(identity=str(user.id))
|
||||
headers = {"Authorization": f"Bearer {access_token}"}
|
||||
headers = login_test_user(test_admin.id)
|
||||
response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers)
|
||||
assert response.status_code == 201 # Logged administrators can create new admin users
|
||||
assert response.status_code == 201, "Logged administrators should can create new admin users"
|
||||
|
||||
def test_edit_user(test_client, test_user, test_admin):
|
||||
"User edit test"
|
||||
# Anonymous cannot edit any user
|
||||
admin_data = test_admin.to_dict()
|
||||
response = test_client.patch(f"/users/{test_admin.id}", data=json.dumps({"username": admin_data["username"], "password": "adminpass"}))
|
||||
assert response.status_code == 401
|
||||
|
||||
def test_login(test_client):
|
||||
# Login users (get dict with auth header and merge it with dict with rest of headers)
|
||||
admin_headers = login_test_user(test_admin.id) | {"Content-Type": "application/json"}
|
||||
user_headers = login_test_user(test_user.id) | {"Content-Type": "application/json"}
|
||||
|
||||
# Check if PUT request contains all editable fields
|
||||
response = test_client.put(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=user_headers)
|
||||
assert response.status_code == 400, "PUT request data must have all editable fields"
|
||||
|
||||
# Check if user can edit their own data
|
||||
response = test_client.patch(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=user_headers)
|
||||
assert response.status_code == 200, "Common user should can edit own account data"
|
||||
|
||||
# Check if user cannot edit other user data
|
||||
response = test_client.patch(f"/users/{test_admin.id}", data=json.dumps({"username": admin_data["username"], "password": "adminpass"}), headers=user_headers)
|
||||
assert response.status_code == 403, "Common user should cannot edit other user data"
|
||||
|
||||
# Check if admin can edit other user data
|
||||
response = test_client.patch(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=admin_headers)
|
||||
assert response.status_code == 200, "Admin user should can edit other user data"
|
||||
|
||||
def test_remove_user(test_client, test_user, test_user2, test_admin):
|
||||
"User remove test"
|
||||
# Anonymous try to remove user
|
||||
response = test_client.delete(f"/users/{test_user.id}")
|
||||
assert response.status_code == 401, "Anonymous should cannot remove user account"
|
||||
|
||||
# Logged user try to remove other user account
|
||||
headers = login_test_user(test_user.id)
|
||||
response = test_client.delete(f"/users/{test_admin.id}", headers=headers)
|
||||
assert response.status_code == 403, "Common user should cannot remove other user account"
|
||||
|
||||
# Logged user try to remove own account
|
||||
response = test_client.delete(f"/users/{test_user.id}", headers=headers)
|
||||
assert response.status_code == 200, "Common user should can remove their own account"
|
||||
|
||||
# Logged admin can remove other user account
|
||||
admin_headers = login_test_user(test_admin.id)
|
||||
response = test_client.delete(f"/users/{test_user2.id}", headers=admin_headers)
|
||||
assert response.status_code == 200, "Admin user should can remove other user account"
|
||||
|
||||
def test_login(test_client, test_user):
|
||||
"""User login test"""
|
||||
hashed_pass = generate_password_hash("testpass")
|
||||
user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User")
|
||||
db.session.add(user)
|
||||
db.session.commit()
|
||||
|
||||
response = test_client.post(
|
||||
"/login",
|
||||
data=json.dumps({"username": "testuser", "password": "wrongpass"}),
|
||||
content_type="application/json",
|
||||
)
|
||||
assert response.status_code == 401 # User should not be logged - wrong password
|
||||
assert response.status_code == 401, "User should not become logged if provided wrong password"
|
||||
response = test_client.post(
|
||||
"/login",
|
||||
data=json.dumps({"username": "testuser", "password": "testpass"}),
|
||||
content_type="application/json",
|
||||
)
|
||||
assert response.status_code == 200 # User should be logged - right password
|
||||
assert response.status_code == 200, "User should become logged if provided right password"
|
||||
|
||||
|
||||
def test_get_users(test_client):
|
||||
def test_get_users(test_client, test_user, test_admin):
|
||||
"""Get all users test"""
|
||||
response = test_client.get("/users")
|
||||
assert response.status_code == 401 # Anonymous cannot get all users data
|
||||
assert response.status_code == 401, "Anonymous should cannot get all users data"
|
||||
|
||||
# Common user try to get all users data
|
||||
hashed_pass = generate_password_hash("testpass")
|
||||
user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User")
|
||||
db.session.add(user)
|
||||
db.session.commit()
|
||||
access_token = create_access_token(identity=str(user.id))
|
||||
headers = {"Authorization": f"Bearer {access_token}"}
|
||||
headers = login_test_user(test_user.id)
|
||||
response = test_client.get("/users", headers=headers)
|
||||
assert response.status_code == 403 # Common user cannot get all users data
|
||||
assert response.status_code == 403, "Common user should cannot get all users data"
|
||||
|
||||
# Admin user try to get all users data
|
||||
hashed_pass = generate_password_hash("adminpass")
|
||||
user = User(username="testadmin", email="testadmin@example.com", password=hashed_pass, role="Administrator")
|
||||
db.session.add(user)
|
||||
db.session.commit()
|
||||
access_token = create_access_token(identity=str(user.id))
|
||||
headers = {"Authorization": f"Bearer {access_token}"}
|
||||
headers = login_test_user(test_admin.id)
|
||||
response = test_client.get("/users", headers=headers)
|
||||
assert response.status_code == 200 # Admin user should can get all users data
|
||||
assert response.status_code == 200, "Admin user should be able to get all users data"
|
||||
|
||||
|
||||
def test_get_user_with_token(test_client):
|
||||
def test_get_user_with_token(test_client, test_user, test_admin):
|
||||
"""Test to get user data before and after auth using JWT token"""
|
||||
admin_pass = generate_password_hash("admin_pass")
|
||||
admin = User(username="admin", email="admin@example.com", password=admin_pass, role="Administrator")
|
||||
db.session.add(admin)
|
||||
db.session.commit()
|
||||
response = test_client.get(f"/users/{test_admin.id}")
|
||||
assert response.status_code == 401, "Anonymous should cannot get user data without login"
|
||||
|
||||
response = test_client.get(f"/users/{admin.id}")
|
||||
assert response.status_code == 401 # Try to get user data without login
|
||||
|
||||
access_token = create_access_token(identity=str(admin.id))
|
||||
admin_headers = {"Authorization": f"Bearer {access_token}"}
|
||||
|
||||
response = test_client.get(f"/users/{admin.id}", headers=admin_headers)
|
||||
admin_headers = login_test_user(test_admin.id)
|
||||
response = test_client.get(f"/users/{test_admin.id}", headers=admin_headers)
|
||||
assert response.status_code == 200
|
||||
data = response.get_json()
|
||||
assert data["username"] == "admin"
|
||||
assert data["username"] == "adminuser"
|
||||
|
||||
user_pass = generate_password_hash("test_pass")
|
||||
user = User(username="testuser", email="test@example.com", password=user_pass, role="User")
|
||||
db.session.add(user)
|
||||
db.session.commit()
|
||||
access_token = create_access_token(identity=str(user.id))
|
||||
headers = {"Authorization": f"Bearer {access_token}"}
|
||||
response = test_client.get(f"/users/{user.id}", headers=headers)
|
||||
assert response.status_code == 200 # Common user can get own user data
|
||||
response = test_client.get(f"/users/{admin.id}", headers=headers)
|
||||
assert response.status_code == 403 # Common user cannot get other user data
|
||||
response = test_client.get(f"/users/{user.id}", headers=admin_headers)
|
||||
assert response.status_code == 200 # Admin can access all user data
|
||||
|
||||
|
||||
def test_user_logout(test_client):
|
||||
"""Test if logout work and JWT token is revoked"""
|
||||
hashed_pass = generate_password_hash("testpass")
|
||||
user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User")
|
||||
db.session.add(user)
|
||||
db.session.commit()
|
||||
|
||||
access_token = create_access_token(identity=str(user.id))
|
||||
headers = {"Authorization": f"Bearer {access_token}"}
|
||||
headers = login_test_user(test_user.id)
|
||||
response = test_client.get(f"/users/{test_user.id}", headers=headers)
|
||||
assert response.status_code == 200, "Common user should can get own user data"
|
||||
response = test_client.get(f"/users/{test_admin.id}", headers=headers)
|
||||
assert response.status_code == 403, "Common user should cannot get other user data"
|
||||
response = test_client.get(f"/users/{test_user.id}", headers=admin_headers)
|
||||
assert response.status_code == 200, "Admin should can access all user data"
|
||||
|
||||
def test_user_logout(test_client, test_user):
|
||||
"""Test if logout works and JWT token is revoked"""
|
||||
headers = login_test_user(test_user.id)
|
||||
response = test_client.get(f"/logout", headers=headers)
|
||||
assert response.status_code == 200 # Logged user can logout
|
||||
assert response.status_code == 200, "Logged user should can logout"
|
||||
response = test_client.get(f"/logout", headers=headers)
|
||||
assert response.status_code == 401 # Token should be revoked after logout
|
||||
assert response.status_code == 401, "Token should be revoked after logout"
|
||||
|
||||
29
api/utils.py
29
api/utils.py
@ -2,23 +2,50 @@ from flask import abort
|
||||
from flask_jwt_extended import get_jwt_identity
|
||||
from models import User, db
|
||||
import os
|
||||
from sqlalchemy import text
|
||||
from sqlalchemy.exc import DatabaseError, InterfaceError
|
||||
import time
|
||||
from werkzeug.security import generate_password_hash
|
||||
|
||||
db_ready = False
|
||||
|
||||
def admin_required(user_id, message='Access denied.'):
|
||||
"Check if common user try to make administrative action."
|
||||
user = db.session.get(User, user_id)
|
||||
if user is None or user.role != "Administrator":
|
||||
abort(403, message)
|
||||
|
||||
|
||||
def validate_access(owner_id, message='Access denied.'):
|
||||
# Check if user try to access or edit resource that does not belong to them
|
||||
"Check if user try to access or edit resource that does not belong to them."
|
||||
logged_user_id = int(get_jwt_identity())
|
||||
logged_user_role = db.session.get(User, logged_user_id).role
|
||||
if logged_user_role != "Administrator" and logged_user_id != owner_id:
|
||||
abort(403, message)
|
||||
|
||||
|
||||
def get_user_or_404(user_id):
|
||||
"Get user from database or abort 404"
|
||||
user = db.session.get(User, user_id)
|
||||
if user is None:
|
||||
abort(404, "User not found")
|
||||
return user
|
||||
|
||||
|
||||
def wait_for_db(max_retries):
|
||||
"Try to connect with database <max_retries> times."
|
||||
global db_ready
|
||||
for _ in range(max_retries):
|
||||
try:
|
||||
with db.engine.connect() as connection:
|
||||
connection.execute(text("SELECT 1"))
|
||||
db_ready = True
|
||||
return
|
||||
except DatabaseError | InterfaceError:
|
||||
time.sleep(3)
|
||||
raise Exception("Failed to connect to database.")
|
||||
|
||||
|
||||
def init_db():
|
||||
"""Create default admin account if database is empty"""
|
||||
with db.session.begin():
|
||||
|
||||
20
api/views.py
20
api/views.py
@ -2,7 +2,8 @@ from flask import Blueprint, jsonify, request, abort
|
||||
from flask_jwt_extended import create_access_token, set_access_cookies, jwt_required, \
|
||||
verify_jwt_in_request, get_jwt_identity, unset_jwt_cookies, get_jwt
|
||||
from models import db, RevokedToken, User
|
||||
from utils import admin_required, validate_access
|
||||
import os
|
||||
from utils import admin_required, validate_access, get_user_or_404
|
||||
from werkzeug.security import check_password_hash, generate_password_hash
|
||||
|
||||
user_bp = Blueprint('user_bp', __name__)
|
||||
@ -23,9 +24,7 @@ def get_all_users():
|
||||
@jwt_required()
|
||||
def get_user(user_id):
|
||||
validate_access(user_id) # check if user tries to read other user account details
|
||||
user = db.session.get(User, user_id)
|
||||
if user is None:
|
||||
abort(404, "User not found.")
|
||||
user = get_user_or_404(user_id)
|
||||
return jsonify(user.to_dict())
|
||||
|
||||
|
||||
@ -59,7 +58,7 @@ def edit_user(user_id):
|
||||
if request_fields != editable_fields:
|
||||
abort(400, "Invalid request data structure.")
|
||||
|
||||
user_to_update = User.query.get_or_404(user_id)
|
||||
user_to_update = get_user_or_404(user_id)
|
||||
for field_name in editable_fields:
|
||||
requested_value = request_data.get(field_name)
|
||||
if requested_value is None:
|
||||
@ -75,9 +74,7 @@ def edit_user(user_id):
|
||||
@jwt_required()
|
||||
def remove_user(user_id):
|
||||
validate_access(user_id) # Only admin can remove other users accounts
|
||||
user_to_delete = db.session.get(User, user_id)
|
||||
if user_to_delete is None:
|
||||
abort(404, "User not found.")
|
||||
user_to_delete = get_user_or_404(user_id)
|
||||
db.session.delete(user_to_delete)
|
||||
db.session.commit()
|
||||
return jsonify({"msg": "User removed successfully."})
|
||||
@ -114,3 +111,10 @@ def user_logout():
|
||||
response = jsonify({"msg": "User logged out successfully."})
|
||||
unset_jwt_cookies(response)
|
||||
return response
|
||||
|
||||
@user_bp.route('/version', methods=['GET'])
|
||||
def version():
|
||||
return jsonify({
|
||||
"version": os.getenv("APP_VERSION", "unknown"),
|
||||
"build_time": os.getenv("BUILD_DATE", "unknown")
|
||||
})
|
||||
20
argo-workflows/argo-ingress.yaml
Normal file
20
argo-workflows/argo-ingress.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: argo-ingress
|
||||
namespace: argo
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
rules:
|
||||
- host: argo.marcin00.pl
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: argo-server
|
||||
port:
|
||||
number: 2746
|
||||
23
argo-workflows/argo-workflow-manager-role.yaml
Normal file
23
argo-workflows/argo-workflow-manager-role.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: argo-workflow-manager
|
||||
namespace: argo-events
|
||||
rules:
|
||||
- apiGroups: ["argoproj.io"]
|
||||
resources: ["workflows", "workflowtemplates", "cronworkflows"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: argo-ui-user-read-access
|
||||
namespace: argo-events
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argo-workflow-manager
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argo-ui-user
|
||||
namespace: argo
|
||||
109
argo-workflows/deploy-sensor.yaml
Normal file
109
argo-workflows/deploy-sensor.yaml
Normal file
@ -0,0 +1,109 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Sensor
|
||||
metadata:
|
||||
name: webhook-deploy
|
||||
namespace: argo-events
|
||||
spec:
|
||||
template:
|
||||
serviceAccountName: operate-workflow-sa
|
||||
dependencies:
|
||||
- name: gitea-push
|
||||
eventSourceName: webhook
|
||||
eventName: user-microservice-deploy
|
||||
triggers:
|
||||
- template:
|
||||
name: deploy-user-microservice
|
||||
k8s:
|
||||
operation: create
|
||||
source:
|
||||
resource:
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Workflow
|
||||
metadata:
|
||||
generateName: deploy-user-microservice-
|
||||
spec:
|
||||
entrypoint: main
|
||||
serviceAccountName: operate-workflow-sa
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: workspace
|
||||
spec:
|
||||
accessModes: ["ReadWriteOnce"]
|
||||
resources:
|
||||
requests:
|
||||
storage: 128Mi
|
||||
templates:
|
||||
- name: main
|
||||
steps:
|
||||
- - name: checkout
|
||||
template: checkout
|
||||
- - name: deploy
|
||||
template: deploy
|
||||
|
||||
- name: checkout
|
||||
container:
|
||||
image: alpine/git
|
||||
command: [sh, -c]
|
||||
workingDir: /workspace
|
||||
env:
|
||||
- name: REPO_URL
|
||||
value: https://gitea.marcin00.pl/pikram/user-microservice-deploy.git
|
||||
- name: REPO_BRANCH
|
||||
value: argo-deploy
|
||||
args:
|
||||
- |
|
||||
git clone --depth 1 --branch "${REPO_BRANCH}" --single-branch "${REPO_URL}" repo
|
||||
volumeMounts:
|
||||
- name: workspace
|
||||
mountPath: /workspace
|
||||
|
||||
- name: deploy
|
||||
container:
|
||||
image: marcin00.azurecr.io/azure-cli-kubectl:latest
|
||||
command: [sh, -c]
|
||||
workingDir: /workspace/repo
|
||||
env:
|
||||
- name: CLIENT_ID
|
||||
value: "c302726f-fafb-4143-94c1-67a70975574a"
|
||||
- name: CLUSTER_NAME
|
||||
value: "build"
|
||||
- name: RESOURCE_GROUP
|
||||
value: "tst-aks-rg"
|
||||
- name: DEPLOY_FILES
|
||||
value: "namespace.yaml secret-store.yaml deploy.yaml ingress.yaml"
|
||||
- name: DEPLOYMENT
|
||||
value: "api"
|
||||
- name: NAMESPACE
|
||||
value: "user-microservice"
|
||||
- name: HEALTHCHECK_URL
|
||||
value: "https://user-microservice.marcin00.pl/health"
|
||||
args:
|
||||
- |
|
||||
echo "===> Logging in to Azure"
|
||||
az login --identity --client-id $CLIENT_ID
|
||||
az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --overwrite-existing
|
||||
kubelogin convert-kubeconfig -l azurecli
|
||||
|
||||
echo "===> Applying Kubernetes manifests"
|
||||
for file in $DEPLOY_FILES; do
|
||||
kubectl apply -f "$file"
|
||||
done
|
||||
|
||||
echo "===> Waiting for deployment to complete"
|
||||
kubectl rollout status deployment/$DEPLOYMENT -n $NAMESPACE --timeout=60s
|
||||
|
||||
echo "===> Running health check"
|
||||
for i in $(seq 1 120); do
|
||||
if curl -sf $HEALTHCHECK_URL; then
|
||||
echo "Health check OK"
|
||||
exit 0
|
||||
else
|
||||
echo "Health check failed. Retry $i..."
|
||||
sleep 5
|
||||
fi
|
||||
done
|
||||
echo "Health check failed"
|
||||
exit 1
|
||||
volumeMounts:
|
||||
- name: workspace
|
||||
mountPath: /workspace
|
||||
13
argo-workflows/eventbus-default.yaml
Normal file
13
argo-workflows/eventbus-default.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: EventBus
|
||||
metadata:
|
||||
name: default
|
||||
namespace: argo-events
|
||||
spec:
|
||||
nats:
|
||||
native:
|
||||
# Optional, defaults to 3.
|
||||
# If it is < 3, set it to 3, that is the minimal requirement.
|
||||
replicas: 3
|
||||
# Optional, authen strategy, "none" or "token", defaults to "none"
|
||||
auth: token
|
||||
38
argo-workflows/permissions.yaml
Normal file
38
argo-workflows/permissions.yaml
Normal file
@ -0,0 +1,38 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: operate-workflow-sa
|
||||
namespace: argo-events
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: operate-workflow-role
|
||||
namespace: argo-events
|
||||
rules:
|
||||
- apiGroups: [ "argoproj.io" ]
|
||||
resources: [ "workflows" ]
|
||||
verbs: [ "*" ]
|
||||
- apiGroups: [ "argoproj.io" ]
|
||||
resources: [ "workflowtaskresults" ]
|
||||
verbs: [ "create", "patch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "pods" ]
|
||||
verbs: [ "get", "patch" ]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: operate-workflow-role-binding
|
||||
namespace: argo-events
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: operate-workflow-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: operate-workflow-sa
|
||||
namespace: argo-events
|
||||
30
argo-workflows/secret-store.yaml
Normal file
30
argo-workflows/secret-store.yaml
Normal file
@ -0,0 +1,30 @@
|
||||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: azure-keyvault
|
||||
namespace: argo-events
|
||||
spec:
|
||||
provider: azure
|
||||
secretObjects:
|
||||
- secretName: gitea-secrets
|
||||
type: Opaque
|
||||
data:
|
||||
- objectName: gitea-known-host
|
||||
key: GITEA_KNOWN_HOST
|
||||
- objectName: gitea-deploy-key
|
||||
key: GITEA_DEPLOY_KEY
|
||||
parameters:
|
||||
usePodIdentity: "false"
|
||||
useVMManagedIdentity: "true"
|
||||
userAssignedIdentityID: "f91aef65-7d2a-4df8-a884-e33b05d54a31" # client_id of the user-assigned managed identity
|
||||
clientID: "f91aef65-7d2a-4df8-a884-e33b05d54a31" # client_id of the user-assigned managed identity
|
||||
keyvaultName: "dev-aks"
|
||||
objects: |
|
||||
array:
|
||||
- |
|
||||
objectName: gitea-known-host
|
||||
objectType: secret
|
||||
- |
|
||||
objectName: gitea-deploy-key
|
||||
objectType: secret
|
||||
tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"
|
||||
172
argo-workflows/sensor.yaml
Normal file
172
argo-workflows/sensor.yaml
Normal file
@ -0,0 +1,172 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Sensor
|
||||
metadata:
|
||||
name: webhook-build
|
||||
namespace: argo-events
|
||||
spec:
|
||||
template:
|
||||
serviceAccountName: operate-workflow-sa
|
||||
dependencies:
|
||||
- name: gitea-push
|
||||
eventSourceName: webhook
|
||||
eventName: user-microservice
|
||||
triggers:
|
||||
- template:
|
||||
name: trigger-build-workflow
|
||||
k8s:
|
||||
group: argoproj.io
|
||||
version: v1alpha1
|
||||
resource: workflows
|
||||
operation: create
|
||||
source:
|
||||
resource:
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Workflow
|
||||
metadata:
|
||||
generateName: build-workflow-
|
||||
namespace: argo-events
|
||||
spec:
|
||||
entrypoint: main
|
||||
serviceAccountName: operate-workflow-sa
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: workspace
|
||||
spec:
|
||||
accessModes: ["ReadWriteOnce"]
|
||||
resources:
|
||||
requests:
|
||||
storage: 128Mi
|
||||
volumes:
|
||||
- name: secrets-store
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: azure-keyvault
|
||||
templates:
|
||||
- name: main
|
||||
steps:
|
||||
- - name: checkout
|
||||
template: checkout
|
||||
- - name: tests
|
||||
template: tests
|
||||
- - name: build-and-push-image
|
||||
template: build-and-push-image
|
||||
arguments:
|
||||
parameters:
|
||||
- name: git-sha
|
||||
value: "{{steps.checkout.outputs.parameters.git-sha}}"
|
||||
- - name: gitops-commit
|
||||
template: gitops-commit
|
||||
arguments:
|
||||
parameters:
|
||||
- name: git-sha
|
||||
value: "{{steps.checkout.outputs.parameters.git-sha}}"
|
||||
- name: checkout
|
||||
container:
|
||||
image: alpine/git
|
||||
command: [sh, -c]
|
||||
workingDir: /workspace
|
||||
env:
|
||||
- name: REPO_URL
|
||||
value: https://gitea.marcin00.pl/pikram/user-microservice.git
|
||||
- name: REPO_BRANCH
|
||||
value: argoworkflow-fluxcd
|
||||
args:
|
||||
- |
|
||||
git clone --depth 1 --branch "${REPO_BRANCH}" --single-branch "${REPO_URL}" repo
|
||||
cd repo
|
||||
git rev-parse HEAD > /tmp/gitsha.txt
|
||||
volumeMounts:
|
||||
- name: workspace
|
||||
mountPath: /workspace
|
||||
outputs:
|
||||
parameters:
|
||||
- name: git-sha
|
||||
valueFrom:
|
||||
path: /tmp/gitsha.txt
|
||||
- name: tests
|
||||
script:
|
||||
image: python:3.11.7-alpine
|
||||
command: [sh]
|
||||
workingDir: /workspace/repo/api
|
||||
source: |
|
||||
python3 -m venv env
|
||||
source env/bin/activate
|
||||
pip install -r requirements.txt pytest
|
||||
python3 -m pytest --junit-xml=pytest_junit.xml
|
||||
volumeMounts:
|
||||
- name: workspace
|
||||
mountPath: /workspace
|
||||
- name: build-and-push-image
|
||||
inputs:
|
||||
parameters:
|
||||
- name: git-sha
|
||||
podSpecPatch: |
|
||||
runtimeClassName: sysbox-runc
|
||||
metadata:
|
||||
annotations:
|
||||
io.kubernetes.cri-o.userns-mode: "auto:size=65536"
|
||||
container:
|
||||
image: marcin00.azurecr.io/azure-cli-docker:slim-bookworm
|
||||
command: [sh, -c]
|
||||
workingDir: /workspace/repo
|
||||
env:
|
||||
- name: DOCKER_IMAGE
|
||||
value: marcin00.azurecr.io/user-microservice:{{inputs.parameters.git-sha}}
|
||||
- name: CLIENT_ID
|
||||
value: c302726f-fafb-4143-94c1-67a70975574a
|
||||
- name: ACR_NAME
|
||||
value: marcin00
|
||||
args:
|
||||
- |
|
||||
dockerd &
|
||||
docker build -t $DOCKER_IMAGE --build-arg APP_VERSION={{inputs.parameters.git-sha}} --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") .
|
||||
az login --identity --client-id ${CLIENT_ID}
|
||||
az acr login --name ${ACR_NAME}
|
||||
docker push ${DOCKER_IMAGE}
|
||||
volumeMounts:
|
||||
- name: workspace
|
||||
mountPath: /workspace
|
||||
- name: gitops-commit
|
||||
inputs:
|
||||
parameters:
|
||||
- name: git-sha
|
||||
container:
|
||||
image: alpine/git
|
||||
command: [sh, -c]
|
||||
env:
|
||||
- name: DEPLOY_REPO_URL
|
||||
value: ssh://git@srv22.mikr.us:20343/pikram/user-microservice-deploy.git
|
||||
- name: DEPLOY_REPO_BRANCH
|
||||
value: argoworkflow-fluxcd
|
||||
- name: CI_COMMIT_SHA
|
||||
value: "{{inputs.parameters.git-sha}}"
|
||||
args:
|
||||
- |
|
||||
mkdir -p ~/.ssh
|
||||
cp /mnt/secrets/gitea-known-host ~/.ssh/known_hosts
|
||||
chmod 644 ~/.ssh/known_hosts
|
||||
cp /mnt/secrets/gitea-deploy-key ~/.ssh/id_ed25519
|
||||
chmod 600 ~/.ssh/id_ed25519
|
||||
git config --global user.name "argo[bot]"
|
||||
git config --global user.email "argo@marcin00.pl"
|
||||
git clone --depth 1 --branch $DEPLOY_REPO_BRANCH --single-branch $DEPLOY_REPO_URL repo
|
||||
cd repo/apps/user-microservice
|
||||
awk -v commit="$CI_COMMIT_SHA" '
|
||||
$0 ~ /name:[[:space:]]*api/ { in_api_container = 1; print; next }
|
||||
in_api_container && $0 ~ /^[[:space:]]*image:[[:space:]]*/ {
|
||||
sub(/:[^:[:space:]]+$/, ":" commit)
|
||||
in_api_container = 0
|
||||
print
|
||||
next
|
||||
}
|
||||
{ print }
|
||||
' deploy.yaml > deploy.tmp && mv deploy.tmp deploy.yaml
|
||||
git add deploy.yaml
|
||||
git diff-index --quiet HEAD || git commit -m "Argo: Changed deployed version to $CI_COMMIT_SHA"
|
||||
git push origin $DEPLOY_REPO_BRANCH
|
||||
volumeMounts:
|
||||
- name: secrets-store
|
||||
mountPath: "/mnt/secrets"
|
||||
readOnly: true
|
||||
19
argo-workflows/source.yaml
Normal file
19
argo-workflows/source.yaml
Normal file
@ -0,0 +1,19 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: EventSource
|
||||
metadata:
|
||||
name: webhook
|
||||
namespace: argo-events
|
||||
spec:
|
||||
service:
|
||||
ports:
|
||||
- port: 12000
|
||||
targetPort: 12000
|
||||
webhook:
|
||||
user-microservice:
|
||||
endpoint: /user-microservice
|
||||
method: POST
|
||||
port: "12000"
|
||||
user-microservice-deploy:
|
||||
endpoint: /user-microservice-deploy
|
||||
method: POST
|
||||
port: "12000"
|
||||
27
argo-workflows/webhook-ingress.yaml
Normal file
27
argo-workflows/webhook-ingress.yaml
Normal file
@ -0,0 +1,27 @@
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: argo-ingress
|
||||
namespace: argo-events
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
rules:
|
||||
- host: argo-hook.marcin00.pl
|
||||
http:
|
||||
paths:
|
||||
- path: /user-microservice
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: webhook-eventsource-svc
|
||||
port:
|
||||
number: 12000
|
||||
- path: /user-microservice-deploy
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: webhook-eventsource-svc
|
||||
port:
|
||||
number: 12000
|
||||
16
argo-workflows/webhook-service.yaml
Normal file
16
argo-workflows/webhook-service.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: webhook-eventsource-svc
|
||||
namespace: argo-events
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: default
|
||||
port: 12000
|
||||
protocol: TCP
|
||||
targetPort: 12000
|
||||
selector:
|
||||
controller: eventsource-controller
|
||||
eventsource-name: webhook
|
||||
owner-name: webhook
|
||||
65
deployment_timer.sh
Executable file
65
deployment_timer.sh
Executable file
@ -0,0 +1,65 @@
|
||||
#!/bin/bash
|
||||
|
||||
# === KONFIGURACJA ===
|
||||
APP_URL="https://user-microservice.marcin00.pl/version"
|
||||
MARKER_FILE="version_marker.txt"
|
||||
OUTPUT_FILE="deployment_times.csv"
|
||||
CHECK_INTERVAL=1 # sekundy
|
||||
|
||||
# === POBRANIE AKTUALNEJ WERSJI APLIKACJI ===
|
||||
echo "[INFO] Pobieranie aktualnej wersji z /version..."
|
||||
OLD_VERSION=$(curl -s "$APP_URL" | jq -r '.version')
|
||||
|
||||
if [[ -z "$OLD_VERSION" ]]; then
|
||||
echo "[ERROR] Nie udało się pobrać aktualnej wersji aplikacji."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "[INFO] Aktualna wersja: $OLD_VERSION"
|
||||
|
||||
# === Modyfikacja pliku, commit i push ===
|
||||
TIMESTAMP=$(date +%s)
|
||||
echo "$TIMESTAMP" > "$MARKER_FILE"
|
||||
|
||||
git add "$MARKER_FILE"
|
||||
git commit -m "Automatyczna zmiana: $TIMESTAMP"
|
||||
START_TIME=$(date +%s)
|
||||
|
||||
echo "[INFO] Wykonuję git push..."
|
||||
git push
|
||||
|
||||
if [[ $? -ne 0 ]]; then
|
||||
echo "[ERROR] Push nie powiódł się."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "[INFO] Oczekiwanie na wdrożenie nowej wersji..."
|
||||
|
||||
# === Odpytywanie endpointa /version ===
|
||||
WAITED=0
|
||||
echo "[WAIT] Oczekiwanie na nową wersję..."
|
||||
|
||||
while true; do
|
||||
sleep $CHECK_INTERVAL
|
||||
WAITED=$((WAITED + CHECK_INTERVAL))
|
||||
|
||||
NEW_VERSION=$(curl -s "$APP_URL" | jq -r '.version')
|
||||
|
||||
if [[ "$NEW_VERSION" != "$OLD_VERSION" ]]; then
|
||||
END_TIME=$(date +%s)
|
||||
DURATION=$((END_TIME - START_TIME))
|
||||
|
||||
# Nadpisujemy linię z licznikiem
|
||||
printf "\r[INFO] Nowa wersja wdrożona po %d healtcheck próbach: %s\n" "$WAITED" "$NEW_VERSION"
|
||||
echo "[INFO] Czas wdrożenia: $DURATION sekund"
|
||||
|
||||
echo "$START_TIME,$END_TIME,$DURATION,$OLD_VERSION,$NEW_VERSION" >> "$OUTPUT_FILE"
|
||||
break
|
||||
else
|
||||
# Nadpisujemy TYLKO linię z licznikiem
|
||||
printf "\r[WAIT] Czekam... wykonano %d healtcheck prób" "$WAITED"
|
||||
fi
|
||||
done
|
||||
|
||||
# Żeby kursor przeszedł do nowej linii po zakończeniu
|
||||
echo ""
|
||||
@ -7,9 +7,24 @@ services:
|
||||
build: .
|
||||
env_file:
|
||||
- api/.env
|
||||
ports:
|
||||
- 80:80
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-f", "http://localhost/health"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
start_period: 15s
|
||||
db:
|
||||
container_name: db
|
||||
hostname: db
|
||||
image: mysql:latest
|
||||
env_file:
|
||||
- db/.env
|
||||
ports:
|
||||
- 3306:3306
|
||||
healthcheck:
|
||||
test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
1
version_marker.txt
Normal file
1
version_marker.txt
Normal file
@ -0,0 +1 @@
|
||||
1754166304
|
||||
Reference in New Issue
Block a user