Merge pull request #362 from kikkomep/feat/bck-security-issues

feat: add maintenance tools

Makefile

@@ -236,6 +236,21 @@ start-testing: compose-files aux_images ro_crates images reset_compose permissio
 		exec -T lmtests /bin/bash -c "tests/wait-for-seek.sh 600"; \
 	printf "$(done)\n"
 
+start-maintenance: compose-files aux_images ro_crates images reset_compose permissions ## Start LifeMonitor in a Testing environment
+	@printf "\n$(bold)Starting testing services...$(reset)\n" ; \
+	base=$$(if [[ -f "docker-compose.yml" ]]; then echo "-f docker-compose.yml"; fi) ; \
+	echo "$$(USER_UID=$$(id -u) USER_GID=$$(id -g) \
+				$(docker_compose) $${base} \
+				-f docker-compose.extra.yml \
+				-f docker-compose.base.yml \
+				-f docker-compose.monitoring.yml \
+				-f docker-compose.dev.yml \
+				-f docker-compose.maintenance.yml \
+				config)" > docker-compose.yml \
+	&& cp {,.maintenance.}docker-compose.yml \
+	&& $(docker_compose) -f docker-compose.yml up -d db redis lm ws_server nginx console ;\
+	printf "$(done)\n"
+
 start-nginx: certs docker-compose.base.yml permissions ## Start a nginx front-end proxy for the LifeMonitor back-end
 	@printf "\n$(bold)Starting nginx proxy...$(reset)\n" ; \
 	base=$$(if [[ -f "docker-compose.yml" ]]; then echo "-f docker-compose.yml"; fi) ; \

docker-compose.monitoring.yml

@@ -2,7 +2,7 @@ version: "3.5"
 
 services:
   prometheus:
-    image: prom/prometheus:v2.24.1
+    image: prom/prometheus:v2.48.0
     ports:
       - "9090:9090"
     volumes:

docker/worker_entrypoint.sh

@@ -84,7 +84,6 @@ while : ; do
     ${threads:-} \
     lifemonitor.tasks.worker:broker lifemonitor.tasks ${queues}
   exit_code=$?
-  exit_code=$?
   if [[ $exit_code == 3 ]]; then
     log "dramatiq worker could not connect to message broker (exit code ${exit_code})" 
     log "Restarting..."

k8s/backup-key.secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: lifemonitor-api-backup-key
+type: Opaque
+data:
+  encryptionKey: <base64-encoded-encryption-key>

k8s/templates/_helpers.tpl

@@ -67,6 +67,13 @@ Define lifemonitor TLS secret name
 {{- printf "%s-tls" .Release.Name }}
 {{- end }}
 
+{{/*
+Define lifemonitor secret name for backup key
+*/}}
+{{- define "chart.lifemonitor.backup.key" -}}
+{{- printf "%s-backup-key" .Release.Name }}
+{{- end }}
+
 
 {{/*
 Define volume name of LifeMonitor backup data 

k8s/templates/backend.deployment.yaml

@@ -63,7 +63,11 @@ spec:
           image: {{ include "chart.lifemonitor.image" . }}
           imagePullPolicy: {{ .Values.lifemonitor.imagePullPolicy }}
           env:
-          {{- include "lifemonitor.common-env" . | nindent 12 }}
+          {{- include "lifemonitor.common-env" . | nindent 12 }}          
+            {{- if  .Values.maintenanceMode.enabled }}
+            - name: FLASK_ENV
+              value: "maintenance"
+            {{- end }}
           volumeMounts:
           {{- include "lifemonitor.common-volume-mounts" . | nindent 12 }}
           ports:

k8s/templates/backup.job.yaml

@@ -29,12 +29,22 @@ spec:
             {{- include "lifemonitor.common-volume-mounts" . | nindent 12 }}
             - name: lifemonitor-backup
               mountPath: "/var/data/backup"
+            {{- if .Values.backup.encryptionKeySecret }}
+            - name: lifemonitor-backup-encryption-key
+              mountPath: "/lm/backup/encryption.key"
+              subPath: encryptionKey
+            {{- end }}
           restartPolicy: OnFailure
           volumes:
             {{- include "lifemonitor.common-volume" . | nindent 10 }}
           - name: lifemonitor-backup
             persistentVolumeClaim:
               claimName: {{ .Values.backup.existingClaim }}
+          {{- if .Values.backup.encryptionKeySecret }}
+          - name: lifemonitor-backup-encryption-key
+            secret:
+              secretName: {{ .Values.backup.encryptionKeySecret }}
+          {{- end }}
           {{- with .Values.lifemonitor.nodeSelector }}
           nodeSelector:
             {{- toYaml . | nindent 10 }}

k8s/templates/console.deployment.yaml

@@ -0,0 +1,73 @@
+{{- if or (.Values.maintenanceMode.enabled) (.Values.console.enabled ) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "chart.fullname" . }}-console
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.lifemonitor.autoscaling.enabled }}
+  replicas: {{ .Values.lifemonitor.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "chart.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/settings: {{ include (print $.Template.BasePath "/settings.secret.yaml") . | sha256sum }}
+      {{- with .Values.lifemonitor.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}       
+      labels:
+        {{- include "chart.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.lifemonitor.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "chart.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.lifemonitor.podSecurityContext | nindent 8 }}
+      containers:
+        - name: app
+          securityContext:
+            {{- toYaml .Values.lifemonitor.securityContext | nindent 12 }}
+          image: {{ include "chart.lifemonitor.image" . }}
+          imagePullPolicy: {{ .Values.lifemonitor.imagePullPolicy }}
+          command: ["/bin/sh","-c"]
+          args: ["wait-for-redis.sh && wait-for-postgres.sh && sleep infinity"]
+          env:
+          {{- include "lifemonitor.common-env" . | nindent 12 }}
+            - name: LIFEMONITOR_MAINTENANCE_MODE
+              value: {{ .Values.maintenanceMode.enabled | quote }}
+            - name: LIFEMONITOR_CONSOLE_ENABLED
+              value: {{ .Values.console.enabled | quote }}
+          volumeMounts:
+          {{- include "lifemonitor.common-volume-mounts" . | nindent 12 }}
+            - name: lifemonitor-backup
+              mountPath: "/var/data/backup"
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP         
+          resources:
+            {{- toYaml .Values.lifemonitor.resources | nindent 12 }}
+      volumes:
+        - name: lifemonitor-backup
+          persistentVolumeClaim:
+            claimName: {{ .Values.backup.existingClaim }}
+      {{- include "lifemonitor.common-volume" . | nindent 8 }}
+      {{- with .Values.lifemonitor.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.lifemonitor.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.lifemonitor.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

k8s/templates/settings.secret.yaml

@@ -78,6 +78,9 @@ stringData:
     {{- if .Values.backup.retain_days }}
     BACKUP_RETAIN_DAYS={{ .Values.backup.retain_days }}
     {{- end }}
+    {{- if .Values.backup.encryptionKeySecret }}
+    BACKUP_ENCRYPTION_KEY_PATH=/lm/backup/encryption.key
+    {{- end }}    
     {{- if .Values.backup.remote.enabled }}
     BACKUP_REMOTE_PATH={{ .Values.backup.remote.path }}
     BACKUP_REMOTE_HOST={{ .Values.backup.remote.host }}
@@ -87,6 +90,12 @@ stringData:
     {{- end }}
     {{- end }}
 
+    # Maintenance Mode Settings
+    {{- if .Values.maintenanceMode.enabled -}}
+    MAINTENANCE_MODE={{.Values.maintenanceMode.enabled}}
+    MAINTENANCE_MODE_MAIN_MESSAGE={{.Values.maintenanceMode.mainMessage}}
+    MAINTENANCE_MODE_SECONDARY_MESSAGE={{.Values.maintenanceMode.secondaryMessage}}
+    {{- end }}
 
     # Set admin credentials
     LIFEMONITOR_ADMIN_PASSWORD={{ .Values.lifemonitor.administrator.password }}

k8s/templates/worker.deployment.yaml

@@ -72,6 +72,10 @@ spec:
               {{ else }}
               value: {{ $queue.name }}
               {{ end }}
+            {{- if  $.Values.maintenanceMode.enabled }}
+            - name: FLASK_ENV
+              value: "maintenance"
+            {{- end }}
           ports:
             - containerPort: 9191
           volumeMounts:

k8s/templates/wss.deployment.yaml

@@ -60,6 +60,10 @@ spec:
           imagePullPolicy: {{ .Values.lifemonitor.imagePullPolicy }}
           env:
           {{- include "lifemonitor.common-env" . | nindent 12 }}
+            {{- if  .Values.maintenanceMode.enabled }}
+            - name: FLASK_ENV
+              value: "maintenance"
+            {{- end }}
           volumeMounts:
           {{- include "lifemonitor.common-volume-mounts" . | nindent 12 }}
           ports:

k8s/values.yaml

@@ -6,6 +6,12 @@
 nameOverride: ""
 fullnameOverride: ""
 
+# manage maintenance mode
+maintenanceMode:
+  enabled: false
+  # mainMessage: "We're busy updating the Life-Monitor service for you."
+  # secondaryMessage: "We'll be back shortly."
+
 # The name and port number of the server (e.g.: 'lm.local:8000'),
 # used as base_url on all the links returned by the API
 externalServerName: &hostname api.lifemonitor.eu
@@ -120,6 +126,7 @@ backup:
   successfulJobsHistoryLimit: 30
   failedJobsHistoryLimit: 30
   existingClaim: data-api-backup
+  # encryptionKeySecret: lifemonitor-api-backup-key
   # Settings to mirror the (cluster) local backup
   # to a remote site via FTPS or SFTP
   remote:
@@ -150,6 +157,10 @@ monitoring:
           memory: 256Mi
           cpu: 0.2
 
+# management console settings
+console:
+  enabled: false
+
 rateLimiting:
   zone:
     accounts: