Moved K8s to base and Upgraded Bamboo (#43)

* Moved Bamboo kubernetes deployment to base directory this will standardise deployments

* Moved kubernetes kustomizer resource to point to base directory

* Upgraded Bamboo to version 9.2.4 LTS

* MOved Kubernetes files to base

* Updated docker file to include opencontainers description

* Moved part of Kubernetes securityContext spec to container level

This best practice applys the securityContext to all container in the deployment and reduces code duplications

Updated Kubernetes deployment spec set readOnlyRootFilesystem and increased initialDelaySeconds

Added apk package curl for internal use, updated folder path name by making it consistent

moved Bamboo logs to ephemeral storage

U[dated Kubernetes deployment manifest to include resources - this is to define resource specs, and added JAVA min max and opts from system resource

foo

* bugfix: fixed chown for Bamboo dir and process

* Updated base OpenJDK to 21-slim

* Added K8s mount point for catalina conf

* Disabled Kubernetes deployment automountServiceAccountToken and enableServiceLinks

This improves our security posture

Dockerfile

@@ -1,17 +1,16 @@
-FROM docker.io/openjdk:jre-alpine
+FROM docker.io/openjdk:11-slim
 
 ARG BUILD_ID=""
-ARG BAMBOO_VERSION=""
+ARG BAMBOO_VERSION="9.2.4"
 ARG PORT=""
 ARG REF=""
 
-LABEL description="Containerised Atlassian Bomboo Server"
+LABEL org.opencontainers.image.description="Containerised Atlassian Bamboo Server"
 LABEL maintainer="Said Sef <said@saidsef.co.uk> (saidsef.co.uk/)"
-LABEL version="8.2.7"
 LABEL "uk.co.saidsef.bamboo"="${REF}"
 
 ENV BAMBOO_HOME /data
-ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION:-8.2.9}
+ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION}
 ENV PATH /opt/$BB_PKG_NAME/bin:$PATH
 ENV HOME /tmp
 ENV PORT ${PORT:-8085}
@@ -22,22 +21,26 @@ USER root
 WORKDIR $BAMBOO_HOME
 
 # Install wget and Download Bamboo
-RUN apk add --update --no-cache wget bash openssl procps && \
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    # wget and curl are required by Atlassian Bamboo Server
+    apt-get install -yq procps wget curl && \
+    rm -rf /var/lib/apt/lists/* && \
     echo $BB_PKG_NAME && \
     wget https://www.atlassian.com/software/bamboo/downloads/binary/$BB_PKG_NAME.tar.gz && \
     tar xvzf $BB_PKG_NAME.tar.gz && \
     rm -vf $BB_PKG_NAME.tar.gz && \
     mkdir -p /opt && \
-    mv $BB_PKG_NAME /opt && \
-    rm -rf /var/cache/apk/*
+    mv $BB_PKG_NAME /opt/atlassian-bamboo && \
+    apt-get autoremove -y
 
 # COPY bamboo-init.properties config
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/WEB-INF/classes/
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/WEB-INF/classes/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/
 
-# # Fix dir permissions/ownership
-RUN chmod a+rwx /opt/$BB_PKG_NAME/WEB-INF/classes/bamboo-init.properties && \
-    chown nobody:nobody -R /opt/$BB_PKG_NAME
+# Fix dir permissions/ownership
+RUN chown nobody -R /opt/atlassian-bamboo && \
+    chmod g+rwx /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties
 
 USER nobody
 
@@ -48,4 +51,4 @@ VOLUME ["/data"]
 EXPOSE ${PORT}
 
 # Define default command.
-CMD /opt/$BB_PKG_NAME/bin/start-bamboo.sh -fg
+CMD /opt/atlassian-bamboo/bin/start-bamboo.sh -fg

deployment/base/kustomization.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- statefulset.yml
+- service.yml

deployment/statefulset.yml → deployment/base/statefulset.yml

@@ -22,6 +22,12 @@ spec:
         name: bamboo
         app: bamboo
     spec:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: 65534
+        runAsUser: 65534
       containers:
         - image: docker.io/saidsef/atlassian-bamboo-cicd:v2023.04
           imagePullPolicy: Always
@@ -35,19 +41,24 @@ spec:
             - protocol: TCP
               containerPort: 8085
               name: bamboo
+          resources:
+            limits:
+              cpu: 500m
+              memory: 1Gi
+              ephemeral-storage: 3Gi
           livenessProbe:
             exec:
               command:
                 - pgrep
                 - java
-            initialDelaySeconds: 3
+            initialDelaySeconds: 10
             periodSeconds: 3
             successThreshold: 1
             timeoutSeconds: 2
           readinessProbe:
             tcpSocket:
               port: bamboo
-            initialDelaySeconds: 5
+            initialDelaySeconds: 10
             periodSeconds: 5
             successThreshold: 1
             timeoutSeconds: 1
@@ -56,18 +67,24 @@ spec:
               type: RuntimeDefault
             allowPrivilegeEscalation: false
             privileged: false
-            runAsGroup: 65534
-            runAsUser: 65534
-            runAsNonRoot: true
-            readOnlyRootFilesystem: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop:
                 - ALL
           volumeMounts:
-            - name: bamboo-storage
+            - name: data
               mountPath: /data
               subPath: data
+            - name: data
+              mountPath: /opt/atlassian-bamboo/logs
+              subPath: logs
+            - name: data
+              mountPath: /opt/atlassian-bamboo/work
+              subPath: work
+            - name: data
+              mountPath: /opt/atlassian-bamboo/conf/Catalina
+              subPath: catalina
       volumes:
-        - name: bamboo-storage
+        - name: data
           emptyDir:
             sizeLimit: 3Gi

deployment/kustomization.yml

@@ -3,10 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- statefulset.yml
-- service.yml
+- base/
 
 images:
 - name: bamboo
   newName: docker.io/saidsef/atlassian-bamboo-cicd
-  newTag: v2023.04
+  newTag: v2023.08