From 865ad5a865f918f88254dd24f36016f5cccea457 Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Thu, 24 Aug 2023 18:32:08 +0100
Subject: [PATCH 01/10] Moved Bamboo kubernetes deployment to base directory this will standardise deployments
---
 deployment/base/kustomization.yml | 7 +++
 deployment/base/service.yml | 18 ++++++++
 deployment/base/statefulset.yml | 73 +++++++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 deployment/base/kustomization.yml
 create mode 100644 deployment/base/service.yml
 create mode 100644 deployment/base/statefulset.yml
diff --git a/deployment/base/kustomization.yml b/deployment/base/kustomization.yml
new file mode 100644
index 0000000..8bbef8f
--- /dev/null
+++ b/deployment/base/kustomization.yml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- statefulset.yml
+- service.yml
diff --git a/deployment/base/service.yml b/deployment/base/service.yml
new file mode 100644
index 0000000..35b147d
--- /dev/null
+++ b/deployment/base/service.yml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: bamboo
+ labels:
+ name: bamboo
+ app: bamboo
+spec:
+ type: ClusterIP
+ sessionAffinity: ClientIP
+ selector:
+ app: bamboo
+ ports:
+ - port: 8085
+ protocol: TCP
+ targetPort: bamboo
+ name: http
diff --git a/deployment/base/statefulset.yml b/deployment/base/statefulset.yml
new file mode 100644
index 0000000..2a892d5
--- /dev/null
+++ b/deployment/base/statefulset.yml
@@ -0,0 +1,73 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: bamboo
+ labels:
+ name: bamboo
+ app: bamboo
+spec:
+ serviceName: "bamboo"
+ revisionHistoryLimit: 1
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bamboo
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "4567"
+ labels:
+ name: bamboo
+ app: bamboo
+ spec:
+ containers:
+ - image: docker.io/saidsef/atlassian-bamboo-cicd:v2023.04
+ imagePullPolicy: Always
+ env:
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ name: bamboo
+ ports:
+ - protocol: TCP
+ containerPort: 8085
+ name: bamboo
+ livenessProbe:
+ exec:
+ command:
+ - pgrep
+ - java
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ successThreshold: 1
+ timeoutSeconds: 2
+ readinessProbe:
+ tcpSocket:
+ port: bamboo
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsGroup: 65534
+ runAsUser: 65534
+ runAsNonRoot: true
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - name: bamboo-storage
+ mountPath: /data
+ subPath: data
+ volumes:
+ - name: bamboo-storage
+ emptyDir:
+ sizeLimit: 3Gi
From a093cbe23ecab51f190c2d663c56ce43c3d7c01a Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Thu, 24 Aug 2023 18:32:58 +0100
Subject: [PATCH 02/10] Moved kubernetes kustomizer resource to point to base directory
---
 deployment/kustomization.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/deployment/kustomization.yml b/deployment/kustomization.yml
index 7bfc29d..c082874 100644
--- a/deployment/kustomization.yml
+++ b/deployment/kustomization.yml
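Review bot: `/data` — which the Dockerfile sets as `BAMBOO_HOME` — is backed by the `emptyDir` declared under `volumes:` at the end of the hunk, so the Bamboo home (embedded database, build results, and whatever credentials the server stores) is discarded every time the pod is rescheduled, which removes the one thing a StatefulSet is used for. Replace the `volumes:` entry with a `volumeClaimTemplates:` for `bamboo-storage` so each replica gets a persistent claim under the same mount name. Separately, `imagePullPolicy: Always` together with the mutable tag `docker.io/saidsef/atlassian-bamboo-cicd:v2023.04` means every restart pulls whatever the tag currently points at; pinning the image by `@sha256:` digest (or setting `digest:` in the kustomize `images:` transformer) keeps the CI server's own supply chain reproducible.
```yaml
# … unchanged: spec.template (with the volumes: block removed) …
volumeClaimTemplates:
  - metadata:
      name: bamboo-storage
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 3Gi
```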
@@ -3,10 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- statefulset.yml
-- service.yml
+- base/
 images:
 - name: bamboo
 newName: docker.io/saidsef/atlassian-bamboo-cicd
- newTag: v2023.04
+ newTag: v2023.08
From ad7d6ba1c7665970bc3dd9e556439dacfcbc157f Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Thu, 24 Aug 2023 18:33:54 +0100
Subject: [PATCH 03/10] Upgraded Bamboo to version 9.2.4 LTS
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index c94f9e0..c5909d2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,7 @@ LABEL version="8.2.7"
 LABEL "uk.co.saidsef.bamboo"="${REF}"
 ENV BAMBOO_HOME /data
-ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION:-8.2.9}
+ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION:-9.2.4}
 ENV PATH /opt/$BB_PKG_NAME/bin:$PATH
 ENV HOME /tmp
 ENV PORT ${PORT:-8085}
From 05ca9dae8fe7fceac20bffde4ccde0b04e75340b Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Thu, 24 Aug 2023 18:34:10 +0100
Subject: [PATCH 04/10] MOved Kubernetes files to base
---
 deployment/service.yml | 18 ----------
 deployment/statefulset.yml | 73 --------------------------------------
 2 files changed, 91 deletions(-)
 delete mode 100644 deployment/service.yml
 delete mode 100644 deployment/statefulset.yml
diff --git a/deployment/service.yml b/deployment/service.yml
deleted file mode 100644
index 35b147d..0000000
--- a/deployment/service.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: bamboo
- labels:
- name: bamboo
- app: bamboo
-spec:
- type: ClusterIP
- sessionAffinity: ClientIP
- selector:
- app: bamboo
- ports:
- - port: 8085
- protocol: TCP
- targetPort: bamboo
- name: http
diff --git a/deployment/statefulset.yml b/deployment/statefulset.yml
deleted file mode 100644
index 2a892d5..0000000
--- a/deployment/statefulset.yml
+++ /dev/null
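Review bot: The `images:` transformer is keyed `name: bamboo`, but the image the StatefulSet in `base/statefulset.yml` actually declares is `docker.io/saidsef/atlassian-bamboo-cicd:v2023.04`; unless kustomize's matching is looser than I recall, `name` must equal the image name as written in the manifest, so `newTag: v2023.08` is silently never applied and the overlay keeps deploying `v2023.04`. Changing the key to `name: docker.io/saidsef/atlassian-bamboo-cicd` (which makes `newName:` redundant) lets the bump take effect, and `kustomize build deployment | grep image:` is a quick way to confirm which tag the rendered manifest carries.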
@@ -1,73 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: bamboo
- labels:
- name: bamboo
- app: bamboo
-spec:
- serviceName: "bamboo"
- revisionHistoryLimit: 1
- replicas: 1
- selector:
- matchLabels:
- app: bamboo
- template:
- metadata:
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "4567"
- labels:
- name: bamboo
- app: bamboo
- spec:
- containers:
- - image: docker.io/saidsef/atlassian-bamboo-cicd:v2023.04
- imagePullPolicy: Always
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- name: bamboo
- ports:
- - protocol: TCP
- containerPort: 8085
- name: bamboo
- livenessProbe:
- exec:
- command:
- - pgrep
- - java
- initialDelaySeconds: 3
- periodSeconds: 3
- successThreshold: 1
- timeoutSeconds: 2
- readinessProbe:
- tcpSocket:
- port: bamboo
- initialDelaySeconds: 5
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- allowPrivilegeEscalation: false
- privileged: false
- runAsGroup: 65534
- runAsUser: 65534
- runAsNonRoot: true
- readOnlyRootFilesystem: false
- capabilities:
- drop:
- - ALL
- volumeMounts:
- - name: bamboo-storage
- mountPath: /data
- subPath: data
- volumes:
- - name: bamboo-storage
- emptyDir:
- sizeLimit: 3Gi
From 527f299fa3e5d14a7c0a866f36db14bdc63151b9 Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Fri, 25 Aug 2023 10:30:17 +0100
Subject: [PATCH 05/10] Updated docker file to include opencontainers description
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c5909d2..0c7e22c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,12 +5,12 @@ ARG BAMBOO_VERSION=""
 ARG PORT=""
 ARG REF=""
-LABEL description="Containerised Atlassian Bomboo Server"
+LABEL org.opencontainers.image.description="Containerised Atlassian Bomboo Server"
 LABEL maintainer="Said Sef (saidsef.co.uk/)"
-LABEL version="8.2.7"
 LABEL "uk.co.saidsef.bamboo"="${REF}"
 ENV BAMBOO_HOME /data
+# If BAMBOO_VERSION is not supplied during build, use stable version 9.2.4
 ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION:-9.2.4}
 ENV PATH /opt/$BB_PKG_NAME/bin:$PATH
 ENV HOME /tmp
From 6f9e3899266ae6c7912d8b1f3428ab97e239a21b Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Fri, 25 Aug 2023 10:31:38 +0100
Subject: [PATCH 06/10] Moved part of Kubernetes securityContext spec to container level This best practice applys the securityContext to all container in the deployment and reduces code duplications Updated Kubernetes deployment spec set readOnlyRootFilesystem and increased initialDelaySeconds Added apk package curl for internal use, updated folder path name by making it consistent moved Bamboo logs to ephemeral storage U[dated Kubernetes deployment manifest to include resources - this is to define resource specs, and added JAVA min max and opts from system resource foo
---
 Dockerfile | 27 +++++++++++++--------------
 deployment/base/statefulset.yml | 27 +++++++++++++++++++--------
 2 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0c7e22c..810a285 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,16 @@
-FROM docker.io/openjdk:jre-alpine
+FROM docker.io/openjdk:22-slim
 ARG BUILD_ID=""
-ARG BAMBOO_VERSION=""
+ARG BAMBOO_VERSION="9.2.4"
 ARG PORT=""
 ARG REF=""
-LABEL org.opencontainers.image.description="Containerised Atlassian Bomboo Server"
+LABEL org.opencontainers.image.description="Containerised Atlassian Bamboo Server"
 LABEL maintainer="Said Sef (saidsef.co.uk/)"
 LABEL "uk.co.saidsef.bamboo"="${REF}"
 ENV BAMBOO_HOME /data
-# If BAMBOO_VERSION is not supplied during build, use stable version 9.2.4
-ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION:-9.2.4}
+ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION}
 ENV PATH /opt/$BB_PKG_NAME/bin:$PATH
 ENV HOME /tmp
 ENV PORT ${PORT:-8085}
@@ -22,22 +21,22 @@ USER root
 WORKDIR $BAMBOO_HOME
 # Install wget and Download Bamboo
-RUN apk add --update --no-cache wget bash openssl procps && \
+RUN apt-get update && \
+ apt-get install -yq wget curl && \
 echo $BB_PKG_NAME && \
 wget https://www.atlassian.com/software/bamboo/downloads/binary/$BB_PKG_NAME.tar.gz && \
 tar xvzf $BB_PKG_NAME.tar.gz && \
 rm -vf $BB_PKG_NAME.tar.gz && \
 mkdir -p /opt && \
- mv $BB_PKG_NAME /opt && \
- rm -rf /var/cache/apk/*
+ mv $BB_PKG_NAME /opt/atlassian-bamboo
 # COPY bamboo-init.properties config
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/WEB-INF/classes/
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/WEB-INF/classes/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/
-# # Fix dir permissions/ownership
-RUN chmod a+rwx /opt/$BB_PKG_NAME/WEB-INF/classes/bamboo-init.properties && \
- chown nobody:nobody -R /opt/$BB_PKG_NAME
+# Fix dir permissions/ownership
+RUN chmod a+rwx /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties && \
+ chown nobody:nobody -R /opt/atlassian-bamboo
 USER nobody
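Review bot: The `wget https://www.atlassian.com/…/$BB_PKG_NAME.tar.gz` line still hands the archive straight to `tar` with no integrity check, so the image's trust in the Bamboo binary rests on build-time TLS to that host and on the version string alone — a CDN or mirror problem, or a mis-set `BAMBOO_VERSION`, goes unnoticed. Atlassian publishes SHA-256 sums next to the downloads (take the value for 9.2.4 from the download page), so a build arg `ARG BAMBOO_SHA256=""` plus `echo "${BAMBOO_SHA256}  ${BB_PKG_NAME}.tar.gz" | sha256sum -c - && \` between the `wget` and `tar` lines fails the build on a mismatch; `sha256sum` is in coreutils on the `-slim` base, so nothing extra is installed. Separately, `chmod a+rwx` on `bamboo-init.properties` leaves a world-writable, executable config file in the image; `chmod 644` is enough for the `nobody` owner set on the next line to read it, provided the copied file already carries `bamboo.home` (the `ENV BAMBOO_HOME /data` above suggests it does, but the file is not in this series).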
@@ -48,4 +47,4 @@ VOLUME ["/data"]
 EXPOSE ${PORT}
 # Define default command.
-CMD /opt/$BB_PKG_NAME/bin/start-bamboo.sh -fg
+CMD /opt/atlassian-bamboo/bin/start-bamboo.sh -fg
diff --git a/deployment/base/statefulset.yml b/deployment/base/statefulset.yml
index 2a892d5..3d322e9 100644
--- a/deployment/base/statefulset.yml
+++ b/deployment/base/statefulset.yml
@@ -22,6 +22,10 @@ spec:
 name: bamboo
 app: bamboo
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsGroup: 65534
+ runAsUser: 65534
 containers:
 - image: docker.io/saidsef/atlassian-bamboo-cicd:v2023.04
 imagePullPolicy: Always
@@ -30,24 +34,31 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: status.hostIP
+ # - name: JAVA_OPTS
+ # value: "-XX:+UseContainerSupport"
 name: bamboo
 ports:
 - protocol: TCP
 containerPort: 8085
 name: bamboo
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ ephemeral-storage: 3Gi
 livenessProbe:
 exec:
 command:
 - pgrep
 - java
- initialDelaySeconds: 3
+ initialDelaySeconds: 30
 periodSeconds: 3
 successThreshold: 1
 timeoutSeconds: 2
 readinessProbe:
 tcpSocket:
 port: bamboo
- initialDelaySeconds: 5
+ initialDelaySeconds: 30
 periodSeconds: 5
 successThreshold: 1
 timeoutSeconds: 1
@@ -56,18 +67,18 @@ spec:
 type: RuntimeDefault
 allowPrivilegeEscalation: false
 privileged: false
- runAsGroup: 65534
- runAsUser: 65534
- runAsNonRoot: true
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
 volumeMounts:
- - name: bamboo-storage
+ - name: data
 mountPath: /data
 subPath: data
+ - name: data
+ mountPath: /opt/atlassian-bamboo/logs
+ subPath: logs
 volumes:
- - name: bamboo-storage
+ - name: data
 emptyDir:
 sizeLimit: 3Gi
From fcad678a7567572580ea94d2163b19b9b6e61c8e Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Fri, 25 Aug 2023 23:39:32 +0100
Subject: [PATCH 07/10] bugfix: fixed chown for Bamboo dir and process
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 810a285..c11dd10 100644
--- a/Dockerfile
+++ b/Dockerfile
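Review bot: `memory: 1Gi` is introduced as a hard limit with no explicit heap sizing for Bamboo: as far as I recall the stock `bin/setenv.sh` defaults the JVM to `-Xmx1024m`, which on its own equals the limit, so once metaspace, thread stacks and Tomcat's NIO buffers are added the pod is OOM-killed under load instead of degrading. Confirm how `setenv.sh` in 9.2.4 sizes the heap (it is not part of this series) and either pin it below the limit through the variable or `JAVA_OPTS` it reads, or raise `memory` to leave headroom. The `ephemeral-storage: 3Gi` limit also equals the emptyDir `sizeLimit: 3Gi` that now carries both `/data` and the logs, and emptyDir usage is charged against the pod's ephemeral-storage budget, so a log burst evicts the pod rather than merely filling the volume; give the limit room above the emptyDir size, or move logs to their own volume.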
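Review bot: With `readOnlyRootFilesystem: true` the only writable paths left in the container are the two `subPath` mounts, yet the Dockerfile sets `ENV HOME /tmp` and nothing mounts `/tmp`, so anything the JVM or Bamboo's start scripts write under `$HOME` or the system temp dir now fails with EROFS; Tomcat's `CATALINA_TMPDIR` likewise defaults to `temp/` under the install directory, which is not mounted either (confirm against `bin/catalina.sh` in the 9.2.4 archive). Adding `- name: data` / `mountPath: /tmp` / `subPath: tmp` (and the same shape for `/opt/atlassian-bamboo/temp`) under `volumeMounts` keeps the read-only root while giving those writers somewhere to go. Sharing one 3Gi emptyDir between data, logs and temp is fine for a trial, but one runaway writer now starves the others — a separate emptyDir per purpose, each with its own `sizeLimit`, isolates them.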
@@ -36,7 +36,7 @@ COPY config/bamboo-init.properties /opt/atlassian-bamboo/
 # Fix dir permissions/ownership
 RUN chmod a+rwx /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties && \
- chown nobody:nobody -R /opt/atlassian-bamboo
+ chown nobody -R /opt/atlassian-bamboo
 USER nobody
From d2ff9f1a7f2444f17bb489c618f5939a51f08d16 Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Sat, 26 Aug 2023 00:06:27 +0100
Subject: [PATCH 08/10] Updated base OpenJDK to 21-slim
---
 Dockerfile | 2 +-
 deployment/base/statefulset.yml | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c11dd10..8f66653 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/openjdk:22-slim
+FROM docker.io/openjdk:21-slim
 ARG BUILD_ID=""
 ARG BAMBOO_VERSION="9.2.4"
diff --git a/deployment/base/statefulset.yml b/deployment/base/statefulset.yml
index 3d322e9..fd4528f 100644
--- a/deployment/base/statefulset.yml
+++ b/deployment/base/statefulset.yml
@@ -34,8 +34,6 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: status.hostIP
- # - name: JAVA_OPTS
- # value: "-XX:+UseContainerSupport"
 name: bamboo
 ports:
 - protocol: TCP
@@ -78,6 +76,9 @@ spec:
 - name: data
 mountPath: /opt/atlassian-bamboo/logs
 subPath: logs
+ - name: data
+ mountPath: /opt/atlassian-bamboo/work
+ subPath: work
 volumes:
 - name: data
 emptyDir:
From 026b979d58ebb821d4ad1915cfb0c8338f9d36c8 Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Sat, 26 Aug 2023 00:13:05 +0100
Subject: [PATCH 09/10] Added K8s mount point for catalina conf
---
 Dockerfile | 2 +-
 deployment/base/statefulset.yml | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 8f66653..65bd6e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/openjdk:21-slim
+FROM docker.io/openjdk:11-slim
 ARG BUILD_ID=""
 ARG BAMBOO_VERSION="9.2.4"
diff --git a/deployment/base/statefulset.yml b/deployment/base/statefulset.yml
index fd4528f..a12bda5 100644
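Review bot: Dropping the group from `chown` is presumably a workaround for the Debian `-slim` base introduced earlier in this series having no group named `nobody` (Debian's is `nogroup`), and it leaves the whole tree group-owned by `root`, which is what any later group-level `chmod` would end up granting to. `chown -R nobody:nogroup /opt/atlassian-bamboo` keeps the ownership explicit and lines the files up with the manifest's `runAsGroup: 65534`, which is `nogroup` on Debian. A one-line comment on the `chown` naming why the group changed would stop the next reader from "fixing" it back.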
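Review bot: `docker.io/openjdk:11-slim` is a tag of the Docker Hub `openjdk` image, which was formally deprecated in 2022 and, as far as I recall, has not rebuilt its 11 tags since, so this base ships a frozen Debian userland and JDK with no security fixes — and the tag is mutable, so a rebuild can silently pull something different. A maintained runtime such as `eclipse-temurin:11-jre-jammy` (or 17, which Bamboo 9.2 also supports per Atlassian's supported-platforms page — verify before switching) pinned by `@sha256:` digest addresses both, and a JRE rather than a JDK also keeps the compiler and tooling out of the runtime image. The 22→21→11 sequence across three consecutive commits suggests the newer tags (early-access builds at the time) did not run Bamboo; a comment on the `FROM` line recording the supported Java range would save the next person the same round trip.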
--- a/deployment/base/statefulset.yml
+++ b/deployment/base/statefulset.yml
@@ -79,6 +79,9 @@ spec:
 - name: data
 mountPath: /opt/atlassian-bamboo/work
 subPath: work
+ - name: data
+ mountPath: /opt/atlassian-bamboo/conf/Catalina
+ subPath: catalina
 volumes:
 - name: data
 emptyDir:
From e265e804e22009b3dedd0a00d7001d904f2c8537 Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Sat, 26 Aug 2023 00:28:55 +0100
Subject: [PATCH 10/10] Disabled Kubernetes deployment automountServiceAccountToken and enableServiceLinks This improves our security posture
---
 Dockerfile | 12 ++++++++----
 deployment/base/statefulset.yml | 6 ++++--
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 65bd6e1..f847d12 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,21 +22,25 @@ WORKDIR $BAMBOO_HOME
 # Install wget and Download Bamboo
 RUN apt-get update && \
- apt-get install -yq wget curl && \
+ apt-get upgrade -y && \
+ # wget and curl are required by Atlassian Bamboo Server
+ apt-get install -yq procps wget curl && \
+ rm -rf /var/lib/apt/lists/* && \
 echo $BB_PKG_NAME && \
 wget https://www.atlassian.com/software/bamboo/downloads/binary/$BB_PKG_NAME.tar.gz && \
 tar xvzf $BB_PKG_NAME.tar.gz && \
 rm -vf $BB_PKG_NAME.tar.gz && \
 mkdir -p /opt && \
- mv $BB_PKG_NAME /opt/atlassian-bamboo
+ mv $BB_PKG_NAME /opt/atlassian-bamboo && \
+ apt-get autoremove -y
 # COPY bamboo-init.properties config
 COPY config/bamboo-init.properties /opt/atlassian-bamboo/WEB-INF/classes/
 COPY config/bamboo-init.properties /opt/atlassian-bamboo/
 # Fix dir permissions/ownership
-RUN chmod a+rwx /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties && \
- chown nobody -R /opt/atlassian-bamboo
+RUN chown nobody -R /opt/atlassian-bamboo && \
+ chmod g+rwx /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties
 USER nobody
diff --git a/deployment/base/statefulset.yml b/deployment/base/statefulset.yml
index a12bda5..888eab1 100644
--- a/deployment/base/statefulset.yml
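Review bot: The read-only root from the earlier commit still leaves Tomcat's `temp/` directory unwritable: `bin/catalina.sh` defaults `CATALINA_TMPDIR` to `$CATALINA_BASE/temp`, and that path is not among the mounts this hunk completes (`logs`, `work`, `conf/Catalina`), so file uploads, plugin unpacking or anything else routed through `java.io.tmpdir` will fail at runtime — confirm against the 9.2.4 start scripts, which are not in this series. `- name: data` / `mountPath: /opt/atlassian-bamboo/temp` / `subPath: temp` alongside the new entry closes that gap. Note also that a `subPath` mount of an empty directory shadows whatever the distribution ships under `conf/Catalina`; I have not checked the 9.2.4 archive, so `tar tzf atlassian-bamboo-9.2.4.tar.gz | grep conf/Catalina` is worth running before relying on it being empty.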
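Review bot: `chown nobody -R /opt/atlassian-bamboo` gives the account the service runs as write access to its own jars, `bin/*.sh` and `conf/server.xml`, so any code execution inside Bamboo — a CI server that runs user-controlled build definitions and third-party plugins — can persist by rewriting the application; the following `chmod g+rwx` then grants group `root` (the group that `chown nobody` leaves in place) write and execute on a properties file, which helps nobody. With `logs/`, `work/` and `conf/Catalina` now provided by volumes in the manifest, the tree can stay root-owned and read-only to the runtime user: `RUN chmod -R a-w,a+rX /opt/atlassian-bamboo && chmod 644 /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties`, checked with `docker run --read-only` to surface any remaining write target of the start script (Tomcat's `temp/` is the likely one). The new comment says Bamboo requires `wget` and `curl`, but nothing in this file uses them after the download; `apt-get purge -y wget` once the archive is unpacked, or a multi-stage build, keeps download tooling out of the runtime image, and the trailing `apt-get autoremove -y` removes nothing here since no package has been purged.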
+++ b/deployment/base/statefulset.yml
@@ -22,6 +22,8 @@ spec:
 name: bamboo
 app: bamboo
 spec:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
 securityContext:
 runAsNonRoot: true
 runAsGroup: 65534
@@ -49,14 +51,14 @@ spec:
 command:
 - pgrep
 - java
- initialDelaySeconds: 30
+ initialDelaySeconds: 10
 periodSeconds: 3
 successThreshold: 1
 timeoutSeconds: 2
 readinessProbe:
 tcpSocket:
 port: bamboo
- initialDelaySeconds: 30
+ initialDelaySeconds: 10
 periodSeconds: 5
 successThreshold: 1
 timeoutSeconds: 1
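Review bot: Lowering `initialDelaySeconds` to 10 does not change what the probes measure: `pgrep java` passes as long as a JVM process exists, so a hung or OOM-thrashing Bamboo is never restarted, and `tcpSocket` on port 8085 passes as soon as Tomcat binds the listener, which on Atlassian products is well before the webapp finishes deploying, so the Service routes traffic to an instance that still answers errors during startup. Bamboo exposes a status resource, so `httpGet: {path: /rest/api/latest/status, port: bamboo}` for both probes (verify the path on 9.2 — it reports `RUNNING` once the application is up), with `failureThreshold` sized for Bamboo's multi-minute boot or a dedicated `startupProbe`, is the check that actually reflects service health. `successThreshold: 1` is the only value permitted on a liveness probe and can be dropped from it.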