Merge branch 'master' into fix/single-table-job-fixes

uc-cdis · Oct 22, 2024 · 73ab91a · 73ab91a
2 parents eda0c17 + 9508c8f
commit 73ab91a
Show file tree

Hide file tree

Showing 10 changed files with 90 additions and 171 deletions.
diff --git a/.github/workflows/image_build_push_squid.yaml b/.github/workflows/image_build_push_squid.yaml
@@ -1,6 +1,7 @@
 name: Build Squid images
 
 on: 
+  workflow_dispatch:
   push:
     paths:
       - .github/workflows/image_build_push_squid.yaml

diff --git a/files/scripts/ci-env-pool-reset.sh b/files/scripts/ci-env-pool-reset.sh
@@ -35,7 +35,6 @@ jenkins-niaid
 EOF
 
 cat - > jenkins-envs-releases.txt <<EOF
-jenkins-new
 jenkins-new-1
 jenkins-new-2
 jenkins-new-3

diff --git a/files/squid_whitelist/web_whitelist b/files/squid_whitelist/web_whitelist
@@ -124,6 +124,7 @@ neuro.debian.net
 neurodeb.pirsquared.org
 nginx.org
 nvidia.github.io
+ohsu-comp-bio.github.io
 opportunityinsights.org
 orcid.org
 pgp.mit.edu

diff --git a/files/squid_whitelist/web_wildcard_whitelist b/files/squid_whitelist/web_wildcard_whitelist
@@ -59,6 +59,7 @@
 .immport.org
 .jenkins.io
 .jenkins-ci.org
+.jetstack.io
 .k8s.io
 .kegg.jp
 .kidsfirstdrc.org

diff --git a/gen3/bin/kube-setup-ingress.sh b/gen3/bin/kube-setup-ingress.sh
@@ -15,23 +15,6 @@ ctxNamespace="$(g3kubectl config view -ojson | jq -r ".contexts | map(select(.na
 scriptDir="${GEN3_HOME}/kube/services/ingress"
 
 gen3_ingress_setup_waf() {
-    gen3_log_info "Starting GPE-312 waf setup"
-    #variable to see if WAF already exists
-    export waf=`aws wafv2 list-web-acls --scope REGIONAL | jq -r '.WebACLs[]|select(.Name| contains(env.vpc_name)).Name'`
-if [[ -z $waf ]]; then
-    gen3_log_info "Creating Web ACL. This may take a few minutes."
-    aws wafv2 create-web-acl\
-        --name $vpc_name-waf \
-        --scope REGIONAL \
-        --default-action Allow={} \
-        --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=GPE-312WebAclMetrics \
-        --rules file://${GEN3_HOME}/gen3/bin/waf-rules-GPE-312.json \
-        --region us-east-1
-    #Need to sleep to avoid "WAFUnavailableEntityException" error since the waf takes a bit to spin up
-    sleep 300
-else
-    gen3_log_info "WAF already exists. Skipping..."
-fi
     gen3_log_info "Attaching ACL to ALB."
     export acl_arn=`aws wafv2 list-web-acls --scope REGIONAL | jq -r '.WebACLs[]|select(.Name| contains(env.vpc_name)).ARN'`
     export alb_name=`kubectl get ingress gen3-ingress | awk '{print $4}' | tail +2 |  sed 's/^\([A-Za-z0-9]*-[A-Za-z0-9]*-[A-Za-z0-9]*\).*/\1/;q'`

diff --git a/gen3/bin/waf-rules-GPE-312.json b/gen3/bin/waf-rules-GPE-312.json
diff --git a/kube/services/node-affinity-daemonset/README.md b/kube/services/node-affinity-daemonset/README.md
@@ -0,0 +1,5 @@
+# Prerequisites
+
+This service needs certmanager to work. Please install certmanager before deploying this service. Once certmanager is installed, you can deploy this service by applying the manifests in this directory.
+
+Code lives in https://github.com/uc-cdis/node-affinity-webhook/
diff --git a/kube/services/node-affinity-daemonset/deployment.yaml b/kube/services/node-affinity-daemonset/deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: node-affinity-daemonset
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: node-affinity-daemonset
+  template:
+    metadata:
+      labels:
+        app: node-affinity-daemonset
+    spec:
+      containers:
+        - name: node-affinity-daemonset
+          image: quay.io/cdis/node-affinity-daemonset:master
+          ports:
+            - containerPort: 8443
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: webhook-certs #pragma: allowlist secret
diff --git a/kube/services/node-affinity-daemonset/service.yaml b/kube/services/node-affinity-daemonset/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: node-affinity-daemonset
+  namespace: kube-system
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+  selector:
+    app: node-affinity-daemonset
diff --git a/kube/services/node-affinity-daemonset/webhook.yaml b/kube/services/node-affinity-daemonset/webhook.yaml
@@ -0,0 +1,43 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: node-affinity-daemonset
+  cert-manager.io/inject-ca-from: kube-system/node-affinity-daemonset-cert
+webhooks:
+  - name: node-affinity-daemonset.k8s.io
+    clientConfig:
+      service:
+        name: node-affinity-daemonset
+        namespace: kube-system
+        path: "/mutate"
+    rules:
+      - operations: ["CREATE"]
+        apiGroups: ["apps"]
+        apiVersions: ["v1"]
+        resources: ["daemonsets"]
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: node-affinity-daemonset-cert
+  namespace: kube-system
+spec:
+  secretName: webhook-certs #pragma: allowlist secret
+  dnsNames:
+  - node-affinity-daemonset.kube-system.svc
+  issuerRef:
+    name: selfsigned
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+  namespace: kube-system
+spec:
+  selfSigned: {}