release/v0.5.6

kubernetes-manifests/accounts-db.yaml

@@ -36,7 +36,7 @@ spec:
  serviceAccountName: default
  containers:
  - name: accounts-db
- image: gcr.io/bank-of-anthos-ci/accounts-db:v0.5.5
+ image: gcr.io/bank-of-anthos-ci/accounts-db:v0.5.6
  envFrom:
  - configMapRef:
  name: environment-config

kubernetes-manifests/balance-reader.yaml

@@ -28,16 +28,30 @@ spec:
  spec:
  serviceAccountName: default
  terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
  containers:
  - name: balancereader
- image: gcr.io/bank-of-anthos-ci/balancereader:v0.5.5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/bank-of-anthos-ci/balancereader:v0.5.6
  volumeMounts:
  - name: publickey
- mountPath: "/root/.ssh"
+ mountPath: "/tmp/.ssh"
  readOnly: true
+ - mountPath: /tmp
+ name: tmp
  env:
  - name: VERSION
- value: "v0.5.5"
+ value: "v0.5.6"
  - name: PORT
  value: "8080"
  # toggle Cloud Trace export
@@ -100,6 +114,8 @@ spec:
  items:
  - key: jwtRS256.key.pub
  path: publickey
+ - emptyDir: {}
+ name: tmp
 # [END gke_boa_kubernetes_manifests_balance_reader_deployment_balancereader]
 ---
 # [START gke_boa_kubernetes_manifests_balance_reader_service_balancereader]

kubernetes-manifests/config.yaml

@@ -19,7 +19,7 @@ metadata:
  name: environment-config
 data:
  LOCAL_ROUTING_NUM: "883745000"
- PUB_KEY_PATH: "/root/.ssh/publickey"
+ PUB_KEY_PATH: "/tmp/.ssh/publickey"
 # [END gke_boa_kubernetes_manifests_config_configmap_environment_config]
 ---
 # [START gke_boa_kubernetes_manifests_config_configmap_service_api_config]

kubernetes-manifests/contacts.yaml

@@ -28,16 +28,30 @@ spec:
  spec:
  serviceAccountName: default
  terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
  containers:
  - name: contacts
- image: gcr.io/bank-of-anthos-ci/contacts:v0.5.5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/bank-of-anthos-ci/contacts:v0.5.6
  volumeMounts:
  - name: publickey
- mountPath: "/root/.ssh"
+ mountPath: "/tmp/.ssh"
  readOnly: true
+ - mountPath: /tmp
+ name: tmp
  env:
  - name: VERSION
- value: "v0.5.5"
+ value: "v0.5.6"
  - name: PORT
  value: "8080"
  - name: ENABLE_TRACING
@@ -72,6 +86,8 @@ spec:
  items:
  - key: jwtRS256.key.pub
  path: publickey
+ - emptyDir: {}
+ name: tmp
 # [END gke_boa_kubernetes_manifests_contacts_deployment_contacts]
 ---
 # [START gke_boa_kubernetes_manifests_contacts_service_contacts]

kubernetes-manifests/frontend.yaml

@@ -28,16 +28,30 @@ spec:
  spec:
  serviceAccountName: default
  terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
  containers:
  - name: front
- image: gcr.io/bank-of-anthos-ci/frontend:v0.5.5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/bank-of-anthos-ci/frontend:v0.5.6
  volumeMounts:
  - name: publickey
- mountPath: "/root/.ssh"
+ mountPath: "/tmp/.ssh"
  readOnly: true
+ - mountPath: /tmp
+ name: tmp
  env:
  - name: VERSION
- value: "v0.5.5"
+ value: "v0.5.6"
  - name: PORT
  value: "8080"
  - name: ENABLE_TRACING
@@ -66,6 +80,18 @@ spec:
  configMapKeyRef:
  name: demo-data-config
  key: DEMO_LOGIN_PASSWORD
+ - name: REGISTERED_OAUTH_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ name: oauth-config
+ key: DEMO_OAUTH_CLIENT_ID
+ optional: true
+ - name: ALLOWED_OAUTH_REDIRECT_URI
+ valueFrom:
+ configMapKeyRef:
+ name: oauth-config
+ key: DEMO_OAUTH_REDIRECT_URI
+ optional: true
  # Customize the metadata server hostname to query for metadata
  #- name: METADATA_SERVER
  # value: "my-metadata-server"
@@ -105,6 +131,8 @@ spec:
  items:
  - key: jwtRS256.key.pub
  path: publickey
+ - emptyDir: {}
+ name: tmp
 # [END gke_boa_kubernetes_manifests_frontend_deployment_frontend]
 ---
 # [START gke_boa_kubernetes_manifests_frontend_service_frontend]

kubernetes-manifests/ledger-db.yaml

@@ -31,7 +31,7 @@ spec:
  serviceAccountName: default
  containers:
  - name: postgres
- image: gcr.io/bank-of-anthos-ci/ledger-db:v0.5.5
+ image: gcr.io/bank-of-anthos-ci/ledger-db:v0.5.6
  ports:
  - containerPort: 5432
  envFrom:

kubernetes-manifests/ledger-writer.yaml

@@ -28,16 +28,30 @@ spec:
  spec:
  serviceAccountName: default
  terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
  containers:
  - name: ledgerwriter
- image: gcr.io/bank-of-anthos-ci/ledgerwriter:v0.5.5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/bank-of-anthos-ci/ledgerwriter:v0.5.6
  volumeMounts:
  - name: publickey
- mountPath: "/root/.ssh"
+ mountPath: "/tmp/.ssh"
  readOnly: true
+ - mountPath: /tmp
+ name: tmp
  env:
  - name: VERSION
- value: "v0.5.5"
+ value: "v0.5.6"
  - name: PORT
  value: "8080"
  - name: ENABLE_TRACING
@@ -89,6 +103,8 @@ spec:
  items:
  - key: jwtRS256.key.pub
  path: publickey
+ - emptyDir: {}
+ name: tmp
 # [END gke_boa_kubernetes_manifests_ledger_writer_deployment_ledgerwriter]
 ---
 # [START gke_boa_kubernetes_manifests_ledger_writer_service_ledgerwriter]

kubernetes-manifests/loadgenerator.yaml

@@ -32,9 +32,21 @@ spec:
  serviceAccountName: default
  terminationGracePeriodSeconds: 5
  restartPolicy: Always
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
  containers:
  - name: loadgenerator
- image: gcr.io/bank-of-anthos-ci/loadgenerator:v0.5.5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/bank-of-anthos-ci/loadgenerator:v0.5.6
  env:
  - name: FRONTEND_ADDR
  value: "frontend:80"

kubernetes-manifests/transaction-history.yaml

@@ -28,16 +28,30 @@ spec:
  spec:
  serviceAccountName: default
  terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
  containers:
  - name: transactionhistory
- image: gcr.io/bank-of-anthos-ci/transactionhistory:v0.5.5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/bank-of-anthos-ci/transactionhistory:v0.5.6
  volumeMounts:
  - name: publickey
- mountPath: "/root/.ssh"
+ mountPath: "/tmp/.ssh"
  readOnly: true
+ - mountPath: /tmp
+ name: tmp
  env:
  - name: VERSION
- value: "v0.5.5"
+ value: "v0.5.6"
  - name: PORT
  value: "8080"
  - name: ENABLE_TRACING
@@ -105,6 +119,8 @@ spec:
  items:
  - key: jwtRS256.key.pub
  path: publickey
+ - emptyDir: {}
+ name: tmp
 # [END gke_boa_kubernetes_manifests_transaction_history_deployment_transactionhistory]
 ---
 # [START gke_boa_kubernetes_manifests_transaction_history_service_transactionhistory]

kubernetes-manifests/userservice.yaml

@@ -28,27 +28,41 @@ spec:
  spec:
  serviceAccountName: default
  terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
  containers:
  - name: userservice
- image: gcr.io/bank-of-anthos-ci/userservice:v0.5.5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/bank-of-anthos-ci/userservice:v0.5.6
  volumeMounts:
  - name: keys
- mountPath: "/root/.ssh"
+ mountPath: "/tmp/.ssh"
  readOnly: true
+ - mountPath: /tmp
+ name: tmp
  ports:
  - name: http-server
  containerPort: 8080
  env:
  - name: VERSION
- value: "v0.5.5"
+ value: "v0.5.6"
  - name: PORT
  value: "8080"
  - name: ENABLE_TRACING
  value: "true"
  - name: TOKEN_EXPIRY_SECONDS
  value: "3600"
  - name: PRIV_KEY_PATH
- value: "/root/.ssh/privatekey"
+ value: "/tmp/.ssh/privatekey"
  # Valid levels are debug, info, warning, error, critical. If no valid level is set, gunicorn will default to info.
  - name: LOG_LEVEL
  value: "info"
@@ -80,6 +94,8 @@ spec:
  path: privatekey
  - key: jwtRS256.key.pub
  path: publickey
+ - emptyDir: {}
+ name: tmp
 # [END gke_boa_kubernetes_manifests_userservice_deployment_userservice]
 ---
 # [START gke_boa_kubernetes_manifests_userservice_service_userservice]