cds-snc / notification-planning-core

Project planning for GC Notify Core Team

Get latest geo ip data for identifying GCAdmin users #272

Open jimleroyer opened 5 months ago

jimleroyer commented 5 months ago

Description

As a GCNotify operator, I want the latest IP/Geolocation database to be used to identify GCAdmin users, so that I can optimize security tracking and monitoring.

WHY are we building?

Why do we need this?

WHAT are we building?

Resurrect the ipv4-geolocate-webservice repository

VALUE created by our solution

Close to the business, what's the value?

Acceptance Criteria

QA Steps

jimleroyer commented 5 months ago

PR over here to resurrect the repository and change current ECR auth to OIDC: https://github.com/cds-snc/ipv4-geolocate-webservice/pull/6

ben851 commented 5 months ago

Image is building and deploying to staging - next steps are to add renovate and verify the deployment restart job in k8s.

jimleroyer commented 5 months ago

Integrated renovate and upgraded to the latest lib dependencies, which required a code migration for the hyper web server: https://github.com/cds-snc/ipv4-geolocate-webservice/pull/14

jimleroyer commented 5 months ago

A few PRs to review and merge in that exact order (and which might be wrong; requires proper review), with the end goal of getting rid of the k8s cron job that rolls out the ipv4 deployment with a pull model, in favor of a push model, i.e. roll out the ipv4 deployment once a new image has been pushed to the public cds-snc AWS elastic container registry (ECR):

jimleroyer commented 5 months ago

There is also this PR to bump some dependencies I thought I upgraded to latest but, as it turned out, I didn't: https://github.com/cds-snc/ipv4-geolocate-webservice/pull/17

jimleroyer commented 5 months ago

Jimmy to merge 2 remaining PRs today and test the release.

jimleroyer commented 5 months ago

The PR to add permissions to all Kubernetes environments was merged yesterday by Steve during the release process. (thank you!)

jimleroyer commented 5 months ago

Tested the deployment from the github actions and that works. We could have this tested by someone else for QA process.

In the meantime, I removed the cron job that automated the kubernetes rollout for ipv4-geolocate-service as the github actions can do that work on a push model (kubectl rollout restart..) rather than a pull one (via cronjobs): https://github.com/cds-snc/notification-manifests/pull/2305

jimleroyer commented 5 months ago

Ben reviewed the PR and approved. We need to manually delete the resources and we'll do it tomorrow during the core group work session.

jimleroyer commented 5 months ago

Moved this to QA as we deleted the k8s resources around service account, roles and cronjob.

Steps to QA:

1- Go to the renovate dependency dashboard and click one of the issues that will trigger the creation of a renovate maintenance PR. The rust Docker image SHA ID would be a good candidate to select as this would be a minimal change.

2- Merge the PR that was created by renovate.

3- Monitor both the github actions to be successful and the kubernetes events of the deployment rollout in all environments (dev, staging and prod).

4- Compare the SHA ID of the built docker image that was pushed to AWS ECR with the reported one in Kubernetes.

sastels commented 5 months ago

Ben will QA.

ben851 commented 5 months ago

Verified that the image is pushed to public ECR: https://gallery.ecr.aws/cds-snc/notify-ipv4-geolocate-webservice

Verified that k8s is using "latest" tag with image pull policy "Always". Each restart will pull latest.
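Added example, not part of the original thread or the project's code: because the deployment runs the mutable "latest" tag, QA step 4 can only be checked by digest, so this sketch compares the pushed digest with the imageID values pods report. The function names, the `registry.example` host and the digests are constructed placeholders.

```shell
#!/bin/sh
# Feed check_rollout one imageID per line, e.g. from (namespace is a placeholder):
#   kubectl get pods -n <namespace> \
#     -o jsonpath='{range .items[*].status.containerStatuses[*]}{.imageID}{"\n"}{end}'

# Print the bare "sha256:<64 hex>" suffix of an image reference, or nothing.
digest_of() {
    printf '%s\n' "$1" | sed -n 's/^.*\(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# check_rollout EXPECTED_DIGEST   (imageIDs on stdin)
# returns 0 = every pod runs the expected digest
#         1 = at least one pod runs another digest (stale or mid-rollout)
#         2 = nothing could be verified (bad input or no pods)
check_rollout() {
    expected=$(digest_of "$1")
    [ -n "$expected" ] || return 2
    seen=0
    stale=0
    while IFS= read -r image_id || [ -n "$image_id" ]; do
        actual=$(digest_of "$image_id")
        # Skip blank lines and pods that have not resolved a digest yet.
        [ -n "$actual" ] || continue
        seen=$((seen + 1))
        if [ "$actual" != "$expected" ]; then
            stale=$((stale + 1))
            echo "MISMATCH: $image_id" >&2
        fi
    done
    [ "$seen" -gt 0 ] || return 2
    [ "$stale" -eq 0 ]
}

# Constructed sample values (not real digests from the project).
PUSHED="sha256:$(printf '%064d' 1)"
STALE="sha256:$(printf '%064d' 2)"

# Demo: one pod already restarted, one still on the previous image.
if printf '%s\n' "registry.example/app@$PUSHED" \
                 "docker-pullable://registry.example/app@$STALE" |
        check_rollout "$PUSHED"; then
    echo "rollout verified"
else
    echo "rollout not verified (rc=$?)"
fi
```

A return code of 2 is kept distinct from a mismatch so that an empty pod list is never reported as a successful rollout.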