Tracking pull request to merge release-1.22.0 to main (#608)

* initial update for 1.22.0

* upda pr number

* feat: itvr-595 - expiry email wording (#610)

* feat: itvr-594 - rebate expiry date offset (#611)

* feat: itvr-596 - expiry warning emails (#609)

* switch to crunchy

* switch to crunchy

* switch to crunchy

* update for crunchy on test

* update readme

* rename the readmed file for workflow

* udpate for autoscalling

* add manul trigger for dev build

* upgrade node and nginx to latest

* upgrade python base image to python-311:1-41

* update node packages for the specified CVE

* add sudo for yum command

* use ubi8/python-311

* custom build backend base image

* run yum under toot

* use new backend base image for tasqkq

* upgrade libnghttp2

* upgrade libnghttp2

* Register subscription for backend base image

* Register subscription for backend base image

* mount the etc-pki-entitlement

* mount the etc-pki-entitlement

* try ubi8

* dnf upgrade

* dnf upgrade

* use ubi9

* update to ubi9

* rm /etc/rhsm-host

* Docker builds using Subscription Manager

* try ubi9 only

* update frontend base image to use 20-slim

* update to 1.2_base

* update to 1.2_base

* add zap-scan.yaml

* update workflow name

* add zap scan

* add baseline scan

* update zap step name

---------

Co-authored-by: tim738745 <[email protected]>

.github/workflows/dev-cicd.yaml

@@ -1,13 +1,19 @@
 ## For each release, the value of workflow name, branches and PR_NUMBER need to be adjusted accordingly
 
-name: ITVR Dev release-1.21.0
+name: ITVR Dev release-1.22.0
 
 on:
   pull_request:
     types: [opened,edited,synchronize]
     paths:
       - frontend/**
       - backend/**    
+  workflow_dispatch:
+    inputs:
+      pull_request:
+        description: 'Tracking pull request number'
+        required: true
+        default: 608
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -58,3 +64,20 @@ jobs:
       openshift-server: ${{ secrets.OPENSHIFT_SERVER }}
       openshift-token: ${{ secrets.OPENSHIFT_TOKEN }}
 
+  zap-frontend-baseline-scan:
+    runs-on: ubuntu-latest
+    needs: deploy-on-dev
+    steps:
+      - name: Frontend Baseline Scan
+        uses: zaproxy/[email protected]
+        with:
+          target: 'https://itvr-dev.apps.silver.devops.gov.bc.ca'
+
+  zap-backend-baseline-scan:
+    runs-on: ubuntu-latest
+    needs: deploy-on-dev
+    steps:
+      - name: Backend Baseline Scan
+        uses: zaproxy/[email protected]
+        with:
+          target: 'https://itvr-backend-dev.apps.silver.devops.gov.bc.ca'

.github/workflows/release-build.yaml

@@ -1,16 +1,16 @@
-name: ITVR release-1.21.0
+name: ITVR release-1.22.0
 
 on:
   workflow_dispatch:
     inputs:
       pull_request:
         description: 'Tracking pull request number'
         required: true
-        default: 590
+        default: 608
       release_branch:
         description: 'The name of the release branch'
         required: true
-        default: release-1.21.0 
+        default: release-1.22.0 
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -40,7 +40,7 @@ jobs:
         uses: trstringer/[email protected]
         with:
           secret: ${{ github.TOKEN }}
-          approvers: AlexZorkin,emi-hi,tim738745,kuanfandevops,jig-patel,prv-proton,JulianForeman
+          approvers: emi-hi,tim738745,kuanfandevops,JulianForeman
           minimum-approvals: 1
           issue-title: "ITVR ${{ github.event.inputs.release_branch }} Test Deployment"
 
@@ -71,7 +71,7 @@ jobs:
         uses: trstringer/[email protected]
         with:
           secret: ${{ github.TOKEN }}
-          approvers: AlexZorkin,emi-hi,tim738745,kuanfandevops,jig-patel,prv-proton,JulianForeman
+          approvers: emi-hi,tim738745,kuanfandevops,JulianForeman
           minimum-approvals: 2
           issue-title: "ITVR ${{ github.event.inputs.release_branch }} Prod Deployment"
 

.github/workflows/zap-baseline-scan.yaml

@@ -0,0 +1,23 @@
+name: ZAP Baseline Scan
+on:
+  workflow_dispatch:
+    inputs:
+      envname:
+        description: 'dev or test'
+        required: true
+        default: dev
+jobs:
+
+  zap-baseline-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: ZAP Baseline Scan on Frontend
+        uses: zaproxy/[email protected]
+        with:
+          target: "https://itvr-${{ github.event.inputs.envname }}.apps.silver.devops.gov.bc.ca"
+          issue_title: "ZAP ${{ github.event.inputs.envname }} Frontend Baseline Scan Report"
+      - name: ZAP Baseline Scan on Backend
+        uses: zaproxy/[email protected]
+        with:
+          target: 'https://itvr-backend-${{ github.event.inputs.envname }}.apps.silver.devops.gov.bc.ca'
+          issue_title: "ZAP ${{ github.event.inputs.envname }} Backend Baseline Scan Report"

.github/workflows/zap-full-scan.yaml

@@ -0,0 +1,32 @@
+name: ZAP Full Scan
+on:
+  workflow_dispatch:
+jobs:
+
+  approval-zap-full-scan:
+    name: Approve the ZAP Full Scan on Test URLS
+    runs-on: ubuntu-latest
+    timeout-minutes: 60 
+    steps:
+      - name: Ask for approval for ITVR Prod deployment
+        uses: trstringer/[email protected]
+        with:
+          secret: ${{ github.TOKEN }}
+          approvers: emi-hi,tim738745,kuanfandevops,JulianForeman
+          minimum-approvals: 1
+          issue-title: "Please communicate with Platform Team for Zap Full Scan for the ITVR Test URLs and approve this request"
+
+  zap-full-scan:
+    runs-on: ubuntu-latest
+    needs: approval-zap-full-scan
+    steps:
+      - name: ZAP Full Scan on Frontend
+        uses: zaproxy/[email protected]
+        with:
+          target: 'https://itvr-test.apps.silver.devops.gov.bc.ca'
+          issue_title: ZAP Test Frontend Baseline Scan Report
+      - name: ZAP Full Scan on Backend
+        uses: zaproxy/[email protected]
+        with:
+          target: 'https://itvr-backend-test.apps.silver.devops.gov.bc.ca'
+          issue_title: ZAP Test Backend Baseline Scan Report

README.md

@@ -1,8 +1,23 @@
 [![SonarCloud](https://sonarcloud.io/images/project_badges/sonarcloud-white.svg)](https://sonarcloud.io/summary/new_code?id=bcgov_itvr)
 
-# itvr
+# ITVR
 [![Lifecycle:Stable](https://img.shields.io/badge/Lifecycle-Stable-97ca00)](https://goelectricbc.gov.bc.ca/)
 
+## Project description 
+
+The Clean Transportation Branch within the Ministry of Energy, Mines and Low Carbon Innovation instructed the build of the ITVR application. The instruction was to build an online portal to allow the public to apply for pre-approval, based on their income level, to receive a provincial rebate on the purchase of a new zero-emission vehicle. The application was launched to the public in August 2022. 
+
+The provincial program providing rebates has been running for several years and was open to anyone regardless of income. Changes to means-test the program created the need for a pre-approval process where applicants identities are verified, and their incomes checked with Canada Revenue Agency (CRA). 
+
+The program is managed by a government appointed delivery agent, the New Car Dealers Association (NCDA). They are responsible for working with car dealerships to provide the actual vehicle rebates to the public.  
+
+The ITVR application consists of these main elements: 
+* Online public application form, accessed using BCeID or Services Card app 
+* Internal console for government to search, review and process applications 
+* Ability to send/receive applicant data with CRA to check incomes (using FTP) 
+* Ability to send/receive income approved applicant data with NCDA (using API) 
+* Automated email functionality to provide applicants with information on their application 
+
 ## System
 
 ITVR system statuses and workflow can be [found documented in the flowchart](https://preview.uxpin.com/7f6104a26108508bb185e1b602677a5f91f49724#/pages/148655810/simulate/no-panels?mode=mf)

chart/itvr-apps/charts/itvr-backend/Chart.yaml

@@ -15,7 +15,8 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+# 1.0.1 update for autoscalling
+version: 1.0.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

chart/itvr-apps/charts/itvr-backend/templates/deploymentconfig.yaml

@@ -81,16 +81,20 @@ spec:
             - name: DB_ENGINE
               value: django.db.backends.postgresql
             - name: DB_HOST
-              {{ if eq .Values.suffix "-test" }}
-              value: itvr-spilo
+              {{ if eq .Values.suffix "-dev" }}
+              value: itvr-crunchy-dev-pgbouncer
+              {{ else if eq .Values.suffix "-test" }}
+              value: itvr-crunchy-test-pgbouncer
               {{ else if eq .Values.suffix "-prod" }}
               value: itvr-spilo
               {{ else }}
               value: itvr-spilo{{ .Values.suffix }}
               {{ end }}
             - name: DB_HOST_READONLY
-              {{ if eq .Values.suffix "-test" }}
-              value: itvr-spilo-readonly
+              {{ if eq .Values.suffix "-dev" }}
+              value: itvr-crunchy-dev-replicas
+              {{ else if eq .Values.suffix "-test" }}
+              value: itvr-crunchy-test-replicas
               {{ else if eq .Values.suffix "-prod" }}
               value: itvr-spilo-readonly
               {{ else }}

chart/itvr-apps/charts/itvr-backend/templates/hpa.yaml

@@ -1,13 +1,13 @@
 {{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "itvr-backend.fullname" . }}
   labels:
     {{- include "itvr-backend.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
-    apiVersion: apps.openshift.io/v1
+    apiVersion: apps/v1
     kind: DeploymentConfig
     name: {{ include "itvr-backend.fullname" . }}
   minReplicas: {{ .Values.autoscaling.minReplicas }}

chart/itvr-apps/charts/itvr-frontend/Chart.yaml

@@ -15,7 +15,8 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+# 1.0.1 update for autoscalling
+version: 1.0.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

chart/itvr-apps/charts/itvr-frontend/templates/hpa.yaml

@@ -1,13 +1,13 @@
 {{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "itvr-frontend.fullname" . }}
   labels:
     {{- include "itvr-frontend.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
-    apiVersion: apps.openshift.io/v1
+    apiVersion: apps/v1
     kind: DeploymentConfig
     name: {{ include "itvr-frontend.fullname" . }}
   minReplicas: {{ .Values.autoscaling.minReplicas }}

chart/itvr-apps/charts/itvr-task-queue/templates/deploymentconfig.yaml

@@ -44,16 +44,20 @@ spec:
             - name: DB_ENGINE
               value: django.db.backends.postgresql
             - name: DB_HOST
-              {{ if eq .Values.suffix "-test" }}
-              value: itvr-spilo
+              {{ if eq .Values.suffix "-dev" }}
+              value: itvr-crunchy-dev-pgbouncer
+              {{ else if eq .Values.suffix "-test" }}
+              value: itvr-crunchy-test-pgbouncer
               {{ else if eq .Values.suffix "-prod" }}
               value: itvr-spilo
               {{ else }}
               value: itvr-spilo{{ .Values.suffix }}
               {{ end }}
             - name: DB_HOST_READONLY
-              {{ if eq .Values.suffix "-test" }}
-              value: itvr-spilo-readonly
+              {{ if eq .Values.suffix "-dev" }}
+              value: itvr-crunchy-dev-replicas
+              {{ else if eq .Values.suffix "-test" }}
+              value: itvr-crunchy-test-replicas
               {{ else if eq .Values.suffix "-prod" }}
               value: itvr-spilo-readonly
               {{ else }}

django/api/apps.py

@@ -15,12 +15,14 @@ def ready(self):
             schedule_send_rebates_to_ncda,
             schedule_get_ncda_redeemed_rebates,
             schedule_expire_expired_applications,
+            schedule_send_expiry_emails,
         )
 
         if settings.RUN_JOBS and "qcluster" in sys.argv:
             schedule_send_rebates_to_ncda()
             schedule_get_ncda_redeemed_rebates()
             schedule_expire_expired_applications()
+            schedule_send_expiry_emails()
 
 
 class ITVRAdminConfig(AdminConfig):

django/api/scheduled_jobs.py

@@ -37,10 +37,25 @@ def schedule_expire_expired_applications():
         schedule(
             "api.tasks.expire_expired_applications",
             50,
+            15,
             name="expire_expired_applications",
             schedule_type="C",
             cron="45 * * * *",
             q_options={"timeout": 1200, "ack_failure": True},
         )
     except IntegrityError:
         pass
+
+
+def schedule_send_expiry_emails():
+    try:
+        schedule(
+            "api.tasks.send_expiry_emails",
+            14,
+            name="send_expiry_emails",
+            schedule_type="C",
+            cron="00 15 * * *",
+            q_options={"timeout": 1200, "ack_failure": True},
+        )
+    except IntegrityError:
+        pass