OpenCRVS Farajaland Configuration - v1.4.0
Released by github-actions on 20 Feb 19:47
An example OpenCRVS country configuration. To be used in conjunction with opencrvs-core release v1.4.0
Read the release notes!
Read the v1.3.* to v1.4.* migration notes!
What's Changed
- Added examples for configuring HTTP-01, DNS-01, and manual HTTPS certificates. By default, development and QA environments use HTTP-01, while others use DNS-01.
- All secrets & variables defined in Github Secrets are now passed automatically to the deployment script.
- The VPN_HOST_ADDRESS variable is now required for staging and production installations to ensure deployments are not publicly accessible.
- Replica limits have been removed; any number can now be deployed.
- Each environment now has a dedicated docker-compose--deploy.yml. Use `environment:init` to create a new environment and generate a corresponding file for customizable configurations.
- 🔒 OpenHIM console is no longer exposed via HTTP.
- Ansible playbooks are refactored into smaller task files.
New features
- We now recommend creating a new Ubuntu user `provision` with passwordless sudo rights for all automated operations on the server, instead of using the root user. New users for different operations will be created in future releases.
- All human users on all servers now have their own Linux users with mandatory 2-factor authentication.
- OpenCRVS Farajaland now has an interactive script `environment:init` for creating new Github environments and defining secrets. This script should also be run for existing environments to ensure all variables and secrets are defined, which is especially important when pulling the latest changes from the Farajaland repository into your own country resource package.
- The environment creator script also manages the known hosts file automatically.
- 🚰 New pipeline for automatic provisioning of Ubuntu servers (all environments).
- 🚰 New pipeline for resetting data from an environment (non-production environments).
- 🚰 New pipeline for resetting SSH 2FA for all environments.
- 🚰 Development deploy pipeline now includes a "debug" option for SSHing into the action runner (non-production environments).
- A new "staging" environment has been introduced, acting as a production environment clone that resets its data nightly to match the production environment.
- The deployment script can now verify if there are undefined environment variables referred to in your compose files. All secrets and variables defined in Github Environments are automatically passed down to the deployment script.
- 🔒 Backup archives are now secured with a passphrase.
- HTTPS setup now offers three options: HTTP challenge, DNS challenge, and using a pre-issued certificate file.
- There's now a general-purpose POST /email endpoint, available only from the internal network. Elastalert2 is configured to use this endpoint instead of directly using SMTP details or the Sendgrid API key.
- 🔒 QA environment now hosts a Wireguard server and admin panel (wg-easy). After deploying, you can access the admin panel at vpn..
- Allow configuring additional SSH parameters globally using the `SSH_ARGS` Github variable.
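The undefined-variable check described above, as an added example that is not Farajaland's own deploy script: it collects every `${VAR}` reference in a compose file and reports the ones that are not set in the current environment. It assumes references look like `${NAME}`, `${NAME:-default}` or `$NAME`, treats the compose `$$` escape as a literal dollar sign, and uses a constructed compose fragment as sample input.

```shell
#!/bin/sh
# Added example, not the Farajaland deploy script: find ${VAR} references in a
# compose file and report those that are not set in the current environment.
# Assumptions: references look like ${NAME}, ${NAME:-default} or $NAME, and a
# doubled "$$" is the compose escape for a literal dollar sign (so it is ignored).

# List the distinct variable names referenced in a compose file, one per line.
compose_vars() {
  # $1: path to the compose file
  sed 's/\$\$//g' "$1" \
    | grep -oE '\$[{]?[A-Za-z_][A-Za-z0-9_]*' \
    | sed -E 's/^\$[{]?//' \
    | sort -u
}

# Print every referenced variable that is unset in this shell's environment.
# Exit status 1 if at least one is missing, 0 if all are defined.
# References with an inline default (${NAME:-x}) are reported too, because a
# default can silently mask a secret that was never configured.
undefined_compose_vars() {
  file="$1"
  missing=0
  for name in $(compose_vars "$file"); do
    # $name only ever contains [A-Za-z0-9_] (guaranteed by the grep above),
    # so the eval below is a safe way to ask "is $name set?" in plain sh.
    set_flag=
    eval "set_flag=\${$name+x}"
    if [ -z "$set_flag" ]; then
      echo "$name"
      missing=1
    fi
  done
  return $missing
}

# Write a small constructed compose fragment to $1 (sample input for the check;
# the image name and variables are placeholders, not Farajaland's).
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  app:
    image: example/app:${VERSION}
    environment:
      - HOSTNAME=${DOMAIN}
      - PORT=${APP_PORT:-7070}
      - DOCKER_TOKEN=$DOCKER_TOKEN
      - LITERAL=$$NOT_A_VAR
EOF
}

# Usage: pass a compose file as the first argument to check it before deploying.
if [ "$#" -gt 0 ]; then
  if undefined_compose_vars "$1"; then
    echo "all variables referenced in $1 are defined"
  else
    echo "the variables above are referenced in $1 but not defined" >&2
  fi
fi
```

Running the check against the real compose files in the same shell that performs the deployment (so that the Github Secrets and variables exported into it are visible) reproduces what the deployment script does: a non-zero exit stops the deploy before a container starts with an empty value.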
Breaking changes
- Known hosts are now defined in the `infrastructure/known-hosts` file. You can clear the file and use `bash infrastructure/environments/update-known-hosts.sh <domain>` to add your own domains.
- Ansible inventory files are now in .yml format. Please convert your old `production.ini` and similar files to this new format.
- The `authorized_keys` file has been removed, and keys should now be defined in the inventory yaml files.
- The `DOCKER_PASSWORD` secret has been replaced with `DOCKER_TOKEN`.
Note
In the next OpenCRVS release v1.5.0, there will be two significant changes:
- The `infrastructure` directory and related pipelines will be moved to a new repository.
- Both the new infrastructure repository and the OpenCRVS country resource package repositories will start following their own release cycles, mostly independent from the core's release cycle. From this release forward, both packages are released as "OpenCRVS minor compatible" releases, meaning that OpenCRVS countryconfig 1.3.0- is compatible with OpenCRVS 1.3.0, 1.3.1, 1.3.2, etc. This allows new hotfix versions of the core to be released without publishing a new version of the infrastructure or countryconfig.
See Releases for release notes of older releases.
v1.4.0 (2024-02-20)
Other changes
- Release v1.3.1 by @euanmillar in #786
- Update auth to go through gateway by @naftis in #781
- chore(deps): update dependency minimist to v1.2.8 by @renovate in #780
- ocrvs-5493 Correction flow translations by @Zangetsu101 in #794
- Sort staged translation files by @Zangetsu101 in #795
- Ocrvs 6217 by @Nil20 in #801
- Add CI pipeline for testing PRs before merging by @rikukissa in #802
- chore(deps): update dependency @types/google-libphonenumber to v7.4.30 by @renovate in #800
- chore(deps): update dependency @types/bcryptjs to v2.4.6 by @renovate in #799
- return composition id confirm registration endpoint in core by @Nil20 in #797
- chore(deps): update docker.elastic.co/kibana/kibana docker tag to v7.17.15 by @renovate in #804
- chore(deps): update docker.elastic.co/beats/metricbeat docker tag to v7.17.15 by @renovate in #803
- chore(deps): update dependency @graphql-codegen/add to v3.2.3 by @renovate in #774
- chore(deps): update dependency jsonwebtoken to v9.0.2 by @renovate in #779
- [OCRVS 6250] Add feature flags in application default config by @tahmidrahman-dsi in #806
- Upgrade Cypress by @rikukissa in #793
- chore: remove logrocket references by @naftis in #811
- fix(deps): update dependency @types/csv2json to v1.4.5 by @renovate in #821
- fix(deps): update dependency @types/code to v4.0.8 by @renovate in #820
- chore(deps): update logstash docker tag to v7.17.16 by @renovate in #819
- chore(deps): update dependency minimist to v1.2.8 by @renovate in #816
- chore(deps): update docker.elastic.co/kibana/kibana docker tag to v7.17.16 by @renovate in #818
- chore(deps): update docker.elastic.co/beats/metricbeat docker tag to v7.17.16 by @renovate in #817
- fix(deps): update dependency @types/geojson to v7946.0.13 by @renovate in #837
- fix(deps): update dependency @types/lodash to v4.14.202 by @renovate in #844
- fix(deps): update dependency @types/mime-types to v2.1.4 by @renovate in #845
- fix(deps): update dependency @types/uuid to v3.4.13 by @renovate in #855
- fix(deps): update dependency google-libphonenumber to v3.2.34 by @renovate in #856
- Merge master to develop by @rikukissa in #858
- Define HTTPS certificate resolver differently for different environments by @rikukissa in #869
- Fix repository secrets by @euanmillar in #873
- Remove non-configurable variables like backup user and backup dir by @rikukissa in #874
- Update known hosts automatically by @rikukissa in #879
- InfluxDB backups fix by @rikukissa in #878
- Add ashikul's public key in staging and qa by @Nil20 in #886
- Fix syslog errors coming from missing metricbeat capabilities by @rikukissa in #889
- Fix APM logs not showing by @rikukissa in #887
- Release v1.4.0 by @rikukissa in #842
- Merge master (1.4.0) to develop (1.5.0) by @rikukissa in #892
- Update dependency @octokit/core to v4.2.4 by @renovate in #901
- Update dependency @types/geojson to v7946.0.14 by @renovate in #902
Full Changelog: v1.3.2...v1.4.0