Docker: Create a parameters.yaml.dist that works in a docker dev env (#…
…405)

* Docker: Create a parameters.yaml.dist that works in a docker dev environment

* parameters.yml.dist: Create sensible MariaDB usernames and secrets

* Parameters.yaml.dist: Change secrets to a unique secret

* Adding the Dockerfile and required configs

* Adding the Github workflows

* Testing the build

* We were copying from the wrong places

* GHA: Add dispatch option to the docker build action

* Default docker config: Add mailcatcher host

* Fix loas in the docker config

* Add demo gssp to the docker config

* Docker: Chown the var directory

* Docker: Fix permissions on the cache dir

* Docker: Add monolog configuration when running as a container
This will let the logs go to stdout when running as a container, which
is the Docker way to send logs

* Correct uri for selfservice

* Change the self-asserted loa to match the regular

* Fix a typo

* sed -i 's/authentication/assurance/'

* Rename loa's to a more standard name

---------

Co-authored-by: Dan <dan@hostatic.ro>
Co-authored-by: Michiel Kodde <mkodde@ibuildings.nl>
3 people authored Sep 6, 2023
1 parent 550e687 commit dd36509
Showing 6 changed files with 152 additions and 26 deletions.
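--- a/.github/workflows/build-push-docker-image.yml
+++ b/.github/workflows/build-push-docker-image.yml
@@ -0,0 +1,48 @@
+name: build-push-docker-image
+
+#on: workflow_dispatch
+on:
+push:
+branches: feature/docker_configs
+workflow_dispatch:
+
+jobs:
+build-push-docker-image:
+runs-on: ubuntu-latest
+permissions:
+packages: write
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+
+- name: Get the latest release
+id: release
+uses: robinraju/release-downloader@v1.7
+with:
+latest: true
+fileName: "*.tar.bz2"
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v2
+
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v2
+
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v2
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Build and push the Production image
+uses: docker/build-push-action@v4
+with:
+context: .
+file: docker/Dockerfile.prod
+platforms: linux/amd64,linux/arm64
+push: true
+tags: |
+ghcr.io/openconext/stepup-middleware/stepup-middleware:prod
+ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ github.sha }}
+ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ steps.release.outputs.tag_name }}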
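Review bot: The third-party action `robinraju/release-downloader@v1.7` (and the `docker/*` actions) are pinned to mutable tags, so a retagged or compromised release of that action can change what gets baked into an image that this job pushes as `:prod` with `packages: write`; pin each `uses:` to a full commit SHA, e.g. `uses: robinraju/release-downloader@<40-char sha> # v1.7`. The `:prod` and `${{ github.sha }}` tags are also misleading as written: the image content comes from whatever `latest: true` resolves to, not from the checked-out commit, and the `push:` trigger on `feature/docker_configs` means any push to that branch overwrites `:prod`, so restrict `push:` to the default branch or release tags before merging. Because a job-level `permissions:` block sets every unlisted scope to none, consider adding `contents: read` next to `packages: write`; whether `actions/checkout` and the release download still succeed without it presumably depends on the repository's visibility.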
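--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -62,3 +62,11 @@ jobs:
 with:
 release_id: ${{ steps.create_release.outputs.id }}
 
+after_build:
+needs: build
+runs-on: ubuntu-latest
+steps:
+- name: Trigger Docker container build
+uses: benc-uk/workflow-dispatch@v1
+with:
+workflow: build-push-docker-image.yml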
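Review bot: The new `after_build` job declares no `permissions:` block, and `benc-uk/workflow-dispatch@v1` calls the workflow-dispatch API with the job's token, which needs `actions: write`; if the repository's default workflow permissions are read-only this step fails, so add `permissions:` / `actions: write` to the job. The dispatch passes no `ref` or inputs, so the triggered build runs the target workflow from the default branch and downloads whatever `latest: true` resolves to at that moment; if the assets attached by `build` are not yet visible as the latest release, the image is presumably built from the previous one, so passing the new tag through an input would make the coupling explicit. Pinning the action to a commit SHA instead of `@v1` applies here as it does in the other workflow. The enclosing `jobs:` mapping starts above this hunk.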
56 changes: 30 additions & 26 deletions config/legacy/parameters.yaml.dist
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
parameters:
application_name: StepUp Middleware
application_name: OpenConext Middleware
# IP addresses of any HTTP proxies that are sitting in from of the application
# See: http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html
trusted_proxies: ~

database_driver: pdo_mysql
database_host: 10.10.0.100
database_host: mariadb
database_port: ~
# Enabling the STRICT_ALL_TABLES SQL mode. To prevent 'magic' truncation problems where string
# values like the identity name id would be truncated after 255 characters without notice. Enabling
Expand All @@ -17,16 +17,16 @@ parameters:
# Also see: https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration
database_server_version: mariadb-10.0.38
database_middleware_name: middleware
database_middleware_user: middleware
database_middleware_password: middleware
database_middleware_user: middleware_user
database_middleware_password: middleware_secret
database_gateway_name: gateway
database_gateway_user: gateway
database_gateway_password: gateway
database_deploy_user: deploy
database_deploy_password: deploy
database_gateway_user: mw_gateway_user
database_gateway_password: mw_gateway_secret
database_deploy_user: mw_deploy_user
database_deploy_password: mw_deploy_secret

mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_host: mailcatcher
mailer_port: 25
mailer_user: ''
mailer_password: ''
Expand All @@ -46,35 +46,39 @@ parameters:
# - readonly access to all endpoints - user "apireader"
# - management - user "management"
# - GDPR compliance: deprovision and retrieval of user information - user "lifecycle"
selfservice_api_password: OI7Wr63wxx2-Pel
registration_authority_api_password: BAeBxn813SB4_QX
readonly_api_password: wkpTzg.CJzc5sWU
management_password: UktsgjiFJOSP87d
lifecycle_password: AXn0n9cOFymT_oF
selfservice_api_password: sa_secret
registration_authority_api_password: ra_secret
readonly_api_password: secret
management_password: secret
lifecycle_password: secret

self_service_email_verification_url_template: https://selfservice.tld/verify-email?n={nonce}
email_sender_name: SURFnet bv
email_sender_email: noreply@surfnet.nl
self_service_email_verification_url_template: https://selfservice.dev.openconext.local/verify-email?n={nonce}
email_sender_name: OpenConext DEV environment
email_sender_email: noreply@dev.openconext.local

email_verification_window: 3600 # the amout of seconds the email verification email/url is valid
email_verification_window: 3600 # the amount of seconds the email verification email/url is valid

stepup_loa_loa1: https://gateway.tld/authentication/loa1
stepup_loa_loa2: https://gateway.tld/authentication/loa2
stepup_loa_loa3: https://gateway.tld/authentication/loa3
stepup_loa_self_asserted: 'http://stepup.example.com/assurance/loa-self-asserted'
stepup_loa_loa1: http://dev.openconext.local/assurance/loa1
stepup_loa_loa2: http://dev.openconext.local/assurance/loa2
stepup_loa_loa3: http://dev.openconext.local/assurance/loa3
stepup_loa_self_asserted: 'http://dev.openconext.local/assurance/loa1.5'

self_service_url: https://selfservice.tld
self_service_url: https://selfservice.dev.openconext.local

enabled_generic_second_factors:
biometric:
loa: 3
azuremfa:
loa: 2
tiqr:
loa: 2
webauthn:
loa: 3
demo_gssp:
loa: 3

second_factors_display_name:
yubikey: Yubikey
azuremfa: AzureMFA
webauthn: WebAuthn
webauthn: FIDO2
tiqr: Tiqr
demo_gssp: GSSP Demo
demo_gssp_2: GSSP Demo 2
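Review bot: The new placeholder passwords (`secret`, `sa_secret`, `ra_secret`, `middleware_secret`, `mw_gateway_secret`, `mw_deploy_secret`) are copied verbatim into the container as `config/legacy/parameters.yaml` by `docker/Dockerfile.prod` in this same commit, so the image the workflow tags `:prod` ships with well-known API and database credentials; add a comment above these keys such as `# DEV ONLY: these values are baked into the docker image; override them at runtime before exposing the service` and plan to inject real values through the environment or a mounted file. The `stepup_loa_*` identifiers also change scheme and host (`https://gateway.tld/authentication/...` to `http://dev.openconext.local/assurance/...`); if these are compared as strings against the gateway's own LoA configuration, as the `.dist` defaults suggest, the same values must be used on the gateway side or no level will match. The `parameters:` mapping continues past the last hunk.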
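--- a/config/packages/prod/monolog.yaml.docker
+++ b/config/packages/prod/monolog.yaml.docker
@@ -0,0 +1,12 @@
+monolog:
+handlers:
+prod-signaler:
+type: fingers_crossed
+action_level: ERROR
+passthru_level: NOTICE # this means that all message of level NOTICE or higher are always logged
+handler: main_syslog
+bubble: false # if we handle it, nothing else should
+main_syslog:
+type: stream
+path: "php://stderr"
+formatter: surfnet_stepup.monolog.json_formatter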
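Review bot: Nothing in this file says that it only takes effect when `docker/Dockerfile.prod` copies it over `config/packages/prod/monolog.yaml`, and the handler is still named `main_syslog` although it now writes to `php://stderr`; add a header comment such as `# Docker override for config/packages/prod/monolog.yaml: records go to stderr as JSON so the container runtime collects them` and consider renaming the handler to `main_stderr`. The `fingers_crossed` handler buffers every record until an ERROR arrives and no `buffer_size` is set, so a request that emits many NOTICE/INFO records before failing holds all of them in memory; if that matters for this workload, cap it with `buffer_size: <n>`, assuming the installed MonologBundle supports the option.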
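--- a/docker/Dockerfile.prod
+++ b/docker/Dockerfile.prod
@@ -0,0 +1,20 @@
+FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest AS php-build
+COPY *.tar.bz2 /tmp/
+RUN tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/ && \
+rm -rf /tmp/*.tar.bz2
+
+# Add the application configuration files
+COPY .env .env
+COPY config/legacy/parameters.yaml.dist config/legacy/parameters.yaml
+COPY config/packages/prod/monolog.yaml.docker config/packages/prod/monolog.yaml
+
+# Add the config files for Apache2
+RUN rm -rf /etc/apache2/sites-enabled/*
+COPY ./docker/conf/middleware-apache2.conf /etc/apache2/sites-enabled/middleware.conf
+RUN rm -rf /var/www/html/var/cache/prod && chown -R www-data /var/www/html/var
+EXPOSE 80
+
+# Set the default workdir
+WORKDIR /var/www/html
+
+CMD ["apache2-foreground"]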
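Review bot: The three `COPY` lines use relative destinations (`.env`, `config/legacy/parameters.yaml`, `config/packages/prod/monolog.yaml`) but `WORKDIR /var/www/html` is only set at the end of the file, so where those files land depends on whatever working directory the base image happens to set; move `WORKDIR /var/www/html` above the first relative `COPY` so the layout does not depend on the base image. The image also installs `parameters.yaml.dist`, with its `secret`/`middleware_secret` placeholder credentials, as the live `parameters.yaml`, so the `:prod` tag published by the workflow carries known credentials unless they are replaced at runtime; at minimum add `# DEV defaults: parameters.yaml must be replaced or mounted in any real deployment` above that line. `FROM ...php72-apache2:latest` is unpinned, so rebuilds are not reproducible and silently pick up base-image changes; pin a version tag or an `@sha256:` digest.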
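--- a/docker/conf/middleware-apache2.conf
+++ b/docker/conf/middleware-apache2.conf
@@ -0,0 +1,34 @@
+<Virtualhost *:80>
+ServerName middleware
+ServerAdmin admin@surf.nl
+
+DocumentRoot /var/www/html/public
+SetEnv HTTPS on
+SetEnv APP_ENV prod
+SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
+<Directory "/var/www/html/public">
+Require all granted
+
+Options -MultiViews
+RewriteEngine On
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^(.*)$ index.php [QSA,L]
+</Directory>
+<Location />
+Require all granted
+</Location>
+
+Header always set X-Content-Type-Options "nosniff"
+
+# Set the php application handler so mod_php interpets the files
+<FilesMatch \.php$>
+SetHandler application/x-httpd-php
+</FilesMatch>
+
+ExpiresActive on
+ExpiresByType font/* "access plus 1 year"
+ExpiresByType image/* "access plus 6 months"
+ExpiresByType text/css "access plus 1 year"
+ExpiresByType text/js "access plus 1 year"
+</VirtualHost>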
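Review bot: `ExpiresByType text/js` does not match the MIME type Apache serves for JavaScript (`application/javascript` in the stock `mime.types`, or `text/javascript`), so that rule never fires; change it to `ExpiresByType application/javascript "access plus 1 year"`. `SetEnv HTTPS on` on a plain `*:80` vhost tells the application it is behind TLS unconditionally, while `trusted_proxies` in `parameters.yaml.dist` remains `~`; add a comment such as `# TLS is terminated by the reverse proxy in front of this container; HTTPS=on makes the app generate https URLs` so operators know the assumption and do not expose port 80 directly. The `<Location />` block repeats the `Require all granted` already set on the document root and can be dropped, and the `interpets` typo in the mod_php comment should read `interprets`.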
