From dd365098f90f62abed9ae96efba4d88c3074b6fd Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 6 Sep 2023 14:11:13 +0200 Subject: [PATCH] Docker: Create a parameters.yaml.dist that works in a docker dev env (#405) * Docker: Create a paramaters.yaml.dist that works in a docker dev environment * parameters.yml.dist: Create sensible MariaDB usernames and secrets * Parameters.yaml.dist: Change secrets to a unique secret * Adding the Dockerfile and required configs * Adding the Github workflows * Testing the build * We were copying from the wrong places * GHA: Add dispatch option to the docker build action * Default docker config: Add mailcatcher host * Fix loas in the docker config * Add demo gssp to the docker config * Docker: Chown the var directory * Docker: Fix permissions on the cache dir * Docker: Add monolog configuration when running as a container This will let the logs go to stdout when running as a container, which is the Docker way to send logs * Correct uri for selfservice * Change the self-asserted loa to match the regular * Fix a typo * sed -i 's/authentication/assurance/' * Rename loa's to a more standard name --------- Co-authored-by: Dan Co-authored-by: Michiel Kodde --- .github/workflows/build-push-docker-image.yml | 48 ++++++++++++++++ .github/workflows/tag-release.yml | 8 +++ config/legacy/parameters.yaml.dist | 56 ++++++++++--------- config/packages/prod/monolog.yaml.docker | 12 ++++ docker/Dockerfile.prod | 20 +++++++ docker/conf/middleware-apache2.conf | 34 +++++++++++ 6 files changed, 152 insertions(+), 26 deletions(-) create mode 100644 .github/workflows/build-push-docker-image.yml create mode 100644 config/packages/prod/monolog.yaml.docker create mode 100644 docker/Dockerfile.prod create mode 100644 docker/conf/middleware-apache2.conf diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml new file mode 100644 index 000000000..0b56428aa --- /dev/null 
+++ b/.github/workflows/build-push-docker-image.yml @@ -0,0 +1,48 @@ +name: build-push-docker-image + +#on: workflow_dispatch +on: + push: + branches: feature/docker_configs + workflow_dispatch: + +jobs: + build-push-docker-image: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Get the latest release + id: release + uses: robinraju/release-downloader@v1.7 + with: + latest: true + fileName: "*.tar.bz2" + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push the Production image + uses: docker/build-push-action@v4 + with: + context: . + file: docker/Dockerfile.prod + platforms: linux/amd64,linux/arm64 + push: true + tags: | + ghcr.io/openconext/stepup-middleware/stepup-middleware:prod + ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ github.sha }} + ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ steps.release.outputs.tag_name }} diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index 234f27e28..e999d381c 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -62,3 +62,11 @@ jobs: with: release_id: ${{ steps.create_release.outputs.id }} + after_build: + needs: build + runs-on: ubuntu-latest + steps: + - name: Trigger Docker container build + uses: benc-uk/workflow-dispatch@v1 + with: + workflow: build-push-docker-image.yml diff --git a/config/legacy/parameters.yaml.dist b/config/legacy/parameters.yaml.dist index f62c859c0..ce9cd0f5c 100644 --- a/config/legacy/parameters.yaml.dist +++ b/config/legacy/parameters.yaml.dist 
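Review bot: The job holds `packages: write` and hands `secrets.GITHUB_TOKEN` to the registry login, yet `robinraju/release-downloader@v1.7` and the `docker/*` actions are referenced by mutable tags, so a moved tag in any of those repositories runs unreviewed code with push rights to ghcr.io; pin each third-party action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: robinraju/release-downloader@<commit-sha-of-v1.7> # v1.7`. The `push: branches: feature/docker_configs` trigger looks like leftover test scaffolding from the commit history: as written, every push to that branch rebuilds and overwrites the `:prod` tag, so it should be dropped now that `tag-release.yml` dispatches this workflow. The image content comes from the latest published release tarball (`latest: true`), not from the checked-out commit, so the `${{ github.sha }}` tag names the workflow run rather than the code inside the image; tagging with `${{ steps.release.outputs.tag_name }}` alone, or resolving the release's own commit, would be accurate. With an explicit `permissions:` block every unlisted scope is `none`, so if the checkout or the release lookup needs repository read access, add `contents: read` next to `packages: write`.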
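Review bot: The new `after_build` job dispatches `build-push-docker-image.yml` through `benc-uk/workflow-dispatch@v1`, a mutable tag of a third-party action that receives the job's `GITHUB_TOKEN`; pin it to a commit SHA (`uses: benc-uk/workflow-dispatch@<commit-sha> # v1`) as for the other actions. Triggering a workflow through the API needs the `actions: write` scope, which the job does not declare, so if the workflow or repository restricts default token permissions (not visible here) the dispatch fails; declare `permissions:` with `actions: write` on the job explicitly. The dispatched build downloads the latest release, so this job must only run once the release created in `build` is published (drafts and pre-releases are not returned as latest), which is worth confirming against the `create_release` step outside this hunk. The `jobs:` mapping this hunk extends starts outside the hunk.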
@@ -1,11 +1,11 @@ parameters: - application_name: StepUp Middleware + application_name: OpenConext Middleware # IP addresses of any HTTP proxies that are sitting in from of the application # See: http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html trusted_proxies: ~ database_driver: pdo_mysql - database_host: 10.10.0.100 + database_host: mariadb database_port: ~ # Enabling the STRICT_ALL_TABLES SQL mode. To prevent 'magic' truncation problems where string # values like the identity name id would be truncated after 255 characters without notice. Enabling @@ -17,16 +17,16 @@ parameters: # Also see: https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration database_server_version: mariadb-10.0.38 database_middleware_name: middleware - database_middleware_user: middleware - database_middleware_password: middleware + database_middleware_user: middleware_user + database_middleware_password: middleware_secret database_gateway_name: gateway - database_gateway_user: gateway - database_gateway_password: gateway - database_deploy_user: deploy - database_deploy_password: deploy + database_gateway_user: mw_gateway_user + database_gateway_password: mw_gateway_secret + database_deploy_user: mw_deploy_user + database_deploy_password: mw_deploy_secret mailer_transport: smtp - mailer_host: 127.0.0.1 + mailer_host: mailcatcher mailer_port: 25 mailer_user: '' mailer_password: '' 
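Review bot: The new database credentials (`middleware_secret`, `mw_gateway_secret`, `mw_deploy_secret`) are well-known defaults in a `.dist` file that `docker/Dockerfile.prod` in this same patch copies verbatim into the image as `config/legacy/parameters.yaml`, so every container started from the `:prod` tag carries them unless the file is replaced at runtime; the same applies to the `@@ -46,35 +46,39 @@` hunk, where `management_password`, `readonly_api_password` and `lifecycle_password` all get the single value `secret`, which also removes the separation between those three API users. Since the file targets a local dev environment, say so in the file: add `# DEV ONLY: these credentials match the docker dev environment and must be overridden before this configuration is used anywhere reachable` above `database_middleware_user`, and give the three API users distinct values so that one leaked value does not unlock the others. Ideally the image would read these values from the environment at container start instead of baking a copy of the dist file in.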
@@ -46,35 +46,39 @@ parameters: # - readonly access to all endpoints - user "apireader" # - management - user "management" # - GDPR compliance: deprovision and retrieval of user information - user "lifecycle" - selfservice_api_password: OI7Wr63wxx2-Pel - registration_authority_api_password: BAeBxn813SB4_QX - readonly_api_password: wkpTzg.CJzc5sWU - management_password: UktsgjiFJOSP87d - lifecycle_password: AXn0n9cOFymT_oF + selfservice_api_password: sa_secret + registration_authority_api_password: ra_secret + readonly_api_password: secret + management_password: secret + lifecycle_password: secret - self_service_email_verification_url_template: https://selfservice.tld/verify-email?n={nonce} - email_sender_name: SURFnet bv - email_sender_email: noreply@surfnet.nl + self_service_email_verification_url_template: https://selfservice.dev.openconext.local/verify-email?n={nonce} + email_sender_name: OpenConext DEV environment + email_sender_email: noreply@dev.openconext.local - email_verification_window: 3600 # the amout of seconds the email verification email/url is valid + email_verification_window: 3600 # the amount of seconds the email verification email/url is valid - stepup_loa_loa1: https://gateway.tld/authentication/loa1 - stepup_loa_loa2: https://gateway.tld/authentication/loa2 - stepup_loa_loa3: https://gateway.tld/authentication/loa3 - stepup_loa_self_asserted: 'http://stepup.example.com/assurance/loa-self-asserted' + stepup_loa_loa1: http://dev.openconext.local/assurance/loa1 + stepup_loa_loa2: http://dev.openconext.local/assurance/loa2 + stepup_loa_loa3: http://dev.openconext.local/assurance/loa3 + stepup_loa_self_asserted: 'http://dev.openconext.local/assurance/loa1.5' - self_service_url: https://selfservice.tld + self_service_url: https://selfservice.dev.openconext.local enabled_generic_second_factors: - biometric: - loa: 3 + azuremfa: + loa: 2 tiqr: + loa: 2 + webauthn: + loa: 3 + demo_gssp: loa: 3 second_factors_display_name: yubikey: Yubikey azuremfa: 
AzureMFA - webauthn: WebAuthn + webauthn: FIDO2 tiqr: Tiqr demo_gssp: GSSP Demo demo_gssp_2: GSSP Demo 2 diff --git a/config/packages/prod/monolog.yaml.docker b/config/packages/prod/monolog.yaml.docker new file mode 100644 index 000000000..f1a1e7e91 --- /dev/null +++ b/config/packages/prod/monolog.yaml.docker @@ -0,0 +1,12 @@ +monolog: + handlers: + prod-signaler: + type: fingers_crossed + action_level: ERROR + passthru_level: NOTICE # this means that all message of level NOTICE or higher are always logged + handler: main_syslog + bubble: false # if we handle it, nothing else should + main_syslog: + type: stream + path: "php://stderr" + formatter: surfnet_stepup.monolog.json_formatter diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod new file mode 100644 index 000000000..69b9ee2d9 --- /dev/null +++ b/docker/Dockerfile.prod @@ -0,0 +1,20 @@ +FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest AS php-build +COPY *.tar.bz2 /tmp/ +RUN tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/ && \ + rm -rf /tmp/*.tar.bz2 + +# Add the application configuration files +COPY .env .env +COPY config/legacy/parameters.yaml.dist config/legacy/parameters.yaml +COPY config/packages/prod/monolog.yaml.docker config/packages/prod/monolog.yaml + +# Add the config files for Apache2 +RUN rm -rf /etc/apache2/sites-enabled/* +COPY ./docker/conf/middleware-apache2.conf /etc/apache2/sites-enabled/middleware.conf +RUN rm -rf /var/www/html/var/cache/prod && chown -R www-data /var/www/html/var +EXPOSE 80 + +# Set the default workdir +WORKDIR /var/www/html + +CMD ["apache2-foreground"] diff --git a/docker/conf/middleware-apache2.conf b/docker/conf/middleware-apache2.conf new file mode 100644 index 000000000..2aff203fe --- /dev/null +++ b/docker/conf/middleware-apache2.conf 
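Review bot: Among the four LoA identifiers only `stepup_loa_self_asserted` is quoted (`'http://dev.openconext.local/assurance/loa1.5'`) while `stepup_loa_loa1` to `stepup_loa_loa3` are plain scalars directly above; none of them contains a YAML indicator character, so either drop the quotes or quote all four for consistency, e.g. `stepup_loa_self_asserted: http://dev.openconext.local/assurance/loa1.5`. The identifiers also switch from `https://` to `http://`; if they are opaque LoA URIs compared as strings that is harmless, but if the gateway or self-service configuration still carries the `https` form the values no longer match, which is worth confirming against those configs.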
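Review bot: The handler that writes to `php://stderr` is named `main_syslog`, which no longer describes what it does and will mislead anyone looking for the syslog path in the container configuration; rename the key and its reference in `prod-signaler` to `main_stderr` (`handler: main_stderr` and `main_stderr:`). A one-line comment above the stream handler stating the intent, `# Containers log to stderr so the runtime collects them; the JSON formatter keeps the fields parseable`, would explain why this file differs from the non-docker monolog configuration.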
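Review bot: `COPY .env .env` and the two configuration `COPY` lines use relative destinations before `WORKDIR /var/www/html` is declared at the bottom, so where they land depends on whatever working directory the base image happens to set; move `WORKDIR /var/www/html` above the first `COPY` so the destinations are unambiguous. The base image is pulled as `:latest`, so two builds of the same commit can produce different images with no record of what changed; pin it to a version tag or digest, `FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2@sha256:<digest>`. Copying `.env` from the build context also means whatever that file holds in the repository ships with the `:prod` tag, which is worth confirming contains no environment-specific secrets. `chown -R www-data /var/www/html/var` makes the application's var tree writable by the web server user, which is needed here because the cache is rebuilt after `rm -rf /var/www/html/var/cache/prod`, but a comment should say so: `# var/ must be writable by www-data: the prod cache is rebuilt at runtime`.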
@@ -0,0 +1,34 @@
+
+ ServerName middleware
+ ServerAdmin admin@surf.nl
+
+ DocumentRoot /var/www/html/public
+ SetEnv HTTPS on
+ SetEnv APP_ENV prod
+ SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
+
+ Require all granted
+
+ Options -MultiViews
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^(.*)$ index.php [QSA,L]
+
+
+ Require all granted
+
+
+ Header always set X-Content-Type-Options "nosniff"
+
+ # Set the php application handler so mod_php interpets the files
+
+ SetHandler application/x-httpd-php
+
+
+ ExpiresActive on
+ ExpiresByType font/* "access plus 1 year"
+ ExpiresByType image/* "access plus 6 months"
+ ExpiresByType text/css "access plus 1 year"
+ ExpiresByType text/js "access plus 1 year"
+
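Review bot: `ExpiresByType text/js` names a MIME type Apache does not emit for JavaScript (its mime table uses `application/javascript`, older setups `text/javascript`), so that line never matches; change it to `ExpiresByType application/javascript "access plus 1 year"`. `SetEnv HTTPS on` in a vhost that only listens on port 80 (`EXPOSE 80` in the Dockerfile) tells the application every request was secure regardless of how it arrived, which is only correct when TLS is terminated in front of the container, so document that assumption: `# TLS is terminated by the proxy in front of this container; HTTPS=on makes the app generate https URLs`. The `<VirtualHost>`, `<Directory>` and `<FilesMatch>` container lines appear empty in this rendering, so which paths the two `Require all granted` blocks open up cannot be checked here. The comment typo `interpets` should read `interprets`.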