diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml
new file mode 100644
index 0000000..42bfb36
--- /dev/null
+++ b/.github/workflows/build-push-docker-image.yml
@@ -0,0 +1,44 @@
+name: build-push-docker-image
+
+on: workflow_dispatch
+
+jobs:
+ build-push-docker-image:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Get the latest release
+ id: release
+ uses: robinraju/release-downloader@v1.7
+ with:
+ latest: true
+ fileName: "*.tar.bz2"
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push the Production image
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ file: docker/Dockerfile.prod
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: |
+ ghcr.io/openconext/stepup-gssp-example/stepup-gssp-example:prod
+ ghcr.io/openconext/stepup-gssp-example/stepup-gssp-example:${{ github.sha }}
+ ghcr.io/openconext/stepup-gssp-example/stepup-gssp-example:${{ steps.release.outputs.tag_name }}
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
index d94e89e..e9f06b9 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -63,4 +63,13 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 release_id: ${{ steps.create_release.outputs.id }}
+
+ after_build:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Trigger Docker container build
+ uses: benc-uk/workflow-dispatch@v1
+ with:
+ workflow: build-push-docker-image.yml
diff --git a/config/packages/parameters.yaml.dist b/config/packages/parameters.yaml.dist
index ec93355..cf18cdc 100644
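Review bot: Every third-party action in this job is pinned to a mutable tag (`robinraju/release-downloader@v1.7`, `docker/login-action@v2`, `docker/build-push-action@v4`, and the others) while the job holds `packages: write` and pushes the `:prod` tag, so a retargeted tag in any of those repositories could publish a production image under this organisation's name; pin each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha> # v4`. The `:${{ github.sha }}` tag also deserves a comment, because on a manual dispatch `github.sha` is the commit the workflow ran on, not necessarily the commit the downloaded release was built from, so `${{ steps.release.outputs.tag_name }}` is the only tag that reliably identifies the artifact. Since a `permissions:` block is declared, consider adding `contents: read` next to `packages: write` so the checkout and the release download do not depend on default-token behaviour for public repositories.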
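Review bot: The new `after_build` job declares no `permissions:` block, yet dispatching another workflow through the API requires `actions: write`; unless the workflow grants that at the top level (outside this hunk) the step will fail with a 403, and if the workflow grants broad permissions there, this job inherits far more than it needs. Add `permissions:` / `  actions: write` to the job and, as with the sibling workflow, pin `benc-uk/workflow-dispatch@v1` to a commit SHA since it runs with a token that can start any workflow in the repository. The dispatched workflow then re-discovers "the latest release" on its own rather than being told which tag this run just produced; passing the tag through the action's `inputs:` and reading it in `build-push-docker-image.yml` would remove the window in which a draft, a pre-release or a second tag pushed in between causes a different artifact to be tagged than the one this run built. The `build` job this depends on starts before the hunk, so whether the release is published or still a draft at that point could not be checked here.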
--- a/config/packages/parameters.yaml.dist
+++ b/config/packages/parameters.yaml.dist
@@ -2,12 +2,11 @@
 # Set parameters here that may be different on each deployment target of the app, e.g. development, staging, production.
 # https://symfony.com/doc/current/best_practices/configuration.html#infrastructure-related-configuration
 parameters:
- saml_idp_publickey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer'
- saml_idp_privatekey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem'
- saml_metadata_publickey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer'
- saml_metadata_privatekey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem'
- saml_remote_sp_entity_id: 'https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/metadata.php/default-sp'
- saml_remote_sp_sso_url: '"https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"'
- saml_remote_sp_certificate: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-gssp-bundle/src/Resources/keys/pieter.aai.surfnet.nl.pem'
- saml_remote_sp_acs: 'https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp'
+ saml_idp_publickey: '/config/demogssp/demo_gssp_idp.crt'
+ saml_idp_privatekey: '/config/demogssp/demo_gssp_idp.key'
+ saml_metadata_publickey: '/config/demogssp/demo_gssp_idp.crt'
+ saml_metadata_privatekey: '/config/demogssp/demo_gssp_idp.key'
+ saml_remote_sp_entity_id: 'https://gateway.dev.openconext.local/authentication/metadata'
+ saml_remote_sp_certificate: '/config/gateway/gateway_gssp_sp.crt'
+ saml_remote_sp_acs: 'https://gateway.dev.openconext.local/authentication/consume-assertion'
diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod
new file mode 100644
index 0000000..a3d54d8
--- /dev/null
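Review bot: The new values point at `/config/demogssp/…` and `gateway.dev.openconext.local`, but nothing in the file says that `/config` is expected to be mounted at runtime or that the `*.dev.openconext.local` SP is a development gateway; since this `.dist` file is copied verbatim into the image as the live `parameters.yaml` (see `docker/Dockerfile.prod` in this same change), a reader could take the resulting image for production-ready. Add a comment above `saml_idp_publickey:` such as `# /config is provided at runtime; demo_gssp_idp.key is the IdP signing key and must come from a secret volume, never from the image` and one above `saml_remote_sp_entity_id:` noting that the entity id, certificate and ACS together identify the dev gateway and must be overridden per environment. The existing header comment already says these parameters differ per deployment target, so the new comments only need to state what the concrete values are and where they come from.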
+++ b/docker/Dockerfile.prod
@@ -0,0 +1,17 @@
+FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest AS php-build
+COPY *.tar.bz2 /tmp/
+RUN tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/ && \
+ rm -rf /tmp/*.tar.bz2
+
+# Add the application configuration files
+COPY config/packages/parameters.yaml.dist config/packages/parameters.yaml
+
+# Add the config files for Apache2
+RUN rm -rf /etc/apache2/sites-enabled/*
+COPY ./docker/conf/apache2.conf /etc/apache2/sites-enabled/apache2.conf
+RUN rm -rf /var/www/html/var/cache/prod && chown -R www-data /var/www/html/var
+
+# Set the default workdir
+WORKDIR /var/www/html
+
+CMD ["apache2-foreground"]
diff --git a/docker/conf/apache2.conf b/docker/conf/apache2.conf
new file mode 100644
index 0000000..79ae9a3
--- /dev/null
+++ b/docker/conf/apache2.conf
@@ -0,0 +1,35 @@
+
+ ServerName demogssp
+ ServerAdmin admin@dev.openconext.local
+
+ DocumentRoot /var/www/html/public
+
+ SetEnv HTTPS on
+ SetEnv APP_ENV prod
+ SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
+
+ Require all granted
+
+ Options -MultiViews
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^(.*)$ index.php [QSA,L]
+
+
+ Require all granted
+
+
+ Header always set X-Content-Type-Options "nosniff"
+
+ # Set the php application handler so mod_php interpets the files
+
+ SetHandler application/x-httpd-php
+
+
+ ExpiresActive on
+ ExpiresByType font/* "access plus 1 year"
+ ExpiresByType image/* "access plus 6 months"
+ ExpiresByType text/css "access plus 1 year"
+ ExpiresByType text/js "access plus 1 year"
+
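Review bot: `FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest` makes every build non-reproducible and lets a changed or compromised base image flow straight into the `:prod` tag pushed by the new workflow; pin the base by digest, `FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2@sha256:<digest> AS php-build`, and bump it deliberately. `COPY *.tar.bz2 /tmp/` followed by `tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/` extracts whatever tarballs happen to be in the build context, not only the release the workflow downloaded; a comment stating that the release-downloader step is the sole expected source, or an explicit filename instead of the glob, would make that contract visible. The `COPY config/packages/parameters.yaml.dist config/packages/parameters.yaml` line bakes the development SAML endpoints and `/config/...` key paths into the production image, so either document next to it that `/config` and this file are replaced at deploy time or leave the file out and mount it. The `AS php-build` stage name is unused because there is no later stage, which is worth either removing or commenting.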
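Review bot: `ExpiresByType text/js "access plus 1 year"` almost certainly never matches, because Apache serves JavaScript as `application/javascript` (or `text/javascript`) and `text/js` is not a registered MIME type; the rule should read `ExpiresByType application/javascript "access plus 1 year"`. `SetEnv HTTPS on` is hard-coded in a vhost that terminates no TLS itself, which is only correct when a TLS-terminating proxy is the sole path to this port; add a comment such as `# TLS is terminated by the upstream proxy; this vhost must never be exposed directly` so nobody publishes it without one. For an authentication endpoint only `X-Content-Type-Options` is set; unless the proxy or the application emits them, `Header always set X-Frame-Options "DENY"` and a `Strict-Transport-Security` header belong next to it. The comment typo `interpets` should be `interprets`, and the container directives (`VirtualHost`, `Directory`, `FilesMatch`) are stripped in this rendering, so their scope and the listening port could not be checked here.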