From 58798e41a6440daf58e70097dcd47759e815d462 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 13 Nov 2023 17:13:11 +0200 Subject: [PATCH 01/11] Adding the files and workflows to build the account gui image --- .github/workflows/deploy.yml | 22 ++++++++++++ account-gui/docker/Dockerfile | 4 +++ account-gui/docker/appconf.conf | 63 +++++++++++++++++++++++++++++++++ 3 files changed, 89 insertions(+) create mode 100644 account-gui/docker/Dockerfile create mode 100644 account-gui/docker/appconf.conf diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index fc003784..a723d3b0 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -7,6 +7,8 @@ on: jobs: deployment: + permissions: + packages: write environment: deploy runs-on: ubuntu-latest @@ -115,3 +117,23 @@ jobs: asset_path: /home/runner/work/OpenConext-myconext/OpenConext-myconext/myconext-server/target/myconext-server-${{ github.ref_name }}.jar asset_name: myconext-server-${{ github.ref_name }}.jar asset_content_type: application/zip + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push the account gui image + uses: docker/build-push-action@v4 + with: + context: account-gui + file: account-gui/docker/Dockerfile + platforms: linux/amd64 + push: true + tags: | + ghcr.io/openconext/openconext-myconext/account-gui:${{ steps.versioncheck.outputs.version }} diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile new file mode 100644 index 00000000..c37c5638 --- /dev/null +++ b/account-gui/docker/Dockerfile @@ -0,0 +1,4 @@ +FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest +ADD ./build/ /var/www/ +RUN rm -rf /etc/apache2/sites-enabled/*.conf +COPY ./docker/appconf.conf /etc/apache2/sites-enabled/ 
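Review bot: Declaring `permissions:` with only `packages: write` on the `deployment` job resets every other GITHUB_TOKEN scope to `none`, and the release-asset upload still visible as context in the second hunk (`asset_path`/`asset_name`) presumably needs `contents: write` unless it authenticates with a separate secret. If the release creation or asset upload relies on GITHUB_TOKEN, add `contents: write` next to `packages: write`; otherwise a one-line comment naming the token those steps use would save the next reader the check. The least-privilege direction of the change is right; it just needs the full set of scopes this job actually uses spelled out.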
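Review bot: The base image is pulled as `apache2:latest`, so every build of `account-gui` floats to whatever the base-containers repository last published, and a broken or compromised base tag is picked up silently by the tag-triggered release build. Pin it to a versioned tag and, for reproducible releases, a digest, e.g. `FROM ghcr.io/openconext/openconext-basecontainers/apache2:<tag>@sha256:<digest>`, and let a dependency bot bump it. A short comment above the `RUN rm -rf /etc/apache2/sites-enabled/*.conf` line saying that the base image's default vhost is intentionally replaced by `appconf.conf` would also help, since deleting the base image's config is otherwise surprising.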
diff --git a/account-gui/docker/appconf.conf b/account-gui/docker/appconf.conf new file mode 100644 index 00000000..7c5b2387 --- /dev/null +++ b/account-gui/docker/appconf.conf 
@@ -0,0 +1,63 @@ +ServerName accessclient +RewriteEngine On +RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ +RewriteCond %{REQUEST_URI} !\.svg$ +RewriteCond %{REQUEST_URI} !\.png$ +RewriteCond %{REQUEST_URI} !\.ico$ +RewriteCond %{REQUEST_URI} !\.woff$ +RewriteCond %{REQUEST_URI} !\.woff2$ +RewriteCond %{REQUEST_URI} !\.ttf$ +RewriteCond %{REQUEST_URI} !\.wav$ +RewriteCond %{REQUEST_URI} !\.eot$ +RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ +RewriteCond %{REQUEST_URI} !^/api/ +RewriteCond %{REQUEST_URI} !^/login/ +RewriteCond %{REQUEST_URI} !^/oauth2/ +RewriteCond %{REQUEST_URI} !^/ui/ +RewriteCond %{REQUEST_URI} !^/internal/ +RewriteCond %{REQUEST_URI} !^/deprovision/ +RewriteCond %{REQUEST_URI} !^/fonts/ +RewriteRule (.*) /index.html [L] +ProxyPass /api http://inviteserver:8080/api retry=0 +ProxyPassReverse /api http://inviteserver:8080/api +ProxyPassMatch ^/oauth2(.*)$ http://inviteserver:8080 +ProxyPassReverse /oauth2 http://inviteserver:8080/oauth2 +ProxyPassMatch ^/internal(.*)$ http://inviteserver:8080 +ProxyPassReverse /internal http://inviteserver:8080/internal +ProxyPassMatch ^/login(.*)$ http://inviteserver:8080 +ProxyPassReverse /login http://inviteserver:8080/login +ProxyPassMatch ^/ui(.*)$ http://inviteserver:8080 +ProxyPassReverse /ui http://inviteserver:8080/ui +ProxyPass /deprovision http://inviteserver:8080/api +ProxyPassReverse /deprovision http://inviteserver:8080/api + +ErrorLog /proc/self/fd/2 +CustomLog /proc/self/fd/1 common + +DocumentRoot /var/www/ + + + ProxyPreserveHost On + + + ProxyPreserveHost On + + + ProxyPreserveHost On + + + ProxyPreserveHost On + + + Require all granted + Options -Indexes + + + +Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" +Header set Expires "Sun, 8 Jun 1986 08:06:00 GMT" + + +Header always set X-Frame-Options "DENY" +Header always set Referrer-Policy "origin-when-cross-origin" +Header always set X-Content-Type-Options "nosniff" 
From 78fc9d5ea254f59bcd717726de433cec8fb3a483 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 13 Nov 2023 17:14:00 +0200 Subject: [PATCH 02/11] Not sure we need this yet --- account-gui/docker/Dockerfile | 1 - account-gui/docker/appconf.conf | 63 --------------------------------- 2 files changed, 64 deletions(-) delete mode 100644 account-gui/docker/appconf.conf diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile index c37c5638..5707bf53 100644 --- a/account-gui/docker/Dockerfile +++ b/account-gui/docker/Dockerfile @@ -1,4 +1,3 @@ FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest ADD ./build/ /var/www/ RUN rm -rf /etc/apache2/sites-enabled/*.conf -COPY ./docker/appconf.conf /etc/apache2/sites-enabled/ diff --git a/account-gui/docker/appconf.conf b/account-gui/docker/appconf.conf deleted file mode 100644 index 7c5b2387..00000000 --- a/account-gui/docker/appconf.conf +++ /dev/null 
@@ -1,63 +0,0 @@ -ServerName accessclient -RewriteEngine On -RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ -RewriteCond %{REQUEST_URI} !\.svg$ -RewriteCond %{REQUEST_URI} !\.png$ -RewriteCond %{REQUEST_URI} !\.ico$ -RewriteCond %{REQUEST_URI} !\.woff$ -RewriteCond %{REQUEST_URI} !\.woff2$ -RewriteCond %{REQUEST_URI} !\.ttf$ -RewriteCond %{REQUEST_URI} !\.wav$ -RewriteCond %{REQUEST_URI} !\.eot$ -RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ -RewriteCond %{REQUEST_URI} !^/api/ -RewriteCond %{REQUEST_URI} !^/login/ -RewriteCond %{REQUEST_URI} !^/oauth2/ -RewriteCond %{REQUEST_URI} !^/ui/ -RewriteCond %{REQUEST_URI} !^/internal/ -RewriteCond %{REQUEST_URI} !^/deprovision/ -RewriteCond %{REQUEST_URI} !^/fonts/ -RewriteRule (.*) /index.html [L] -ProxyPass /api http://inviteserver:8080/api retry=0 -ProxyPassReverse /api http://inviteserver:8080/api -ProxyPassMatch ^/oauth2(.*)$ http://inviteserver:8080 -ProxyPassReverse /oauth2 http://inviteserver:8080/oauth2 -ProxyPassMatch ^/internal(.*)$ http://inviteserver:8080 -ProxyPassReverse /internal http://inviteserver:8080/internal -ProxyPassMatch ^/login(.*)$ http://inviteserver:8080 -ProxyPassReverse /login http://inviteserver:8080/login -ProxyPassMatch ^/ui(.*)$ http://inviteserver:8080 -ProxyPassReverse /ui http://inviteserver:8080/ui -ProxyPass /deprovision http://inviteserver:8080/api -ProxyPassReverse /deprovision http://inviteserver:8080/api - -ErrorLog /proc/self/fd/2 -CustomLog /proc/self/fd/1 common - -DocumentRoot /var/www/ - - - ProxyPreserveHost On - - - ProxyPreserveHost On - - - ProxyPreserveHost On - - - ProxyPreserveHost On - - - Require all granted - Options -Indexes - - - -Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" -Header set Expires "Sun, 8 Jun 1986 08:06:00 GMT" - - -Header always set X-Frame-Options "DENY" -Header always set Referrer-Policy "origin-when-cross-origin" -Header always set X-Content-Type-Options "nosniff" 
From 25efb842b00391d64d6bd204135fbf3b359c1a82 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 13 Nov 2023 17:17:51 +0200 Subject: [PATCH 03/11] Adding the files and workflows for the myconext gui --- .github/workflows/deploy.yml | 12 +++++++++++- account-gui/docker/Dockerfile | 1 - myconext-gui/docker/Dockerfile | 2 ++ 3 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 myconext-gui/docker/Dockerfile diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a723d3b0..19c438f2 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -136,4 +136,14 @@ jobs: platforms: linux/amd64 push: true tags: | - ghcr.io/openconext/openconext-myconext/account-gui:${{ steps.versioncheck.outputs.version }} + ghcr.io/openconext/openconext-myconext/account-gui:${{ github.ref_name }} + + - name: Build and push the myconext gui image + uses: docker/build-push-action@v4 + with: + context: myconext-gui + file: myconext-gui/docker/Dockerfile + platforms: linux/amd64 + push: true + tags: | + ghcr.io/openconext/openconext-myconext/myconext-gui:${{ github.ref_name }} diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile index 5707bf53..58f13881 100644 --- a/account-gui/docker/Dockerfile +++ b/account-gui/docker/Dockerfile @@ -1,3 +1,2 @@ FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest ADD ./build/ /var/www/ -RUN rm -rf /etc/apache2/sites-enabled/*.conf diff --git a/myconext-gui/docker/Dockerfile b/myconext-gui/docker/Dockerfile new file mode 100644 index 00000000..58f13881 --- /dev/null +++ b/myconext-gui/docker/Dockerfile @@ -0,0 +1,2 @@ +FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest +ADD ./build/ /var/www/ From 0cb861262eebcea89485ff908549664aaf857a5f Mon Sep 17 00:00:00 2001 
From: Dan Date: Tue, 14 Nov 2023 15:13:42 +0200 Subject: [PATCH 04/11] Adding the actions and build files for myconext server
---
 .github/workflows/deploy.yml | 10 ++++++++++
 myconext-server/docker/Dockerfile | 3 +++
 2 files changed, 13 insertions(+)
 create mode 100644 myconext-server/docker/Dockerfile
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 19c438f2..917dbdbe 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -147,3 +147,13 @@ jobs:
 push: true
 tags: |
 ghcr.io/openconext/openconext-myconext/myconext-gui:${{ github.ref_name }}
+
+ - name: Build and push the server image
+ uses: docker/build-push-action@v4
+ with:
+ context: myconext-server
+ file: myconext-server/docker/Dockerfile
+ platforms: linux/amd64
+ push: true
+ tags: |
+ ghcr.io/openconext/openconext-myconext/myconext-server:${{ github.ref_name }}
diff --git a/myconext-server/docker/Dockerfile b/myconext-server/docker/Dockerfile
new file mode 100644
index 00000000..c9a98d44
--- /dev/null
+++ b/myconext-server/docker/Dockerfile
@@ -0,0 +1,3 @@
+FROM eclipse-temurin:17-jdk-alpine
+COPY target/*.jar app.jar
+ENTRYPOINT ["java","-jar","/app.jar"]
From fee38ddde9e12e43e9b5208135844be152dc4a60 Mon Sep 17 00:00:00 2001
From: Dan Date: Tue, 14 Nov 2023 15:14:07 +0200 Subject: [PATCH 05/11] Updating the guis to use the shibboleth image
---
 account-gui/docker/Dockerfile | 2 +-
 myconext-gui/docker/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile
index 58f13881..2f90e4db 100644
--- a/account-gui/docker/Dockerfile
+++ b/account-gui/docker/Dockerfile
@@ -1,2 +1,2 @@
-FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest
+FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
 ADD ./build/ /var/www/
diff --git a/myconext-gui/docker/Dockerfile b/myconext-gui/docker/Dockerfile
index 58f13881..2f90e4db 100644
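Review bot: The server image runs the Spring Boot jar as root, on a full JDK, from an unpinned `17-jdk-alpine` tag; the service needs neither a compiler nor root, so create an unprivileged user, switch to it before `ENTRYPOINT`, and use the `-jre` variant pinned by digest. `COPY target/*.jar app.jar` also breaks the build if Maven ever leaves more than one jar in `target/` (a sources or javadoc jar, for instance), because `COPY` with several sources requires a directory destination — naming the artifact explicitly or excluding extras via `.dockerignore` avoids that. A minimal hardened version of the three lines follows.
```dockerfile
FROM eclipse-temurin:17-jre-alpine
# Unprivileged runtime user; the jar needs no root capabilities.
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app target/*.jar /app.jar
USER app
ENTRYPOINT ["java","-jar","/app.jar"]
```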
--- a/myconext-gui/docker/Dockerfile +++ b/myconext-gui/docker/Dockerfile @@ -1,2 +1,2 @@ -FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest +FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest ADD ./build/ /var/www/ From 51972a83c3386b432a0fbc1575abf7de842f9020 Mon Sep 17 00:00:00 2001 From: Dan Date: Thu, 16 Nov 2023 16:53:44 +0200 Subject: [PATCH 06/11] Fixed yaml formatting --- .github/workflows/deploy.yml | 70 ++++++++++++++++++------------------ 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 917dbdbe..50bb72e0 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -118,42 +118,42 @@ jobs: asset_name: myconext-server-${{ github.ref_name }}.jar asset_content_type: application/zip - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push the account gui image - uses: docker/build-push-action@v4 - with: - context: account-gui - file: account-gui/docker/Dockerfile - platforms: linux/amd64 - push: true - tags: | - ghcr.io/openconext/openconext-myconext/account-gui:${{ github.ref_name }} + - name: Build and push the account gui image + uses: docker/build-push-action@v4 + with: + context: account-gui + file: account-gui/docker/Dockerfile + platforms: linux/amd64 + push: true + tags: | + ghcr.io/openconext/openconext-myconext/account-gui:${{ github.ref_name }} - - name: Build and push the myconext gui image - uses: docker/build-push-action@v4 - with: - context: myconext-gui - file: myconext-gui/docker/Dockerfile - platforms: linux/amd64 - push: true - tags: | - ghcr.io/openconext/openconext-myconext/myconext-gui:${{ github.ref_name }} + - name: Build and push the myconext gui image + uses: docker/build-push-action@v4 + with: + context: myconext-gui + file: myconext-gui/docker/Dockerfile + platforms: linux/amd64 + push: true + tags: | + ghcr.io/openconext/openconext-myconext/myconext-gui:${{ github.ref_name }} - - name: Build and push the server image - uses: docker/build-push-action@v4 - with: - context: myconext-server - file: myconext-server/docker/Dockerfile - platforms: linux/amd64 - push: true - tags: | - 
ghcr.io/openconext/openconext-myconext/myconext-server:${{ github.ref_name }} + - name: Build and push the server image + uses: docker/build-push-action@v4 + with: + context: myconext-server + file: myconext-server/docker/Dockerfile + platforms: linux/amd64 + push: true + tags: | + ghcr.io/openconext/openconext-myconext/myconext-server:${{ github.ref_name }} From a284c3c354d1fbfdea54e16a1880ce69074df898 Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 17 Nov 2023 16:59:15 +0200 Subject: [PATCH 07/11] Using java 11 and the copy command --- account-gui/docker/Dockerfile | 2 +- myconext-gui/docker/Dockerfile | 2 +- myconext-server/docker/Dockerfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile index 2f90e4db..fc665ace 100644 --- a/account-gui/docker/Dockerfile +++ b/account-gui/docker/Dockerfile @@ -1,2 +1,2 @@ FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest -ADD ./build/ /var/www/ +COPY ./build/ /var/www/ diff --git a/myconext-gui/docker/Dockerfile b/myconext-gui/docker/Dockerfile index 2f90e4db..fc665ace 100644 --- a/myconext-gui/docker/Dockerfile +++ b/myconext-gui/docker/Dockerfile @@ -1,2 +1,2 @@ FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest -ADD ./build/ /var/www/ +COPY ./build/ /var/www/ diff --git a/myconext-server/docker/Dockerfile b/myconext-server/docker/Dockerfile index c9a98d44..6db5b001 100644 --- a/myconext-server/docker/Dockerfile +++ b/myconext-server/docker/Dockerfile @@ -1,3 +1,3 @@ -FROM eclipse-temurin:17-jdk-alpine +FROM eclipse-temurin:11-jdk-alpine COPY target/*.jar app.jar ENTRYPOINT ["java","-jar","/app.jar"] From 1af33883cff1ff36c8593344ac1c06e414039431 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 27 Nov 2023 17:39:35 +0200 Subject: [PATCH 08/11] Adding the ability to build snapshot releases --- .github/workflows/deploy.yml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 50bb72e0..eafd0b68 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -36,14 +36,21 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-maven-
- - name: Extract Maven project version
+ - name: Determine the version
 run: echo ::set-output name=version::$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
- id: project
- - name: Check if git tag matches project version
+ id: versioncheck
+
+ - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name
+ run: |
+ echo "Only SNAPSHOT releases can be triggered with the workflow_dispatch"
+ exit 1
+ if: github.event_name == 'workflow_dispatch' && ( !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT'))
+
+ - name: Exit when a production build is triggered, and the github tag is not the same as the version in pom.xml
 run: |
- echo "Project version ${{ steps.project.outputs.version }} does not match git tag ${{ github.ref_name }}"
+ echo "Project version ${{ steps.versioncheck.outputs.version }} does not match git tag ${{ github.ref_name }}"
 exit 1
- if: ${{ steps.project.outputs.version != github.ref_name }}
+ if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name
 - name: Deploy with Maven
 run: mvn --batch-mode deploy -DskipTests
@@ -136,7 +143,7 @@ jobs:
 platforms: linux/amd64
 push: true
 tags: |
- ghcr.io/openconext/openconext-myconext/account-gui:${{ github.ref_name }}
+ ghcr.io/openconext/openconext-myconext/account-gui:${{ steps.versioncheck.outputs.version }}
 - name: Build and push the myconext gui image
 uses: docker/build-push-action@v4
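Review bot: The new SNAPSHOT guard only checks the version string; every later step in the job — `Deploy with Maven` in the context here, and the release-creation/asset-upload steps outside this hunk — still runs for a `workflow_dispatch`, so a snapshot built from any branch is deployed to Maven and, unless those steps already carry their own `if:`, produces a GitHub release named after `github.ref_name`. Guard the release steps with `if: github.event_name != 'workflow_dispatch'`, or split snapshot and release publishing into two jobs so the guard cannot be forgotten. Note also that `on:` at the top of this file still lists only `push: tags:`, so the `workflow_dispatch` branch added here cannot fire until that trigger is declared.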
@@ -146,7 +153,7 @@ jobs: platforms: linux/amd64 push: true tags: | - ghcr.io/openconext/openconext-myconext/myconext-gui:${{ github.ref_name }} + ghcr.io/openconext/openconext-myconext/myconext-gui:${{ steps.versioncheck.outputs.version } - name: Build and push the server image uses: docker/build-push-action@v4 @@ -156,4 +163,4 @@ jobs: platforms: linux/amd64 push: true tags: | - ghcr.io/openconext/openconext-myconext/myconext-server:${{ github.ref_name }} + ghcr.io/openconext/openconext-myconext/myconext-server:${{ steps.versioncheck.outputs.version } From 761783863e24c31d7cce1a3015049ae5904315d6 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 27 Nov 2023 17:44:05 +0200 Subject: [PATCH 09/11] Fix typo --- .github/workflows/deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index eafd0b68..0637cc0e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -153,7 +153,7 @@ jobs: platforms: linux/amd64 push: true tags: | - ghcr.io/openconext/openconext-myconext/myconext-gui:${{ steps.versioncheck.outputs.version } + ghcr.io/openconext/openconext-myconext/myconext-gui:${{ steps.versioncheck.outputs.version }} - name: Build and push the server image uses: docker/build-push-action@v4 @@ -163,4 +163,4 @@ jobs: platforms: linux/amd64 push: true tags: | - ghcr.io/openconext/openconext-myconext/myconext-server:${{ steps.versioncheck.outputs.version } + ghcr.io/openconext/openconext-myconext/myconext-server:${{ steps.versioncheck.outputs.version }} From 5c1c8f4c3fc889213e1f46bf5c5e54154c100105 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 3 Apr 2024 14:42:58 +0200 Subject: [PATCH 10/11] GHA: Version updates for the docker build action and addition of labels and tags --- .github/workflows/deploy.yml | 76 ++++++++++++++++++++++++++++-------- 1 file changed, 60 insertions(+), 16 deletions(-) 
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 0637cc0e..d50b6255 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -4,6 +4,7 @@ on:
 push:
 tags:
 - "*"
+ workflow_dispatch:
 jobs:
 deployment:
@@ -13,14 +14,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
 with:
 node-version: 16
 - name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
 java-version: 11
 distribution: 'temurin'
@@ -29,7 +30,7 @@ jobs:
 server-username: MAVEN_USERNAME
 server-password: MAVEN_PASSWORD
 - name: Set up cache
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.m2/repository
 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -37,7 +38,7 @@ jobs:
 ${{ runner.os }}-maven-
 - name: Determine the version
- run: echo ::set-output name=version::$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
+ run: echo "version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)" >> $GITHUB_OUTPUT
 id: versioncheck
 - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name
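Review bot: Adding `workflow_dispatch:` lets any collaborator with write access start this job from any branch, and the job runs with `packages: write` plus the Maven deploy credentials while every action it calls is pinned only to a mutable major tag (`actions/checkout@v4`, `actions/setup-java@v4`, `actions/cache@v4`, ...). For a job that holds publishing credentials, pin third-party actions to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, and let Dependabot bump them; a retagged `v4` otherwise gets to read `MAVEN_PASSWORD` and push images under the project's name. Whether the `deploy` environment requires reviewers is not visible here — if it does not, that is the other control worth adding before opening the manual trigger.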
@@ -126,41 +127,84 @@ jobs: asset_content_type: application/zip - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract metadata (tags, labels) for MyConext GUI Docker + id: meta_account_gui + uses: docker/metadata-action@v5 + with: + images: ghcr.io/openconext/openconext-myconext/myconext-gui + flavor: | + latest=false + tags: | + type=ref,event=tag + type=raw,event=tag,value=latest + type=raw,event=workflow_dispatch,value=snapshot + type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }} + type=sha + + - name: Extract metadata (tags, labels) for acount GUI Docker + id: meta_server_gui + uses: docker/metadata-action@v5 + with: + images: ghcr.io/openconext/openconext-myconext/account-gui + flavor: | + latest=false + tags: | + type=ref,event=tag + type=raw,event=tag,value=latest + type=raw,event=workflow_dispatch,value=snapshot + type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }} + type=sha + + - name: Extract metadata (tags, labels) for Server Docker + id: meta_server + uses: docker/metadata-action@v5 + with: + images: ghcr.io/openconext/openconext-myconext/myconext-server + flavor: | + latest=false + tags: | + type=ref,event=tag + type=raw,event=tag,value=latest + type=raw,event=workflow_dispatch,value=snapshot + type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }} + type=sha + + - name: Build and push the account gui image - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: account-gui file: account-gui/docker/Dockerfile platforms: linux/amd64 push: true - tags: | - ghcr.io/openconext/openconext-myconext/account-gui:${{ steps.versioncheck.outputs.version }} + tags: ${{ 
steps.meta_account_gui.outputs.tags }}
+ labels: ${{ steps.meta_account_gui.outputs.labels }}
 - name: Build and push the myconext gui image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: myconext-gui
 file: myconext-gui/docker/Dockerfile
 platforms: linux/amd64
 push: true
- tags: |
- ghcr.io/openconext/openconext-myconext/myconext-gui:${{ steps.versioncheck.outputs.version }}
+ tags: ${{ steps.meta_server_gui.outputs.tags }}
+ labels: ${{ steps.meta_server_gui.outputs.labels }}
 - name: Build and push the server image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: myconext-server
 file: myconext-server/docker/Dockerfile
 platforms: linux/amd64
 push: true
- tags: |
- ghcr.io/openconext/openconext-myconext/myconext-server:${{ steps.versioncheck.outputs.version }}
+ tags: ${{ steps.meta_server.outputs.tags }}
+ labels: ${{ steps.meta_server.outputs.labels }}
From e4e7715743f551019544b1f0c99154a85e1a59d5 Mon Sep 17 00:00:00 2001
From: Bart Geesink Date: Wed, 3 Apr 2024 15:15:58 +0200 Subject: [PATCH 11/11] Docker: Add apache configs for the gui containers
---
 account-gui/docker/Dockerfile | 1 +
 account-gui/docker/conf/000-default.conf | 59 +++++++++++++++
 myconext-gui/docker/Dockerfile | 2 +
 myconext-gui/docker/conf/000-default.conf | 87 +++++++++++++++++++++++
 4 files changed, 149 insertions(+)
 create mode 100644 account-gui/docker/conf/000-default.conf
 create mode 100644 myconext-gui/docker/conf/000-default.conf
diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile
index fc665ace..815fb316 100644
--- a/account-gui/docker/Dockerfile
+++ b/account-gui/docker/Dockerfile
@@ -1,2 +1,3 @@
 FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
+COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf
 COPY ./build/ /var/www/
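Review bot: The `images:` values of the two GUI metadata steps are swapped: `meta_account_gui` is given `ghcr.io/openconext/openconext-myconext/myconext-gui` and `meta_server_gui` is given `.../account-gui`, and the build steps consume them by id, so the image built from `account-gui/docker/Dockerfile` is pushed under the `myconext-gui` name and vice versa. Swap the two lines (`images: ghcr.io/openconext/openconext-myconext/account-gui` under `meta_account_gui`, `images: ghcr.io/openconext/openconext-myconext/myconext-gui` under the other) and rename `meta_server_gui` to `meta_myconext_gui` so the id says what it holds. Both pushes succeed, so nothing in CI flags this; it only surfaces when a deployment pulls the wrong SPA.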
diff --git a/account-gui/docker/conf/000-default.conf b/account-gui/docker/conf/000-default.conf new file mode 100644 index 00000000..d6a38e6a --- /dev/null +++ b/account-gui/docker/conf/000-default.conf 
@@ -0,0 +1,59 @@ +ServerName https://${HTTPD_SERVERNAME} +RewriteEngine on +RewriteCond %{REQUEST_URI} !\.html$ +RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ +RewriteCond %{REQUEST_URI} !\.svg$ +RewriteCond %{REQUEST_URI} !\.png$ +RewriteCond %{REQUEST_URI} !\.ico$ +RewriteCond %{REQUEST_URI} !\.woff$ +RewriteCond %{REQUEST_URI} !\.woff2$ +RewriteCond %{REQUEST_URI} !\.ttf$ +RewriteCond %{REQUEST_URI} !\.eot$ +RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ +RewriteCond %{REQUEST_URI} !^/myconext +RewriteCond %{REQUEST_URI} !^/mobile +RewriteCond %{REQUEST_URI} !^/tiqr +RewriteCond %{REQUEST_URI} !^/config +RewriteCond %{REQUEST_URI} !^/register +RewriteCond %{REQUEST_URI} !^/doLogin +RewriteCond %{REQUEST_URI} !^/doLogout +RewriteCond %{REQUEST_URI} !^/create-from-institution-login +RewriteCond %{REQUEST_URI} !^/saml +RewriteCond %{REQUEST_URI} !^/actuator +RewriteCond %{REQUEST_URI} !^/internal +RewriteCond %{REQUEST_URI} !^/fonts +RewriteCond %{REQUEST_URI} !^/.well-known +RewriteRule (.*) /index.html [L] + +ProxyPass /myconext/api http://myconext:8080/myconext/api retry=0 +ProxyPassReverse /myconext/api http://myconext:8080/myconext/api + +ProxyPass /mobile http://myconext:8080/mobile retry=0 +ProxyPassReverse /mobile http://myconext:8080/mobile + +ProxyPass /tiqr http://myconext:8080/tiqr retry=0 +ProxyPassReverse /tiqr http://myconext:8080/tiqr + +ProxyPass /saml/guest-idp http://myconext:8080/saml/guest-idp retry=0 +ProxyPassReverse /saml/guest-idp http://myconext:8080/saml/guest-idp + +ProxyPass /actuator http://myconext:8080/internal retry=0 +ProxyPass /internal http://myconext:8080/internal retry=0 +ProxyPass /config http://myconext:8080/config retry=0 +ProxyPass /register http://myconext:8080/register retry=0 +ProxyPass /doLogin http://myconext:8080/doLogin retry=0 +ProxyPass /doLogout http://myconext:8080/doLogout retry=0 +ProxyPass /create-from-institution-login http://myconext:8080/create-from-institution-login retry=0 + +DocumentRoot 
"/var/www" + + + Require all granted + Options -Indexes + + +Header always set X-Frame-Options "DENY" +Header always set Referrer-Policy "same-origin" +Header always set X-Content-Type-Options "nosniff" + + diff --git a/myconext-gui/docker/Dockerfile b/myconext-gui/docker/Dockerfile index fc665ace..a46e57c8 100644 --- a/myconext-gui/docker/Dockerfile +++ b/myconext-gui/docker/Dockerfile @@ -1,2 +1,4 @@ FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest COPY ./build/ /var/www/ +COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf + diff --git a/myconext-gui/docker/conf/000-default.conf b/myconext-gui/docker/conf/000-default.conf new file mode 100644 index 00000000..e810606b --- /dev/null +++ b/myconext-gui/docker/conf/000-default.conf 
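Review bot: `/internal` and `/actuator` are both proxied straight to `http://myconext:8080/internal` with no access control of their own, so whatever the backend serves there (presumably health or metrics endpoints, going by the name) becomes reachable from the public vhost under two paths. Wrap them in a `<Location /internal>` / `<Location /actuator>` block with `Require ip <monitoring ranges>` or `Require local`, or drop the public aliases and let monitoring reach the backend directly. The Apache container directives (`<VirtualHost>`, `<Directory>`, `<Location>`) appear to have been lost in this rendering of the patch, so the scope of the `Require all granted` block cannot be verified here — worth confirming in the file that it covers only `/var/www`. The `!^/.well-known` RewriteCond also has an unescaped `.`, and prefix conditions such as `!^/myconext` exclude any path starting with those letters, so near-miss paths fall through to a 404 instead of the SPA; anchoring them with a trailing `/` keeps the fallback predictable.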
@@ -0,0 +1,87 @@ +ServerName https://${HTTPD_SERVERNAME} +RewriteEngine on + +RewriteCond %{REQUEST_URI} !\.html$ +RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ +RewriteCond %{REQUEST_URI} !\.svg$ +RewriteCond %{REQUEST_URI} !\.png$ +RewriteCond %{REQUEST_URI} !\.ico$ +RewriteCond %{REQUEST_URI} !\.woff$ +RewriteCond %{REQUEST_URI} !\.woff2$ +RewriteCond %{REQUEST_URI} !\.ttf$ +RewriteCond %{REQUEST_URI} !\.eot$ +RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ +RewriteCond %{REQUEST_URI} !^/myconext +RewriteCond %{REQUEST_URI} !^/tiqr +RewriteCond %{REQUEST_URI} !^/actuator +RewriteCond %{REQUEST_URI} !^/internal +RewriteCond %{REQUEST_URI} !^/config +RewriteCond %{REQUEST_URI} !^/login +RewriteCond %{REQUEST_URI} !^/startSSO +RewriteCond %{REQUEST_URI} !^/fonts +RewriteCond %{REQUEST_URI} !^/.well-known +RewriteRule (.*) /index.html [L] + +ProxyPass /Shibboleth.sso ! + +ProxyPass /myconext/api http://myconext:8080/myconext/api +ProxyPassReverse /myconext/api http://myconext:8080/myconext/api + +ProxyPass /tiqr http://myconext:8080/tiqr +ProxyPassReverse /tiqr http://myconext:8080/tiqr + +ProxyPass /internal http://myconext:8080/internal +ProxyPass /actuator http://myconext:8080/internal +ProxyPass /login http://myconext:8080/login +ProxyPass /startSSO http://myconext:8080/startSSO +ProxyPass /config http://myconext:8080/config + + + AuthType shibboleth + ShibUseHeaders On + ShibRequireSession On + Require valid-user + + +DocumentRoot "/var/www" + + + Require all granted + Options -Indexes + + +# Public endpoints + + Require all granted + + +# After logout / delete + + Require all granted + + + + Require all granted + + + + Require all granted + + +# Svelte resources + + Require all granted + + + + Require all granted + + + + Require all granted + + +Header always set X-Frame-Options "DENY" +Header always set Referrer-Policy "same-origin" +Header always set X-Content-Type-Options "nosniff" +
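Review bot: `ShibUseHeaders On` makes mod_shib hand the SP attributes to the proxied backend as plain HTTP request headers, which is the only workable option behind a reverse proxy but makes the backend's authentication depend on those headers being unforgeable: mod_shib clears client-supplied copies of the headers it is configured to set, but `myconext:8080` must then be reachable only through this Apache, and any header the backend trusts that is not in the SP attribute map is spoofable. Document that requirement next to the directive, e.g. `# Backend trusts Shib attribute headers; port 8080 must only be reachable via this proxy`, and make sure the container network enforces it. The `<Location>` container lines seem to have been stripped from this rendering, so which paths are opened with `Require all granted` against the Shib-protected default cannot be checked here; `/internal` and `/actuator` (both proxied to the backend's `/internal`) should not be among the public ones unless restricted with `Require ip`. Minor inconsistency: the account-gui config adds `retry=0` to each `ProxyPass` and this one does not, so backend outages are handled differently by the two front ends.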