Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add workflow to publish nginx and service images to GHCR #676

Merged
merged 8 commits into from
Jun 26, 2024
Merged
Show file tree
Hide file tree
Changes from 7 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions .github/workflows/ghcr.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: GHCR

on:
workflow_dispatch:
push:
branches: [master]
tags: ["v*.*.*"]

env:
REGISTRY: ghcr.io

jobs:
build-push-image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write

strategy:
matrix:
image: [nginx, service]

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
submodules: recursive

- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/central-${{ matrix.image }}

- name: Set up QEMU emulator for multi-arch images
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build and push ${{ matrix.image }} Docker image
uses: docker/build-push-action@v5
with:
file: ${{ matrix.image }}.dockerfile
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: 'linux/amd64,linux/arm64'
9 changes: 7 additions & 2 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,8 +77,6 @@ services:
nginx:
build:
context: .
args:
- OIDC_ENABLED=${OIDC_ENABLED:-false}
dockerfile: nginx.dockerfile
depends_on:
- service
Expand All @@ -90,6 +88,13 @@ services:
- SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
- SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
- SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
- OIDC_ENABLED=${OIDC_ENABLED:-false}
volumes:
- ./files/local/customssl/:/etc/customssl/live/local/:ro
- ./files/nginx/redirector.conf:/etc/nginx/conf.d/redirector.conf:ro
- ./files/nginx/common-headers.conf:/usr/share/odk/nginx/common-headers.conf:ro
- ./files/nginx/odk.conf.template:/usr/share/odk/nginx/odk.conf.template:ro
- ./files/nginx/client-config.json.template:/usr/share/odk/nginx/client-config.json.template:ro
ports:
- "${HTTP_PORT:-80}:80"
- "${HTTPS_PORT:-443}:443"
Expand Down
11 changes: 10 additions & 1 deletion files/nginx/setup-odk.sh
Original file line number Diff line number Diff line change
@@ -1,5 +1,15 @@
#!/bin/bash


echo "writing client config..."
if [[ $OIDC_ENABLED != 'true' ]] && [[ $OIDC_ENABLED != 'false' ]]; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is more robust, but we don't do any other such checking elsewhere. I'd bias toward if true, then it's enabled. If it's anything else, it's not enabled.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This came in as part of other work. I'd rather leave it like this here and file an issue to reconsider if you really want.

echo 'OIDC_ENABLED must be either true or false'
exit 1
fi

envsubst < /usr/share/odk/nginx/client-config.json.template > /usr/share/nginx/html/client-config.json


DH_PATH=/etc/dh/nginx.pem
if [ "$SSL_TYPE" != "upstream" ] && [ ! -s "$DH_PATH" ]; then
openssl dhparam -out "$DH_PATH" 2048
Expand All @@ -17,7 +27,6 @@ fi

# start from fresh templates in case ssl type has changed
echo "writing fresh nginx templates..."
cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll likely need to add this back. It was there because if you go from upstream to letsencrypt, the file at /etc/nginx/conf.d/redirector.conf gets overwritten and you need a fresh template.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh, yes. I've added a comment.

CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
< /usr/share/odk/nginx/odk.conf.template \
Expand Down
12 changes: 5 additions & 7 deletions nginx.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,6 @@ RUN apt-get update \
COPY ./ ./
RUN files/prebuild/write-version.sh
RUN files/prebuild/build-frontend.sh
ARG OIDC_ENABLED
RUN files/prebuild/write-client-config.sh



Expand All @@ -21,17 +19,17 @@ FROM jonasal/nginx-certbot:5.0.1
EXPOSE 80
EXPOSE 443

VOLUME [ "/etc/dh", "/etc/selfsign", "/etc/nginx/conf.d" ]
ENTRYPOINT [ "/bin/bash", "/scripts/setup-odk.sh" ]
# Persist Diffie-Hellman parameters and/or selfsign key
VOLUME [ "/etc/dh", "/etc/selfsign" ]

RUN apt-get update && apt-get install -y netcat-openbsd

RUN mkdir -p /usr/share/odk/nginx/

COPY files/nginx/setup-odk.sh /scripts/
COPY files/local/customssl/*.pem /etc/customssl/live/local/
COPY files/nginx/*.conf* /usr/share/odk/nginx/
RUN chmod +x /scripts/setup-odk.sh

COPY --from=intermediate client/dist/ /usr/share/nginx/html
COPY --from=intermediate /tmp/version.txt /usr/share/nginx/html
COPY --from=intermediate /tmp/client-config.json /usr/share/nginx/html

ENTRYPOINT [ "/scripts/setup-odk.sh" ]