Docker: Create a parameters.yaml.dist that works in a docker dev env (#405)

quartje · danakim · MKodde · web-flow · commit dd365098f90f · 2023-09-06T14:11:13.000+02:00
* Docker: Create a paramaters.yaml.dist that works in a docker dev environment

* parameters.yml.dist: Create sensible MariaDB usernames and secrets

* Parameters.yaml.dist: Change secrets to a unique secret

* Adding the Dockerfile and required configs

* Adding the Github workflows

* Testing the build

* We were copying from the wrong places

* GHA: Add dispatch option to the docker build action

* Default docker config: Add mailcatcher host

* Fix loas in the docker config

* Add demo gssp to the docker config

* Docker: Chown the var directory

* Docker: Fix permissions on the cache dir

* Docker: Add monolog configuration when running as a container
This will let the logs go to stdout when running as a container, which
is the Docker way to send logs

* Correct uri for selfservice

* Change the self-asserted loa to match the regular

* Fix a typo

* sed -i 's/authentication/assurance/'

* Rename loa's to a more standard name

---------

Co-authored-by: Dan &lt;dan@hostatic.ro&gt;
Co-authored-by: Michiel Kodde &lt;mkodde@ibuildings.nl&gt;
diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml
@@ -0,0 +1,48 @@
+name: build-push-docker-image
+
+#on: workflow_dispatch
+on:
+  push:
+    branches: feature/docker_configs
+  workflow_dispatch:
+
+jobs:
+  build-push-docker-image:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Get the latest release
+        id: release
+        uses: robinraju/release-downloader@v1.7
+        with:
+          latest: true
+          fileName: "*.tar.bz2"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push the Production image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: docker/Dockerfile.prod
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/openconext/stepup-middleware/stepup-middleware:prod
+            ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ github.sha }}
+            ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ steps.release.outputs.tag_name }}
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -62,3 +62,11 @@ jobs:
         with:
           release_id: ${{ steps.create_release.outputs.id }}
 
+  after_build:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Docker container build
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: build-push-docker-image.yml
diff --git a/config/legacy/parameters.yaml.dist b/config/legacy/parameters.yaml.dist
@@ -1,11 +1,11 @@
 parameters:
-    application_name: StepUp Middleware
+    application_name: OpenConext Middleware
     # IP addresses of any HTTP proxies that are sitting in from of the application
     # See: http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html
     trusted_proxies:   ~
 
     database_driver:   pdo_mysql
-    database_host:     10.10.0.100
+    database_host:     mariadb
     database_port:     ~
     # Enabling the STRICT_ALL_TABLES SQL mode. To prevent 'magic' truncation problems where string
     # values like the identity name id would be truncated after 255 characters without notice. Enabling
@@ -17,16 +17,16 @@ parameters:
     # Also see: https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration
     database_server_version: mariadb-10.0.38
     database_middleware_name:     middleware
-    database_middleware_user:     middleware
-    database_middleware_password: middleware
+    database_middleware_user:     middleware_user
+    database_middleware_password: middleware_secret
     database_gateway_name:     gateway
-    database_gateway_user:     gateway
-    database_gateway_password: gateway
-    database_deploy_user:      deploy
-    database_deploy_password:  deploy
+    database_gateway_user:     mw_gateway_user
+    database_gateway_password: mw_gateway_secret
+    database_deploy_user:      mw_deploy_user
+    database_deploy_password:  mw_deploy_secret
 
     mailer_transport:  smtp
-    mailer_host:       127.0.0.1
+    mailer_host:       mailcatcher
     mailer_port:       25
     mailer_user:       ''
     mailer_password:   ''
@@ -46,35 +46,39 @@ parameters:
     # - readonly access to all endpoints - user "apireader"
     # - management - user "management"
     # - GDPR compliance: deprovision and retrieval of user information - user "lifecycle"
-    selfservice_api_password: OI7Wr63wxx2-Pel
-    registration_authority_api_password: BAeBxn813SB4_QX
-    readonly_api_password: wkpTzg.CJzc5sWU
-    management_password: UktsgjiFJOSP87d
-    lifecycle_password: AXn0n9cOFymT_oF
+    selfservice_api_password: sa_secret
+    registration_authority_api_password: ra_secret
+    readonly_api_password: secret
+    management_password: secret
+    lifecycle_password: secret
 
-    self_service_email_verification_url_template: https://selfservice.tld/verify-email?n={nonce}
-    email_sender_name: SURFnet bv
-    email_sender_email: noreply@surfnet.nl
+    self_service_email_verification_url_template: https://selfservice.dev.openconext.local/verify-email?n={nonce}
+    email_sender_name: OpenConext DEV environment
+    email_sender_email: noreply@dev.openconext.local
 
-    email_verification_window: 3600 # the amout of seconds the email verification email/url is valid
+    email_verification_window: 3600 # the amount of seconds the email verification email/url is valid
 
-    stepup_loa_loa1: https://gateway.tld/authentication/loa1
-    stepup_loa_loa2: https://gateway.tld/authentication/loa2
-    stepup_loa_loa3: https://gateway.tld/authentication/loa3
-    stepup_loa_self_asserted: 'http://stepup.example.com/assurance/loa-self-asserted'
+    stepup_loa_loa1: http://dev.openconext.local/assurance/loa1
+    stepup_loa_loa2: http://dev.openconext.local/assurance/loa2
+    stepup_loa_loa3: http://dev.openconext.local/assurance/loa3
+    stepup_loa_self_asserted: 'http://dev.openconext.local/assurance/loa1.5'
 
-    self_service_url: https://selfservice.tld
+    self_service_url: https://selfservice.dev.openconext.local
 
     enabled_generic_second_factors:
-        biometric:
-            loa: 3
+        azuremfa:
+            loa: 2
         tiqr:
+            loa: 2
+        webauthn:
+            loa: 3
+        demo_gssp:
             loa: 3
 
     second_factors_display_name:
       yubikey: Yubikey
       azuremfa: AzureMFA
-      webauthn: WebAuthn
+      webauthn: FIDO2
       tiqr: Tiqr
       demo_gssp: GSSP Demo
       demo_gssp_2: GSSP Demo 2
diff --git a/config/packages/prod/monolog.yaml.docker b/config/packages/prod/monolog.yaml.docker
@@ -0,0 +1,12 @@
+monolog:
+    handlers:
+        prod-signaler:
+            type: fingers_crossed
+            action_level: ERROR
+            passthru_level: NOTICE # this means that all message of level NOTICE or higher are always logged
+            handler: main_syslog
+            bubble: false # if we handle it, nothing else should
+        main_syslog:
+            type: stream
+            path: "php://stderr"
+            formatter: surfnet_stepup.monolog.json_formatter
diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod
@@ -0,0 +1,20 @@
+FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest AS php-build
+COPY *.tar.bz2 /tmp/
+RUN tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/ && \
+  rm -rf /tmp/*.tar.bz2
+
+# Add the application configuration files
+COPY .env .env
+COPY config/legacy/parameters.yaml.dist config/legacy/parameters.yaml
+COPY config/packages/prod/monolog.yaml.docker config/packages/prod/monolog.yaml
+
+# Add the config files for Apache2
+RUN rm -rf /etc/apache2/sites-enabled/*
+COPY ./docker/conf/middleware-apache2.conf /etc/apache2/sites-enabled/middleware.conf
+RUN rm -rf /var/www/html/var/cache/prod && chown -R www-data /var/www/html/var
+EXPOSE 80
+
+# Set the default workdir
+WORKDIR /var/www/html
+
+CMD ["apache2-foreground"]
diff --git a/docker/conf/middleware-apache2.conf b/docker/conf/middleware-apache2.conf
@@ -0,0 +1,34 @@
+<Virtualhost *:80>
+    ServerName  middleware
+    ServerAdmin admin@surf.nl
+
+    DocumentRoot /var/www/html/public
+    SetEnv HTTPS on
+    SetEnv APP_ENV prod
+    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
+    <Directory "/var/www/html/public">
+        Require all granted
+
+        Options -MultiViews
+        RewriteEngine On
+        RewriteCond %{REQUEST_FILENAME} !-f
+        RewriteRule ^(.*)$ index.php [QSA,L]
+    </Directory>
+    <Location />
+        Require all granted
+    </Location>
+
+    Header always set X-Content-Type-Options "nosniff"
+
+    # Set the php application handler so mod_php interpets the files
+    <FilesMatch \.php$>
+        SetHandler application/x-httpd-php
+    </FilesMatch>
+
+    ExpiresActive on
+    ExpiresByType font/* "access plus 1 year"
+    ExpiresByType image/* "access plus 6 months"
+    ExpiresByType text/css "access plus 1 year"
+    ExpiresByType text/js "access plus 1 year"
+</VirtualHost>
