Support reverse proxies + CI integration test

.env

@@ -30,7 +30,7 @@ CONSISTENCY=delegated
 ISLANDORA_REPOSITORY=islandora
 
 # The version of the isle-buildkit images to use.
-ISLANDORA_TAG=3.2.4
+ISLANDORA_TAG=3.2.5
 
 # The Docker image repository, to push/pull custom images from.
 # islandora.io redirects to localhost.
@@ -42,6 +42,19 @@ TAG=local
 # The domain at which your production site is hosted.
 DOMAIN=islandora.dev
 
+# Set to "on" if your ISLE docker deployment is behind a reverse proxy
+REVERSE_PROXY=off
+
+# This list should be all the IPs in front of your Drupal docker container
+# this is used to pass the original client IP to the drupal container so
+# drupal/php is aware of who sent the original request
+# if you're not behind a reverse proxy, you probably do not need to edit these IPs
+# if you are behind a reverse proxy, most likely you can just replace FRONTEND_IP_1
+# with the IP address used on your front end // reverse proxy domain
+FRONTEND_IP_1=127.0.0.1/32
+FRONTEND_IP_2=172.0.0.0/8
+FRONTEND_IP_3=192.168.0.0/16
+
 # The email to use for admin users and Lets Encrypt.
 [email protected]
 

.github/workflows/integration-test.yml

@@ -0,0 +1,45 @@
+name: Run tests
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      buildkit-tag:
+        description: "The isle-buildkit tag to pull for the fleet of docker containers"
+        required: true
+        type: string
+        default: 'main'
+      starter-site-ref:
+        description: "The islandora-starter-site ref to checkout (heads/BRANCH-NAME or tags/TAG-NAME)"
+        required: true
+        type: string
+        default: 'heads/main'
+  schedule:
+    - cron: '15 11 * * *'
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      ISLANDORA_TAG: "${{ github.event.inputs.buildkit-tag }}"
+      ISLANDORA_STARTER_REF: "${{ github.event.inputs.starter-site-ref }}"
+    steps:
+      - uses: actions/checkout@v4
+
+      - run: shellcheck tests/*.sh
+
+      - name: install mkcert
+        run: |-
+          curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
+          chmod +x mkcert-v*-linux-amd64
+          sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert
+
+      - name: start islandora-starter-site
+        run: ./tests/init-template-starter.sh
+
+      - name: Notify Slack on nightly test failure
+        if: failure() && github.event_name == 'schedule'
+        run: |-
+          curl -s -o /dev/null -XPOST $SLACK_WEBHOOK_URL -d '{
+            "text": "🚨 Scheduled job failed! Click to view the run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+          }'
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

docker-compose.yml

@@ -360,6 +360,10 @@ services:
             DRUPAL_DEFAULT_MATOMO_URL: "https://${DOMAIN}/matomo/"
             DRUPAL_DEFAULT_SITE_URL: "${DOMAIN}"
             DRUPAL_DRUSH_URI: "https://${DOMAIN}"
+            NGINX_REAL_IP_RECURSIVE: ${REVERSE_PROXY}
+            NGINX_SET_REAL_IP_FROM: ${FRONTEND_IP_1}
+            NGINX_SET_REAL_IP_FROM2: ${FRONTEND_IP_2}
+            NGINX_SET_REAL_IP_FROM3: ${FRONTEND_IP_3}
         labels:
             <<: [*traefik-enable, *traefik-https-redirect-middleware, *traefik-drupal-labels]
             traefik.http.routers.drupal_http.rule: &traefik-host-drupal-prod Host(`${DOMAIN}`)
@@ -663,6 +667,8 @@ services:
             --api.debug=false
             --entryPoints.http.address=:80
             --entryPoints.https.address=:443
+            --entryPoints.http.forwardedHeaders.trustedIPs=${FRONTEND_IP_1},${FRONTEND_IP_2},${FRONTEND_IP_3}
+            --entryPoints.https.forwardedHeaders.trustedIPs=${FRONTEND_IP_1},${FRONTEND_IP_2},${FRONTEND_IP_3}
             --entrypoints.https.http.tls.certResolver=resolver
             --providers.file.filename=/etc/traefik/tls.yml
             --providers.docker

setup.sh

@@ -102,7 +102,7 @@ function initialize_from_site_template {
   echo "Initializing from site template..."
   ref=$(choose_ref "${repo}")
   curl -L "${repo}/archive/${ref}.tar.gz" | tar -xz --strip-components=1
-  rm -fr .github setup.sh
+  rm -fr .github setup.sh tests
   git add .
   git commit -am "First commit, added isle-site-template."
 }

tests/init-template-starter.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+if [ ! -v ISLANDORA_STARTER_REF ] || [ "$ISLANDORA_STARTER_REF" = "" ]; then
+  ISLANDORA_STARTER_REF=heads/main
+fi
+
+if [ ! -v ISLANDORA_TAG ] || [ "$ISLANDORA_TAG" = "" ]; then
+  ISLANDORA_TAG=main
+fi
+
+mv drupal/rootfs/var/www/drupal/assets/patches/default_settings.txt .
+
+curl -L "https://github.com/Islandora-Devops/islandora-starter-site/archive/refs/${ISLANDORA_STARTER_REF}.tar.gz" \
+  | tar --strip-components=1 -C drupal/rootfs/var/www/drupal -xz
+
+mv default_settings.txt drupal/rootfs/var/www/drupal/assets/patches/default_settings.txt
+
+./generate-certs.sh
+./generate-secrets.sh
+
+docker compose --profile dev up -d
+
+./tests/ping.sh

tests/ping.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+COUNTER=0
+while true; do
+  HTTP_STATUS=$(curl -w '%{http_code}' -o /dev/null -s https://islandora.dev/)
+  echo "Ping returned http status ${HTTP_STATUS}, exit code $?"
+  if [ "${HTTP_STATUS}" -eq 200 ]; then
+    echo "We're live 🚀"
+    exit 0
+  fi
+
+  ((COUNTER++))
+  if [ "${COUNTER}" -eq 50 ]; then
+    echo "Failed to come online after 4m"
+    exit 1
+  fi
+  sleep 5;
+done