A revised docker build procedure and infrastructure (#79)

* (feat) Cue network defaults by hostname
(feat) Button to remove browser settings

* (fix) Build fixes

* (feat) Current state of the world - a new dockerfile and a start at container builds in CD

* (fix) Prettier

* (feat) cd files
(feat) If you start up with no erigonURL defined, default to the first configured connection

* (feat) update build container base OS

* (hack) Deploy to staging for testing.

* (fix) Actually push the image

* (fix) Fix config
(feat) Health check now checks the root, which is at least makes sure we can serve something.

* (fix) prettier

* (fix) Remove hacks from cicd-stg.yaml

* (fix) Fix oddly assigned env var

* (fix) "yes", it turns out, is also a bool. Try "disable" to make the configuration apply

.github/workflows/cicd-stg.yaml

@@ -0,0 +1,136 @@
+name: "CICD staging"
+
+on:
+  # Test run before merging
+  pull_request:
+    branches:
+      - main
+  # On merged
+  push:
+    branches:
+      - main
+
+jobs:
+  build-makefile:
+    permissions:
+      id-token: write
+      contents: write
+    runs-on: ubuntu-24.04
+    # To test deployments, remove the github.ref_name clause: see devops/docs/z2-testing-apps.md - rrw 2024-04-12
+    # && github.ref_name == 'main'
+    if: github.actor != 'dependabot[bot]'
+    name: "Build image with Makefile"
+    strategy:
+      fail-fast: false
+      matrix:
+        application: [otterscan]
+        include:
+          - application: otterscan
+            image_name: otterscan
+            path: .
+            tag_length: 8
+            tag_latest: false
+    env:
+      DOCKER_DOMAIN: asia-docker.pkg.dev
+      REGISTRY: asia-docker.pkg.dev/prj-d-devops-services-4dgwlsse/zilliqa-public
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        with:
+          submodules: recursive
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 0
+
+      - name: "Authenticate to Google Cloud - staging"
+        id: google-auth
+        uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa"
+        with:
+          token_format: "access_token"
+          workload_identity_provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}"
+          service_account: "${{ secrets.GCP_STG_GITHUB_SA_DOCKER_REGISTRY }}"
+          create_credentials_file: true
+
+      - name: Login to the registry - staging
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
+        with:
+          registry: ${{ env.DOCKER_DOMAIN }}
+          username: "oauth2accesstoken"
+          password: "${{ steps.google-auth.outputs.access_token }}"
+
+      - name: Get tag version - staging
+        id: set-tag
+        uses: Zilliqa/gh-actions-workflows/actions/generate-tag@v1
+        with:
+          tag: ${{ env.REGISTRY }}/${{ matrix.image_name }}
+          length: ${{ matrix.tag_length }}
+
+      - name: "Build and push ${{ matrix.application }} - staging"
+        env:
+          ENVIRONMENT: stg
+          IMAGE_TAG: ${{ steps.set-tag.outputs.tags }}
+        run: |
+          cd ${{ matrix.path }}
+          make image/build-and-push
+
+      - name: "Build and push ${{ matrix.application }} tag latest - staging"
+        if: ${{ matrix.tag_latest == true }}
+        env:
+          ENVIRONMENT: stg
+          IMAGE_TAG: "${{ env.REGISTRY }}/${{ matrix.image_name }}:latest"
+        run: |
+          cd ${{ matrix.path }}
+          make image/build-and-push
+
+  deploy-to-staging:
+    needs: [build-makefile]
+    permissions:
+      id-token: write
+      contents: write
+    runs-on: ubuntu-22.04
+    if: github.actor != 'dependabot[bot]' && github.ref_name == 'main'
+    strategy:
+      fail-fast: false
+      matrix:
+        application:
+          - developer-portal
+    env:
+      APP_NAME: ${{ matrix.application }}
+      Z_ENV: infra/live/gcp/non-production/prj-d-staging/z_ase1.yaml
+      Z_SERVICE_ACCOUNT: ${{ secrets.GCP_STG_GITHUB_SA_K8S_DEPLOY }}
+      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_STG }}
+      GITHUB_PAT: ${{ secrets.GH_PAT }}
+      Z_IMAGE: asia-docker.pkg.dev/prj-d-devops-services-4dgwlsse/zilliqa-private/z:latest
+      REGISTRY: asia-docker.pkg.dev
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        with:
+          repository: Zilliqa/devops
+          token: ${{ env.GITHUB_PAT }}
+          ref: main
+          sparse-checkout: |
+            ${{ env.Z_ENV }}
+
+      - name: Authenticate to Google Cloud
+        id: google-auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa
+        with:
+          token_format: "access_token"
+          workload_identity_provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}"
+          service_account: ${{ env.Z_SERVICE_ACCOUNT }}
+          create_credentials_file: true
+
+      - name: Deploy application
+        run: |
+          gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://${{ env.REGISTRY }}
+          docker run --rm \
+              -e ZQ_USER='${{ env.Z_SERVICE_ACCOUNT }}' \
+              -e Z_ENV='/devops/${{ env.Z_ENV }}' \
+              -e OP_SERVICE_ACCOUNT_TOKEN='${{ env.OP_SERVICE_ACCOUNT_TOKEN }}' \
+              -e GITHUB_PAT='${{ env.GITHUB_PAT }}' \
+              -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/google/application_default_credentials.json' \
+              -v `pwd`:/devops \
+              -v ${{ steps.google-auth.outputs.credentials_file_path }}:/google/application_default_credentials.json \
+              --name z_container ${{ env.Z_IMAGE }} \
+              bash -c "gcloud config set account ${{ env.Z_SERVICE_ACCOUNT }} && z /app /devops app sync --cache-dir .cache ${{ env.APP_NAME }}"

.github/workflows/docker-publish.yaml

@@ -83,14 +83,11 @@ jobs:
             type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
             type=semver,pattern={{raw}}
 
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+      - name: "Build and push ${{ matrix.application }}"
+        env:
+          ENVIRONMENT: stg
+          IMAGE_TAG: ${{ steps.set-tag.outputs.tags }}
+        run: |
+          cd ${{ matrix.path }}
+          make image/build-and-push
+

Dockerfile.zilliqa

@@ -0,0 +1,26 @@
+FROM node:22.9.0-alpine3.19 AS builder
+WORKDIR /otterscan-build
+COPY --link ["package.json", "package-lock.json", "/otterscan-build/"]
+RUN npm ci --fetch-timeout 6000000 --verbose
+COPY --link ["run-nginx.sh", "tsconfig.json", "tsconfig.node.json", "postcss.config.js", "tailwind.config.js", "vite.config.ts", "index.html", "/otterscan-build/"]
+COPY --link ["public", "/otterscan-build/public/"]
+COPY --link ["src", "/otterscan-build/src/"]
+COPY --link ["autogen", "/otterscan-build/autogen/"]
+RUN npm run just-build
+
+FROM nginx:1.27.3-alpine3.20
+RUN set -ex \
+    && apk update \
+    && apk add nginx-mod-http-brotli jq
+WORKDIR /usr/share/nginx/html/
+COPY --link --from=otterscan/otterscan-assets:v1.1.1 /usr/share/nginx/html/chains chains/
+COPY --link --from=otterscan/otterscan-assets:v1.1.1 /usr/share/nginx/html/topic0 topic0/
+COPY --link --from=otterscan/otterscan-assets:v1.1.1 /usr/share/nginx/html/assets assets/
+COPY --link --from=otterscan/otterscan-assets:v1.1.1 /usr/share/nginx/html/signatures signatures/
+COPY --link nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
+COPY --link nginx/nginx.conf /etc/nginx/nginx.conf
+COPY --link --from=builder /otterscan-build/dist /usr/share/nginx/html/
+COPY --link --from=builder /otterscan-build/run-nginx.sh /
+WORKDIR /
+
+CMD ["/run-nginx.sh"]

Makefile

@@ -0,0 +1,24 @@
+.PHONY: all
+all: image/build-and-push
+
+.ONESHELL:
+SHELL := /bin/bash
+.SHELLFLAGS = -ec
+
+ENVIRONMENT ?= dev
+VALID_ENVIRONMENTS := dev stg prd
+# Check if the ENVIRONMENT variable is in the list of valid environments
+ifeq ($(filter $(ENVIRONMENT),$(VALID_ENVIRONMENTS)),)
+$(error Invalid value for ENVIRONMENT. Valid values are dev, stg, or prd.)
+endif
+
+HERE=$(shell pwd)
+
+IMAGE_TAG ?= otterscan:latest
+export IMAGE_TAG
+
+.PHONY: image/build-and-push
+image/build-and-push:
+	./scripts/gen-version.sh autogen/version.ts
+	docker buildx build -f Dockerfile.zilliqa . -t "${IMAGE_TAG}"
+	docker push "${IMAGE_TAG}"

cd/base/backend-config.yaml

@@ -0,0 +1,11 @@
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+  name: otterscan
+  namespace: otterscan
+  labels:
+    app.kubernetes.io/name: "otterscan"
+spec:
+  timeoutSec: 120
+  healthCheck:
+    requestPath: /health

cd/base/deployment.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: otterscan
+  namespace: otterscan
+  labels:
+    app.kubernetes.io/name: "otterscan"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: "otterscan"
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: "otterscan"
+    spec:
+      containers:
+        - image: otterscan
+          name: otterscan
+          env:
+            - name: DISABLE_CONFIG_OVERWRITE
+              value: "disable"
+          volumeMounts:
+            - name: config-vol
+              subPath: config.json
+              mountPath: /usr/share/nginx/html/config.json
+          ports:
+            - containerPort: 80
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              memory: 100Mi
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 80
+      volumes:
+        - name: config-vol
+          configMap:
+            name: config

cd/base/frontend-config.yaml

@@ -0,0 +1,11 @@
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: developer-portal
+  namespace: developer-portal
+  labels:
+    app.kubernetes.io/name: "otterscan"
+spec:
+  redirectToHttps:
+    enabled: true
+    responseCodeName: RESPONSE_CODE

cd/base/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: otterscan
+  namespace: otterscan
+  labels:
+    app.kubernetes.io/name: "otterscan"
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+spec:
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: otterscan
+                port:
+                  number: 80

cd/base/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - svc.yaml
+  - ingress.yaml
+  - backend-config.yaml
+  - frontend-config.yaml

cd/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: developer-portal

cd/base/svc.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: otterscan
+  namespace: otterscan
+  labels:
+    app.kubernetes.io/name: "otterscan"
+  annotations:
+    beta.cloud.google.com/backend-config: '{"default": "otterscan"}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: "otterscan"

cd/overlays/staging/certificate.yaml

@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: otterscan
+spec:
+  domains:
+    - otterscan.zilstg.dev