* docker image and configuration * add auto build action * add directory .github * add ansible and workflows * correct name change * github actions adjusted to h5p * remove secretref * remove secret task * add Readme comment security context * change port to 8080 * path corrector * add location nginx.conf * clean folder and use Port Var * nginx.conf: handle only exact /ping * add security user / change nginx config * syntax corrector * use debian for build stage * add nginx user * add when option and h5p-ingress config * add same specific version to the Libraries as Lumi * remove docker.io image from tag.yml * remove unused variable * add variables * edit configmap * edit nginx config * set reusable workflow to main * change to WITH variable * change reusable workflow target branch to main * add release info to readme --------- Co-authored-by: Andre Blome <[email protected]> Co-authored-by: André Blome <[email protected]>
1 parent
d2fa96f
commit 6e1eb4d
Showing
14 changed files
with
376 additions
and
3 deletions.
@@ -0,0 +1,12 @@ | ||
--- | ||
name: Clean Deployment | ||
on: delete | ||
|
||
jobs: | ||
clean: | ||
uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main | ||
with: | ||
branch: ${{ github.event.ref }} | ||
secrets: | ||
token: ${{ secrets.GITHUB_TOKEN }} | ||
DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }} |
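Review bot: The `delete` event fires for tag deletions as well as branch deletions, yet the `clean` job forwards `github.event.ref` to the reusable workflow as `branch` without checking the ref type, so deleting a tag would run the cleanup with the tag name as if it were a branch. Guarding the job with `if: github.event.ref_type == 'branch'` limits the cleanup to the intended case. The workflow also sets no top-level `permissions:`, so the repository's default token permissions bound what `clean_workflow.yml` can do; an explicit `permissions:` block would make the minimum the caller grants visible here.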
@@ -0,0 +1,107 @@ | ||
name: Build and push Docker Image | ||
|
||
on: | ||
push: | ||
branches-ignore: | ||
- dependabot/** | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
build_and_push: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
packages: write | ||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Docker meta Service Name | ||
id: docker_meta_img | ||
uses: docker/metadata-action@v4 | ||
with: | ||
images: ghcr.io/${{ github.repository }} | ||
tags: | | ||
type=ref,event=branch,enable=false,priority=600 | ||
type=sha,enable=true,priority=600,prefix= | ||
- name: Log into registry | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: test image exists | ||
run: | | ||
mkdir -p ~/.docker | ||
echo '{"experimental": "enabled"}' >> ~/.docker/config.json | ||
echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV | ||
- name: Set up Docker Buildx | ||
if: ${{ env.IMAGE_EXISTS == 0 }} | ||
uses: docker/setup-buildx-action@v2 | ||
|
||
- name: Build and push ${{ github.repository }} | ||
if: ${{ env.IMAGE_EXISTS == 0 }} | ||
uses: docker/build-push-action@v3 | ||
with: | ||
context: . | ||
file: ./Dockerfile | ||
platforms: linux/amd64 | ||
push: true | ||
tags: ghcr.io/${{ github.repository }}:${{ github.sha }} | ||
labels: ${{ steps.docker_meta_img.outputs.labels }} | ||
|
||
branch_name: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
branch: ${{ steps.extract_branch.outputs.branch }} | ||
steps: | ||
- name: Extract branch name | ||
shell: bash | ||
run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT | ||
id: extract_branch | ||
|
||
deploy: | ||
needs: | ||
- build_and_push | ||
- branch_name | ||
uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main | ||
with: | ||
branch: ${{ needs.branch_name.outputs.branch }} | ||
secrets: | ||
token: ${{ secrets.GITHUB_TOKEN }} | ||
DEV_VAULT: ${{ secrets.DEV_VAULT }} | ||
DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }} | ||
|
||
deploy-successful: | ||
needs: | ||
- deploy | ||
runs-on: ubuntu-latest | ||
steps: | ||
- run: echo "deploy was successful" | ||
|
||
trivy-vulnerability-scanning: | ||
needs: | ||
- build_and_push | ||
- branch_name | ||
runs-on: ubuntu-latest | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
steps: | ||
- name: run trivy vulnerability scanner | ||
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 | ||
with: | ||
image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}' | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
severity: 'CRITICAL,HIGH' | ||
ignore-unfixed: true | ||
- name: upload trivy results | ||
if: ${{ always() }} | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: 'trivy-results.sarif' |
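Review bot: Action pinning is inconsistent within this workflow: `aquasecurity/trivy-action` is pinned to a full commit SHA, while `actions/checkout@v3`, `docker/metadata-action@v4`, `docker/login-action@v2`, `docker/setup-buildx-action@v2`, `docker/build-push-action@v3` and `github/codeql-action/upload-sarif@v2` use mutable major tags; pinning all of them to a commit SHA with the tag in a trailing comment gives the same supply-chain guarantee throughout. Separately, `deploy` depends only on `build_and_push` and `branch_name`, so the image is rolled out regardless of what `trivy-vulnerability-scanning` reports for CRITICAL/HIGH findings — if the scan is meant to gate deployment, add it to `needs:` and set trivy's `exit-code: '1'`; if it is informational only, a one-line comment on the job saying so would save the next reader the question. Minor: `>> $GITHUB_ENV` and `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_ENV"` / `>> "$GITHUB_OUTPUT"` for shell hygiene.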
@@ -0,0 +1,48 @@ | ||
--- | ||
name: Build and push Docker Image on Tag | ||
|
||
on: | ||
push: | ||
tags: | ||
- '[0-9]*' | ||
|
||
jobs: | ||
build_and_push: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Docker meta Service Name | ||
id: docker_meta_img_hub | ||
uses: docker/metadata-action@v4 | ||
with: | ||
images: quay.io/schulcloudverbund/h5p-staticfiles-server | ||
tags: | | ||
type=semver,pattern={{version}} | ||
type=semver,pattern={{major}}.{{minor}} | ||
- name: Log into docker registry | ||
uses: docker/login-action@v2 | ||
with: | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_TOKEN }} | ||
|
||
- name: Log into quay registry | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: quay.io | ||
username: ${{ secrets.QUAY_USERNAME }} | ||
password: ${{ secrets.QUAY_TOKEN }} | ||
|
||
- name: Build and push ${{ github.repository }} | ||
uses: docker/build-push-action@v4 | ||
with: | ||
context: . | ||
file: ./Dockerfile | ||
platforms: linux/amd64 | ||
push: true | ||
tags: ${{ steps.docker_meta_img_hub.outputs.tags }} | ||
labels: ${{ steps.docker_meta_img_hub.outputs.labels }} |
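Review bot: The `Log into docker registry` step (no `registry:`, so Docker Hub) authenticates with `DOCKER_USERNAME`/`DOCKER_TOKEN`, but the only image built and pushed goes to `quay.io/schulcloudverbund/h5p-staticfiles-server`, so those credentials are handed to the job without being used; dropping the step completes the commit's own "remove docker.io image from tag.yml". The job also grants `packages: write`, which is only needed for GHCR pushes — `contents: read` alone suffices for a quay.io push. `docker/build-push-action@v4` here versus `@v3` in the branch build workflow is version drift worth aligning, ideally with both pinned to a commit SHA.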
@@ -0,0 +1,40 @@ | ||
# Use Debian "builder" for build stage | ||
FROM docker.io/debian:bullseye as builder | ||
|
||
# Install git | ||
RUN apt-get update | ||
RUN apt-get install -y git | ||
|
||
# the last used version from Lumi | ||
ENV LAST_USED_H5P_LIBRARY=661d4f6c7d7b1117587654941f5fcf91acb5f4eb | ||
ENV LAST_USED_H5P_EDITOR_LIBRARY=0365b081efa8b55ab9fd58594aa599f9630268f6 | ||
|
||
# Clone H5P repositories | ||
RUN git clone https://github.com/h5p/h5p-php-library && git -C h5p-php-library checkout $LAST_USED_H5P_LIBRARY | ||
RUN git clone https://github.com/h5p/h5p-editor-php-library && git -C h5p-editor-php-library checkout $LAST_USED_H5P_EDITOR_LIBRARY | ||
|
||
# Remove unused files | ||
RUN rm h5p-php-library/*.php | ||
RUN rm h5p-editor-php-library/*.php | ||
|
||
# Use nginx as server for run stage | ||
FROM docker.io/nginx:1.25 | ||
|
||
# Copy configuration | ||
COPY nginx.conf /etc/nginx/nginx.conf | ||
|
||
# Copy H5P files to webroot | ||
RUN rm -r /usr/share/nginx/html/* | ||
COPY --from=builder /h5p-php-library /usr/share/nginx/html/core | ||
COPY --from=builder /h5p-editor-php-library /usr/share/nginx/html/editor | ||
|
||
RUN chown -R nginx:nginx /usr/share/nginx && \ | ||
chown -R nginx:nginx /var/cache/nginx && \ | ||
chown -R nginx:nginx /etc/nginx | ||
|
||
RUN touch /var/run/nginx.pid && \ | ||
chown -R nginx:nginx /var/run/nginx.pid | ||
USER nginx | ||
|
||
EXPOSE 8080 | ||
CMD ["nginx", "-g", "daemon off;"] |
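Review bot: `chown -R nginx:nginx /etc/nginx` and `chown -R nginx:nginx /usr/share/nginx` give the runtime user write access to its own server configuration and web root; nginx only needs to read both, and a compromised worker could otherwise rewrite `nginx.conf` or the served H5P files. Only `/var/cache/nginx` and the pid file need to be writable, so restrict the chown to those and leave the copied configuration and webroot root-owned. The Dockerfile copies only `nginx.conf`, while the repository also adds a `types { ... }` mime file; as written, `include mime.types;` appears to resolve to the base image's own `/etc/nginx/mime.types`, so the custom file is unused unless it is copied into place — worth confirming. Minor: merging `apt-get update` and `apt-get install -y git` into one `RUN` avoids stale-cache installs, and the two `ENV` commit SHAs would read better quoted to make clear they are opaque strings.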
@@ -1,3 +1,7 @@ | ||
# Service repo: | ||
this Repo is only to host the static Files for h5p Editor und Player | ||
from h5p Repos to the the schulcloud server | ||
# Serving the H5P Static Files: | ||
This Repo contains the docker configuration for nginx-image to serve the static Files for h5p Editor and Player from h5p Repos required by the schulcloud Application. | ||
|
||
# update von releases | ||
the docker file soll Parallel like https://github.com/Lumieducation/H5P-Nodejs-library/releases to have always same versions from : | ||
- https://github.com/h5p/h5p-php-library | ||
- https://github.com/h5p/h5p-editor-php-library |
@@ -0,0 +1,3 @@ | ||
H5P_STATICFILES_SERVER_IMAGE: quay.io/schulcloudverbund/h5p-staticfiles-server | ||
H5P_STATICFILES_SERVER_REPLICAS: 1 | ||
H5P_PORT: 8080 |
@@ -0,0 +1,3 @@ | ||
--- | ||
H5P_STATICFILES_SERVER_IMAGE: ghcr.io/hpi-schul-cloud/h5p-staticfiles-server | ||
H5P_STATICFILES_SERVER_REPLICAS: 1 |
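Review bot: This variables file defines the image and replica count but not `H5P_PORT`, which the sibling variables file sets to `8080` and which `deployment.yml.j2` and `svc.yml.j2` reference as `{{ H5P_PORT }}` with no `default()`; if this file is the only one loaded for an environment, `containerPort:` and the probe `port:` render empty and the manifest is rejected. Unless the port comes from another inventory level, add `H5P_PORT: 8080` here as well or give the templates a default. The two files also differ in whether they start with `---`; pick one convention for the role.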
@@ -0,0 +1,9 @@ | ||
galaxy_info: | ||
role_name: h5p-staticfiles-server-core | ||
author: Schul-Cloud Verbund | ||
description: Core role for the h5p static files | ||
company: Schul-Cloud Verbund | ||
license: license (AGPLv3) | ||
min_ansible_version: 2.8 | ||
galaxy_tags: [] | ||
dependencies: [] |
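Review bot: `min_ansible_version: 2.8` is an unquoted float, so a future bump to `2.10` would be read as `2.1`; quote it as `min_ansible_version: "2.8"`. `license: license (AGPLv3)` looks like a leftover from the role skeleton; Galaxy expects the license name alone, e.g. `license: AGPL-3.0`.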
@@ -0,0 +1,21 @@ | ||
- name: Service | ||
kubernetes.core.k8s: | ||
kubeconfig: ~/.kube/config | ||
namespace: "{{ NAMESPACE }}" | ||
template: svc.yml.j2 | ||
when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool | ||
|
||
- name: Configmap | ||
kubernetes.core.k8s: | ||
kubeconfig: ~/.kube/config | ||
namespace: "{{ NAMESPACE }}" | ||
template: configmap.yml.j2 | ||
apply: yes | ||
when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool | ||
|
||
- name: Deployment | ||
kubernetes.core.k8s: | ||
kubeconfig: ~/.kube/config | ||
namespace: "{{ NAMESPACE }}" | ||
template: deployment.yml.j2 | ||
when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool |
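Review bot: `apply: yes` on the Configmap task is a YAML 1.1 truthy; the Ansible convention is `apply: true`. The Service and Deployment tasks omit `apply`, so only the ConfigMap is managed with apply semantics while the other two fall back to the module's default create-or-patch behaviour — if that difference is not intended, set `apply: true` on all three so keys removed from a template also disappear on re-runs. The identical `when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool` and `kubeconfig: ~/.kube/config` on each task could move to a `block:` with a single `when`, keeping the condition in one place.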
10 changes: 10 additions & 0 deletions
10
ansible/roles/h5p-staticfiles-server-core/templates/configmap.yml.j2
@@ -0,0 +1,10 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: h5p-staticfiles-server-configmap | ||
namespace: {{ NAMESPACE }} | ||
labels: | ||
app: h5p-staticfiles-server | ||
data: | ||
TZ: "Europe/Berlin" | ||
|
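Review bot: `namespace: {{ NAMESPACE }}` is an unquoted Jinja expression; the template is rendered before YAML parsing so it works for ordinary names, but an empty or special-character value would silently change the YAML type or break the parse, and quoting as `namespace: "{{ NAMESPACE }}"` costs nothing. The same applies to `deployment.yml.j2` and `svc.yml.j2`; the tasks file already quotes it (`namespace: "{{ NAMESPACE }}"`), so this would also make the role consistent.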
67 changes: 67 additions & 0 deletions
67
ansible/roles/h5p-staticfiles-server-core/templates/deployment.yml.j2
@@ -0,0 +1,67 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: h5p-staticfiles-server-deployment | ||
namespace: {{ NAMESPACE }} | ||
labels: | ||
app: h5p-staticfiles-server | ||
spec: | ||
replicas: {{ H5P_STATICFILES_SERVER_REPLICAS|default("1", true) }} | ||
selector: | ||
matchLabels: | ||
app: h5p-staticfiles-server | ||
template: | ||
metadata: | ||
labels: | ||
app: h5p-staticfiles-server | ||
spec: | ||
securityContext: | ||
runAsUser: 101 | ||
runAsGroup: 101 | ||
fsGroup: 101 | ||
runAsNonRoot: true | ||
containers: | ||
- name: h5p-staticfiles-server | ||
image: {{ H5P_STATICFILES_SERVER_IMAGE }}:{{ H5P_STATICFILES_SERVER_IMAGE_TAG }} | ||
imagePullPolicy: IfNotPresent | ||
ports: | ||
- containerPort: {{ H5P_PORT }} | ||
envFrom: | ||
- configMapRef: | ||
name: h5p-staticfiles-server-configmap | ||
livenessProbe: | ||
failureThreshold: 3 | ||
httpGet: | ||
path: /ping | ||
port: {{ H5P_PORT }} | ||
scheme: HTTP | ||
periodSeconds: 15 | ||
successThreshold: 1 | ||
timeoutSeconds: 4 | ||
readinessProbe: | ||
failureThreshold: 3 | ||
httpGet: | ||
path: /ping | ||
port: {{ H5P_PORT }} | ||
scheme: HTTP | ||
periodSeconds: 5 | ||
successThreshold: 1 | ||
timeoutSeconds: 4 | ||
startupProbe: | ||
failureThreshold: 4 | ||
httpGet: | ||
path: /ping | ||
port: {{ H5P_PORT }} | ||
scheme: HTTP | ||
periodSeconds: 15 | ||
successThreshold: 1 | ||
timeoutSeconds: 4 | ||
resources: | ||
# find reasonable limits | ||
limits: | ||
cpu: {{ H5P_STATICFIILES_SERVER_CPU_LIMITS|default("1000m", true) }} | ||
memory: {{ H5P_STATICFIILES_SERVER_MEMORY_LIMITS|default("1Gi", true) }} | ||
requests: | ||
cpu: {{ H5P_STATICFIILES_SERVER_CPU_REQUESTS|default("100m", true) }} | ||
memory: {{ H5P_STATICFIILES_SERVER_MEMORY_REQUESTS|default("128Mi", true) }} | ||
|
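Review bot: The resource variables are spelled `H5P_STATICFIILES_SERVER_*` (double I) while every other variable in the role uses `H5P_STATICFILES_SERVER_*`; because each lookup has a `default()`, an override written with the correct spelling is silently ignored and the hard-coded defaults always win, so rename the four lookups under `resources:`. The pod-level `securityContext` matches the image's `USER nginx` (uid 101), but the container has no `securityContext` of its own; `allowPrivilegeEscalation: false` and `capabilities: drop: [ALL]` are the usual additions for a static file server, and `readOnlyRootFilesystem: true` would also fit once `/var/cache/nginx` and the pid path are backed by `emptyDir` volumes, which needs a test run. `H5P_STATICFILES_SERVER_IMAGE_TAG` is not set in either visible vars file; presumably the deploy workflow supplies it — confirm.
```yaml
      containers:
        - name: h5p-staticfiles-server
          # … unchanged: image, imagePullPolicy, ports, envFrom, probes …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          resources:
            # find reasonable limits
            limits:
              cpu: {{ H5P_STATICFILES_SERVER_CPU_LIMITS|default("1000m", true) }}
              memory: {{ H5P_STATICFILES_SERVER_MEMORY_LIMITS|default("1Gi", true) }}
            requests:
              cpu: {{ H5P_STATICFILES_SERVER_CPU_REQUESTS|default("100m", true) }}
              memory: {{ H5P_STATICFILES_SERVER_MEMORY_REQUESTS|default("128Mi", true) }}
```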
16 changes: 16 additions & 0 deletions
16
ansible/roles/h5p-staticfiles-server-core/templates/svc.yml.j2
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: h5p-staticfiles-server-svc | ||
namespace: {{ NAMESPACE }} | ||
labels: | ||
app: h5p-staticfiles-server | ||
spec: | ||
type: ClusterIP | ||
ports: | ||
- port: {{ H5P_PORT }} | ||
targetPort: {{ H5P_PORT }} | ||
protocol: TCP | ||
name: h5p-staticfiles-server | ||
selector: | ||
app: h5p-staticfiles-server |
@@ -0,0 +1,13 @@ | ||
types { | ||
text/html html htm shtml; | ||
text/css css; | ||
text/scss scss; | ||
text/javascript js; | ||
text/plain txt; | ||
image/png png; | ||
font/woff2 woff2; | ||
font/eot eot; | ||
font/svg svg; | ||
font/woff woff; | ||
font/ttf ttf; | ||
} |
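Review bot: Several of these are not registered MIME types: `font/svg svg;` should be `image/svg+xml svg svgz;`, `font/eot` is conventionally `application/vnd.ms-fontobject`, and `text/scss` has no registered type (`text/x-scss` is the common unofficial choice); browsers are lenient with font types, but a wrong `svg` type stops SVGs from rendering when loaded as images. If the served library trees include `.json` files, they fall back to nginx's `default_type` without an `application/json json;` entry — confirm against what the editor fetches. Note that the Dockerfile section copies only `nginx.conf`, so this file is only effective if it is also copied over the image's `/etc/nginx/mime.types`.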
@@ -0,0 +1,20 @@ | ||
events { | ||
} | ||
http { | ||
include mime.types; | ||
sendfile on; | ||
server { | ||
listen 8080; | ||
listen [::]:8080; | ||
server_name _; | ||
location / { | ||
return 404; | ||
} | ||
location /h5pstatics/ { | ||
alias /usr/share/nginx/html/; | ||
} | ||
location = /ping { | ||
return 200 'pong'; | ||
} | ||
} | ||
} |
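Review bot: `listen 8080;` and `listen [::]:8080;` hard-code the port while the Kubernetes templates derive container, probe and service ports from `H5P_PORT` and the Dockerfile exposes 8080; changing `H5P_PORT` in the inventory would point the probes at a port nginx does not listen on and the pods would never become ready. Either document next to `H5P_PORT` that it must stay 8080 or make the listen port configurable at container start. For a publicly served static site also add `server_tokens off;` to the `http` block so the nginx version is not echoed in headers and error pages, and consider `add_header X-Content-Type-Options nosniff;` in the `/h5pstatics/` location. `include mime.types;` loads whatever sits at `/etc/nginx/mime.types` in the image — the Dockerfile copies only `nginx.conf`, so check that the intended types file is the one in effect.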