

Thr 28 docker static h5p files (#1)
* docker image and configuration

* add auto build action

* add directory .github

* add ansible and workflows

* correct name change

* github actions adjusted to h5p

* remove secretref

* remove secret task

* add Readme comment security context

* change port to 8080

* path corrector

* add location nginx.conf

* clean folder and use Port Var

* nginx.conf: handle only exact /ping

* add security user / change nginx config

* syntax corrector

* use debian for build stage

* add nginx user

* add when option and h5p-ingress config

* add same specific version to the Libraries as Lumi

* remove docker.io image from tag.yml

* remove unused variable

* add variables

* edit configmap

* edit nginx config

* set reusable workflow to main

* change to WITH variable

* change reusable workflow target branch to main

* add release info to readme

---------

Co-authored-by: Andre Blome <[email protected]>
Co-authored-by: André Blome <[email protected]>
3 people authored Jul 17, 2023
1 parent d2fa96f commit 6e1eb4d
Showing 14 changed files with 376 additions and 3 deletions.
12 changes: 12 additions & 0 deletions .github/workflows/clean.yml
@@ -0,0 +1,12 @@
---
name: Clean Deployment
on: delete

jobs:
clean:
uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main
with:
branch: ${{ github.event.ref }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }}
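Review bot: This workflow sets no top-level `permissions`, so the `GITHUB_TOKEN` it forwards as `token:` to the reusable workflow runs with the repository's default token scope, while push.yml in the same commit restricts it with `permissions: contents: read`. Add the same two lines, `permissions:` / `  contents: read`, above `jobs:` so the delete-triggered cleanup runs with a least-privilege token as well. Whether `clean_workflow.yml` actually needs more than read access can only be confirmed in the `dof_app_deploy` repository; if it does, widen it on the `clean` job rather than globally.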
107 changes: 107 additions & 0 deletions .github/workflows/push.yml
@@ -0,0 +1,107 @@
name: Build and push Docker Image

on:
push:
branches-ignore:
- dependabot/**

permissions:
contents: read

jobs:
build_and_push:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- uses: actions/checkout@v3

- name: Docker meta Service Name
id: docker_meta_img
uses: docker/metadata-action@v4
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=ref,event=branch,enable=false,priority=600
type=sha,enable=true,priority=600,prefix=
- name: Log into registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: test image exists
run: |
mkdir -p ~/.docker
echo '{"experimental": "enabled"}' >> ~/.docker/config.json
echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
- name: Set up Docker Buildx
if: ${{ env.IMAGE_EXISTS == 0 }}
uses: docker/setup-buildx-action@v2

- name: Build and push ${{ github.repository }}
if: ${{ env.IMAGE_EXISTS == 0 }}
uses: docker/build-push-action@v3
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
labels: ${{ steps.docker_meta_img.outputs.labels }}

branch_name:
runs-on: ubuntu-latest
outputs:
branch: ${{ steps.extract_branch.outputs.branch }}
steps:
- name: Extract branch name
shell: bash
run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
id: extract_branch

deploy:
needs:
- build_and_push
- branch_name
uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main
with:
branch: ${{ needs.branch_name.outputs.branch }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
DEV_VAULT: ${{ secrets.DEV_VAULT }}
DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }}

deploy-successful:
needs:
- deploy
runs-on: ubuntu-latest
steps:
- run: echo "deploy was successful"

trivy-vulnerability-scanning:
needs:
- build_and_push
- branch_name
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: run trivy vulnerability scanner
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
with:
image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: upload trivy results
if: ${{ always() }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
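Review bot: Most actions in this file are pinned to mutable tags (`actions/checkout@v3`, `docker/metadata-action@v4`, `docker/login-action@v2`, `docker/setup-buildx-action@v2`, `docker/build-push-action@v3`) while `aquasecurity/trivy-action` is pinned to a full commit SHA; pin the others the same way, with the tag kept as a trailing comment, so a moved tag cannot change what runs in a job holding `packages: write`. The same applies to every action in tag.yml, which also uses `build-push-action@v4` where this file uses `@v3` — the two should agree. In the `test image exists` step, `echo '{"experimental": "enabled"}' >> ~/.docker/config.json` appends to any pre-existing config on the runner and would then produce invalid JSON; write it with `>` instead, or drop the config handling if the runner's Docker CLI no longer needs it for `manifest inspect`. The redirections `>> $GITHUB_ENV` here and `>> $GITHUB_OUTPUT` in `branch_name` should quote the variable, `>> "$GITHUB_ENV"`.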
48 changes: 48 additions & 0 deletions .github/workflows/tag.yml
@@ -0,0 +1,48 @@
---
name: Build and push Docker Image on Tag

on:
push:
tags:
- '[0-9]*'

jobs:
build_and_push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v3

- name: Docker meta Service Name
id: docker_meta_img_hub
uses: docker/metadata-action@v4
with:
images: quay.io/schulcloudverbund/h5p-staticfiles-server
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- name: Log into docker registry
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}

- name: Log into quay registry
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}

- name: Build and push ${{ github.repository }}
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: true
tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
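Review bot: The `Log into docker registry` step still authenticates to Docker Hub with `DOCKER_USERNAME`/`DOCKER_TOKEN`, but after the "remove docker.io image from tag.yml" change the metadata action only emits `quay.io/schulcloudverbund/h5p-staticfiles-server` tags, so nothing is ever pushed there. A `docker/login-action` step without `registry:` defaults to Docker Hub, which is what makes this a dead login; remove the step so those credentials are no longer exposed to a job that does not use them, and consider retiring the two secrets in the repository settings. The `build-push-action@v4` here differs from `@v3` in push.yml — align the versions and pin both to commit SHAs as the trivy step in push.yml already does.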
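--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,40 @@
+# Use Debian "builder" for build stage
+FROM docker.io/debian:bullseye as builder
+
+# Install git
+RUN apt-get update
+RUN apt-get install -y git
+
+# the last used version from Lumi
+ENV LAST_USED_H5P_LIBRARY=661d4f6c7d7b1117587654941f5fcf91acb5f4eb
+ENV LAST_USED_H5P_EDITOR_LIBRARY=0365b081efa8b55ab9fd58594aa599f9630268f6
+
+# Clone H5P repositories
+RUN git clone https://github.com/h5p/h5p-php-library && git -C h5p-php-library checkout $LAST_USED_H5P_LIBRARY
+RUN git clone https://github.com/h5p/h5p-editor-php-library && git -C h5p-editor-php-library checkout $LAST_USED_H5P_EDITOR_LIBRARY
+
+# Remove unused files
+RUN rm h5p-php-library/*.php
+RUN rm h5p-editor-php-library/*.php
+
+# Use nginx as server for run stage
+FROM docker.io/nginx:1.25
+
+# Copy configuration
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Copy H5P files to webroot
+RUN rm -r /usr/share/nginx/html/*
+COPY --from=builder /h5p-php-library /usr/share/nginx/html/core
+COPY --from=builder /h5p-editor-php-library /usr/share/nginx/html/editor
+
+RUN chown -R nginx:nginx /usr/share/nginx && \
+chown -R nginx:nginx /var/cache/nginx && \
+chown -R nginx:nginx /etc/nginx
+
+RUN touch /var/run/nginx.pid && \
+chown -R nginx:nginx /var/run/nginx.pid
+USER nginx
+
+EXPOSE 8080
+CMD ["nginx", "-g", "daemon off;"]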
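Review bot: The `.git` directories of both clones end up in the webroot: `rm h5p-php-library/*.php` only removes top-level PHP files, and `COPY --from=builder /h5p-php-library /usr/share/nginx/html/core` copies the whole clone, so `.git/` and any other non-asset files would be reachable through the `/h5pstatics/` alias in nginx.conf. Add `RUN rm -rf h5p-php-library/.git h5p-editor-php-library/.git` after the checkouts, or copy only the asset directories the player and editor actually need. Separately, `chown -R nginx:nginx /etc/nginx` and `chown -R nginx:nginx /usr/share/nginx` give the runtime user write access to its own configuration and content, which nginx does not need to read them; leave those root-owned and only chown `/var/cache/nginx` and the pid file. Also only `nginx.conf` is copied into the image, so the repository's `mime.types` is unused and `include mime.types;` resolves to the base image's file — add `COPY mime.types /etc/nginx/mime.types` if the custom one is intended.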
10 changes: 7 additions & 3 deletions README.md
@@ -1,3 +1,7 @@
# Service repo:
this Repo is only to host the static Files for h5p Editor und Player
from h5p Repos to the the schulcloud server
# Serving the H5P Static Files:
This Repo contains the docker configuration for nginx-image to serve the static Files for h5p Editor and Player from h5p Repos required by the schulcloud Application.

# update von releases
the docker file soll Parallel like https://github.com/Lumieducation/H5P-Nodejs-library/releases to have always same versions from :
- https://github.com/h5p/h5p-php-library
- https://github.com/h5p/h5p-editor-php-library
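--- a/ansible/group_vars/all/h5p-staticfiles-server.yml
+++ b/ansible/group_vars/all/h5p-staticfiles-server.yml
@@ -0,0 +1,3 @@
+H5P_STATICFILES_SERVER_IMAGE: quay.io/schulcloudverbund/h5p-staticfiles-server
+H5P_STATICFILES_SERVER_REPLICAS: 1
+H5P_PORT: 8080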
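--- a/ansible/group_vars/develop/h5p-staticfiles-server.yml
+++ b/ansible/group_vars/develop/h5p-staticfiles-server.yml
@@ -0,0 +1,3 @@
+---
+H5P_STATICFILES_SERVER_IMAGE: ghcr.io/hpi-schul-cloud/h5p-staticfiles-server
+H5P_STATICFILES_SERVER_REPLICAS: 1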
9 changes: 9 additions & 0 deletions ansible/roles/h5p-staticfiles-server-core/meta/main.yml
@@ -0,0 +1,9 @@
galaxy_info:
role_name: h5p-staticfiles-server-core
author: Schul-Cloud Verbund
description: Core role for the h5p static files
company: Schul-Cloud Verbund
license: license (AGPLv3)
min_ansible_version: 2.8
galaxy_tags: []
dependencies: []
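Review bot: `min_ansible_version: 2.8` is parsed as a float; quote it as `min_ansible_version: "2.8"` so a later bump to 2.10 is not silently read as 2.1. `license: license (AGPLv3)` also reads oddly — the usual form is the bare identifier, e.g. `license: AGPL-3.0`, if that is the project's licence.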
21 changes: 21 additions & 0 deletions ansible/roles/h5p-staticfiles-server-core/tasks/main.yml
@@ -0,0 +1,21 @@
- name: Service
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: svc.yml.j2
when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool

- name: Configmap
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: configmap.yml.j2
apply: yes
when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool

- name: Deployment
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: deployment.yml.j2
when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool
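Review bot: `apply: yes` is set only on the Configmap task; the Service and Deployment tasks fall back to the module's default create/patch behaviour, so a field later removed from those two templates may be left behind on the cluster objects while the ConfigMap is reconciled fully. If the difference is unintended, add `apply: true` to all three tasks — and prefer `true` over `yes`, which yamllint's `truthy` rule flags. The identical `when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool` on every task could be hoisted into a single `block:` so the condition lives in one place.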
@@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: h5p-staticfiles-server-configmap
namespace: {{ NAMESPACE }}
labels:
app: h5p-staticfiles-server
data:
TZ: "Europe/Berlin"

@@ -0,0 +1,67 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: h5p-staticfiles-server-deployment
namespace: {{ NAMESPACE }}
labels:
app: h5p-staticfiles-server
spec:
replicas: {{ H5P_STATICFILES_SERVER_REPLICAS|default("1", true) }}
selector:
matchLabels:
app: h5p-staticfiles-server
template:
metadata:
labels:
app: h5p-staticfiles-server
spec:
securityContext:
runAsUser: 101
runAsGroup: 101
fsGroup: 101
runAsNonRoot: true
containers:
- name: h5p-staticfiles-server
image: {{ H5P_STATICFILES_SERVER_IMAGE }}:{{ H5P_STATICFILES_SERVER_IMAGE_TAG }}
imagePullPolicy: IfNotPresent
ports:
- containerPort: {{ H5P_PORT }}
envFrom:
- configMapRef:
name: h5p-staticfiles-server-configmap
livenessProbe:
failureThreshold: 3
httpGet:
path: /ping
port: {{ H5P_PORT }}
scheme: HTTP
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 4
readinessProbe:
failureThreshold: 3
httpGet:
path: /ping
port: {{ H5P_PORT }}
scheme: HTTP
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 4
startupProbe:
failureThreshold: 4
httpGet:
path: /ping
port: {{ H5P_PORT }}
scheme: HTTP
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 4
resources:
# find reasonable limits
limits:
cpu: {{ H5P_STATICFIILES_SERVER_CPU_LIMITS|default("1000m", true) }}
memory: {{ H5P_STATICFIILES_SERVER_MEMORY_LIMITS|default("1Gi", true) }}
requests:
cpu: {{ H5P_STATICFIILES_SERVER_CPU_REQUESTS|default("100m", true) }}
memory: {{ H5P_STATICFIILES_SERVER_MEMORY_REQUESTS|default("128Mi", true) }}
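Review bot: The four resource variables are spelled `H5P_STATICFIILES_SERVER_*` (double I) while every other variable in this commit uses `H5P_STATICFILES_SERVER_*`; because each carries a `default(...)`, an override defined with the conventional spelling is silently ignored and the defaults always win. Rename them to `H5P_STATICFILES_SERVER_CPU_LIMITS`, `H5P_STATICFILES_SERVER_MEMORY_LIMITS`, `H5P_STATICFILES_SERVER_CPU_REQUESTS` and `H5P_STATICFILES_SERVER_MEMORY_REQUESTS`. The pod-level `securityContext` is a good start; a container-level `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` should be tolerated by an image that already runs as the `nginx` user on port 8080, and is worth adding. `H5P_STATICFILES_SERVER_IMAGE_TAG` is referenced on the `image:` line but defined in neither group_vars file in this commit — presumably the deploy workflow supplies it; a comment in the template saying so would help the next reader.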

16 changes: 16 additions & 0 deletions ansible/roles/h5p-staticfiles-server-core/templates/svc.yml.j2
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: h5p-staticfiles-server-svc
namespace: {{ NAMESPACE }}
labels:
app: h5p-staticfiles-server
spec:
type: ClusterIP
ports:
- port: {{ H5P_PORT }}
targetPort: {{ H5P_PORT }}
protocol: TCP
name: h5p-staticfiles-server
selector:
app: h5p-staticfiles-server
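--- a/mime.types
+++ b/mime.types
@@ -0,0 +1,13 @@
+types {
+text/html html htm shtml;
+text/css css;
+text/scss scss;
+text/javascript js;
+text/plain txt;
+image/png png;
+font/woff2 woff2;
+font/eot eot;
+font/svg svg;
+font/woff woff;
+font/ttf ttf;
+}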
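Review bot: `font/svg svg;` and `font/eot eot;` are not registered media types; browsers and font loaders expect `image/svg+xml` for `svg` and `application/vnd.ms-fontobject` for `eot`, and `text/scss` has no registration either (SCSS sources are normally not served at all). Correcting these matters because the nginx.conf in this commit includes this table for everything under `/h5pstatics/`, and a wrong type can cause fonts or images to be rejected or sniffed. Note also that the Dockerfile in this commit copies only `nginx.conf`, so this file has no effect until it is copied into `/etc/nginx/`.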
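--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,20 @@
+events {
+}
+http {
+include mime.types;
+sendfile on;
+server {
+listen 8080;
+listen [::]:8080;
+server_name _;
+location / {
+return 404;
+}
+location /h5pstatics/ {
+alias /usr/share/nginx/html/;
+}
+location = /ping {
+return 200 'pong';
+}
+}
+}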
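Review bot: The `server` block has no `server_tokens off;`, so the nginx version is advertised in the `Server` header and on the 404 page returned by `location /`, and the JavaScript and CSS served from `/h5pstatics/` carry no `X-Content-Type-Options` header. Add `server_tokens off;` and `add_header X-Content-Type-Options nosniff;` inside `server`. Because the alias exposes the whole clone directory copied by the Dockerfile, a regex location such as `location ~ /\. { return 404; }` would also block dotfiles like `.git/` as defence in depth; it takes precedence over the `/h5pstatics/` prefix location and does not affect the exact-match `/ping`.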
