From 6e1eb4d9e1085552ef39ef770d4d0642cef9bc51 Mon Sep 17 00:00:00 2001 
From: Majed Mak <132336669+MajedAlaitwniCap@users.noreply.github.com> Date: Mon, 17 Jul 2023 15:59:20 +0200 Subject: [PATCH] Thr 28 docker static h5p files (#1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * docker image and configuration * add auto build action * add directory .github * add ansible and workflows * correct name change * github actions adjusted to h5p * remove secretref * remove secret task * add Readme comment security context * change port to 8080 * path corrector * add location nginx.conf * clean folder and use Port Var * nginx.conf: handle only exact /ping * add seurity user / change nginx config * syntax corrector * use debian for build stage * add nginx user * add when option and h5p-ingress config * add same specific version to the Libraries as Lumi * remove docker.io image from tag.yml * remove unused variable * add variables * edit configmap * edit nginx config * set reusable workflow to main * change to WITH variable * change reusable workflow target branch to main * add release info to readme --------- Co-authored-by: Andre Blome Co-authored-by: André Blome <43345275+ssmid@users.noreply.github.com> --- .github/workflows/clean.yml | 12 ++ .github/workflows/push.yml | 107 ++++++++++++++++++ .github/workflows/tag.yml | 48 ++++++++ Dockerfile | 40 +++++++ README.md | 10 +- .../group_vars/all/h5p-staticfiles-server.yml | 3 + .../develop/h5p-staticfiles-server.yml | 3 + .../h5p-staticfiles-server-core/meta/main.yml | 9 ++ .../tasks/main.yml | 21 ++++ .../templates/configmap.yml.j2 | 10 ++ .../templates/deployment.yml.j2 | 67 +++++++++++ .../templates/svc.yml.j2 | 16 +++ mime.types | 13 +++ nginx.conf | 20 ++++ 14 files changed, 376 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/clean.yml create mode 100644 .github/workflows/push.yml create mode 100644 .github/workflows/tag.yml create mode 100644 Dockerfile create mode 100644 ansible/group_vars/all/h5p-staticfiles-server.yml create 
mode 100644 ansible/group_vars/develop/h5p-staticfiles-server.yml
create mode 100644 ansible/roles/h5p-staticfiles-server-core/meta/main.yml
create mode 100644 ansible/roles/h5p-staticfiles-server-core/tasks/main.yml
create mode 100644 ansible/roles/h5p-staticfiles-server-core/templates/configmap.yml.j2
create mode 100644 ansible/roles/h5p-staticfiles-server-core/templates/deployment.yml.j2
create mode 100644 ansible/roles/h5p-staticfiles-server-core/templates/svc.yml.j2
create mode 100644 mime.types
create mode 100644 nginx.conf
diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml
new file mode 100644
index 0000000..8139e9a
--- /dev/null
+++ b/.github/workflows/clean.yml
@@ -0,0 +1,12 @@
+---
+name: Clean Deployment
+on: delete
+
+jobs:
+ clean:
+ uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main
+ with:
+ branch: ${{ github.event.ref }}
+ secrets:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }}
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
new file mode 100644
index 0000000..98e66b8
--- /dev/null
+++ b/.github/workflows/push.yml
@@ -0,0 +1,107 @@
+name: Build and push Docker Image
+
+on:
+ push:
+ branches-ignore:
+ - dependabot/**
+
+permissions:
+ contents: read
+
+jobs:
+ build_and_push:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Docker meta Service Name
+ id: docker_meta_img
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/${{ github.repository }}
+ tags: |
+ type=ref,event=branch,enable=false,priority=600
+ type=sha,enable=true,priority=600,prefix=
+
+ - name: Log into registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: test image exists
+ run: |
+ mkdir -p ~/.docker
+ echo '{"experimental": "enabled"}' >> ~/.docker/config.json
+ echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
+
+ - name: Set up Docker Buildx
+ if: ${{ env.IMAGE_EXISTS == 0 }}
+ uses: docker/setup-buildx-action@v2
+
+ - name: Build and push ${{ github.repository }}
+ if: ${{ env.IMAGE_EXISTS == 0 }}
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64
+ push: true
+ tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
+ labels: ${{ steps.docker_meta_img.outputs.labels }}
+
+ branch_name:
+ runs-on: ubuntu-latest
+ outputs:
+ branch: ${{ steps.extract_branch.outputs.branch }}
+ steps:
+ - name: Extract branch name
+ shell: bash
+ run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
+ id: extract_branch
+
+ deploy:
+ needs:
+ - build_and_push
+ - branch_name
+ uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main
+ with:
+ branch: ${{ needs.branch_name.outputs.branch }}
+ secrets:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ DEV_VAULT: ${{ secrets.DEV_VAULT }}
+ DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }}
+
+ deploy-successful:
+ needs:
+ - deploy
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "deploy was successful"
+
+ trivy-vulnerability-scanning:
+ needs:
+ - build_and_push
+ - branch_name
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: run trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+ with:
+ image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+ - name: upload trivy results
+ if: ${{ always() }}
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
new file mode 100644
index 0000000..4a897d6
--- /dev/null
+++ b/.github/workflows/tag.yml
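Review bot: The trivy job cannot gate the rollout: `deploy` lists only `build_and_push` and `branch_name` under `needs:`, so it runs concurrently with `trivy-vulnerability-scanning`, and the scanner step sets no `exit-code`, so CRITICAL/HIGH findings only land in the Security tab after the image is already deploying. If the scan is meant to block, add `exit-code: '1'` to the trivy step's `with:` block and add `- trivy-vulnerability-scanning` to `deploy`'s `needs:`; if it is deliberately informational, a comment above the job saying so (`# informational only: does not block deploy`) would make that explicit. Separately, `actions/checkout@v3`, `docker/login-action@v2`, `docker/setup-buildx-action@v2`, `docker/build-push-action@v3` and `github/codeql-action/upload-sarif@v2` are pinned to mutable major tags while the trivy action is pinned to a commit SHA; pinning all of them to a SHA with the version in a trailing comment gives the same supply-chain protection consistently.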
@@ -0,0 +1,48 @@
+---
+name: Build and push Docker Image on Tag
+
+on:
+ push:
+ tags:
+ - '[0-9]*'
+
+jobs:
+ build_and_push:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Docker meta Service Name
+ id: docker_meta_img_hub
+ uses: docker/metadata-action@v4
+ with:
+ images: quay.io/schulcloudverbund/h5p-staticfiles-server
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+
+ - name: Log into docker registry
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_TOKEN }}
+
+ - name: Log into quay registry
+ uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_TOKEN }}
+
+ - name: Build and push ${{ github.repository }}
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64
+ push: true
+ tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
+ labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..96eab75
--- /dev/null
+++ b/Dockerfile
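Review bot: The `Log into docker registry` step authenticates to Docker Hub with `DOCKER_USERNAME`/`DOCKER_TOKEN`, but the only image this workflow tags and pushes is `quay.io/schulcloudverbund/h5p-staticfiles-server`, so that login is never used; it hands a credential to the job for no purpose and should be dropped (the commit message's "remove docker.io image from tag.yml" suggests it was simply left behind). Once the step is gone, the `DOCKER_*` repository secrets can be retired as well. This workflow also uses `docker/build-push-action@v4` while push.yml uses `@v3`; aligning both, preferably on a commit SHA, avoids the two build paths drifting apart.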
@@ -0,0 +1,40 @@
+# Use Debian "builder" for build stage
+FROM docker.io/debian:bullseye as builder
+
+# Install git
+RUN apt-get update
+RUN apt-get install -y git
+
+# the last used version from Lumi
+ENV LAST_USED_H5P_LIBRARY=661d4f6c7d7b1117587654941f5fcf91acb5f4eb
+ENV LAST_USED_H5P_EDITOR_LIBRARY=0365b081efa8b55ab9fd58594aa599f9630268f6
+
+# Clone H5P repositories
+RUN git clone https://github.com/h5p/h5p-php-library && git -C h5p-php-library checkout $LAST_USED_H5P_LIBRARY
+RUN git clone https://github.com/h5p/h5p-editor-php-library && git -C h5p-editor-php-library checkout $LAST_USED_H5P_EDITOR_LIBRARY
+
+# Remove unused files
+RUN rm h5p-php-library/*.php
+RUN rm h5p-editor-php-library/*.php
+
+# Use nginx as server for run stage
+FROM docker.io/nginx:1.25
+
+# Copy configuration
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Copy H5P files to webroot
+RUN rm -r /usr/share/nginx/html/*
+COPY --from=builder /h5p-php-library /usr/share/nginx/html/core
+COPY --from=builder /h5p-editor-php-library /usr/share/nginx/html/editor
+
+RUN chown -R nginx:nginx /usr/share/nginx && \
+ chown -R nginx:nginx /var/cache/nginx && \
+ chown -R nginx:nginx /etc/nginx
+
+RUN touch /var/run/nginx.pid && \
+ chown -R nginx:nginx /var/run/nginx.pid
+USER nginx
+
+EXPOSE 8080
+CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 2e1f457..97fa6c7 100644
--- a/README.md
+++ b/README.md
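Review bot: `chown -R nginx:nginx /etc/nginx` and `chown -R nginx:nginx /usr/share/nginx` give the unprivileged service account write access to its own configuration and to the files it serves, which undoes part of the benefit of `USER nginx`: a compromised worker could rewrite `nginx.conf` or the H5P assets in place. Only the cache directory and the pid file need to be writable by the nginx user, so the webroot and config can stay root-owned and merely readable, e.g. keep `RUN chown -R nginx:nginx /var/cache/nginx` and drop the other two (if the base image's entrypoint scripts then complain about `/etc/nginx/conf.d`, scope the chown to that subdirectory rather than the whole tree). A second, smaller issue: `git clone` leaves a `.git` directory in each library and `rm h5p-php-library/*.php` does not touch it, so `COPY --from=builder` places the full repository metadata under the webroot where `location /h5pstatics/` serves it; `RUN rm -rf h5p-php-library/.git h5p-editor-php-library/.git` in the builder stage keeps it out of the image.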
@@ -1,3 +1,7 @@
-# Service repo:
-this Repo is only to host the static Files for h5p Editor und Player
-from h5p Repos to the the schulcloud server
\ No newline at end of file
+# Serving the H5P Static Files:
+This Repo contains the docker configuration for nginx-image to serve the static Files for h5p Editor and Player from h5p Repos required by the schulcloud Application.
+
+# update von releases
+the docker file soll Parallel like https://github.com/Lumieducation/H5P-Nodejs-library/releases to have always same versions from :
+ - https://github.com/h5p/h5p-php-library
+ - https://github.com/h5p/h5p-editor-php-library
\ No newline at end of file
diff --git a/ansible/group_vars/all/h5p-staticfiles-server.yml b/ansible/group_vars/all/h5p-staticfiles-server.yml
new file mode 100644
index 0000000..eeefd90
--- /dev/null
+++ b/ansible/group_vars/all/h5p-staticfiles-server.yml
@@ -0,0 +1,3 @@
+H5P_STATICFILES_SERVER_IMAGE: quay.io/schulcloudverbund/h5p-staticfiles-server
+H5P_STATICFILES_SERVER_REPLICAS: 1
+H5P_PORT: 8080
\ No newline at end of file
diff --git a/ansible/group_vars/develop/h5p-staticfiles-server.yml b/ansible/group_vars/develop/h5p-staticfiles-server.yml
new file mode 100644
index 0000000..dff0ff1
--- /dev/null
+++ b/ansible/group_vars/develop/h5p-staticfiles-server.yml
@@ -0,0 +1,3 @@
+---
+H5P_STATICFILES_SERVER_IMAGE: ghcr.io/hpi-schul-cloud/h5p-staticfiles-server
+H5P_STATICFILES_SERVER_REPLICAS: 1
diff --git a/ansible/roles/h5p-staticfiles-server-core/meta/main.yml b/ansible/roles/h5p-staticfiles-server-core/meta/main.yml
new file mode 100644
index 0000000..6844dbf
--- /dev/null
+++ b/ansible/roles/h5p-staticfiles-server-core/meta/main.yml
@@ -0,0 +1,9 @@
+galaxy_info:
+ role_name: h5p-staticfiles-server-core
+ author: Schul-Cloud Verbund
+ description: Core role for the h5p static files
+ company: Schul-Cloud Verbund
+ license: license (AGPLv3)
+ min_ansible_version: 2.8
+ galaxy_tags: []
+dependencies: []
diff --git a/ansible/roles/h5p-staticfiles-server-core/tasks/main.yml b/ansible/roles/h5p-staticfiles-server-core/tasks/main.yml
new file mode 100644
index 0000000..d73fcbb
--- /dev/null
+++ b/ansible/roles/h5p-staticfiles-server-core/tasks/main.yml
@@ -0,0 +1,21 @@
+ - name: Service
+ kubernetes.core.k8s:
+ kubeconfig: ~/.kube/config
+ namespace: "{{ NAMESPACE }}"
+ template: svc.yml.j2
+ when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool
+
+ - name: Configmap
+ kubernetes.core.k8s:
+ kubeconfig: ~/.kube/config
+ namespace: "{{ NAMESPACE }}"
+ template: configmap.yml.j2
+ apply: yes
+ when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool
+
+ - name: Deployment
+ kubernetes.core.k8s:
+ kubeconfig: ~/.kube/config
+ namespace: "{{ NAMESPACE }}"
+ template: deployment.yml.j2
+ when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool
diff --git a/ansible/roles/h5p-staticfiles-server-core/templates/configmap.yml.j2 b/ansible/roles/h5p-staticfiles-server-core/templates/configmap.yml.j2
new file mode 100644
index 0000000..f63a8df
--- /dev/null
+++ b/ansible/roles/h5p-staticfiles-server-core/templates/configmap.yml.j2
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: h5p-staticfiles-server-configmap
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: h5p-staticfiles-server
+data:
+ TZ: "Europe/Berlin"
+
diff --git a/ansible/roles/h5p-staticfiles-server-core/templates/deployment.yml.j2 b/ansible/roles/h5p-staticfiles-server-core/templates/deployment.yml.j2
new file mode 100644
index 0000000..7850ad8
--- /dev/null
+++ b/ansible/roles/h5p-staticfiles-server-core/templates/deployment.yml.j2
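Review bot: Only the Configmap task sets `apply: yes`, so the Service and Deployment are reconciled through the module's default (non-apply) update path while the ConfigMap uses server-side apply semantics — presumably unintentional for three resources of one service; set it on all three or none, and write it as `apply: true` rather than the YAML 1.1 `yes` (yamllint `truthy`). The guard `when: WITH_H5P_EDITOR is defined and WITH_H5P_EDITOR|bool` is copied verbatim onto every task; wrapping the three tasks in one `block:` carrying that `when:` keeps the condition in a single place so a task added later cannot be left unguarded. A one-line comment above the block naming what `WITH_H5P_EDITOR` switches (`# the static-file server is only deployed together with the H5P editor`) would also spare the next reader a grep.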
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: h5p-staticfiles-server-deployment
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: h5p-staticfiles-server
+spec:
+ replicas: {{ H5P_STATICFILES_SERVER_REPLICAS|default("1", true) }}
+ selector:
+ matchLabels:
+ app: h5p-staticfiles-server
+ template:
+ metadata:
+ labels:
+ app: h5p-staticfiles-server
+ spec:
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ fsGroup: 101
+ runAsNonRoot: true
+ containers:
+ - name: h5p-staticfiles-server
+ image: {{ H5P_STATICFILES_SERVER_IMAGE }}:{{ H5P_STATICFILES_SERVER_IMAGE_TAG }}
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: {{ H5P_PORT }}
+ envFrom:
+ - configMapRef:
+ name: h5p-staticfiles-server-configmap
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: {{ H5P_PORT }}
+ scheme: HTTP
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 4
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: {{ H5P_PORT }}
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 4
+ startupProbe:
+ failureThreshold: 4
+ httpGet:
+ path: /ping
+ port: {{ H5P_PORT }}
+ scheme: HTTP
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 4
+ resources:
+ # find reasonable limits
+ limits:
+ cpu: {{ H5P_STATICFIILES_SERVER_CPU_LIMITS|default("1000m", true) }}
+ memory: {{ H5P_STATICFIILES_SERVER_MEMORY_LIMITS|default("1Gi", true) }}
+ requests:
+ cpu: {{ H5P_STATICFIILES_SERVER_CPU_REQUESTS|default("100m", true) }}
+ memory: {{ H5P_STATICFIILES_SERVER_MEMORY_REQUESTS|default("128Mi", true) }}
+
diff --git a/ansible/roles/h5p-staticfiles-server-core/templates/svc.yml.j2 b/ansible/roles/h5p-staticfiles-server-core/templates/svc.yml.j2
new file mode 100644
index 0000000..cf96eb6
--- /dev/null
+++ b/ansible/roles/h5p-staticfiles-server-core/templates/svc.yml.j2
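Review bot: The four resource variables under `resources:` are misspelled — `H5P_STATICFIILES_SERVER_CPU_LIMITS`, `..._MEMORY_LIMITS`, `..._CPU_REQUESTS` and `..._MEMORY_REQUESTS` use `STATICFIILES` (double I) while every other variable in this commit uses `STATICFILES`, so an operator who sets `H5P_STATICFILES_SERVER_MEMORY_LIMITS` in group_vars is silently ignored and the `default()` value always wins; rename them to match. The pod-level `securityContext` is a good start, but the container has none of its own; a static nginx bound to port 8080 as uid 101 needs no privilege escalation and no Linux capability, so `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` can be added at no functional cost (a `readOnlyRootFilesystem: true` would additionally need emptyDir mounts for `/var/cache/nginx` and `/var/run`, so that is better left for a follow-up). `H5P_STATICFILES_SERVER_IMAGE_TAG` is referenced on the `image:` line but defined in neither group_vars file in this commit — presumably injected by the deploy workflow — and a comment naming its origin would help.
```yaml
      containers:
        - name: h5p-staticfiles-server
          # … unchanged: image, imagePullPolicy, ports, envFrom, probes …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            # find reasonable limits
            limits:
              cpu: {{ H5P_STATICFILES_SERVER_CPU_LIMITS|default("1000m", true) }}
              memory: {{ H5P_STATICFILES_SERVER_MEMORY_LIMITS|default("1Gi", true) }}
            requests:
              cpu: {{ H5P_STATICFILES_SERVER_CPU_REQUESTS|default("100m", true) }}
              memory: {{ H5P_STATICFILES_SERVER_MEMORY_REQUESTS|default("128Mi", true) }}
```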
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: h5p-staticfiles-server-svc
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: h5p-staticfiles-server
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ H5P_PORT }}
+ targetPort: {{ H5P_PORT }}
+ protocol: TCP
+ name: h5p-staticfiles-server
+ selector:
+ app: h5p-staticfiles-server
diff --git a/mime.types b/mime.types
new file mode 100644
index 0000000..f5e765a
--- /dev/null
+++ b/mime.types
@@ -0,0 +1,13 @@
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/scss scss;
+ text/javascript js;
+ text/plain txt;
+ image/png png;
+ font/woff2 woff2;
+ font/eot eot;
+ font/svg svg;
+ font/woff woff;
+ font/ttf ttf;
+}
\ No newline at end of file
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..c9f0506
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,20 @@
+events {
+}
+http {
+ include mime.types;
+ sendfile on;
+ server {
+ listen 8080;
+ listen [::]:8080;
+ server_name _;
+ location / {
+ return 404;
+ }
+ location /h5pstatics/ {
+ alias /usr/share/nginx/html/;
+ }
+ location = /ping {
+ return 200 'pong';
+ }
+ }
+}
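Review bot: This file is never used by the image: the Dockerfile copies only `nginx.conf` into `/etc/nginx`, so `include mime.types;` resolves to the stock `/etc/nginx/mime.types` of the `nginx:1.25` base image and this repo copy is dead. Either add `COPY mime.types /etc/nginx/mime.types` to the Dockerfile or delete the file; if it is kept, `font/svg` and `font/eot` are not registered media types (the stock table uses `image/svg+xml` and `application/vnd.ms-fontobject`) and `text/scss` is not registered either. Since nginx.conf sets no `default_type`, anything absent from this short list — H5P's `library.json` files, for instance — would be served as `text/plain`, which is another reason to prefer the base image's much larger table.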
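Review bot: The server block sends no hardening headers and leaves `server_tokens` at its default, so every response (including the `404` from `location /`) advertises the exact nginx version and files of unknown type can be content-sniffed by browsers; `server_tokens off;` in the `http` block and `add_header X-Content-Type-Options nosniff always;` in the `server` block are cheap additions. Because `alias /usr/share/nginx/html/;` exposes everything the Dockerfile copies there, including the `.git` directories left behind by `git clone` in the builder stage, a `location ~ /\. { return 404; }` inside the server block keeps dotfiles and repository metadata from being served regardless of what lands in the webroot. The `alias` itself is safe as written, since the `location /h5pstatics/` prefix ends in a slash that matches the alias path.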