Unverified Commit cc41079a authored by Christopher Guindon 🌴, committed by GitHub

fix staging deployments (#124)



* fix staging deployments
Signed-off-by: Christopher Guindon <chris.guindon@eclipse-foundation.org>

* fix staging deployments
Signed-off-by: Christopher Guindon <chris.guindon@eclipse-foundation.org>
parent c2b26426
......@@ -6,27 +6,28 @@ Supported by our member organizations, the Eclipse Foundation provides our commu
<!-- TOC -->
- [Getting Started](#getting-started)
- [CSRF and API Security](#csrf-and-api-security)
- [Running the project in included web server](#running-the-project-in-included-web-server)
- [react-eclipsefdn-members](#react-eclipsefdn-members)
- [Getting Started](#getting-started)
- [CSRF and API Security](#csrf-and-api-security)
- [Running the project in included web server](#running-the-project-in-included-web-server)
- [Dependencies to run](#dependencies-to-run)
- [Setup](#setup)
- [Running](#running)
- [Docker](#docker)
- [Generate Certs for HTTPS](#generate-certs-for-https)
- [Update your Host file](#update-your-host-file)
- [Environment Variables](#environment-variables)
- [Generate Certs for HTTPS](#generate-certs-for-https)
- [Update your Host file](#update-your-host-file)
- [Environment Variables](#environment-variables)
- [KeyCloak Setup](#keycloak-setup)
- [Create a realm](#create-a-realm)
- [Create a user](#create-a-user)
- [Eclipse Foundation as an Identity Provider](#eclipse-foundation-as-an-identity-provider)
- [Client Configuration](#client-configuration)
- [Contributing](#contributing)
- [Create a realm](#create-a-realm)
- [Create a user](#create-a-user)
- [Eclipse Foundation as an Identity Provider](#eclipse-foundation-as-an-identity-provider)
- [Client Configuration](#client-configuration)
- [Contributing](#contributing)
- [Declared Project Licenses](#declared-project-licenses)
- [Bugs and feature requests](#bugs-and-feature-requests)
- [Authors](#authors)
- [Trademarks](#trademarks)
- [Copyright and license](#copyright-and-license)
- [Bugs and feature requests](#bugs-and-feature-requests)
- [Authors](#authors)
- [Trademarks](#trademarks)
- [Copyright and license](#copyright-and-license)
<!-- /TOC -->
## Getting Started
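Review bot: The README table-of-contents re-nesting in this hunk is unrelated to the staging deployment fix the commit title announces, and the commit message ("fix staging deployments", repeated twice) does not mention it; either split the README edits into their own commit or add a line to the message saying the TOC was regenerated, so that a reader bisecting a deployment regression is not led into documentation-only changes.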
......@@ -50,7 +51,7 @@ You will also see any lint errors in the console.
## CSRF and API Security
Currently, the endpoints that can contain personal data of users have been secured by OIDC and CSRF. What this means for development in the front end is all requests will need to be performed with a legitimate Eclipse Foundation login and account for the CSRF header.
Currently, the endpoints that can contain personal data of users have been secured by OIDC and CSRF. What this means for development in the front end is all requests will need to be performed with a legitimate Eclipse Foundation login and account for the CSRF header.
Pertaining to data posted to the API, there is no current automatic deletion policy enforced, and no current way in the UI to send a call to delete data. If you wish to delete this data, you will need to craft javascript within the site to take advantage of the session and CSRF headers, and manually make the call. More information on the form deletion endpoint can be seen in the OpenAPI spec under `/spec/openapi.yml`.
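Review bot: The visible change to this paragraph is whitespace only (the old and new lines read identically), but while touching it, the statement that there is "no current automatic deletion policy" for data that "can contain personal data of users", combined with the advice to "craft javascript within the site" against a live session to delete it, deserves a follow-up: document a supported, auditable deletion path (a maintainer script or admin endpoint that reuses the same OIDC session and CSRF header) and state the intended retention period, rather than leaving ad-hoc browser scripting as the only way to remove PII.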
......@@ -59,7 +60,7 @@ Additionally, when requesting any PII/form data, a CSRF token will need to be pa
[^ Top](#react-eclipsefdn-members)
## Running the project in included web server
### Dependencies to run
### Dependencies to run
- Docker-compose
- Maven
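Review bot: The `### Dependencies to run` heading appears unchanged in old and new, so this hunk is a whitespace-only edit; trailing-whitespace cleanups of the README inflate a deployment fix and are better made in a separate commit, or avoided by running the editor's trim-on-save over the whole file once.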
......@@ -68,27 +69,27 @@ Additionally, when requesting any PII/form data, a CSRF token will need to be pa
[^ Top](#react-eclipsefdn-members)
### Setup
As part of the set up, you will need to create a `secret.properties` file within the `./config` folder and set up the secrets that are required to run the application. If named `secret.properties`, the file should be ignored by Github automatically, making it less risky that credentials are accidentally uploaded to a branch.
As part of the set up, you will need to create a `secret.properties` file within the `./config` folder and set up the secrets that are required to run the application. If named `secret.properties`, the file should be ignored by Github automatically, making it less risky that credentials are accidentally uploaded to a branch.
The fields required to run are the datasource and OIDC properties. The datasource properties should be a set of user credentials that can write to a local mariadb instance. Within that mariadb instance, a database should be created to contain the data used in development. Once created, a JDBC URL can now be formed for the new database. This URL should follow the pattern below, with port not always required (depending on your local setup and proxy settings). This will be set in the `secret.properties` file.
The fields required to run are the datasource and OIDC properties. The datasource properties should be a set of user credentials that can write to a local mariadb instance. Within that mariadb instance, a database should be created to contain the data used in development. Once created, a JDBC URL can now be formed for the new database. This URL should follow the pattern below, with port not always required (depending on your local setup and proxy settings). This will be set in the `secret.properties` file.
```
```
quarkus.datasource.jdbc.url = jdbc:mariadb://<host><:port?>/<databaseName>
```
```
Once this is set, set the `quarkus.datasource.username` and `quarkus.datasource.password` fields to the user with access to the given database in the `secret.properties` file.
Once this is set, set the `quarkus.datasource.username` and `quarkus.datasource.password` fields to the user with access to the given database in the `secret.properties` file.
The other half of secret configuration is setting up the OIDC credentials for connecting to a keycloak server. This server will require a realm to be set up for access. Using the name `rem_realm` is easiest as it requires no changes to the configuration to work.
The other half of secret configuration is setting up the OIDC credentials for connecting to a keycloak server. This server will require a realm to be set up for access. Using the name `rem_realm` is easiest as it requires no changes to the configuration to work.
The `quarkus.oidc.auth-server-url` property in the `secret.properties` file will need to be updated. The value set should be the public realm address for your server and realm. The rest of the endpoints will be taken care of by the wellknown endpoint available in Keycloak, and don't need to be configured. For the dockerized service, this should be set to your local IP address (note, not your public address). This can be retrieved from your IP configuration application and added in the format displayed in the `sample.secret.properties` file.
Inside that realm, create a client and update the `quarkus.oidc.client-id` property within the `secret.properties` file. Inside that client, open the settings and go to the credentials tab. The secret will need to be copied and set into the `secret.properties` file in the `quarkus.oidc.credentials.client-secret.value` property. For proper reading and usage of development data, 3 users should be created and added to the realm with the usernames `user1`, `user2`, and `user3`.
Inside that realm, create a client and update the `quarkus.oidc.client-id` property within the `secret.properties` file. Inside that client, open the settings and go to the credentials tab. The secret will need to be copied and set into the `secret.properties` file in the `quarkus.oidc.credentials.client-secret.value` property. For proper reading and usage of development data, 3 users should be created and added to the realm with the usernames `user1`, `user2`, and `user3`.
With these properties updated, the server should be able to start and authenticate properly. If the 3 users mentioned within the OIDC configuration section were added, the data should be accessible in a way that is comparable to how it would be in production.
As a side note, regeneration of the database on start along with the insertion of data into the database can be disabled for development environments by setting the following fields within `src/main/resources/application.properties`:
1. Setting `%dev.eclipse.dataloader.enabled` to false. This property is what enables the Data bootstrap to load in mock data.
1. Setting `%dev.eclipse.dataloader.enabled` to false. This property is what enables the Data bootstrap to load in mock data.
2. Removing the `%dev.quarkus.hibernate-orm.database.generation` property or commenting it out. This is what resets the database to empty on start.
[^ Top](#react-eclipsefdn-members)
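Review bot: The sentence "If named `secret.properties`, the file should be ignored by Github automatically" is misleading: nothing on the hosting side ignores files, only the repository's `.gitignore` does. Reword it to "`config/secret.properties` is listed in the repository's `.gitignore`, so it will not be staged by default", and confirm that entry actually exists, since this is the file that holds the database credentials and the `quarkus.oidc.credentials.client-secret.value` described a few lines later. While here, the instruction to point `quarkus.oidc.auth-server-url` at "your local IP address (note, not your public address)" would be clearer if it said why: the dockerized API container must be able to reach Keycloak at that address for token validation, and the same host must be reachable from the browser for the login redirect.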
......@@ -128,6 +129,7 @@ Linux / MacOS: /etc/hosts
127.0.0.1 keycloak
127.0.0.1 api.rem.docker
127.0.0.1 www.rem.docker
127.0.0.1 nginx.rem.docker
```
#### Environment Variables
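Review bot: The new `nginx.rem.docker` hosts entry has no accompanying sentence telling the developer what it serves; since the new compose `www` service sets `VIRTUAL_HOST=nginx.rem.docker` and its nginx config proxies `/api/` to `http://api:8090/` while serving the static build from `/`, add a line here saying that `nginx.rem.docker` is the single origin to browse when testing the OIDC login flow end to end, and that `www.rem.docker` and `api.rem.docker` remain for hitting the dev server and API directly.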
......
server {
listen 8080;
server_name localhost;
port_in_redirect off;
#access_log /var/log/nginx/host.access.log main;
location = /api {
return 302 /api/;
}
location /api/ {
proxy_pass http://api:8090/; # note the trailing slash here, it matters!
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri /index.html;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
/ $ cat /etc/nginx/nginx.conf
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
\ No newline at end of file
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
server {
listen 8080;
server_name localhost;
port_in_redirect off;
#access_log /var/log/nginx/host.access.log main;
location = /api {
return 302 /api/;
}
location /api/ {
proxy_pass http://api:8090/; # note the trailing slash here, it matters!
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri /index.html;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
}
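Review bot: The `location /api/` block forwards with `proxy_pass http://api:8090/;` and no `proxy_set_header` directives, so the Quarkus backend sees `Host: api:8090` rather than the browser-facing host; because the OIDC redirect path in this same commit moves to `/api/login`, the redirect URI the backend builds for Keycloak will be wrong unless it is told the external host and scheme. Add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside that location (and enable forwarded-header handling on the Quarkus side), otherwise login will work only when the upstream host name happens to match. Two smaller points: the removed content contained a pasted shell line `/ $ cat /etc/nginx/nginx.conf` in the middle of the file, which alone would have made the old config unparseable, so it is good to see it gone; and the new file keeps `include /etc/nginx/conf.d/*.conf;` immediately before the inlined `server` block, so if the base image still ships `conf.d/default.conf` a second `server_name localhost` server on port 80 remains active, which is harmless but worth removing for clarity. The commented-out PHP/FastCGI and `.ht` stanzas copied from the stock nginx template can be dropped as well, since nothing here serves PHP.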
version: '3'
services:
www:
build:
context: .
dockerfile: ./src/main/docker/Dockerfile.www
image: eclipsefdn/membership-rest-api-www:latest
ports:
- 8080
environment:
- VIRTUAL_HOST=nginx.rem.docker
- VIRTUAL_PORT=8080
nodejs:
build: ./src/main/www
image: eclipsefdn/membership-www:latest
ports:
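Review bot: The new `www` service introduces a third image naming scheme (`eclipsefdn/membership-rest-api-www:latest`, beside `eclipsefdn/membership-www:latest` for `nodejs` and `eclipsefdn/eclipsefdn-react-membership:latest` in the Kubernetes manifests), and all three float on `:latest`; pick one prefix and tag builds with the commit SHA or a version so that a staging deployment can be traced back to the exact nginx config and bundle it was built from. `ports: - 8080` publishes to a random host port, which is fine when nginx-proxy routes by `VIRTUAL_HOST`, but a comment saying so would save the next reader from wondering why no host port is mapped.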
......@@ -9,9 +19,9 @@ services:
- ./src/main/www:/app
- /app/node_modules
environment:
- VIRTUAL_PORT=3000
- VIRTUAL_HOST=www.rem.docker
- CHOKIDAR_USEPOLLING=true
- VIRTUAL_PORT=3000
api:
build:
context: .
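Review bot: This hunk only moves `VIRTUAL_PORT=3000` above `VIRTUAL_HOST` in the `nodejs` environment list; compose does not care about ordering, so the change is cosmetic. Keeping the ordering consistent across services is fine, but since it carries no behaviour it would be better folded into the README cleanup commit than into a deployment fix.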
......@@ -22,6 +32,7 @@ services:
environment:
- VIRTUAL_HOST=api.rem.docker
- CONFIG_SECRET_PATH=/var/run/secrets/secret.properties
- VIRTUAL_PORT=8090
volumes:
- ./config/secret.properties:/var/run/secrets/secret.properties
deploy:
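Review bot: The bind mount `./config/secret.properties:/var/run/secrets/secret.properties` is writable from inside the `api` container; append `:ro` so that a compromised or misbehaving process cannot modify the developer's credential file on the host, matching the `readOnly: true` the Kubernetes manifests already use for the same secret. The added `VIRTUAL_PORT=8090` is consistent with the nginx `proxy_pass http://api:8090/` upstream, so the two files now agree on the API port.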
......
......@@ -30,25 +30,6 @@ spec:
weight: 1
containers:
- name: api
image: eclipsefdn/eclipsefdn-react-membership:latest
imagePullPolicy: Always
ports:
- containerPort: 8080
resources:
limits:
cpu: '1'
memory: 256Mi
requests:
cpu: 200m
memory: 128Mi
env:
- name: CONFIG_SECRET_PATH
value: "/run/secrets/react-membership-app/secret.properties"
volumeMounts:
- name: secret-properties
mountPath: "/run/secrets/react-membership-app"
readOnly: true
- name: app
image: eclipsefdn/eclipsefdn-react-membership:latest
imagePullPolicy: Always
ports:
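Review bot: Removing the `api` container drops the only container in the visible hunk that declares resource limits and mounts the `secret-properties` volume at `/run/secrets/react-membership-app`; confirm that the remaining `app` container (cut off after `ports:` here) carries its own `volumeMounts` for `secret-properties`, the `CONFIG_SECRET_PATH` env entry, and `resources` limits, otherwise the pod starts without CPU/memory bounds and the volume declared in the spec is orphaned. Since both containers pulled the same `eclipsefdn/eclipsefdn-react-membership:latest` image, it also looks as though the old pod ran two copies of the same process on port 8080, which would explain the staging failure; a sentence in the commit message saying that would help.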
......
......@@ -30,25 +30,6 @@ spec:
weight: 1
containers:
- name: api
image: eclipsefdn/eclipsefdn-react-membership:latest
imagePullPolicy: Always
ports:
- containerPort: 8080
resources:
limits:
cpu: '1'
memory: 256Mi
requests:
cpu: 200m
memory: 128Mi
env:
- name: CONFIG_SECRET_PATH
value: "/run/secrets/react-membership-app/secret.properties"
volumeMounts:
- name: secret-properties
mountPath: "/run/secrets/react-membership-app"
readOnly: true
- name: app
image: eclipsefdn/eclipsefdn-react-membership:latest
imagePullPolicy: Always
ports:
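Review bot: The same check applies to this second manifest as to the first: make sure the surviving `app` container keeps the `secret-properties` mount, `CONFIG_SECRET_PATH`, and resource limits that were only present on the removed `api` container. Carrying an identical 19-line container spec in two Deployment files is how the two copies drifted in the first place; a shared base with per-environment overlays (image tag, replica count, host) would let a fix like this be made once.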
......
......@@ -21,9 +21,9 @@ quarkus.oauth2.enabled=false
quarkus.oidc.application-type=web-app
quarkus.oidc.discovery-enabled=true
quarkus.oidc.roles.source=accesstoken
quarkus.oidc.authentication.redirect-path=/login
quarkus.oidc.authentication.redirect-path=/api/login
quarkus.oidc.logout.post-logout-path=/
quarkus.oidc.logout.path=/logout
quarkus.oidc.logout.path=/api/logout
## Recreate DB profile (easy to trigger in remote envs)
%dbfresh.quarkus.hibernate-orm.database.generation=drop-and-create
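Review bot: Moving `quarkus.oidc.authentication.redirect-path` to `/api/login` and `quarkus.oidc.logout.path` to `/api/logout` is required now that nginx only proxies the `/api/` prefix to the backend, but it changes the callback URL registered with the identity provider: the Keycloak client's valid redirect URIs must be updated to the new `/api/login` path or logins will be rejected with an invalid redirect_uri error, and the README's "Client Configuration" section should state the exact value to enter. `quarkus.oidc.logout.post-logout-path=/` is left at the site root, which is correct since `/` is served by nginx, not the API.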
......