Merge pull request #1561 from govuk-one-login/AUT-1984/rebuild-nginx

AUT-1984: Rebuild nginx with headers-more module
govuk-one-login · May 24, 2024 · 4fb1eb9 · 4fb1eb9
2 parents 65ec077 + 5344d1e
commit 4fb1eb9
Show file tree

Hide file tree

Showing 11 changed files with 1,255 additions and 70 deletions.
diff --git a/.github/workflows/build-and-push-frontend.yml b/.github/workflows/build-and-push-frontend.yml
@@ -7,7 +7,7 @@ env:
 on:
   push:
     branches:
-    - main
+      - main
 
 jobs:
   build:
@@ -17,36 +17,36 @@ jobs:
       id-token: write
       contents: read
     steps:
-    - name: Checkout
-      uses: actions/checkout@v3
-    - name: Assume AWS DEPLOYER role in tooling acct
-      uses: aws-actions/configure-aws-credentials@v1-node16
-      with:
-        role-to-assume: ${{ secrets.DEPLOYER_ROLE }}
-        aws-region: ${{ env.AWS_REGION }}
-    - name: Login to Amazon ECR
-      id: login-ecr
-      uses: aws-actions/amazon-ecr-login@v1
-    - name: Login to GDS Dev Dynatrace Container Registry
-      uses: docker/login-action@v3
-      with:
-        registry: khw46367.live.dynatrace.com
-        username: khw46367
-        password: ${{ secrets.DYNATRACE_PAAS_TOKEN }}
-    - name: Build, tag, and push frontend
-      env:
-        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-        ECR_REPOSITORY: ${{ secrets.TOOLING_ECR_FRONTEND_REPO }}
-        IMAGE_TAG: ${{ github.sha }}
-      run: |
-        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
-        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
-    - name: Build, tag, and push basic-auth-sidecar
-      working-directory: basic-auth-sidecar
-      env:
-        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-        ECR_REPOSITORY: ${{ secrets.BASIC_SIDECAR_ECR_REPO }}
-        IMAGE_TAG: ${{ github.sha }}
-      run: |
-        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
-        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Assume AWS DEPLOYER role in tooling acct
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ secrets.DEPLOYER_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+      - name: Login to GDS Dev Dynatrace Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: khw46367.live.dynatrace.com
+          username: khw46367
+          password: ${{ secrets.DYNATRACE_PAAS_TOKEN }}
+      - name: Build, tag, and push frontend
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ${{ secrets.TOOLING_ECR_FRONTEND_REPO }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+      - name: Build, tag, and push basic-auth-sidecar
+        working-directory: basic-auth-sidecar
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ${{ secrets.BASIC_SIDECAR_ECR_REPO }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
diff --git a/.github/workflows/pre-merge-checks.yml b/.github/workflows/pre-merge-checks.yml
@@ -28,6 +28,16 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18.12.1
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+      - uses: actions/cache@v3
+        id: yarn-cache
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
       - name: Install dependencies
         run: yarn install
       - name: Check formatting

diff --git a/.github/workflows/test-sidecar.yml b/.github/workflows/test-sidecar.yml
@@ -0,0 +1,54 @@
+name: Test Sidecar Container
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - ready_for_review
+      - synchronize
+
+jobs:
+  run-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 18.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18.12.1
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+      - uses: actions/cache@v3
+        id: yarn-cache
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Install dependencies
+        run: yarn install
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: build sidecar container
+        uses: docker/build-push-action@v5
+        with:
+          context: basic-auth-sidecar
+          push: false
+          tags: "basic-auth-sidecar-test:latest"
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: build sidecar httpie container
+        uses: docker/build-push-action@v5
+        with:
+          context: basic-auth-sidecar
+          file: basic-auth-sidecar/Dockerfile.httpie
+          push: false
+          tags: "basic-auth-sidecar-test-httpie:latest"
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Run sidecar tests
+        run: yarn test:sidecar
diff --git a/basic-auth-sidecar/Dockerfile b/basic-auth-sidecar/Dockerfile
@@ -1,12 +1,83 @@
-FROM nginx:alpine
+FROM nginx:mainline-alpine as builder
+
+ARG ENABLED_MODULES=headers-more
+
+RUN set -ex \
+      && if [ "$ENABLED_MODULES" = "" ]; then \
+      echo "No additional modules enabled, exiting"; \
+      exit 1; \
+      fi
+
+# COPY ./ /modules/ # removed this line as we're not using custom modules, and this line can cause cache invalidation
+
+RUN set -ex \
+      && apk update \
+      && apk add linux-headers openssl-dev pcre2-dev zlib-dev openssl abuild \
+      musl-dev libxslt libxml2-utils make mercurial gcc unzip git \
+      xz g++ coreutils \
+      # allow abuild as a root user \
+      && printf "#!/bin/sh\\nSETFATTR=true /usr/bin/abuild -F \"\$@\"\\n" > /usr/local/bin/abuild \
+      && chmod +x /usr/local/bin/abuild \
+      && hg clone -r ${NGINX_VERSION}-${PKG_RELEASE} https://hg.nginx.org/pkg-oss/ \
+      && cd pkg-oss \
+      && mkdir /tmp/packages \
+      && for module in $ENABLED_MODULES; do \
+      echo "Building $module for nginx-$NGINX_VERSION"; \
+      if [ -d /modules/$module ]; then \
+      echo "Building $module from user-supplied sources"; \
+      # check if module sources file is there and not empty
+      if [ ! -s /modules/$module/source ]; then \
+      echo "No source file for $module in modules/$module/source, exiting"; \
+      exit 1; \
+      fi; \
+      # some modules require build dependencies
+      if [ -f /modules/$module/build-deps ]; then \
+      echo "Installing $module build dependencies"; \
+      apk update && apk add $(cat /modules/$module/build-deps | xargs); \
+      fi; \
+      # if a module has a build dependency that is not in a distro, provide a
+      # shell script to fetch/build/install those
+      # note that shared libraries produced as a result of this script will
+      # not be copied from the builder image to the main one so build static
+      if [ -x /modules/$module/prebuild ]; then \
+      echo "Running prebuild script for $module"; \
+      /modules/$module/prebuild; \
+      fi; \
+      /pkg-oss/build_module.sh -v $NGINX_VERSION -f -y -o /tmp/packages -n $module $(cat /modules/$module/source); \
+      BUILT_MODULES="$BUILT_MODULES $(echo $module | tr '[A-Z]' '[a-z]' | tr -d '[/_\-\.\t ]')"; \
+      elif make -C /pkg-oss/alpine list | grep -E "^$module\s+\d+" > /dev/null; then \
+      echo "Building $module from pkg-oss sources"; \
+      cd /pkg-oss/alpine; \
+      make abuild-module-$module BASE_VERSION=$NGINX_VERSION NGINX_VERSION=$NGINX_VERSION; \
+      apk add $(. ./abuild-module-$module/APKBUILD; echo $makedepends;); \
+      make module-$module BASE_VERSION=$NGINX_VERSION NGINX_VERSION=$NGINX_VERSION; \
+      find ~/packages -type f -name "*.apk" -exec mv -v {} /tmp/packages/ \;; \
+      BUILT_MODULES="$BUILT_MODULES $module"; \
+      else \
+      echo "Don't know how to build $module module, exiting"; \
+      exit 1; \
+      fi; \
+      done \
+      && echo "BUILT_MODULES=\"$BUILT_MODULES\"" > /tmp/packages/modules.env
+
+FROM nginx:mainline-alpine
+COPY --from=builder /tmp/packages /tmp/packages
+RUN set -ex \
+      && . /tmp/packages/modules.env \
+      && for module in $BUILT_MODULES; do \
+      apk add --no-cache --allow-untrusted /tmp/packages/nginx-module-${module}-${NGINX_VERSION}*.apk; \
+      done \
+      && rm -rf /tmp/packages
 
 ENV NGINX_PORT=8080
 
 RUN apk add --no-cache --update \
-      apache2-utils jq
+      apache2-utils \
+      jq
 
 COPY entrypoint.sh /entrypoint.sh
-COPY nginx.conf /etc/nginx/templates/default.conf.template
+COPY default.conf /etc/nginx/templates/default.conf.template
+COPY nginx.conf /etc/nginx/nginx.conf
 
 CMD ["nginx", "-g", "daemon off;"]
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/basic-auth-sidecar/Dockerfile.httpie b/basic-auth-sidecar/Dockerfile.httpie
@@ -0,0 +1,6 @@
+FROM alpine:3.19
+
+RUN apk add --no-cache --update \
+    httpie
+
+CMD ["sleep", "infinity"]
diff --git a/basic-auth-sidecar/default.conf b/basic-auth-sidecar/default.conf
@@ -0,0 +1,29 @@
+server {
+    listen ${NGINX_PORT};
+    server_name ${NGINX_HOST};
+
+    location / {
+      proxy_pass ${PROXY_PASS};
+
+      satisfy any;
+
+      real_ip_header X-Forwarded-For;
+      real_ip_recursive on;
+      include /etc/nginx/trusted-proxies.conf;
+
+      include /etc/nginx/allow-list.conf;
+      deny all;
+
+      auth_basic "Restricted";
+      auth_basic_user_file /etc/nginx/.htpasswd;
+
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header Authorization "";
+      proxy_redirect off;
+    }
+
+    location /healthcheck {
+        more_set_headers 'Content-Type: text/plain';
+        return 200 'OK';
+    }
+}
diff --git a/basic-auth-sidecar/entrypoint.sh b/basic-auth-sidecar/entrypoint.sh
@@ -1,5 +1,7 @@
-#!/bin/sh
-set -euo
+#!/bin/ash
+# shellcheck shell=dash
+
+set -euo pipefail
 
 if [ -z "$BASIC_AUTH_USERNAME" ]; then
   echo >&2 "BASIC_AUTH_USERNAME must be set"

diff --git a/basic-auth-sidecar/nginx.conf b/basic-auth-sidecar/nginx.conf
@@ -1,29 +1,35 @@
-server {
-    listen ${NGINX_PORT};
-    server_name ${NGINX_HOST};
+user  nginx;
+worker_processes  auto;
 
-    location / {
-      proxy_pass ${PROXY_PASS};
+load_module /etc/nginx/modules/ngx_http_headers_more_filter_module.so;
 
-      satisfy any;
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
 
-      real_ip_header X-Forwarded-For;
-      real_ip_recursive on;
-      include /etc/nginx/trusted-proxies.conf;
 
-      include /etc/nginx/allow-list.conf;
-      deny all;
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    server_tokens off;
+    more_clear_headers 'Server';
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
 
-      auth_basic "Restricted";
-      auth_basic_user_file /etc/nginx/.htpasswd;
+    keepalive_timeout  65;
 
-      proxy_set_header X-Forwarded-Host $host;
-      proxy_set_header Authorization "";
-      proxy_redirect off;
-    }
+    #gzip  on;
 
-    location /healthcheck {
-        add_header Content-Type text/plain;
-        return 200 'OK';
-    }
+    include /etc/nginx/conf.d/*.conf;
 }
diff --git a/package.json b/package.json
@@ -26,6 +26,7 @@
     "test:integration": "rm -rf test/coverage && NODE_ENV=development nyc mocha -r dotenv/config  \"src/**/*-integration.test.ts\"",
     "test:integration-no-clear-cov": "NODE_ENV=development nyc --no-clean mocha -r dotenv/config  \"src/**/*-integration.test.ts\"",
     "test:integration-nocov": "NODE_ENV=development mocha -r dotenv/config  \"src/**/*-integration.test.ts\"",
+    "test:sidecar": "mocha --exclude \"src/**/*-integration.test.ts\"  \"test/basic-auth-sidecar/*.test.ts\"",
     "test:unit": "rm -rf test/coverage && NODE_ENV=development nyc mocha --exclude \"src/**/*-integration.test.ts\"  \"test/unit/**/*.test.ts\" --recursive \"src/**/*.test.ts\"",
     "test:unit-nocov": "NODE_ENV=development mocha --exclude \"src/**/*-integration.test.ts\"  \"test/unit/**/*.test.ts\" --recursive \"src/**/*.test.ts\"",
     "test:u1": "rm -rf test/coverage && NODE_ENV=development nyc mocha --exclude \"src/**/*-integration.test.ts\" --recursive \"src/**/your-test*.test.ts\"",
@@ -103,6 +104,7 @@
     "@types/cheerio": "^0.22.31",
     "@types/cookie-parser": "^1.4.2",
     "@types/csurf": "^1.11.2",
+    "@types/debug": "^4.1.12",
     "@types/express": "^4.17.13",
     "@types/express-session": "^1.17.4",
     "@types/i18next-fs-backend": "^1.1.1",
@@ -120,9 +122,11 @@
     "@typescript-eslint/parser": "^7.1.0",
     "chai": "^4.3.6",
     "chai-as-promised": "^7.1.1",
+    "chai-http": "^4.4.0",
     "cheerio": "^1.0.0-rc.10",
     "concurrently": "^8.2.2",
     "copyfiles": "^2.4.1",
+    "debug": "^4.3.4",
     "decache": "^4.6.1",
     "dotenv": "^16.4.1",
     "eslint": "^8.57.0",
@@ -140,6 +144,7 @@
     "sinon": "^13.0.1",
     "sinon-chai": "^3.7.0",
     "supertest": "^6.3.4",
+    "testcontainers": "^10.7.2",
     "ts-node": "^10.5.0",
     "typescript": "^4.5.4",
     "uglify-js": "^3.14.5"