[AUT-1984] Another attempt at getting the sidecar deployed #1470

merged 4 commits into from
Apr 10, 2024
2 changes: 2 additions & 0 deletions .github/workflows/pre-merge-checks.yml
Expand Up @@ -36,6 +36,8 @@ jobs:
run: yarn lint
- name: Build app
run: yarn build
- name: Run sidecar tests
run: yarn test:sidecar
- name: Run unit tests
run: yarn test:unit
- name: Run integration tests
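--- a/.github/workflows/test-sidecar.yml
+++ b/.github/workflows/test-sidecar.yml
@@ -0,0 +1,23 @@
+name: Test Sidecar Container
+on:
+pull_request:
+types:
+- opened
+- reopened
+- ready_for_review
+- synchronize
+
+jobs:
+run-tests:
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+- name: Use Node.js 18.x
+uses: actions/setup-node@v4
+with:
+node-version: 18.12.1
+- name: Install dependencies
+run: yarn install
+- name: Run sidecar tests
+run: yarn test:sidecar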
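Review bot: `run: yarn install` in the "Install dependencies" step runs without a lockfile guard, so a CI run can resolve dependency versions that differ from the committed lockfile — including the new `testcontainers` and `chai-http` entries this PR adds to package.json; `run: yarn install --frozen-lockfile` (`--immutable` on Yarn 2+) keeps the job pinned to what was reviewed. The same `yarn test:sidecar` step is also added to pre-merge-checks.yml in this PR, so the sidecar suite runs twice per pull request; if that is intended, a one-line comment at the top of this workflow saying why would save the next reader the question. The step name `Use Node.js 18.x` undersells `node-version: 18.12.1`; `Use Node.js 18.12.1` matches what is actually installed.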
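--- a/basic-auth-sidecar/Caddyfile
+++ b/basic-auth-sidecar/Caddyfile
@@ -0,0 +1,30 @@
+{
+http_port {$NGINX_PORT}
+admin off
+auto_https off
+persist_config off
+servers {$NGINX_HOST}:{$NGINX_PORT} {
+trusted_proxies static {$TRUSTED_PROXIES_IPS}
+}
+}
+
+{$NGINX_HOST}:{$NGINX_PORT} {
+log {
+output stdout
+format json
+}
+@basicauth not client_ip {$IP_BLOCK_MATCHER}
+
+handle /healthcheck {
+respond "OK" 200
+}
+
+handle /* {
+basicauth @basicauth {
+{$BASIC_AUTH_USERNAME} {$HASHED_PASSWORD}
+}
+reverse_proxy {$PROXY_PASS} {
+header_up -Authorization
+}
+}
+}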
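Review bot: The bypass matcher `@basicauth not client_ip {$IP_BLOCK_MATCHER}` only sees the real client address when the upstream proxy is listed in `trusted_proxies static {$TRUSTED_PROXIES_IPS}`; with that list empty, `client_ip` is the address of whatever connects directly (the load balancer), so a bypass range that happens to cover that subnet would exempt every request from authentication. That coupling is not visible from this file, so a comment on the matcher line is worth adding, e.g. `# auth is skipped only for client_ip ranges in IP_BLOCK_MATCHER; X-Forwarded-For is honoured only from TRUSTED_PROXIES_IPS`. `header_up -Authorization` on the reverse_proxy is the right call — the sidecar's credential never reaches the app — and a one-line comment saying so would stop a future reader from removing it as unnecessary. `{$NGINX_HOST}` and `{$NGINX_PORT}` keep the nginx names although the sidecar now runs Caddy; renaming is cosmetic but the Dockerfile and ecs.tf would need to follow, so at least note the mismatch.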
10 changes: 5 additions & 5 deletions basic-auth-sidecar/Dockerfile
@@ -1,12 +1,12 @@
FROM nginx:alpine
FROM caddy:2.7-alpine

ENV NGINX_PORT=8080

RUN apk add --no-cache --update \
apache2-utils jq
RUN apk add --no-cache --update jq

COPY entrypoint.sh /entrypoint.sh
COPY nginx.conf /etc/nginx/templates/default.conf.template

CMD ["nginx", "-g", "daemon off;"]
COPY Caddyfile /etc/caddy/Caddyfile

CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
ENTRYPOINT ["/entrypoint.sh"]
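Review bot: `FROM caddy:2.7-alpine` is a floating tag, so the sidecar's base image can change under a rebuild while ecs.tf pins the sidecar itself by `var.sidecar_image_digest`; pinning the base the same way, `FROM caddy:2.7-alpine@sha256:<digest-from-registry>` (placeholder), makes the build reproducible end to end. `ENV NGINX_PORT=8080` keeps its nginx name although it is now consumed by the Caddyfile's `{$NGINX_PORT}`; a comment such as `# listening port; name kept for compatibility with existing task definitions` would explain why it was not renamed. `jq` is still installed only so entrypoint.sh can join JSON arrays into a space-separated list — fine, but a comment on the `RUN apk add` line would stop it being removed as a leftover from the nginx image.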
28 changes: 17 additions & 11 deletions basic-auth-sidecar/entrypoint.sh
@@ -1,31 +1,37 @@
#!/bin/sh
set -euo

if [ -z "$BASIC_AUTH_USERNAME" ]; then
if [ -z "${BASIC_AUTH_USERNAME}" ]; then
echo >&2 "BASIC_AUTH_USERNAME must be set"
exit 1
fi

if [ -z "$BASIC_AUTH_PASSWORD" ]; then
if [ -z "${BASIC_AUTH_PASSWORD}" ]; then
echo >&2 "BASIC_AUTH_PASSWORD must be set"
exit 1
fi

if [ -z "$PROXY_PASS" ]; then
if [ -z "${PROXY_PASS}" ]; then
echo >&2 "PROXY_PASS must be set"
exit 1
fi

touch /etc/nginx/allow-list.conf
if [ -n "$IP_ALLOW_LIST" ]; then
echo "${IP_ALLOW_LIST}" | jq -r '"allow " + .[] + ";"' >>/etc/nginx/allow-list.conf
IP_BLOCK_MATCHER="private_ranges"
if [ -n "${IP_ALLOW_LIST:-}" ]; then
IP_BLOCK_MATCHER="$(echo "${IP_ALLOW_LIST}" | jq -r '. | join(" ")')"
fi
unset IP_ALLOW_LIST
export IP_BLOCK_MATCHER

touch /etc/nginx/trusted-proxies.conf
if [ -n "$TRUSTED_PROXIES" ]; then
echo "${TRUSTED_PROXIES}" | jq -r '"set_real_ip_from " + .[] + ";"' >>/etc/nginx/trusted-proxies.conf
TRUSTED_PROXIES_IPS=""
if [ -n "${TRUSTED_PROXIES:-}" ]; then
TRUSTED_PROXIES_IPS="$(echo "${TRUSTED_PROXIES}" | jq -r '. | join(" ")')"
fi
unset TRUSTED_PROXIES
export TRUSTED_PROXIES_IPS

htpasswd -bBc /etc/nginx/.htpasswd "${BASIC_AUTH_USERNAME}" "${BASIC_AUTH_PASSWORD}"
HASHED_PASSWORD="$(caddy hash-password --plaintext "${BASIC_AUTH_PASSWORD}")"
unset BASIC_AUTH_PASSWORD
export HASHED_PASSWORD

exec /docker-entrypoint.sh "$@"
exec "$@"
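Review bot: `IP_BLOCK_MATCHER="private_ranges"` is a fail-open default: when `IP_ALLOW_LIST` is unset the sidecar exempts every RFC1918 client from basic auth, and if `TRUSTED_PROXIES` is also unset Caddy's `client_ip` resolves to the load balancer's private address, so every request is exempt. Failing closed is the safer default — `IP_BLOCK_MATCHER=""`, which is the same value the Terraform `"[]"` path already produces (so the Caddyfile presumably tolerates an empty matcher list; confirm with the sidecar tests) — and let deployments opt in to a bypass list explicitly. `caddy hash-password --plaintext "${BASIC_AUTH_PASSWORD}"` puts the secret on argv, where any process in the container can read it via `/proc` for the duration of the call; `caddy hash-password` reads the plaintext from stdin when `--plaintext` is omitted and stdin is not a terminal, so `HASHED_PASSWORD="$(printf '%s' "${BASIC_AUTH_PASSWORD}" | caddy hash-password)"` avoids that. The unchanged context line `set -euo` leaves `-o` without an option name, which on busybox sh prints the option table to stdout rather than enabling anything; `set -eu` is what was meant.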
29 changes: 0 additions & 29 deletions basic-auth-sidecar/nginx.conf

This file was deleted.

22 changes: 17 additions & 5 deletions ci/terraform/ecs.tf
Expand Up @@ -6,8 +6,14 @@ locals {
application_port = var.basic_auth_password == "" ? var.app_port : local.nginx_port

frontend_container_definition = {
name = local.container_name
image = "${var.image_uri}:${var.image_tag}@${var.image_digest}"
name = local.container_name
image = "${var.image_uri}:${var.image_tag}@${var.image_digest}"

cpu = 0
mountpoints = []
systemControls = []
volumesFrom = []

essential = true
logConfiguration = {
logDriver = "awslogs"
Expand Down Expand Up @@ -179,8 +185,14 @@ locals {
}

sidecar_container_definition = {
name = "nginx-sidecar"
image = "${var.sidecar_image_uri}:${var.sidecar_image_tag}@${var.sidecar_image_digest}"
name = "nginx-sidecar"
image = "${var.sidecar_image_uri}:${var.sidecar_image_tag}@${var.sidecar_image_digest}"

cpu = 0
mountpoints = []
systemControls = []
volumesFrom = []

essential = true
logConfiguration = {
logDriver = "awslogs"
Expand Down Expand Up @@ -219,7 +231,7 @@ locals {
},
{
name = "IP_ALLOW_LIST"
value = length(var.basic_auth_bypass_cidr_blocks) == 0 ? "" : jsonencode(var.basic_auth_bypass_cidr_blocks)
value = length(var.basic_auth_bypass_cidr_blocks) == 0 ? "[]" : jsonencode(var.basic_auth_bypass_cidr_blocks)
},
{
name = "TRUSTED_PROXIES"
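Review bot: The `IP_ALLOW_LIST` value change from `""` to `"[]"` is security-relevant and deserves a comment: entrypoint.sh falls back to `private_ranges` (an auth bypass for every RFC1918 client) only when the variable is empty, so `"[]"` is what keeps the bypass list genuinely empty; suggest `# "[]" not "": an empty string makes the sidecar fall back to bypassing auth for private_ranges`. If `BASIC_AUTH_PASSWORD` is handed to the container through `environment` like the entries visible here (that line is outside the hunk), the plaintext password sits in the task definition and is readable via `describe-task-definition`; the ECS `secrets` block with a Secrets Manager or SSM ARN keeps it out. The container `name = "nginx-sidecar"` now runs Caddy; renaming touches the running service, so a comment noting the mismatch is the cheap option. The added `cpu = 0`, `mountpoints = []`, `systemControls = []`, `volumesFrom = []` look like they exist to match what ECS echoes back and avoid a perpetual plan diff — if so, say that in a comment, and confirm the provider accepts `mountpoints` given the ECS key is `mountPoints`.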
4 changes: 4 additions & 0 deletions docker-compose.yml
Expand Up @@ -59,3 +59,7 @@ services:

networks:
di-net:
ingress:
ipam:
config:
- subnet: 172.100.0.0/16
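Review bot: `subnet: 172.100.0.0/16` is not an RFC1918 range (172.16.0.0/12 ends at 172.31.255.255), which presumably is the point — a test client on this network is not matched by the sidecar's `private_ranges` fallback, so the basic-auth path is actually exercised. That reasoning is invisible here and the value reads like a typo for a 172.16–172.31 subnet, so it should be written down: `# deliberately outside RFC1918 so the sidecar's private_ranges auth bypass does not apply to test clients`. Because the range is publicly routable, Docker will shadow any real route to 172.100.0.0/16 on the developer host while the network exists; the benchmarking range 198.18.0.0/15 is the usual choice for a non-private, non-routed test subnet (confirm it is outside Caddy's `private_ranges`).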
3 changes: 3 additions & 0 deletions package.json
Expand Up @@ -26,6 +26,7 @@
"test:integration": "rm -rf test/coverage && NODE_ENV=development nyc mocha -r dotenv/config \"src/**/*-integration.test.ts\"",
"test:integration-no-clear-cov": "NODE_ENV=development nyc --no-clean mocha -r dotenv/config \"src/**/*-integration.test.ts\"",
"test:integration-nocov": "NODE_ENV=development mocha -r dotenv/config \"src/**/*-integration.test.ts\"",
"test:sidecar": "mocha --exclude \"src/**/*-integration.test.ts\" \"test/basic-auth-sidecar/*.test.ts\"",
"test:unit": "rm -rf test/coverage && NODE_ENV=development nyc mocha --exclude \"src/**/*-integration.test.ts\" \"test/unit/**/*.test.ts\" --recursive \"src/**/*.test.ts\"",
"test:unit-nocov": "NODE_ENV=development mocha --exclude \"src/**/*-integration.test.ts\" \"test/unit/**/*.test.ts\" --recursive \"src/**/*.test.ts\"",
"test:u1": "rm -rf test/coverage && NODE_ENV=development nyc mocha --exclude \"src/**/*-integration.test.ts\" --recursive \"src/**/your-test*.test.ts\"",
Expand Down Expand Up @@ -117,6 +118,7 @@
"@typescript-eslint/parser": "^7.1.0",
"chai": "^4.3.6",
"chai-as-promised": "^7.1.1",
"chai-http": "^4.4.0",
"cheerio": "^1.0.0-rc.10",
"concurrently": "^8.2.2",
"copyfiles": "^2.4.1",
Expand All @@ -137,6 +139,7 @@
"sinon": "^13.0.1",
"sinon-chai": "^3.7.0",
"supertest": "^6.3.4",
"testcontainers": "^10.7.2",
"ts-node": "^10.5.0",
"typescript": "^4.5.4",
"uglify-js": "^3.14.5"
67 changes: 52 additions & 15 deletions scripts/dev_deploy_common.sh
Expand Up @@ -6,9 +6,16 @@ set -euo pipefail
exit 1
}

IMAGE_TAG=latest

REPO_NAME="frontend-image-repository"
REPO_URL="706615647326.dkr.ecr.eu-west-2.amazonaws.com/frontend-image-repository"
IMAGE_TAG=latest

SIDECAR_REPO_NAME="basic-auth-sidecar-image-repository"
SIDECAR_REPO_URL="706615647326.dkr.ecr.eu-west-2.amazonaws.com/basic-auth-sidecar-image-repository"
BASIC_AUTH_USERNAME="${BASIC_AUTH_USERNAME:-testuser}"
BASIC_AUTH_PASSWORD="${BASIC_AUTH_PASSWORD:-testpassword}"
BASIC_AUTH_BYPASS_CIDR_BLOCKS="${BASIC_AUTH_BYPASS_CIDR_BLOCKS:-[]}"

function usage() {
cat <<USAGE
Expand All @@ -20,6 +27,7 @@ function usage() {

Options:
-b, --build run docker build and push new version (default)
-s, --sidecar run docker build and push new sidecar version
-t, --terraform run terraform to deploy changes (default)
--destroy run terraform with the -destroy flag (destroys all managed resources)
-p, --prompt will prompt for plan review before applying any terraform
Expand All @@ -29,8 +37,9 @@ USAGE
}

BUILD=0
SIDECAR=0
TERRAFORM=0
TERRAFORM_OPTS="-auto-approve"
TERRAFORM_OPTS=("-auto-approve")
if [[ $# == 0 ]]; then
BUILD=1
TERRAFORM=1
Expand All @@ -45,10 +54,13 @@ while [[ $# -gt 0 ]]; do
TERRAFORM=1
;;
--destroy)
TERRAFORM_OPTS="-destroy"
TERRAFORM_OPTS=("-destroy")
;;
-p | --prompt)
TERRAFORM_OPTS=""
TERRAFORM_OPTS=()
;;
-s | --sidecar)
SIDECAR=1
;;
*)
usage
Expand All @@ -70,21 +82,35 @@ aws ecr get-login-password --region eu-west-2 |
docker login --username AWS --password-stdin "${REPO_URL}"

if [[ $BUILD == "1" ]]; then
echo "Building image..."
docker buildx build --platform=linux/amd64 --file sandpit.Dockerfile -t "${REPO_NAME}" .
echo "Tagging image..."
docker tag "${REPO_NAME}:latest" "${REPO_URL}:${IMAGE_TAG}"
echo "Building frontend image..."
docker buildx build --platform=linux/amd64 --file sandpit.Dockerfile \
-t "${REPO_NAME}:latest" \
-t "${REPO_URL}:${IMAGE_TAG}" \
.

echo "Pushing image..."
echo "Pushing frontend image..."
docker push "${REPO_URL}:${IMAGE_TAG}"
IMAGE_DIGEST="$(docker inspect "${REPO_URL}:${IMAGE_TAG}" | jq -r '.[0].RepoDigests[0] | split("@") | .[1]')"
echo "Digest = ${IMAGE_DIGEST}"
echo "Complete"

if [[ "${SIDECAR}" == "1" ]]; then
echo "Building sidecar image..."
docker buildx build --platform=linux/amd64 \
-t "${SIDECAR_REPO_NAME}:latest" \
-t "${SIDECAR_REPO_URL}:${IMAGE_TAG}" \
basic-auth-sidecar

echo "Pushing sidecar image..."
docker push "${SIDECAR_REPO_URL}:${IMAGE_TAG}"
echo "Complete"
fi
else
docker pull "${REPO_URL}:${IMAGE_TAG}"
IMAGE_DIGEST="$(docker inspect "${REPO_URL}:${IMAGE_TAG}" | jq -r '.[0].RepoDigests[0] | split("@") | .[1]')"
[[ "${SIDECAR}" == "1" ]] && docker pull "${SIDECAR_REPO_URL}:${IMAGE_TAG}"
fi

IMAGE_DIGEST="$(docker inspect "${REPO_URL}:${IMAGE_TAG}" | jq -r '.[0].RepoDigests[0] | split("@") | .[1]')"
[[ "${SIDECAR}" == "1" ]] && SIDECAR_IMAGE_DIGEST="$(docker inspect "${SIDECAR_REPO_URL}:${IMAGE_TAG}" | jq -r '.[].RepoDigests[0] | split("@") | .[1]')"

if [[ $TERRAFORM == "1" ]]; then
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
Expand All @@ -97,14 +123,25 @@ if [[ $TERRAFORM == "1" ]]; then
pushd "${DIR}/ci/terraform" >/dev/null
rm -rf .terraform/
terraform init -backend-config="${DEPLOY_ENV}.hcl"
terraform apply ${TERRAFORM_OPTS} -var-file "${DEPLOY_ENV}.tfvars" -var "image_uri=${REPO_URL}" -var "image_digest=${IMAGE_DIGEST}"

if [[ $TERRAFORM_OPTS != "-destroy" ]]; then
TERRAFORM_OPTS+=("-var-file" "${DEPLOY_ENV}.tfvars" "-var" "image_uri=${REPO_URL}" "-var" "image_digest=${IMAGE_DIGEST}")
[[ "${SIDECAR}" == "1" ]] &&
TERRAFORM_OPTS+=(
"-var" "sidecar_image_uri=${SIDECAR_REPO_URL}"
"-var" "sidecar_image_digest=${SIDECAR_IMAGE_DIGEST}"
"-var" "basic_auth_username=${BASIC_AUTH_USERNAME}"
"-var" "basic_auth_password=${BASIC_AUTH_PASSWORD}"
"-var" "basic_auth_bypass_cidr_blocks=${BASIC_AUTH_BYPASS_CIDR_BLOCKS:-[]}")

terraform apply "${TERRAFORM_OPTS[@]}"

if [[ "${TERRAFORM_OPTS[1]}" != "-destroy" ]]; then
echo -n "Waiting for ECS deployment to complete ... "
aws ecs wait services-stable --services "${DEPLOY_ENV}-frontend-ecs-service" --cluster "${DEPLOY_ENV}-app-cluster"
echo "done!"
fi
popd >/dev/null
fi

[[ "${SIDECAR}" == "1" ]] && echo "Basic auth credentials: testuser/testpassword"

echo "Deployment complete!"
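Review bot: `if [[ "${TERRAFORM_OPTS[1]}" != "-destroy" ]]` tests the wrong element: `--destroy` sets `TERRAFORM_OPTS=("-destroy")` so the flag is at index 0, and the `+=` a few lines above puts `-var-file` at index 1, so the condition is always true and `aws ecs wait services-stable` runs against a service that has just been destroyed (the old string comparison checked the whole value); `if [[ "${TERRAFORM_OPTS[0]}" != "-destroy" ]]; then` fixes it, or better, set a `DESTROY=1` flag in the option parser and test that — note the enclosing `if [[ $TERRAFORM == "1" ]]` block opens in the previous hunk. `-var "basic_auth_password=${BASIC_AUTH_PASSWORD}"` puts the password on the terraform command line where it shows in `ps` and shell history; exporting `TF_VAR_basic_auth_password` instead keeps it out of argv. The final `echo "Basic auth credentials: testuser/testpassword"` prints the literal defaults even when `BASIC_AUTH_USERNAME`/`BASIC_AUTH_PASSWORD` were overridden, and the defaults themselves mean a `-s` deploy with neither variable set publishes a guessable credential on a real environment; printing `${BASIC_AUTH_USERNAME}` only and requiring the password with `: "${BASIC_AUTH_PASSWORD:?set BASIC_AUTH_PASSWORD for a sidecar deploy}"` when `SIDECAR=1` closes both. The sidecar digest line uses the filter `.[].RepoDigests[0]` where the frontend line uses `.[0].RepoDigests[0]`; aligning them avoids a multi-line value should `docker inspect` ever return more than one object.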