Merge branch 'memory-allocation' into dev

.github/workflows/cd.yaml

@@ -103,6 +103,7 @@ jobs:
         ecr-role: ${{ secrets.STAGING_ECR_ROLE_TO_ASSUME }}
         ecr-region: ${{ secrets.STAGING_ECR_REGION }}
         ecr-repo: ${{ secrets.STAGING_ECR_REPO }}
+        domain: 'staging.websitebuilder.service.justice.gov.uk'        
         sentry-dsn: ${{ vars.PHP_DSN }}
         domain: 'staging.websitebuilder.service.justice.gov.uk'
         env-type: ${{ vars.ENV_TYPE }}

.github/workflows/rw-build-image.yaml

@@ -140,7 +140,6 @@ jobs:
             wordpress/wp-content/themes/hale/node_modules
             wordpress/wp-content/themes/hale-dash/node_modules
             wordpress/wp-content/themes/hale-showcase/node_modules
-            wordpress/wp-content/themes/brookhouse/node_modules
             wordpress/wp-content/themes/lawcom/node_modules
             wordpress/wp-content/themes/justicejobs/node_modules
             wordpress/wp-content/themes/ppo/node_modules
@@ -152,7 +151,7 @@ jobs:
 
       - name: Run NPM
         run: |
-          for theme in hale hale-dash hale-showcase brookhouse lawcom justicejobs ppo sifocc imbmembers; do
+          for theme in hale hale-dash hale-showcase lawcom justicejobs ppo sifocc imbmembers; do
             npm install --prefix ./wordpress/wp-content/themes/$theme
             npm run production --if-present --prefix ./wordpress/wp-content/themes/$theme
           done

bin/build.sh

@@ -58,8 +58,6 @@ while true; do
             echo -e '######################\n'
             npm install --prefix ./wordpress/wp-content/themes/hale
             npm run production --if-present --prefix ./wordpress/wp-content/themes/hale
-            npm install --prefix ./wordpress/wp-content/themes/brookhouse
-            npm run production --if-present --prefix ./wordpress/wp-content/themes/brookhouse
             npm install --prefix ./wordpress/wp-content/themes/lawcom
             npm run production --if-present --prefix ./wordpress/wp-content/themes/lawcom
             npm install --prefix ./wordpress/wp-content/themes/justicejobs

composer.json

@@ -46,7 +46,7 @@
         "ministryofjustice/footnotes-made-easy": "^2.0",
         "ministryofjustice/hale": "dev-latest-item-authorization",
         "ministryofjustice/hale-components": "1.3.2",
-        "ministryofjustice/hale-dash": "1.1.5",
+        "ministryofjustice/hale-dash": "1.1.7",
         "ministryofjustice/hale-showcase": "1.1.10",
         "ministryofjustice/imbmembers": "dev-main",
         "ministryofjustice/justicejobs": "dev-main",
@@ -69,6 +69,7 @@
         "wpackagist-plugin/duplicate-post": "^4.0",
         "wpackagist-plugin/ewww-image-optimizer": "^7.0",
         "wpackagist-plugin/expandable-menus": "^2.0",
+        "wpackagist-plugin/limit-login-attempts-reloaded": " ^2.26.0",
         "wpackagist-plugin/melapress-login-security": "^1.0",
         "wpackagist-plugin/option-tree": "^2.0",
         "wpackagist-plugin/query-monitor": "^3.0",

helm_deploy/wordpress/templates/deployment.yaml

@@ -36,6 +36,13 @@ spec:
         - image: {{ .Values.wp.image.repository }}
           imagePullPolicy: {{ .Values.wp.image.imagePullPolicy }}
           name: wordpress
+          resources:
+            requests:
+              cpu: {{ .Values.wp.resources.(.Values.configmap.envtype).requests.cpu }}
+              memory: {{ .Values.wp.resources.(.Values.configmap.envtype).requests.memory }}
+            limits:
+              cpu: {{ .Values.wp.resources.(.Values.configmap.envtype).limits.cpu }}
+              memory: {{ .Values.wp.resources.(.Values.configmap.envtype).limits.memory }}
           env:
             - name: PHP_INI_SCAN_DIR
               value: :/usr/local/etc/php/conf.custom
@@ -52,22 +59,6 @@ spec:
             - secretRef:
                 name: hale-wp-secrets-{{ .Release.Revision }}
 {{- if or (eq .Values.configmap.envtype "prod") (eq .Values.configmap.envtype "staging") }}
-          # livenessProbe:
-          #   exec:
-          #     command:
-          #     - sh
-          #     - -c
-          #     - |
-          #       if [ -f /var/www/html/wp-load.php ]; then
-          #         exit 0
-          #       else
-          #         exit 1
-          #       fi
-          #   initialDelaySeconds: 120
-          #   periodSeconds: 10
-          #   timeoutSeconds: 5
-          #   failureThreshold: 6
-          #   successThreshold: 1
           readinessProbe:
             exec:
               command:
@@ -89,6 +80,13 @@ spec:
         - name: nginx
           image: {{ .Values.nginx.image.repository }}
           imagePullPolicy: {{ .Values.nginx.image.imagePullPolicy }}
+          resources:
+            requests:
+              cpu: {{ .Values.nginx.resources.(.Values.configmap.envtype).requests.cpu }}
+              memory: {{ .Values.nginx.resources.(.Values.configmap.envtype).requests.memory }}
+            limits:
+              cpu: {{ .Values.nginx.resources.(.Values.configmap.envtype).limits.cpu }}
+              memory: {{ .Values.nginx.resources.(.Values.configmap.envtype).limits.memory }}
           ports:
             - containerPort: 8080
           volumeMounts:

helm_deploy/wordpress/templates/ingress.yaml

@@ -17,18 +17,27 @@ metadata:
         tag:github_team=hale-platform,\
         tag:environment=hale-platform-{{ .Values.configmap.envtype }}"
       # Limit ModSecurity excemptions to only the options page - these rules were breaking the hale components plugin
-      SecRule REQUEST_URI "@contains /wp-admin/options.php" \
+      SecRule REQUEST_URI "@contains /wp-admin/" \
         "id:1001,\
         phase:2,\
         pass,\
+        nolog,\
+         ctl:ruleRemoveById=932110,\
+         ctl:ruleRemoveById=932130,\
+         ctl:ruleRemoveById=941180
+      # Limit ModSecurity excemptions to only the options page - these rules were breaking the hale components plugin
+      SecRule REQUEST_URI "@contains /wp-admin/options.php" \
+        "id:1002,\
+        phase:2,\
+        pass,\
         nolog,\
          ctl:ruleRemoveById=921130,\
          ctl:ruleRemoveById=941100,\
          ctl:ruleRemoveById=941140,\
          ctl:ruleRemoveById=941160
       # Limit ModSecurity excemptions to only the WP API
       SecRule REQUEST_URI "@contains /wp-json/" \
-        "id:1000,\
+        "id:1003,\
         phase:2,\
         pass,\
         nolog,\
@@ -51,25 +60,27 @@ metadata:
         ctl:ruleRemoveById=942320"  
       # Limit ModSecurity excemptions to the wp-admin/post.php endpoint
       SecRule REQUEST_URI "@contains /wp-admin/post.php" \
-        "id:1002,\
+        "id:1004,\
         phase:2,\
         pass,\
         nolog,\
+        ctl:ruleRemoveById=921110,\
         ctl:ruleRemoveById=941100,\
         ctl:ruleRemoveById=941160"
       # Limit ModSecurity excemptions to the wp-admin/nav-menus.php endpoint
       SecRule REQUEST_URI "@contains /wp-admin/nav-menus.php" \
-        "id:1003,\
+        "id:1005,\
         phase:2,\
         pass,\
         nolog,\
         ctl:ruleRemoveById=921110"
       # Limit ModSecurity excemptions to the wp-admin/admin-ajax.php endpoint
       SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
-        "id:1004,\
+        "id:1006,\
         phase:2,\
         pass,\
         nolog,\
+        ctl:ruleRemoveById=921110,\
         ctl:ruleRemoveById=941100,\
         ctl:ruleRemoveById=941160"
     {{- if eq .Values.configmap.envtype "staging" }}
@@ -109,6 +120,18 @@ metadata:
       if ($host = 'www.advance-into-justice.service.justice.gov.uk') {
         return 301 https://prisonandprobationjobs.gov.uk/roles-at-hmpps/jobs-for-veterans;
       }
+      if ($host = 'iapondeathsincustody.org') {
+        return 301 https://iapdeathsincustody.independent.gov.uk;
+      }
+      if ($host = 'www.iapondeathsincustody.org') {
+        return 301 https://iapdeathsincustody.independent.gov.uk;
+      }
+      if ($host = 'brookhouseinquiry.org.uk') {
+        return 301 https://webarchive.nationalarchives.gov.uk/ukgwa/20241002135959/https://brookhouseinquiry.org.uk/;
+      }
+      if ($host = 'www.brookhouseinquiry.org.uk') {
+        return 301 https://webarchive.nationalarchives.gov.uk/ukgwa/20241002135959/https://brookhouseinquiry.org.uk/;
+      }
 spec:
   ingressClassName: modsec
   tls:

helm_deploy/wordpress/values.yaml

@@ -11,6 +11,37 @@ nginx:
   image:
     repository: ""
     imagePullPolicy: Always
+
+  # Apply pod level resource allocation
+  resources:
+    dev:
+      limits:
+        cpu: "300m"
+        memory: "200Mi" 
+      requests:
+        cpu: "50m"
+        memory: "100Mi"
+    demo:
+      limits:
+        cpu: "300m"
+        memory: "150Mi"
+      requests:
+        cpu: "50m"
+        memory: "100Mi"
+    staging:
+      limits:
+        cpu: "300m"
+        memory: "150Mi"
+      requests:
+        cpu: "50m"
+        memory: "150Mi"
+    prod:
+      requests:
+        cpu: "100m"
+        memory: "300Mi"
+      limits:
+        cpu: "200m"
+        memory: "500Mi"
 
 wp:
   image:
@@ -23,6 +54,37 @@ wp:
       staging: 2
       dev: 1
       demo: 2
+
+  # Apply pod level resource allocation
+  resources:
+    dev:
+      limits:
+        cpu: "700m"
+        memory: "1800Mi"
+      requests:
+        cpu: "150m"
+        memory: "1500Mi"
+    demo:
+      limits:
+        cpu: "700m"
+        memory: "1800Mi"
+      requests:
+        cpu: "150m"
+        memory: "1500Mi"
+    staging:
+      limits:
+        cpu: "700m"
+        memory: "1800Mi"
+      requests:
+        cpu: "150m"
+        memory: "1500Mi"
+    prod:
+      requests:
+        cpu: "500m"
+        memory: "1500Mi"
+      limits:
+        cpu: "1000m"
+        memory: "2500Mi"
 
 hpa:
   enabled: true
@@ -119,6 +181,14 @@ ingress:
       certName: andrewmalkinson-cert
     - name: www.andrewmalkinson.independent-inquiry.uk
       certName: andrewmalkinson-www-cert
+    - name: cjji.justiceinspectorates.gov.uk
+      certName: justiceinspectorates-cjji-cert
+    - name: www.cjji.justiceinspectorates.gov.uk
+      certName: justiceinspectorates-cjji-www-cert
+    - name: hmcpsi.justiceinspectorates.gov.uk
+      certName: justiceinspectorates-hmcpsi-cert
+    - name: www.hmcpsi.justiceinspectorates.gov.uk
+      certName: justiceinspectorates-hmcpsi-www-cert
     - name: hmiprisons.justiceinspectorates.gov.uk
       certName: justiceinspectorates-hmiprisons-cert
     - name: intranet.hmiprisons.justiceinspectorates.gov.uk
@@ -147,6 +217,10 @@ ingress:
       certName: iapdc-cert
     - name: www.iapondeathsincustody.org
       certName: iapdc-www-cert
+    - name: iapdeathsincustody.independent.gov.uk
+      certName: iapdci-cert
+    - name: www.iapdeathsincustody.independent.gov.uk
+      certName: iapdci-www-cert
     - name: legalaidlearning.justice.gov.uk
       certName: legalaidlearning-cert
     - name: www.legalaidlearning.justice.gov.uk