diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index 9999adb..1b26f65 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -103,6 +103,7 @@ jobs:
 ecr-role: ${{ secrets.STAGING_ECR_ROLE_TO_ASSUME }}
 ecr-region: ${{ secrets.STAGING_ECR_REGION }}
 ecr-repo: ${{ secrets.STAGING_ECR_REPO }}
+ domain: 'staging.websitebuilder.service.justice.gov.uk'
 sentry-dsn: ${{ vars.PHP_DSN }}
 domain: 'staging.websitebuilder.service.justice.gov.uk'
 env-type: ${{ vars.ENV_TYPE }}
diff --git a/.github/workflows/rw-build-image.yaml b/.github/workflows/rw-build-image.yaml
index 4871ff9..d1396a1 100644
--- a/.github/workflows/rw-build-image.yaml
+++ b/.github/workflows/rw-build-image.yaml
@@ -140,7 +140,6 @@ jobs:
 wordpress/wp-content/themes/hale/node_modules
 wordpress/wp-content/themes/hale-dash/node_modules
 wordpress/wp-content/themes/hale-showcase/node_modules
- wordpress/wp-content/themes/brookhouse/node_modules
 wordpress/wp-content/themes/lawcom/node_modules
 wordpress/wp-content/themes/justicejobs/node_modules
 wordpress/wp-content/themes/ppo/node_modules
@@ -152,7 +151,7 @@ jobs:
 - name: Run NPM
 run: |
- for theme in hale hale-dash hale-showcase brookhouse lawcom justicejobs ppo sifocc imbmembers; do
+ for theme in hale hale-dash hale-showcase lawcom justicejobs ppo sifocc imbmembers; do
 npm install --prefix ./wordpress/wp-content/themes/$theme
 npm run production --if-present --prefix ./wordpress/wp-content/themes/$theme
 done
diff --git a/bin/build.sh b/bin/build.sh
index 4005a6e..afaf686 100755
--- a/bin/build.sh
+++ b/bin/build.sh
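Review bot: The added `domain: 'staging.websitebuilder.service.justice.gov.uk'` duplicates the `domain` key that already sits two lines below it, after `sentry-dsn`, with the same value. Indentation is not recoverable in this view, but the lines read as siblings of one mapping; duplicate mapping keys are invalid YAML, and a workflow parser may reject the file or silently keep only one of them. If the existing entry is the intended one, drop the added line. The enclosing step starts outside the hunk.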
@@ -58,8 +58,6 @@ while true; do
 echo -e '######################\n'
 npm install --prefix ./wordpress/wp-content/themes/hale
 npm run production --if-present --prefix ./wordpress/wp-content/themes/hale
- npm install --prefix ./wordpress/wp-content/themes/brookhouse
- npm run production --if-present --prefix ./wordpress/wp-content/themes/brookhouse
 npm install --prefix ./wordpress/wp-content/themes/lawcom
 npm run production --if-present --prefix ./wordpress/wp-content/themes/lawcom
 npm install --prefix ./wordpress/wp-content/themes/justicejobs
diff --git a/composer.json b/composer.json
index c49ddd5..2deb646 100644
--- a/composer.json
+++ b/composer.json
@@ -46,7 +46,7 @@
 "ministryofjustice/footnotes-made-easy": "^2.0",
 "ministryofjustice/hale": "dev-latest-item-authorization",
 "ministryofjustice/hale-components": "1.3.2",
- "ministryofjustice/hale-dash": "1.1.5",
+ "ministryofjustice/hale-dash": "1.1.7",
 "ministryofjustice/hale-showcase": "1.1.10",
 "ministryofjustice/imbmembers": "dev-main",
 "ministryofjustice/justicejobs": "dev-main",
@@ -69,6 +69,7 @@
 "wpackagist-plugin/duplicate-post": "^4.0",
 "wpackagist-plugin/ewww-image-optimizer": "^7.0",
 "wpackagist-plugin/expandable-menus": "^2.0",
+ "wpackagist-plugin/limit-login-attempts-reloaded": " ^2.26.0",
 "wpackagist-plugin/melapress-login-security": "^1.0",
 "wpackagist-plugin/option-tree": "^2.0",
 "wpackagist-plugin/query-monitor": "^3.0",
diff --git a/helm_deploy/wordpress/templates/deployment.yaml b/helm_deploy/wordpress/templates/deployment.yaml
index efe14b7..c8d8308 100644
--- a/helm_deploy/wordpress/templates/deployment.yaml
+++ b/helm_deploy/wordpress/templates/deployment.yaml
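Review bot: The new constraint is written with a leading space, `" ^2.26.0"`, where no other entry has one; `"wpackagist-plugin/limit-login-attempts-reloaded": "^2.26.0"` is consistent and does not rely on the resolver trimming it. The plugin is added directly above `wpackagist-plugin/melapress-login-security`, which by its name also handles login security, so it is worth confirming the two are meant to run together and do not both apply lockouts. Because the site is served through the ingress changed elsewhere in this commit, a login limiter presumably needs the real client address configured as its IP source so that lockouts do not key on the proxy address; the diff does not show that setting, so treat this as something to verify.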
@@ -36,6 +36,13 @@ spec:
 - image: {{ .Values.wp.image.repository }}
 imagePullPolicy: {{ .Values.wp.image.imagePullPolicy }}
 name: wordpress
+ resources:
+ requests:
+ cpu: {{ .Values.wp.resources.(.Values.configmap.envtype).requests.cpu }}
+ memory: {{ .Values.wp.resources.(.Values.configmap.envtype).requests.memory }}
+ limits:
+ cpu: {{ .Values.wp.resources.(.Values.configmap.envtype).limits.cpu }}
+ memory: {{ .Values.wp.resources.(.Values.configmap.envtype).limits.memory }}
 env:
 - name: PHP_INI_SCAN_DIR
 value: :/usr/local/etc/php/conf.custom
@@ -52,22 +59,6 @@ spec:
 - secretRef:
 name: hale-wp-secrets-{{ .Release.Revision }}
 {{- if or (eq .Values.configmap.envtype "prod") (eq .Values.configmap.envtype "staging") }}
- # livenessProbe:
- # exec:
- # command:
- # - sh
- # - -c
- # - |
- # if [ -f /var/www/html/wp-load.php ]; then
- # exit 0
- # else
- # exit 1
- # fi
- # initialDelaySeconds: 120
- # periodSeconds: 10
- # timeoutSeconds: 5
- # failureThreshold: 6
- # successThreshold: 1
 readinessProbe:
 exec:
 command:
@@ -89,6 +80,13 @@ spec:
 - name: nginx
 image: {{ .Values.nginx.image.repository }}
 imagePullPolicy: {{ .Values.nginx.image.imagePullPolicy }}
+ resources:
+ requests:
+ cpu: {{ .Values.nginx.resources.(.Values.configmap.envtype).requests.cpu }}
+ memory: {{ .Values.nginx.resources.(.Values.configmap.envtype).requests.memory }}
+ limits:
+ cpu: {{ .Values.nginx.resources.(.Values.configmap.envtype).limits.cpu }}
+ memory: {{ .Values.nginx.resources.(.Values.configmap.envtype).limits.memory }}
 ports:
 - containerPort: 8080
 volumeMounts:
diff --git a/helm_deploy/wordpress/templates/ingress.yaml b/helm_deploy/wordpress/templates/ingress.yaml
index b7d5aac..67e439a 100644
--- a/helm_deploy/wordpress/templates/ingress.yaml
+++ b/helm_deploy/wordpress/templates/ingress.yaml
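Review bot: The expression `.Values.wp.resources.(.Values.configmap.envtype).requests.cpu` is not valid Go template syntax, because a parenthesised expression cannot follow `.` as a path segment, so I would expect chart rendering to fail on the four added `wp` lines and on the four `nginx` lines in the last hunk of this file, which use the same form. A key taken from another value has to go through `index`; the sketch below does the lookup once and quotes the results, and the `nginx` container needs the same change with `.Values.nginx.resources`. Wrapping the lookup in `required` gives a readable error when `configmap.envtype` has no entry in `values.yaml`, instead of a nil-pointer message. The container spec starts and ends outside the hunk, so the indentation shown is illustrative.

```yaml
        name: wordpress
        {{- $wpRes := required "wp.resources has no entry for configmap.envtype" (index .Values.wp.resources .Values.configmap.envtype) }}
        resources:
          requests:
            cpu: {{ $wpRes.requests.cpu | quote }}
            memory: {{ $wpRes.requests.memory | quote }}
          limits:
            cpu: {{ $wpRes.limits.cpu | quote }}
            memory: {{ $wpRes.limits.memory | quote }}
        # … unchanged: env, envFrom, probes …
```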
@@ -17,10 +17,19 @@ metadata:
 tag:github_team=hale-platform,\
 tag:environment=hale-platform-{{ .Values.configmap.envtype }}"
 # Limit ModSecurity excemptions to only the options page - these rules were breaking the hale components plugin
- SecRule REQUEST_URI "@contains /wp-admin/options.php" \
+ SecRule REQUEST_URI "@contains /wp-admin/" \
 "id:1001,\
 phase:2,\
 pass,\
+ nolog,\
+ ctl:ruleRemoveById=932110,\
+ ctl:ruleRemoveById=932130,\
+ ctl:ruleRemoveById=941180
+ # Limit ModSecurity excemptions to only the options page - these rules were breaking the hale components plugin
+ SecRule REQUEST_URI "@contains /wp-admin/options.php" \
+ "id:1002,\
+ phase:2,\
+ pass,\
 nolog,\
 ctl:ruleRemoveById=921130,\
 ctl:ruleRemoveById=941100,\
@@ -28,7 +37,7 @@ metadata:
 ctl:ruleRemoveById=941160
 # Limit ModSecurity excemptions to only the WP API
 SecRule REQUEST_URI "@contains /wp-json/" \
- "id:1000,\
+ "id:1003,\
 phase:2,\
 pass,\
 nolog,\
@@ -51,25 +60,27 @@ metadata:
 ctl:ruleRemoveById=942320"
 # Limit ModSecurity excemptions to the wp-admin/post.php endpoint
 SecRule REQUEST_URI "@contains /wp-admin/post.php" \
- "id:1002,\
+ "id:1004,\
 phase:2,\
 pass,\
 nolog,\
+ ctl:ruleRemoveById=921110,\
 ctl:ruleRemoveById=941100,\
 ctl:ruleRemoveById=941160"
 # Limit ModSecurity excemptions to the wp-admin/nav-menus.php endpoint
 SecRule REQUEST_URI "@contains /wp-admin/nav-menus.php" \
- "id:1003,\
+ "id:1005,\
 phase:2,\
 pass,\
 nolog,\
 ctl:ruleRemoveById=921110"
 # Limit ModSecurity excemptions to the wp-admin/admin-ajax.php endpoint
 SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
- "id:1004,\
+ "id:1006,\
 phase:2,\
 pass,\
 nolog,\
+ ctl:ruleRemoveById=921110,\
 ctl:ruleRemoveById=941100,\
 ctl:ruleRemoveById=941160"
 {{- if eq .Values.configmap.envtype "staging" }}
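Review bot: Rule `id:1001` now matches `@contains /wp-admin/`, and since `REQUEST_URI` includes the query string, the removal of 932110, 932130 and 941180 (command-injection and XSS rules in the Core Rule Set numbering) applies to any request whose URI contains that text, not only to admin paths. Anchoring on the path keeps the exemption where it is meant to be, e.g. `SecRule REQUEST_FILENAME "@beginsWith /wp-admin/" \`. The comment left above the rule still says "only the options page"; it should say the rule covers all of `/wp-admin/` and name the plugin behaviour that needs it. The action list also ends at `ctl:ruleRemoveById=941180` with no closing `"`, unlike rules 1004 to 1006 later in the file, so please confirm the snippet still parses.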
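Review bot: The `ctl:ruleRemoveById=921110` added under `/wp-admin/admin-ajax.php` switches off a protocol-attack rule (request smuggling in the Core Rule Set numbering) on an endpoint that WordPress also serves to visitors who are not logged in, so this exemption reaches further than the same line added for `post.php` above it. If one field causes the false positive, excluding only that target is narrower: `ctl:ruleRemoveTargetById=921110;ARGS:<field-name>` (placeholder; the triggering parameter is not shown in the diff). A short comment naming the request that was being blocked would let the next reviewer judge whether the exemption is still needed.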
@@ -109,6 +120,18 @@ metadata:
 if ($host = 'www.advance-into-justice.service.justice.gov.uk') {
 return 301 https://prisonandprobationjobs.gov.uk/roles-at-hmpps/jobs-for-veterans;
 }
+ if ($host = 'iapondeathsincustody.org') {
+ return 301 https://iapdeathsincustody.independent.gov.uk;
+ }
+ if ($host = 'www.iapondeathsincustody.org') {
+ return 301 https://iapdeathsincustody.independent.gov.uk;
+ }
+ if ($host = 'brookhouseinquiry.org.uk') {
+ return 301 https://webarchive.nationalarchives.gov.uk/ukgwa/20241002135959/https://brookhouseinquiry.org.uk/;
+ }
+ if ($host = 'www.brookhouseinquiry.org.uk') {
+ return 301 https://webarchive.nationalarchives.gov.uk/ukgwa/20241002135959/https://brookhouseinquiry.org.uk/;
+ }
 spec:
 ingressClassName: modsec
 tls:
diff --git a/helm_deploy/wordpress/values.yaml b/helm_deploy/wordpress/values.yaml
index 7efa443..1da4a36 100644
--- a/helm_deploy/wordpress/values.yaml
+++ b/helm_deploy/wordpress/values.yaml
@@ -11,6 +11,37 @@ nginx:
 image:
 repository: ""
 imagePullPolicy: Always
+
+ # Apply pod level resource allocation
+ resources:
+ dev:
+ limits:
+ cpu: "300m"
+ memory: "200Mi"
+ requests:
+ cpu: "50m"
+ memory: "100Mi"
+ demo:
+ limits:
+ cpu: "300m"
+ memory: "150Mi"
+ requests:
+ cpu: "50m"
+ memory: "100Mi"
+ staging:
+ limits:
+ cpu: "300m"
+ memory: "150Mi"
+ requests:
+ cpu: "50m"
+ memory: "150Mi"
+ prod:
+ requests:
+ cpu: "100m"
+ memory: "300Mi"
+ limits:
+ cpu: "200m"
+ memory: "500Mi"
 wp:
 image:
@@ -23,6 +54,37 @@ wp:
 staging: 2
 dev: 1
 demo: 2
+
+ # Apply pod level resource allocation
+ resources:
+ dev:
+ limits:
+ cpu: "700m"
+ memory: "1800Mi"
+ requests:
+ cpu: "150m"
+ memory: "1500Mi"
+ demo:
+ limits:
+ cpu: "700m"
+ memory: "1800Mi"
+ requests:
+ cpu: "150m"
+ memory: "1500Mi"
+ staging:
+ limits:
+ cpu: "700m"
+ memory: "1800Mi"
+ requests:
+ cpu: "150m"
+ memory: "1500Mi"
+ prod:
+ requests:
+ cpu: "500m"
+ memory: "1500Mi"
+ limits:
+ cpu: "1000m"
+ memory: "2500Mi"
 hpa:
 enabled: true
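Review bot: Both `iapondeathsincustody.org` redirects return the bare root of the new host, so every existing deep link lands on the home page; if the new site keeps the same URL structure, `return 301 https://iapdeathsincustody.independent.gov.uk$request_uri;` preserves path and query. A 301 is cached by browsers, so this is worth settling before release. The redirects can only answer over HTTPS while the old hostnames stay in the ingress host list with valid certificates: the `iapondeathsincustody.org` entries are visible in `values.yaml`, but the `brookhouseinquiry.org.uk` ones are not part of this diff and should be confirmed. The enclosing snippet starts outside the hunk.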
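Review bot: In the `nginx` block, `prod` gets a lower CPU limit (`"200m"`) than `dev`, `demo` and `staging` (`"300m"`), which looks unintended for the environment that carries real traffic; please confirm or raise it. The comment `# Apply pod level resource allocation`, repeated in the `wp` hunk below, describes values that the deployment template in this commit sets per container, so `# Per-container resource requests and limits, keyed by environment type` would be more accurate. `prod` also lists `requests` before `limits` while the other environments do the reverse; one order throughout makes the blocks easier to compare.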
@@ -119,6 +181,14 @@ ingress:
 certName: andrewmalkinson-cert
 - name: www.andrewmalkinson.independent-inquiry.uk
 certName: andrewmalkinson-www-cert
+ - name: cjji.justiceinspectorates.gov.uk
+ certName: justiceinspectorates-cjji-cert
+ - name: www.cjji.justiceinspectorates.gov.uk
+ certName: justiceinspectorates-cjji-www-cert
+ - name: hmcpsi.justiceinspectorates.gov.uk
+ certName: justiceinspectorates-hmcpsi-cert
+ - name: www.hmcpsi.justiceinspectorates.gov.uk
+ certName: justiceinspectorates-hmcpsi-www-cert
 - name: hmiprisons.justiceinspectorates.gov.uk
 certName: justiceinspectorates-hmiprisons-cert
 - name: intranet.hmiprisons.justiceinspectorates.gov.uk
@@ -147,6 +217,10 @@ ingress:
 certName: iapdc-cert
 - name: www.iapondeathsincustody.org
 certName: iapdc-www-cert
+ - name: iapdeathsincustody.independent.gov.uk
+ certName: iapdci-cert
+ - name: www.iapdeathsincustody.independent.gov.uk
+ certName: iapdci-www-cert
 - name: legalaidlearning.justice.gov.uk
 certName: legalaidlearning-cert
 - name: www.legalaidlearning.justice.gov.uk