Sync branches - merge main into demo

.github/workflows/rw-build-image.yaml

@@ -6,7 +6,7 @@ on:
       environment:
         required: true
         type: string
-    secrets:    
+    secrets:
       ecr-role:
         required: true
       ecr-region:
@@ -88,13 +88,15 @@ jobs:
         - name: Login to ECR
           uses: aws-actions/amazon-ecr-login@v1
           id: login-ecr
+          with:
+            mask-password: true
         - name: Build and Push Nginx Image
           run: |
             docker build --pull --no-cache --tag $REGISTRY/$REPOSITORY:hale-platform_nginx-$IMAGE_TAG --file nginx.dockerfile .
-            docker push $REGISTRY/$REPOSITORY:hale-platform_nginx-$IMAGE_TAG 
+            docker push $REGISTRY/$REPOSITORY:hale-platform_nginx-$IMAGE_TAG
           env:
             REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-            REPOSITORY: ${{ secrets.ecr-repo }} 
+            REPOSITORY: ${{ secrets.ecr-repo }}
             IMAGE_TAG: ${{ github.sha }}
         - name: Run Composer
           run: |
@@ -106,13 +108,19 @@ jobs:
             npm run production --if-present --prefix ./wordpress/wp-content/themes/hale
             npm install --prefix ./wordpress/wp-content/themes/brookhouse
             npm run production --if-present --prefix ./wordpress/wp-content/themes/brookhouse
+            npm install --prefix ./wordpress/wp-content/themes/lawcom
+            npm run production --if-present --prefix ./wordpress/wp-content/themes/lawcom
+            npm install --prefix ./wordpress/wp-content/themes/justicejobs
+            npm run production --if-present --prefix ./wordpress/wp-content/themes/justicejobs
+            npm install --prefix ./wordpress/wp-content/themes/hale-dash
+            npm run production --if-present --prefix ./wordpress/wp-content/themes/hale-dash
         - name: Build and Push Wordpress Image
           run: |
             docker build --pull --no-cache --tag $REGISTRY/$REPOSITORY:hale-platform_wordpress-$IMAGE_TAG --file wp.dockerfile .
-            docker push $REGISTRY/$REPOSITORY:hale-platform_wordpress-$IMAGE_TAG 
+            docker push $REGISTRY/$REPOSITORY:hale-platform_wordpress-$IMAGE_TAG
           env:
             REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-            REPOSITORY: ${{ secrets.ecr-repo }} 
+            REPOSITORY: ${{ secrets.ecr-repo }}
             IMAGE_TAG: ${{ github.sha }}
 
   deployImage:
@@ -161,4 +169,4 @@ jobs:
           --set ingress.metadata.annotations.setidentifier=hale-platform-ingress-${{ secrets.kube-namespace }}-green \
           --set domain=${{ secrets.kube-namespace }}.apps.live.cloud-platform.service.justice.gov.uk \
           --set nginx.image.repository=754256621582.dkr.ecr.eu-west-2.amazonaws.com/${{ secrets.ecr-repo }}:hale-platform_nginx-${{ github.sha }} \
-          --set wp.image.repository=754256621582.dkr.ecr.eu-west-2.amazonaws.com/${{ secrets.ecr-repo }}:hale-platform_wordpress-${{ github.sha }}
+          --set wp.image.repository=754256621582.dkr.ecr.eu-west-2.amazonaws.com/${{ secrets.ecr-repo }}:hale-platform_wordpress-${{ github.sha }}

README.md

@@ -1,142 +1,19 @@
-# Hale Platform WordPress Multisite 
+[![Hale Platform Deployment](https://github.com/ministryofjustice/hale-platform/actions/workflows/cd.yaml/badge.svg?branch=main)](https://github.com/ministryofjustice/hale-platform/actions/workflows/cd.yaml)
 
-## Installation
+# Hale Platform
 
-This launches a working Wordpress site that pulls in the Hale theme.
-You can choose to launch the site in Docker or Kubernetes.
+This repository provides all the code required to run an instance of WordPress multisite in kubernetes. It uses the [WordPress official Alpine image](https://hub.docker.com/_/wordpress), and is modified to launch a multisite network. It uses PHP dependency manager Composer to pull in all the themes and plugins used by the multisite. 
 
-Currently only the Docker build works locally but for CloudPlatform
-environments you can use the kubernetes build.
+For further technical details around the architecture, visit our wiki [overview](https://github.com/ministryofjustice/hale-platform/wiki).
 
-## Required
+## Deploy to a kubernetes environment
 
-- [Docker](https://www.docker.com/) and kubernetes which can be turned on via the Docker-Desktop dashboard.
-- Have [Dory proxy](https://github.com/FreedomBen/dory) running for local install so you have a domain `hale.docker`
-  to work with.
-- Install [Helm](https://helm.sh/docs) - `brew install helm`
+We use [Helm charts](https://github.com/ministryofjustice/hale-platform/tree/main/helm_deploy/wordpress) to manage our kubernetes manifest files. These are configured to work in the CloudPlatforms kubernetes environment but could be modified to work in any kubernetes cluster. This repo is used to deploy infrastructure changes (ie helm chart/kubernetes changes) and changes to the application, as it pulls in the latest version of the Hale theme and plugins.
 
-## Nice to have
+To deploy to one of our environments, push a code change to one of the corresponding branches in this repo which will trigger GitActions that deploy the code into the kubernetes cluster.
 
--   [Kubens and Kubectx - to switch between namespace & clusters](https://github.com/ahmetb/kubectx)
--   [Stern - logging and debugging](https://github.com/wercker/stern)
--   [JQ - processing JSON](https://stedolan.github.io/jq)
+More information about our deployment process, is available in our [Deployment](https://github.com/ministryofjustice/hale-platform/wiki/Deployment) wiki.
 
-## Launch instructions
-
-### Kubernetes
-
-You will need an `.env.local` file in the root of this project with all the
-variables needed to run the app. Get this from Rob or Adam until we have
-a proper place for it.
-
-1. Run `dory up` to get dory running as you will need this to proxy the
-   hale.docker domain locally which WP multisite needs.
-2. Run `make build` to build all the Docker images you'll need locally for k8s to use.
-3. Run `make deploylocal` to run the helm command which launches the site. 
-3. If all is running, go to `http://hale.docker` in your browser. You will be greeted by a WP installation page.
-
-### Docker
-Make sure you have the `.env.local` file with correct .env vars in the root of 
-this repository.
-
-1. Create and install local TLS certs so the site runs on https.
-2. Run `Dory up` from within this repository.
-3. Run `make build`. This builds the images required and all assets.
-4. Run `make run` to launch the site on https://hale.docker
-
-## Create and install TLS certs (currently only setup for Docker not k8s)
-
-1. Run `brew install mkcert` to install the mkcert app.
-2. Run `mkdir -r /bin/certs` in the root of this repository, to create a new /certs folder in the bin/ directory.
-3. In the /certs folder run `mkcert hale.docker` to create the certificates.
-4. Run `mkcert -install` to apply certificates to your mac.
-5. Make sure Dory is running `Dory up`.
-6. Run `Make build`, to build the image and pull in the new cert pem files.
-7. Go to your browser at the URL https://hale.docker
-
-## Themes and Plugins.
-
-WordPress themes and plugins are loaded as part of the Docker image build. They
-are pulled into the build using PHP's Composer dependancy manager. To add or
-remove plugins, modify the composer.json file in the root of this directory.
-
-## Deployment
-Our deployment pipeline uses GitActions to deploy to our various environments
-
-Hale platform can be deployed to 4 environments:
-- Demonstration
-- Development
-- Staging
-- Production
-
-### Demonstration
-
-The Demo environment is for showcases features and site functions to
-stakeholders. A commit to the `demo` branch will trigger a build of the site to
-the demostration environment. 
-
-### Development
-
-The Dev environment is for developers. This can be used for testing and
-trailing features and functions in a CloudPlatform environment. A commit to the
-`dev` branch will trigger a build in the development environment.
-
-### Staging
-
-The Staging environment is the preprod environment, used to test code
-deployments before they reach production. A commit to the `main` branch will
-trigger a build to the staging environment.
-
-### Production
-
-The Prod environment is the live environment for the multisite. Once a code
-change has been tested on staging, you can trigger the build to move from
-staging to production via the `Review deployments` button on the GitAction run
-page. If you don't have a review deployments button you may not have the
-correct permissions to deploy to production.
-
-## DB Import/Export
-
-This has to be done in steps.
-
-First step, setup a pod in your k8s namespace. Use the following kubectl
-command (delete pod after you're done using):
-
-```
-kubectl \                                                                                                                :dev
-  -n <add namespace> \
-  run port-forward-pod \
-  --image=ministryofjustice/port-forward \
-  --port=5432 \
-  --env="REMOTE_HOST=<add in cloudplatform remote host aws address - port not needed>" \
-  --env="LOCAL_PORT=5432" \
-  --env="REMOTE_PORT=3306"
-```
-
-Second, step, setup port-forwarding pod with the following command:
-
-```
-kubectl \                                                                                                                :dev
-  -n hale-platform-dev \
-  port-forward \
-  port-forward-pod 5432:5432
-```
-
-Third, once portforwarding is running, in a new tab, you can import and export using the
-scripts db-import.sh and db-export.sh in the /bin directory. They will ask
-for the db secrets, which you will need to get via the CloudPlatform brew
-tool. 
-
-Note: to import you will need to have the `mysql` & `mysqldump` program installed running on your local
-machine
-
-### Connect using MySQL Pro
-
-Using the CloudPlatform secrets tool, fill in the fields as following:
-
-Host: 127.0.0.1
-Username: <db username>
-Password: <db password>
-Database: <db database name>
-Port: 5432
+## Deploy locally on a Mac using Docker
 
+To run this WordPress instance locally, follow our guidance on [local development](https://github.com/ministryofjustice/hale-platform/wiki/Local-development).

composer.json

@@ -35,8 +35,11 @@
         "vlucas/phpdotenv": "^3.0.0",
         "oscarotero/env": "^1.1.0",
         "acf/advanced-custom-fields-pro": "*",
-        "ministryofjustice/wp-hale": "dev-job-listing-page-filters",
+        "ministryofjustice/wp-hale": "*",
         "ministryofjustice/brookhouse": "dev-main",
+        "ministryofjustice/lawcom": "dev-main",
+        "ministryofjustice/justicejobs": "dev-main",
+        "ministryofjustice/hale-dash": "dev-main",
         "wpackagist-plugin/wordpress-seo": "*",
         "wpackagist-plugin/footnotes-made-easy": "*",
         "wpackagist-plugin/simple-301-redirects": "*",
@@ -46,9 +49,11 @@
         "wpackagist-plugin/wp-force-login": "*",
         "wpackagist-plugin/safe-svg":"*",
         "wpackagist-plugin/redirection": "*",
-        "wpackagist-plugin/limit-login-attempts-reloaded": "*",
         "wpackagist-plugin/wps-hide-login": "*",
-        "wpackagist-plugin/wps-limit-login": "*",
+        "wpackagist-plugin/classic-editor":"1.6.3",
+        "wpackagist-plugin/duplicate-post":"4.5",
+        "wpackagist-plugin/wp-accessibility":"2.0.1",
+        "wpackagist-plugin/advanced-custom-fields-table-field":"1.3.20",
         "relevanssi/relevanssi-premium": "*",
         "ministryofjustice/wp-moj-components": "dev-hale-platform",
         "ministryofjustice/wp-user-roles": "*",

helm_deploy/wordpress/templates/cron-feedparser.yaml

@@ -13,8 +13,8 @@ spec:
           serviceAccountName: hale-platform-{{ .Values.configmap.envtype }}-service
           containers:
           - name: feedparser-cron
-            image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/jotw-content-devs/hale-platform-{{ .Values.configmap.envtype }}-feed-parser-ecr:feedparser
-            imagePullPolicy: IfNotPresent
+            image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/jotw-content-devs/hale-platform-{{ .Values.configmap.envtype }}-feed-parser-ecr:latest
+            imagePullPolicy: Always
             envFrom:
               - configMapRef:
                   name: hale-wp-config-{{ .Release.Revision }}

helm_deploy/wordpress/templates/hpa-wordpress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.hpa.enabled }}
-apiVersion: autoscaling/v1
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: hale-platform-hpa
@@ -11,7 +11,7 @@ spec:
     name: wordpress
   {{- if eq .Values.configmap.envtype "prod" }}
   minReplicas: 3
-  maxReplicas: 8
+  maxReplicas: 12
   {{- else if eq .Values.configmap.envtype "staging" }}
   minReplicas: 2
   maxReplicas: 4
@@ -22,5 +22,11 @@ spec:
   minReplicas: 1
   maxReplicas: 1
   {{- end }}
-  targetCPUUtilizationPercentage: 95
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 95
 {{- end }}

helm_deploy/wordpress/templates/ingress.yaml

@@ -12,6 +12,11 @@ metadata:
         SecRuleEngine On
         SecDefaultAction "phase:2,pass,log,tag:github_team=hale-platform"
         SecRuleRemoveById 949110
+    nginx.ingress.kubernetes.io/server-snippet: |
+        location = /.well-known/security.txt {
+        auth_basic off;
+        return 301 https://raw.githubusercontent.com/ministryofjustice/security-guidance/main/contact/vulnerability-disclosure-security.txt;
+        }
 spec:
   ingressClassName: modsec
   tls:
@@ -48,6 +53,18 @@ spec:
   - hosts:
     - www.imb.org.uk
     secretName: imb-www-cert
+  - hosts:
+    - brookhouseinquiry.org.uk
+    secretName: brookhouse-cert
+  - hosts:
+    - www.brookhouseinquiry.org.uk
+    secretName: brookhouse-www-cert
+  - hosts:
+    - prisonandprobationjobs.gov.uk
+    secretName: ppj-cert
+  - hosts:
+    - www.prisonandprobationjobs.gov.uk
+    secretName: ppj-www-cert
     {{- end }}
   rules:
   - host: {{ .Values.domain }}
@@ -161,5 +178,45 @@ spec:
             name: wordpress
             port:
               number: 8080
+  - host: brookhouseinquiry.org.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: wordpress
+            port:
+              number: 8080
+  - host: www.brookhouseinquiry.org.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: wordpress
+            port:
+              number: 8080
+  - host: prisonandprobationjobs.gov.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: wordpress
+            port:
+              number: 8080
+  - host: www.prisonandprobationjobs.gov.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: wordpress
+            port:
+              number: 8080
    {{- end }}
 {{- end }}