diff --git a/.bumpversion.cfg b/.bumpversion.cfg
new file mode 100644
index 00000000..adf7078e
--- /dev/null
+++ b/.bumpversion.cfg
@@ -0,0 +1,12 @@
+[bumpversion]
+current_version = 1.2.0
+commit = False
+tag = False
+
+[bumpversion:file:version.yml]
+search = version: "{current_version}"
+replace = version: "{new_version}"
+
+[bumpversion:file:docker-compose.yml]
+search = RELEASE_TAG:-{current_version}
+replace = RELEASE_TAG:-{new_version}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c45b894d..34e9c91b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,9 +1,19 @@ on: schedule: - - cron: '30 5,17 * * *' + - cron: '30 2 * * 1' pull_request: jobs: + versiontag: + runs-on: ubuntu-latest + if: github.ref != 'ref/head/main' + steps: + - uses: actions/checkout@v4 + - name: Check version tag + run: | + curl -f https://raw.githubusercontent.com/pvarki/docker-rasenmaeher-integration/main/version.yml -o /tmp/main_version.yml || touch /tmp/main_version.yml + diff /tmp/main_version.yml ./version.yml && exit 1 || exit 0 + apiunits: runs-on: ubuntu-latest permissions:
@@ -14,7 +24,7 @@ jobs: matrix: python-version: ["3.11"] # , "3.12"] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: Set up Python ${{ matrix.python-version }}
@@ -45,6 +55,7 @@ jobs: report_paths: 'api/pytest*.xml' detailed_summary: true check_name: 'api unit tests' + rmlocal: runs-on: ubuntu-latest permissions:
@@ -52,7 +63,7 @@ jobs: pull-requests: write checks: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: install dependencies
@@ -133,7 +144,7 @@ jobs: pull-requests: write checks: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: install dependencies
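Review bot: The new `versiontag` job's guard `if: github.ref != 'ref/head/main'` compares against a ref spelling that never occurs (the real form is `refs/heads/main`, as the `build_and_publish` job later in this file writes it), so the condition is always true and the job also runs on the `schedule` trigger against main, where the downloaded `version.yml` and the checked-out one are presumably identical and `diff ... && exit 1` fails the run every time; change it to `if: github.ref != 'refs/heads/main'`. The check also passes silently when `curl -f` fails, because the `|| touch /tmp/main_version.yml` fallback creates an empty file that always differs from `./version.yml`, so a download error looks like a bumped version — drop the `touch` and let the step fail, or only run the `diff` when the download succeeded. `build_and_publish` lists only `apiunits` and `rmlocal` in `needs`, so this check does not gate publishing; if that is intended, a comment on the job saying so would help.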
@@ -204,3 +215,37 @@ jobs: shopt -s expand_aliases alias dcdev="docker compose -p rmdev -f docker-compose-local.yml -f docker-compose-dev.yml" dcdev down -v || true + + build_and_publish: + runs-on: ubuntu-latest + needs: [apiunits, rmlocal] + strategy: + matrix: + extra_env: ["none", "date"] + steps: + - name: Log in to Docker Hub + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + submodules: recursive + - name: Fix ref slashes + run: | + echo REF_NO_SLASHES=$(echo "${{ github.ref_name }}" | sed 's/\//-/g') >> ${GITHUB_ENV} + - name: Set DOCKER_TAG_EXTRA if date + run: | + test "${{ matrix.extra_env }}" = "date" && echo "DOCKER_TAG_EXTRA=-$(date +%Y%m%d)" >> ${GITHUB_ENV} || true + test "${{ github.ref }}" = "refs/heads/main" || echo "DOCKER_TAG_EXTRA=-$REF_NO_SLASHES" >> ${GITHUB_ENV} + cat ${GITHUB_ENV} + - name: Build and push takinit + run: | + source example_env.sh + docker compose build takinit + docker compose push takinit + - name: Build and push main composition + run: | + source example_env.sh + docker compose build + docker compose push
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 801a2e5b..16faa0b1 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -17,7 +17,7 @@ jobs: timeout-minutes: 5 steps: - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: submodules: true - name: Set up Python 3.x
diff --git a/.github/workflows/openapijson.yml b/.github/workflows/openapijson.yml
index 1c21f877..2a901559 100644
--- a/.github/workflows/openapijson.yml
+++ b/.github/workflows/openapijson.yml
@@ -17,7 +17,7 @@ jobs: timeout-minutes: 5 steps: - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: submodules: true - name: Build openapi.json
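Review bot: In the `Set DOCKER_TAG_EXTRA if date` step both `test` lines append a `DOCKER_TAG_EXTRA=` assignment to `${GITHUB_ENV}` and the last one wins, so on any ref other than `refs/heads/main` the `date` matrix entry is overwritten by the branch suffix and both matrix legs build and push the same tag; if a branch suffix plus a date suffix is wanted, compute one value and write it once, as below. Separately, `${{ github.ref_name }}` is expanded into the shell text of the `Fix ref slashes` step; the usual hardening is to pass it through an `env:` entry (`REF_NAME: ${{ github.ref_name }}`) and reference `"$REF_NAME"` in the script, so the value is never interpreted as shell syntax. This workflow is triggered by `pull_request`, so `docker compose push` runs for pull-request builds with the repository's Docker Hub credentials whenever the login succeeds; a comment stating that pre-release pushes are intended, or a `github.event_name` guard on the job, would make that deliberate. The `jobs` mapping this job belongs to starts outside the hunk.
```yaml
      - name: Set DOCKER_TAG_EXTRA if date
        run: |
          EXTRA=""
          if [ "${{ github.ref }}" != "refs/heads/main" ]; then EXTRA="-${REF_NO_SLASHES}"; fi
          if [ "${{ matrix.extra_env }}" = "date" ]; then EXTRA="${EXTRA}-$(date +%Y%m%d)"; fi
          echo "DOCKER_TAG_EXTRA=${EXTRA}" >> "${GITHUB_ENV}"
          cat "${GITHUB_ENV}"
      # … unchanged: build and push steps …
```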
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..0c5ba842
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,28 @@ +name: Create tag for release + +on: + pull_request: + branches: + - main + types: + - closed + workflow_dispatch: # Allow manual triggering + +jobs: + sphinx_docs_to_gh-pages: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout source code + uses: actions/checkout@v4 + - name: Parse tag to ENV + run: | + echo RELEASE_TAG=$(docker run --rm -v ${PWD}:/workdir mikefarah/yq .version version.yml ) >> ${GITHUB_ENV} + cat ${GITHUB_ENV} + - uses: rickstaa/action-create-tag@v1 + id: "tag_create" + with: + tag: ${{ env.RELEASE_TAG }} + tag_exists_error: false
diff --git a/README.rst b/README.rst
index 69df855f..d032d620 100644
--- a/README.rst
+++ b/README.rst
@@ -10,6 +10,14 @@ RASENMAEHER integrations Docker compositions, helpers etc to bring it all together into something resembling grand old ones. +WTF is RASENMAEHER anyway ? +--------------------------- + +This `Disobey24 talk`_ explains a lot. + +.. _`Disobey24 talk`: https://www.youtube.com/watch?v=m3xd7uygpaY&list=PLLvAhAn5sGfiB9AlEt2KD7H9Dnr6kbd64&index=23 + + Git submodules --------------
diff --git a/api b/api
index 9604c066..239fac13 160000
--- a/api
+++ b/api
@@ -1 +1 @@
-Subproject commit 9604c0661f06ae92b8d5e0018d9048c4430c2917
+Subproject commit 239fac130f1d842efdcd7f19f07907c00c883084
diff --git a/cfssl b/cfssl
index 8e5188ff..0c5d4bf9 160000
--- a/cfssl
+++ b/cfssl
@@ -1 +1 @@
-Subproject commit 8e5188ff3b1bd02abfc3effa53f8337d1be886d8
+Subproject commit 0c5d4bf9d2e222e0bf099523138e41c2225c9c4f
diff --git a/docker-compose-local.yml b/docker-compose-local.yml
index b3c3955a..6b580538 100644
--- a/docker-compose-local.yml
+++ b/docker-compose-local.yml
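Review bot: The `workflow_dispatch` trigger is dead code: the only job is guarded by `if: github.event.pull_request.merged == true`, which is empty on a manual run, so the `# Allow manual triggering` comment promises something the workflow never does; either extend the guard to `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true` or drop the trigger and the comment. The tag value comes from `docker run ... mikefarah/yq`, an unpinned third-party image that resolves to `latest` on every release, and whatever it prints becomes a git tag with `contents: write`; pin it (`mikefarah/yq:<PINNED_VERSION_OR_DIGEST>`), and for consistency with the SHA-pinned `docker/login-action` in build.yml consider pinning `rickstaa/action-create-tag@v1` the same way. The job name `sphinx_docs_to_gh-pages` reads as copied from the docs workflow and says nothing about tag creation; `create_release_tag` or similar would describe what the job does.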
@@ -185,7 +185,7 @@ services: dockerfile: Dockerfile target: ocsprest networks: - - ocspnet + - canet environment: <<: *cfssl_env volumes:
diff --git a/docker-compose.yml b/docker-compose.yml
index acc60c6e..fa149b8e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,5 @@ version: '3.4' +# Use bump2version to bump the RELEASE_TAG default value x-kc_dbconfig_env: &kcdbconfig_env KEYCLOAK_DATABASE_NAME: &kcdbname ${KEYCLOAK_DATABASE_NAME:-keycloak}
@@ -56,13 +57,13 @@ x-domains_env: OCSCP_RESPONDER: &publicocsp "https://${SERVER_DOMAIN:?domain must be defined}:${NGINX_HTTPS_PORT:-443}/ca/ocsp" # The public URL x-takbuilds: &takbuildinfo - image: &takimage "pvarki/takserver:${TAK_RELEASE:-4.10-RELEASE-12}-20240330${DOCKER_TAG_EXTRA:-}" + image: &takimage "pvarki/takserver:${TAK_RELEASE:-4.10-RELEASE-12}-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}" build: context: ./takserver dockerfile: Dockerfile x-nginxbuilds: &nginxbuildinfo - image: pvarki/nginx:1.25-20240302 + image: pvarki/nginx:1.25-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./nginx dockerfile: Dockerfile
@@ -97,7 +98,7 @@ x-takserver_env: &takserver_env services: miniwerk: - image: pvarki/miniwerk:1.1.0 + image: pvarki/miniwerk:1.1.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./miniwerk dockerfile: Dockerfile
@@ -122,7 +123,7 @@ services: - "80:80" cfssl: - image: pvarki/cfssl:api-1.2.0 + image: pvarki/cfssl:api-1.2.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./cfssl dockerfile: Dockerfile
@@ -145,7 +146,7 @@ services: restart: unless-stopped ocsp: - image: pvarki/cfssl:ocsp-1.2.0 + image: pvarki/cfssl:ocsp-1.2.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./cfssl dockerfile: Dockerfile
@@ -171,7 +172,7 @@ services: restart: unless-stopped ocsprest: - image: pvarki/cfssl:ocsprest-1.0.3 + image: pvarki/cfssl:ocsprest-1.0.4-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./cfssl dockerfile: Dockerfile
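Review bot: The literal default in `${RELEASE_TAG:-1.2.0}` is now repeated in every image tag of this hunk and of the docker-compose.yml hunks at -97, -122, -145, -171, -231, -318, -369, -426 and -563, and nothing in the compose file ties the copies together — they stay consistent only as long as `.bumpversion.cfg`'s `search = RELEASE_TAG:-{current_version}` still matches each occurrence, so one hand-edited tag silently drifts out of the release. Extending the header comment added in the -1 hunk would make that contract explicit, e.g. `# Use bump2version to bump the RELEASE_TAG default value; every ${RELEASE_TAG:-x.y.z} default below must be identical, .bumpversion.cfg rewrites all of them`. The `d` in `-d${RELEASE_TAG:-...}` carries meaning in the published tag scheme but is not explained anywhere in the diff; a word on what it stands for belongs in the same comment.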
@@ -179,7 +180,7 @@ services: labels: - "autoheal=true" networks: - - ocspnet + - canet environment: <<: *cfssl_env volumes:
@@ -231,7 +232,7 @@ services: condition: service_completed_successfully openldap: - image: pvarki/openldap:1.0.0 + image: pvarki/openldap:1.0.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./openldap dockerfile: Dockerfile
@@ -318,7 +319,7 @@ services: condition: service_healthy rmapi: - image: pvarki/rmapi:1.3.2 + image: pvarki/rmapi:1.4.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./api dockerfile: Dockerfile
@@ -369,7 +370,7 @@ services: restart: unless-stopped rmui: - image: pvarki/rmui:1.2.0 + image: pvarki/rmui:1.2.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./ui dockerfile: Dockerfile
@@ -426,7 +427,7 @@ services: restart: unless-stopped kwinit: # Mostly to make sure it's built - image: pvarki/kw_product_init:1.0.0 + image: pvarki/kw_product_init:1.0.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./kw_product_init dockerfile: Dockerfile
@@ -563,7 +564,7 @@ services: restart: unless-stopped takrmapi: - image: pvarki/takrmapi:1.2.0-tak${TAK_RELEASE:-4.10-RELEASE-12} + image: pvarki/takrmapi:1.2.0-tak${TAK_RELEASE:-4.10-RELEASE-12}-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-} build: context: ./takintegration dockerfile: Dockerfile
diff --git a/nginx/templates_rasenmaeher/default.conf.template b/nginx/templates_rasenmaeher/default.conf.template
index 417155c3..60a75951 100644
--- a/nginx/templates_rasenmaeher/default.conf.template
+++ b/nginx/templates_rasenmaeher/default.conf.template
@@ -19,8 +19,14 @@ server { # HTTPS configuration listen ${NGINX_HTTPS_PORT} ssl; + location ~ ^/ca/public/(.*)$ { + autoindex on; + root /ca_public; + try_files /$1 =404; + } + location /ca/crl/ { - proxy_pass http://${OR_UPSTREAM}:${OR_PORT}/api/v1/crl/; + proxy_pass http://${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api/v1/utils/crl/; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr;
@@ -107,6 +113,9 @@ server { proxy_set_header X-ClientCert-Serial ssl_client_serial; } + # Even though users sees code 400 the code is 495 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors + error_page 495 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail; + location / { if ($ssl_client_verify != SUCCESS) { return 302 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail;
diff --git a/tests/requirements.txt b/tests/requirements.txt
index 42628f6f..18441691 100644
--- a/tests/requirements.txt
+++ b/tests/requirements.txt
@@ -12,3 +12,4 @@ types-urllib3==1.26.25.14
 aiohttp==3.9.3
 pytest-asyncio==0.23.4
 libpvarki @ git+https://github.com/pvarki/python-libpvarki.git@1.9.0
+bump2version==1.0.1
diff --git a/version.yml b/version.yml
new file mode 100644
index 00000000..f157ab4f
--- /dev/null
+++ b/version.yml
@@ -0,0 +1 @@
+version: "1.2.0" # use bump2version to bump this
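Review bot: The new `location ~ ^/ca/public/(.*)$` block serves `/ca_public` with `autoindex on` and, unlike the `location /` further down in this file, applies no `$ssl_client_verify` check, so every file placed in that directory is listed and downloadable by anyone who can reach the HTTPS port; that is presumably the intent for CA public material, but the block should say so, e.g. `# Intentionally reachable without a client certificate: only public CA material (certs, chains) may live under /ca_public — autoindex lists everything here.` The `proxy_pass` rewrite to `http://${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api/v1/utils/crl/` changes both the backend that answers `/ca/crl/` and the template variables the container must receive; nothing in this diff defines `NGINX_UPSTREAM`/`NGINX_UPSTREAM_PORT`, so confirm they are provided wherever `OR_UPSTREAM`/`OR_PORT` were. The enclosing `server` block starts and ends outside the hunk.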
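Review bot: `error_page 495 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail;` names an absolute URL, so nginx answers a failed client-certificate check with a 302 to `/error`, and the `location /` right below it issues the same 302 whenever `$ssl_client_verify != SUCCESS`; unless a dedicated `location /error` that skips the certificate check exists outside this hunk, a client whose certificate fails verification bounces between the two. A short comment next to the new directive naming the location that terminates the redirect would make that dependency visible, e.g. `# error_page with a URL answers 302; /error must be served by a location that does not require a client certificate`. The enclosing `server` block continues outside the hunk.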