Fix OCSP refresh and missing redirect to nicer error on cert verification failure

.bumpversion.cfg

@@ -0,0 +1,12 @@
+[bumpversion]
+current_version = 1.2.0
+commit = False
+tag = False
+
+[bumpversion:file:version.yml]
+search = version: "{current_version}"
+replace = version: "{new_version}"
+
+[bumpversion:file:docker-compose.yml]
+search = RELEASE_TAG:-{current_version}
+replace = RELEASE_TAG:-{new_version}

.github/workflows/build.yml

@@ -1,9 +1,19 @@
 on:
   schedule:
-    - cron:  '30 5,17 * * *'
+    - cron:  '30 2 * * 1'
   pull_request:
 
 jobs:
+  versiontag:
+    runs-on: ubuntu-latest
+    if: github.ref != 'ref/head/main'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check version tag
+        run: |
+          curl -f https://raw.githubusercontent.com/pvarki/docker-rasenmaeher-integration/main/version.yml -o /tmp/main_version.yml || touch /tmp/main_version.yml
+          diff /tmp/main_version.yml ./version.yml && exit 1 || exit 0
+
   apiunits:
     runs-on: ubuntu-latest
     permissions:
@@ -14,7 +24,7 @@ jobs:
       matrix:
         python-version: ["3.11"] # , "3.12"]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Set up Python ${{ matrix.python-version }}
@@ -45,14 +55,15 @@ jobs:
           report_paths: 'api/pytest*.xml'
           detailed_summary: true
           check_name: 'api unit tests'
+
   rmlocal:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
       checks: write
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         submodules: recursive
     - name: install dependencies
@@ -133,7 +144,7 @@ jobs:
       pull-requests: write
       checks: write
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         submodules: recursive
     - name: install dependencies
@@ -204,3 +215,37 @@ jobs:
         shopt -s expand_aliases
         alias dcdev="docker compose -p rmdev -f docker-compose-local.yml -f docker-compose-dev.yml"
         dcdev down -v || true
+
+  build_and_publish:
+    runs-on: ubuntu-latest
+    needs: [apiunits, rmlocal]
+    strategy:
+      matrix:
+        extra_env: ["none", "date"]
+    steps:
+      - name: Log in to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Fix ref slashes
+        run: |
+          echo REF_NO_SLASHES=$(echo "${{ github.ref_name }}" | sed 's/\//-/g') >> ${GITHUB_ENV}
+      - name: Set DOCKER_TAG_EXTRA if date
+        run: |
+          test "${{ matrix.extra_env }}" = "date" && echo "DOCKER_TAG_EXTRA=-$(date +%Y%m%d)" >> ${GITHUB_ENV} || true
+          test "${{ github.ref }}" = "refs/heads/main" || echo "DOCKER_TAG_EXTRA=-$REF_NO_SLASHES" >> ${GITHUB_ENV}
+          cat ${GITHUB_ENV}
+      - name: Build and push takinit
+        run: |
+          source example_env.sh
+          docker compose build takinit
+          docker compose push takinit
+      - name: Build and push main composition
+        run: |
+          source example_env.sh
+          docker compose build
+          docker compose push

.github/workflows/docs.yml

@@ -17,7 +17,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: true
       - name: Set up Python 3.x

.github/workflows/openapijson.yml

@@ -17,7 +17,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: true
       - name: Build openapi.json

.github/workflows/release.yml

@@ -0,0 +1,28 @@
+name: Create tag for release
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - closed
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  sphinx_docs_to_gh-pages:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Parse tag to ENV
+        run: |
+          echo RELEASE_TAG=$(docker run --rm -v ${PWD}:/workdir mikefarah/yq .version version.yml ) >> ${GITHUB_ENV}
+          cat ${GITHUB_ENV}
+      - uses: rickstaa/action-create-tag@v1
+        id: "tag_create"
+        with:
+          tag: ${{ env.RELEASE_TAG }}
+          tag_exists_error: false

README.rst

@@ -10,6 +10,14 @@ RASENMAEHER integrations
 Docker compositions, helpers etc to bring it all together into something resembling grand old ones.
 
 
+WTF is RASENMAEHER anyway ?
+---------------------------
+
+This `Disobey24 talk`_ explains a lot.
+
+.. _`Disobey24 talk`: https://www.youtube.com/watch?v=m3xd7uygpaY&list=PLLvAhAn5sGfiB9AlEt2KD7H9Dnr6kbd64&index=23
+
+
 Git submodules
 --------------
 

docker-compose-local.yml

@@ -185,7 +185,7 @@ services:
       dockerfile: Dockerfile
       target: ocsprest
     networks:
-      - ocspnet
+      - canet
     environment:
       <<: *cfssl_env
     volumes:

docker-compose.yml

@@ -1,4 +1,5 @@
 version: '3.4'
+# Use bump2version to bump the RELEASE_TAG default value
 
 x-kc_dbconfig_env: &kcdbconfig_env
   KEYCLOAK_DATABASE_NAME: &kcdbname ${KEYCLOAK_DATABASE_NAME:-keycloak}
@@ -56,13 +57,13 @@ x-domains_env:
   OCSCP_RESPONDER:  &publicocsp "https://${SERVER_DOMAIN:?domain must be defined}:${NGINX_HTTPS_PORT:-443}/ca/ocsp"  # The public URL
 
 x-takbuilds: &takbuildinfo
-  image: &takimage "pvarki/takserver:${TAK_RELEASE:-4.10-RELEASE-12}-20240330${DOCKER_TAG_EXTRA:-}"
+  image: &takimage "pvarki/takserver:${TAK_RELEASE:-4.10-RELEASE-12}-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}"
   build:
     context: ./takserver
     dockerfile: Dockerfile
 
 x-nginxbuilds: &nginxbuildinfo
-  image: pvarki/nginx:1.25-20240302
+  image: pvarki/nginx:1.25-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
   build:
     context: ./nginx
     dockerfile: Dockerfile
@@ -97,7 +98,7 @@ x-takserver_env: &takserver_env
 
 services:
   miniwerk:
-    image: pvarki/miniwerk:1.1.0
+    image: pvarki/miniwerk:1.1.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./miniwerk
       dockerfile: Dockerfile
@@ -122,7 +123,7 @@ services:
       - "80:80"
 
   cfssl:
-    image: pvarki/cfssl:api-1.2.0
+    image: pvarki/cfssl:api-1.2.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./cfssl
       dockerfile: Dockerfile
@@ -145,7 +146,7 @@ services:
     restart: unless-stopped
 
   ocsp:
-    image: pvarki/cfssl:ocsp-1.2.0
+    image: pvarki/cfssl:ocsp-1.2.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./cfssl
       dockerfile: Dockerfile
@@ -171,15 +172,15 @@ services:
     restart: unless-stopped
 
   ocsprest:
-    image: pvarki/cfssl:ocsprest-1.0.3
+    image: pvarki/cfssl:ocsprest-1.0.4-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./cfssl
       dockerfile: Dockerfile
       target: ocsprest
     labels:
         - "autoheal=true"
     networks:
-      - ocspnet
+      - canet
     environment:
       <<: *cfssl_env
     volumes:
@@ -231,7 +232,7 @@ services:
         condition: service_completed_successfully
 
   openldap:
-    image: pvarki/openldap:1.0.0
+    image: pvarki/openldap:1.0.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./openldap
       dockerfile: Dockerfile
@@ -318,7 +319,7 @@ services:
         condition: service_healthy
 
   rmapi:
-    image: pvarki/rmapi:1.3.2
+    image: pvarki/rmapi:1.4.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./api
       dockerfile: Dockerfile
@@ -369,7 +370,7 @@ services:
     restart: unless-stopped
 
   rmui:
-    image: pvarki/rmui:1.2.0
+    image: pvarki/rmui:1.2.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./ui
       dockerfile: Dockerfile
@@ -426,7 +427,7 @@ services:
     restart: unless-stopped
 
   kwinit:  # Mostly to make sure it's built
-    image: pvarki/kw_product_init:1.0.0
+    image: pvarki/kw_product_init:1.0.0-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./kw_product_init
       dockerfile: Dockerfile
@@ -563,7 +564,7 @@ services:
     restart: unless-stopped
 
   takrmapi:
-    image: pvarki/takrmapi:1.2.0-tak${TAK_RELEASE:-4.10-RELEASE-12}
+    image: pvarki/takrmapi:1.2.0-tak${TAK_RELEASE:-4.10-RELEASE-12}-d${RELEASE_TAG:-1.2.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./takintegration
       dockerfile: Dockerfile

nginx/templates_rasenmaeher/default.conf.template

@@ -19,8 +19,14 @@ server {
     # HTTPS configuration
     listen ${NGINX_HTTPS_PORT} ssl;
 
+    location ~ ^/ca/public/(.*)$ {
+        autoindex on;
+        root /ca_public;
+        try_files /$1 =404;
+    }
+
     location /ca/crl/ {
-        proxy_pass  http://${OR_UPSTREAM}:${OR_PORT}/api/v1/crl/;
+        proxy_pass  http://${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api/v1/utils/crl/;
         proxy_redirect                      off;
         proxy_set_header  Host              $http_host;
         proxy_set_header  X-Real-IP         $remote_addr;
@@ -107,6 +113,9 @@ server {
         proxy_set_header  X-ClientCert-Serial   ssl_client_serial;
     }
 
+    # Even though users sees code 400 the code is 495 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors
+    error_page 495 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail;
+
     location / {
         if ($ssl_client_verify != SUCCESS) {
             return 302 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail;

tests/requirements.txt

@@ -12,3 +12,4 @@ types-urllib3==1.26.25.14
 aiohttp==3.9.3
 pytest-asyncio==0.23.4
 libpvarki @ git+https://github.com/pvarki/python-libpvarki.git@1.9.0
+bump2version==1.0.1

version.yml

@@ -0,0 +1 @@
+version: "1.2.0"  # use bump2version to bump this