From 5bd2e0da064a12479532c8fdc2fc28195530a0a3 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:09:24 +0200 Subject: [PATCH 01/19] Potentially this should build. --- .actrc | 2 ++ .github/workflows/docker.build.yml | 13 ++++++------- .gitignore | 2 ++ Dockerfile | 4 ++-- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/.actrc b/.actrc index fc2d5a8..2a23273 100644 --- a/.actrc +++ b/.actrc @@ -9,3 +9,5 @@ --platform ubuntu-22.04=ghcr.io/catthehacker/ubuntu:act-22.04 --platform ubuntu-20.04=ghcr.io/catthehacker/ubuntu:act-20.04 --platform ubuntu-18.04=ghcr.io/catthehacker/ubuntu:act-18.04 +--secret-file=.act.secrets +--var-file=.act.vars diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml index a83faca..285804e 100644 --- a/.github/workflows/docker.build.yml +++ b/.github/workflows/docker.build.yml @@ -9,8 +9,7 @@ on: workflow_dispatch: env: - PLATFORMS: linux/amd64,linux/arm64 - CANDIDATE_IMAGE: ghcr.io/benzine-framework/bouncer:build-${{ github.sha }} + PLATFORMS: ${{ var.PLATFORMS }} jobs: docker-build: @@ -21,10 +20,8 @@ jobs: - uses: benzine-framework/action-get-datetime@main - uses: benzine-framework/action-setup-docker@main with: - ghcr_user: matthewbaggett - ghcr_token: ${{ secrets.GITHUB_TOKEN }} - docker_hub_user: matthewbaggett - docker_hub_token: ${{ secrets.DOCKER_HUB_TOKEN }} + ghcr_user: ${{ vars.SERVICE_ACCOUNT_USERNAME }} + ghcr_token: ${{ secrets.SERVICE_ACCOUNT_TOKEN }} - name: "Build & Push Candidate Image as ${{ env.CANDIDATE_IMAGE }}" uses: docker/build-push-action@v5 with: 
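Review bot: The step name `"Build & Push Candidate Image as ${{ env.CANDIDATE_IMAGE }}"` (context, just below the `ghcr_token` change) still references the `env:` entry this hunk deletes, so the expression expands to nothing and the log reads `... Candidate Image as `; rename it to `Build & Push ${{ vars.LOADBALANCER_DOCKER_IMAGE }}` or drop the suffix. Swapping `secrets.GITHUB_TOKEN` for `secrets.SERVICE_ACCOUNT_TOKEN` on the ghcr login replaces an ephemeral, job-scoped token with a long-lived PAT that needs rotation; if the package lives under this repository's owner, `GITHUB_TOKEN` with `permissions: packages: write` on the job is the smaller blast radius. `${{ var.PLATFORMS }}` is also not a valid context (`vars`), though a later patch in this series corrects it.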
@@ -38,6 +35,8 @@ jobs: platforms: ${{ github.actor != 'nektos/act' && env.PLATFORMS || 'linux/amd64' }} pull: true push: ${{ github.ref == 'refs/heads/main' }} - tags: ${{ env.CANDIDATE_IMAGE }} + tags: | + ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:latest + ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:sha-${{ github.sha }} cache-from: ${{ env.DOCKER_CACHE_FROM }} cache-to: ${{ env.DOCKER_CACHE_TO }} diff --git a/.gitignore b/.gitignore index edcef9f..72dede8 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ /.php-cs-fixer.cache /.github/cache /.secrets +/.act.secrets +/.act.vars diff --git a/Dockerfile b/Dockerfile index d6ea36b..7d74f5a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -104,5 +104,5 @@ HEALTHCHECK --start-period=3s --interval=3s \ # checkov:skip=CKV_DOCKER_7 This is a test container. # checkov:skip=CKV_DOCKER_3 This is a test container. -FROM alpine as test-box -RUN apk add --no-cache curl bash \ No newline at end of file +FROM alpine AS test-box +RUN apk add --no-cache curl bash From 07cc305cc7f5dfd1ee834da4dc46c5bb02e06d4d Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:12:29 +0200 Subject: [PATCH 02/19] Potentially this should build. --- .github/workflows/docker.build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml index 285804e..479eeb4 100644 --- a/.github/workflows/docker.build.yml +++ b/.github/workflows/docker.build.yml @@ -37,6 +37,7 @@ jobs: push: ${{ github.ref == 'refs/heads/main' }} tags: | ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:latest + ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:built-at-${{ env.ATOM }} ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:sha-${{ github.sha }} cache-from: ${{ env.DOCKER_CACHE_FROM }} cache-to: ${{ env.DOCKER_CACHE_TO }} From 5ddc39b9e9d2d113ec41f4c23e7de058d4c2ee4d Mon Sep 17 00:00:00 2001 
From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:13:21 +0200 Subject: [PATCH 03/19] Potentially this should build. --- .github/workflows/docker.build.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml index 479eeb4..ec48927 100644 --- a/.github/workflows/docker.build.yml +++ b/.github/workflows/docker.build.yml @@ -8,9 +8,6 @@ on: workflow_call: workflow_dispatch: -env: - PLATFORMS: ${{ var.PLATFORMS }} - jobs: docker-build: name: Build Swarm Load Balancer @@ -32,7 +29,7 @@ jobs: GIT_BUILD_ID=${{ github.ref_name }} GIT_COMMIT_MESSAGE=${{ github.event.head_commit.message }} BUILD_DATE=${{ env.ATOM }} - platforms: ${{ github.actor != 'nektos/act' && env.PLATFORMS || 'linux/amd64' }} + platforms: ${{ github.actor != 'nektos/act' && vars.PLATFORMS || 'linux/amd64' }} pull: true push: ${{ github.ref == 'refs/heads/main' }} tags: | From f228f4adc2a66fa4e5981b9620e135ff50b81e3d Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:18:00 +0200 Subject: [PATCH 04/19] Potentially this should build. --- .github/workflows/docker.build.yml | 12 ++++++++---- .github/workflows/docker.clean.yml | 4 ++-- Dockerfile | 2 +- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml index ec48927..56dbb7e 100644 --- a/.github/workflows/docker.build.yml +++ b/.github/workflows/docker.build.yml @@ -8,6 +8,10 @@ on: workflow_call: workflow_dispatch: +env: + PLATFORMS: ${{ vars.PLATFORMS }} + DOCKER_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }} + jobs: docker-build: name: Build Swarm Load Balancer @@ -23,7 +27,7 @@ jobs: uses: docker/build-push-action@v5 with: context: . - target: bouncer + target: loadbalancer build-args: | GIT_SHA=${{ github.sha }} GIT_BUILD_ID=${{ github.ref_name }} 
@@ -33,8 +37,8 @@ jobs: pull: true push: ${{ github.ref == 'refs/heads/main' }} tags: | - ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:latest - ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:built-at-${{ env.ATOM }} - ${{ vars.LOADBALANCER_DOCKER_IMAGE }}:sha-${{ github.sha }} + ${{ env.DOCKER_IMAGE }}:latest + ${{ env.DOCKER_IMAGE }}:date-${{ env.DATE }} + ${{ env.DOCKER_IMAGE }}:sha-${{ github.sha }} cache-from: ${{ env.DOCKER_CACHE_FROM }} cache-to: ${{ env.DOCKER_CACHE_TO }} diff --git a/.github/workflows/docker.clean.yml b/.github/workflows/docker.clean.yml index d31c9f1..b46911d 100644 --- a/.github/workflows/docker.clean.yml +++ b/.github/workflows/docker.clean.yml @@ -36,9 +36,9 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} organization: ${{ github.repository_owner }} - container: bouncer + container: ${{ github.repository_name }} dry-run: true - keep-younger-than: 30 # days + keep-younger-than: 90 # days keep-last: 2 prune-untagged: true keep-tags-regexes: | diff --git a/Dockerfile b/Dockerfile index 7d74f5a..6c12593 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # checkov:skip=CKV_DOCKER_3 I don't have time for rootless -FROM ghcr.io/benzine-framework/php:cli-8.2 AS bouncer +FROM ghcr.io/benzine-framework/php:cli-8.2 AS loadbalancer LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \ org.label-schema.vcs-url="https://github.com/benzine-framework/docker-swarm-loadbalancer" \ From ba23c7393a9aa75257088d3c5a330fc52a0bd832 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:18:33 +0200 Subject: [PATCH 05/19] Allow cleanup task to fail. --- .github/workflows/docker.clean.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docker.clean.yml b/.github/workflows/docker.clean.yml index b46911d..ecf091f 100644 --- a/.github/workflows/docker.clean.yml +++ b/.github/workflows/docker.clean.yml 
@@ -19,6 +19,7 @@ jobs: steps: - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} - uses: vlaurin/action-ghcr-prune@v0.6.0 + continue-on-error: true with: token: ${{ secrets.GITHUB_TOKEN }} organization: ${{ github.repository_owner }} @@ -33,6 +34,7 @@ jobs: steps: - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} - uses: vlaurin/action-ghcr-prune@v0.6.0 + continue-on-error: true with: token: ${{ secrets.GITHUB_TOKEN }} organization: ${{ github.repository_owner }} From 4695cba98cc1b0cde78aff22e08e92d649afc996 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:24:30 +0200 Subject: [PATCH 06/19] Potentially this should build. --- .github/workflows/docker.build.yml | 3 +-- .github/workflows/docker.clean.yml | 6 +++--- .github/workflows/docker.release.yml | 22 ++++++---------------- .github/workflows/docker.validate.yml | 8 ++++---- .github/workflows/php.check.yml | 4 ++-- .github/workflows/tag.release.yml | 2 +- .github/workflows/tests.yml | 2 +- .github/workflows/trunk.cache.yml | 2 +- .github/workflows/trunk.check.yml | 2 +- .github/workflows/trunk.upgrade.yml | 2 +- 10 files changed, 21 insertions(+), 32 deletions(-) diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml index 56dbb7e..8e348df 100644 --- a/.github/workflows/docker.build.yml +++ b/.github/workflows/docker.build.yml @@ -15,7 +15,7 @@ env: jobs: docker-build: name: Build Swarm Load Balancer - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} steps: - uses: benzine-framework/action-setup-php@main - uses: benzine-framework/action-get-datetime@main @@ -37,7 +37,6 @@ jobs: pull: true push: ${{ github.ref == 'refs/heads/main' }} tags: | - ${{ env.DOCKER_IMAGE }}:latest ${{ env.DOCKER_IMAGE }}:date-${{ env.DATE }} ${{ env.DOCKER_IMAGE }}:sha-${{ github.sha }} cache-from: ${{ env.DOCKER_CACHE_FROM }} 
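Review bot: With `dry-run: true` already set on both prune steps (context, two lines below each added line), adding `continue-on-error: true` leaves a cleanup workflow that can neither delete anything nor fail, so a revoked token or a bad `prune-tags-regexes` pattern is never surfaced; if the intent is to tolerate transient action errors, drop `dry-run` at the same time, otherwise keep the job red until the action works. The `docker login ghcr.io -u ... -p ${{ secrets.GITHUB_TOKEN }}` step above each insertion is also redundant (the action takes `token:` directly) and puts the token on the command line; if a login is really needed, supply it via `env: { GHCR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" }` and `run: echo "$GHCR_TOKEN" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin`. Both job definitions continue outside the hunks.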
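Review bot: `runs-on: ${{ vars.RUNS_ON }}` fails to schedule the job whenever the repository variable is unset (the expression evaluates to an empty string), which every fork and any local `act` run without `.act.vars` will hit; `runs-on: ${{ vars.RUNS_ON || 'ubuntu-latest' }}` keeps the previous default. If `RUNS_ON` is meant to select a self-hosted runner, keep in mind that `tests.yml` in the same patch runs `docker compose up --build` with `/var/run/docker.sock` mounted into the container (see `docker-compose.yml`), which makes any workflow run on that runner root-equivalent on the host, so such a runner must not serve `pull_request` events from forks. Dropping `:latest` from the build tags is right since `docker.release.yml` now promotes it. The same expression is repeated in every workflow touched by this patch.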
diff --git a/.github/workflows/docker.clean.yml b/.github/workflows/docker.clean.yml index ecf091f..c4e3bfd 100644 --- a/.github/workflows/docker.clean.yml +++ b/.github/workflows/docker.clean.yml @@ -15,7 +15,7 @@ on: jobs: cleanup-delete-candidate-image: name: Delete candidate image - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} steps: - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} - uses: vlaurin/action-ghcr-prune@v0.6.0 @@ -23,14 +23,14 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} organization: ${{ github.repository_owner }} - container: bouncer + container: ${{ github.repository_name }} dry-run: true prune-tags-regexes: | ^build-${{ github.sha }}$ cleanup-untagged-images: name: Delete untagged images - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} steps: - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} - uses: vlaurin/action-ghcr-prune@v0.6.0 diff --git a/.github/workflows/docker.release.yml b/.github/workflows/docker.release.yml index 5722175..8fcd192 100644 --- a/.github/workflows/docker.release.yml +++ b/.github/workflows/docker.release.yml 
@@ -9,26 +9,16 @@ on:
 workflow_dispatch:
 env:
- CANDIDATE_IMAGE: ghcr.io/benzine-framework/bouncer:build-${{ github.sha }}
- RELEASE_IMAGE_GHCR: ghcr.io/benzine-framework/bouncer:latest
- RELEASE_IMAGE_DOCKER: benzine/bouncer:latest
+ CANDIDATE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:sha-${{ github.sha }}
+ RELEASE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:latest
 jobs:
 release-ghcr:
 name: GHCR
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
 steps:
- - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
+ - run: docker login ghcr.io -u ${{ vars.SERVICE_ACCOUNT_USERNAME }} -p ${{ secrets.SERVICE_ACCOUNT_TOKEN }}
 - run: docker pull ${{ env.CANDIDATE_IMAGE }}
- - run: docker tag ${{ env.CANDIDATE_IMAGE }} ${{ env.RELEASE_IMAGE_GHCR }}
- - run: docker push ${{ env.RELEASE_IMAGE_GHCR }}
+ - run: docker tag ${{ env.CANDIDATE_IMAGE }} ${{ env.RELEASE_IMAGE }}
+ - run: docker push ${{ env.RELEASE_IMAGE }}
- release-docker-hub:
- name: Docker Hub
- runs-on: ubuntu-latest
- steps:
- - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
- - run: docker login docker.io -u matthewbaggett -p ${{ secrets.DOCKER_HUB_TOKEN }}
- - run: docker pull ${{ env.CANDIDATE_IMAGE }}
- - run: docker tag ${{ env.CANDIDATE_IMAGE }} ${{ env.RELEASE_IMAGE_DOCKER }}
- - run: docker push ${{ env.RELEASE_IMAGE_DOCKER }}
diff --git a/.github/workflows/docker.validate.yml b/.github/workflows/docker.validate.yml
index b95d432..d1d49d5 100644
--- a/.github/workflows/docker.validate.yml
+++ b/.github/workflows/docker.validate.yml
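Review bot: The promotion `docker pull` → `docker tag` → `docker push` only moves the single-platform image the runner pulled, so if the candidate was built for more than `linux/amd64` (the earlier default in this series was `linux/amd64,linux/arm64`) the `:latest` tag silently drops the other architectures; replace the three steps with one `run: docker buildx imagetools create -t ${{ env.RELEASE_IMAGE }} ${{ env.CANDIDATE_IMAGE }}`, which re-points the manifest list inside the registry without pulling anything. The new login passes the PAT with `-p` on the command line, where Docker warns about it and it is visible in process listings; move both values to a step `env:` and use `docker login ghcr.io -u "$GHCR_USER" --password-stdin <<<"$GHCR_TOKEN"`. `github.repository_name` in the new `env:` block is not a property of the `github` context, which a later patch in this series fixes by switching to `github.repository`.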
@@ -13,12 +13,12 @@ on: - completed env: - CANDIDATE_IMAGE: ghcr.io/benzine-framework/bouncer:build-${{ github.sha }} + CANDIDATE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:hash-${{ github.sha }} jobs: validate-install-report: name: Run Install Report - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} steps: - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} - name: "Pull Candidate Image" @@ -27,7 +27,7 @@ jobs: run: docker run --rm ${{ env.CANDIDATE_IMAGE }} /usr/bin/install-report validate-dive-report: name: Run Dive - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} steps: - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} - name: "Pull Candidate Image" @@ -48,7 +48,7 @@ jobs: config-file: ${{ github.workspace }}/.dive-ci.yml validate-vulnerability-report: name: Run Trivy - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} steps: - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} - name: "Pull Candidate Image" diff --git a/.github/workflows/php.check.yml b/.github/workflows/php.check.yml index 38442eb..da71cf1 100644 --- a/.github/workflows/php.check.yml +++ b/.github/workflows/php.check.yml @@ -10,7 +10,7 @@ on: jobs: php-stan: name: PHPStan - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} permissions: checks: write # To post annotations contents: read # For repo checkout @@ -20,7 +20,7 @@ jobs: php-cs-fixer: name: PHP-CS-Fixer - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} permissions: checks: write # For trunk to post annotations contents: read # For repo checkout diff --git a/.github/workflows/tag.release.yml b/.github/workflows/tag.release.yml index 2dc83cf..1a26043 100644 --- a/.github/workflows/tag.release.yml +++ b/.github/workflows/tag.release.yml 
@@ -17,7 +17,7 @@ env: jobs: build-tagged-release: name: Build Swarm Load Balancer - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} if: startsWith(github.ref, 'refs/tags/v') steps: - run: echo "Building Tagged Release ${{ env.TAG_IMAGE_GHCR }} & ${{ env.TAG_IMAGE_DOCKER }}" diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 64204d7..67960e3 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -10,7 +10,7 @@ on: jobs: test-integration: name: Integration Tests - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} steps: - uses: actions/checkout@v4 - name: Start Bouncer diff --git a/.github/workflows/trunk.cache.yml b/.github/workflows/trunk.cache.yml index 51ce2f6..8d25d9a 100644 --- a/.github/workflows/trunk.cache.yml +++ b/.github/workflows/trunk.cache.yml @@ -22,7 +22,7 @@ concurrency: jobs: trunk-cache: name: Trunk Cache - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} permissions: actions: write steps: diff --git a/.github/workflows/trunk.check.yml b/.github/workflows/trunk.check.yml index 564aeef..5e72b8c 100644 --- a/.github/workflows/trunk.check.yml +++ b/.github/workflows/trunk.check.yml @@ -10,7 +10,7 @@ on: jobs: trunk-check: name: Trunk Check Runner - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} permissions: checks: write # For trunk to post annotations contents: read # For repo checkout diff --git a/.github/workflows/trunk.upgrade.yml b/.github/workflows/trunk.upgrade.yml index c8093aa..a0f4dd4 100644 --- a/.github/workflows/trunk.upgrade.yml +++ b/.github/workflows/trunk.upgrade.yml @@ -20,7 +20,7 @@ concurrency: jobs: trunk-upgrade: name: Upgrade Trunk - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNS_ON }} permissions: contents: write # For trunk to create PRs pull-requests: write # For trunk to create PRs From 32b18992eed5ee5d4d1e6110ac0fbff6a13d5652 Mon Sep 17 00:00:00 2001 
From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:36:56 +0200 Subject: [PATCH 07/19] Potentially this should build. --- .github/workflows/docker.release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.release.yml b/.github/workflows/docker.release.yml index 8fcd192..92d7bea 100644 --- a/.github/workflows/docker.release.yml +++ b/.github/workflows/docker.release.yml @@ -14,7 +14,7 @@ env: jobs: release-ghcr: - name: GHCR + name: GitHub Container Registry runs-on: ${{ vars.RUNS_ON }} steps: - run: docker login ghcr.io -u ${{ vars.SERVICE_ACCOUNT_USERNAME }} -p ${{ secrets.SERVICE_ACCOUNT_TOKEN }} From c0dc2dad38543479ca29538eaa2f618dd39828db Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:40:16 +0200 Subject: [PATCH 08/19] Potentially this should build. --- .github/workflows/docker.release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.release.yml b/.github/workflows/docker.release.yml index 92d7bea..f9c9c75 100644 --- a/.github/workflows/docker.release.yml +++ b/.github/workflows/docker.release.yml @@ -10,7 +10,7 @@ on: env: CANDIDATE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:sha-${{ github.sha }} - RELEASE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:latest + RELEASE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:latest jobs: release-ghcr: From 15fc1956994acaed0ec6a6820c8012395f06f56b Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 13:53:36 +0200 Subject: [PATCH 09/19] Potentially this should build. --- .github/workflows/tests.yml | 4 ++-- docker-compose.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 67960e3..ab1e11d 100644 --- a/.github/workflows/tests.yml 
+++ b/.github/workflows/tests.yml @@ -13,10 +13,10 @@ jobs: runs-on: ${{ vars.RUNS_ON }} steps: - uses: actions/checkout@v4 - - name: Start Bouncer + - name: Start Loadbalancer run: | rm -f docker-compose.override.yml - docker compose up --build -d bouncer test-box + docker compose up --build -d loadbalancer test-box - name: Give it a moment... run: sleep 5 - name: No-SSL Connect to Web A diff --git a/docker-compose.yml b/docker-compose.yml index ff22836..010e8d7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,10 +2,10 @@ networks: default: services: - bouncer: + loadbalancer: build: context: . - target: bouncer + target: loadbalancer additional_contexts: - php:cli=docker-image://ghcr.io/benzine-framework/php:cli-8.2 volumes: From 65326002633ee5a9dbc926da2ce53804d416dd95 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 14:00:02 +0200 Subject: [PATCH 10/19] Potentially this should build. --- .github/workflows/docker.build.yml | 2 +- .github/workflows/docker.clean.yml | 2 +- .github/workflows/docker.release.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml index 8e348df..ad38c8d 100644 --- a/.github/workflows/docker.build.yml +++ b/.github/workflows/docker.build.yml @@ -10,7 +10,7 @@ on: env: PLATFORMS: ${{ vars.PLATFORMS }} - DOCKER_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }} + DOCKER_IMAGE: ghcr.io/${{ github.repository }} jobs: docker-build: diff --git a/.github/workflows/docker.clean.yml b/.github/workflows/docker.clean.yml index c4e3bfd..b432a4e 100644 --- a/.github/workflows/docker.clean.yml +++ b/.github/workflows/docker.clean.yml @@ -38,7 +38,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} organization: ${{ github.repository_owner }} - container: ${{ github.repository_name }} + container: docker-swarm-loadbalancer dry-run: true keep-younger-than: 90 # days keep-last: 2 
diff --git a/.github/workflows/docker.release.yml b/.github/workflows/docker.release.yml index f9c9c75..ec06fc6 100644 --- a/.github/workflows/docker.release.yml +++ b/.github/workflows/docker.release.yml @@ -9,8 +9,8 @@ on: workflow_dispatch: env: - CANDIDATE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:sha-${{ github.sha }} - RELEASE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:latest + CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:sha-${{ github.sha }} + RELEASE_IMAGE: ghcr.io/${{ github.repository }}:latest jobs: release-ghcr: From 4e684ef0fa24ec392981067cd26e7f2be645c375 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 16:20:55 +0200 Subject: [PATCH 11/19] Generate self-signed certs instead of pre-baked example ones. --- Dockerfile | 15 +++++++++++++-- self-signed-certificates/example.crt | 22 ---------------------- self-signed-certificates/example.key | 28 ---------------------------- 3 files changed, 13 insertions(+), 52 deletions(-) delete mode 100644 self-signed-certificates/example.crt delete mode 100644 self-signed-certificates/example.key diff --git a/Dockerfile b/Dockerfile index 6c12593..6d405aa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,8 @@ FROM ghcr.io/benzine-framework/php:cli-8.2 AS loadbalancer LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \ org.label-schema.vcs-url="https://github.com/benzine-framework/docker-swarm-loadbalancer" \ org.opencontainers.image.source="https://github.com/benzine-framework/docker-swarm-loadbalancer" +# Allow overriding the default SSL cert subject +ARG DEFAULT_SSL_CERT_SUBJECT="/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname" SHELL ["/bin/bash", "-o", "pipefail", "-c"] 
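Review bot: `ghcr.io/${{ github.repository }}` keeps the owner's letter case, while GHCR image references must be all lowercase; it works for `benzine-framework` but the push will fail on any fork whose owner name contains capitals. Lowercase it once in a bash step, e.g. `echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"`, and build `CANDIDATE_IMAGE`/`RELEASE_IMAGE` from `env.IMAGE`. The same pattern is introduced in `docker.build.yml` by this patch.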
@@ -37,8 +39,17 @@ RUN apt-get -qq update && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/lib/dpkg/status.old /var/cache/debconf/templates.dat /var/log/dpkg.log /var/log/lastlog /var/log/apt/*.log
-# copy some default self-signed certs
-COPY self-signed-certificates /certs
+# Generate some default self-signed certs
+RUN mkdir /certs && \
+ openssl req \
+ -x509 \
+ -newkey rsa:4096 \
+ -keyout /certs/example.key \
+ -out /certs/example.crt \
+ -sha256 \
+ -days 3650 \
+ -nodes \
+ -subj "${DEFAULT_SSL_CERT_SUBJECT}"
 # Install runits for services
 COPY nginx.runit /etc/service/nginx/run
diff --git a/self-signed-certificates/example.crt b/self-signed-certificates/example.crt
deleted file mode 100644
index 58e206b..0000000
--- a/self-signed-certificates/example.crt
+++ /dev/null
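Review bot: The private key written by the new `RUN ... openssl req` step lands in an image layer, so every container started from a published image shares one key that anyone able to pull the image can extract — the same exposure the deleted `self-signed-certificates/example.key` had, only moved from the repository into the registry. Generate it at first start instead: keep just `RUN mkdir -p /certs` here, export the subject with `ENV DEFAULT_SSL_CERT_SUBJECT=${DEFAULT_SSL_CERT_SUBJECT}` next to the `ARG`, and run the same `openssl req` command from the nginx runit script guarded by `[ -s /certs/example.key ] ||` (that script is outside this hunk). The removed `example.key` also stays in git history, so anything ever served with it should be treated as having a public key pair. If generation does stay in the build, `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` is far cheaper than `rsa:4096` on every image build.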
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnTCCAoWgAwIBAgIUJYUUmBQ2/ERZ7xinAJzVhiFWViYwDQYJKoZIhvcNAQEL -BQAwXTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBU1p -YW1pMRYwFAYDVQQKDA1FeGFtcGxlIEdyb3VwMRQwEgYDVQQDDAtleGFtcGxlLm9y -ZzAgFw0yMTA1MzAxNzU4MzlaGA8yMTIxMDUwNjE3NTgzOVowXTELMAkGA1UEBhMC -VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBU1pYW1pMRYwFAYDVQQKDA1F -eGFtcGxlIEdyb3VwMRQwEgYDVQQDDAtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBANJa9OcoCW+mej8qDMCCTGnqMAuUqBIj1wZLgOdT -4DHriq1vKi1JLsDZkYekrCq/sfWo97kDXsdK6YN4+mua5EN4cTG3mSpal+RgLTc2 -HMKHFfgzPzIN/n5AEqzdVZb5j0P3LoUNH687AlplW0BB+K64Gw//2KPx0Q8Fkhq2 -I97V8SRpqds78PJHzhfuZNs/AUFpFXnYHJyO2Q63Btq2aoTMQyoLDRBBxin70II2 -6Cjh3k6EhMY+HuYS1AjfI8cDQw289asJBLa6zPoD0VGaGNfCSrOzxrUqfhIoOkuY -W7rOIsK6rSSu1neSKQIiOLVjQxifxrQIIKTQhRiSplgD9LUCAwEAAaNTMFEwHQYD -VR0OBBYEFADK74w4AGeETK72k/htsnol9ye0MB8GA1UdIwQYMBaAFADK74w4AGeE -TK72k/htsnol9ye0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB -AKElv0xx95lD2leXEOfD6DKakrzuE8lONmcrkfjehTOd7jbqblnj8u1DCWytwB8P -gEr5FXve0iy7avGoNkU33MufbbQokAMoTs/IA+rwMfv0unupT1aYN8TTEXJJ100j -MXBsq/PvNkBNwkBcXjYHHsVjdM3bptbaw9A4V9opfMjQXAY5wuk3rBBm8On2rJKy -Qksh/uLoe8wbZ5dvLv9oc9sRpIilaSy8TcbrHkDIaWA5WCdVFfcayDGYdjhCYLGW -tj/48g0THvJv6JvVYwFJqTM690YUSlxaOHQE2ZneLytocVyAdEL2MMldRezvtI1z -1OXOia2G7koNYtS7cD8G1IM= ------END CERTIFICATE----- diff --git a/self-signed-certificates/example.key b/self-signed-certificates/example.key deleted file mode 100644 index 3c63e83..0000000 --- a/self-signed-certificates/example.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDSWvTnKAlvpno/ -KgzAgkxp6jALlKgSI9cGS4DnU+Ax64qtbyotSS7A2ZGHpKwqv7H1qPe5A17HSumD -ePprmuRDeHExt5kqWpfkYC03NhzChxX4Mz8yDf5+QBKs3VWW+Y9D9y6FDR+vOwJa -ZVtAQfiuuBsP/9ij8dEPBZIatiPe1fEkaanbO/DyR84X7mTbPwFBaRV52BycjtkO -twbatmqEzEMqCw0QQcYp+9CCNugo4d5OhITGPh7mEtQI3yPHA0MNvPWrCQS2usz6 -A9FRmhjXwkqzs8a1Kn4SKDpLmFu6ziLCuq0krtZ3kikCIji1Y0MYn8a0CCCk0IUY -kqZYA/S1AgMBAAECggEARqfQjPgwuzTi6OZ55AugGQ9VVf53uagaKH4h7RGKQ5pH -OVwWgaGMN7CcpkAUqEM9RjOcCaPtKOmrp8Jx8sTTGSqScs2lf8lwLYB0j4/4dwqi -wXyNJIX4znU9EJ1Di3OFwKF9Gam/077xWmWjEeFW43DpfiVEokSuIOqRGbHGOKlt -2ygHJu+rmPapEPyYqSWQnAkYX0DW/KCAGiyIAqph/SgrCDTdsxbNOa2OwDygPC54 -7xW0yCduvgFLh9bxedF8iifzRkPw710cxyqVsYwHiwugDgxL4NiK1DlWbpBimab5 -ocye9+ElymMZ8DTjpA85cXny/TtoqJfqTs1YGYgrvQKBgQDwHnAcY0BjQ4o+ZneG -oqBJeQ8KCMRU4pEIa5QOOeUr46gtiPIfcFh/BJUHQ61qk7gcJj5BV2GXNS7+m+sU -RC3Usblm9twwxZn7mfoOk4z9NEfBI2MXmbB8ARjAQBCost+3KQAoSIL1AyDKiAlY -2JfMt+73+kwUsg7b9g0pYIfn/wKBgQDgRJPlSIxJs2mbjzUwVBAeslct2W0dehrh -V0sXPxEhJHWX6P343vLqRHRsKgqhbU/vy+3JrIS9ftwGKcmb+Y9EJgYrR+D3ZYzs -idSOsunSspJgbCG5mHE1VQhr8IpHeCkuSt22aFErLfsjzXWZIewK2tqZN1QUjdc5 -EJHOD4UDSwKBgFYRYvgZ72NlOzFAw0kkE7YiSWy8Vbtjdr8A6JHs2KNRt9+Sfc8d -Eut8dfqjnI5eIpkccCY1rwpnCtBCjRG3moHprl4k0Co/OgGAYKxG4TuFOM8W4xb7 -hNH+BqQqko4Vh7D8Zk0KKL6v/1n5RvhssoSzzVlfg1PLux3G5VLWggB7AoGAAP/N -OORN27Y07kCBGCoHuFtLECU72znEDOT6rKvXQ7KJ45diKk2z/182tZSqX3XBOWxL -Lu7Z2I5MJKri/xLplIAm3uJ/GhsVuagTjl81s36gMFXLAKyxNG+gjfqQYykh5dbn -jfyBABRAXjR4JaqFBrda6fvZIA5RuytbuvNOwGkCgYAUs82tDGLiqyMPd2jgYS3k -aL62f0TLKHjmTCmRca7IqXbqcMbAj+LgAHI2HfCfjc4KWd68ZGRLcpDlehMcis1f -PQi3HW+2b9dAZX6+HAIGiVem//ckYXgUza4MMosh0hXquGs1yJ/VNWC+HPIHrj6X -9tvvvHnGKav329q/Z/8K/A== ------END PRIVATE KEY----- From 57c9ddd73e44acd8dffd0b3f09bc44c3da5dfefe Mon Sep 17 00:00:00 2001 
From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 16:21:10 +0200 Subject: [PATCH 12/19] Fixup --- .github/workflows/docker.build.yml | 2 ++ .github/workflows/docker.clean.yml | 2 +- .github/workflows/docker.release.yml | 3 +-- .github/workflows/docker.validate.yml | 2 +- Dockerfile | 27 ++++++++++++++------------- docker-compose.override.yml | 2 +- docker-compose.yml | 4 ++++ 7 files changed, 24 insertions(+), 18 deletions(-) diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml index ad38c8d..07bd80e 100644 --- a/.github/workflows/docker.build.yml +++ b/.github/workflows/docker.build.yml @@ -29,6 +29,8 @@ jobs: context: . target: loadbalancer build-args: | + MAINTAINER=${{ vars.PUBLIC_MAINTAINER || 'Matthew Baggett <matthew@baggett.me>' }} + SOURCE_URL="https://github.com/${{ github.repository }}" GIT_SHA=${{ github.sha }} GIT_BUILD_ID=${{ github.ref_name }} GIT_COMMIT_MESSAGE=${{ github.event.head_commit.message }} diff --git a/.github/workflows/docker.clean.yml b/.github/workflows/docker.clean.yml index b432a4e..18cf19d 100644 --- a/.github/workflows/docker.clean.yml +++ b/.github/workflows/docker.clean.yml @@ -23,7 +23,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} organization: ${{ github.repository_owner }} - container: ${{ github.repository_name }} + container: docker-swarm-loadbalancer dry-run: true prune-tags-regexes: | ^build-${{ github.sha }}$ diff --git a/.github/workflows/docker.release.yml b/.github/workflows/docker.release.yml index ec06fc6..dbec1e0 100644 --- a/.github/workflows/docker.release.yml +++ b/.github/workflows/docker.release.yml @@ -10,7 +10,7 @@ on: env: CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:sha-${{ github.sha }} - RELEASE_IMAGE: ghcr.io/${{ github.repository }}:latest + RELEASE_IMAGE: ghcr.io/${{ github.repository }}:latest jobs: release-ghcr: 
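Review bot: The new `MAINTAINER=` build-arg does not match the Dockerfile, which declares `ARG PUBLIC_MAINTAINER` in this same patch, so the value never reaches `LABEL maintainer` and buildx reports it as unused; rename the line to `PUBLIC_MAINTAINER=${{ vars.PUBLIC_MAINTAINER || 'Matthew Baggett <matthew@baggett.me>' }}`. The double quotes in `SOURCE_URL="https://github.com/${{ github.repository }}"` are most likely passed through literally into the label value, since build-args are not shell-parsed — drop them to match the unquoted lines beside it. Separately, the context line `GIT_COMMIT_MESSAGE=${{ github.event.head_commit.message }}` splices an author-controlled multi-line string into the `build-args` list, where a newline in a commit message becomes an extra `KEY=VALUE` build-arg; derive a single-line value in a prior shell step (reading the message from a step `env:` rather than an inline expression) and reference that output here, or drop the build-arg. The `with:` block continues outside the hunk.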
@@ -21,4 +21,3 @@ jobs: - run: docker pull ${{ env.CANDIDATE_IMAGE }} - run: docker tag ${{ env.CANDIDATE_IMAGE }} ${{ env.RELEASE_IMAGE }} - run: docker push ${{ env.RELEASE_IMAGE }} - diff --git a/.github/workflows/docker.validate.yml b/.github/workflows/docker.validate.yml index d1d49d5..9855777 100644 --- a/.github/workflows/docker.validate.yml +++ b/.github/workflows/docker.validate.yml @@ -13,7 +13,7 @@ on: - completed env: - CANDIDATE_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }}:hash-${{ github.sha }} + CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:hash-${{ github.sha }} jobs: validate-install-report: diff --git a/Dockerfile b/Dockerfile index 6d405aa..a2d7e2e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,22 @@ # checkov:skip=CKV_DOCKER_3 I don't have time for rootless FROM ghcr.io/benzine-framework/php:cli-8.2 AS loadbalancer -LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \ - org.label-schema.vcs-url="https://github.com/benzine-framework/docker-swarm-loadbalancer" \ - org.opencontainers.image.source="https://github.com/benzine-framework/docker-swarm-loadbalancer" # Allow overriding the default SSL cert subject ARG DEFAULT_SSL_CERT_SUBJECT="/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname" +ARG PUBLIC_MAINTAINER="Matthew Baggett <matthew@baggett.me>" +ARG SOURCE_URL="https://github.com/benzine-framework/docker-swarm-loadbalancer" +ARG BUILD_DATE +ARG GIT_SHA +ARG GIT_BUILD_ID +ARG GIT_COMMIT_MESSAGE +ENV BUILD_DATE=${BUILD_DATE} \ + GIT_SHA=${GIT_SHA} \ + GIT_BUILD_ID=${GIT_BUILD_ID} \ + GIT_COMMIT_MESSAGE=${GIT_COMMIT_MESSAGE} + +LABEL maintainer="${PUBLIC_MAINTAINER}" \ + org.label-schema.vcs-url="${SOURCE_URL}" \ + org.opencontainers.image.source="${SOURCE_URL}" SHELL ["/bin/bash", "-o", "pipefail", "-c"] 
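Review bot: Moving `ARG BUILD_DATE`/`GIT_SHA`/`GIT_BUILD_ID`/`GIT_COMMIT_MESSAGE` and the `ENV` that expands them to the top of the stage invalidates the build cache for every layer below on every commit, because `GIT_SHA` and `BUILD_DATE` differ per build and Docker busts the cache at the first instruction that uses an ARG — here the `ENV` line, which now precedes the apt-get and COPY layers. Keep `ARG PUBLIC_MAINTAINER`, `ARG SOURCE_URL` and the `LABEL` near the top, but put the four volatile `ARG`s and their `ENV` back where the removed `# stuff some envs from build` block sat, after the expensive layers. Baking `GIT_COMMIT_MESSAGE` into the image `ENV` also exposes an arbitrary commit message through `docker inspect` of a public image; a label such as `org.opencontainers.image.revision=${GIT_SHA}` carries provenance without that. The stage continues outside the hunk.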
@@ -83,16 +94,6 @@ COPY src /app/src COPY templates /app/templates RUN chmod +x /app/bin/bouncer -# stuff some envs from build -ARG BUILD_DATE -ARG GIT_SHA -ARG GIT_BUILD_ID -ARG GIT_COMMIT_MESSAGE -ENV BUILD_DATE=${BUILD_DATE} \ - GIT_SHA=${GIT_SHA} \ - GIT_BUILD_ID=${GIT_BUILD_ID} \ - GIT_COMMIT_MESSAGE=${GIT_COMMIT_MESSAGE} - # Create some volumes for logs and certs VOLUME /etc/letsencrypt VOLUME /var/log/bouncer diff --git a/docker-compose.override.yml b/docker-compose.override.yml index 30c611f..4a53ea2 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml @@ -1,5 +1,5 @@ services: - bouncer: + loadbalancer: volumes: - /var/run/docker.sock:/var/run/docker.sock - ./src:/app/src diff --git a/docker-compose.yml b/docker-compose.yml index 010e8d7..5062687 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,8 +8,12 @@ services: target: loadbalancer additional_contexts: - php:cli=docker-image://ghcr.io/benzine-framework/php:cli-8.2 + args: + PUBLIC_MAINTAINER: "Matthew Baggett <test@baggett.me>" + SOURCE_URL: "https://git.grey.ooo/Benzine/docker-swarm-loadbalancer" volumes: - /var/run/docker.sock:/var/run/docker.sock + image: loadbalancer-test networks: default: aliases: From a29cd36b14382e074d22752268b5ac969b6df914 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 16:21:45 +0200 Subject: [PATCH 13/19] Fixup --- docker-compose.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 5062687..be2f945 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,9 +8,6 @@ services: target: loadbalancer additional_contexts: - php:cli=docker-image://ghcr.io/benzine-framework/php:cli-8.2 - args: - PUBLIC_MAINTAINER: "Matthew Baggett <test@baggett.me>" - SOURCE_URL: "https://git.grey.ooo/Benzine/docker-swarm-loadbalancer" volumes: - /var/run/docker.sock:/var/run/docker.sock image: loadbalancer-test 
From 30539244ae0f44d886534937fb7dca29ebdc262c Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Fri, 21 Jun 2024 16:28:15 +0200 Subject: [PATCH 14/19] Fixup --- .github/workflows/docker.validate.yml | 2 +- .github/workflows/tests.yml | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker.validate.yml b/.github/workflows/docker.validate.yml index 9855777..fd2789e 100644 --- a/.github/workflows/docker.validate.yml +++ b/.github/workflows/docker.validate.yml @@ -13,7 +13,7 @@ on: - completed env: - CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:hash-${{ github.sha }} + CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:sha-${{ github.sha }} jobs: validate-install-report: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ab1e11d..790466c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -20,39 +20,53 @@ jobs: - name: Give it a moment... run: sleep 5 - name: No-SSL Connect to Web A + shell: bash run: | + set -xeu docker compose exec test-box curl -s -D - http://a.example.org > a.nossl.http grep "HTTP/1.1 200 OK" a.nossl.http; grep "<h1>Website A</h1>" a.nossl.http; - name: SSL Connect to Web A + shell: bash run: | + set -xeu docker compose exec test-box curl -s -k -D - https://a.example.org 2>&1 > a.ssl.http; grep "HTTP/1.1 200 OK" a.ssl.http; grep "<h1>Website A</h1>" a.ssl.http; - name: No-SSL Connect to Web B + shell: bash run: | + set -xeu docker compose exec test-box curl -s -D - http://b.example.org 2>&1 > b.nossl.http grep "HTTP/1.1 200 OK" b.nossl.http grep "<h1>Website B</h1>" b.nossl.http - name: SSL Connect to Web B + shell: bash run: | + set -xeu docker compose exec test-box curl -s -k -D - https://b.example.org 2>&1 > b.ssl.http grep "HTTP/1.1 200 OK" b.ssl.http grep "<h1>Website B</h1>" b.ssl.http - name: No-SSL Connect to SSL-redirect + shell: bash run: | + set -xeu docker compose exec test-box curl -s -D - http://redirect-to-ssl.example.org 2>&1 > redirect.nossl.http # Validate its redirected grep "HTTP/1.1 301 Moved Permanently" redirect.nossl.http # And going to the right place grep "Location: https://redirect-to-ssl.example.org" redirect.nossl.http - name: SSL Connect to SSL-redirect + shell: bash run: | + set -xeu docker compose exec test-box curl -s -k -D - https://redirect-to-ssl.example.org 2>&1 > redirect.ssl.http grep "HTTP/1.1 200 OK" redirect.ssl.http grep "<h1>Website redirect-to-ssl</h1>" redirect.ssl.http - name: Connect to Plural multiple times and verify it loadbalances + shell: bash run: | + set -xeu rm -f plural_requests for i in {1..20}; do docker compose exec test-box curl -s -k https://plural.example.org 2>&1 >> plural_requests From fe3c695c9bb8bb4463165dbe06305f305de1317d Mon Sep 17 00:00:00 2001 
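Review bot: With `set -xeu` now in force, the redirection order in `curl ... 2>&1 > a.ssl.http` deserves a second look: `2>&1` is applied first, so curl's stderr goes to the job log and only stdout reaches the file; if both were meant to land in the file the order is `> a.ssl.http 2>&1` (the same pattern is in the Web B, redirect and plural steps). Since `-s` also suppresses curl's own error text, `-sS` would keep connection failures visible in the log when `-e` aborts the step before the `grep` assertions run. `-x` echoes every expanded command, which is harmless here because no secrets are interpolated into these steps.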
From: matthewbaggett <943948+matthewbaggett@users.noreply.github.com> Date: Mon, 24 Jun 2024 11:04:04 +0000 Subject: [PATCH 15/19] Upgrade trunk --- .trunk/trunk.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index f84a8e9..1ba1f50 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -28,7 +28,7 @@ lint: - markdownlint@0.41.0 - taplo@0.8.1 - actionlint@1.7.1 - - checkov@3.2.138 + - checkov@3.2.144 - prettier@3.3.2 - yamllint@1.35.1 definitions: @@ -47,16 +47,16 @@ tools: enabled: - tfupdate@0.8.2 - phpstan@1.10.58 - - gh@2.49.2 + - gh@2.51.0 - jq@jq-1.7.1 - - yq@4.44.1 - - awscli@1.33.9 + - yq@4.44.2 + - awscli@1.33.13 - action-validator@0.6.0 - act@0.2.63 - shellcheck@0.10.0 - hadolint@2.12.0 - svgo@3.3.2 - - tofu@1.7.1 + - tofu@1.7.2 - trunk-toolbox@0.3.1 - tflint@0.51.1 - terraform@1.1.4 From a909cba332094f0e6e3dc84c15952d753b916222 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Tue, 25 Jun 2024 15:19:09 +0200 Subject: [PATCH 16/19] Debuggin' whats wrong with service detection. --- docker-compose.yml | 7 +++++++ src/Bouncer.php | 24 +++++++++++++++++++----- 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index be2f945..532a517 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,6 +6,13 @@ services: build: context: . target: loadbalancer + args: + MAINTAINER: "Test <test@oneupsales.co.uk>" + SOURCE_URL: "https://github.com/doesntmatter" + GIT_SHA: "1234" + GIT_BUILD_ID: "test" + GIT_COMMIT_MESSAGE: "testy mctestface" + BUILD_DATE: "1970-01-01" additional_contexts: - php:cli=docker-image://ghcr.io/benzine-framework/php:cli-8.2 volumes: diff --git a/src/Bouncer.php b/src/Bouncer.php index ccbaf13..fdf068c 100644 --- a/src/Bouncer.php +++ b/src/Bouncer.php 
@@ -8,16 +8,19 @@ use AdamBrett\ShellWrapper\Command\Builder as CommandBuilder; use AdamBrett\ShellWrapper\Runners\Exec; use Aws\S3\S3Client; use Bouncer\Logger\AbstractLogger; +use Bouncer\Logger\Formatter; +use Bouncer\Logger\Logger; +use Bouncer\Settings\Settings; use GuzzleHttp\Client as Guzzle; use GuzzleHttp\Exception\ConnectException; +use GuzzleHttp\Exception\GuzzleException; use GuzzleHttp\Exception\ServerException; use League\Flysystem\AwsS3V3\AwsS3V3Adapter; use League\Flysystem\FileAttributes; use League\Flysystem\Filesystem; use League\Flysystem\FilesystemException; use League\Flysystem\Local\LocalFilesystemAdapter; -use Bouncer\Logger\Logger; -use Bouncer\Logger\Formatter; +use Monolog\Processor; use Spatie\Emoji\Emoji; use Symfony\Component\Yaml\Yaml; use Twig\Environment as Twig; @@ -25,9 +28,6 @@ use Twig\Error\LoaderError; use Twig\Error\RuntimeError; use Twig\Error\SyntaxError; use Twig\Loader\FilesystemLoader as TwigLoader; -use GuzzleHttp\Exception\GuzzleException; -use Monolog\Processor; -use Bouncer\Settings\Settings; class Bouncer { @@ -186,6 +186,7 @@ class Bouncer public function findContainersContainerMode(): array { $bouncerTargets = []; + $this->logger->warning('Interrogating CONTAINERS for BOUNCER_* environment variables.', ['emoji' => Emoji::magnifyingGlassTiltedLeft()]); $containers = json_decode($this->docker->request('GET', 'containers/json')->getBody()->getContents(), true); foreach ($containers as $container) { 
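Review bot: The added `$this->logger->warning('Interrogating CONTAINERS for BOUNCER_* environment variables.', ...)` in `findContainersContainerMode` records a routine, every-cycle progress message at warning level, which will trip anyone alerting on WARNING-and-above from this container's logs and bury the genuine warnings (`ports block missing`, `BOUNCER_IGNORE`); `$this->logger->debug('Interrogating CONTAINERS for BOUNCER_* environment variables.', ['emoji' => Emoji::magnifyingGlassTiltedLeft()]);` carries the same information at a level that can be switched off. The three `warning` calls added in the next two hunks (the "found {count}" summaries and the SERVICES counterpart) have the same problem, and the existing `critical('{label} cert type is {cert_type}', ...)` in the config-generation hunk later in this series is informational as well. The `json_decode(..., true)` just below the new line has no `JSON_THROW_ON_ERROR`, so a non-JSON reply from the Docker socket becomes `null` and the `foreach` silently iterates nothing; hedged, since the error handling may live inside `$this->docker`. `findContainersContainerMode` continues outside this hunk.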
@@ -262,11 +263,14 @@ class Bouncer } } + $this->logger->warning('Interrogating CONTAINERS for BOUNCER_* environment variables found {count} containers.', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'count' => count($validBouncerTargets)]); + return $validBouncerTargets; } public function findContainersSwarmMode(): array { + $this->logger->warning('Interrogating SERVICES for BOUNCER_* environment variables.', ['emoji' => Emoji::magnifyingGlassTiltedLeft()]); $bouncerTargets = []; $services = json_decode($this->docker->request('GET', 'services')->getBody()->getContents(), true); @@ -365,6 +369,8 @@ class Bouncer } } + $this->logger->warning('Interrogating SERVICES for BOUNCER_* environment variables found {count} containers.', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'count' => count($validBouncerTargets)]); + return $validBouncerTargets; } @@ -670,6 +676,7 @@ class Bouncer $this->logger->debug(' > Swarm mode is {enabled}.', ['emoji' => Emoji::honeybee(), 'enabled' => $this->isSwarmMode() ? 'enabled' : 'disabled']); + /** @var Target[] $targets */ $targets = array_values( array_merge( $this->findContainersContainerMode(), @@ -677,6 +684,13 @@ class Bouncer ) ); + foreach($targets as $target){ + $this->logger->info('Found target {target}', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'target' => $target->getName()]); + \Kint::dump( + $target->getDomains(), + ); + } + // Use some bs to sort the targets by domain from right to left. $sortedTargets = []; foreach ($targets as $target) { From 42b3b4912b41f46c9e849037428c2cb8d00c3391 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Tue, 25 Jun 2024 15:27:42 +0200 Subject: [PATCH 17/19] Debuggin' --- src/Bouncer.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Bouncer.php b/src/Bouncer.php index fdf068c..0a21e94 100644 --- a/src/Bouncer.php +++ b/src/Bouncer.php 
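Review bot: The `\Kint::dump($target->getDomains())` added to `run()` executes on every reconciliation pass and writes straight to stdout, bypassing the logger's levels and formatting, and it becomes a fatal class-not-found at startup if Kint is only a dev dependency in the production image (composer.json is not visible from here). Assuming `getDomains()` returns a list of strings, `$this->logger->debug('Target {target} domains: {domains}', ['target' => $target->getName(), 'domains' => implode(', ', $target->getDomains())]);` gives the same diagnostic under a level that can be turned off. `run()` continues outside this hunk.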
@@ -211,6 +211,7 @@ class Bouncer } // If BOUNCER_IGNORE is set, skip this service. if (isset($envs['BOUNCER_IGNORE'])) { + $this->logger->warning('Container {container_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'container_name' => $container['Name']]); continue; } @@ -294,13 +295,16 @@ class Bouncer $envs[$envKey] = $envVal; } } + \Kint::dump($service['Spec']['TaskTemplate']['ContainerSpec']['Env']); ksort($envs); // If there are no BOUNCER_* environment variables, skip this service. if (count($envs) == 0) { + $this->logger->debug('Service {service_name} has no BOUNCER_* environment variables, skipping.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'service_name' => $service['Spec']['Name']]); continue; } // if BOUNCER_IGNORE is set, skip this service. if (isset($envs['BOUNCER_IGNORE'])) { + $this->logger->warning('Service {service_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'service_name' => $service['Spec']['Name']]); continue; } From f7f269d685c23727977035e9f216d75b7fe9a031 Mon Sep 17 00:00:00 2001 From: Matthew Baggett <matthew@baggett.me> Date: Wed, 26 Jun 2024 12:54:49 +0200 Subject: [PATCH 18/19] Fix bugs with loadbalancer --- src/Bouncer.php | 54 ++++++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/src/Bouncer.php b/src/Bouncer.php index 0a21e94..d573234 100644 --- a/src/Bouncer.php +++ b/src/Bouncer.php @@ -211,7 +211,7 @@ class Bouncer } // If BOUNCER_IGNORE is set, skip this service. if (isset($envs['BOUNCER_IGNORE'])) { - $this->logger->warning('Container {container_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'container_name' => $container['Name']]); + $this->logger->warning('Container {container_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' ', 'container_name' => $container['Name']]); continue; } 
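Review bot: `\Kint::dump($service['Spec']['TaskTemplate']['ContainerSpec']['Env'])` in `findContainersSwarmMode` prints the complete environment of every swarm service to the loadbalancer's stdout, and service environments routinely hold database passwords, API tokens and similar credentials, so this copies other services' secrets into this container's log and whatever aggregates it. The loop directly above appears to already narrow the entries to the `BOUNCER_*` keys in `$envs`, so if a diagnostic is needed, log only those key names: `$this->logger->debug('Service {service_name} BOUNCER_* keys: {keys}', ['service_name' => $service['Spec']['Name'], 'keys' => implode(',', array_keys($envs))]);`. Keep values out of the log even for `$envs`, since what the BOUNCER_* settings hold is not known here. `findContainersSwarmMode` starts outside this hunk.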
@@ -276,7 +276,7 @@ class Bouncer $services = json_decode($this->docker->request('GET', 'services')->getBody()->getContents(), true); if (isset($services['message'])) { - $this->logger->debug('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' Bouncer.php', 'message' => $services['message']]); + $this->logger->debug('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' ', 'message' => $services['message']]); } else { foreach ($services as $service) { $envs = []; @@ -288,6 +288,7 @@ class Bouncer ) { continue; } + // Parse all the environment variables and store them in an array. foreach ($service['Spec']['TaskTemplate']['ContainerSpec']['Env'] as $env) { [$envKey, $envVal] = explode('=', $env, 2); @@ -295,16 +296,17 @@ class Bouncer $envs[$envKey] = $envVal; } } - \Kint::dump($service['Spec']['TaskTemplate']['ContainerSpec']['Env']); ksort($envs); + // If there are no BOUNCER_* environment variables, skip this service. if (count($envs) == 0) { - $this->logger->debug('Service {service_name} has no BOUNCER_* environment variables, skipping.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'service_name' => $service['Spec']['Name']]); + $this->logger->debug('Service {service_name} has no BOUNCER_* envs set, skipping.', ['emoji' => Emoji::ghost() . ' ', 'service_name' => $service['Spec']['Name']]); continue; } + // if BOUNCER_IGNORE is set, skip this service. if (isset($envs['BOUNCER_IGNORE'])) { - $this->logger->warning('Service {service_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'service_name' => $service['Spec']['Name']]); + $this->logger->debug('Service {service_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' ', 'service_name' => $service['Spec']['Name']]); continue; } 
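Review bot: The destructuring `[$envKey, $envVal] = explode('=', $env, 2);` beneath the new comment assumes every `Env` entry contains `=`; an entry without one yields a single-element array, so reading index 1 raises an undefined-key warning and leaves `$envVal` null. Docker documents the entries as `VAR=value`, but they come from service specs this process does not control, so guard it with `if (!str_contains($env, '=')) { continue; }` before the destructuring, or use `[$envKey, $envVal] = explode('=', $env, 2) + [1 => ''];`. The enclosing `foreach` closes outside this hunk.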
@@ -333,7 +335,7 @@ class Bouncer $bouncerTarget->setEndpoints(['172.17.0.1']); $bouncerTarget->setPort(intval($service['Endpoint']['Ports'][0]['PublishedPort'])); } else { - $this->logger->warning('{label}: ports block missing for {target_name}. Try setting BOUNCER_TARGET_PORT.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'label' => $bouncerTarget->getLabel(), 'target_name' => $bouncerTarget->getName()]); + $this->logger->warning('{label}: ports block missing for {target_name}. Try setting BOUNCER_TARGET_PORT.', ['emoji' => Emoji::warning() . ' ', 'label' => $bouncerTarget->getLabel(), 'target_name' => $bouncerTarget->getName()]); \Kint::dump( $bouncerTarget->getId(), $bouncerTarget->getLabel(), @@ -352,6 +354,10 @@ class Bouncer unset($bouncerTarget); } } + + if(isset($bouncerTarget)) { + $bouncerTargets[] = $bouncerTarget; + } } } } 
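Review bot: The new `if(isset($bouncerTarget)) { $bouncerTargets[] = $bouncerTarget; }` tests a variable that survives across iterations of the enclosing `foreach`, and the only reset visible is the `unset($bouncerTarget)` in the ports-missing branch; if any path reaches this check without assigning `$bouncerTarget` for the current service, the previous service's target is appended a second time. Setting `$bouncerTarget = null;` at the top of each iteration and testing `$bouncerTarget !== null` makes the intent explicit; the assignment site is outside this hunk, so this may already be guaranteed. The `\Kint::dump($bouncerTarget->getId(), ...)` in the ports-missing branch is still in place after this commit removed the other debug dumps, and it writes to stdout outside the logger.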
@@ -372,15 +378,16 @@ class Bouncer ); } } + $this->logger->debug("There are {count} bouncer targets, of which {validCount} are valid", ['count' => count($bouncerTargets), 'validCount' => count($validBouncerTargets)]); - $this->logger->warning('Interrogating SERVICES for BOUNCER_* environment variables found {count} containers.', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'count' => count($validBouncerTargets)]); + $this->logger->warning('Interrogating SERVICES for BOUNCER_* environment variables found {count} services.', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'count' => count($validBouncerTargets)]); return $validBouncerTargets; } public function run(): void { - $this->logger->info('Starting Bouncer. Built {build_id} on {build_date}, {build_ago}', ['emoji' => Emoji::redHeart() . ' Bouncer.php', 'build_id' => $this->settings->get('build/id'), 'build_date' => $this->settings->get('build/date')->toDateTimeString(), 'build_ago' => $this->settings->get('build/date')->ago()]); + $this->logger->info('Starting Bouncer. Built {build_id} on {build_date}, {build_ago}', ['emoji' => Emoji::redHeart() . ' ', 'build_id' => $this->settings->get('build/id'), 'build_date' => $this->settings->get('build/date')->toDateTimeString(), 'build_ago' => $this->settings->get('build/date')->ago()]); $this->logger->info('Build #{git_sha}: "{build_message}"', ['emoji' => Emoji::memo(), 'git_sha' => $this->settings->get('build/sha_short'), 'build_message' => $this->settings->get('build/message')]); $this->logger->debug(' > HTTPS Listener is on {https_port}', ['emoji' => Emoji::ship(), 'https_port' => $this->settings->get('bouncer/https_port')]); $this->logger->debug(' > HTTP Listener is on {http_port}', ['emoji' => Emoji::ship(), 'http_port' => $this->settings->get('bouncer/http_port')]); 
@@ -596,7 +603,7 @@ class Bouncer $containerStateDiff = $this->diff($this->previousContainerState, $newContainerState); if (!$isTainted && !empty($containerStateDiff)) { if ($this->settings->if('logger/show_state_deltas')) { - $this->logger->warning('Container state has changed', ['emoji' => Emoji::warning() . ' Bouncer.php']); + $this->logger->warning('Container state has changed', ['emoji' => Emoji::warning() . ' ']); echo $containerStateDiff; } $isTainted = true; @@ -608,7 +615,7 @@ class Bouncer if ($this->isSwarmMode()) { $services = json_decode($this->docker->request('GET', 'services')->getBody()->getContents(), true); if (isset($services['message'])) { - $this->logger->warning('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' Bouncer.php', 'message' => $services['message']]); + $this->logger->warning('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' ', 'message' => $services['message']]); } else { foreach ($services as $service) { $name = $service['Spec']['Name']; @@ -636,7 +643,7 @@ class Bouncer $swarmStateDiff = $this->diff($this->previousSwarmState, $newSwarmState); if ($this->isSwarmMode() && !$isTainted && !empty($swarmStateDiff)) { if ($this->settings->if('logger/show_state_deltas')) { - $this->logger->warning('Swarm state has changed', ['emoji' => Emoji::warning() . ' Bouncer.php']); + $this->logger->warning('Swarm state has changed', ['emoji' => Emoji::warning() . ' ']); echo $swarmStateDiff; } $isTainted = true; 
@@ -672,7 +679,7 @@ class Bouncer } catch (ServerException $exception) { $this->setSwarmMode(false); } catch (ConnectException $exception) { - $this->logger->critical('Unable to connect to docker socket!', ['emoji' => Emoji::warning() . ' Bouncer.php']); + $this->logger->critical('Unable to connect to docker socket!', ['emoji' => Emoji::warning() . ' ']); $this->logger->critical($exception->getMessage()); exit(1); @@ -690,9 +697,6 @@ class Bouncer foreach($targets as $target){ $this->logger->info('Found target {target}', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'target' => $target->getName()]); - \Kint::dump( - $target->getDomains(), - ); } // Use some bs to sort the targets by domain from right to left. @@ -720,7 +724,7 @@ class Bouncer } if ($this->isTestMode()) { - $this->logger->info('Test mode enabled, not restarting nginx. Infact, I\'ll die now..', ['emoji' => Emoji::warning() . ' Bouncer.php']); + $this->logger->info('Test mode enabled, not restarting nginx. Infact, I\'ll die now..', ['emoji' => Emoji::warning() . ' ']); $this->dumpConfigs(); exit(0); 
@@ -836,15 +840,15 @@ class Bouncer 'file' => $target->getNginxConfigFileName(), 'config_dir' => Bouncer::FILESYSTEM_CONFIG_DIR, ]; - $this->logger->info('Created {label}', $context + ['emoji' => Emoji::pencil() . ' Bouncer.php']); - $this->logger->debug(' -> {config_dir}/{file}', $context + ['emoji' => Emoji::pencil() . ' Bouncer.php']); - $this->logger->debug(' -> {domain}', $context + ['emoji' => Emoji::pencil() . ' Bouncer.php']); + $this->logger->info('Created {label}', $context + ['emoji' => Emoji::pencil() . ' ']); + $this->logger->debug(' -> {config_dir}/{file}', $context + ['emoji' => Emoji::pencil() . ' ']); + $this->logger->debug(' -> {domain}', $context + ['emoji' => Emoji::pencil() . ' ']); $this->logger->critical('{label} cert type is {cert_type}', $context + ['emoji' => Emoji::catFace(), 'cert_type' => $target->getTypeCertInUse()->name]); } } else { - $this->logger->info('More than {num_max} Nginx configs generated.. Too many to show them all!', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'num_max' => $this->getMaximumNginxConfigCreationNotices()]); + $this->logger->info('More than {num_max} Nginx configs generated.. Too many to show them all!', ['emoji' => Emoji::pencil() . ' ', 'num_max' => $this->getMaximumNginxConfigCreationNotices()]); } - $this->logger->info('Updated {num_created} Nginx configs, {num_changed} changed..', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'num_created' => count($targets), 'num_changed' => count($changedTargets)]); + $this->logger->info('Updated {num_created} Nginx configs, {num_changed} changed..', ['emoji' => Emoji::pencil() . ' ', 'num_created' => count($targets), 'num_changed' => count($changedTargets)]); $this->pruneNonExistentConfigs($targets); } 
@@ -967,13 +971,13 @@ class Bouncer $command->addFlag('n'); $command->addFlag('m', $this->environment['BOUNCER_LETSENCRYPT_EMAIL']); $command->addArgument('agree-tos'); - $this->logger->info('Generating letsencrypt for {target_name} - {command}', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'target_name' => $target->getName(), 'command' => $command->__toString()]); + $this->logger->info('Generating letsencrypt for {target_name} - {command}', ['emoji' => Emoji::pencil() . ' ', 'target_name' => $target->getName(), 'command' => $command->__toString()]); $shell->run($command); if ($shell->getReturnValue() == 0) { $this->logger->info('Generating successful', ['emoji' => Emoji::partyPopper()]); } else { - $this->logger->critical('Generating failed!', ['emoji' => Emoji::warning() . ' Bouncer.php']); + $this->logger->critical('Generating failed!', ['emoji' => Emoji::warning() . ' ']); } // Re-enable nginx tweaks @@ -995,7 +999,7 @@ class Bouncer $shell = new Exec(); $command = new CommandBuilder('/usr/sbin/nginx'); $command->addFlag('s', 'reload'); - $this->logger->info('Restarting nginx', ['emoji' => Emoji::timerClock() . ' Bouncer.php']); + $this->logger->info('Restarting nginx', ['emoji' => Emoji::timerClock() . ' ']); $nginxRestartOutput = $shell->run($command); $this->logger->debug('Nginx restarted {restart_output}', ['restart_output' => $nginxRestartOutput, 'emoji' => Emoji::partyPopper()]); } @@ -1008,7 +1012,7 @@ class Bouncer if ($file['path'] == 'default.conf') { continue; } - $this->logger->info('Dumping {file}', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'file' => $file['path']]); + $this->logger->info('Dumping {file}', ['emoji' => Emoji::pencil() . ' ', 'file' => $file['path']]); echo $this->configFilesystem->read($file['path']); } } From 6d4e3b26f2590677870d8d05cbeed30c54fe0978 Mon Sep 17 00:00:00 2001 
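Review bot: The certbot command logged and run here is assembled from values that originate outside this process — `$this->environment['BOUNCER_LETSENCRYPT_EMAIL']` and, presumably, the target's domains discovered from container or service environments — and is then handed to `Exec`, so the code building it should state that `CommandBuilder::addFlag()`/`addArgument()` shell-escape each value (I believe the library does, but confirm rather than rely on it, since a deployer of any container can influence these inputs). `if ($shell->getReturnValue() == 0)` is a loose comparison; `=== 0` pins the intent that a missing return value counts as failure. The `$command` construction starts outside this hunk.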
From: Matthew Baggett <matthew@baggett.me> Date: Wed, 26 Jun 2024 13:02:36 +0200 Subject: [PATCH 19/19] php-cs-fixer --- src/Bouncer.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/Bouncer.php b/src/Bouncer.php index d573234..273f8d9 100644 --- a/src/Bouncer.php +++ b/src/Bouncer.php @@ -212,6 +212,7 @@ class Bouncer // If BOUNCER_IGNORE is set, skip this service. if (isset($envs['BOUNCER_IGNORE'])) { $this->logger->warning('Container {container_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' ', 'container_name' => $container['Name']]); + continue; } @@ -301,12 +302,14 @@ class Bouncer // If there are no BOUNCER_* environment variables, skip this service. if (count($envs) == 0) { $this->logger->debug('Service {service_name} has no BOUNCER_* envs set, skipping.', ['emoji' => Emoji::ghost() . ' ', 'service_name' => $service['Spec']['Name']]); + continue; } // if BOUNCER_IGNORE is set, skip this service. if (isset($envs['BOUNCER_IGNORE'])) { $this->logger->debug('Service {service_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' ', 'service_name' => $service['Spec']['Name']]); + continue; } @@ -355,7 +358,7 @@ class Bouncer } } - if(isset($bouncerTarget)) { + if (isset($bouncerTarget)) { $bouncerTargets[] = $bouncerTarget; } } @@ -378,7 +381,7 @@ class Bouncer ); } } - $this->logger->debug("There are {count} bouncer targets, of which {validCount} are valid", ['count' => count($bouncerTargets), 'validCount' => count($validBouncerTargets)]); + $this->logger->debug('There are {count} bouncer targets, of which {validCount} are valid', ['count' => count($bouncerTargets), 'validCount' => count($validBouncerTargets)]); $this->logger->warning('Interrogating SERVICES for BOUNCER_* environment variables found {count} services.', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'count' => count($validBouncerTargets)]); 
@@ -695,7 +698,7 @@ class Bouncer ) ); - foreach($targets as $target){ + foreach ($targets as $target) { $this->logger->info('Found target {target}', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'target' => $target->getName()]); }