From 811d264fe1474ea97412fe54ba4edd06186b1821 Mon Sep 17 00:00:00 2001
From: Kyle Gorak
Date: Tue, 1 Jun 2021 11:49:31 -0700
Subject: [PATCH 1/2] Digital Ocean droplet configuration. Droplet#1: https://kc.tracked.events running keycloak standalone configuration Droplet#2: https://tracked.events nginx reverse proxy to dockerized postgres and application containers
---
 pipeline/build.sh | 1 +
 pipeline/do/Dockerfile | 9 ++++
 pipeline/do/build.sh | 3 ++
 pipeline/do/push.sh | 6 +++
 .../server/:etc:nginx:sites-enabled:default | 51 +++++++++++++++++++
 pipeline/do/server/nginx-conf:nginx.conf | 13 +++++
 pipeline/do/server/tsr:Dockerfile | 10 ++++
 pipeline/do/server/tsr:docker-entrypoint.sh | 22 ++++++++
 src/main/resources/application.yml | 4 +-
 9 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 pipeline/do/Dockerfile
 create mode 100755 pipeline/do/build.sh
 create mode 100755 pipeline/do/push.sh
 create mode 100644 pipeline/do/server/:etc:nginx:sites-enabled:default
 create mode 100644 pipeline/do/server/nginx-conf:nginx.conf
 create mode 100644 pipeline/do/server/tsr:Dockerfile
 create mode 100755 pipeline/do/server/tsr:docker-entrypoint.sh
diff --git a/pipeline/build.sh b/pipeline/build.sh
index ab429ddf..cce9f357 100755
--- a/pipeline/build.sh
+++ b/pipeline/build.sh
@@ -24,5 +24,6 @@ echo "******* Creating jar"
 ./gradlew bootJar
 cp ./build/libs/tsr*.jar ./pipeline/eb/tsr.jar
+cp ./build/libs/tsr*.jar ./pipeline/do/tsr.jar
 exit 0
\ No newline at end of file
diff --git a/pipeline/do/Dockerfile b/pipeline/do/Dockerfile
new file mode 100644
index 00000000..171eceff
--- /dev/null
+++ b/pipeline/do/Dockerfile
@@ -0,0 +1,9 @@
+FROM openjdk:15-alpine
+
+ENV SPRING_PROFILES_ACTIVE=default
+
+COPY tsr.jar /tsr.jar
+
+EXPOSE 8080
+
+ENTRYPOINT ["/opt/openjdk-15/bin/java","-Djava.net.preferIPv4Stack=true", "-jar", "tsr.jar"]
diff --git a/pipeline/do/build.sh b/pipeline/do/build.sh
new file mode 100755
index 00000000..6b14bfd7
--- /dev/null
+++ b/pipeline/do/build.sh
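Review bot: The image runs the Spring process as root — there is no `USER` instruction anywhere between `FROM openjdk:15-alpine` and the `ENTRYPOINT`, so the JVM and anything it spawns has uid 0 inside the container; pipeline/do/server/tsr:Dockerfile later in this patch has the same gap. Add a dedicated account before the entrypoint, e.g. `RUN addgroup -S tsr && adduser -S -G tsr -H tsr`, `COPY --chown=tsr:tsr tsr.jar /tsr.jar`, `USER tsr`. `-jar tsr.jar` is a relative path that only resolves because the default `WORKDIR` is `/`, where the jar was copied; an explicit `WORKDIR /app` (and copying the jar there) makes that dependency visible. The `openjdk:15-alpine` tag is floating and the `openjdk` Hub image is deprecated upstream, so pinning a maintained JDK image by digest would keep rebuilds reproducible.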
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+docker build -t g0rak/tsr-app:latest .
\ No newline at end of file
diff --git a/pipeline/do/push.sh b/pipeline/do/push.sh
new file mode 100755
index 00000000..da0529e4
--- /dev/null
+++ b/pipeline/do/push.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# push to docker.io
+echo $DOCKER_ACCESS_TOKEN | docker login -u $DOCKER_USERNAME --password-stdin
+docker push g0rak/tsr-app
+docker logout
\ No newline at end of file
diff --git a/pipeline/do/server/:etc:nginx:sites-enabled:default b/pipeline/do/server/:etc:nginx:sites-enabled:default
new file mode 100644
index 00000000..7b3f91e2
--- /dev/null
+++ b/pipeline/do/server/:etc:nginx:sites-enabled:default
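Review bot: A failed `docker login` does not stop push.sh — there is no `set -e`, so `docker push g0rak/tsr-app` still runs unauthenticated, and conversely a failed push leaves the logged-in credential in the runner's Docker config because `docker logout` is never reached once the script is made strict. Add `set -euo pipefail` after the shebang and `trap 'docker logout' EXIT` before the login so the session is closed on every exit path, and quote the expansions: `printf '%s\n' "$DOCKER_ACCESS_TOKEN" | docker login -u "$DOCKER_USERNAME" --password-stdin`. Pushing `g0rak/tsr-app` without a tag relies on the client's default-tag behaviour; `docker push g0rak/tsr-app:latest` matches what build.sh tagged.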
@@ -0,0 +1,51 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+ if ($host = tracked.events) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name *.tracked.events; # managed by Certbot
+
+ listen 443 ssl; # managed by Certbot
+
+ ssl_certificate /etc/letsencrypt/live/tracked.events/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/tracked.events/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header Host $host;
+ proxy_pass http://localhost:8080/;
+ }
+
+ location /ws {
+ proxy_pass http://localhost:8080/ws;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ 
proxy_set_header Host $host;
+ }
+}
diff --git a/pipeline/do/server/nginx-conf:nginx.conf b/pipeline/do/server/nginx-conf:nginx.conf
new file mode 100644
index 00000000..d42b4e92
--- /dev/null
+++ b/pipeline/do/server/nginx-conf:nginx.conf
@@ -0,0 +1,13 @@
+server {
+ listen 443;
+
+ server_name *.tracked.events;
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header Host $host;
+ proxy_pass http://localhost:8080;
+ }
+}
diff --git a/pipeline/do/server/tsr:Dockerfile b/pipeline/do/server/tsr:Dockerfile
new file mode 100644
index 00000000..e162e58b
--- /dev/null
+++ b/pipeline/do/server/tsr:Dockerfile
@@ -0,0 +1,10 @@
+FROM openjdk:15-alpine
+
+ENV SPRING_PROFILES_ACTIVE=default
+#RUN apk update; apk add curl #for debugging in entrypoint
+COPY ./tsr/tsr.jar /tsr.jar
+COPY ./tsr/docker-entrypoint.sh .
+RUN chmod +x docker-entrypoint.sh
+
+ENTRYPOINT ["/bin/sh", "./docker-entrypoint.sh"]
+
diff --git a/pipeline/do/server/tsr:docker-entrypoint.sh b/pipeline/do/server/tsr:docker-entrypoint.sh
new file mode 100755
index 00000000..ee09ac00
--- /dev/null
+++ b/pipeline/do/server/tsr:docker-entrypoint.sh
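Review bot: The Certbot redirect `if ($host = tracked.events) { return 301 https://$host$request_uri; }` sits inside the `listen 443 ssl;` server block and this file has no `listen 80` server at all, so plain-HTTP requests get no redirect, and if this block is the default server for port 443 it also receives requests for the apex `tracked.events` (which `server_name *.tracked.events;` does not match on its own) and answers them with a redirect to the same URL — a loop. Certbot normally emits that `if` in a separate `server { listen 80; … }` block; moving it there restores the HTTP→HTTPS redirect and removes the loop, and `server_name tracked.events *.tracked.events;` matches the apex explicitly instead of by fallback. The `/ws` location hard-codes `proxy_set_header Connection "upgrade";` for every request; the usual `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` only sets it when the client actually asks to upgrade.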
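Review bot: `listen 443;` without the `ssl` parameter, and with no `ssl_certificate`/`ssl_certificate_key` directives, makes this server speak cleartext HTTP on the HTTPS port: TLS clients will get nginx's "plain HTTP request was sent to HTTPS port" error and, for anything that does connect, `proxy_set_header X-Forwarded-Proto $scheme;` tells the app the request was `http`. If this file is the one actually loaded on the droplet (rather than the sites-enabled/default copy in the same patch), it needs `listen 443 ssl;` plus the certificate directives, or it should listen on 80 behind something that terminates TLS. A one-line comment at the top stating which of the two nginx files in this patch is the deployed one would save the next reader from guessing.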
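Review bot: The entrypoint script's first line is `#!/bin/bash`, but `openjdk:15-alpine` ships no bash; it only runs here because `ENTRYPOINT ["/bin/sh", "./docker-entrypoint.sh"]` names the interpreter explicitly, and anyone executing the script directly or switching to `ENTRYPOINT ["/docker-entrypoint.sh"]` will get "not found". Change the shebang to `#!/bin/sh` (the script uses no bash-only syntax) or install bash in the image. `COPY ./tsr/docker-entrypoint.sh .` followed by `RUN chmod +x docker-entrypoint.sh` duplicates the file into a second layer; `COPY --chmod=755 ./tsr/docker-entrypoint.sh /docker-entrypoint.sh` does both in one step. This stage also ends as root — the `USER` point raised on pipeline/do/Dockerfile applies here too.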
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+RDS_HOSTNAME="db"
+RDS_PORT="5432"
+RDS_DB_NAME="tsr"
+RDS_JDBC_DATABASE_URL="jdbc:postgresql://$RDS_HOSTNAME:$RDS_PORT/$RDS_DB_NAME"
+
+RDS_USERNAME="XXXXX"
+RDS_PASSWORD="XXXXX"
+TSR_KEYCLOAK_SECRET_KEY="XXXXX"
+TSR_KEYCLOAK_HOST="https://kc.tracked.events/auth/realms/tsr"
+TSR_KEYCLOAK_JWK="$TSR_KEYCLOAK_HOST/protocol/openid-connect/certs"
+
+#curl -vvI https://kc.tracked.events #for debugging keycloak
+
+/opt/openjdk-15/bin/java -Djava.net.preferIPv4Stack=true -jar tsr.jar \
+--spring.datasource.url=$RDS_JDBC_DATABASE_URL \
+--spring.datasource.username=$RDS_USERNAME \
+--spring.datasource.password=$RDS_PASSWORD \
+--spring.security.oauth2.client.registration.keycloak.clientSecret=$TSR_KEYCLOAK_SECRET_KEY \
+--spring.security.oauth2.client.provider.keycloak.issuer-uri=$TSR_KEYCLOAK_HOST \
+--spring.security.oauth2.resourceserver.jwt.jwk-set-uri=$TSR_KEYCLOAK_JWK
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 03945578..14726603 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -57,6 +57,7 @@ logging:
 SQL: OFF
 type: OFF
 springframework:
+ security: error
 web: INFO
 ws:
 server:
@@ -73,4 +74,5 @@ server:
 cookie:
 http-only: true
 secure: true
- tracking-modes: COOKIE
\ No newline at end of file
+ tracking-modes: COOKIE
+ forward-headers-strategy: native
From 183c94437b73e1399eaaba95054361234e6cd33a Mon Sep 17 00:00:00 2001
From: Kyle Gorak
Date: Fri, 4 Jun 2021 16:52:45 -0700
Subject: [PATCH 2/2] FIX: README
---
 pipeline/do/README.md | 7 +++++++
 pipeline/eb/README.md | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 pipeline/do/README.md
 create mode 100644 pipeline/eb/README.md
diff --git a/pipeline/do/README.md b/pipeline/do/README.md
new file mode 100644
index 00000000..50d48321
--- /dev/null
+++ b/pipeline/do/README.md
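Review bot: The database password and the Keycloak client secret are passed on the java command line (`--spring.datasource.password=$RDS_PASSWORD`, `…keycloak.clientSecret=$TSR_KEYCLOAK_SECRET_KEY`), which makes them readable by any process on the host through `ps` or `/proc/<pid>/cmdline` for the life of the container; the `RDS_PASSWORD="XXXXX"` placeholders also invite the real values to be edited into a file that is tracked in git. Spring's relaxed binding reads the same properties from the environment, so export `SPRING_DATASOURCE_PASSWORD` and `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTSECRET` (or inject them via the container runtime) and delete the two `--spring.*` arguments, failing fast with `: "${RDS_PASSWORD:?must be set}"` when they are absent. Prefix the java invocation with `exec` so the JVM becomes PID 1 and receives `SIGTERM` from `docker stop` directly; as written the `/bin/sh` wrapper in the ENTRYPOINT holds the signal. The remaining `$RDS_*`/`$TSR_*` expansions should be double-quoted.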
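Review bot: `forward-headers-strategy: native` delegates `X-Forwarded-*` handling to the servlet container, so the application's view of scheme, port and client address now comes from whichever peer set those headers; with Tomcat this is the RemoteIpValve, which by default honours them only from loopback and private-range proxies, and that default is what keeps the nginx-on-localhost layout in this patch safe. Record the dependency next to the setting, e.g. `# X-Forwarded-* are set by the nginx reverse proxy (pipeline/do/server); 'native' lets Tomcat's RemoteIpValve apply them — revisit server.tomcat.remoteip.internal-proxies if the app is ever reached from a non-private address`. The enclosing `server:` block starts outside the hunk.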
@@ -0,0 +1,7 @@
+# Digital Ocean Droplets
+
+
+## Setup
+### Setting up Keycloak
+
+### Setting up App/Database Droplet
\ No newline at end of file
diff --git a/pipeline/eb/README.md b/pipeline/eb/README.md
new file mode 100644
index 00000000..fc249d5e
--- /dev/null
+++ b/pipeline/eb/README.md
@@ -0,0 +1,39 @@
+## AWS
+#### **No longer deployed to AWS\**
+### App
+The Elastic Beanstalk (EB) setup is complete for _TSR_ in the `./pipeline/eb` directory with configuration and docker
+files. If you need to deploy to elastic beanstalk locally, install the
+[eb cli](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/eb-cli3-install.html).
+
+The application deploys to AWS during CI/CD pipeline on the `master` branch. Manual steps to deploy your
+local changes:
+1. build the application `./pipeline/build.sh`
+1. `eb deploy tracked-events --label [name of deploy]`
+
+### Auth
+A dev/testing keycloak environment deployed to EC2 at https://kc.tracked.events. Test user login test:password
+
+### Certificate
+Route 53 for the domain alias mapping. Certificate Manager to create the TLS certificate.
+
+### AWS Initial Setup
+
+#### Configure ./pipeline/eb/.ebextensions
+
+Create Certificate in Certificate Manager. Copy Certificate Arn to `AWSEBV2LoadBalancerListenerHTTPS -> Certificates ->
+CertificateArn`
+
+#### Using EB CLI
+To initialize app through the CLI, run `eb init -p docker tsr`
+
+Additional environment configuration in `.ebextensions` which add the alb's HTTP redirect and configure the health path
+to `/actuator/health`.
+
+To create EB environment with Postgresql RDS, run
+```
+eb create tracked-events \
+--database.engine postgres --database.version 12.3 \
+--envvars TSR_KEYCLOAK_HOST=https://kc.tracked.events,TSR_KEYCLOAK_SECRET_KEY=random-password
+```
+
+Add the new RDS's security group to the elastic beanstalk application's security groups.
\ No newline at end of file