diff --git a/VERSION b/VERSION index 18d34003..ccbccc3d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1.33 +2.2.0 diff --git a/docker-compose.deployment.prod.yml b/docker-compose.deployment.prod.yml index aef512e9..1a875da8 100644 --- a/docker-compose.deployment.prod.yml +++ b/docker-compose.deployment.prod.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: hubmap-auth: diff --git a/docker-compose.deployment.stage.yml b/docker-compose.deployment.stage.yml deleted file mode 100644 index 0347b7db..00000000 --- a/docker-compose.deployment.stage.yml +++ /dev/null @@ -1,17 +0,0 @@ -version: "3.7" - -services: - - hubmap-auth: - # Use the published image and tag from DockerHub - image: hubmap/hubmap-auth:${HUBMAP_AUTH_VERSION:?err} - environment: - - DEPLOY_MODE=stage - volumes: - # Mount the app config to container in order to keep it outside of the image - - "./hubmap-auth/src/instance:/usr/src/app/src/instance" - # Mount conf.d-stage to the nginx conf.d on container - - "./nginx/conf.d-stage:/etc/nginx/conf.d" - # Mount ssl certificates from host to container - - "/etc/letsencrypt:/etc/letsencrypt" - diff --git a/docker-compose.deployment.test.yml b/docker-compose.deployment.test.yml index d87c3432..777023a7 100644 --- a/docker-compose.deployment.test.yml +++ b/docker-compose.deployment.test.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: hubmap-auth: diff --git a/docker-compose.development.yml b/docker-compose.development.yml index d59013ce..b50d13df 100644 --- a/docker-compose.development.yml +++ b/docker-compose.development.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: hubmap-auth: diff --git a/docker-deployment.sh b/docker-deployment.sh index 9c7e02d5..eb2f6056 100755 --- a/docker-deployment.sh +++ b/docker-deployment.sh @@ -42,8 +42,8 @@ function get_dir_of_this_script () { } -if [[ "$1" != "test" && "$1" != "stage" && "$1" != "prod" ]]; then - echo "Unknown deployment environment '$1', specify one of the following: test|stage|prod" +if [[ "$1" != "test" && "$1" != "prod" ]]; then + echo "Unknown deployment environment '$1', specify one of the following: test|prod" else if [[ "$2" != "start" && "$2" != "stop" && "$2" != "down" ]]; then echo "Unknown command '$2', specify one of the following: start|stop|down" @@ -61,11 +61,11 @@ else echo if [ "$2" = "start" ]; then - docker-compose -f docker-compose.yml -f docker-compose.deployment.$1.yml -p gateway up -d + docker compose -f docker-compose.yml -f docker-compose.deployment.$1.yml -p gateway up -d elif [ "$2" = "stop" ]; then - docker-compose -f docker-compose.yml -f docker-compose.deployment.$1.yml -p gateway stop + docker compose -f docker-compose.yml -f docker-compose.deployment.$1.yml -p gateway stop elif [ "$2" = "down" ]; then - docker-compose -f docker-compose.yml -f docker-compose.deployment.$1.yml -p gateway down + docker compose -f docker-compose.yml -f docker-compose.deployment.$1.yml -p gateway down fi fi fi \ No newline at end of file diff --git a/docker-development.sh b/docker-development.sh index 431547ad..6257e59a 100755 --- a/docker-development.sh +++ b/docker-development.sh @@ -72,7 +72,7 @@ else echo 'Checks complete, all good :)' elif [ "$1" = "config" ]; then - docker-compose -f docker-compose.yml -f docker-compose.development.yml -p gateway config + docker compose -f docker-compose.yml -f docker-compose.development.yml -p gateway config elif [ "$1" = "build" ]; then # Delete old VERSION and BUILD files if found if [ -f "hubmap-auth/VERSION" ]; then @@ -87,13 +87,13 @@ else cp ./VERSION hubmap-auth cp ./BUILD hubmap-auth - docker-compose -f docker-compose.yml -f docker-compose.development.yml -p gateway build + docker compose -f docker-compose.yml -f docker-compose.development.yml -p gateway build elif [ "$1" = "start" ]; then - docker-compose -f docker-compose.yml -f docker-compose.development.yml -p gateway up -d + docker compose -f docker-compose.yml -f docker-compose.development.yml -p gateway up -d elif [ "$1" = "stop" ]; then - docker-compose -f docker-compose.yml -f docker-compose.development.yml -p gateway stop + docker compose -f docker-compose.yml -f docker-compose.development.yml -p gateway stop elif [ "$1" = "down" ]; then - docker-compose -f docker-compose.yml -f docker-compose.development.yml -p gateway down + docker compose -f docker-compose.yml -f docker-compose.development.yml -p gateway down fi fi diff --git a/hubmap-auth/Dockerfile b/hubmap-auth/Dockerfile index ff85fd6a..e89df405 100644 --- a/hubmap-auth/Dockerfile +++ b/hubmap-auth/Dockerfile @@ -1,5 +1,5 @@ # Parent image -FROM hubmap/api-base-image:1.0.0 +FROM hubmap/api-base-image:1.1.0 LABEL description="HuBMAP Authentication and Authorization Service" diff --git a/hubmap-auth/entrypoint.sh b/hubmap-auth/entrypoint.sh index bba66d27..b360bad7 100644 --- a/hubmap-auth/entrypoint.sh +++ b/hubmap-auth/entrypoint.sh @@ -34,7 +34,7 @@ if [ $DEPLOY_MODE != "localhost" ]; then chown -R hubmap:hubmap /etc/letsencrypt fi -# Lastly we use gosu to execute our process "$@" as that user +# Lastly we use su-exec to execute our process "$@" as that user # Remember CMD from a Dockerfile of child image gets passed to the entrypoint.sh as command line arguments # "$@" is a shell variable that means "all the arguments" -exec /usr/local/bin/gosu hubmap "$@" +exec /usr/local/bin/su-exec hubmap "$@" diff --git a/nginx/conf.d-stage/hubmap-auth.conf b/nginx/conf.d-stage/hubmap-auth.conf deleted file mode 100644 index fe980467..00000000 --- a/nginx/conf.d-stage/hubmap-auth.conf +++ /dev/null @@ -1,135 +0,0 @@ -# Define the upstream hubmap-auth-server to be used by other API (on the same machine) nginx configs -# This sever will be accessed via `http://hubmap-auth-server/api_auth` in other conf files -# We have to run the hubmap-auth service on a different local port to be used by other APIs -# when deployed with multiple sub-domains pointing to the same machine with same IP -upstream hubmap-auth-server { - server localhost:8000; -} - -# Port 80 on host maps to 8080 on container -server { - # Only root can listen on ports below 1024, we use higher-numbered ports - # since nginx is running under non-root user hubmap - listen 8080; - server_name gateway.stage.hubmapconsortium.org; - - location / { - return 301 https://$host$request_uri; - } -} - -# Port 443 on host maps to 4430 on container -server { - # Only root can listen on ports below 1024, we use higher-numbered ports - # since nginx is running under non-root user hubmap - listen 4430 ssl; # managed by Certbot - server_name gateway.stage.hubmapconsortium.org; - root /usr/share/nginx/html; - - ssl_certificate /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - # Logging to the mounted volume for outside container access - # Use the upstream_log log_format defiend in the main nginx.conf for better debugging - access_log /usr/src/app/log/nginx_access_gateway.log upstream_log; - error_log /usr/src/app/log/nginx_error_gateway.log warn; - - location = /favicon.ico { - alias /usr/share/nginx/html/favicon.ico; - } - - # Pass reqeusts to the uWSGI server using the "uwsgi" protocol on port 5000 - location / { - # Always enable CORS - # Response to preflight requests - if ($request_method = 'OPTIONS') { - # The directive `add_header` doesn't work when response status code is 401, 403 or 500 - # The `always` parameter is specified so the header field will be added regardless of the response code - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always; - - # Custom headers and headers various browsers should be OK with but aren't - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,Authorization, MAuthorization,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always; - - # Cache the response to this preflight request in browser for 24 hours (86400 seconds) - # without sending another preflight request - add_header 'Access-Control-Max-Age' 86400 always; - - add_header 'Content-Type' 'text/plain; charset=utf-8' always; - add_header 'Content-Length' 0 always; - return 204; - } - - # Response to the original requests (HTTP methods are case-sensitive) with CORS enabled - if ($request_method ~ (POST|GET|PUT)) { - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,Authorization, MAuthorization,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; - } - - include uwsgi_params; - # Use IP v4 "127.0.0.1" instead of "localhost" to avoid 502 error caused by DNS failure - uwsgi_pass uwsgi://127.0.0.1:5000; - } -} - -# Port 8443 on host maps to 8443 on container -# Port 8443 is used by ingest-api on another machine for auth_request -server { - # Only root can listen on ports below 1024, we use higher-numbered ports - # since nginx is running under non-root user hubmap - listen 8443 ssl; # managed by Certbot - server_name gateway.stage.hubmapconsortium.org; - root /usr/share/nginx/html; - - ssl_certificate /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - # Logging to the mounted volume for outside container access - # Use the upstream_log log_format defiend in the main nginx.conf for better debugging - access_log /usr/src/app/log/nginx_access_gateway_for_ingest-api_and_assets.log upstream_log; - error_log /usr/src/app/log/nginx_error_gateway_for_ingest-api_and_assets.log warn; - - location = /favicon.ico { - alias /usr/share/nginx/html/favicon.ico; - } - - # Pass reqeusts to the uWSGI server using the "uwsgi" protocol on port 5000 - location / { - include uwsgi_params; - # Use IP v4 "127.0.0.1" instead of "localhost" to avoid 502 error caused by DNS failure - uwsgi_pass uwsgi://127.0.0.1:5000; - } -} - -# hubmap-auth service -server { - # Only root can listen on ports below 1024, we use higher-numbered ports - # since nginx is running under non-root user hubmap - listen 8000; - - server_name localhost; - root /usr/share/nginx/html; - - # We need this logging for inspecting auth requests from other internal services - # Logging to the mounted volume for outside container access - access_log /usr/src/app/log/nginx_access_hubmap-auth-server.log; - error_log /usr/src/app/log/nginx_error_hubmap-auth-server.log warn; - - location = /favicon.ico { - alias /usr/share/nginx/html/favicon.ico; - } - - # Pass reqeusts to the uWSGI server using the "uwsgi" protocol on port 5000 - location / { - include uwsgi_params; - # Use IP v4 "127.0.0.1" instead of "localhost" to avoid 502 error caused by DNS failure - uwsgi_pass uwsgi://127.0.0.1:5000; - } - -} \ No newline at end of file diff --git a/nginx/conf.d-stage/portal-ui.conf b/nginx/conf.d-stage/portal-ui.conf deleted file mode 100644 index 49b2fb05..00000000 --- a/nginx/conf.d-stage/portal-ui.conf +++ /dev/null @@ -1,84 +0,0 @@ -# Port 80 on host maps to 8080 on container -server { - # Only root can listen on ports below 1024, we use higher-numbered ports - # since nginx is running under non-root user hubmap - listen 8080; - server_name portal.stage.hubmapconsortium.org; - - location / { - return 301 https://$host$request_uri; - } -} - -# Port 443 on host maps to 4430 on container -server { - # Only root can listen on ports below 1024, we use higher-numbered ports - # since nginx is running under non-root user hubmap - listen 4430 ssl; # managed by Certbot - server_name portal.stage.hubmapconsortium.org; - root /usr/share/nginx/html; - - ssl_certificate /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - # Logging to the mounted volume for outside container access - access_log /usr/src/app/log/nginx_access_portal-ui.log; - error_log /usr/src/app/log/nginx_error_portal-ui.log warn; - - location / { - # If the file named `maintenance.on` exitis under the target directory - # proxy all the requests to that port of this same container that serves the maintenance page - if (-f /usr/share/nginx/html/portal-ui-maintenance/maintenance.on) { - # Use IP v4 "127.0.0.1" instead of "localhost" to avoid 502 error caused by DNS failure - proxy_pass http://127.0.0.1:5031; - } - - proxy_pass http://portal-ui; - # If proxy_set_header is missing, - # the redirect url passed to Globus will use "portal-ui" instead. - # (Plain "$host" does not include port.) - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - - # gzip_http_version sets the minimum HTTP version of a request required to compress a response to 1.1 by default. - # proxy_http_version needs to be >= that, but is 1.0 by default. - proxy_http_version 1.1; - - # Due to cells-api slowness - # Increase timeout to 10 minutes until a real solution is ready - proxy_connect_timeout 600; - keepalive_timeout 600 600; - proxy_read_timeout 600; - proxy_send_timeout 600; - } - -} - - -# Port 5031 runs the portal-ui-maintenance static page index.html -# No need to public this port from the container to host -server { - # Only root can listen on ports below 1024, we use higher-numbered ports - # since nginx is running under non-root user hubmap - listen 5031; - - server_name localhost; - - root /usr/share/nginx/html/portal-ui-maintenance; - - # Direct all requests to maintenance index.html - # Except the static resources calls from within the maintenance index.html - location / { - # Must use /index.html rather than index.html - try_files $uri /index.html =404; - - # Disable cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - } -} diff --git a/nginx/conf.d-stage/prod-portal-ui.conf b/nginx/conf.d-test/prod-portal-ui.conf similarity index 83% rename from nginx/conf.d-stage/prod-portal-ui.conf rename to nginx/conf.d-test/prod-portal-ui.conf index 0323395c..a10dc6ea 100644 --- a/nginx/conf.d-stage/prod-portal-ui.conf +++ b/nginx/conf.d-test/prod-portal-ui.conf @@ -3,7 +3,7 @@ server { # Only root can listen on ports below 1024, we use higher-numbered ports # since nginx is running under non-root user hubmap listen 8080; - server_name portal-prod.stage.hubmapconsortium.org; + server_name portal-prod.test.hubmapconsortium.org; location / { return 301 https://$host$request_uri; @@ -15,11 +15,11 @@ server { # Only root can listen on ports below 1024, we use higher-numbered ports # since nginx is running under non-root user hubmap listen 4430 ssl; # managed by Certbot - server_name portal-prod.stage.hubmapconsortium.org; + server_name portal-prod.test.hubmapconsortium.org; root /usr/share/nginx/html; - ssl_certificate /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/gateway.stage.hubmapconsortium.org/privkey.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/gateway.test.hubmapconsortium.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/gateway.test.hubmapconsortium.org/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot