diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0b59d7ed4dae42bf9e0795cbf3fbbd921d40c573..d712f27e366b6cd7df84a44557fcfb3d7b4d392e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,10 +1,9 @@
-# This file is a template, and might need editing before it works on your project.
-# Official docker image.
image: storm2/ngx-voms-build:latest
stages:
- build
- test
+ - docker-build
- deploy
build4c:
@@ -14,10 +13,10 @@ build4c:
- sh ${HOME}/build-install-ngx-voms.sh -d -c
- mv ${HOME}/local local
- mv ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6 nginx-1.13.6
+ - tar cvzf artifacts.tar.gz local nginx-1.13.6
artifacts:
paths:
- - local
- - nginx-1.13.6
+ - artifacts.tar.gz
test4c:
stage: test
@@ -26,6 +25,7 @@ test4c:
script:
- rm -rf ${HOME}/local/
- rm -rf ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6/
+ - tar xvzf artifacts.tar.gz
- mv local ${HOME}
- mv nginx-1.13.6 ${HOME}/openresty-1.13.6.1/build/
- sh test-ngx-voms.sh
@@ -37,6 +37,7 @@ test4c:
pages:
stage: deploy
+ image: docker:latest
dependencies:
- test4c
script:
@@ -45,3 +46,35 @@ pages:
paths:
- public
expire_in: 30 days
+
+docker-build:
+ stage: docker-build
+ image: docker:latest
+ services:
+ - docker:dind
+ dependencies:
+ - build4c
+ script:
+ - tar xvzf artifacts.tar.gz
+ - mv local ${HOME}
+ - cd ${HOME}/local && rm openresty/nginx/sbin/nginx.old && tar cvzf openresty.tar.gz openresty
+ - mv ${HOME}/local/openresty.tar.gz ${CI_PROJECT_DIR}/docker && cd ${CI_PROJECT_DIR}/docker && sh build-image.sh
+ - docker tag storm2/ngx-voms:latest ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
+ - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
+ - docker push ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
+
+dockerhub-push:
+ stage: docker-build
+ image: docker:latest
+ services:
+ - docker:dind
+ script:
+ - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
+ - docker pull ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
+ - docker tag ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8} storm2/ngx-voms:${CI_COMMIT_SHA:0:8}
+ - docker tag ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8} storm2/ngx-voms:latest
+ - docker login -u ${DOCKERHUB_USER} -p ${DOCKERHUB_PASSWORD}
+ - docker push storm2/ngx-voms:${CI_COMMIT_SHA:0:8}
+ - docker push storm2/ngx-voms:latest
+ only:
+ - master
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..89f33022678117a267ded5cbe5a5c9ae4f490468
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,33 @@
+FROM storm2/base:latest
+
+RUN sudo yum -y install voms zlib pcre readline gettext && \
+ sudo yum clean all && rm -rf /var/cache/yum && \
+ mkdir -p /etc/nginx/conf.d && \
+ mkdir -p /home/build/local && \
+ chown -R build:build /etc/nginx/conf.d /home/build/local
+
+USER build
+ADD openresty.tar.gz /home/build/local
+
+RUN ls -lR /home/build && sudo chown -R build:build /home/build
+
+RUN \
+ touch /home/build/local/openresty/nginx/logs/access.log && \
+ touch /home/build/local/openresty/nginx/logs/error.log && \
+ ln -sf /dev/stdout /home/build/local/openresty/nginx/logs/access.log && \
+ ln -sf /dev/stderr /home/build/local/openresty/nginx/logs/error.log
+
+COPY assets/nginx.conf /home/build/local/openresty/nginx/conf/nginx.conf
+COPY assets/srm.conf /etc/nginx/conf.d/
+
+USER root
+
+# Embed TINI since compose v3 syntax do not support the init
+# option to run docker --init
+#
+ENV TINI_VERSION v0.18.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+RUN chmod +x /tini
+ENTRYPOINT ["/tini", "--"]
+
+CMD ["/home/build/local/openresty/bin/openresty", "-g", "daemon off;"]
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..1689fc80e2afeaa220ab0a6b0872d607115e4c26
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,10 @@
+This folder contains a Dockerfile to run an instance of Openresty/NGINX
+compiled and linked against the ngx_voms_http_module.
+
+For more details see the [Dockerfile](./Dockerfile)
+
+The default configuration for NGINX is provided in [this conf file](
+./assets/nginx.conf).
+
+A configuration for the `/srm` endpoint useful for the storm docker compose
+file is provided in [this conf file](./assets/srm.conf).
diff --git a/docker/assets/nginx.conf b/docker/assets/nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..505836971e8e57121f9b9f1c3c3d75370e1ebff9
--- /dev/null
+++ b/docker/assets/nginx.conf
@@ -0,0 +1,35 @@
+user build;
+worker_processes 1;
+
+env OPENSSL_ALLOW_PROXY_CERTS=1;
+env X509_VOMS_DIR=/vomsdir;
+
+error_log logs/error.log warn;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+
+ include mime.types;
+ default_type application/octet-stream;
+
+ log_format storm '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
+ '$ssl_protocol/$ssl_cipher '
+ '"$ssl_client_s_dn" '
+ '[$voms_fqans] '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log logs/access.log storm;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/docker/assets/srm.conf b/docker/assets/srm.conf
new file mode 100644
index 0000000000000000000000000000000000000000..19fd8b67e668873cb34cc17b2ad20256a09e27e6
--- /dev/null
+++ b/docker/assets/srm.conf
@@ -0,0 +1,45 @@
+server {
+
+ error_log logs/error.log debug;
+ access_log logs/access.log storm;
+
+ listen 443 ssl;
+ server_name storm.example;
+
+ ssl on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ ssl_certificate /certs/cert.pem;
+ ssl_certificate_key /certs/key.pem;
+ ssl_client_certificate /etc/pki/tls/certs/ca-bundle.crt;
+
+ ssl_verify_client optional;
+ ssl_verify_depth 100;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ location /srm {
+
+ proxy_pass http://fe:8080;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+
+ # Simple tracing via request_id
+ proxy_set_header X-Request-Id $request_id;
+
+ # VOMS headers
+ proxy_set_header x-ssl_client_ee_s_dn $ssl_client_ee_s_dn;
+ proxy_set_header x-ssl_client_ee_i_dn $ssl_client_ee_i_dn;
+ proxy_set_header x-voms_fqans $voms_fqans;
+ proxy_set_header x-voms_user $voms_user;
+ proxy_set_header x-voms_user_ca $voms_user_ca;
+ proxy_set_header x-voms_vo $voms_vo;
+ proxy_set_header x-voms_not_before $voms_not_before;
+ proxy_set_header x-voms_not_after $voms_not_after;
+ proxy_set_header x-voms_generic_attributes $voms_generic_attributes;
+ proxy_set_header x-voms_serial $voms_serial;
+ }
+}
diff --git a/docker/build-image.sh b/docker/build-image.sh
new file mode 100644
index 0000000000000000000000000000000000000000..f75aa7ed7ea381f0b1cfb458618e0508603ab287
--- /dev/null
+++ b/docker/build-image.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+NGINX_VOMS_IMAGE=${NGINX_VOMS_IMAGE:-storm2/ngx-voms:latest}
+
+docker build -t ${NGINX_VOMS_IMAGE} .