docker: ngx-voms docker image

This commit introduces the ngx-voms docker image, and modifies the CI
configuration to build the image.

.gitlab-ci.yml

-# This file is a template, and might need editing before it works on your project.
-# Official docker image.
 image: storm2/ngx-voms-build:latest
 
 stages:
   - build
   - test
+  - docker-build
   - deploy
 
 build4c:
@@ -14,10 +13,10 @@ build4c:
     - sh ${HOME}/build-install-ngx-voms.sh -d -c
     - mv ${HOME}/local local
     - mv ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6 nginx-1.13.6
+    - tar cvzf artifacts.tar.gz local nginx-1.13.6
   artifacts:
     paths:
-      - local
-      - nginx-1.13.6
+      - artifacts.tar.gz
 
 test4c:
   stage: test
@@ -26,6 +25,7 @@ test4c:
   script:
     - rm -rf ${HOME}/local/
     - rm -rf ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6/
+    - tar xvzf artifacts.tar.gz
     - mv local ${HOME}
     - mv nginx-1.13.6 ${HOME}/openresty-1.13.6.1/build/
     - sh test-ngx-voms.sh
@@ -37,6 +37,7 @@ test4c:
 
 pages:
   stage: deploy
+  image: docker:latest
   dependencies:
     - test4c
   script:
@@ -45,3 +46,35 @@ pages:
     paths:
       - public
     expire_in: 30 days
+
+docker-build:
+  stage: docker-build
+  image: docker:latest
+  services:
+    - docker:dind
+  dependencies:
+    - build4c
+  script:
+    - tar xvzf artifacts.tar.gz
+    - mv local ${HOME}
+    - cd ${HOME}/local && rm openresty/nginx/sbin/nginx.old && tar cvzf openresty.tar.gz openresty
+    - mv ${HOME}/local/openresty.tar.gz ${CI_PROJECT_DIR}/docker && cd ${CI_PROJECT_DIR}/docker && sh build-image.sh
+    - docker tag storm2/ngx-voms:latest ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
+    - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
+    - docker push ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
+
+dockerhub-push:
+  stage: docker-build
+  image: docker:latest
+  services:
+    - docker:dind
+  script:
+    - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
+    - docker pull ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
+    - docker tag ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8} storm2/ngx-voms:${CI_COMMIT_SHA:0:8}
+    - docker tag ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8} storm2/ngx-voms:latest
+    - docker login -u ${DOCKERHUB_USER} -p ${DOCKERHUB_PASSWORD}
+    - docker push storm2/ngx-voms:${CI_COMMIT_SHA:0:8}
+    - docker push storm2/ngx-voms:latest
+  only:
+    - master

docker/Dockerfile

+FROM storm2/base:latest
+
+RUN sudo yum -y install voms zlib pcre readline gettext && \
+      sudo yum clean all && rm -rf /var/cache/yum && \
+      mkdir -p /etc/nginx/conf.d && \
+      mkdir -p /home/build/local && \
+      chown -R build:build /etc/nginx/conf.d /home/build/local
+
+USER build
+ADD openresty.tar.gz /home/build/local
+
+RUN ls -lR /home/build && sudo chown -R build:build /home/build
+
+RUN \
+      touch /home/build/local/openresty/nginx/logs/access.log && \
+      touch /home/build/local/openresty/nginx/logs/error.log && \
+      ln -sf /dev/stdout /home/build/local/openresty/nginx/logs/access.log && \
+      ln -sf /dev/stderr /home/build/local/openresty/nginx/logs/error.log
+
+COPY assets/nginx.conf /home/build/local/openresty/nginx/conf/nginx.conf
+COPY assets/srm.conf /etc/nginx/conf.d/
+
+USER root
+
+# Embed TINI since compose v3 syntax do not support the init
+# option to run docker --init
+#
+ENV TINI_VERSION v0.18.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+RUN chmod +x /tini
+ENTRYPOINT ["/tini", "--"]
+
+CMD ["/home/build/local/openresty/bin/openresty", "-g", "daemon off;"]

docker/README.md

+This folder contains docker files for the VOMS ngx_http_voms_module.

docker/assets/nginx.conf

+user build;
+worker_processes  1;
+
+env OPENSSL_ALLOW_PROXY_CERTS=1;
+env X509_VOMS_DIR=/vomsdir;
+
+error_log logs/error.log  warn;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    log_format storm '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
+                    '$ssl_protocol/$ssl_cipher '
+                    '"$ssl_client_s_dn" '
+                    '[$voms_fqans] '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log logs/access.log  storm;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

docker/assets/srm.conf

+server {
+
+  error_log logs/error.log debug;
+  access_log logs/access.log storm;
+
+  listen 443 ssl;
+  server_name storm.example;
+
+  ssl on;
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+  ssl_certificate      /certs/cert.pem;
+  ssl_certificate_key  /certs/key.pem;
+  ssl_client_certificate  /etc/pki/tls/certs/ca-bundle.crt;
+
+  ssl_verify_client optional;
+  ssl_verify_depth 100;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
+
+  location /srm {
+
+    proxy_pass              http://fe:8080;
+
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto https;
+    proxy_set_header        Host $http_host;
+
+    # Simple tracing via request_id
+    proxy_set_header        X-Request-Id $request_id;
+
+    # VOMS headers
+    proxy_set_header        x-voms_fqans $voms_fqans;
+    proxy_set_header        x-voms_user $voms_user;
+    proxy_set_header        x-voms_user_ca $voms_user_ca;
+    proxy_set_header        x-voms_vo $voms_vo;
+    proxy_set_header        x-voms_not_before $voms_not_before;
+    proxy_set_header        x-voms_not_after $voms_not_after;
+    proxy_set_header        x-voms_generic_attributes $voms_generic_attributes;
+    proxy_set_header        x-voms_serial $voms_serial;
+  }
+}

docker/build-image.sh

+#!/bin/bash
+set -e
+
+NGINX_VOMS_IMAGE=${NGINX_VOMS_IMAGE:-storm2/ngx-voms:latest}
+
+docker build -t ${NGINX_VOMS_IMAGE} .