DM-11547: dockerize apache https proxy.

- use letsencrypt for public site, and self-signed for development
- add support for authentication via mod_auth_openidc
- expand build script to exposes configurable global variables to javascript

Author: loitly

buildScript/depends.gincl

@@ -184,13 +184,16 @@ task dockerImage (dependsOn: loadConfig) {
   ext.docker_repo = "ipac/firefly"
   ext.docker_registry = ''
   ext.docker_tag = 'latest'
+  ext.copy_res = true
 
   doLast {
     // copy artifacts to staging directory
-    copy {
-      from ("${project.distDir}") { include '*.war' }
-      from ("${fireflyPath}/docker/base") { include '*' }
-      into "${buildDir}/docker"
+    if (copy_res) {
+      copy {
+        from ("${project.distDir}") { include '*.war' }
+        from ("${fireflyPath}/docker/base") { include '*' }
+        into "${buildDir}/docker"
+      }
     }
 
     try {
@@ -286,6 +289,13 @@ ext.NODE = { ...cmd ->
     environment 'WP_BUILD_DIR': wpBuildDir
     environment 'NODE_ENV': (project.env == 'local' ? 'development' : 'production')
     commandLine cmd
+    for (String key : project.appConfigProps.keySet()) {
+      if (key.startsWith('__$')) {
+        environment (key, project.appConfigProps[key])
+        println ">>   " + key + " = " + project.appConfigProps[key]
+      }
+    }
+
   }
   return res;
 }

buildScript/gwt.gincl

@@ -25,7 +25,7 @@ task gwtCompile (type: JavaExec, dependsOn: [gwt, loadConfig]) {
   group = "Build"
 
   outputs.upToDateWhen { false }
-  inputs.source sourceSets.main.java.srcDirs
+  inputs.file sourceSets.main.java.srcDirs
   inputs.dir sourceSets.main.output.resourcesDir
   outputs.dir gwt.buildDir
 
@@ -90,7 +90,7 @@ task gwtRun (type: JavaExec, dependsOn: [gwt, loadConfig]) {
   description= 'GWT DevMode'
   group = MISC_GROUP
 
-  inputs.source sourceSets.main.java.srcDirs
+  inputs.file sourceSets.main.java.srcDirs
   inputs.dir sourceSets.main.output.resourcesDir
 
   main = 'com.google.gwt.dev.DevMode'
@@ -134,7 +134,7 @@ task gwtSuperDev (type: JavaExec, dependsOn: [gwt, loadConfig]) {
   description= 'GWT SuperDev Mode'
   group = MISC_GROUP
 
-  inputs.source sourceSets.main.java.srcDirs
+  inputs.file sourceSets.main.java.srcDirs
   inputs.dir sourceSets.main.output.resourcesDir
 
   main = 'com.google.gwt.dev.codeserver.CodeServer'

buildScript/gwt_webapp.gincl

@@ -30,12 +30,14 @@ configurations {
   }
 }
 
-task jsTest (dependsOn: [loadConfig]) << {
-  if (file("package.json").exists()) {
-    println ">> running JavaScript test..."
-    def res = project.ext.NODE 'yarn', 'run', 'test-unit'
-    if (res.getExitValue() != 0) {
-      throw new GradleException("JavaScript test fail.")
+task jsTest (dependsOn: [loadConfig]) {
+  doLast {
+    if (file("package.json").exists()) {
+      println ">> running JavaScript test..."
+      def res = project.ext.NODE 'yarn', 'run', 'test-unit'
+      if (res.getExitValue() != 0) {
+        throw new GradleException("JavaScript test fail.")
+      }
     }
   }
 }
@@ -177,23 +179,25 @@ clean {
   delete "${war.destinationDir}/${webapp.baseWarName}.war"
 }
 
-task deploy (dependsOn: [loadConfig, webapp]) << {
+task deploy (dependsOn: [loadConfig, webapp]) {
   description= 'Deploy webapp(war file) to Tomcat.  Require ${tomcat_home} property'
   group = MAIN_GROUP
 
-  if (!project.hasProperty("tomcat_home")) {
-    throw ProjectConfigurationException("tomcat_home property is not found.")
-  }
-  if (!file("$war.destinationDir/${webapp.baseWarName}.war").exists()) {
-    println ">> ${webapp.baseWarName}.war not found.  Skipping deploy."
-    throw new StopExecutionException("${webapp.baseWarName}.war not found.  Skipping deploy.")
-  }
+  doLast {
+    if (!project.hasProperty("tomcat_home")) {
+      throw ProjectConfigurationException("tomcat_home property is not found.")
+    }
+    if (!file("$war.destinationDir/${webapp.baseWarName}.war").exists()) {
+      println ">> ${webapp.baseWarName}.war not found.  Skipping deploy."
+      throw new StopExecutionException("${webapp.baseWarName}.war not found.  Skipping deploy.")
+    }
 
-  copy {
-    println ">> deploying file:$war.destinationDir/${webapp.baseWarName}.war"
-    delete("$tomcat_home/webapps/${webapp.baseWarName}")
-    from("$war.destinationDir/${webapp.baseWarName}.war")
-    into "$tomcat_home/webapps/"
+    copy {
+      println ">> deploying file:$war.destinationDir/${webapp.baseWarName}.war"
+      delete("$tomcat_home/webapps/${webapp.baseWarName}")
+      from("$war.destinationDir/${webapp.baseWarName}.war")
+      into "$tomcat_home/webapps/"
+    }
   }
 }
 

config/common.prop

@@ -42,6 +42,7 @@ [email protected]@
 [email protected]@
 
 [email protected]@
+[email protected]@
 
 
 

docker/proxy-dev/Dockerfile

@@ -0,0 +1,26 @@
+FROM birgerk/apache-letsencrypt
+
+RUN apt-get update && \
+    apt-get -f --assume-yes install libapache2-mod-auth-openidc && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY ./others/*.conf /etc/apache2/conf-enabled/
+
+RUN   a2enmod proxy; \
+      a2enmod proxy_http; \
+      a2enmod proxy_wstunnel; \
+      a2enmod auth_openidc
+
+RUN   mkdir /etc/apache2/certs; \
+      openssl req \
+            -new \
+            -newkey rsa:4096 \
+            -days 365 \
+            -nodes \
+            -x509 \
+            -subj "/C=US/ST=CA/L=dev/O=dev/CN=localhost" \
+            -keyout /etc/apache2/certs/localhost.key \
+            -out /etc/apache2/certs/localhost.cert
+
+
+EXPOSE 80 443

docker/proxy-dev/build.gradle

@@ -0,0 +1,17 @@
+
+dockerImage {
+
+  docker_repo = "ipac/proxy-dev"
+  docker_registry = ''
+  docker_tag = 'latest'
+  copy_res = false
+
+  doFirst {
+    // copy artifacts to staging directory
+    copy {
+      from (projectDir) include '**/*'
+      into "${buildDir}/docker"
+      filter(org.apache.tools.ant.filters.ReplaceTokens, tokens: project.appConfigProps)
+    }
+  }
+}

docker/proxy-dev/others/openid.conf

@@ -0,0 +1,14 @@
+OIDCProviderMetadataURL https://test.cilogon.org/.well-known/openid-configuration
+OIDCClientID @oidc_client_id@
+OIDCClientSecret @oidc_client_secret@
+
+OIDCRedirectURI @oidc_redirect_uri@
+OIDCCryptoPassphrase pass357code
+
+OIDCScope "openid profile email org.cilogon.userinfo edu.uiuc.ncsa.myproxy.getcert"
+OIDCAuthNHeader X-Forwarded-User
+
+<Location /suit/>
+   AuthType openid-connect
+   Require claim "isMemberOf~.cn=lsst_users|cn=lsst_pdac"
+</Location>

docker/proxy-dev/others/proxy.conf

@@ -0,0 +1,35 @@
+# Load these modules if not already loaded
+<IfModule !proxy_module>
+    LoadModule proxy_module modules/mod_proxy.so
+</IfModule>
+<IfModule !proxy_http_module>
+    LoadModule proxy_http_module modules/mod_proxy_http.so
+</IfModule>
+<IfModule !proxy_wstunnel_module>
+    LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
+</IfModule>
+<IfModule !rewrite_module>
+    LoadModule rewrite_module modules/mod_rewrite.so
+</IfModule>
+
+
+ProxyRequests Off
+ProxyPreserveHost On
+ProxyStatus On
+
+
+## Hydra app for firefly
+ProxyPass         /firefly/sticky/firefly/events  ws://${docker_host}:8080/firefly/sticky/firefly/events
+ProxyPass         /firefly http://${docker_host}:8080/firefly
+ProxyPassReverse  /firefly http://${docker_host}:8080/firefly
+
+## Hydra app for suit
+ProxyPass         /suit/sticky/firefly/events  ws://${docker_host}:8080/suit/sticky/firefly/events
+ProxyPass         /suit http://${docker_host}:8080/suit
+ProxyPassReverse  /suit http://${docker_host}:8080/suit
+
+
+## end proxy config for Hydra support
+
+
+

docker/proxy-dev/others/site.conf

@@ -0,0 +1,20 @@
+<VirtualHost *:80>
+  ServerName localhost
+
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName localhost
+
+  SSLEngine on
+
+  SSLCertificateFile /etc/apache2/certs/localhost.cert
+  SSLCertificateKeyFile /etc/apache2/certs/localhost.key
+
+  RequestHeader set X-Forwarded-Proto "https"
+  RequestHeader set X-Forwarded-Port "443"
+  <FilesMatch "\.(cgi|shtml|phtml|php)$">
+     SSLOptions +StdEnvVars
+  </FilesMatch>
+
+</VirtualHost>

docker/proxy-dev/proxyctl.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+case "$1" in
+  start)
+        docker start proxy-dev
+        ;;
+  stop)
+        docker stop proxy-dev
+        ;;
+  shell)
+        docker exec -it proxy-dev /bin/bash
+        ;;
+  clean)
+        docker rmi $(docker images --filter "dangling=true" -q --no-trunc)
+        ;;
+  update)
+        cd /hydra/cm/firefly
+        gradle proxyDev:dockerImage
+        docker stop proxy-dev
+        docker container rm proxy-dev
+
+        docker run -d \
+                   -p 80:80 \
+                   -p 443:443 \
+                   -e "docker_host=`ifconfig | grep "inet " | grep -Fv 127.0.0.1 | awk '{print $2}'  | tail -1`" \
+                   --name proxy-dev ipac/proxy-dev
+
+#           -e "DOMAINS=`hostname`" \
+#           -e "[email protected]" \
+#           -e "STAGING=proxy" \
+
+        ;;
+  *)
+        echo $"Usage: proxyctl.sh [start|stop|shell|clean|update]"
+        exit
+esac
+

docker/proxy/Dockerfile

@@ -0,0 +1,17 @@
+FROM birgerk/apache-letsencrypt
+
+
+#RUN apt-get update && \
+#    apt-get -f stretch install libapache2-mod-auth-openidc && \
+#    rm -rf /var/lib/apt/lists/*
+
+#RUN ln -s /usr/lib/apache2/modules/mod_auth_openidc.so modules/mod_auth_openidc.so
+COPY ./others/*.conf /etc/apache2/conf-enabled/
+
+RUN   a2enmod proxy; \
+      a2enmod proxy_http; \
+      a2enmod proxy_wstunnel
+
+EXPOSE 80 443
+
+ENTRYPOINT ["httpd-foreground"]

docker/proxy/build.gradle

@@ -0,0 +1,16 @@
+
+dockerImage {
+
+  docker_repo = "ipac/proxy"
+  docker_registry = ''
+  docker_tag = 'latest'
+  copy_res = false
+
+  doFirst {
+    // copy artifacts to staging directory
+    copy {
+      from (projectDir) include '**/*'
+      into "${buildDir}/docker"
+    }
+  }
+}

docker/proxy/others/proxy.conf

@@ -0,0 +1,35 @@
+# Load these modules if not already loaded
+<IfModule !proxy_module>
+    LoadModule proxy_module modules/mod_proxy.so
+</IfModule>
+<IfModule !proxy_http_module>
+    LoadModule proxy_http_module modules/mod_proxy_http.so
+</IfModule>
+<IfModule !proxy_wstunnel_module>
+    LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
+</IfModule>
+<IfModule !rewrite_module>
+    LoadModule rewrite_module modules/mod_rewrite.so
+</IfModule>
+
+
+ProxyRequests Off
+ProxyPreserveHost On
+ProxyStatus On
+
+
+## Hydra app for firefly
+ProxyPass         /firefly/sticky/firefly/events  ws://firefly:8080/firefly/sticky/firefly/events
+ProxyPass         /firefly http://firefly:8080/firefly
+ProxyPassReverse  /firefly http://firefly:8080/firefly
+
+## Hydra app for suit
+ProxyPass         /suit/sticky/firefly/events  ws://firefly:8080/suit/sticky/firefly/events
+ProxyPass         /suit http://firefly:8080/suit
+ProxyPassReverse  /suit http://firefly:8080/suit
+
+
+## end proxy config for Hydra support
+
+
+

docker/proxy/proxyctl.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+case "$1" in
+  start)
+        docker start proxy
+        ;;
+  stop)
+        docker stop proxy
+        ;;
+  shell)
+        docker exec -it proxy /bin/bash
+        ;;
+  update)
+        docker stop proxy
+        docker container rm proxy
+
+        docker pull ipac/proxy
+        docker run -d \
+                   -p 80:80 \
+                   -p 443:443 \
+                   -e "DOMAINS=`hostname`" \
+                   -e "[email protected]" \
+                   --network=local_nw \
+                   --restart=unless-stopped \
+                   --name proxy ipac/proxy
+
+#               -e "DOMAINS=`hostname`" \
+#               -e "STAGING=proxy" \
+        ;;
+  *)
+        echo $"Usage: proxyctl.sh [start|stop|shell|update]"
+        exit
+esac
+