feat: nginx reverse proxy; fix: image tag

* Adds a second container to the deploy with an nginx reverse proxy that provides HTTP basic auth to the Prometheus metrics exporter. * Fixes the container image names so as to include the Github commit sha
IATI · Jul 18, 2024 · f36882b · f36882b
1 parent 5609ae1
commit f36882b
Show file tree

Hide file tree

Showing 10 changed files with 97 additions and 9 deletions.
diff --git a/.github/workflows/build-and-deploy-job.yml b/.github/workflows/build-and-deploy-job.yml
@@ -14,7 +14,6 @@ on:
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
-
     env:
       APP_NAME: ${{ inputs.APP_NAME }}
       TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
@@ -67,9 +66,15 @@ jobs:
           docker build . -f Dockerfile -t $IMAGE_NAME
           docker push $IMAGE_NAME
 
-      - name: 'Print IMAGE_NAME'
+      - name: 'Print IMAGE_NAME for Bulk Data Service image'
         run: echo $IMAGE_NAME
 
+      - name: 'Create htpasswd file for nginx reverse proxy'
+        run: |
+          htpasswd -c -b ./azure-deployment/nginx-reverse-proxy/htpasswd prom "${{ secrets.PROM_NGINX_REVERSE_PROXY_PASSWORD }}"
+          docker build ./azure-deployment/nginx-reverse-proxy -t criati.azurecr.io/bds-prom-nginx-reverse-proxy-$TARGET_ENVIRONMENT:$DOCKER_IMAGE_TAG
+          docker push criati.azurecr.io/bds-prom-nginx-reverse-proxy-$TARGET_ENVIRONMENT:$DOCKER_IMAGE_TAG
+
       - name: 'Delete existing container group'
         uses: 'azure/CLI@v2'
         with:

diff --git a/.github/workflows/deploy-to-dev.yml b/.github/workflows/deploy-to-dev.yml
@@ -11,7 +11,10 @@ on:
 
 
 jobs:
+  run-tests:
+    uses: ./.github/workflows/test.yml
   call-build-and-deploy:
+    needs: run-tests
     uses: ./.github/workflows/build-and-deploy-job.yml
     secrets: inherit
     with:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,10 +1,13 @@
 name: Run Automated Tests
 
 on:
+  workflow_call:
   workflow_dispatch:
   push:
     branches:
-      develop
+      - '**'
+      - '!develop'
+      - '!main'
 
 jobs:
   run-tests:

diff --git a/.gitignore b/.gitignore
@@ -9,7 +9,9 @@ __pycache__
 
 /.env
 
-/web/index.html
 /azure-deployment/azure-resource-manager-deployment-manifest.yml
 /azure-deployment/manual-azure-deploy-secrets.env
 /azure-deployment/manual-azure-deploy-variables.env
+/azure-deployment/nginx-reverse-proxy/htpasswd
+
+/web/index.html
diff --git a/azure-deployment/azure-resource-manager-deployment-template.yml b/azure-deployment/azure-resource-manager-deployment-template.yml
@@ -19,7 +19,7 @@ properties: # Properties of container group
           requests:
             memoryInGB: 4
             cpu: 1
-        image: "#ACR_LOGIN_SERVER#/#APP_NAME#-#TARGET_ENVIRONMENT#"
+        image: "#ACR_LOGIN_SERVER#/#APP_NAME#-#TARGET_ENVIRONMENT#:#DOCKER_IMAGE_TAG#"
         ports:
           - port: 9090
         command:
@@ -65,9 +65,18 @@ properties: # Properties of container group
             secureValue: "#DB_SSL_MODE#"
           - name: DB_CONNECTION_TIMEOUT
             secureValue: "#DB_CONNECTION_TIMEOUT#"
-
+    - name: nginx-proxy-for-prometheus
+      properties:
+        image: "#ACR_LOGIN_SERVER#/bds-prom-nginx-reverse-proxy-#TARGET_ENVIRONMENT#:#DOCKER_IMAGE_TAG#"
+        ports:
+          - port: 9158
+            protocol: TCP
+        resources:
+          requests:
+            cpu: 1.0
+            memoryInGB: 0.5
   ipAddress:
     type: "public"
     dnsNameLabel: "#APP_NAME#-#TARGET_ENVIRONMENT#"
     ports:
-      - port: 9090
+      - port: 9158
diff --git a/azure-deployment/generate-manifest-from-template.sh b/azure-deployment/generate-manifest-from-template.sh
@@ -19,6 +19,7 @@ cp -f ./azure-deployment/azure-resource-manager-deployment-template.yml ./azure-
 
 sed -i "s^#APP_NAME#^$APP_NAME^g" ./azure-deployment/azure-resource-manager-deployment-manifest.yml
 sed -i "s^#TARGET_ENVIRONMENT#^$TARGET_ENVIRONMENT^g" ./azure-deployment/azure-resource-manager-deployment-manifest.yml
+sed -i "s^#DOCKER_IMAGE_TAG#^$DOCKER_IMAGE_TAG^g" ./azure-deployment/azure-resource-manager-deployment-manifest.yml
 
 sed -i ''s^#ACR_LOGIN_SERVER#^$ACR_LOGIN_SERVER^g'' ./azure-deployment/azure-resource-manager-deployment-manifest.yml
 sed -i ''s^#ACR_USERNAME#^$ACR_USERNAME^g'' ./azure-deployment/azure-resource-manager-deployment-manifest.yml

diff --git a/azure-deployment/manual-azure-deploy-from-local.sh b/azure-deployment/manual-azure-deploy-from-local.sh
@@ -20,6 +20,8 @@ if [ "$?" != 0 ]; then
     exit 1
 fi
 
+. ./manual-azure-deploy-secrets.env
+
 TARGET_ENVIRONMENT=$1
 
 APP_NAME=bulk-data-service
@@ -33,12 +35,24 @@ LOCAL_DEPLOY=true
 echo "Generating Azure ARM deployment manifest from template"
 . ./azure-deployment/generate-manifest-from-template.sh
 
-# build the docker image
+# build the docker image for the Bulk Data Service
 docker build . -t criati.azurecr.io/bulk-data-service-$TARGET_ENVIRONMENT
 
-# push image to Azure
+# push Bulk Data Service image to Azure
 docker push criati.azurecr.io/bulk-data-service-$TARGET_ENVIRONMENT
 
+# now configure, build and push the docker image for the nginx reverse proxy
+
+# create password file
+htpasswd -c -b ./azure-deployment/nginx-reverse-proxy/htpasswd prom $PROM_NGINX_REVERSE_PROXY_PASSWORD
+
+# make the image for the nginx reverse proxy (for putting HTTP basic auth on the
+# prom client)
+docker build ./azure-deployment/nginx-reverse-proxy -t criati.azurecr.io/bds-prom-nginx-reverse-proxy-$TARGET_ENVIRONMENT
+
+docker push criati.azurecr.io/bds-prom-nginx-reverse-proxy-$TARGET_ENVIRONMENT
+
+
 echo az container delete \
     --resource-group "$RESOURCE_GROUP_NAME" \
     --name "$CONTAINER_GROUP_INSTANCE_NAME"

diff --git a/azure-deployment/manual-azure-deploy-secrets-example.env b/azure-deployment/manual-azure-deploy-secrets-example.env
@@ -20,3 +20,5 @@ DB_PORT=
 DB_NAME=
 DB_SSL_MODE=require
 DB_CONNECTION_TIMEOUT=30
+
+PROM_NGINX_REVERSE_PROXY_PASSWORD=
diff --git a/azure-deployment/nginx-reverse-proxy/Dockerfile b/azure-deployment/nginx-reverse-proxy/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY htpasswd /etc/nginx/htpasswd
diff --git a/azure-deployment/nginx-reverse-proxy/nginx.conf b/azure-deployment/nginx-reverse-proxy/nginx.conf
@@ -0,0 +1,46 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    keepalive_timeout  65;
+
+    gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+            listen 9158 default_server;
+            listen [::]:9158 default_server;
+
+            root /var/www/html;
+
+            server_name _;
+
+            location / {
+                proxy_pass http://localhost:9090;
+            }
+
+            auth_basic           "IATI Bulk Data Service Metrics Exporter";
+            auth_basic_user_file htpasswd;
+
+            access_log /var/log/nginx/prometheus-bulk-data-service-exporter-access.log;
+            error_log /var/log/nginx/prometheus-bulk-data-service-exporter-error.log;
+    }
+}
+