Merge pull request #48 from dod-ccpo/cibuild

CIbuild and publish

.dockerignore

@@ -0,0 +1,27 @@
+# Files to exclude from COPY and ADD commands when 
+# building a docker image from this directory
+
+# Exclude Docker build related files
+Dockerfile
+.dockerignore
+
+# Exclude the git directory and gitignore file
+.git
+.gitignore
+
+# Skip any existing logs
+log/*
+
+# Skip LICENSE, README, etc.
+LICENSE
+*.md
+
+# Skip pipenv/virtualenv related things
+.envrc
+.venv
+
+# Skip ansible-container stuff
+ansible*
+container.yml
+meta.yml
+requirements.yml

.travis.yml

@@ -1,10 +1,29 @@
+sudo: required
 language: python
-python:
+python: "3.6"
-  - "3.6"
+services: docker
+env:
+  global:
+    - TESTER_IMAGE_NAME=atst-tester
+    - PROD_IMAGE_NAME=atst-prod
+
 before_install:
-  - pip install pipenv
+  - docker login -u $ATAT_DOCKER_REGISTRY_USERNAME -p $ATAT_DOCKER_REGISTRY_PASSWORD $ATAT_DOCKER_REGISTRY_URL
-  - pipenv install --dev --skip-lock
+  - docker build --tag "${TESTER_IMAGE_NAME}" . -f docker/tester/Dockerfile
-  - gem install sass
+
-  - npm install
 script:
-  - python -m pytest
+  - docker run "${TESTER_IMAGE_NAME}"
+
+before_deploy:
+  - docker build --tag "${PROD_IMAGE_NAME}" . -f docker/prod/Dockerfile
+  - git_sha="$(git rev-parse --short HEAD)"
+  - remote_image_name="${ATAT_DOCKER_REGISTRY_URL}/${PROD_IMAGE_NAME}:${git_sha}"
+  - docker tag "${PROD_IMAGE_NAME}" "${remote_image_name}"
+  - docker images
+  - docker push "${remote_image_name}"
+
+deploy:
+  provider: script
+  script: echo "** Image push only for now... stay tuned! **"
+  on:
+    branch: master

Pipfile

@@ -12,6 +12,7 @@ pendulum = "*"
 redis = "*"
 
 [dev-packages]
+bandit = "*"
 pytest = "==3.6.0"
 pytest-tornado = "==0.5.0"
 ipython = "*"

docker/prod/Dockerfile

@@ -0,0 +1,46 @@
+FROM python:3.6.5-alpine
+
+### Very low chance of changing
+###############################
+# Overridable default config
+ARG APP_USER=atst
+ARG APP_GROUP=atat
+ARG APP_DIR=/opt/atat/atst
+ARG APP_PORT=8000
+ARG SITE_PACKAGES_DIR=/usr/local/lib/python3.6/site-packages
+
+ENV APP_USER "${APP_USER}"
+ENV APP_GROUP "${APP_GROUP}"
+ENV APP_DIR "${APP_DIR}"
+ENV SKIP_PIPENV true
+
+# Set port to open
+EXPOSE "${APP_PORT}"
+
+# Use dumb-init for proper signal handling
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+
+# Default command is to launch the server
+CMD ["bash", "-c", "${APP_DIR}/script/server"]
+
+### Items that will change almost every build
+#############################################
+# Copy installed python packages from the tester image
+COPY --from=atst-tester:latest "${SITE_PACKAGES_DIR}" "${SITE_PACKAGES_DIR}"
+
+# Copy the app directory contents from the tester image (includes node modules)
+COPY --from=atst-tester:latest "${APP_DIR}" "${APP_DIR}"
+
+# Set working dir
+WORKDIR ${APP_DIR}
+
+# Add required system packages and app user
+RUN set -x ; \
+  script/alpine_setup "${APP_USER}" "${APP_GROUP}"
+
+# Update file ownership
+RUN set -x ; \
+  for subdir in $(find . -type d -maxdepth 1 | grep -Ee '.[^/]' | grep -Fve 'node_modules'); do chown atst:atat -R ${subdir}; done
+
+# Run as the unprivileged APP user
+USER "${APP_USER}"

docker/tester/Dockerfile

@@ -0,0 +1,40 @@
+FROM registry.atat.codes:443/atat-app-builder:latest
+
+### Very low chance of changing
+###############################
+ARG APP_USER=atst
+ARG APP_GROUP=atat
+ARG APP_DIR=/opt/atat/atst
+ARG CIBUILD=true
+
+ENV APP_DIR "${APP_DIR}"
+ENV SKIP_PIPENV true
+
+# Use dumb-init for proper signal handling
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+
+# Default command is to run all the tests
+CMD ["bash", "-c", "${APP_DIR}/script/cibuild"]
+
+# Create application directory
+RUN set -x ; \
+  mkdir -p ${APP_DIR}
+
+# Set working dir
+WORKDIR ${APP_DIR}
+
+# Copy over alpine setup script
+COPY script/alpine_setup ./script/
+
+# Add required system packages and app user
+RUN set -x ; \
+  script/alpine_setup "${APP_USER}" "${APP_GROUP}"
+
+### Items that will change almost every build
+#############################################
+# Copy over the rest of the app source
+COPY . .
+
+# Install app dependencies
+RUN set -x ; \
+  script/setup

script/alpine_setup

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# script/alpine_setup: Adds all the system packages, directors, users, etc.
+#                      required to run the application on Alpine
+
+# If a command fails, exit the script
+set -e
+
+# Ensure we are in the app root directory (not the /script directory)
+cd "$(dirname "${0}")/.."
+
+APP_USER=${1}
+APP_GROUP=${2}
+
+apk update
+apk upgrade
+
+apk add bash
+apk add dumb-init
+
+addgroup -g 8000 -S "${APP_GROUP}"
+adduser -u 8010 -D -S -G "${APP_GROUP}" "${APP_USER}"

script/bootstrap

@@ -28,5 +28,9 @@ pipenv install ${PIPENV_INSTALL_FLAGS}
 # Install uswds node module and dependencies
 npm install
 
+# Relink uswds fonts into the /static directory
+rm -f ./static/fonts
+ln -s ../node_modules/uswds/src/fonts ./static/fonts
+
 # Precompile assets for deployment
 ${WEBASSETS_CMD} -m atst.assets build

script/cibuild

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# script/cibuild: Run CI related checks and tests
+
+# If a command fails, exit the script
+set -e
+
+# Ensure we are in the app root directory (not the /script directory)
+cd "$(dirname "${0}")/.."
+
+# Run lint/style checks and unit tests
+script/test
+
+# Run static code analysis security checks
+# (excluding the tests and node_modules subdirs)
+bandit -r . -x node_modules,tests

script/setup

@@ -23,7 +23,3 @@ fi
 
 # Install application dependencies
 script/bootstrap
-
-# Symlink uswds fonts into the /static directory
-rm -f ./static/fonts
-ln -s ../node_modules/uswds/src/fonts ./static/fonts