Apply config changes for CSP file uploads.
This applies configuration changes for the Flask app and adds changes to the Dockerfile so that the build can make a CSP-specific JS bundle. It adds a `write_dotenv` script that creates the appropriate `.env` file for the `parcel` bundler depending on how the `CSP` environment variable is set.
- Configure K8s environment variables for Flask CSP usage
- Supply default CSP config setting to Flask app
- Declare the CSP arg in the Dockerfile
- Supply extra Docker build args to CD
- Fix top-level reference to boto3 in file_upload module
- Add back missing sample NGINX config for docker-compose build
This commit is contained in:
parent
a941cca5e6
commit
485f578c78
@ -129,6 +129,7 @@ workflows:
|
|||||||
requires:
|
requires:
|
||||||
- app_setup
|
- app_setup
|
||||||
- azure-acr/build_and_push_image:
|
- azure-acr/build_and_push_image:
|
||||||
|
extra-build-args: "--build-arg CSP=azure"
|
||||||
login-server-name: "${AZURE_SERVER_NAME}"
|
login-server-name: "${AZURE_SERVER_NAME}"
|
||||||
registry-name: pwatat
|
registry-name: pwatat
|
||||||
repo: atat
|
repo: atat
|
||||||
@ -175,6 +176,7 @@ workflows:
|
|||||||
only:
|
only:
|
||||||
- master
|
- master
|
||||||
- aws-ecr/build_and_push_image:
|
- aws-ecr/build_and_push_image:
|
||||||
|
extra-build-args: "--build-arg CSP=aws"
|
||||||
repo: atat
|
repo: atat
|
||||||
tag: "${CIRCLE_SHA1}"
|
tag: "${CIRCLE_SHA1}"
|
||||||
requires:
|
requires:
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
FROM python:3.7.3-alpine3.9 AS builder
|
FROM python:3.7.3-alpine3.9 AS builder
|
||||||
|
|
||||||
|
ARG CSP
|
||||||
|
|
||||||
RUN mkdir -p /install/.venv
|
RUN mkdir -p /install/.venv
|
||||||
WORKDIR /install
|
WORKDIR /install
|
||||||
|
|
||||||
@ -32,10 +34,11 @@ RUN apk update && \
|
|||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# Install app dependencies
|
# Install app dependencies
|
||||||
RUN pip install pipenv uwsgi && \
|
RUN ./script/write_dotenv && \
|
||||||
|
pip install pipenv uwsgi && \
|
||||||
PIPENV_VENV_IN_PROJECT=1 pipenv install && \
|
PIPENV_VENV_IN_PROJECT=1 pipenv install && \
|
||||||
yarn install && \
|
yarn install && \
|
||||||
cp -r ./node_modules/uswds/src/fonts ./static/ && \
|
cp -rf ./node_modules/uswds/src/fonts ./static/ && \
|
||||||
yarn build
|
yarn build
|
||||||
|
|
||||||
## NEW IMAGE
|
## NEW IMAGE
|
||||||
|
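Review bot: `ARG CSP` in the builder stage declares the build arg without a default, so whether `$CSP` is unset or empty inside the later `RUN ./script/write_dotenv` step is left to the builder and to the script's own fallback. Giving it an explicit default, `ARG CSP=mock`, makes the fallback visible in the Dockerfile and documents that a build run without `--build-arg CSP=...` produces the mock-provider bundle rather than an aws or azure one. A one-line comment above it, `# Selects which cloud-provider JS bundle is built; CD passes aws or azure via --build-arg`, would tell the next reader where the value comes from.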
@ -79,7 +79,7 @@ class AwsUploader(Uploader):
|
|||||||
"s3",
|
"s3",
|
||||||
aws_access_key_id=self.access_key_id,
|
aws_access_key_id=self.access_key_id,
|
||||||
aws_secret_access_key=self.secret_key,
|
aws_secret_access_key=self.secret_key,
|
||||||
config=boto3.session.Config(
|
config=self.boto3.session.Config(
|
||||||
signature_version="s3v4", region_name=self.region_name
|
signature_version="s3v4", region_name=self.region_name
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
@ -6,6 +6,7 @@ COOKIE_SECRET = some-secret-please-replace
|
|||||||
DISABLE_CRL_CHECK = false
|
DISABLE_CRL_CHECK = false
|
||||||
CRL_FAIL_OPEN = false
|
CRL_FAIL_OPEN = false
|
||||||
CRL_STORAGE_CONTAINER = crls
|
CRL_STORAGE_CONTAINER = crls
|
||||||
|
CSP=mock
|
||||||
DEBUG = true
|
DEBUG = true
|
||||||
ENVIRONMENT = dev
|
ENVIRONMENT = dev
|
||||||
LOG_JSON = false
|
LOG_JSON = false
|
||||||
|
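Review bot: The added `CSP=mock` line breaks the `KEY = value` spacing that every neighbouring entry uses (`CRL_STORAGE_CONTAINER = crls`, `DEBUG = true`); write it as `CSP = mock`. Because this default appears to select the mock upload provider, a short comment such as `# CSP: cloud provider for file uploads (aws, azure, mock); real deployments set this in their configmap` would make clear to operators that the value is only meant for dev and must be overridden elsewhere.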
@ -11,3 +11,4 @@ data:
|
|||||||
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
|
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
|
||||||
CRL_STORAGE_PROVIDER: CLOUDFILES
|
CRL_STORAGE_PROVIDER: CLOUDFILES
|
||||||
LOG_JSON: "true"
|
LOG_JSON: "true"
|
||||||
|
CSP: aws
|
||||||
|
@ -11,3 +11,4 @@ data:
|
|||||||
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
|
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
|
||||||
CRL_STORAGE_PROVIDER: CLOUDFILES
|
CRL_STORAGE_PROVIDER: CLOUDFILES
|
||||||
LOG_JSON: "true"
|
LOG_JSON: "true"
|
||||||
|
CSP: azure
|
||||||
|
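--- /dev/null
+++ b/deploy/docker/sample.nginx.conf
@@ -0,0 +1,24 @@
+server {
+listen 80;
+server_name localhost;
+
+#charset koi8-r;
+#access_log /var/log/nginx/host.access.log main;
+
+location / {
+try_files $uri @app;
+}
+
+location @app {
+include uwsgi_params;
+uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
+uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
+uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
+uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
+uwsgi_param HTTP_X_REQUEST_ID $request_id;
+}
+}
+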
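Review bot: The `uwsgi_param HTTP_X_SSL_CLIENT_*` lines forward nginx's own `$ssl_client_*` variables, but this server block only has `listen 80;` and no TLS settings, so in this sample those variables are always empty and the app receives blank client-certificate fields. That is the safe outcome for a local docker-compose setup, since the values come from nginx rather than from request headers, but it should be stated so nobody copies the file into a TLS-terminating deployment expecting it to work as-is; a comment above `location @app {` such as `# Local docker-compose sample: no TLS is terminated here, so the $ssl_client_* values below are empty` covers it. A deployment that actually verifies client certificates would additionally need `listen 443 ssl;` and an `ssl_verify_client` setting, which this sample deliberately leaves out.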
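--- /dev/null
+++ b/script/write_dotenv
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ -z "${CSP+is_set}" ]; then
+CSP=mock
+fi
+
+if [ $CSP = "aws" ]; then
+echo "CLOUD_PROVIDER=aws" > .env
+elif [ $CSP = "azure" ]; then
+echo "CLOUD_PROVIDER=azure\nAZURE_ACCOUNT_NAME=atat\nAZURE_CONTAINER_NAME=task-order-pdfs" > .env
+else
+echo "CLOUD_PROVIDER=mock" > .env
+fi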
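Review bot: `[ $CSP = "aws" ]` and `[ $CSP = "azure" ]` leave `$CSP` unquoted, so an empty value (for example `--build-arg CSP=`, or an `ARG` that resolves to empty rather than unset, which the `${CSP+is_set}` guard does not catch) turns the test into `[ = aws ]` and the script aborts with a unary-operator error instead of falling back. The azure branch also relies on `echo` expanding `\n`, which differs between `/bin/sh` implementations; `printf '%s\n'` with one argument per line is portable. Finally, any unrecognised value silently writes the mock provider, which in a CD pipeline means a mistyped build arg ships a mock-provider bundle; failing on unknown values is the safer default. A `case` on the quoted value handles all three:
```sh
#!/bin/sh
set -eu

# Empty or unset CSP selects the mock provider.
CSP=${CSP:-mock}

case "$CSP" in
  aws)
    printf '%s\n' "CLOUD_PROVIDER=aws" > .env
    ;;
  azure)
    printf '%s\n' "CLOUD_PROVIDER=azure" \
      "AZURE_ACCOUNT_NAME=atat" \
      "AZURE_CONTAINER_NAME=task-order-pdfs" > .env
    ;;
  mock)
    printf '%s\n' "CLOUD_PROVIDER=mock" > .env
    ;;
  *)
    printf 'write_dotenv: unknown CSP value: %s\n' "$CSP" >&2
    exit 1
    ;;
esac
```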