Add docker build configuration

.env.docker

@@ -0,0 +1,2 @@
+APP_ENV=prod
+APP_SECRET=secret

.github/workflows/build-push-docker-image.yml

@@ -0,0 +1,51 @@
+name: build-push-docker-image
+
+on: 
+  push:
+    branches:
+      - feature/docker_configs
+
+  workflow_dispatch:
+
+
+
+jobs:
+  build-push-docker-image:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Get the latest release
+        id: release
+        uses: robinraju/release-downloader@v1.7
+        with:
+          latest: true
+          fileName: "*.tar.bz2"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push the Production image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: docker/Dockerfile.prod
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/openconext/stepup-gssp-example/stepup-gssp-example:prod
+            ghcr.io/openconext/stepup-gssp-example/stepup-gssp-example:${{ github.sha }}
+            ghcr.io/openconext/stepup-gssp-example/stepup-gssp-example:${{ steps.release.outputs.tag_name }}

.github/workflows/tag-release.yml

@@ -63,4 +63,13 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           release_id: ${{ steps.create_release.outputs.id }}
+
+  after_build:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Docker container build
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: build-push-docker-image.yml
 

.travis.yml

@@ -48,7 +48,7 @@ before_script:
 
   # Install dependencies
   - cp .env.ci .env
-  - cp config/packages/parameters.yaml.dist config/packages/parameters.yaml
+  - cp config/packages/parameters.yaml.ci config/packages/parameters.yaml
   - composer install
   - yarn install
   - yarn encore dev

composer.json

@@ -27,6 +27,7 @@
     "surfnet/stepup-gssp-bundle": "^4.0",
     "surfnet/stepup-saml-bundle": "^5.0",
     "symfony/asset": "^4.3",
+    "symfony/console": "4.4.*",
     "symfony/dotenv": "4.4.*",
     "symfony/flex": "^1.4",
     "symfony/form": "^4.3",

config/packages/parameters.yaml.ci

@@ -0,0 +1,12 @@
+# This file is a "template" of what your parameters.yml file should look like
+# Set parameters here that may be different on each deployment target of the app, e.g. development, staging, production.
+# https://symfony.com/doc/current/best_practices/configuration.html#infrastructure-related-configuration
+parameters:
+    saml_idp_publickey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer'
+    saml_idp_privatekey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem'
+    saml_metadata_publickey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer'
+    saml_metadata_privatekey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem'
+    saml_remote_sp_entity_id: 'https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/metadata.php/default-sp'
+    saml_remote_sp_sso_url: '"https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"'
+    saml_remote_sp_certificate: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-gssp-bundle/src/Resources/keys/pieter.aai.surfnet.nl.pem'
+    saml_remote_sp_acs: 'https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp'

config/packages/parameters.yaml.dist

@@ -2,12 +2,11 @@
 # Set parameters here that may be different on each deployment target of the app, e.g. development, staging, production.
 # https://symfony.com/doc/current/best_practices/configuration.html#infrastructure-related-configuration
 parameters:
-    saml_idp_publickey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer'
-    saml_idp_privatekey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem'
-    saml_metadata_publickey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer'
-    saml_metadata_privatekey: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem'
-    saml_remote_sp_entity_id: 'https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/metadata.php/default-sp'
-    saml_remote_sp_sso_url: '"https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"'
-    saml_remote_sp_certificate: '%kernel.root_dir%/../../../../vendor/surfnet/stepup-gssp-bundle/src/Resources/keys/pieter.aai.surfnet.nl.pem'
-    saml_remote_sp_acs: 'https://pieter.aai.surfnet.nl/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp'
+    saml_idp_publickey: '/config/demogssp/demo_gssp_idp.crt'
+    saml_idp_privatekey: '/config/demogssp/demo_gssp_idp.key'
+    saml_metadata_publickey: '/config/demogssp/demo_gssp_idp.crt'
+    saml_metadata_privatekey: '/config/demogssp/demo_gssp_idp.key'
+    saml_remote_sp_entity_id: 'https://gateway.dev.openconext.local/gssp/demo_gssp/metadata'
+    saml_remote_sp_certificate: '/config/gateway/gateway_gssp_sp.crt'
+    saml_remote_sp_acs: 'https://gateway.dev.openconext.local/gssp/demo_gssp/consume-assertion'
 

config/packages/prod/monolog.yaml.docker

@@ -0,0 +1,13 @@
+monolog:
+    handlers:
+        main:
+            type: fingers_crossed
+            action_level: error
+            handler: nested
+        nested:
+            type: stream
+            path: 'php://stderr'
+            level: debug
+        console:
+            type: console
+            process_psr_3_messages: false

docker/Dockerfile.prod

@@ -0,0 +1,21 @@
+FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest AS php-build
+COPY *.tar.bz2 /tmp/
+RUN tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/ && \
+  rm -rf /tmp/*.tar.bz2
+
+# Add the application configuration files
+COPY config/packages/parameters.yaml.dist config/packages/parameters.yaml
+COPY config/packages/prod/monolog.yaml.docker config/packages/prod/monolog.yaml
+COPY .env.docker .env
+
+# Add the config files for Apache2
+RUN rm -rf /etc/apache2/sites-enabled/*
+COPY ./docker/conf/apache2.conf /etc/apache2/sites-enabled/apache2.conf
+RUN mkdir -p /var/www/html/var && \
+  rm -rf /var/www/html/var/cache/prod && \
+  chown -R www-data /var/www/html/var
+
+# Set the default workdir
+WORKDIR /var/www/html
+
+CMD ["apache2-foreground"]

docker/conf/apache2.conf

@@ -0,0 +1,35 @@
+<Virtualhost *:80>
+    ServerName  demogssp
+    ServerAdmin admin@dev.openconext.local
+
+    DocumentRoot /var/www/html/public
+
+    SetEnv HTTPS on
+    SetEnv APP_ENV prod
+    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
+    <Directory "/var/www/html/public">
+        Require all granted
+
+        Options -MultiViews
+        RewriteEngine On
+        RewriteCond %{REQUEST_FILENAME} !-f
+        RewriteRule ^(.*)$ index.php [QSA,L]
+    </Directory>
+    <Location />
+        Require all granted
+    </Location>
+
+    Header always set X-Content-Type-Options "nosniff"
+
+    # Set the php application handler so mod_php interpets the files
+    <FilesMatch \.php$>
+        SetHandler application/x-httpd-php
+    </FilesMatch>
+
+    ExpiresActive on
+    ExpiresByType font/* "access plus 1 year"
+    ExpiresByType image/* "access plus 6 months"
+    ExpiresByType text/css "access plus 1 year"
+    ExpiresByType text/js "access plus 1 year"
+</VirtualHost>