diff --git a/.github/workflows/deploy-cloud.yaml b/.github/workflows/deploy-cloud.yaml index d54e6c9c68..399467c87d 100644 --- a/.github/workflows/deploy-cloud.yaml +++ b/.github/workflows/deploy-cloud.yaml @@ -38,6 +38,17 @@ jobs: fi echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV + - name: Tag and release Proxy service docker image + run: | + docker login -u $DOCKER_USER -p $DOCKER_PASSWORD + yarn build:docker:proxy:prod + docker tag budibase/proxy:$release_tag budibase/proxy:$PROD_TAG + docker push budibase/proxy:$PROD_TAG + env: + DOCKER_USER: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_API_KEY }} + PREPROD_TAG: k8s + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: diff --git a/.github/workflows/deploy-preprod.yml b/.github/workflows/deploy-preprod.yml index 10fadc36c5..7abe3bd533 100644 --- a/.github/workflows/deploy-preprod.yml +++ b/.github/workflows/deploy-preprod.yml @@ -23,12 +23,24 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: eu-west-1 + - name: Get the latest budibase release version id: version run: | release_version=$(cat lerna.json | jq -r '.version') echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV + - name: Tag and release Proxy service docker image + run: | + docker login -u $DOCKER_USER -p $DOCKER_PASSWORD + yarn build:docker:proxy:preprod + docker tag budibase/proxy:$release_tag budibase/proxy:$PREPROD_TAG + docker push budibase/proxy:$PREPROD_TAG + env: + DOCKER_USER: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_API_KEY }} + PREPROD_TAG: k8s-preprod + - name: Pull values.yaml from budibase-infra run: | curl -H "Authorization: token ${{ secrets.GH_PERSONAL_TOKEN }}" \ diff --git a/hosting/nginx.prod.conf.hbs b/hosting/nginx.prod.conf.hbs index f446c928fb..dace27a57f 100644 --- a/hosting/nginx.prod.conf.hbs +++ b/hosting/nginx.prod.conf.hbs @@ -19,13 +19,7 @@ http { tcp_nodelay on; server_tokens off; types_hash_max_size 2048; - {{#if compose}} - resolver 127.0.0.11 ipv6=off; - {{/if}} - {{#if k8s}} - resolver kube-dns.kube-system.svc.cluster.local valid=10s; - {{/if}} - + resolver {{ resolver }} valid=10s ipv6=off; # buffering client_body_buffer_size 1K; diff --git a/hosting/proxy/nginx.conf b/hosting/proxy/nginx.conf deleted file mode 100644 index 95b06d4fff..0000000000 --- a/hosting/proxy/nginx.conf +++ /dev/null @@ -1,145 +0,0 @@ -user nginx; -error_log /var/log/nginx/error.log debug; -pid /var/run/nginx.pid; -worker_processes auto; -worker_rlimit_nofile 33282; - -events { - worker_connections 1024; -} - -http { - limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=20r/s; - include /etc/nginx/mime.types; - default_type application/octet-stream; - charset utf-8; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - server_tokens off; - types_hash_max_size 2048; - - # buffering - client_body_buffer_size 1K; - client_header_buffer_size 1k; - client_max_body_size 1k; - ignore_invalid_headers off; - - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - map $http_upgrade $connection_upgrade { - default "upgrade"; - } - - server { - listen 10000 default_server; - listen [::]:10000 default_server; - server_name _; - client_max_body_size 1000m; - ignore_invalid_headers off; - proxy_buffering off; - port_in_redirect off; - - # Security Headers - add_header X-Frame-Options SAMEORIGIN always; - add_header X-Content-Type-Options nosniff always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always; - - location /app { - proxy_pass http://app-service:4002; - rewrite ^/app/(.*)$ /$1 break; - } - - location = / { - port_in_redirect off; - proxy_pass http://app-service:4002; - } - - location = /v1/update { - proxy_pass http://watchtower-service:8080; - } - - location /builder/ { - port_in_redirect off; - proxy_http_version 1.1; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://app-service:4002; - } - - location ~ ^/(builder|app_) { - port_in_redirect off; - proxy_http_version 1.1; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://app-service:4002; - } - - location ~ ^/api/(system|admin|global)/ { - proxy_pass http://worker-service:4003; - } - - location /worker/ { - proxy_pass http://worker-service:4003; - rewrite ^/worker/(.*)$ /$1 break; - } - - location /api/ { - # calls to the API are rate limited with bursting - limit_req zone=ratelimit burst=20 nodelay; - - # 120s timeout on API requests - proxy_read_timeout 120s; - proxy_connect_timeout 120s; - proxy_send_timeout 120s; - - proxy_http_version 1.1; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_pass http://app-service:4002; - } - - location /db/ { - proxy_pass http://couchdb-service:5984; - rewrite ^/db/(.*)$ /$1 break; - } - - location / { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - - proxy_connect_timeout 300; - proxy_http_version 1.1; - proxy_set_header Connection ""; - chunked_transfer_encoding off; - proxy_pass http://minio-service:9000; - } - - client_header_timeout 60; - client_body_timeout 60; - keepalive_timeout 60; - - # gzip - gzip on; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; - } -} \ No newline at end of file diff --git a/package.json b/package.json index 5111ad204f..f7e9f92080 100644 --- a/package.json +++ b/package.json @@ -46,9 +46,9 @@ "test:e2e:ci": "lerna run cy:ci", "build:docker": "lerna run build:docker && npm run build:docker:proxy:compose && cd hosting/scripts/linux/ && ./release-to-docker-hub.sh $BUDIBASE_RELEASE_VERSION && cd -", "build:docker:proxy": "docker build hosting/proxy -t proxy-service", - "build:docker:proxy:compose": "lerna run generate:proxy:compose && npm run build:docker:proxy", - "build:docker:proxy:preprod": "lerna run generate:proxy:preprod && npm run build:docker:proxy", - "build:docker:proxy:prod": "lerna run generate:proxy:prod && npm run build:docker:proxy", + "build:docker:proxy:compose": "node scripts/proxy/generateProxyConfig compose && npm run build:docker:proxy", + "build:docker:proxy:preprod": "node scripts/proxy/generateProxyConfig preprod && npm run build:docker:proxy", + "build:docker:proxy:prod": "node scripts/proxy/generateProxyConfig prod && npm run build:docker:proxy", "build:docker:selfhost": "lerna run build:docker && cd hosting/scripts/linux/ && ./release-to-docker-hub.sh latest && cd -", "build:docker:develop": "node scripts/pinVersions && lerna run build:docker && npm run build:docker:proxy:compose && cd hosting/scripts/linux/ && ./release-to-docker-hub.sh develop && cd -", "build:docker:airgap": "node hosting/scripts/airgapped/airgappedDockerBuild", diff --git a/packages/server/package.json b/packages/server/package.json index 9bff5a6998..1d4325f195 100644 --- a/packages/server/package.json +++ b/packages/server/package.json @@ -21,9 +21,6 @@ "dev:stack:down": "node scripts/dev/manage.js down", "dev:stack:nuke": "node scripts/dev/manage.js nuke", "dev:builder": "yarn run dev:stack:up && nodemon", - "generate:proxy:compose": "node scripts/proxy/generateProxyConfig compose", - "generate:proxy:preprod": "node scripts/proxy/generateProxyConfig preprod", - "generate:proxy:prod": "node scripts/proxy/generateProxyConfig prod", "format": "prettier --config ../../.prettierrc.json 'src/**/*.ts' --write", "lint": "eslint --fix src/", "lint:fix": "yarn run format && yarn run lint", diff --git a/packages/server/scripts/proxy/generateProxyConfig.js b/scripts/proxy/generateProxyConfig.js similarity index 65% rename from packages/server/scripts/proxy/generateProxyConfig.js rename to scripts/proxy/generateProxyConfig.js index 591b320c70..1abc6240a1 100644 --- a/packages/server/scripts/proxy/generateProxyConfig.js +++ b/scripts/proxy/generateProxyConfig.js @@ -1,30 +1,63 @@ #!/usr/bin/env node const path = require("path") const fs = require("fs") -const { processStringSync } = require("@budibase/string-templates") + +function processStringSync(string, env) { + let output = "" + + // process if statements + let removal = false + for (let line of string.split("\n")) { + if (new RegExp(`{{\/if}}`, "g").test(line)) { + removal = false + continue + } + + if (!removal) { + const match = line.match(new RegExp(`{{#if (.*)}}`)) + if (match) { + const key = match[1] + // check the if statement is true + if (!env[key]) { + removal = true + } + continue + } + output += line + "\n" + } + } + + for (let key in env) { + // replace variables + const rgx = new RegExp(`{{\\s*${key}\\s*}}`, "g") + output = output.replace(rgx, env[key]) + } + + return output +} const Configs = { prod: { - k8s: true, apps: "app-service.budibase.svc.cluster.local", worker: "worker-service.budibase.svc.cluster.local", minio: "minio-service.budibase.svc.cluster.local", couchdb: "budibase-prod-svc-couchdb", + resolver: "kube-dns.kube-system.svc.cluster.local" }, preprod: { - k8s: true, apps: "app-service.budibase.svc.cluster.local", worker: "worker-service.budibase.svc.cluster.local", minio: "minio-service.budibase.svc.cluster.local", couchdb: "budibase-preprod-svc-couchdb", + resolver: "kube-dns.kube-system.svc.cluster.local" }, compose: { - compose: true, apps: "app-service", worker: "worker-service", minio: "minio-service", couchdb: "couchdb-service", watchtower: "watchtower-service", + resolver: "127.0.0.11" }, } @@ -36,7 +69,7 @@ const Commands = { async function init(managementCommand) { const config = Configs[managementCommand] - const hostingPath = path.join(process.cwd(), "..", "..", "hosting") + const hostingPath = path.join(process.cwd(), "hosting") const nginxHbsPath = path.join(hostingPath, "nginx.prod.conf.hbs") const nginxOutputPath = path.join( hostingPath,