Merge pull request #528 from kiloutyg/511-add-the-finishing-touch-for…

…-prod-ready-podman-infrastructure added init containers and scripts to secure certificates and correctl…
kiloutyg · Jan 29, 2025 · 866e8e4 · 866e8e4
2 parents 8aea289 + 678c600
commit 866e8e4
Show file tree

Hide file tree

Showing 6 changed files with 121 additions and 66 deletions.
diff --git a/env_create_docker.sh b/env_create_docker.sh
@@ -192,9 +192,6 @@ MESSENGER_TRANSPORT_DSN=doctrine://default?auto_setup=0
 ###> doctrine/doctrine-bundle ###
 # Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
 # IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml
-#
-# DATABASE_URL="sqlite:///%kernel.project_dir%/var/data.db"
-# DATABASE_URL="mysql://app:[email protected]:3306/app?serverVersion=8&charset=utf8mb4"
 
 DATABASE_URL=mysql://root:\${MYSQL_ROOT_PASSWORD}@database/\${MYSQL_DATABASE}?charset=utf8mb4&serverVersion=MariaDB-11.6.2&sslmode=verify_ca&sslrootcert=/etc/ssl/certs/ca-cert.pem
 

diff --git a/env_create_podman.sh b/env_create_podman.sh
@@ -180,9 +180,6 @@ MESSENGER_TRANSPORT_DSN=doctrine://default?auto_setup=0
 ###> doctrine/doctrine-bundle ###
 # Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
 # IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml
-#
-# DATABASE_URL="sqlite:///%kernel.project_dir%/var/data.db"
-# DATABASE_URL="mysql://app:[email protected]:3306/app?serverVersion=8&charset=utf8mb4"
 
 DATABASE_URL=mysql://root:\${MYSQL_ROOT_PASSWORD}@database/\${MYSQL_DATABASE}?charset=utf8mb4&serverVersion=MariaDB-11.6.2&sslmode=verify_ca&sslrootcert=/etc/ssl/certs/ca-cert.pem
 

diff --git a/fix-permissions-dap.sh b/fix-permissions-dap.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Set permissions and ownership
+chmod 750 /var/www/public/doc
+chown -R www-data:www-data /var/www/public/doc
+chmod 640 /var/www/.env
+chown www-data:www-data /var/www/.env
+chmod 644 /dap-certs/ca-cert.pem /dap-certs/server-cert.pem
+chmod 644 /dap-certs/server-key.pem
+chown www-data:www-data /dap-certs/*.pem
diff --git a/fix-permissions-db.sh b/fix-permissions-db.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+   # Set ownership to mysql user
+   chown mysql:mysql /db-certs/*.pem
+
+   # Set permissions for certificate files
+   chmod 644 /db-certs/ca-cert.pem /db-certs/server-cert.pem
+
+   # Set secure permissions for private key
+   chmod 644 /db-certs/server-key.pem
diff --git a/src/Controller/BaseController.php b/src/Controller/BaseController.php
@@ -9,7 +9,7 @@
 
 class BaseController extends AbstractController
 {
-
-
-    private function __construct() {}
+    private function __construct() {
+        // Empty construct function here for static.
+    }
 }
diff --git a/template.yml b/template.yml
@@ -30,17 +30,40 @@ metadata:
     app: docauposte-database
 spec:
   restartPolicy: Always
+  initContainers:
+    - name: copy-certificates-and-fix-permission-for-db
+      image: docker.io/library/busybox:stable
+      command: ["/bin/sh", "-c"]
+      args:
+        - |
+          cp /source/ca-cert.pem /db-certs/;
+          cp /source/server-cert.pem /db-certs/;
+          cp /source/server-key.pem /db-certs/;
+          chmod +x fix-permissions-db.sh;
+          sh /tmp/fix-permissions-db.sh;
+      volumeMounts:
+        - mountPath: /source/ca-cert.pem
+          name: ca-cert
+        - mountPath: /source/server-cert.pem
+          name: server-cert
+        - mountPath: /source/server-key.pem
+          name: server-key
+        - mountPath: /db-certs
+          name: db-certs
+        - mountPath: /tmp/fix-permissions-db.sh
+          name: fix-permissions-db-script
+          readOnly: true
   containers:
     - name: database
       image: docker.io/library/mariadb:latest
       env:
-        - name: MARIADB_ROOT_PASSWORD_FILE
+        - name: MARIADB_ROOT_PASSWORD_File
           value: run/secrets/root_password
-        - name: MARIADB_DATABASE_FILE
+        - name: MARIADB_DATABASE_File
           value: run/secrets/database_name
-        - name: MARIADB_USER_FILE
+        - name: MARIADB_USER_File
           value: run/secrets/database_user
-        - name: MARIADB_PASSWORD_FILE
+        - name: MARIADB_PASSWORD_File
           value: run/secrets/database_password
       ports:
         - containerPort: 3306
@@ -62,18 +85,12 @@ spec:
         - mountPath: /etc/localtime
           name: localtime-settings
           readOnly: true
-        - mountPath: /etc/mysql/ssl/ca-cert.pem
-          name: ca-cert
-          readOnly: true
-        - mountPath: /etc/mysql/ssl/server-cert.pem
-          name: server-cert
-          readOnly: true
-        - mountPath: /etc/mysql/ssl/server-key.pem
-          name: server-key
-          readOnly: true
         - mountPath: /etc/mysql/my.cnf
           readOnly: true
           name: mysql-config
+        - mountPath: /etc/mysql/ssl
+          name: db-certs
+          readOnly: true
       resources:
         limits:
           memory: 4000Mi
@@ -83,44 +100,50 @@ spec:
   dnsPolicy: Default
   volumes:
     - hostPath:
-        path: ./secrets/root_password
+        path: ${PWD}/secrets/root_password
         type: File
       name: root_password
     - hostPath:
-        path: ./secrets/database_name
+        path: ${PWD}/secrets/database_name
         type: File
       name: database_name
     - hostPath:
-        path: ./secrets/database_user
+        path: ${PWD}/secrets/database_user
         type: File
       name: database_user
     - hostPath:
-        path: ./secrets/database_password
+        path: ${PWD}/secrets/database_password
         type: File
       name: database_password
     - hostPath:
-        path: ./database_data
-        type: DirectoryOrCreate
+        path: ${PWD}/database_data
+        type: Directory
       name: database-data
     - hostPath:
         path: /etc/localtime
       name: localtime-settings
     - hostPath:
-        path: ./secrets/ssl/ca-cert.pem
+        path: ${PWD}/secrets/ssl/ca-cert.pem
         type: File
       name: ca-cert
     - hostPath:
-        path: ./secrets/ssl/server-cert.pem
+        path: ${PWD}/secrets/ssl/server-cert.pem
         type: File
       name: server-cert
     - hostPath:
-        path: ./secrets/ssl/server-key.pem
+        path: ${PWD}/secrets/ssl/server-key.pem
         type: File
       name: server-key
     - hostPath:
-        path: ./my.cnf
+        path: ${PWD}/my.cnf
         type: File
       name: mysql-config
+    - hostPath:
+        path: ${PWD}/fix-permissions-db.sh
+        type: File
+      name: fix-permissions-db-script
+    - name: db-certs
+      emptyDir: {}
 ---
 apiVersion: v1
 kind: LimitRange
@@ -143,7 +166,7 @@ metadata:
   labels:
     app: docauposte-phpmyadmin
     traefik.enable: true
-    traefik.http.routers.docauposte-phpmyadmin.rule: "Host(`${HOSTNAME}`) && PathPrefix(`/dappma`)"
+    traefik.http.routers.docauposte-phpmyadmin.rule: "Host(`${DOMAIN_NAME}`) && PathPrefix(`/dappma`) || Host(`${HOSTNAME}`) && PathPrefix(`/dappma`)"
     traefik.http.routers.docauposte-phpmyadmin.entrypoints: websecure
     traefik.http.routers.docauposte-phpmyadmin.tls: true
     # Remove or comment out the certresolver if using dedicated certificate files
@@ -184,14 +207,14 @@ spec:
   dnsPolicy: Default
   volumes:
     - hostPath:
-        path: ./config.user.inc.php
+        path: ${PWD}/config.user.inc.php
         type: File
       name: phpmyadmin-config
     - hostPath:
         path: /etc/localtime
       name: localtime-settings
     - hostPath:
-        path: ./secrets/ssl/ca-cert.pem
+        path: ${PWD}/secrets/ssl/ca-cert.pem
         type: File
       name: ca-cert
 ---
@@ -216,7 +239,7 @@ metadata:
   labels:
     app: docauposte-web
     traefik.enable: true
-    traefik.http.routers.docauposte-web.rule: "Host(`${HOSTNAME}`) && PathPrefix(`/docauposte`)"
+    traefik.http.routers.docauposte-web.rule: "Host(`${HOSTNAME}`) && PathPrefix(`/docauposte`) || Host(`${HOSTNAME}`) && PathPrefix(`/docauposte`)"
     traefik.http.routers.docauposte-web.entrypoints: websecure
     traefik.http.routers.docauposte-web.tls: true
     # Remove or comment out the certresolver if using dedicated certificate files
@@ -225,15 +248,38 @@ metadata:
     traefik.http.services.docauposte-web.loadbalancer.server.port: 80
     traefik.http.middlewares.strip-docauposte-web-prefix.stripPrefix.prefixes: /docauposte
 spec:
-  securityContext:
-    runAsUser: 0
-    runAsGroup: 0
-    fsGroup: 1129600513
   restartPolicy: Always
+  initContainers:
+  - name: copy-certificates-and-fix-permission-for-dap
+    image: docker.io/library/busybox:stable
+    command: ["/bin/sh", "-c"]
+    args:
+      - |
+        cp /source/ca-cert.pem /dap-certs/;
+        cp /source/server-cert.pem /dap-certs/;
+        cp /source/server-key.pem /dap-certs/;
+        chmod +x fix-permissions-dap.sh;
+        sh /tmp/fix-permissions-dap.sh;
+    volumeMounts:
+      - mountPath: /source/ca-cert.pem
+        name: ca-cert
+      - mountPath: /source/server-cert.pem
+        name: server-cert
+      - mountPath: /source/server-key.pem
+        name: server-key
+      - mountPath: /dap-certs
+        name: dap-certs
+      - mountPath: /var/www/public/doc
+        name: doc
+      - mountPath: /var/www/.env
+        name: dotenv
+      - mountPath: /tmp/fix-permissions-dap.sh
+        name: fix-permissions-dap-script
+        readOnly: true
   containers:
     - name: web
       image: ghcr.io/${GITHUB_USER}/docauposte2:${APP_CONTEXT}-latest
-      command: ["./${APP_CONTEXT}-entrypoint.sh"]
+      # command: ["./dev-entrypoint.sh"]
       env:
         - name: no_proxy
           value: .ponet
@@ -244,23 +290,15 @@ spec:
         - name: https_proxy
           value: ${PROXY_ENV}
       volumeMounts:
-        - mountPath: /var/www
-          name: web-data
+        # - mountPath: /var/www
+        #   name: web-data
         - mountPath: /var/www/public/doc
           name: doc
         - mountPath: /var/www/.env
           name: dotenv
-        - mountPath: /etc/localtime
-          name: localtime-settings
-          readOnly: true
-        - mountPath: /etc/ssl/certs/ca-cert.pem
-          name: ca-certificates
           readOnly: true
-        - mountPath: /etc/ssl/certs/server-cert.pem
-          name: server-certificates
-          readOnly: true
-        - mountPath: /etc/ssl/certs/server-key.pem
-          name: server-key
+        - mountPath: /etc/ssl/my-certs
+          name: dap-certs
           readOnly: true
       resources:
         limits:
@@ -270,30 +308,33 @@ spec:
           cpu: 4
   dnsPolicy: Default
   volumes:
+    # - hostPath:
+    #     path: ${PWD}/
+    #     type: Directory
+    #   name: web-data
     - hostPath:
-        path: ./
-        type: Directory
-      name: web-data
-    - hostPath:
-        path: ./public/doc
+        path: ${PWD}/public/doc
         type: Directory
       name: doc
     - hostPath:
-        path: .env
+        path: ${PWD}/.env
         type: File
       name: dotenv
     - hostPath:
-        path: /etc/localtime
-      name: localtime-settings
+        path: ${PWD}/fix-permissions-dap.sh
+        type: File
+      name: fix-permissions-dap-script
     - hostPath:
-        path: ./secrets/ssl/ca-cert.pem
+        path: ${PWD}/secrets/ssl/ca-cert.pem
         type: File
-      name: ca-certificates
+      name: ca-cert
     - hostPath:
-        path: ./secrets/ssl/server-cert.pem
+        path: ${PWD}/secrets/ssl/server-cert.pem
         type: File
-      name: server-certificates
+      name: server-cert
     - hostPath:
-        path: ./secrets/ssl/server-key.pem
+        path: ${PWD}/secrets/ssl/server-key.pem
         type: File
       name: server-key
+    - name: dap-certs
+      emptyDir: {}