Merge branch 'main' into hpa-increase

.github/workflows/codeql.yml

@@ -13,7 +13,7 @@ name: "CodeQL"
 
 on:
   pull_request:
-    branches: [ "main", "develop" ]
+    branches: [ "main" ]
   schedule:
     - cron: '12 8 * * 2'
 

.github/workflows/integration.yml

@@ -4,8 +4,7 @@ on:
   workflow_dispatch:
   push:
     branches:
-      # - 'main' # protect main during initial development
-      - 'develop'
+      - 'main'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,25 +13,25 @@ concurrency:
 jobs:
   image:
     name: "Image"
-    if: github.event.ref == 'refs/heads/develop'
+    if: github.event.ref == 'refs/heads/main'
     uses: ./.github/workflows/build.yml
     secrets: inherit
 
   get_ip_ranges:
     name: "IP Ranges"
-    if: github.event.ref == 'refs/heads/develop'
+    if: github.event.ref == 'refs/heads/main'
     uses: ./.github/workflows/ip-ranges-configure.yml
     secrets: inherit
 
   modsec_config:
     name: "Modsec"
-    if: github.event.ref == 'refs/heads/develop'
+    if: github.event.ref == 'refs/heads/main'
     uses: ./.github/workflows/modsec-config.yml
     secrets: inherit
 
   deploy_dev:
     name: "Development"
-    if: github.event.ref == 'refs/heads/develop'
+    if: github.event.ref == 'refs/heads/main'
     uses: ./.github/workflows/deploy.yml
     needs: [image, get_ip_ranges, modsec_config]
     with:
@@ -45,7 +44,7 @@ jobs:
   deploy_staging:
     name: "Staging"
     needs: [image, deploy_dev, get_ip_ranges, modsec_config]
-    if: github.event.ref == 'refs/heads/develop'
+    if: github.event.ref == 'refs/heads/main'
     uses: ./.github/workflows/deploy.yml
     with:
       environment: staging
@@ -57,7 +56,7 @@ jobs:
   deploy_demo:
     name: "Demo"
     needs: [image, deploy_dev, get_ip_ranges, modsec_config]
-    if: github.event.ref == 'refs/heads/develop'
+    if: github.event.ref == 'refs/heads/main'
     uses: ./.github/workflows/deploy.yml
     with:
       environment: demo
@@ -69,7 +68,7 @@ jobs:
   deploy_production:
     name: "Production"
     needs: [image, deploy_staging, get_ip_ranges, modsec_config]
-    if: github.event.ref == 'refs/heads/develop'
+    if: github.event.ref == 'refs/heads/main'
     uses: ./.github/workflows/deploy.yml
     with:
       environment: production

.github/workflows/snyk-security.yml

@@ -5,7 +5,7 @@ name: Snyk Security
 
 on:
   pull_request:
-    branches: [ "main", "develop" ]
+    branches: [ "main" ]
   schedule:
     - cron: '12 8 * * 2'
 

Dockerfile

@@ -22,6 +22,9 @@ ARG version_cron_alpine=3.19.1
 
 FROM ministryofjustice/wordpress-base-fpm:latest AS base-fpm
 
+RUN apk update && \
+    apk add strace
+
 # Make the Nginx user available in this container
 RUN addgroup -g 101 -S nginx; adduser -u 101 -S -D -G nginx nginx
 

bin/composer-post-install.sh

@@ -43,3 +43,22 @@ if [ -f "$MOJ_COMPONENTS_FILE" ] ; then
   MOJ_COMPONENTS_CONTENT=$(perl -0777pe 's/'"$MOJ_COMPONENTS_SEARCH_PARAGRAPH"'/'"$MOJ_COMPONENTS_REPLACE_PARAGRAPH"'/s' "$MOJ_COMPONENTS_FILE")
   echo "$MOJ_COMPONENTS_CONTENT" > "$MOJ_COMPONENTS_FILE"
 fi
+
+
+NOTIFY_FILE=/var/www/html/public/app/plugins/notify-for-wordpress/inc/admin/class-dashboard-table.php
+NOTIFY_SEARCH="public function get_columns"
+NOTIFY_REPLACE='private \$plugin_text_domain;
+
+	public function __construct(string \$plugin_text_domain)
+	{ 
+		parent::__construct();
+		\$this->plugin_text_domain = \$plugin_text_domain;
+	}
+
+	public function get_columns'
+
+if [ -f "$NOTIFY_FILE" ] ; then
+  echo "Adding code blocke to notify-for-wordpress plugin"
+  NOTIFY_CONTENT=$(perl -0777pe 's/'"$NOTIFY_SEARCH"'/'"$NOTIFY_REPLACE"'/s' "$NOTIFY_FILE")
+  echo "$NOTIFY_CONTENT" > "$NOTIFY_FILE"
+fi

deploy/config/php-pool.conf

@@ -7,8 +7,8 @@ listen.owner = nginx;
 listen.group = nginx;
 listen.mode = 0660;
 
-ping.path=/ping
-ping.response=pong
+ping.path = /ping
+ping.response = pong
 
 pm = dynamic;
 pm.start_servers = 10;
@@ -18,6 +18,10 @@ pm.max_requests = 500;
 pm.max_children = 20;
 pm.status_path = /status;
 
+; Log a stack trace to stderr for slow queries.
+request_slowlog_timeout = 10s;
+slowlog = /proc/self/fd/2;
+
 [global]
 daemonize = no
 emergency_restart_threshold = 10;

deploy/development/deployment.tpl.yml

@@ -62,6 +62,167 @@ spec:
                   name: ${KUBE_NAMESPACE}-base64-secrets
                   key: IPS_FORMATTED
 
+        - name: fpm
+          image: ${ECR_URL}:${IMAGE_TAG_FPM}
+          resources:
+            limits:
+              # If a pod exceeds its CPU limit, Kubernetes will simply throttle the pod.
+              cpu: "4"
+              # If a pod exceeds its memory limit, Kubernetes will kill the pod.
+              memory: 2000Mi
+            requests:
+              cpu: 500m
+              memory: 600Mi
+          volumeMounts:
+            - name: uploads
+              mountPath: /var/www/html/public/app/uploads
+            - name: php-socket
+              mountPath: /sock
+          securityContext:
+            runAsUser: 101
+          # Check frequently during startup, so that scaling up can happen as fast as possible.
+          startupProbe:
+            exec:
+              command:
+              - /usr/local/bin/fpm-health/fpm-readiness.sh
+            failureThreshold: 20
+            periodSeconds: 5
+          # Don't route traffic to this pod if the container is not ready.
+          readinessProbe:
+            exec:
+              command:
+              - /usr/local/bin/fpm-health/fpm-readiness.sh
+            periodSeconds: 10
+            failureThreshold: 1
+          # Restart the container if it fails liveness script.
+          livenessProbe:
+            exec:
+              command:
+              - /usr/local/bin/fpm-health/fpm-liveness.sh
+            periodSeconds: 10
+          env:
+            - name: AWS_S3_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: s3-bucket-output
+                  key: bucket_name
+            - name: AWS_CLOUDFRONT_PUBLIC_KEYS_OBJECT
+              valueFrom:
+                secretKeyRef:
+                  name: cloudfront-output
+                  key: cloudfront_public_keys
+            - name: DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: rds-output
+                  key: rds_instance_address
+            - name: DB_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: rds-output
+                  key: database_name
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: rds-output
+                  key: database_username
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: rds-output
+                  key: database_password
+            - name: OPENSEARCH_URL
+              valueFrom:
+                secretKeyRef:
+                  name: central-digital-product-team-opensearch-proxy-url
+                  key: proxy_url
+            - name: BASIC_AUTH
+              valueFrom:
+                secretKeyRef:
+                  name: basic-auth-secret
+                  key: auth
+            - name: CACHE_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: elasticache-output
+                  key: primary_endpoint_address
+            - name: CACHE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: elasticache-output
+                  key: auth_token
+          envFrom:
+            - configMapRef:
+                name: ${KUBE_NAMESPACE}
+            - secretRef:
+                name: ${KUBE_NAMESPACE}-secrets
+            - secretRef:
+                name: ${KUBE_NAMESPACE}-base64-secrets
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${KUBE_NAMESPACE}-cron
+  namespace: ${KUBE_NAMESPACE}
+  labels:
+    app: ${KUBE_NAMESPACE}-cron
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 100%
+  selector:
+    matchLabels:
+      app: ${KUBE_NAMESPACE}-cron
+  template:
+    metadata:
+      labels:
+        app: ${KUBE_NAMESPACE}-cron
+    spec:
+      volumes:
+        - name: uploads
+          emptyDir: { }
+        - name: php-socket
+          emptyDir: { }
+      terminationGracePeriodSeconds: 35
+      serviceAccountName: ${KUBE_NAMESPACE}-service
+      containers:
+        - name: nginx
+          image: ${ECR_URL}:${IMAGE_TAG_NGINX}
+          resources:
+            limits:
+              cpu: 500m
+              memory: 250Mi
+            requests:
+              cpu: 50m
+              memory: 100Mi
+          ports:
+            - containerPort: 8080
+              name: http
+          volumeMounts:
+            - name: uploads
+              mountPath: /var/www/html/public/app/uploads
+            - name: php-socket
+              mountPath: /sock
+          securityContext:
+            runAsUser: 101
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: 8080
+          livenessProbe:
+            httpGet:
+              path: /liveness
+              port: 8080
+          env:
+            - name: IPS_FORMATTED
+              valueFrom:
+                secretKeyRef:
+                  name: ${KUBE_NAMESPACE}-base64-secrets
+                  key: IPS_FORMATTED
+
         - name: cron
           image: ${ECR_URL}:${IMAGE_TAG_CRON}
           resources: