From 8b9b4404f7f4ed0d35fe3bee9e041c6a01339347 Mon Sep 17 00:00:00 2001 From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com> Date: Tue, 5 Nov 2024 10:53:31 +0000 Subject: [PATCH 1/5] CDPT-2229 Update workflows, as main is now the trunk branch. (#771) --- .github/workflows/codeql.yml | 2 +- .github/workflows/integration.yml | 17 ++++++++--------- .github/workflows/snyk-security.yml | 2 +- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 49278433d..dfb82117e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -13,7 +13,7 @@ name: "CodeQL" on: pull_request: - branches: [ "main", "develop" ] + branches: [ "main" ] schedule: - cron: '12 8 * * 2' diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 3e0594dfe..89120d56e 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -4,8 +4,7 @@ on: workflow_dispatch: push: branches: - # - 'main' # protect main during initial development - - 'develop' + - 'main' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,25 +13,25 @@ concurrency: jobs: image: name: "Image" - if: github.event.ref == 'refs/heads/develop' + if: github.event.ref == 'refs/heads/main' uses: ./.github/workflows/build.yml secrets: inherit get_ip_ranges: name: "IP Ranges" - if: github.event.ref == 'refs/heads/develop' + if: github.event.ref == 'refs/heads/main' uses: ./.github/workflows/ip-ranges-configure.yml secrets: inherit modsec_config: name: "Modsec" - if: github.event.ref == 'refs/heads/develop' + if: github.event.ref == 'refs/heads/main' uses: ./.github/workflows/modsec-config.yml secrets: inherit deploy_dev: name: "Development" - if: github.event.ref == 'refs/heads/develop' + if: github.event.ref == 'refs/heads/main' uses: ./.github/workflows/deploy.yml needs: [image, get_ip_ranges, modsec_config] with: 
@@ -45,7 +44,7 @@ jobs: deploy_staging: name: "Staging" needs: [image, deploy_dev, get_ip_ranges, modsec_config] - if: github.event.ref == 'refs/heads/develop' + if: github.event.ref == 'refs/heads/main' uses: ./.github/workflows/deploy.yml with: environment: staging @@ -57,7 +56,7 @@ jobs: deploy_demo: name: "Demo" needs: [image, deploy_dev, get_ip_ranges, modsec_config] - if: github.event.ref == 'refs/heads/develop' + if: github.event.ref == 'refs/heads/main' uses: ./.github/workflows/deploy.yml with: environment: demo @@ -69,7 +68,7 @@ jobs: deploy_production: name: "Production" needs: [image, deploy_staging, get_ip_ranges, modsec_config] - if: github.event.ref == 'refs/heads/develop' + if: github.event.ref == 'refs/heads/main' uses: ./.github/workflows/deploy.yml with: environment: production diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index 7c1480fbd..37c606575 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml @@ -5,7 +5,7 @@ name: Snyk Security on: pull_request: - branches: [ "main", "develop" ] + branches: [ "main" ] schedule: - cron: '12 8 * * 2' From 4fab7dbc6bc85cb47031afdaba4dffde350d7c53 Mon Sep 17 00:00:00 2001 From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com> Date: Tue, 5 Nov 2024 10:55:09 +0000 Subject: [PATCH 2/5] Bug/CDPT-2258 Handle empty post and text domain. Add constructor to notify-for-wordpress (#770) Handle empty post and text_domain variables. Add constructor to notify-for-wordpress --- bin/composer-post-install.sh | 19 +++++++++++++++++++ .../inc/admin/plugins/co-authors-plus.php | 6 +++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/bin/composer-post-install.sh b/bin/composer-post-install.sh index 62c2ddd9a..2065defd9 100755 --- a/bin/composer-post-install.sh +++ b/bin/composer-post-install.sh 
@@ -43,3 +43,22 @@ if [ -f "$MOJ_COMPONENTS_FILE" ] ; then MOJ_COMPONENTS_CONTENT=$(perl -0777pe 's/'"$MOJ_COMPONENTS_SEARCH_PARAGRAPH"'/'"$MOJ_COMPONENTS_REPLACE_PARAGRAPH"'/s' "$MOJ_COMPONENTS_FILE") echo "$MOJ_COMPONENTS_CONTENT" > "$MOJ_COMPONENTS_FILE" fi + + +NOTIFY_FILE=/var/www/html/public/app/plugins/notify-for-wordpress/inc/admin/class-dashboard-table.php +NOTIFY_SEARCH="public function get_columns" +NOTIFY_REPLACE='private \$plugin_text_domain; + + public function __construct(string \$plugin_text_domain) + { + parent::__construct(); + \$this->plugin_text_domain = \$plugin_text_domain; + } + + public function get_columns' + +if [ -f "$NOTIFY_FILE" ] ; then + echo "Adding code blocke to notify-for-wordpress plugin" + NOTIFY_CONTENT=$(perl -0777pe 's/'"$NOTIFY_SEARCH"'/'"$NOTIFY_REPLACE"'/s' "$NOTIFY_FILE") + echo "$NOTIFY_CONTENT" > "$NOTIFY_FILE" +fi diff --git a/public/app/themes/clarity/inc/admin/plugins/co-authors-plus.php b/public/app/themes/clarity/inc/admin/plugins/co-authors-plus.php index 55ceddc73..8e3329799 100644 --- a/public/app/themes/clarity/inc/admin/plugins/co-authors-plus.php +++ b/public/app/themes/clarity/inc/admin/plugins/co-authors-plus.php @@ -156,7 +156,7 @@ function coauthors_filter_wp_die_handler(string $handler): string global $post; // If the post does not have an error and is a guest-author post type. - if (!is_wp_error($post) && $post->post_type === 'guest-author') { + if (!is_wp_error($post) && $post?->post_type === 'guest-author') { return 'coauthors_wp_die_handler'; } 
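Review bot: The notify-for-wordpress patch is not idempotent: `$NOTIFY_REPLACE` ends with the same `public function get_columns` text that `$NOTIFY_SEARCH` matches, so a second run of this script inserts a second `__construct` into class-dashboard-table.php and PHP will refuse to load the class. Guarding on the inserted marker, `if [ -f "$NOTIFY_FILE" ] && ! grep -qF 'private $plugin_text_domain' "$NOTIFY_FILE" ; then`, makes re-runs a no-op. Writing back via `echo "$NOTIFY_CONTENT" > "$NOTIFY_FILE"` truncates the file to nothing if perl fails, unless `set -e` is active earlier in the script (not visible here); `perl -0777 -i -pe 's/'"$NOTIFY_SEARCH"'/'"$NOTIFY_REPLACE"'/s' "$NOTIFY_FILE"` edits in place and leaves the file intact on error. Because the edit silently does nothing once a plugin update changes the matched text, a `grep -q "$NOTIFY_SEARCH" "$NOTIFY_FILE" || exit 1` before it would turn that drift into a build failure instead of a missing constructor at runtime. Also `blocke` in the echo is a typo for `block`.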
@@ -173,11 +173,11 @@ function coauthors_filter_wp_die_handler(string $handler): string * * @param string $translated_text The translated text * @param string $text The original text - * @param string $domain The text domain + * @param ?string $domain The text domain * @return string The modified text */ - function coauthors_filter_text(string $translated_text, string $text, string $domain): string + function coauthors_filter_text(string $translated_text, string $text, ?string $domain): string { if ($domain === 'co-authors-plus') { // Remove the string 'WordPress' from the plugin's text. From 4f1fdc47f08afa8eb0324702d0aad0366579491a Mon Sep 17 00:00:00 2001 From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com> Date: Tue, 5 Nov 2024 12:01:53 +0000 Subject: [PATCH 3/5] Create a new deployment that handles cron tasks (#772) --- deploy/development/deployment.tpl.yml | 161 ++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) diff --git a/deploy/development/deployment.tpl.yml b/deploy/development/deployment.tpl.yml index 0c72976a6..56b2e465d 100644 --- a/deploy/development/deployment.tpl.yml +++ b/deploy/development/deployment.tpl.yml 
@@ -62,6 +62,167 @@ spec: name: ${KUBE_NAMESPACE}-base64-secrets key: IPS_FORMATTED + - name: fpm + image: ${ECR_URL}:${IMAGE_TAG_FPM} + resources: + limits: + # If a pod exceeds its CPU limit, Kubernetes will simply throttle the pod. + cpu: "4" + # If a pod exceeds its memory limit, Kubernetes will kill the pod. + memory: 2000Mi + requests: + cpu: 500m + memory: 600Mi + volumeMounts: + - name: uploads + mountPath: /var/www/html/public/app/uploads + - name: php-socket + mountPath: /sock + securityContext: + runAsUser: 101 + # Check frequently during startup, so that scaling up can happen as fast as possible. + startupProbe: + exec: + command: + - /usr/local/bin/fpm-health/fpm-readiness.sh + failureThreshold: 20 + periodSeconds: 5 + # Don't route traffic to this pod if the container is not ready. + readinessProbe: + exec: + command: + - /usr/local/bin/fpm-health/fpm-readiness.sh + periodSeconds: 10 + failureThreshold: 1 + # Restart the container if it fails liveness script. + livenessProbe: + exec: + command: + - /usr/local/bin/fpm-health/fpm-liveness.sh + periodSeconds: 10 + env: + - name: AWS_S3_BUCKET + valueFrom: + secretKeyRef: + name: s3-bucket-output + key: bucket_name + - name: AWS_CLOUDFRONT_PUBLIC_KEYS_OBJECT + valueFrom: + secretKeyRef: + name: cloudfront-output + key: cloudfront_public_keys + - name: DB_HOST + valueFrom: + secretKeyRef: + name: rds-output + key: rds_instance_address + - name: DB_NAME + valueFrom: + secretKeyRef: + name: rds-output + key: database_name + - name: DB_USER + valueFrom: + secretKeyRef: + name: rds-output + key: database_username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: rds-output + key: database_password + - name: OPENSEARCH_URL + valueFrom: + secretKeyRef: + name: central-digital-product-team-opensearch-proxy-url + key: proxy_url + - name: BASIC_AUTH + valueFrom: + secretKeyRef: + name: basic-auth-secret + key: auth + - name: CACHE_HOST + valueFrom: + secretKeyRef: + name: elasticache-output + key: 
primary_endpoint_address + - name: CACHE_PASSWORD + valueFrom: + secretKeyRef: + name: elasticache-output + key: auth_token + envFrom: + - configMapRef: + name: ${KUBE_NAMESPACE} + - secretRef: + name: ${KUBE_NAMESPACE}-secrets + - secretRef: + name: ${KUBE_NAMESPACE}-base64-secrets +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ${KUBE_NAMESPACE}-cron + namespace: ${KUBE_NAMESPACE} + labels: + app: ${KUBE_NAMESPACE}-cron +spec: + replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 100% + selector: + matchLabels: + app: ${KUBE_NAMESPACE}-cron + template: + metadata: + labels: + app: ${KUBE_NAMESPACE}-cron + spec: + volumes: + - name: uploads + emptyDir: { } + - name: php-socket + emptyDir: { } + terminationGracePeriodSeconds: 35 + serviceAccountName: ${KUBE_NAMESPACE}-service + containers: + - name: nginx + image: ${ECR_URL}:${IMAGE_TAG_NGINX} + resources: + limits: + cpu: 500m + memory: 250Mi + requests: + cpu: 50m + memory: 100Mi + ports: + - containerPort: 8080 + name: http + volumeMounts: + - name: uploads + mountPath: /var/www/html/public/app/uploads + - name: php-socket + mountPath: /sock + securityContext: + runAsUser: 101 + readinessProbe: + httpGet: + path: /readiness + port: 8080 + livenessProbe: + httpGet: + path: /liveness + port: 8080 + env: + - name: IPS_FORMATTED + valueFrom: + secretKeyRef: + name: ${KUBE_NAMESPACE}-base64-secrets + key: IPS_FORMATTED + - name: cron image: ${ECR_URL}:${IMAGE_TAG_CRON} resources: From 3768853e236af80ff28851d27a899fbb3ba113e6 Mon Sep 17 00:00:00 2001 From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com> Date: Tue, 5 Nov 2024 16:33:35 +0000 Subject: [PATCH 4/5] Create a new deployment that handles cron tasks - production (#773) Update deployment.tpl.yml --- deploy/production/deployment.tpl.yml | 161 +++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) 
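Review bot: The new `${KUBE_NAMESPACE}-cron` Deployment combines `replicas: 1` with `strategy: RollingUpdate`, `maxSurge: 100%` and `maxUnavailable: 0`, so every rollout runs two cron pods side by side until the new one passes readiness, and any scheduled task that fires in that window runs twice; for a singleton scheduler `strategy:` / `  type: Recreate` gives the at-most-one guarantee at the cost of a short gap. The `securityContext` on the new fpm container and on the cron pod's nginx container sets only `runAsUser: 101`; adding `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: { drop: ["ALL"] }` closes the setuid and capability paths that a uid alone leaves open. The cron pod mounts `uploads` as an `emptyDir`, so anything a cron task writes there is local to that pod and not visible to the web pods — presumably uploads are served from the S3 bucket referenced by `AWS_S3_BUCKET`, but that is worth confirming. The same points apply verbatim to the next commit's hunk in deploy/production/deployment.tpl.yml.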
diff --git a/deploy/production/deployment.tpl.yml b/deploy/production/deployment.tpl.yml
index 9b2266ff7..6960c3817 100644
--- a/deploy/production/deployment.tpl.yml
+++ b/deploy/production/deployment.tpl.yml
@@ -62,6 +62,167 @@ spec: name: ${KUBE_NAMESPACE}-base64-secrets key: IPS_FORMATTED + - name: fpm + image: ${ECR_URL}:${IMAGE_TAG_FPM} + resources: + limits: + # If a pod exceeds its CPU limit, Kubernetes will simply throttle the pod. + cpu: "4" + # If a pod exceeds its memory limit, Kubernetes will kill the pod. + memory: 2000Mi + requests: + cpu: 500m + memory: 600Mi + volumeMounts: + - name: uploads + mountPath: /var/www/html/public/app/uploads + - name: php-socket + mountPath: /sock + securityContext: + runAsUser: 101 + # Check frequently during startup, so that scaling up can happen as fast as possible. + startupProbe: + exec: + command: + - /usr/local/bin/fpm-health/fpm-readiness.sh + failureThreshold: 20 + periodSeconds: 5 + # Don't route traffic to this pod if the container is not ready. + readinessProbe: + exec: + command: + - /usr/local/bin/fpm-health/fpm-readiness.sh + periodSeconds: 10 + failureThreshold: 1 + # Restart the container if it fails liveness script. + livenessProbe: + exec: + command: + - /usr/local/bin/fpm-health/fpm-liveness.sh + periodSeconds: 10 + env: + - name: AWS_S3_BUCKET + valueFrom: + secretKeyRef: + name: s3-bucket-output + key: bucket_name + - name: AWS_CLOUDFRONT_PUBLIC_KEYS_OBJECT + valueFrom: + secretKeyRef: + name: cloudfront-output + key: cloudfront_public_keys + - name: DB_HOST + valueFrom: + secretKeyRef: + name: rds-output + key: rds_instance_address + - name: DB_NAME + valueFrom: + secretKeyRef: + name: rds-output + key: database_name + - name: DB_USER + valueFrom: + secretKeyRef: + name: rds-output + key: database_username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: rds-output + key: database_password + - name: OPENSEARCH_URL + valueFrom: + secretKeyRef: + name: opensearch-output + key: proxy_url + - name: BASIC_AUTH + valueFrom: + secretKeyRef: + name: basic-auth-secret + key: auth + - name: CACHE_HOST + valueFrom: + secretKeyRef: + name: elasticache-output + key: primary_endpoint_address + - name: 
CACHE_PASSWORD + valueFrom: + secretKeyRef: + name: elasticache-output + key: auth_token + envFrom: + - configMapRef: + name: ${KUBE_NAMESPACE} + - secretRef: + name: ${KUBE_NAMESPACE}-secrets + - secretRef: + name: ${KUBE_NAMESPACE}-base64-secrets +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ${KUBE_NAMESPACE}-cron + namespace: ${KUBE_NAMESPACE} + labels: + app: ${KUBE_NAMESPACE}-cron +spec: + replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 100% + selector: + matchLabels: + app: ${KUBE_NAMESPACE}-cron + template: + metadata: + labels: + app: ${KUBE_NAMESPACE}-cron + spec: + volumes: + - name: uploads + emptyDir: { } + - name: php-socket + emptyDir: { } + terminationGracePeriodSeconds: 35 + serviceAccountName: ${KUBE_NAMESPACE}-service + containers: + - name: nginx + image: ${ECR_URL}:${IMAGE_TAG_NGINX} + resources: + limits: + cpu: 500m + memory: 250Mi + requests: + cpu: 50m + memory: 100Mi + ports: + - containerPort: 8080 + name: http + volumeMounts: + - name: uploads + mountPath: /var/www/html/public/app/uploads + - name: php-socket + mountPath: /sock + securityContext: + runAsUser: 101 + readinessProbe: + httpGet: + path: /readiness + port: 8080 + livenessProbe: + httpGet: + path: /liveness + port: 8080 + env: + - name: IPS_FORMATTED + valueFrom: + secretKeyRef: + name: ${KUBE_NAMESPACE}-base64-secrets + key: IPS_FORMATTED + - name: cron image: ${ECR_URL}:${IMAGE_TAG_CRON} resources: From 0b256f0f2f63753229efa8d3e5b5a0809b8340dc Mon Sep 17 00:00:00 2001 From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com> Date: Tue, 5 Nov 2024 17:00:47 +0000 Subject: [PATCH 5/5] fpm log slow queries and install `strace` on fpm containers. (#774) --- Dockerfile | 3 +++ deploy/config/php-pool.conf | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 297d54366..1caa351c6 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -22,6 +22,9 @@ ARG version_cron_alpine=3.19.1 FROM ministryofjustice/wordpress-base-fpm:latest AS base-fpm +RUN apk update && \ + apk add strace + # Make the Nginx user available in this container RUN addgroup -g 101 -S nginx; adduser -u 101 -S -D -G nginx nginx diff --git a/deploy/config/php-pool.conf b/deploy/config/php-pool.conf index 10753aaa8..47e3cc3fd 100644 --- a/deploy/config/php-pool.conf +++ b/deploy/config/php-pool.conf @@ -7,8 +7,8 @@ listen.owner = nginx; listen.group = nginx; listen.mode = 0660; -ping.path=/ping -ping.response=pong +ping.path = /ping +ping.response = pong pm = dynamic; pm.start_servers = 10; @@ -18,6 +18,10 @@ pm.max_requests = 500; pm.max_children = 20; pm.status_path = /status; +; Log a stack trace to stderr for slow queries. +request_slowlog_timeout = 10s; +slowlog = /proc/self/fd/2; + [global] daemonize = no emergency_restart_threshold = 10;
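Review bot: `RUN apk update && apk add strace` leaves the refreshed apk index in the `base-fpm` layer and installs an unpinned package, so the image grows and is not reproducible; `RUN apk add --no-cache strace=<pinned-version>` fixes both. Because this stage is named `base-fpm` it presumably feeds every fpm image including production, which means a process-tracing tool ships in production containers; a separate debug stage or build target would keep it out of the images that serve traffic. Tracing a running fpm worker from inside the container also generally needs CAP_SYS_PTRACE or a permissive ptrace scope, which the `securityContext` blocks in this series do not grant, so confirm that strace is actually usable in the cluster before relying on it.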
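Review bot: The comment `; Log a stack trace to stderr for slow queries.` describes requests, not database queries; `; Dump a PHP backtrace to stderr for requests running longer than request_slowlog_timeout.` matches what the two settings do. php-fpm collects that backtrace by ptrace-ing the slow worker from the master, so on a hardened container (restrictive Yama ptrace scope or a seccomp profile denying ptrace) the timeout still fires but the trace is replaced by a ptrace error in the log — verify a real trace reaches the container's stderr after deploy. The trailing `;` on `10s;` and `/proc/self/fd/2;` begins an inline comment in fpm's ini syntax, so the values parse as intended, but it reads as a statement terminator; it is consistent with the rest of this file, so only worth changing file-wide.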