From 429f6fdb9ecfa950329a6b813a612e7555c2fc2e Mon Sep 17 00:00:00 2001
From: Damien Wilson
Date: Thu, 7 Mar 2024 18:09:52 +0000
Subject: [PATCH] Cp build actions (#471)
* Update build scripts
* Attach basic auth to ingress
* Change wording
* Update image name to intranet
---
 .github/workflows/build.yml | 6 +++---
 .github/workflows/deploy.yml | 2 +-
 .github/workflows/integration.yml | 3 ++-
 .github/workflows/snyk-security.yml | 8 ++++----
 Makefile | 6 +++---
 deploy/development/ingress.yml | 24 ++++--------------------
 deploy/local/deployment.yml | 4 ++--
 7 files changed, 19 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8a536fb2a..4e3dcf557 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,8 +23,8 @@ jobs:
 - name: "Configuring AWS credentials"
 uses: aws-actions/configure-aws-credentials@v4
 with:
- role-to-assume: ${{ secrets.PRODUCTION_ECR_ROLE_TO_ASSUME }}
- aws-region: ${{ vars.PRODUCTION_ECR_REGION }}
+ role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+ aws-region: ${{ vars.ECR_REGION }}
 - name: "Logging into ECR"
 uses: aws-actions/amazon-ecr-login@v2
@@ -38,5 +38,5 @@ jobs:
 docker push $REGISTRY/$REPOSITORY:nginx-$IMAGE_TAG
 env:
 REGISTRY: ${{ steps.ecr-login.outputs.registry }}
- REPOSITORY: ${{ vars.PRODUCTION_ECR_REPOSITORY }}
+ REPOSITORY: ${{ vars.ECR_REPOSITORY }}
 IMAGE_TAG: ${{ github.sha }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1e596ecad..d2e458426 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -25,7 +25,7 @@ jobs:
 - name: "Inject environment variables"
 env:
 TPL_PATH: "deploy/${{ inputs.environment }}"
- ECR_URL: ${{ inputs.registry }}/${{ vars.PRODUCTION_ECR_REPOSITORY }}
+ ECR_URL: ${{ inputs.registry }}/${{ vars.ECR_REPOSITORY }}
 IMAGE_TAG_NGINX: "nginx-${{ github.sha }}"
 IMAGE_TAG_FPM: "fpm-${{ github.sha }}"
 GOV_NOTIFY_API_KEY: ${{ secrets.GOV_NOTIFY_API_KEY }}
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 3b7b6641a..12e4527ff 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -4,7 +4,8 @@ on:
 workflow_dispatch:
 push:
 branches:
- - 'main'
+ # - 'main' # protect main during initial development
+ - 'develop'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index c267d3080..334e9a4b6 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -46,8 +46,8 @@ jobs:
 # Build the docker images for testing
 - name: Container monitor ~ build FPM & Nginx Docker images
 run: |
- docker image build --build-arg COMPOSER_USER="$COMPOSER_USER" --build-arg COMPOSER_PASS="$COMPOSER_PASS" -t justice-fpm:snyk --target build-fpm .
- docker image build --build-arg COMPOSER_USER="$COMPOSER_USER" --build-arg COMPOSER_PASS="$COMPOSER_PASS" -t justice-nginx:snyk --target build-nginx .
+ docker image build --build-arg COMPOSER_USER="$COMPOSER_USER" --build-arg COMPOSER_PASS="$COMPOSER_PASS" -t intranet-fpm:snyk --target build-fpm .
+ docker image build --build-arg COMPOSER_USER="$COMPOSER_USER" --build-arg COMPOSER_PASS="$COMPOSER_PASS" -t intranet-nginx:snyk --target build-nginx .
 env:
 COMPOSER_USER: ${{ secrets.COMPOSER_USER }}
 COMPOSER_PASS: ${{ secrets.COMPOSER_PASS }}
@@ -55,8 +55,8 @@ jobs:
 # Runs Snyk Container (Container and SCA) analysis.
 - name: Container monitor ~ analyse
 run: |
- snyk container monitor justice-fpm:snyk --file=Dockerfile
- snyk container monitor justice-nginx:snyk --file=Dockerfile
+ snyk container monitor intranet-fpm:snyk --file=Dockerfile
+ snyk container monitor intranet-nginx:snyk --file=Dockerfile
 # Push the Snyk Code results into GitHub Code Scanning tab
 - name: Upload result to GitHub Code Scanning
diff --git a/Makefile b/Makefile
index a11ba588a..c9cfe70f9 100644
--- a/Makefile
+++ b/Makefile
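Review bot: In `.github/workflows/integration.yml` the `push` trigger now lists only `develop`, with `main` left as a commented-out entry, so pushes to `main` no longer start this workflow at all. If the aim is to hold back deployments from `main` while still running checks there, branch protection or a job-level `if:` condition expresses that more safely than removing the trigger, because a commented line is easy to forget. At minimum I would make the comment actionable, e.g. `# TODO(<ticket-id>): re-enable 'main' once initial development is complete`.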
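Review bot: In the first hunk of `.github/workflows/snyk-security.yml`, both rewritten `docker image build` lines still pass `COMPOSER_USER` and `COMPOSER_PASS` through `--build-arg`, and build arguments can be read back from the image with `docker history`. The Dockerfile is not part of this patch, so whether the credentials stay confined to a discarded build stage cannot be confirmed from here. I would move to BuildKit secrets, e.g. `docker image build --secret id=composer_user,env=COMPOSER_USER --secret id=composer_pass,env=COMPOSER_PASS -t intranet-fpm:snyk --target build-fpm .`, with the Dockerfile reading them through `RUN --mount=type=secret,id=composer_user ...`. The same would apply to any other workflow that builds these targets for a registry push.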
@@ -91,17 +91,17 @@ test-fixes:
 #####
 build-nginx:
 @echo "\n--> Building local Nginx <---------------------------|\n"; sleep 3;
- docker image build -t justice-nginx:latest --target build-nginx .
+ docker image build -t intranet-nginx:latest --target build-nginx .
 # FastCGI Process Manager for PHP
 # https://www.php.net/manual/en/install.fpm.php
 # https://www.plesk.com/blog/various/php-fpm-the-future-of-php-handling/
 build-fpm:
 @echo "\n--> Building local FPM <---------------------------|\n"; sleep 3;
- docker image build -t justice-fpm:latest --target build-fpm .
+ docker image build -t intranet-fpm:latest --target build-fpm .
 build: build-fpm build-nginx
- @if [ ${kube} == 'kind' ]; then kind load docker-image justice-fpm:latest; kind load docker-image justice-nginx:latest; fi
+ @if [ ${kube} == 'kind' ]; then kind load docker-image intranet-fpm:latest; kind load docker-image intranet-nginx:latest; fi
 @echo "\n--> Done.\n"
 deploy: clear
diff --git a/deploy/development/ingress.yml b/deploy/development/ingress.yml
index 025f2e628..fd68726be 100644
--- a/deploy/development/ingress.yml
+++ b/deploy/development/ingress.yml
@@ -7,12 +7,9 @@ metadata:
 external-dns.alpha.kubernetes.io/set-identifier: intranet-dev-ingress-intranet-dev-green
 external-dns.alpha.kubernetes.io/aws-weight: "100"
 nginx.ingress.kubernetes.io/auth-type: basic
- nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
- nginx.ingress.kubernetes.io/auth-realm: 'Development User | Authentication Required'
+ nginx.ingress.kubernetes.io/auth-secret: intranet-basic-auth
+ nginx.ingress.kubernetes.io/auth-realm: 'Development Access | Authentication Required'
 nginx.ingress.kubernetes.io/server-snippet: |
- if ($host = 'intranet-dev.apps.live.cloud-platform.service.justice.gov.uk') {
- return 301 https://dev.justice.gov.uk;
- }
 location = /health {
 auth_basic off;
 access_log off;
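Review bot: In `deploy/development/ingress.yml` the `auth-secret` annotation now points at `intranet-basic-auth`, but nothing in this patch creates a Secret of that name. ingress-nginx looks it up in the Ingress's namespace and, for the default secret type, expects htpasswd data under the key `auth`. Please confirm it is provisioned before this is applied and record that next to the annotation, e.g. `# Secret intranet-basic-auth (key: auth, htpasswd format) is provisioned outside this manifest`. The unchanged `location = /health` block runs past the end of this hunk and still sets `auth_basic off`, so that path stays reachable without credentials. The `server-snippet` annotation also depends on the controller permitting snippets (`allow-snippet-annotations`), which is worth confirming for this cluster.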
@@ -28,22 +25,9 @@ spec: ingressClassName: default tls: - hosts: - - intranet-dev.apps.live.cloud-platform.service.justice.gov.uk - - hosts: - - dev.justice.gov.uk - secretName: intranet-dev-cert-secret + - dev-intranet.apps.live.cloud-platform.service.justice.gov.uk rules: - - host: intranet-dev.apps.live.cloud-platform.service.justice.gov.uk - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: nginx-service - port: - number: 8080 - - host: dev.justice.gov.uk + - host: dev-intranet.apps.live.cloud-platform.service.justice.gov.uk http: paths: - path: / diff --git a/deploy/local/deployment.yml b/deploy/local/deployment.yml index 6b5dd8745..149abf7df 100644 --- a/deploy/local/deployment.yml +++ b/deploy/local/deployment.yml @@ -25,7 +25,7 @@ spec: terminationGracePeriodSeconds: 35 containers: - name: nginx - image: justice-nginx:latest + image: intranet-nginx:latest imagePullPolicy: Never resources: {} ports: @@ -35,7 +35,7 @@ spec: mountPath: /var/run/nginx-cache - name: fpm - image: justice-fpm:latest + image: intranet-fpm:latest imagePullPolicy: Never envFrom: - configMapRef:
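Review bot: In the second hunk of `deploy/development/ingress.yml`, the `tls` entry for `dev-intranet.apps.live.cloud-platform.service.justice.gov.uk` has no `secretName`, whereas the removed `dev.justice.gov.uk` entry referenced `intranet-dev-cert-secret`. Without a `secretName`, ingress-nginx serves the controller's default certificate, so TLS validates only if that certificate covers the new host; presumably it is a platform wildcard, but that is not visible here. I would state the dependency in a comment, e.g. `# no secretName: relies on the cluster default wildcard certificate`. It is also worth checking whether `intranet-dev-cert-secret` and the DNS records for the two removed hostnames are now unused and can be cleaned up. The rule's `paths` list continues beyond the end of the hunk.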