From 6eec6c462718f11745022fe2971f28cb599a263b Mon Sep 17 00:00:00 2001
From: Andrew Hosgood
Date: Mon, 4 Dec 2023 14:37:33 +0000
Subject: [PATCH] Remove Flask image, enforce SECRET_KEY
---
 .github/workflows/branch-cleanup.yml | 2 +-
 .github/workflows/publish.yml | 10 ---------
 .github/workflows/remove-untagged.yml | 2 +-
 .github/workflows/test.yml | 12 +----------
 docker/tna-python-flask/Dockerfile | 24 ----------------------
 docker/tna-python-flask/README.md | 23 ---------------------
 docker/tna-python-flask/bin/tna-run | 11 ----------
 docker/tna-python/README.md | 29 +++++++++++++++++----------
 docker/tna-python/bin/tna-run | 6 ++++++
 9 files changed, 27 insertions(+), 92 deletions(-)
 delete mode 100644 docker/tna-python-flask/Dockerfile
 delete mode 100644 docker/tna-python-flask/README.md
 delete mode 100755 docker/tna-python-flask/bin/tna-run
diff --git a/.github/workflows/branch-cleanup.yml b/.github/workflows/branch-cleanup.yml
index da173a0..233f244 100644
--- a/.github/workflows/branch-cleanup.yml
+++ b/.github/workflows/branch-cleanup.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- image-name: [tna-python, tna-python-flask, tna-python-django]
+ image-name: [tna-python, tna-python-django]
 steps:
 - name: Prepare image tag
 run: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 14c04ba..64ab6c3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -34,16 +34,6 @@ jobs:
 publish: true
 ignore-linting-rules: DL3002
- python-flask:
- name: Python Flask
- needs: python
- uses: ./.github/workflows/_docker-build-deploy.yml
- with:
- image-name: tna-python-flask
- docker-context: docker/tna-python-flask
- dockerfile: Dockerfile
- publish: true
-
 python-django:
 name: Python Django
 needs: python
diff --git a/.github/workflows/remove-untagged.yml b/.github/workflows/remove-untagged.yml
index 70f0d8b..4c054f0 100644
--- a/.github/workflows/remove-untagged.yml
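Review bot: Dropping `tna-python-flask` from the branch-cleanup matrix (and from the remove-untagged matrix in the next hunk) stops both housekeeping workflows from ever touching that package again, but nothing in this commit removes the images already published under that name, so consumers can keep pulling a variant that will receive no further rebuilds or base-image updates. A one-off deletion of the existing `tna-python-flask` package versions, or at least a deprecation note pointing at `tna-python` (which now enforces `SECRET_KEY` itself), would close that gap; whether any registry versions exist is not visible from the diff, so confirm before acting.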
+++ b/.github/workflows/remove-untagged.yml
@@ -8,7 +8,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- image-name: [tna-python, tna-python-root, tna-python-flask, tna-python-django, tna-python-django-root]
+ image-name: [tna-python, tna-python-root, tna-python-django, tna-python-django-root]
 env:
 PER_PAGE: 100
 steps:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1d6de2b..b875a42 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -31,17 +31,7 @@ jobs:
 publish: false
 ignore-linting-rules: DL3002
- python-flask:
- name: Python Flask
- needs: python
- uses: ./.github/workflows/_docker-build-deploy.yml
- with:
- image-name: tna-python-flask
- docker-context: docker/tna-python-flask
- dockerfile: Dockerfile
- publish: false
-
- python-django:
+ python-django:
 name: Python Django
 needs: python
 uses: ./.github/workflows/_docker-build-deploy.yml
diff --git a/docker/tna-python-flask/Dockerfile b/docker/tna-python-flask/Dockerfile
deleted file mode 100644
index 2d6ef87..0000000
--- a/docker/tna-python-flask/Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-ARG BASE_IMAGE_TAG=latest
-FROM ghcr.io/nationalarchives/tna-python:"$BASE_IMAGE_TAG"
-
-# ==========================================
-# Move the existing build and run scripts to
-# a -common suffix so that we can keep using
-# the base tna-build and tna-run commands
-# ==========================================
-RUN set -eux; \
- \
- mv /home/app/.local/bin/tna-run /home/app/.local/bin/tna-run-common
-
-# ==========================================
-# These new commands are just proxies to the
-# renamed tna-build/tna-run scripts included
-# in the parent Docker image, but with extra
-# Django-specific commands
-# ==========================================
-COPY --chown=app bin/tna-run /home/app/.local/bin/
-
-# ==========================================
-# Allow all our scripts to be executable
-# ==========================================
-RUN chmod +x /home/app/.local/bin/tna-run
diff --git a/docker/tna-python-flask/README.md b/docker/tna-python-flask/README.md
deleted file mode 100644
index cc43073..0000000
--- a/docker/tna-python-flask/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# tna-python-flask
-
-This image extends `tna-python` but adds checks for environment variables specific to Flask.
-
-This image assumes you have a version of Flask added to you project's `pyproject.toml` file.
-
-## Environment variables
-
-All environment variables defined in [tna-python](../tna-python/README.md) as well as:
-
-| Variable | Description | Default |
-| ------------ | ----------------------------------------------- | ------- |
-| `SECRET_KEY` | A random key used to secure client session data | [None] |
-
-A secret key can be generated using:
-
-```sh
-python -c 'import secrets; print(secrets.token_hex())'
-```
-
-## Commands for the Dockerfile
-
-The command `tna-run` is moved to `tna-run-common` and a new and `tna-run` command is added.
diff --git a/docker/tna-python-flask/bin/tna-run b/docker/tna-python-flask/bin/tna-run
deleted file mode 100755
index da83649..0000000
--- a/docker/tna-python-flask/bin/tna-run
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-set -e
-
-if [[ -z $SECRET_KEY ]]
-then
- echo -e "Error: Environment variable SECRET_KEY not set";
- exit 1
-fi
-
-tna-run-common "$1"
diff --git a/docker/tna-python/README.md b/docker/tna-python/README.md
index f18dea8..f3f710e 100644
--- a/docker/tna-python/README.md
+++ b/docker/tna-python/README.md
@@ -14,17 +14,18 @@ This image requires you have the following files in the root of your project:
 ## Environment variables
-| Variable | Description | Default |
-| ---------------------- | ------------------------------------------------------------------------- | -------------------------------------------------------------- |
-| `ENVIRONMENT` | The current environment[^1] | `production` |
-| `WORKERS` | Number of worker processes[^2] | `3` on `develop`, `(cpu * 2) + 1` elsewhere |
-| `THREADS` | Number of threads[^3] | `3` on `develop`, `(cpu * 2) + 1` elsewhere |
-| `LOG_LEVEL` | The log level to stream to the console[^4] | `warn` on `production`, `debug` on `develop`, `info` elsewhere |
-| `NODE_ENV` | The node environment which could affect the build[^5] | Copied from `ENVIRONMENT` |
-| `NPM_BUILD_COMMAND` | The npm script to run to build static assets | [None] - don't build anything by default |
-| `NPM_DEVELOP_COMMAND` | The npm script to run in development environments | [None] - don't build and watch anything by default |
-| `TIMEOUT` | The number of seconds before a request is terminated[^6] | `30` on `production`, `600` on `develop`, `30` elsewhere |
-| `KEEP_ALIVE` | The number of seconds to wait for requests on a keep-alive connection[^7] | `30` on `production`, `5` on `develop`, `5` elsewhere |
+| Variable | Description | Default |
+| ----------------------- | ------------------------------------------------------------------------- | -------------------------------------------------------------- |
+| `SECRET_KEY` (required) | A random key used to secure client session data | [None] |
+| `ENVIRONMENT` | The current environment[^1] | `production` |
+| `WORKERS` | Number of worker processes[^2] | `3` on `develop`, `(cpu * 2) + 1` elsewhere |
+| `THREADS` | Number of threads[^3] | `3` on `develop`, `(cpu * 2) + 1` elsewhere |
+| `LOG_LEVEL` | The log level to stream to the console[^4] | `warn` on `production`, `debug` on `develop`, `info` elsewhere |
+| 
`NODE_ENV` | The node environment[^5] | Copied from `ENVIRONMENT` |
+| `NPM_BUILD_COMMAND` | The npm script to run to build static assets | [None] - don't build anything by default |
+| `NPM_DEVELOP_COMMAND` | The npm script to run in development environments | [None] - don't build and watch anything by default |
+| `TIMEOUT` | The number of seconds before a request is terminated[^6] | `30` on `production`, `600` on `develop`, `30` elsewhere |
+| `KEEP_ALIVE` | The number of seconds to wait for requests on a keep-alive connection[^7] | `30` on `production`, `5` on `develop`, `5` elsewhere |
 [^1]: Predefined values are `production` and `develop` but any alphanumeric string is valid
 [^2]: [Gunicorn docs - How Many Workers?](https://docs.gunicorn.org/en/latest/design.html#how-many-workers)
@@ -34,6 +35,12 @@ This image requires you have the following files in the root of your project:
 [^6]: [Gunicorn docs - timeout](https://docs.gunicorn.org/en/stable/settings.html#timeout)
 [^7]: [Gunicorn docs - keepalive](https://docs.gunicorn.org/en/stable/settings.html#keepalive)
+A secret key (for `SECRET_KEY`) can be generated using:
+
+```sh
+python -c 'import secrets; print(secrets.token_hex())'
+```
+
 ## Commands for the Dockerfile
 There are two commands to use within your `Dockerfile`:
diff --git a/docker/tna-python/bin/tna-run b/docker/tna-python/bin/tna-run
index 50c59a0..8bb88b5 100755
--- a/docker/tna-python/bin/tna-run
+++ b/docker/tna-python/bin/tna-run
@@ -11,6 +11,12 @@ then
 exit 1
 fi
+if [[ -z $SECRET_KEY ]]
+then
+ echo -e "Error: Environment variable SECRET_KEY not set";
+ exit 1
+fi
+
 if [ "$ENVIRONMENT" == 'develop' ] && [ -n "$NPM_DEVELOP_COMMAND" ]
 then
 tna-node "$NPM_DEVELOP_COMMAND"
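Review bot: The new guard in tna-run only tests that `SECRET_KEY` is non-empty, so a one-character or placeholder value satisfies it and the application starts with a guessable session-signing key; since the README hunk in this same commit documents `secrets.token_hex()` (64 hex characters) as the generator, a minimum-length check is cheap, e.g. `if [[ -z "$SECRET_KEY" || ${#SECRET_KEY} -lt 32 ]]` (the threshold is a suggestion, pick what the consuming frameworks require). The diagnostic is also written to stdout with `echo -e`, where `-e` has no effect on this message; `printf 'Error: Environment variable SECRET_KEY not set\n' >&2` keeps it out of application output, and the check immediately above the hunk (outside this view) appears to use the same pattern and could be treated the same way. The script is flat, so there is no enclosing function; the `exit 1` after the message is correct for a startup-time precondition.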