changes for caddy to nginx migration (#2)

appointment-frontend/.dockerignore

@@ -0,0 +1,2 @@
+**/node_modules
+**/dist

appointment-frontend/Dockerfile

@@ -0,0 +1,15 @@
+FROM docker-remote.artifacts.developer.gov.bc.ca/node:10 as build-stage
+ENV NODE_ENV=prod
+ENV VUE_APP_PATH=/
+WORKDIR /app
+COPY ./package*.json ./
+RUN npm install
+COPY . .
+RUN npm run build
+
+FROM docker-remote.artifacts.developer.gov.bc.ca/nginx:1.18.0 as production-stage
+COPY nginx.conf /etc/nginx/nginx.conf
+RUN mkdir /app
+COPY --from=build-stage /app/dist /app
+EXPOSE 8080:8080
+CMD ["nginx", "-g", "daemon off;"]

appointment-frontend/nginx.conf

@@ -0,0 +1,81 @@
+# nginx.conf
+worker_processes auto;
+error_log  /var/log/nginx/error.log;
+
+pid /tmp/nginx.pid;
+
+
+events {
+ worker_connections 4096;
+}
+
+http {
+ include       /etc/nginx/mime.types;
+ client_body_temp_path /tmp/client_temp;
+ proxy_temp_path       /tmp/proxy_temp_path;
+ fastcgi_temp_path     /tmp/fastcgi_temp;
+ uwsgi_temp_path       /tmp/uwsgi_temp;
+ scgi_temp_path        /tmp/scgi_temp;
+ default_type  application/octet-stream;
+ server_tokens off;
+ underscores_in_headers on;
+
+ # Use a w3c standard log format
+ log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log  /var/log/nginx/access.log  main;
+
+ server {
+
+   # Enable HTTP Strict Transport Security (HSTS) to force clients to always
+   # connect via HTTPS (do not use if only testing)
+   add_header Strict-Transport-Security "max-age=31536000;";
+
+   # Enable cross-site filter (XSS) and tell browser to block detected attacks
+   add_header X-XSS-Protection "1; mode=block";
+
+   # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+   add_header X-Content-Type-Options "nosniff";
+
+   # Disallow the site to be rendered within a frame (clickjacking protection)
+   add_header X-Frame-Options "DENY";
+
+    # Turn off all caddy caching
+   add_header Cache-Control "no-cache,no-store,must-revalidate";
+   add_header Pragma "no-cache";
+
+   # Content Security Policy
+   add_header Content-Security-Policy "default-src 'none';frame-src 'self' *.gov.bc.ca; script-src 'self' 'sha256-YaRF5VNtISs/hr8ATuoP3elKspUwWe/m1uAve9Sbxuk=' 'sha256-jz1UoDQhFYj7qWX/RHHnCdXPMP5++pxLOljIpiaXsPE=' *.gov.bc.ca https://maps.googleapis.com; style-src 'self' 'unsafe-inline'; font-src 'self' *.gov.bc.ca; img-src 'self' *.gov.bc.ca data:  https://maps.googleapis.com ; connect-src 'self' *.gov.bc.ca; manifest-src 'self';";
+
+
+   listen 8080;
+   server_name _;
+
+   index index.html;
+   error_log /dev/stdout info;
+   access_log /dev/stdout;
+
+   location / {
+     root /app;
+     index  index.html;
+     try_files $uri $uri/ /index.html;
+   }
+
+   # For status of ngnix service, OpenShift is configured to call this
+    location /nginx_status {
+      # Enable Nginx stats
+      stub_status on;
+
+      # Only allow access from localhost
+      allow all;
+
+      # Other request should be denied
+      # deny all;
+
+      # No need to log this request, its just noise
+      access_log off;
+   }
+ }
+}

frontend/.dockerignore

@@ -0,0 +1,2 @@
+**/node_modules
+**/dist

frontend/Dockerfile

@@ -0,0 +1,15 @@
+FROM docker-remote.artifacts.developer.gov.bc.ca/node:10 as build-stage
+ENV NODE_ENV=prod
+ENV VUE_APP_PATH=/
+WORKDIR /app
+COPY ./package*.json ./
+RUN npm install
+COPY . .
+RUN npm run build
+
+FROM docker-remote.artifacts.developer.gov.bc.ca/nginx:1.18.0 as production-stage
+COPY nginx.conf /etc/nginx/nginx.conf
+RUN mkdir /app
+COPY --from=build-stage /app/dist /app
+EXPOSE 8080:8080
+CMD ["nginx", "-g", "daemon off;"]

frontend/nginx.conf

@@ -0,0 +1,77 @@
+# nginx.conf
+worker_processes auto;
+error_log  /var/log/nginx/error.log;
+
+pid /tmp/nginx.pid;
+
+
+events {
+ worker_connections 4096;
+}
+
+http {
+ include       /etc/nginx/mime.types;
+ client_body_temp_path /tmp/client_temp;
+ proxy_temp_path       /tmp/proxy_temp_path;
+ fastcgi_temp_path     /tmp/fastcgi_temp;
+ uwsgi_temp_path       /tmp/uwsgi_temp;
+ scgi_temp_path        /tmp/scgi_temp;
+ default_type  application/octet-stream;
+ server_tokens off;
+ underscores_in_headers on;
+
+ # Use a w3c standard log format
+ log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log  /var/log/nginx/access.log  main;
+
+ server {
+
+   # Enable HTTP Strict Transport Security (HSTS) to force clients to always
+   # connect via HTTPS (do not use if only testing)
+   add_header Strict-Transport-Security "max-age=31536000;";
+
+   # Enable cross-site filter (XSS) and tell browser to block detected attacks
+   add_header X-XSS-Protection "1; mode=block";
+
+   # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+   add_header X-Content-Type-Options "nosniff";
+
+   # Disallow the site to be rendered within a frame (clickjacking protection)
+   add_header X-Frame-Options "DENY";
+
+    # Turn off all caddy caching
+   add_header Cache-Control "no-cache,no-store,must-revalidate";
+   add_header Pragma "no-cache";
+
+   listen 8080;
+   server_name _;
+
+   index index.html;
+   error_log /dev/stdout info;
+   access_log /dev/stdout;
+
+   location / {
+     root /app;
+     index  index.html;
+     try_files $uri $uri/ /index.html;
+   }
+
+   # For status of ngnix service, OpenShift is configured to call this
+    location /nginx_status {
+      # Enable Nginx stats
+      stub_status on;
+
+      # Only allow access from localhost
+      allow all;
+
+      # Other request should be denied
+      # deny all;
+
+      # No need to log this request, its just noise
+      access_log off;
+   }
+ }
+}

openshift/templates/appointment-nginx-frontend-build.yaml

@@ -0,0 +1,109 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  labels:
+    app: ${NAME}
+  name: ${NAME}-build
+  annotations:
+    description: ""
+    tags: appointment,python
+    iconClass: icon-python
+objects:
+  - apiVersion: v1
+    kind: ImageStream
+    metadata:
+      name: ${NAME}
+      labels:
+        app: ${NAME}
+  - apiVersion: v1
+    kind: BuildConfig
+    metadata:
+      name: ${NAME}
+      labels:
+        app: ${NAME}
+    spec:
+      output:
+        to:
+          kind: ImageStreamTag
+          name: ${NAME}:${OUTPUT_IMAGE_TAG}
+      resources:
+        limits:
+          cpu: ${CPU_LIMIT}
+          memory: ${MEMORY_LIMIT}
+        requests:
+          cpu: ${CPU_REQUEST}
+          memory: ${MEMORY_REQUEST}
+      runPolicy: Serial
+      source:
+        contextDir: ${SOURCE_CONTEXT_DIR}
+        git:
+          ref: ${GIT_REF}
+          uri: ${GIT_REPO_URL}
+        type: Git
+      strategy:
+        type: Docker
+        dockerStrategy:
+          "dockerfilePath": "${DOCKER_FILE_PATH}"
+          pullSecret:
+            name: artifactory-creds
+      postCommit: { }
+      nodeSelector:
+      successfulBuildsHistoryLimit: 10
+      failedBuildsHistoryLimit: 2
+      triggers:
+        - type: ConfigChange
+parameters:
+  - description: |
+      The name assigned to all of the objects defined in this template.
+      You should keep this as default unless your know what your doing.
+    displayName: Name
+    name: NAME
+    required: true
+    value: appointment-nginx-frontend
+  - description: |
+      The URL to your GIT repo, don't use the this default unless
+      your just experimenting.
+    displayName: Git Repo URL
+    name: GIT_REPO_URL
+    required: true
+    value: https://github.com/bcgov/queue-management
+  - description: The git reference or branch.
+    displayName: Git Reference
+    name: GIT_REF
+    required: true
+    value: master
+  - description: The source context directory.
+    displayName: Source Context Directory
+    name: SOURCE_CONTEXT_DIR
+    required: false
+    value: appointment-frontend
+  - description: The tag given to the built image.
+    displayName: Output Image Tag
+    name: OUTPUT_IMAGE_TAG
+    required: true
+    value: latest
+  - description: The resources CPU limit (in cores) for this build.
+    displayName: Resources CPU Limit
+    name: CPU_LIMIT
+    required: true
+    value: "2"
+  - description: The resources Memory limit (in Mi, Gi, etc) for this build.
+    displayName: Resources Memory Limit
+    name: MEMORY_LIMIT
+    required: true
+    value: 4Gi
+  - description: The resources CPU request (in cores) for this build.
+    displayName: Resources CPU Request
+    name: CPU_REQUEST
+    required: true
+    value: "1"
+  - description: The resources Memory request (in Mi, Gi, etc) for this build.
+    displayName: Resources Memory Request
+    name: MEMORY_REQUEST
+    required: true
+    value: 4Gi
+  - description: The path and file of the docker file defining the build.
+    displayName: DockferFile
+    name: DOCKER_FILE_PATH
+    required: true
+    value: Dockerfile