passing nginx.conf vals as part of deploy, + pre-built backend/frontend containers

Author: HardMax71

.github/workflows/docker.yml

@@ -1,35 +1,182 @@
-name: Docker Build & Scan
+name: Docker Build, Scan & Publish
 
 on:
   push:
-    branches: [ main, dev ]
+    branches: [ main ]
+    tags: [ 'v*' ]
   pull_request:
-    branches: [ main, dev ]
+    branches: [ main ]
   workflow_dispatch:
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PREFIX: ${{ github.repository_owner }}/integr8scode
+
 jobs:
-  docker:
-    name: Docker Build & Scan
+  build-and-scan:
+    name: Build & Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+
+    outputs:
+      backend_tag: ${{ steps.meta-backend.outputs.tags }}
+      frontend_tag: ${{ steps.meta-frontend.outputs.tags }}
+
     steps:
       - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # =========================================================================
+      # BASE IMAGE
+      # =========================================================================
+      - name: Extract metadata for base image
+        id: meta-base
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/base
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix=sha-
+            type=raw,value=latest,enable={{is_default_branch}}
+
       - name: Build base image
-        run: |
-          docker build -f ./backend/Dockerfile.base -t integr8scode-base:latest ./backend
+        uses: docker/build-push-action@v5
+        with:
+          context: ./backend
+          file: ./backend/Dockerfile.base
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-base.outputs.tags }}
+          labels: ${{ steps.meta-base.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          # Also build locally for dependent images
+          load: true
 
-      - name: Build Docker image
-        run: |
-          DOCKER_BUILDKIT=1 docker build \
-            --build-context base=docker-image://integr8scode-base:latest \
-            -t integr8scode:test \
-            ./backend
-      - name: Run Trivy vulnerability scanner
+      # =========================================================================
+      # BACKEND IMAGE
+      # =========================================================================
+      - name: Extract metadata for backend image
+        id: meta-backend
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/backend
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix=sha-
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build backend image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./backend
+          file: ./backend/Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-backend.outputs.tags }}
+          labels: ${{ steps.meta-backend.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-contexts: |
+            base=docker-image://${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/base:${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || 'latest' }}
+          load: true
+
+      - name: Run Trivy vulnerability scanner on backend
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'integr8scode:test'
-          format: 'table'
-          exit-code: '1'
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/backend:${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || 'latest' }}
+          format: 'sarif'
+          output: 'trivy-backend-results.sarif'
           ignore-unfixed: true
           severity: 'CRITICAL,HIGH'
           timeout: '5m0s'
-          trivyignores: 'backend/.trivyignore'
+          trivyignores: 'backend/.trivyignore'
+
+      - name: Upload Trivy scan results to GitHub Security
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-backend-results.sarif'
+          category: 'trivy-backend'
+
+      # =========================================================================
+      # FRONTEND IMAGE
+      # =========================================================================
+      - name: Extract metadata for frontend image
+        id: meta-frontend
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix=sha-
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build frontend image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./frontend
+          file: ./frontend/Dockerfile.prod
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-frontend.outputs.tags }}
+          labels: ${{ steps.meta-frontend.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          load: true
+
+      - name: Run Trivy vulnerability scanner on frontend
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || 'latest' }}
+          format: 'sarif'
+          output: 'trivy-frontend-results.sarif'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+          timeout: '5m0s'
+
+      - name: Upload Trivy frontend scan results
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-frontend-results.sarif'
+          category: 'trivy-frontend'
+
+      # =========================================================================
+      # SUMMARY
+      # =========================================================================
+      - name: Summary
+        if: github.event_name != 'pull_request'
+        run: |
+          echo "## Docker Images Published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Image | Tags |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Base | \`${{ steps.meta-base.outputs.tags }}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Backend | \`${{ steps.meta-backend.outputs.tags }}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Frontend | \`${{ steps.meta-frontend.outputs.tags }}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Usage" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/backend:latest" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:latest" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

deploy.sh

@@ -7,9 +7,9 @@
 #   ./deploy.sh dev                 # Start local development (docker-compose)
 #   ./deploy.sh dev --build         # Rebuild and start local development
 #   ./deploy.sh down                # Stop local development
-#   ./deploy.sh prod                # Deploy to K8s with Helm (production values)
+#   ./deploy.sh prod                # Deploy to K8s (builds images locally)
+#   ./deploy.sh prod --prod         # Deploy with production values (uses registry)
 #   ./deploy.sh prod --dry-run      # Test Helm deployment without applying
-#   ./deploy.sh staging             # Deploy to K8s with Helm (default values)
 #   ./deploy.sh check               # Run local quality checks (lint, type, security)
 #   ./deploy.sh test                # Run full test suite locally
 #   ./deploy.sh logs [service]      # View logs (dev mode)
@@ -55,18 +55,27 @@ show_help() {
     echo "Commands:"
     echo "  dev [--build]      Start local development environment (docker-compose)"
     echo "  down               Stop local development environment"
-    echo "  prod [--dry-run]   Deploy to Kubernetes with Helm"
+    echo "  prod [options]     Deploy to Kubernetes with Helm"
     echo "  check              Run quality checks (ruff, mypy, bandit)"
     echo "  test               Run full test suite with docker-compose"
     echo "  logs [service]     View logs (defaults to all services)"
     echo "  status             Show status of running services"
     echo "  help               Show this help message"
     echo ""
+    echo "Prod options:"
+    echo "  --dry-run          Validate templates without applying"
+    echo "  --prod             Use production values (ghcr.io images, no local build)"
+    echo "  --local            Force local build even with --prod values"
+    echo "  --set key=value    Override Helm values"
+    echo ""
     echo "Examples:"
-    echo "  ./deploy.sh dev              # Start dev environment (auto-seeds users)"
-    echo "  ./deploy.sh dev --build      # Rebuild and start"
-    echo "  ./deploy.sh prod             # Deploy to K8s (requires password args)"
-    echo "  ./deploy.sh logs backend     # View backend logs"
+    echo "  ./deploy.sh dev                    # Start dev environment"
+    echo "  ./deploy.sh dev --build            # Rebuild and start"
+    echo "  ./deploy.sh prod                   # Deploy with local images"
+    echo "  ./deploy.sh prod --prod            # Deploy with registry images (no build)"
+    echo "  ./deploy.sh prod --prod --local    # Deploy prod values but build locally"
+    echo "  ./deploy.sh prod --set mongodb.auth.rootPassword=secret"
+    echo "  ./deploy.sh logs backend           # View backend logs"
 }
 
 # =============================================================================
@@ -237,6 +246,8 @@ cmd_prod() {
     local DRY_RUN=""
     local VALUES_FILE="values.yaml"
     local EXTRA_ARGS=""
+    local USE_REGISTRY=false
+    local FORCE_LOCAL=false
 
     # Parse arguments
     while [[ $# -gt 0 ]]; do
@@ -247,7 +258,12 @@ cmd_prod() {
                 ;;
             --prod)
                 VALUES_FILE="values-prod.yaml"
-                print_info "Using production values"
+                USE_REGISTRY=true
+                print_info "Using production values (ghcr.io images)"
+                ;;
+            --local)
+                FORCE_LOCAL=true
+                print_info "Forcing local image build"
                 ;;
             --set)
                 shift
@@ -261,17 +277,25 @@ cmd_prod() {
         shift
     done
 
-    deploy_helm "$VALUES_FILE" "$DRY_RUN" "$EXTRA_ARGS"
+    deploy_helm "$VALUES_FILE" "$DRY_RUN" "$EXTRA_ARGS" "$USE_REGISTRY" "$FORCE_LOCAL"
 }
 
 deploy_helm() {
     local VALUES_FILE="$1"
     local DRY_RUN="$2"
     local EXTRA_ARGS="$3"
+    local USE_REGISTRY="$4"
+    local FORCE_LOCAL="$5"
 
-    # Build images (skip for dry-run)
+    # Build images if:
+    # - Not dry-run AND
+    # - Not using registry OR force local build
     if [[ -z "$DRY_RUN" ]]; then
-        build_and_import_images
+        if [[ "$USE_REGISTRY" != "true" ]] || [[ "$FORCE_LOCAL" == "true" ]]; then
+            build_and_import_images
+        else
+            print_info "Using pre-built images from ghcr.io (skipping local build)"
+        fi
     fi
 
     print_info "Updating Helm dependencies..."
@@ -301,7 +325,11 @@ deploy_helm() {
         echo "Services:"
         kubectl get services -n "$NAMESPACE"
         echo ""
-        echo "Default credentials: user/user123, admin/admin123"
+        if [[ "$VALUES_FILE" == "values-prod.yaml" ]]; then
+            echo "Note: Passwords must be set via --set flags for production"
+        else
+            echo "Default credentials: user/user123, admin/admin123"
+        fi
         echo ""
         echo "Commands:"
         echo "  kubectl logs -n $NAMESPACE -l app.kubernetes.io/component=backend"

docs/operations/deployment.md

@@ -264,8 +264,8 @@ variables like `KAFKA_PORT=tcp://...` override the expected numeric values. The
 ### Image pull failures
 
 If pods stay in ImagePullBackOff, the images aren't available to the cluster. For K3s, the deploy script imports images
-automatically. For other distributions, push images to your registry and update `values.yaml` with the correct
-repository and tag.
+automatically. For other distributions, use the pre-built images from GitHub Container Registry (see below) or push to
+your own registry and update `values.yaml` with the correct repository and tag.
 
 ```yaml
 images:
@@ -301,3 +301,57 @@ workers:
 ```
 
 Monitor resource usage with kubectl top or your cluster's metrics solution to right-size the limits.
+
+## Pre-built images
+
+For production deployments, you can skip the local build step entirely by using pre-built images from GitHub Container
+Registry. The CI pipeline automatically builds and pushes images on every merge to main.
+
+### Using registry images
+
+The `--prod` flag configures the deployment to pull images from `ghcr.io/hardmax71/integr8scode/`:
+
+```bash
+./deploy.sh prod --prod \
+    --set userSeed.defaultUserPassword=secure-pass \
+    --set userSeed.adminUserPassword=secure-admin
+```
+
+This skips the local Docker build and tells Kubernetes to pull images from the registry. The `values-prod.yaml` file
+sets `imagePullPolicy: IfNotPresent`, so images are cached locally after the first pull.
+
+### Available tags
+
+Each push to main produces multiple tags:
+
+| Tag           | Description                        |
+|---------------|------------------------------------|
+| `latest`      | Most recent build from main branch |
+| `sha-abc1234` | Specific commit SHA                |
+| `v1.0.0`      | Release version (from git tags)    |
+
+For production, pin to a specific SHA or version rather than `latest`:
+
+```yaml
+images:
+  backend:
+    repository: ghcr.io/hardmax71/integr8scode/backend
+    tag: sha-abc1234
+```
+
+### Hybrid approach
+
+If you need production resource limits but want to build locally (for testing changes before pushing):
+
+```bash
+./deploy.sh prod --prod --local
+```
+
+The `--local` flag forces a local build even when using `values-prod.yaml`.
+
+### CI/CD integration
+
+The GitHub Actions workflow in `.github/workflows/docker.yml` handles image building and publishing. On every push to
+main, it builds the base, backend, and frontend images, scans them with Trivy for vulnerabilities, and pushes to
+ghcr.io.
+Pull requests build and scan but don't push, ensuring only tested code reaches the registry.