Merge pull request #10 from nsidc/re-add-nginx

Re-add nginx

Author: trey-stafford

.github/workflows/publish-docker.yml .github/workflows/publish-api-image.yml.github/workflows/publish-docker.yml renamed to .github/workflows/publish-api-image.yml

@@ -0,0 +1,41 @@
+name: "Build and publish container image"
+
+on:
+  push:
+    branches:
+      - "main"
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+*"
+
+jobs:
+  build-and-release-server-image:
+    name: "Build and release server container image"
+    runs-on: "ubuntu-latest"
+    env:
+      IMAGE_NAME: "data-access-tool-server"
+      # GitHub Actions expressions don't have great conditional support, so
+      # writing a ternary expression looks a lot like bash. In Python, this
+      # would read as:
+      #     github.ref_name if github.ref_type == 'tag' else 'latest'
+      #     https://docs.github.com/en/actions/learn-github-actions/expressions
+      IMAGE_TAG:
+        "${{ github.ref_type == 'tag' && github.ref_name || 'latest' }}"
+    steps:
+      - name: "Check out repository"
+        uses: "actions/checkout@v4"
+
+      - name: "Build container image"
+        run: |
+          docker build --tag "ghcr.io/nsidc/${IMAGE_NAME}:${IMAGE_TAG}" nginx/
+
+      - name: "GHCR login"
+        uses: "docker/login-action@v3"
+        with:
+          registry: "ghcr.io"
+          username: "${{ github.repository_owner }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: "Push to image registries (DockerHub, GHCR)"
+        run: |
+          # Push to GHCR
+          docker push "ghcr.io/nsidc/${IMAGE_NAME}:${IMAGE_TAG}"

.github/workflows/publish-server-image.yml

@@ -1,2 +1,3 @@
 **/__pycache__/
+nginx/logs/*
 docker-compose.override.yml

.gitignore

@@ -1,3 +1,7 @@
+# v0.2.0
+
+- Include nginx image build and configuration.
+
 # v0.1.0
 
 - Initial release. This consititues an MVP for the DAT backend and includes

CHANGELOG.md

@@ -14,8 +14,8 @@ This repository provides:
   service required for DAT integration with the
   [NASA Earthdata Downloader](https://github.com/nasa/earthdata-download).
 
-- Docker compose configuration for the DAT backend, which includes the
-  [data-access-tool-server](https://github.com/nsidc/data-access-tool-ui).
+- Docker compose configuration for the DAT backend, which includes
+  [nginx server configuration](./nginx).
 
 ## Background
 
@@ -98,3 +98,17 @@ following query parameters:
 
 > [!WARNING] As of this writing, the CMR query parameters are hard-coded to
 > always return a small subset of ATL06 v6 data.
+
+## Releasing
+
+To release a new version:
+
+- Make changes on a branch
+- Update CHANGELOG for next release
+- Run `bump-my-version bump {major|minor|patch}`
+- Open a PR and have it merged to `main` after review
+- Tag latest commit on `main` with the version, and push. This will trigger a
+  build of the `data-access-tool-api` and `data-access-tool-server` images with
+  the given version tag.
+- Deploy the latest change with the
+  [data-access-tool-vm](https://github.com/nsidc/data-access-tool-vm).

README.md

@@ -6,7 +6,7 @@ services:
     command: '/bin/bash -c "PYTHONPATH=./ python dat_backend/app.py"'
 
   server:
-    build: ../data-access-tool-server/
+    build: ./nginx
     volumes:
-      - ../data-access-tool-server/logs:/var/log/nginx/
+      - ./nginx/logs:/var/log/nginx/
       - ./nginx/edd_release/:/var/www/edd_release/

docker-compose.dev.yml

@@ -1,5 +1,5 @@
 services:
   api:
-    image: "ghcr.io/nsidc/data-access-tool-api:v0.1.0"
+    image: "ghcr.io/nsidc/data-access-tool-api:v0.2.0"
   server:
-    image: "ghcr.io/nsidc/data-access-tool-server:v0.1.0"
+    image: "ghcr.io/nsidc/data-access-tool-server:v0.2.0"

docker-compose.production.yml

@@ -17,3 +17,4 @@ dependencies:
   - pyopenssl # required for test server w/ ssl
   - pre-commit ~=4.1
   - mypy ~=1.15
+  - bump-my-version ~=1.1

environment.yml

@@ -0,0 +1,21 @@
+FROM nginx:1.27.4
+
+RUN apt-get update && apt-get install -y openssl
+
+RUN rm /etc/nginx/conf.d/default.conf
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY dat.conf /etc/nginx/conf.d/
+
+# TODO: remove when OBE. This allows exposing a pre-release of the EDD with the
+# trusted sources json file updated. Once
+# https://github.com/nasa/earthdata-download/pull/56 is merged, this can go
+# away.
+RUN mkdir -p /var/www/edd_release
+
+RUN mkdir /etc/nginx/ssl && openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/CN=nsidc"
+
+RUN useradd --uid 1000 --user-group vagrant && \
+    touch /var/run/nginx.pid && \
+    chown -R vagrant:vagrant /var/run/nginx.pid && \
+    chown -R vagrant:vagrant /var/cache/nginx && \
+    chown -R vagrant:vagrant /etc/nginx

nginx/Dockerfile

@@ -0,0 +1,58 @@
+upstream api {
+  server api:5000;
+}
+
+server {
+  listen   80;
+  listen   [::]:80;
+  listen   443 default ssl;
+  server_name           dat;
+
+  ssl_certificate /etc/nginx/ssl/nginx.crt;
+  ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+  if ($scheme = http) {
+    return 301 https://$host$http_x_script_name;
+  }
+
+  set $maintenance "off";
+  if ($maintenance = "on") {
+      return 503;
+  }
+
+  set $env_host $host;
+  if ($host = "localhost") {
+    set $env_host "integration.nsidc.org";
+  }
+
+  # index  index.html index.htm index.php;
+
+  access_log            /var/log/nginx/dat.access.log combined;
+  error_log             /var/log/nginx/dat.error.log debug;
+
+  sendfile off;
+
+  location "/" {
+    proxy_pass            https://api;
+    proxy_read_timeout    90;
+    proxy_connect_timeout 90;
+    proxy_redirect        off;
+    client_max_body_size 500M;
+
+    proxy_set_header      Host $host;
+    proxy_set_header      X-Real-IP $remote_addr;
+    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header      X-Forwarded-Proto $scheme;
+    proxy_set_header      X-Script-Name $http_x_script_name;
+  }
+
+  # TODO: remove when OBE. This allows exposing a pre-release of the EDD with
+  # the trusted sources json file updated. Once
+  # https://github.com/nasa/earthdata-download/pull/56 is merged, this can go
+  # away.
+  location "/earthdata-download-release" {
+    alias /var/www/edd_release/;
+    autoindex on;  # Enables directory listing
+    autoindex_exact_size off;  # Show file sizes in a human-readable format
+  }
+}