diff --git a/CHANGELOG.md b/CHANGELOG.md index d1a3297..c9d62a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add instructions on how to create a new App repo. +## [0.10.2] - 2023-10-13 + +- Fix secret templates and values + +## [0.10.1] - 2023-10-11 + +### Added + +- Encode secret values using base64 encoding + +## [0.10.0] - 2023-10-10 + +### Added + +- Static CMS configuration (secret) + +## [0.9.0] - 2023-10-08 + +### Added + +- Add customized Static CMS setup (editor) + ## [0.8.0] - 2023-10-05 ### Added @@ -213,7 +235,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Initial docsy setup. -[Unreleased]: https://github.com/giantswarm/handbook/compare/v0.8.0...HEAD +[Unreleased]: https://github.com/giantswarm/handbook/compare/v0.10.2...HEAD +[0.10.2]: https://github.com/giantswarm/handbook/compare/v0.10.1...v0.10.2 +[0.10.1]: https://github.com/giantswarm/handbook/compare/v0.10.0...v0.10.1 +[0.10.0]: https://github.com/giantswarm/handbook/compare/v0.9.0...v0.10.0 +[0.9.0]: https://github.com/giantswarm/handbook/compare/v0.8.0...v0.9.0 [0.8.0]: https://github.com/giantswarm/handbook/compare/v0.7.1...v0.8.0 [0.7.1]: https://github.com/giantswarm/handbook/compare/v0.7.0...v0.7.1 [0.7.0]: https://github.com/giantswarm/handbook/compare/v0.6.0...v0.7.0 diff --git a/Dockerfile b/Dockerfile index 18ca176..2f6744d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,14 +5,17 @@ COPY . /src RUN cd themes/docsy && npm install # build static site RUN hugo --verbose --gc --minify --enableGitInfo --cleanDestinationDir --destination /src/public +RUN mkdir -p /src/public/admin && cp /src/cms/cms-config.yaml /src/public/admin/config.yml # use minimal nginx alpine image for serving static html FROM quay.io/giantswarm/nginx-unprivileged:1.21-alpine EXPOSE 8080 USER 0 + # enable relative 301 redirects to fix invalid redirects on missing trailing slash # (a downstream server doesn't necessarily know the public name and port) RUN sed -i 's/location \/ {/location \/ {\n absolute_redirect off;/' /etc/nginx/conf.d/default.conf + # copy in staticly built hugo site from build step above COPY --from=build /src/public /usr/share/nginx/html USER 101 diff --git a/cms/Dockerfile.cms b/cms/Dockerfile.cms new file mode 100644 index 0000000..df62290 --- /dev/null +++ b/cms/Dockerfile.cms @@ -0,0 +1,5 @@ +# use minimal nginx alpine image for proxying to hugo and decap-cms containers +FROM staticjscms-hugo:latest + +# add customized Decap CMS config for handbook +COPY cms-config.yaml /app/config.yml diff --git a/cms/cms-config-dev.yaml b/cms/cms-config-dev.yaml new file mode 100644 index 0000000..2ebde29 --- /dev/null +++ b/cms/cms-config-dev.yaml @@ -0,0 +1,52 @@ +backend: + name: github + repo: giantswarm/handbook + base_url: http://localhost:8081 + branch: main + commit_messages: + create: "Create {{collection}} “{{path}}”" + update: "Update {{collection}} “{{path}}”" + delete: "Delete {{collection}} “{{path}}”" + uploadMedia: "Upload “{{path}}”" + deleteMedia: "Delete “{{path}}”" + openAuthoring: '{{message}}' + +site_url: http://localhost:8081/docs +logo_url: http://localhost:8081/tile70x70.png +publish_mode: editorial_workflow +media_folder: "content/docs" +media_library: { folder_support: true, max_file_size: 1024000 } + +collections: + - folder: content/docs + label: "Pages" + label_singular: "Page" + name: "pages" + media_folder: "" + public_folder: "" + media_library: { folder_support: true } + create: true + format: frontmatter + extension: md + index_file: '_index' + editor: + size: half + frame: true + preview: true + nested: + depth: 6 + summary: "{{name}}" + path: + index_file: '_index' + branch_bundle: true + # path property meta object allows editing the path of entries + # moving an existing entry will move the entire subtree of the entry to the new location + meta: { path: { widget: string, label: 'Path', index_file: '_index' } } + fields: + - { label: "Title", name: title, widget: "string" } + - { label: "Description", name: description, widget: "string" } + - label: "Confidentiality" + name: confidentiality + widget: "select" + options: ["public", "operational", "private"] + - { label: "Body", name: body, widget: "markdown" } diff --git a/cms/cms-config.yaml b/cms/cms-config.yaml new file mode 100644 index 0000000..029a518 --- /dev/null +++ b/cms/cms-config.yaml @@ -0,0 +1,52 @@ +backend: + name: github + repo: giantswarm/handbook + base_url: https://handbook.giantswarm.io + branch: main + commit_messages: + create: "Create {{collection}} “{{path}}”" + update: "Update {{collection}} “{{path}}”" + delete: "Delete {{collection}} “{{path}}”" + uploadMedia: "Upload “{{path}}”" + deleteMedia: "Delete “{{path}}”" + openAuthoring: '{{message}}' + +site_url: https://handbook.giantswarm.io/docs +logo_url: https://handbook.giantswarm.io/tile70x70.png +publish_mode: editorial_workflow +media_folder: "content/docs" +media_library: { folder_support: true, max_file_size: 1024000 } + +collections: + - folder: content/docs + label: "Pages" + label_singular: "Page" + name: "pages" + media_folder: "" + public_folder: "" + media_library: { folder_support: true } + create: true + format: frontmatter + extension: md + index_file: '_index' + editor: + size: half + frame: true + preview: true + nested: + depth: 6 + summary: "{{name}}" + path: + index_file: '_index' + branch_bundle: true + # path property meta object allows editing the path of entries + # moving an existing entry will move the entire subtree of the entry to the new location + meta: { path: { widget: string, label: 'Path', index_file: '_index' } } + fields: + - { label: "Title", name: title, widget: "string" } + - { label: "Description", name: description, widget: "string" } + - label: "Confidentiality" + name: confidentiality + widget: "select" + options: ["public", "operational", "private"] + - { label: "Body", name: body, widget: "markdown" } diff --git a/content/docs/dev-and-releng/releases/how-to-release-a-project/_index.md b/content/docs/dev-and-releng/releases/how-to-release-a-project/_index.md index e7e811a..6d73fc7 100644 --- a/content/docs/dev-and-releng/releases/how-to-release-a-project/_index.md +++ b/content/docs/dev-and-releng/releases/how-to-release-a-project/_index.md @@ -36,14 +36,14 @@ Once workflows are ready, it is time to create release branch. The name of the branch is important and it must follow this convention: ``` -${BASE}#release#v${VERSION} +${BASE}#release#${VERSION} ``` Where: - `BASE` - is the name of the base branch for release PR. Usually it is `master` or `main`. -- `VERSION` - either `major`, `minor`, `patch` or a specific version that is going to be created for the release. +- `VERSION` - either `major`, `minor`, `patch` or a specific version `v1.2.3` that is going to be created for the release. Example: diff --git a/docker-compose.yaml b/docker-compose.yaml index b2ebc16..31f8e2c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,13 +1,21 @@ version: '3.4' services: + handbook-proxy: + container_name: handbook-proxy + build: + context: proxy + dockerfile: Dockerfile.handbook-proxy + ports: + - "8081:8081" + depends_on: + - hugo + - static-cms hugo: container_name: hugo build: context: . target: build - ports: - - 1313:1313 volumes: - ${PWD}/content:/src/content - ${PWD}/layouts:/src/layouts @@ -16,3 +24,18 @@ services: - --enableGitInfo - --bind=0.0.0.0 - --buildDrafts + static-cms: + container_name: static-cms + build: + context: cms + dockerfile: Dockerfile.cms + restart: always + volumes: + - ${PWD}/../static-cms/packages/app:/app/staticcms/app + environment: + ORIGIN: "${ORIGIN}" + OAUTH_CLIENT_ID: "${OAUTH_CLIENT_ID}" + OAUTH_CLIENT_SECRET: "${OAUTH_CLIENT_SECRET}" + GIT_HOSTNAME: "${GIT_HOSTNAME}" + #volumes: + # - ${PWD}/cms-config.yaml:/app/config.yml:ro diff --git a/helm/handbook/templates/deployment.yaml b/helm/handbook/templates/handbook-deployment.yaml similarity index 99% rename from helm/handbook/templates/deployment.yaml rename to helm/handbook/templates/handbook-deployment.yaml index 6273d35..f12778c 100644 --- a/helm/handbook/templates/deployment.yaml +++ b/helm/handbook/templates/handbook-deployment.yaml @@ -19,7 +19,6 @@ spec: spec: securityContext: runAsUser: 1000 - affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: diff --git a/helm/handbook/templates/service.yaml b/helm/handbook/templates/handbook-service.yaml similarity index 100% rename from helm/handbook/templates/service.yaml rename to helm/handbook/templates/handbook-service.yaml diff --git a/helm/handbook/templates/ingress.yaml b/helm/handbook/templates/ingress.yaml index 56b0c86..4a57e94 100644 --- a/helm/handbook/templates/ingress.yaml +++ b/helm/handbook/templates/ingress.yaml @@ -22,6 +22,34 @@ spec: name: handbook port: number: 8080 + - path: /admin/config.yml + pathType: Prefix + backend: + service: + name: handbook + port: + number: 8080 + - path: /admin/ + pathType: Prefix + backend: + service: + name: staticjscms-hugo-standalone + port: + number: 8080 + - path: /auth + pathType: Prefix + backend: + service: + name: staticjscms-hugo-standalone + port: + number: 8080 + - path: /callback + pathType: Prefix + backend: + service: + name: staticjscms-hugo-standalone + port: + number: 8080 tls: - hosts: - handbook.giantswarm.io diff --git a/helm/handbook/templates/secrets.yaml b/helm/handbook/templates/secrets.yaml new file mode 100644 index 0000000..cee7bce --- /dev/null +++ b/helm/handbook/templates/secrets.yaml @@ -0,0 +1,19 @@ +{{ $this := . }} +{{ range $index, $secret := .Values.secrets }} +apiVersion: v1 +kind: Secret +{{- if eq (index $secret.data 0).key ".dockerconfigjson" }} +type: kubernetes.io/dockerconfigjson +{{- else }} +type: Opaque +{{- end }} +metadata: + name: {{ $secret.name }} + namespace: {{ include "resource.default.namespace" $this }} + labels: + {{- include "labels.common" $this | nindent 4 }} +data: + {{- range $idx, $datum := $secret.data }} + {{ $datum.key }}: {{ $datum.value }} + {{- end }} +{{- end }} diff --git a/helm/handbook/templates/staticjscms-deployment.yaml b/helm/handbook/templates/staticjscms-deployment.yaml new file mode 100644 index 0000000..90cf0da --- /dev/null +++ b/helm/handbook/templates/staticjscms-deployment.yaml @@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: intranet + name: staticjscms-hugo-standalone + labels: + app: staticjscms-hugo-standalone +spec: + replicas: 2 + revisionHistoryLimit: 2 + selector: + matchLabels: + app: staticjscms-hugo-standalone + template: + metadata: + name: staticjscms-hugo-standalone + labels: + app: staticjscms-hugo-standalone + spec: + securityContext: + runAsUser: 1000 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: staticjscms-hugo-standalone + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - name: staticjscms-hugo-standalone + image: ghcr.io/giantswarm/staticjscms-hugo-standalone:{{ .Values.staticJsCmsHugoStandaloneVersion }} + imagePullPolicy: Always + env: + - name: ORIGIN + valueFrom: + secretKeyRef: + name: staticjscms-secret + key: ORIGIN + - name: OAUTH_CLIENT_ID + valueFrom: + secretKeyRef: + name: staticjscms-secret + key: OAUTH_CLIENT_ID + - name: OAUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: staticjscms-secret + key: OAUTH_CLIENT_SECRET + - name: GIT_HOSTNAME + valueFrom: + secretKeyRef: + name: staticjscms-secret + key: GIT_HOSTNAME + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 100m + memory: 100M + limits: + cpu: 300m + memory: 100M + livenessProbe: + httpGet: + path: / + port: 8080 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 2 + serviceAccount: handbook + serviceAccountName: handbook + imagePullSecrets: + - name: staticjscms-hugo-standalone-pull-secret diff --git a/helm/handbook/templates/staticjscms-service.yaml b/helm/handbook/templates/staticjscms-service.yaml new file mode 100644 index 0000000..eaa2979 --- /dev/null +++ b/helm/handbook/templates/staticjscms-service.yaml @@ -0,0 +1,13 @@ +kind: Service +apiVersion: v1 +metadata: + namespace: intranet + name: staticjscms-hugo-standalone + labels: + app: staticjscms-hugo-standalone +spec: + ports: + - port: 8080 + targetPort: http + selector: + app: staticjscms-hugo-standalone diff --git a/helm/handbook/values.schema.json b/helm/handbook/values.schema.json index 13ce38d..b21d445 100644 --- a/helm/handbook/values.schema.json +++ b/helm/handbook/values.schema.json @@ -1,4 +1,34 @@ { "$schema": "http://json-schema.org/schema#", - "type": "object" + "type": "object", + "properties": { + "staticJsCmsHugoStandaloneVersion": { + "type": "string" + }, + "secrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "data": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + } + } + }, + "name": { + "type": "string" + } + } + } + } + } } diff --git a/helm/handbook/values.yaml b/helm/handbook/values.yaml index 0967ef4..59248b3 100644 --- a/helm/handbook/values.yaml +++ b/helm/handbook/values.yaml @@ -1 +1,18 @@ -{} +staticJsCmsHugoStandaloneVersion: v0.0.1 + +secrets: + # Information for staticjscms-hugo-standalone and its OAuth proxy component + - name: staticjscms-secret + data: + - key: ORIGIN + value: aHR0cHM6Ly9oYW5kYm9vay5naWFudHN3YXJtLmlv + - key: OAUTH_CLIENT_ID + value: MjE5OTEyMzk5MWFzZGVhZGJlZWY= + - key: OAUTH_CLIENT_SECRET + value: YWFkc3NhZGFkYWRhZGFkMTIzMTIzMTIzMWFkYWRhZDEyMzEyM2FiYw== + - key: GIT_HOSTNAME + value: "" + - name: staticjscms-hugo-standalone-pull-secret + data: + - key: .dockerconfigjson + value: ewogICAgICAgICAgICAiYXV0aHMiOiB7CiAgICAgICAgICAgICAgImdoY3IuaW8iOiB7CiAgICAgICAgICAgICAgICAiYXV0aCI6ICJZbXhoWW14aE9tSnNZV0pzWVFvPSIKICAgICAgICAgICAgICB9CiAgICAgICAgICAgIH0KICAgICAgICAgIH0= diff --git a/layouts/partials/page-meta-links.html b/layouts/partials/page-meta-links.html index 1c6a6a7..2e99f4b 100644 --- a/layouts/partials/page-meta-links.html +++ b/layouts/partials/page-meta-links.html @@ -1,13 +1,17 @@ {{ if .Path }} -{{ $pathFormatted := replace .Path "\\" "/" }} +{{ $pathFormatted := "" }} +{{ if eq .Path "docs" }} +{{ else }} +{{ $pathFormatted = replace ( replace ( replace .Path "\\" "/" ) "docs/" "/" ) ".md" "" }} +{{ end }} {{ $gh_repo := ($.Param "github_repo") }} {{ $gh_subdir := ($.Param "github_subdir") }} {{ $gh_project_repo := ($.Param "github_project_repo") }} {{ $gh_branch := (default "master" ($.Param "github_branch")) }} {{ if $gh_repo }}
-{{ $editURL := printf "%s/edit/%s/content/%s" $gh_repo $gh_branch $pathFormatted }} -{{ $issuesURL := printf "%s/issues/new?title=%s" $gh_repo (htmlEscape $.Title )}} +{{ $editURL := printf "/admin/#/collections/pages/entries%s" $pathFormatted }} +{{ $issuesURL := printf "%s/issues/new?title=%s" $gh_repo (htmlEscape $.Title ) }} {{ T "post_edit_this" }} {{ T "post_create_issue" }} {{ if $gh_project_repo }} diff --git a/proxy/Dockerfile.handbook-proxy b/proxy/Dockerfile.handbook-proxy new file mode 100644 index 0000000..fb0d543 --- /dev/null +++ b/proxy/Dockerfile.handbook-proxy @@ -0,0 +1,11 @@ +# use minimal nginx alpine image for proxying to hugo and decap-cms containers +FROM quay.io/giantswarm/nginx-unprivileged:1.21-alpine +EXPOSE 8081 +USER 0 + +# configure CMS redirect /admin /auth /callback -> decap, / -> hugo +COPY proxy-cms-admin.conf /etc/nginx/conf.d/proxy-cms-admin.conf + +# copy in staticly built hugo site from build step above +#VOLUME /usr/share/nginx/html +USER 101 diff --git a/proxy/proxy-cms-admin-dev.conf b/proxy/proxy-cms-admin-dev.conf new file mode 100644 index 0000000..e16c068 --- /dev/null +++ b/proxy/proxy-cms-admin-dev.conf @@ -0,0 +1,66 @@ +# NGINX configuration to allow running static-cms in live-reload mode with real GitHub OAuth backend +# +# This is for local development only! +# +# USAGE: +# 1. handbook: run a local nginx container with this config listening on http://localhost:8081 +# - podman run -it -p 8081:8081 --network slirp4netns:allow_host_loopback=true --mount type=bind,src=proxy/proxy-cms-admin-dev.conf,target=/etc/nginx/conf.d/default.conf quay.io/giantswarm/nginx-unprivileged:1.21-alpine +# 2. staticjscms-standalone: run OAuth reverse proxy listening on http://localhost:8082 (also holds a static-cms build, but we don't use it) +# - make sure an .env file with the following variables exists +# - ORIGIN=http://localhost:8081 +# - OAUTH_CLIENT_ID={YOUR GITHUB CLIENT ID, See GitHub Settings->Developer Options->OAuth Apps} +# - OAUTH_CLIENT_SECRET={YOUR GITHUB CLIENT SECRET, See GitHub Settings->Developer Options->OAuth Apps} +# - GIT_HOSTNAME= +# - podman build -f Dockerfile -t staticjscms-standalone:latest +# - podman run -it -p 8082:80 --env-file .env staticjscms-standalone:latest +# 3. static-cms: run in live-reload "dev mode" listening on http://localhost:8080 +# - copy handbook/cms/cms-config-dev.yml to static-cms/core/dev-test/config.yml (must have GitHub backend with "base_url: http://localhost:8081") +# - Empty static-cms/core/dev-test/index.js and insert only `CMS.init();` +# - OPTIONAL: change the "repo: giantswarm/handbook" to a fork for testing or development purposes +# - run: yarn dev +# 4. visit http://localhost:8081/admin/ +# +server { + listen 8081 default_server; + server_name _; + access_log /dev/stderr combined; + error_log /dev/stderr warn; + + # let hugo handle requests by default + # (a possible webhook for updates also goes here) + location / { + proxy_pass https://handbook.giantswarm.io; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } + + # proxy /admin, /auth and /callback to the docker-decap-cms-standalone container + location /admin/ { + proxy_pass http://host.containers.internal:8080/; # target: static-cms dev server (live reload), modify for docker + proxy_pass_request_headers on; + proxy_set_header Host localhost:8081; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } + + location /auth { + proxy_pass http://host.containers.internal:8082; + proxy_pass_request_headers on; + #proxy_set_header Host localhost:8081; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } + + location /callback { + proxy_pass http://host.containers.internal:8082; + proxy_pass_request_headers on; + #proxy_set_header Host localhost:8081; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } +} diff --git a/proxy/proxy-cms-admin.conf b/proxy/proxy-cms-admin.conf new file mode 100644 index 0000000..4bb5760 --- /dev/null +++ b/proxy/proxy-cms-admin.conf @@ -0,0 +1,42 @@ +# NGINX configuration +server { + listen 8081 default_server; + server_name _; + access_log /dev/stderr combined; + error_log /dev/stderr warn; + + # let hugo handle requests by default + # (a possible webhook for updates also goes here) + location / { + proxy_pass http://hugo:1313; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } + + # proxy /admin, /auth and /callback to the docker-decap-cms-standalone container + location /admin/ { + proxy_pass http://static-cms:80/; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } + + location /auth { + proxy_pass http://static-cms:80; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } + + location /callback { + proxy_pass http://static-cms:80; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Early-Data $ssl_early_data; + } +}