feat(docker): setup github stuff to be parity with efs (#1067)

**NOTE: Setup changes required after this PR is merged!!!** ## Problem Docker setup previously couldn't push to github due to lacking ssh creds + git config. This PR solves that issue. Closes [insert issue #] ## Solution - copy over stuff from a local `.ssh` folder into docker - add git + ssh clients - add github to trusted hosts ## Setup instructions - This assumes that your `git.config` is **global**; if this isn't so, remedy by following the instructions [here](https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup) - Copy over your `ssh` creds for github into a `.ssh` folder **rooted inside our workdir** (that's `isomercms-backend/`). Name the public key `github.pub` and hte private key `github` - ensure that your local `DB_URI` is `postgres://isomer:password@postgres:5432/isomercms_dev` (updated alr in 1pw)
isomerpages · Dec 20, 2023 · 53f6769 · 53f6769
1 parent 9d33108
commit 53f6769
Show file tree

Hide file tree

Showing 8 changed files with 70 additions and 23 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -86,7 +86,7 @@ jobs:
           path: ~/.npm
           key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
       - run: npm ci
-      - run: npm run dev:services
+      - run: docker compose -f docker-compose.test.yml up
       - run: . .env.test && npx jest --runInBand
       - run: docker compose down
 

diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,4 @@ build/
 .step-functions-local/
 .serverless/
 .cache_ggshield
+.ssh/
diff --git a/Dockerfile b/Dockerfile
diff --git a/Dockerfile.develop b/Dockerfile.develop
@@ -0,0 +1,22 @@
+FROM node:18-alpine AS base
+WORKDIR /opt/isomercms-backend
+RUN mkdir /root/.ssh
+COPY . .
+COPY ./.ssh /root/.ssh
+RUN chmod 600 /root/.ssh/github.pub
+RUN chmod 600 /root/.ssh/github
+RUN apk update
+RUN apk add git
+RUN apk add openssh-client
+RUN npm ci
+RUN cat <<EOF >/root/.ssh/config 
+Host github.com
+  IdentityFile /root/.ssh/github
+  User git
+EOF
+
+RUN chmod +x ./scripts/04_add_github_to_known_hosts.sh
+RUN sh ./scripts/04_add_github_to_known_hosts.sh
+
+EXPOSE "8081"
+CMD ["npm", "run", "dev:server"] 
diff --git a/docker-compose.yml → docker-compose.dev.yml b/docker-compose.yml → docker-compose.dev.yml
@@ -1,20 +1,20 @@
 version: "3"
 services:
   web:
-    build: .
+    build:
+      context: .
+      dockerfile: Dockerfile.develop
     ports:
       - "8081:8081"
     depends_on:
       - postgres
     env_file:
       - .env
-    environment:
-      # postgres://user:pass@hostname:port/database
-      - DB_URI=postgres://isomer:password@postgres:5432/isomercms_dev
     volumes:
       - ./:/opt/isomercms-backend
       - /opt/isomercms-backend/node_modules
       - ${EFS_VOL_PATH}:${EFS_VOL_PATH}
+      - "~/.gitconfig:/etc/gitconfig"
 
   postgres:
     image: "postgres:13-alpine"
@@ -27,14 +27,5 @@ services:
     volumes:
       - isomercms_data:/var/lib/postgresql/data
 
-  postgres_test:
-    image: "postgres:13-alpine"
-    environment:
-      POSTGRES_USER: isomer
-      POSTGRES_PASSWORD: password
-      POSTGRES_DB: isomercms_test
-    ports:
-      # use a different port to avoid blocking dev environment when running tests
-      - "54321:5432"
 volumes:
   isomercms_data:
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
@@ -0,0 +1,13 @@
+version: "3"
+services:
+  postgres_test:
+    image: "postgres:13-alpine"
+    environment:
+      POSTGRES_USER: isomer
+      POSTGRES_PASSWORD: password
+      POSTGRES_DB: isomercms_test
+    ports:
+      # use a different port to avoid blocking dev environment when running tests
+      - "54321:5432"
+volumes:
+  isomercms_data:
diff --git a/package.json b/package.json
@@ -6,7 +6,7 @@
     "build": "tsc -p tsconfig.build.json",
     "start": "node --unhandled-rejections=warn -r ts-node/register/transpile-only -r tsconfig-paths/register -r dotenv/config build/server.js dotenv_config_path=/efs/isomer/.isomer.env",
     "dev:server": "source .env && ts-node-dev --unhandled-rejections=warn --respawn src/server.js",
-    "dev": "docker compose up",
+    "dev": "docker compose -f docker-compose.dev.yml up",
     "test": "source .env.test && jest --runInBand",
     "release": "npm version $npm_config_isomer_update && git push --tags",
     "lint": "npx eslint .",

diff --git a/scripts/04_add_github_to_known_hosts.sh b/scripts/04_add_github_to_known_hosts.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Get the server's public key
+ssh-keyscan -t rsa github.com >github_rsa.pub
+
+# Generate the key's fingerprint
+SERVER_FINGERPRINT=$(ssh-keygen -lf github_rsa.pub | awk '{print $2}')
+echo "SERVER_FINGERPRINT: $SERVER_FINGERPRINT" >/tmp/setup-github-known-hosts.txt
+
+# The official GitHub RSA fingerprint
+# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
+OFFICIAL_FINGERPRINT="SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"
+
+# Check if the server's fingerprint matches the official fingerprint
+# Note: This check is important to prevent any MITM attacks
+if [ "$SERVER_FINGERPRINT" = "$OFFICIAL_FINGERPRINT" ]; then
+    # If the fingerprints match, add the public key to the known_hosts file
+    cat github_rsa.pub >/root/.ssh/known_hosts
+    echo "GitHub's public key added to known_hosts." >>/tmp/setup-github-known-hosts.txt
+else
+    # If the fingerprints don't match, output a warning and exit with an error
+    echo "WARNING: The server's SSH key fingerprint doesn't match the official GitHub fingerprint." >>/tmp/setup-github-known-hosts.txt
+    rm github_rsa.pub
+    exit 1
+fi
+
+# Remove the temporary public key file
+rm github_rsa.pub