Merge pull request #3 from Datawheel/canon-cms

Canon cms

.dockerignore

@@ -1,9 +1,9 @@
 *.md
-*.env
+*.env.local
 *.gcp.json
 *.gcp.encoded
 .github
 node_modules
 Dockerfile
 index.js
-npm-debug.log
+npm-debug.log

.github/workflows/google-registry-gke-develop.yml

@@ -0,0 +1,148 @@
+# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the "develop" branch
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled in the project:
+#
+#    Cloud Build          cloudbuild.googleapis.com
+#    Cloud Run            run.googleapis.com
+#    Artifact Registry    artifactregistry.googleapis.com
+#
+# 2. Create a service account (if you don't have one) with the following fields:
+#
+#    Service Account Name     <PROJECT-NAME>-github-actions
+#    Service Account ID       <PROJECT-NAME>-github-actions
+#
+# 3. Ensure the service account have the required IAM permissions granted:
+#
+#    Cloud Build
+#      roles/cloudbuild.builds.editor    (cloud build editor)
+#      roles/cloudbuild.builds.builder   (cloud build service account)
+#
+#    Cloud Run
+#      roles/run.admin                   (cloud run admin)
+#
+#    Artifact Registry
+#      roles/artifactregistry.repoAdmin  (artifact registry repository administrator)
+#      roles/artifactregistry.admin      (artifact registry administrator)
+#
+#    Service Account
+#      roles/iam.serviceAccountUser      (act as the Cloud Run runtime service account)
+#
+#    Basic Roles
+#      roles/viewer                      (viewer)
+#
+#    NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Ensure you have the following GitHub Secrets and Variables:
+#
+#    GitHub Secrets
+#      GCP_SA_KEY                        (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
+#
+#    GitHub Variables
+#      GCP_PROJECT_ID                    (Google Cloud Project ID)
+#      GCP_ARTIFACT_REGISTRY_NAME        (Google Cloud Articaft Registry Repository Name)
+#      GCP_ARTIFACT_REGISTRY_LOCATION    (Google Cloud Artifact Registry Reposotiry Location)
+#
+# 5. Ensure you have the following GitHub Vatiables for each environment that you will set up:
+#
+#    GitHub Secrets
+#      CANON_CMS_DB                      (Canon CMD DB String)
+#      FLICKR_API_KEY                    (Flickr API Key)
+#      GOOGLE_APPLICATION_CREDENTIALS    (Google Credential)
+#
+#    GitHub Variables
+#      GCP_CLOUDRUN_SERVICE              (CloudRun Service Name of the environment)
+#      GCP_CLOUDRUN_REGION               (CloudRun Service Region of the environment)
+#      CANON_API                         (Canon API Endpoint)
+#      CANON_CMS_CUBES                   (Canon Tesseract API Cubes Endpoint)
+#      CANON_CMS_ENABLE                  (Canon CMS Enable CMS)
+#      CANON_CMS_FORCE_HTTPS             (Canon CMS Force HTTPS)
+#      CANON_CMS_LOGGING                 (Canon CMS Logging)
+#      CANON_CONST_STORAGE_BUCKET        (Google Storage Bucket)
+#      CANON_GOOGLE_ANALYTICS            (Google Analytics Code)
+#      CANON_LANGUAGES                   (Canon Languages)
+#      CANON_LANGUAGE_DEFAULT            (Canon Language Default)
+#      CANON_LOGINS                      (Canon CMS Logins)
+#
+# Further reading:
+#   Cloud Run IAM permissions                 - https://cloud.google.com/run/docs/deploying
+#   Artifact Registry IAM permissions         - https://cloud.google.com/artifact-registry/docs/access-control#roles
+#   Container Registry vs Artifact Registry   - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+#   Principle of least privilege              - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+#   Deploy CloudRun Github Actions            - https://github.com/google-github-actions/deploy-cloudrun
+name: Build to Artifact Registry and Deploy to GKE
+
+on:
+  push:
+    branches: [ "develop" ]
+
+env:
+  GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
+  GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
+  GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
+  GCP_CLOUDRUN_SERVICE: ${{ vars.GCP_CLOUDRUN_SERVICE }}
+  GCP_CLOUDRUN_REGION: ${{ vars.GCP_CLOUDRUN_REGION }}
+  GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
+  GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
+  GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
+  GKE_ZONE: ${{ vars.GKE_ZONE }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: develop
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Authentication via credentials json
+      - name: Google Auth
+        id: auth
+        uses: 'google-github-actions/auth@v0'
+        with:
+          project_id: '${{ env.GCP_PROJECT_ID }}'
+          credentials_json: '${{ secrets.GCP_SA_KEY }}'
+
+      # Build image on Google Cloud Artifact Registry
+      - name: Build Docker Image
+        run: |-
+          gcloud builds submit \
+            --quiet \
+            --timeout=20m \
+            --tag ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }}
+
+      # Uncomment for adding the latest tag to the latest image created
+      - name: Add 'Latest' Tag to Development Environments
+        run: |-
+          gcloud beta artifacts docker tags add \
+            --quiet \
+            ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} \
+            ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:latest
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: develop
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Authentication via credentials json
+      - name: Google Auth
+        id: auth
+        uses: 'google-github-actions/auth@v0'
+        with:
+          project_id: '${{ vars.GCP_PROJECT_ID }}'
+          credentials_json: '${{ secrets.GCP_SA_KEY }}'
+
+      # Get google kubernetes engine credentials
+      - name: Get GKE Credentials
+        uses: google-github-actions/get-gke-credentials@v0
+        with:
+          cluster_name: ${{ env.GKE_CLUSTER }}
+          location: ${{ env.GKE_ZONE }}
+
+      # Restart deployment by deleting old pod
+      - name: Restart Deployment
+        run: kubectl delete pod -n ${{ env.GKE_APP_NAMESPACE }} -l app=${{ env.GKE_APP_NAME }}

.github/workflows/google-registry-gke.yml

@@ -0,0 +1,148 @@
+# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the "main" branch
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled in the project:
+#
+#    Cloud Build          cloudbuild.googleapis.com
+#    Cloud Run            run.googleapis.com
+#    Artifact Registry    artifactregistry.googleapis.com
+#
+# 2. Create a service account (if you don't have one) with the following fields:
+#
+#    Service Account Name     <PROJECT-NAME>-github-actions
+#    Service Account ID       <PROJECT-NAME>-github-actions
+#
+# 3. Ensure the service account have the required IAM permissions granted:
+#
+#    Cloud Build
+#      roles/cloudbuild.builds.editor    (cloud build editor)
+#      roles/cloudbuild.builds.builder   (cloud build service account)
+#
+#    Cloud Run
+#      roles/run.admin                   (cloud run admin)
+#
+#    Artifact Registry
+#      roles/artifactregistry.repoAdmin  (artifact registry repository administrator)
+#      roles/artifactregistry.admin      (artifact registry administrator)
+#
+#    Service Account
+#      roles/iam.serviceAccountUser      (act as the Cloud Run runtime service account)
+#
+#    Basic Roles
+#      roles/viewer                      (viewer)
+#
+#    NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Ensure you have the following GitHub Secrets and Variables:
+#
+#    GitHub Secrets
+#      GCP_SA_KEY                        (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
+#
+#    GitHub Variables
+#      GCP_PROJECT_ID                    (Google Cloud Project ID)
+#      GCP_ARTIFACT_REGISTRY_NAME        (Google Cloud Articaft Registry Repository Name)
+#      GCP_ARTIFACT_REGISTRY_LOCATION    (Google Cloud Artifact Registry Reposotiry Location)
+#
+# 5. Ensure you have the following GitHub Vatiables for each environment that you will set up:
+#
+#    GitHub Secrets
+#      CANON_CMS_DB                      (Canon CMD DB String)
+#      FLICKR_API_KEY                    (Flickr API Key)
+#      GOOGLE_APPLICATION_CREDENTIALS    (Google Credential)
+#
+#    GitHub Variables
+#      GCP_CLOUDRUN_SERVICE              (CloudRun Service Name of the environment)
+#      GCP_CLOUDRUN_REGION               (CloudRun Service Region of the environment)
+#      CANON_API                         (Canon API Endpoint)
+#      CANON_CMS_CUBES                   (Canon Tesseract API Cubes Endpoint)
+#      CANON_CMS_ENABLE                  (Canon CMS Enable CMS)
+#      CANON_CMS_FORCE_HTTPS             (Canon CMS Force HTTPS)
+#      CANON_CMS_LOGGING                 (Canon CMS Logging)
+#      CANON_CONST_STORAGE_BUCKET        (Google Storage Bucket)
+#      CANON_GOOGLE_ANALYTICS            (Google Analytics Code)
+#      CANON_LANGUAGES                   (Canon Languages)
+#      CANON_LANGUAGE_DEFAULT            (Canon Language Default)
+#      CANON_LOGINS                      (Canon CMS Logins)
+#
+# Further reading:
+#   Cloud Run IAM permissions                 - https://cloud.google.com/run/docs/deploying
+#   Artifact Registry IAM permissions         - https://cloud.google.com/artifact-registry/docs/access-control#roles
+#   Container Registry vs Artifact Registry   - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+#   Principle of least privilege              - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+#   Deploy CloudRun Github Actions            - https://github.com/google-github-actions/deploy-cloudrun
+name: Build to Artifact Registry and Deploy to GKE
+
+on:
+  push:
+    branches: [ "main" ]
+
+env:
+  GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
+  GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
+  GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
+  GCP_CLOUDRUN_SERVICE: ${{ vars.GCP_CLOUDRUN_SERVICE }}
+  GCP_CLOUDRUN_REGION: ${{ vars.GCP_CLOUDRUN_REGION }}
+  GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
+  GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
+  GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
+  GKE_ZONE: ${{ vars.GKE_ZONE }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Authentication via credentials json
+      - name: Google Auth
+        id: auth
+        uses: 'google-github-actions/auth@v0'
+        with:
+          project_id: '${{ env.GCP_PROJECT_ID }}'
+          credentials_json: '${{ secrets.GCP_SA_KEY }}'
+
+      # Build image on Google Cloud Artifact Registry
+      - name: Build Docker Image
+        run: |-
+          gcloud builds submit \
+            --quiet \
+            --timeout=20m \
+            --tag ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }}
+
+      # Uncomment for adding the latest tag to the latest image created
+      - name: Add 'Latest' Tag to Development Environments
+        run: |-
+          gcloud beta artifacts docker tags add \
+            --quiet \
+            ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} \
+            ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:latest
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Authentication via credentials json
+      - name: Google Auth
+        id: auth
+        uses: 'google-github-actions/auth@v0'
+        with:
+          project_id: '${{ vars.GCP_PROJECT_ID }}'
+          credentials_json: '${{ secrets.GCP_SA_KEY }}'
+
+      # Get google kubernetes engine credentials
+      - name: Get GKE Credentials
+        uses: google-github-actions/get-gke-credentials@v0
+        with:
+          cluster_name: ${{ env.GKE_CLUSTER }}
+          location: ${{ env.GKE_ZONE }}
+
+      # Restart deployment by deleting old pod
+      - name: Restart Deployment
+        run: kubectl delete pod -n ${{ env.GKE_APP_NAMESPACE }} -l app=${{ env.GKE_APP_NAME }}

.gitignore

@@ -10,16 +10,12 @@ node_modules
 **/*.bundle.js
 
 # environment variable files for autoenv and direnv
+.env
 .envrc
-.env.local
 
 # docker files
 dockerfiles/nginx/certs/*
 dockerfiles/nginx/conf.d/default.conf
 
 # pm2 ecosystem config
 ecosystem.config.js
-
-# gcp private keys
-*.gcp.json
-*.gcp.encoded

Dockerfile

@@ -1,24 +1,22 @@
+# starting point: an image of node-12
 FROM node:12-alpine
 
-# create the app directory inside the image and use it as working directory
+# create the app directory inside the image and use it as root from now on
 WORKDIR /usr/src/app
-COPY --chown=node:node . /usr/src/app
 
-# copy package files on the image
+# install app dependencies from the files package.json and package-lock.json
+# installing before transfering the app files allows us to take advantage of cached Docker layers
 COPY package*.json ./
+# RUN npm install
 
-# install node packages. if you are building a production image, uncomment the ci installation
-RUN npm install
-#RUN npm ci --only=production
+# If you are building your code for production
+RUN npm ci --only=production
 
-# transfer the app files
+# transfer the app codebase files to the root directory of the app
 COPY ./ ./
 
 # build the app
 RUN npm run build
 
-# change user to node
-USER node
-
 # start the app on image startup
 CMD ["npm", "run", "start"]

README.md

@@ -1,4 +1,4 @@
-# Canon-Site Template
+# Canon CMS Template for NextJS
 
 This is a Canon-Site template for projects using [canon](https://github.com/Datawheel/canon) as main react environment. To start using this template, just create a new repository from this template and start coding 🎉
 

api/customAttributes.js

@@ -0,0 +1,12 @@
+const {CANON_CMS_CUBES} = process.env;
+
+module.exports = function(app) {
+
+  app.post("/api/cms/customAttributes/:pid", async(req, res) => {
+
+    return res.json({
+      tesseract: CANON_CMS_CUBES
+    });
+
+  });
+};