Merge pull request #699 from maykinmedia/feature/dev-docker-image

[#697] Dev docker image to disable 2FA in docker compose

Author: SilviaAmAm

.github/workflows/build-image.yaml

@@ -0,0 +1,89 @@
+name: Build the target Docker image
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string 
+        description: Image name without tag, e.g. 'repo/app'
+      image_tag_suffix:
+        required: true
+        type: string
+        default: ''
+      target_env:
+        required: true
+        type: string
+        default: 'production'
+        # options:
+        # - production
+        # - dev
+      settings_module:
+        required: true
+        type: string
+        default: 'docker'
+        # options:
+        # - docker
+        # - dev
+    outputs:
+      image_name:
+        description: Image name + tag of the built image
+        value: ${{ jobs.image_build.outputs.image_name }}
+      artifact_name:
+        description: Artifact name for the built image
+        value: ${{ jobs.image_build.outputs.artifact_name }}
+
+jobs:
+  image_build:
+    name: Build image
+    runs-on: ubuntu-latest
+
+    env:
+      COMPOSE_DOCKER_CLI_BUILD: 1
+      DOCKER_BUILDKIT: 1
+
+    outputs:
+      image_name: ${{ steps.build-args.outputs.image_name }}
+      artifact_name: ${{ steps.build-args.outputs.artifact_name }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract build args
+        id: build-args
+        run: |
+          # Strip git ref prefix from version
+          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+
+          # Strip "v" prefix from tag name (if present at all)
+          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+
+          # Use Docker `latest` tag convention
+          [ "$VERSION" == "main" ] && VERSION=latest
+
+          # PRs result in version 'merge' -> transform that into 'latest'
+          [ "$VERSION" == "merge" ] && VERSION=latest
+
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "image_name=${{ inputs.image_name }}:${VERSION}${{ inputs.image_tag_suffix }}" >> $GITHUB_OUTPUT
+          echo "artifact_name=docker-image-${VERSION}${{ inputs.image_tag_suffix }}" >> $GITHUB_OUTPUT
+          echo "git_hash=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+
+      - name: Build the Docker image
+        run: |
+          docker build . \
+            --tag ${{ steps.build-args.outputs.image_name }} \
+            --build-arg COMMIT_HASH=${{ steps.build-args.outputs.git_hash }} \
+            --build-arg RELEASE=${{ steps.build-args.outputs.version }} \
+            --build-arg TARGET_ENVIRONMENT=${{ inputs.target_env }} \
+            --build-arg SETTINGS_MODULE=${{ inputs.settings_module }}
+
+      - name: Dump image to file
+        run: docker image save -o image.tar ${{ steps.build-args.outputs.image_name }}
+
+      - name: Store image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.build-args.outputs.artifact_name }}
+          path: image.tar
+          retention-days: 1

.github/workflows/ci.yml

@@ -286,45 +286,24 @@ jobs:
        working-directory: open-archiefbeheer/backend/docs
 
   docker_build:
-    name: Build Docker image
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set tag
-        id: vars
-        run: |
-          # Strip git ref prefix from version
-          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-
-          # Strip "v" prefix from tag name (if present at all)
-          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
-
-          # Use Docker `latest` tag convention
-          [ "$VERSION" == "main" ] && VERSION=latest
-
-          # PRs result in version 'merge' -> transform that into 'latest'
-          [ "$VERSION" == "merge" ] && VERSION=latest
-
-          echo "tag=${VERSION}" >> $GITHUB_OUTPUT
-          echo "git_hash=${GITHUB_SHA}" >> $GITHUB_OUTPUT
-
-      - name: Build the production Docker image
-        run: |
-          docker build . \
-            --tag $IMAGE_NAME:$RELEASE_VERSION \
-            --build-arg COMMIT_HASH=${{ steps.vars.outputs.git_hash }} \
-            --build-arg RELEASE=${{ steps.vars.outputs.tag }} \
-        env:
-          RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
-
-      - run: docker image save -o image.tar $IMAGE_NAME:${{ steps.vars.outputs.tag }}
-      - name: Store image artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: docker-image
-          path: image.tar
-          retention-days: 1
+    name: Build docker image
+    strategy:
+      matrix:
+        # KEEP IN SYNC WITH docker_push JOB
+        target:
+          - target_env: production
+            image_tag_suffix: ''
+            settings_module: docker
+          - target_env: dev
+            image_tag_suffix: '-dev'
+            settings_module: dev
+
+    uses: ./.github/workflows/build-image.yaml
+    with:
+      image_name: maykinmedia/open-archiefbeheer
+      image_tag_suffix: ${{ matrix.target.image_tag_suffix }}
+      target_env: ${{ matrix.target.target_env }}
+      settings_module: ${{ matrix.target.settings_module }}
 
   docker_push:
     needs:
@@ -336,28 +315,22 @@ jobs:
     name: Push Docker image
     runs-on: ubuntu-latest
     if: github.event_name == 'push' # Exclude PRs
+    strategy:
+      matrix:
+        # KEEP IN SYNC WITH docker_build JOB
+        target:
+          - target_env: production
+            image_tag_suffix: ''
+          - target_env: dev
+            image_tag_suffix: '-dev'
 
     steps:
       - uses: actions/checkout@v4
 
       - name: Download built image
         uses: actions/download-artifact@v4
         with:
-          name: docker-image
-
-      - name: Set tag
-        id: vars
-        run: |
-          # Strip git ref prefix from version
-          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-
-          # Strip "v" prefix from tag name (if present at all)
-          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
-
-          # Use Docker `latest` tag convention
-          [ "$VERSION" == "main" ] && VERSION=latest
-
-          echo "tag=${VERSION}" >> $GITHUB_OUTPUT
+          name: docker-image-${{ needs.docker_build.outputs.version }}${{ matrix.target.image_tag_suffix }}
 
       - name: Load image
         run: |
@@ -369,6 +342,4 @@ jobs:
           --password-stdin
 
       - name: Push the Docker image (production)
-        run: docker push $IMAGE_NAME:$RELEASE_VERSION
-        env:
-          RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
+        run: docker push $IMAGE_NAME:${{ needs.docker_build.outputs.version }}${{ matrix.target.image_tag_suffix }}

Dockerfile

@@ -12,9 +12,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 WORKDIR /app
 RUN mkdir /app/src
 
+ARG ENVIRONMENT=production
+
 RUN pip install uv -U
 COPY ./backend/requirements /app/requirements
-RUN uv pip install --system -r requirements/production.txt
+RUN uv pip install --system -r requirements/${ENVIRONMENT}.txt
 
 # Stage 2 - Build the Front end
 FROM node:20-bullseye-slim AS frontend-build
@@ -82,12 +84,14 @@ USER maykin
 
 ARG COMMIT_HASH
 ARG RELEASE=latest
+ARG DJANGO_SETTINGS=docker
 
 ENV RELEASE=${RELEASE} \
     GIT_SHA=${COMMIT_HASH} \
     PYTHONUNBUFFERED=1 \
-    DJANGO_SETTINGS_MODULE=openarchiefbeheer.conf.docker
-
+    DJANGO_SETTINGS_MODULE=openarchiefbeheer.conf.${DJANGO_SETTINGS} 
+    
+# Needed otherwise the call to collectstatic fails
 ARG SECRET_KEY=dummy
 
 LABEL org.label-schema.vcs-ref=$COMMIT_HASH \

backend/docs/developers/setup-local-env.rst

@@ -85,4 +85,18 @@ To check test coverage:
 
 
 The ``coverage.xml`` file can then, for example, be used in IDEs 
-like VSCode with extension ``Coverage Gutters`` with ``ctrl+shift+7``.
+like VSCode with extension ``Coverage Gutters`` with ``ctrl+shift+7``.
+
+Docker
+======
+
+It is possible to start up a development docker environment with the file ``docker-compose.dev.yaml`` file.
+This does not support autoreload yet.
+
+To start the environment:
+
+.. code:: bash
+
+   docker compose -f docker-compose.dev.yaml up
+
+   

docker-compose.dev.yml

@@ -0,0 +1,115 @@
+#
+# DISCLAIMER: THIS IS FOR DEVELOPMENT PURPOSES ONLY AND NOT SUITABLE FOR PRODUCTION.
+#
+# You can use this docker-compose to spin up a local stack for demo/try-out
+# purposes, or to get some insight in the various components involved (e.g. to build
+# your Helm charts from). Note that various environment variables are UNSAFE and merely
+# specified so that you can get up and running with the least amount of friction.
+
+services:
+  db:
+    # NOTE: No persistence storage configured.
+    # See: https://hub.docker.com/_/postgres/
+    image: postgis/postgis:14-3.4
+    environment:
+      - POSTGRES_HOST_AUTH_METHOD=trust
+      - POSTGRES_USER=openarchiefbeheer
+      - POSTGRES_PASSWORD=openarchiefbeheer
+    networks:
+      - open-archiefbeheer-dev
+
+  redis:
+    # NOTE: No persistence storage configured.
+    image: redis:6
+    command: [ "redis-server", "--appendonly", "yes" ]
+    networks:
+      - open-archiefbeheer-dev
+
+  web:
+    image: oab-web-dev
+    build: 
+      context: .
+      args:
+        ENVIRONMENT: dev
+        DJANGO_SETTINGS: dev
+    environment: &web_env
+      - DJANGO_SETTINGS_MODULE=openarchiefbeheer.conf.dev
+      - DB_NAME=openarchiefbeheer
+      - DB_USER=openarchiefbeheer
+      - DB_HOST=db
+      - CACHE_DEFAULT=redis:6379/0
+      - CACHE_AXES=redis:6379/0
+      - CORS_ALLOWED_ORIGINS=http://localhost:9000,http://localhost:8000
+      - CSRF_TRUSTED_ORIGINS=http://localhost:9000,http://localhost:8000
+      - CSRF_COOKIE_SAMESITE=Lax
+      - CSRF_COOKIE_SECURE=False
+      - SESSION_COOKIE_SAMESITE=Lax
+      - SESSION_COOKIE_SECURE=False
+      - TWO_FACTOR_FORCE_OTP_ADMIN=False
+      - TWO_FACTOR_PATCH_ADMIN=False
+      - CELERY_BROKER_URL=redis://redis:6379/0
+      - CELERY_RESULT_BACKEND=redis://redis:6379/0
+      - CELERY_LOGLEVEL=DEBUG
+      - REACT_APP_API_URL=http://localhost:8000
+      - REACT_APP_API_PATH=/api/v1
+      - REACT_APP_ZAAK_URL_TEMPLATE=https://www.example.com/zaken/{identificatie}
+      - REQUESTS_READ_TIMEOUT=5000
+      - DISABLE_2FA=yes
+    ports:
+      - 8000:8000
+    depends_on:
+      - db
+      - redis
+    networks:
+      - open-archiefbeheer-dev
+
+  celery:
+    image: oab-celery-dev
+    build: 
+      context: .
+      args:
+        ENVIRONMENT: dev
+        DJANGO_SETTINGS: dev
+    command: /celery_worker.sh
+    environment: *web_env
+    healthcheck:
+      test: [ "CMD", "python", "/app/bin/check_celery_worker_liveness.py" ]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    depends_on:
+      - db
+      - redis
+    networks:
+      - open-archiefbeheer-dev
+
+  celery-beat:
+    image: oab-celery-beat-dev
+    build: 
+      context: .
+      args:
+        ENVIRONMENT: dev
+        DJANGO_SETTINGS: dev
+    command: /celery_beat.sh
+    environment: *web_env
+    depends_on:
+      - db
+      - redis
+    networks:
+      - open-archiefbeheer-dev
+
+  nginx:
+    image: nginx
+    volumes:
+      - ./docker-nginx-default.conf:/etc/nginx/conf.d/default.conf
+    ports:
+      - '9000:80'
+    depends_on:
+      - web
+    networks:
+      - open-archiefbeheer-dev
+
+networks:
+  open-archiefbeheer-dev:
+    name: open-archiefbeheer-dev