diff --git a/deploy/dockerfiles/blog/auth-requirements.in b/deploy/dockerfiles/blog/auth-requirements.in
deleted file mode 100644
index 68883a5c8..000000000
--- a/deploy/dockerfiles/blog/auth-requirements.in
+++ /dev/null
@@ -1,3 +0,0 @@
-Flask
-requests-oauthlib
-gunicorn
diff --git a/deploy/dockerfiles/blog/auth-requirements.txt b/deploy/dockerfiles/blog/auth-requirements.txt
deleted file mode 100644
index 68e57a147..000000000
--- a/deploy/dockerfiles/blog/auth-requirements.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.12
-# by the following command:
-#
-# pip-compile auth-requirements.in
-#
-blinker==1.7.0
- # via flask
-certifi==2023.11.17
- # via requests
-charset-normalizer==3.3.2
- # via requests
-click==8.1.7
- # via flask
-flask==3.0.0
- # via -r auth-requirements.in
-gunicorn==22.0.0
- # via -r auth-requirements.in
-idna==3.7
- # via requests
-itsdangerous==2.1.2
- # via flask
-jinja2==3.1.4
- # via flask
-markupsafe==2.1.3
- # via
- # jinja2
- # werkzeug
-oauthlib==3.2.2
- # via requests-oauthlib
-packaging==23.2
- # via gunicorn
-requests==2.32.3
- # via requests-oauthlib
-requests-oauthlib==1.3.1
- # via -r auth-requirements.in
-urllib3==2.2.2
- # via requests
-werkzeug==3.0.3
- # via flask
diff --git a/deploy/dockerfiles/blog/auth.dockerfile b/deploy/dockerfiles/blog/auth.dockerfile
deleted file mode 100644
index 3bc37d4c3..000000000
--- a/deploy/dockerfiles/blog/auth.dockerfile
+++ /dev/null
@@ -1,28 +0,0 @@
-FROM python:3.12-alpine
-
-# Create app user and group
-RUN addgroup -S app && adduser -S app -G app
-
-WORKDIR /app
-
-ENV PYTHONDONTWRITEBYTECODE=1
-ENV PYTHONUNBUFFERED=1
-
-# Install dependencies
-COPY deploy/dockerfiles/blog/auth-requirements.txt .
-RUN pip install --no-cache-dir -r auth-requirements.txt
-
-# Copy code
-COPY deploy/dockerfiles/blog/auth.py .
-
-# Run as app user
-RUN chown -R app:app .
-USER app
-
-# Run
-CMD ["gunicorn", \
- "--bind", ":8000", \
- "--log-file", "-", \
- "--workers", "2", "--threads", "4", "--worker-class", "gthread", \
- "--worker-tmp-dir", "/dev/shm", \
- "auth:app"]
diff --git a/deploy/dockerfiles/blog/auth.dockerfile.dockerignore b/deploy/dockerfiles/blog/auth.dockerfile.dockerignore
deleted file mode 100644
index ce3b9f742..000000000
--- a/deploy/dockerfiles/blog/auth.dockerfile.dockerignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*
-!deploy/dockerfiles/blog/auth.py
-!deploy/dockerfiles/blog/auth-requirements.txt
diff --git a/deploy/dockerfiles/blog/auth.py b/deploy/dockerfiles/blog/auth.py
deleted file mode 100644
index 7d05e6db9..000000000
--- a/deploy/dockerfiles/blog/auth.py
+++ /dev/null
@@ -1,69 +0,0 @@
-import json
-import os
-
-from flask import Flask, request, redirect, render_template_string, session
-from requests_oauthlib import OAuth2Session
-
-
-CLIENT_ID = os.getenv("OAUTH_CLIENT_ID")
-CLIENT_SECRET = os.getenv("OAUTH_CLIENT_SECRET")
-SCOPE = os.getenv("OAUTH_SCOPE", "public_repo")
-
-AUTHORIZATION_BASE_URL = "https://github.com/login/oauth/authorize"
-TOKEN_URL = "https://github.com/login/oauth/access_token"
-
-
-app = Flask(__name__)
-
-app.config.update(
- SESSION_COOKIE_SECURE=True,
- SESSION_COOKIE_HTTPONLY=True,
- SESSION_COOKIE_SAMESITE="Lax",
-)
-
-app.secret_key = os.urandom(24)
-
-
-@app.get("/")
-def auth():
- github = OAuth2Session(CLIENT_ID, scope=SCOPE)
- authorization_url, state = github.authorization_url(AUTHORIZATION_BASE_URL)
- session["oauth_state"] = state
- return redirect(authorization_url)
-
-
-CALLBACK_TEMPLATE = """
-
-
-
-
-
-
-"""
-
-
-@app.get("/callback")
-def callback():
- try:
- github = OAuth2Session(CLIENT_ID, state=session["oauth_state"], scope=SCOPE)
- token = github.fetch_token(TOKEN_URL, client_secret=CLIENT_SECRET, authorization_response=request.url)
-
- message = "success"
- content = json.dumps({"token": token.get("access_token", ""), "provider": "github"})
- except: # pylint: disable=bare-except
- message = "error"
- content = "Something went wrong"
-
- post_message = json.dumps(f"authorization:github:{message}:{content}")
-
- return render_template_string(CALLBACK_TEMPLATE, post_message=post_message)
diff --git a/deploy/dockerfiles/blog/blog.dockerfile b/deploy/dockerfiles/blog/blog.dockerfile
deleted file mode 100644
index 1cd809631..000000000
--- a/deploy/dockerfiles/blog/blog.dockerfile
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM nginx:stable-alpine
-
-COPY deploy/dockerfiles/blog/gcs-proxy.conf /etc/nginx/gcs-proxy.conf
-COPY deploy/dockerfiles/blog/blog.nginx.conf /etc/nginx/blog.conf.template
-
-CMD REAL_IP_CONFIG=$([ -z "${PROXY_IPS:-}" ] || echo "$PROXY_IPS" | awk 'BEGIN { RS="," } { print "set_real_ip_from " $1 ";" }') \
- envsubst "\$REAL_IP_CONFIG" < /etc/nginx/blog.conf.template > /etc/nginx/conf.d/default.conf && \
- nginx -g "daemon off;"
diff --git a/deploy/dockerfiles/blog/blog.dockerfile.dockerignore b/deploy/dockerfiles/blog/blog.dockerfile.dockerignore
deleted file mode 100644
index 4341535c7..000000000
--- a/deploy/dockerfiles/blog/blog.dockerfile.dockerignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*
-!deploy/dockerfiles/blog/blog.nginx.conf
-!deploy/dockerfiles/blog/gcs-proxy.conf
diff --git a/deploy/dockerfiles/blog/blog.nginx.conf b/deploy/dockerfiles/blog/blog.nginx.conf
deleted file mode 100644
index 17032fe2b..000000000
--- a/deploy/dockerfiles/blog/blog.nginx.conf
+++ /dev/null
@@ -1,250 +0,0 @@
-# Log access information in JSON format so that individual fields can
-# be queried in Stackdriver.
-log_format json_combined escape=json
-'{'
-'"httpRequest":{'
-'"requestMethod":"$request_method",'
-'"requestUrl":"$scheme://$host$request_uri",'
-'"status":"$status",'
-'"responseSize":$bytes_sent,'
-'"userAgent":"$http_user_agent",'
-'"remoteIp":"$remote_addr",'
-'"referer":"$http_referer",'
-'"latency":"${request_time}s",'
-'"protocol":"$server_protocol"'
-'}'
-'}';
-
-upstream gcs {
- server storage.googleapis.com:443;
- keepalive 128;
-}
-
-upstream auth {
- server localhost:8000;
-}
-
-server {
- listen 80 default_server;
-
- access_log /var/log/nginx/access.log json_combined;
-
- # Use relative URLs for redirects
- # Since requests come in through a load balancer, the host/port
- # known to Nginx is not necessarily the same as what the client
- # connects to
- absolute_redirect off;
-
- # Set request's remote address to actual client IP
- # The request is forwarded through a GCE load balancer and possibly
- # other GKE nodes before reaching the blog pod
- real_ip_header X-Forwarded-For;
- real_ip_recursive on;
-
- $REAL_IP_CONFIG
-
- # https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/web_performance/compression.conf
- gzip on;
- gzip_comp_level 5;
- gzip_min_length 256;
- gzip_proxied any; # Required for gzip_static to work behind GCP load balancer
- gzip_vary on;
-
- gzip_types
- application/atom+xml
- application/geo+json
- application/javascript
- application/x-javascript
- application/json
- application/ld+json
- application/manifest+json
- application/rdf+xml
- application/rss+xml
- application/vnd.ms-fontobject
- application/wasm
- application/x-web-app-manifest+json
- application/xhtml+xml
- application/xml
- font/eot
- font/otf
- font/ttf
- image/bmp
- image/svg+xml
- text/cache-manifest
- text/calendar
- text/css
- text/javascript
- text/markdown
- text/plain
- text/xml
- text/vcard
- text/vnd.rim.location.xloc
- text/vtt
- text/x-component
- text/x-cross-domain-policy;
-
- # Health check endpoints for GCP load balancer
- location = /health/ready {
- access_log off;
- add_header Content-Type text/plain;
- return 200 "ok";
- }
-
- location = /blog {
- return 302 /news/;
- }
-
- location ~ ^/blog/(.*) {
- return 302 /news/$1;
- }
-
- ############################################################
- # Auth provider
- ############################################################
-
- location /news/auth/ {
- expires -1y;
- add_header Pragma "no-cache";
-
- proxy_set_header Host $host;
-
- proxy_pass http://auth/;
- }
-
- ############################################################
- # Pull request previews
- ############################################################
-
- location ~ ^/news/preview/.*\.(?:css|js)$ {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Do not cache PR previews
- expires -1y;
- add_header Pragma "no-cache";
-
- # Remove URL prefix
- rewrite ^/news/preview(/.*)$ $1 break;
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/pulls$uri;
- }
-
- location /news/preview/ {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Do not cache PR previews
- expires -1y;
- add_header Pragma "no-cache";
-
- # Add "index.html" to request paths ending in "/"
- rewrite /$ ${uri}index.html;
-
- # If file is not found, try appending /index.html
- error_page 404 = @blog_preview_slash_index;
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/pulls/;
- }
-
- location @blog_preview_slash_index {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Do not cache PR previews
- expires -1y;
- add_header Pragma "no-cache";
-
- # Remove URL prefix
- rewrite ^/news/preview(/.*)$ $1 break;
-
- # Use custom 404 error page
- error_page 404 /news/404/index.html;
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/pulls$uri/index.html;
- }
-
- ############################################################
- # Main content
- ############################################################
- location /news/images/ {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Cache images
- expires 1w;
- add_header Cache-Control "public, max-age=604800, immutable";
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/main/images/;
- }
-
- location /news/static/ {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Cache static content
- # https://www.gatsbyjs.com/docs/caching/
- expires 1w;
- add_header Cache-Control "public, max-age=604800, immutable";
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/main/static/;
- }
-
- location ~ ^/news/.*\.(?:css|js)$ {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Cache CSS and JavaScript
- # https://www.gatsbyjs.com/docs/caching/
- expires 1w;
- add_header Cache-Control "public, max-age=604800, immutable";
-
- # Remove URL prefix
- rewrite ^/news(/.*)$ $1 break;
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/main$uri;
- }
-
- location /news/ {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Do not cache other content
- # https://www.gatsbyjs.com/docs/caching/
- expires -1y;
- add_header Pragma "no-cache";
-
- # Add "index.html" to request paths ending in "/"
- rewrite /$ ${uri}index.html;
-
- # If file is not found, try appending /index.html
- error_page 404 = @blog_slash_index;
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/main/;
- }
-
- location @blog_slash_index {
- # Include proxy configuration
- include /etc/nginx/gcs-proxy.conf;
-
- # Do not cache HTML
- # https://www.gatsbyjs.com/docs/caching/
- expires -1y;
- add_header Pragma "no-cache";
-
- # Remove URL prefix
- rewrite ^/news(/.*)$ $1 break;
-
- # Use custom 404 error page
- error_page 404 /news/404/index.html;
-
- # Proxy requests to GCS
- proxy_pass https://gcs/gnomad-blog/main$uri/index.html;
- }
-}
diff --git a/deploy/dockerfiles/blog/gcs-proxy.conf b/deploy/dockerfiles/blog/gcs-proxy.conf
deleted file mode 100644
index 7c7e3bcfe..000000000
--- a/deploy/dockerfiles/blog/gcs-proxy.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Configuration for proxying requests to GCS
-
-# Only allow GET and HEAD requests
-if ( $request_method !~ "GET|HEAD" ) {
- return 405;
-}
-
-proxy_http_version 1.1;
-proxy_intercept_errors on;
-
-proxy_hide_header accept-ranges;
-proxy_hide_header alt-svc;
-proxy_hide_header alternate-protocol;
-proxy_hide_header x-goog-generation;
-proxy_hide_header x-goog-hash;
-proxy_hide_header x-goog-metageneration;
-proxy_hide_header x-goog-meta-goog-reserved-file-mtime;
-proxy_hide_header x-goog-storage-class;
-proxy_hide_header x-goog-stored-content-encoding;
-proxy_hide_header x-goog-stored-content-length;
-proxy_hide_header X-GUploader-UploadID;
-proxy_hide_header x-xss-protection;
-proxy_hide_header Set-Cookie;
-
-proxy_ignore_headers Set-Cookie Expires Cache-Control;
-
-proxy_set_header Host storage.googleapis.com;
-proxy_set_header Connection "";
-proxy_set_header Cookie "";
-
-proxy_redirect off;
diff --git a/deploy/manifests/blog/base/blog.deployment.yaml b/deploy/manifests/blog/base/blog.deployment.yaml
deleted file mode 100644
index e8ca319fa..000000000
--- a/deploy/manifests/blog/base/blog.deployment.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
- name: gnomad-blog
- labels:
- component: gnomad-blog
-spec:
- replicas: 1
- selector:
- matchLabels:
- name: gnomad-blog
- template:
- metadata:
- labels:
- name: gnomad-blog
- component: gnomad-blog
- spec:
- containers:
- - name: web
- image: gnomad-blog
- env:
- - name: PROXY_IPS
- valueFrom:
- configMapKeyRef:
- name: proxy-ips
- key: ips
- resources:
- requests:
- cpu: 100m
- memory: 25Mi
- readinessProbe:
- httpGet:
- path: /health/ready
- port: http
- initialDelaySeconds: 3
- periodSeconds: 30
- ports:
- - name: http
- containerPort: 80
- - name: auth
- image: gnomad-blog-auth
- env:
- - name: OAUTH_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: blog-oauth-secrets
- key: client-id
- - name: OAUTH_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: blog-oauth-secrets
- key: client-secret
- resources:
- requests:
- cpu: 100m
- memory: 25Mi
- nodeSelector:
- cloud.google.com/gke-nodepool: 'main-pool'
diff --git a/deploy/manifests/blog/base/blog.service.yaml b/deploy/manifests/blog/base/blog.service.yaml
deleted file mode 100644
index f47a92d9b..000000000
--- a/deploy/manifests/blog/base/blog.service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: gnomad-blog
- labels:
- component: gnomad-blog
-spec:
- type: NodePort
- selector:
- name: gnomad-blog
- ports:
- - port: 80
- targetPort: 80
diff --git a/deploy/manifests/blog/base/kustomization.yaml b/deploy/manifests/blog/base/kustomization.yaml
deleted file mode 100644
index 9ecfc3320..000000000
--- a/deploy/manifests/blog/base/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./blog.deployment.yaml
- - ./blog.service.yaml