Merge pull request #391 from 18F/stages/rc-2023-08-29

Deploy RC 59 to Prod
18F · Aug 29, 2023 · 12783ea · 12783ea
2 parents 529bec9 + c894d78
commit 12783ea
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 18 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -80,10 +80,10 @@ review-app:
         {"name": "CLIENT_CERT_S3_BUCKET", "value": "login-gov-pivcac-public-cert-reviewapp.894947205914-us-west-2"},
         {"name": "POSTGRES_SSLMODE", "value": "prefer"},
         {"name": "POSTGRES_NAME", "value": "identity_pki_production"},
-        {"name": "POSTGRES_HOST","value": "$CI_ENVIRONMENT_SLUG-identity-idp-chart-pivcac-postgres.review-apps"},
+        {"name": "POSTGRES_HOST","value": "$CI_ENVIRONMENT_SLUG-login-chart-pivcac-pg.review-apps"},
         {"name": "POSTGRES_USERNAME", "value": "postgres"},
         {"name": "POSTGRES_PASSWORD", "value": "pivcac"},
-        {"name": "IDP_HOST", "value": "rails-app-test-identity-idp-chart-idp.review-apps"},
+        {"name": "IDP_HOST", "value": "rails-app-test-login-chart-idp.review-apps"},
         {"name": "DOMAIN_NAME", "value": "$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov"}
       ]
       EOF
@@ -105,7 +105,7 @@ review-app:
       $CI_ENVIRONMENT_SLUG ./identity-idp-helm-chart
     - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away"
     - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name review_app'"
-    - echo "Then run 'aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-identity-idp-chart-pivcac -n review-apps -- /app/bin/rails console'"
+    - echo "Then run 'aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-pivcac -n review-apps -- /app/bin/rails console'"
   after_script:
     - echo "Address of PIVCAC review app:"
     - echo https://$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov

diff --git a/Makefile b/Makefile
@@ -5,7 +5,7 @@
 # bin/ directory.
 
 CONFIG = config/application.yml
-PORT ?= 8443
+PORT ?= 8442
 
 all: check
 

diff --git a/Procfile b/Procfile
@@ -1 +1,2 @@
-web: bundle exec rackup config.ru --host "ssl://${HOST:-localhost}:${PORT:-8443}?key=config/local-certs/server.key&cert=config/local-certs/server.crt"
+web: bundle exec rails s -p 8442
+nginx: nginx -c config/nginx_server.conf.example -p "`pwd`"
diff --git a/README.md b/README.md
@@ -27,22 +27,28 @@ PIV/CAC support for login.gov.
   rbenv alias 3.0 3.0.6 # create the version alias
   ```
 
-2. Make sure Postgres is running.
+1. Make sure you have Nginx installed.
+
+  ```
+  $ brew install nginx
+  ```
+
+1. Make sure Postgres is running.
 
   For example, if you've installed the laptop script on OS X, you can start the services like this:
 
   ```
   $ brew services start postgresql
   ```
 
-3. Create the development and test databases:
+1. Create the development and test databases:
 
   ```
   $ psql -c "CREATE DATABASE identity_pki_dev;"
   $ psql -c "CREATE DATABASE identity_pki_test;"
   ```
 
-4. Run the following command to set up the environment
+1. Run the following command to set up the environment
 
   - The first time, it will prompt for a passphrase for the root certificate. You can put anything as long as you remember it, it's just for development. To keep it simple, try `salty pickles`.
 
@@ -55,7 +61,7 @@ PIV/CAC support for login.gov.
   This command copies sample configuration files, installs required gems
   and sets up the database.
 
-5. Run the app server with:
+1. Run the app server with:
 
   ```
   $ make run

diff --git a/config/application.yml.default b/config/application.yml.default
@@ -57,7 +57,7 @@ required_policies: |
 
 development:
   aws_region: 'us-east-1'
-  client_cert_escaped: 'false'
+  client_cert_escaped: 'true'
   database_name: 'identity_pki_dev'
   nonce_bloom_filter_server: 'redis://localhost:6379/2'
   nonce_bloom_filter_enabled: 'true'

diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -5,6 +5,8 @@
   # every request. This slows down response time but is perfect for development
   # since you don't have to restart the web server when you make code changes.
   config.cache_classes = false
+  # This allows nginx to make a request
+  config.hosts << 'rails_upstream'
 
   # Do not eager load code on boot.
   config.eager_load = false

diff --git a/config/nginx_server.conf.example b/config/nginx_server.conf.example
@@ -0,0 +1,31 @@
+# run in foreground instead of via daemon
+worker_processes 1;
+daemon off;
+
+events {}
+http {
+  upstream rails_upstream {
+    server 127.0.0.1:8442;
+  }
+
+  server {
+    listen  8443 ssl;
+    server_name identity_pki;
+
+    ssl_certificate      local-certs/server.crt;
+    ssl_certificate_key  local-certs/server.key;
+    ssl_verify_client optional_no_ca; # on;
+    ssl_verify_depth 10;
+
+    location / {
+      proxy_redirect off;
+      proxy_pass http://rails_upstream;
+      proxy_set_header X-Client-Verify $ssl_client_verify;
+      proxy_set_header X-Client-S-Dn $ssl_client_s_dn;
+      proxy_set_header X-Client-I-Dn $ssl_client_i_dn;
+      proxy_set_header X-Client-Serial $ssl_client_serial;
+      proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
+      proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
+    }
+  }
+}
diff --git a/config/puma.rb b/config/puma.rb
@@ -6,6 +6,7 @@
 #
 threads_count = ENV.fetch('RAILS_MAX_THREADS') { 5 }
 threads threads_count, threads_count
+workers Integer(ENV['PUMA_WORKERS'] || 1)
 
 # Specifies the `port` that Puma will listen on to receive requests; default is 3000.
 #
@@ -30,15 +31,16 @@
 # you need to make sure to reconnect any threads in the `on_worker_boot`
 # block.
 #
-# preload_app!
+preload_app!
 
 # If you are preloading your application and using Active Record, it's
 # recommended that you close any connections to the database before workers
 # are forked to prevent connection leakage.
 #
-# before_fork do
-#   ActiveRecord::Base.connection_pool.disconnect! if defined?(ActiveRecord)
-# end
+before_fork do
+  ActiveRecord::Base.connection_pool.disconnect! if defined?(ActiveRecord)
+end
+
 
 # The code in the `on_worker_boot` will be called if you are using
 # clustered mode by specifying a number of `workers`. After each worker
@@ -47,10 +49,11 @@
 # or connections that may have been created at application boot, as Ruby
 # cannot share connections between processes.
 #
-# on_worker_boot do
-#   ActiveRecord::Base.establish_connection if defined?(ActiveRecord)
-# end
-#
+on_worker_boot do
+  ActiveRecord::Base.establish_connection if defined?(ActiveRecord)
+
+  CertificateStore.instance.load_certs!
+end
 
 # Allow puma to be restarted by `rails restart` command.
 plugin :tmp_restart