From f5a94cbdbf4a1fc024d22367e56ad103ab81ef19 Mon Sep 17 00:00:00 2001
From: Jawad Qureshi
Date: Tue, 21 Nov 2023 10:40:13 -0600
Subject: [PATCH] Add nginx sidecar
---
.../build_and_push_nginx_sidecar.yml | 24 ++++++
nginx-sidecar/Dockerfile | 48 +++++++++++
nginx-sidecar/nginx.conf | 82 +++++++++++++++++++
3 files changed, 154 insertions(+)
create mode 100644 .github/workflows/build_and_push_nginx_sidecar.yml
create mode 100644 nginx-sidecar/Dockerfile
create mode 100644 nginx-sidecar/nginx.conf
diff --git a/.github/workflows/build_and_push_nginx_sidecar.yml b/.github/workflows/build_and_push_nginx_sidecar.yml
new file mode 100644
index 00000000..8443d2d8
--- /dev/null
+++ b/.github/workflows/build_and_push_nginx_sidecar.yml
@@ -0,0 +1,24 @@
+name: Build Python Images and Push to Quay and ECR
+
+on:
+ push:
+ paths:
+ - nginx-sidecar/*
+ - .github/workflows/build_and_push_nginx_sidecar.yml
+
+jobs:
+ nginx-sidecar:
+ name: nginx-sidecar Build and Push
+ uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@feat/docker-cache-repo
+ with:
+ DOCKERFILE_LOCATION: "./nginx-sidecar/Dockerfile"
+ DOCKERFILE_BUILD_CONTEXT: "./nginx-sidecar"
+ OVERRIDE_REPO_NAME: "nginx-sidecar"
+ OVERRIDE_TAG_NAME: "nginx-sidecar-$(echo ${GITHUB_REF#refs/*/} | tr / _)"
+ # BUILD_PLATFORMS: "linux/amd64"
+ USE_QUAY_ONLY: "true"
+ secrets:
+ ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+ ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+ QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+ QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
diff --git a/nginx-sidecar/Dockerfile b/nginx-sidecar/Dockerfile
new file mode 100644
index 00000000..3ce4b8c5
--- /dev/null
+++ b/nginx-sidecar/Dockerfile
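Review bot: In .github/workflows/build_and_push_nginx_sidecar.yml the `uses:` line calls the reusable workflow at `@feat/docker-cache-repo`, a branch ref that can move, while the `secrets:` block hands it the ECR keys and the Quay robot token; whatever is pushed to that branch later runs with those credentials. Pinning the call to a full commit SHA (placeholder: `image_build_push.yaml@FULL_COMMIT_SHA`), or at least a release tag, keeps the executed code fixed and reviewable. The `name:` still reads `Build Python Images and Push to Quay and ECR`, which looks copied from another workflow; `name: Build nginx-sidecar Image and Push to Quay` would match the job as configured with `USE_QUAY_ONLY: "true"`.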
@@ -0,0 +1,48 @@
+ARG AZLINUX_VERSION=2023
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:${AZLINUX_VERSION}
+
+
+# install any available security and bugfix updates
+RUN dnf update \
+ --assumeyes \
+ && dnf update \
+ --security \
+ --bugfix \
+ --assumeyes \
+ && dnf clean all \
+ && rm -rf /var/cache/yum
+
+# install nginx
+RUN yum update -y && \
+ yum install -y nginx && \
+ yum clean all && \
+ rm -rf /var/cache/yum
+
+# create nginx user/group for unprivileged execution. Give it uid/gid 1000 and guid 1000
+# Give it access to all nginx folders
+RUN groupadd --gid 1000 gen3 && \
+ useradd --uid 1000 --gid gen3 --shell /bin/bash --create-home gen3 && \
+ mkdir -p /var/cache/nginx && \
+ mkdir -p /var/log/nginx && \
+ mkdir -p /var/run/nginx && \
+ chown -R gen3:gen3 /var/cache/nginx && \
+ chown -R gen3:gen3 /var/log/nginx && \
+ chown -R gen3:gen3 /var/run/nginx && \
+ chown -R gen3:gen3 /var/cache/nginx/ && \
+ chown -R gen3:gen3 /var/lib/nginx/ && \
+ touch /run/nginx.pid && \
+ chown -R gen3:gen3 /run/nginx.pid && \
+ chown -R gen3:gen3 /etc/nginx/
+
+# Send logs to sdtout and stderr
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+ ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+USER gen3
+
+EXPOSE 80
+STOPSIGNAL SIGTERM
+CMD nginx -g 'daemon off;'
diff --git a/nginx-sidecar/nginx.conf b/nginx-sidecar/nginx.conf
new file mode 100644
index 00000000..374ce2ad
--- /dev/null
+++ b/nginx-sidecar/nginx.conf
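Review bot: In nginx-sidecar/Dockerfile the last step of the user-setup `RUN`, `chown -R gen3:gen3 /etc/nginx/`, makes the whole configuration tree writable by the account nginx runs as, so anything that gains code execution in the server process can rewrite its own config. The process only needs to read that directory, so I would drop that line and keep the ownership changes to the cache, log, lib and pid paths (the later `COPY nginx.conf` lands root-owned, which is readable as long as the file mode in the build context allows it). Separately, `EXPOSE 80` does not match the `listen 8081;` in the nginx.conf added by this same patch; `EXPOSE 8081` would document the real port. The shell-form `CMD nginx -g 'daemon off;'` is better written as `CMD ["nginx", "-g", "daemon off;"]`, so nginx is the container's main process and receives the `STOPSIGNAL` directly instead of depending on how `/bin/sh -c` handles it.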
@@ -0,0 +1,82 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+# user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ keepalive_timeout 65;
+ types_hash_max_size 4096;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 8081;
+ listen [::]:8081;
+ server_name _;
+ root /usr/share/nginx/html;
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ error_page 404 /404.html;
+ location = /404.html {
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+ }
+
+# Settings for a TLS enabled server.
+#
+# server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+# server_name _;
+# root /usr/share/nginx/html;
+#
+# ssl_certificate "/etc/pki/nginx/server.crt";
+# ssl_certificate_key "/etc/pki/nginx/private/server.key";
+# ssl_session_cache shared:SSL:1m;
+# ssl_session_timeout 10m;
+# ssl_ciphers PROFILE=SYSTEM;
+# ssl_prefer_server_ciphers on;
+#
+# # Load configuration files for the default server block.
+# include /etc/nginx/default.d/*.conf;
+#
+# error_page 404 /404.html;
+# location = /404.html {
+# }
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# }
+# }
+
+}
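Review bot: The `http` block in nginx-sidecar/nginx.conf never sets `server_tokens`, so the `Server` header and nginx's built-in error pages will report the exact nginx version; adding `server_tokens off;` beside `keepalive_timeout 65;` removes that detail from every response. The `server` on 8081 also keeps the package defaults (`server_name _;`, `root /usr/share/nginx/html;`), so unless a file under `conf.d` or `default.d` overrides it the sidecar serves the distribution's stock pages. If that listener is only a placeholder, a short comment above `server {` saying so would help, for example `# default listener; site-specific rules come from /etc/nginx/conf.d/*.conf`, assuming that is the intent. The commented-out TLS server at the end is unused stock text and could be dropped so the file shows only what is active.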