Merge pull request #1662 from BallAerospace/init_and_minio

Init and minio

.github/workflows/playwright.yml

@@ -13,22 +13,17 @@ on:
     branches: [master]
 
 jobs:
-  cosmos-build:
+  cosmos-build-test-scan:
     if: ${{ github.actor != 'dependabot[bot]' }}
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
     steps:
       - uses: actions/checkout@v3
       - name: cosmos-control.sh build
         # This `shell` line is required to get around a known issue: https://github.com/actions/runner/issues/241#issuecomment-745902718
         shell: 'script -q -e -c "bash {0}"'
         run: ./cosmos-control.sh build
-  playwright:
-    needs: cosmos-build
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-    steps:
-      - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
         with:
           node-version: "14"
@@ -65,37 +60,25 @@ jobs:
         with:
           name: playwright
           path: playwright/test-results
-  container-scan:
-    needs: cosmos-build
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        container:
-          [
-            base,
-            ruby,
-            node,
-            traefik,
-            operator,
-            cmd-tlm-api,
-            script-runner-api,
-            redis,
-            minio-init,
-          ]
-    steps:
       - uses: anchore/scan-action/download-grype@v3
         id: grype
-      - name: Run grype on the image
-        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-${{ matrix.container }}:latest
-      # - name: Run the Anchore scan action
-      #   uses: anchore/scan-action@v3
-      #   with:
-      #     image: "docker.io/ballaerospace/cosmosc2-${{ matrix.container }}:latest"
-      #     fail-build: false
-      #     severity-cutoff: critical # low, medium, high, critical
-      #     acs-report-enable: true
-      # - name: Upload Anchore Scan Report
-      #   uses: github/codeql-action/upload-sarif@v2
-      #   with:
-      #     sarif_file: results.sarif
-      #     category: ${{ matrix.container }}
+      - name: Run grype on the image ruby
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-ruby:latest
+      - name: Run grype on the image node
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-node:latest
+      - name: Run grype on the image base
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-base:latest
+      - name: Run grype on the image init
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-init:latest
+      - name: Run grype on the image redis
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-redis:latest
+      - name: Run grype on the image minio
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-minio:latest
+      - name: Run grype on the image operator
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-operator:latest
+      - name: Run grype on the image cmd-tlm-api
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-cmd-tlm-api:latest
+      - name: Run grype on the image script-runner-api
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-script-runner-api:latest
+      - name: Run grype on the image traefik
+        run: ${{steps.grype.outputs.cmd}} docker.io/ballaerospace/cosmosc2-traefik:latest

compose-build.yaml

@@ -54,9 +54,9 @@ services:
     depends_on:
       - "cosmos-ruby"
 
-  cosmos-minio-init:
+  cosmos-minio:
     build:
-      context: "cosmos-minio-init"
+      context: "cosmos-minio"
       network: host
       args:
         COSMOS_REGISTRY: ${COSMOS_REGISTRY}

compose.yaml

@@ -21,33 +21,45 @@ version: "3.5"
 
 services:
   cosmos-minio:
-    image: "${COSMOS_REGISTRY}/minio/minio:RELEASE.2021-06-17T00-10-46Z"
+    image: "${COSMOS_REGISTRY}/ballaerospace/cosmosc2-minio:${COSMOS_TAG}"
     volumes:
       - "cosmos-minio-v:/data"
+      - "${PWD}/cacert.pem:/devel/cacert.pem"
     command: ["server", "/data"]
     restart: "unless-stopped"
     environment:
       MINIO_ROOT_USER: "${COSMOS_MINIO_USERNAME}"
       MINIO_ROOT_PASSWORD: "${COSMOS_MINIO_PASSWORD}"
-
-  cosmos-minio-init:
-    image: "${COSMOS_REGISTRY}/ballaerospace/cosmosc2-minio-init:${COSMOS_TAG}"
-    restart: on-failure
-    depends_on:
-      - "cosmos-minio"
-    env_file:
-      - ".env"
+      SSL_CERT_FILE: "/devel/cacert.pem"
+      CURL_CA_BUNDLE: "/devel/cacert.pem"
+      REQUESTS_CA_BUNDLE: "/devel/cacert.pem"
+      NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 
   cosmos-redis:
     image: "${COSMOS_REGISTRY}/ballaerospace/cosmosc2-redis:${COSMOS_TAG}"
     volumes:
       - "cosmos-redis-v:/data"
+      - "${PWD}/cacert.pem:/devel/cacert.pem"
+      - "${PWD}/cosmos-redis/users.acl:/config/users.acl"
     restart: "unless-stopped"
+    environment:
+      SSL_CERT_FILE: "/devel/cacert.pem"
+      CURL_CA_BUNDLE: "/devel/cacert.pem"
+      REQUESTS_CA_BUNDLE: "/devel/cacert.pem"
+      NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 
   cosmos-redis-ephemeral:
     image: "${COSMOS_REGISTRY}/ballaerospace/cosmosc2-redis:${COSMOS_TAG}"
+    volumes:
+      - "${PWD}/cacert.pem:/devel/cacert.pem"
+      - "${PWD}/cosmos-redis/users.acl:/config/users.acl"
     restart: "unless-stopped"
-    command: [ "redis-server", "/config/redis_ephemeral.conf" ]
+    command: ["redis-server", "/config/redis_ephemeral.conf"]
+    environment:
+      SSL_CERT_FILE: "/devel/cacert.pem"
+      CURL_CA_BUNDLE: "/devel/cacert.pem"
+      REQUESTS_CA_BUNDLE: "/devel/cacert.pem"
+      NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 
   cosmos-cmd-tlm-api:
     image: "${COSMOS_REGISTRY}/ballaerospace/cosmosc2-cmd-tlm-api:${COSMOS_TAG}"
@@ -58,6 +70,7 @@ services:
       - "cosmos-minio"
     volumes:
       - "cosmos-gems-v:/gems"
+      - "${PWD}/cacert.pem:/devel/cacert.pem"
     environment:
       - "RAILS_ENV=production"
       - "GEM_HOME=/gems"
@@ -73,6 +86,7 @@ services:
       - "cosmos-minio"
     volumes:
       - "cosmos-gems-v:/gems:ro"
+      - "${PWD}/cacert.pem:/devel/cacert.pem"
     environment:
       - "RAILS_ENV=production"
       - "GEM_HOME=/gems"
@@ -88,6 +102,7 @@ services:
       - "cosmos-minio"
     volumes:
       - "cosmos-gems-v:/gems:ro"
+      #- ${PWD}/cacert.pem:/devel/cacert.pem
     environment:
       - "GEM_HOME=/gems"
     env_file:
@@ -97,13 +112,29 @@ services:
 
   cosmos-traefik:
     image: "${COSMOS_REGISTRY}/ballaerospace/cosmosc2-traefik:${COSMOS_TAG}"
+    volumes:
+      - "${PWD}/cacert.pem:/devel/cacert.pem"
+      - "${PWD}/cosmos-traefik/traefik.yaml:/etc/traefik/traefik.yaml"
+      # - "${PWD}/cosmos-traefik/traefik-allow-http.yaml:/etc/traefik/traefik.yaml"
+      # - "${PWD}/cosmos-traefik/traefik-ssl.yaml:/etc/traefik/traefik.yaml"
+      # - "${PWD}/cosmos-traefik/traefik-letsencrypt.yaml:/etc/traefik/traefik.yaml"
+      # - "${PWD}/cosmos-traefik/cert.key:/etc/traefik/cert.key"
+      # - "${PWD}/cosmos-traefik/cert.crt:/etc/traefik/cert.crt"
     ports:
-      - "2900:80"
+      - "127.0.0.1:2900:80"
+      - "127.0.0.1:2943:443"
+      # - "80:80"
+      # - "443:443"
     restart: "unless-stopped"
     depends_on:
       - "cosmos-redis"
       - "cosmos-redis-ephemeral"
       - "cosmos-minio"
+    environment:
+      SSL_CERT_FILE: "/devel/cacert.pem"
+      CURL_CA_BUNDLE: "/devel/cacert.pem"
+      REQUESTS_CA_BUNDLE: "/devel/cacert.pem"
+      NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 
   cosmos-init:
     image: "${COSMOS_REGISTRY}/ballaerospace/cosmosc2-init:${COSMOS_TAG}"
@@ -115,6 +146,7 @@ services:
       - "cosmos-minio"
     volumes:
       - "cosmos-gems-v:/gems"
+      - "${PWD}/cacert.pem:/devel/cacert.pem"
     environment:
       - "GEM_HOME=/gems"
     env_file:

cosmos-init/Dockerfile

@@ -1,6 +1,7 @@
 ARG COSMOS_REGISTRY=docker.io
 ARG COSMOS_TAG=latest
 
+FROM ${COSMOS_REGISTRY}/minio/mc:RELEASE.2021-12-10T00-14-28Z AS minio-mc
 FROM ${COSMOS_REGISTRY}/ballaerospace/cosmosc2-node:${COSMOS_TAG} AS cosmos-frontend-tmp
 
 WORKDIR /cosmos/plugins/
@@ -106,4 +107,7 @@ COPY --from=cosmos-frontend-base-tmp --chown=${IMAGE_USER}:${IMAGE_GROUP} /cosmo
 COPY --from=cosmos-frontend-base-tmp --chown=${IMAGE_USER}:${IMAGE_GROUP} /cosmos/plugins/yarn.lock /cosmos/plugins/yarn.lock
 COPY --chown=${IMAGE_USER}:${IMAGE_GROUP} ./init.sh /cosmos/
 
+COPY --from=minio-mc /bin/mc /bin/mc
+COPY ./script-runner.json /cosmos/minio/script-runner.json
+
 CMD [ "/cosmos/init.sh" ]

cosmos-init/init.sh

@@ -54,6 +54,17 @@ else
     done
 fi
 
+mc alias set cosmosminio "${COSMOS_S3_URL}" ${COSMOS_MINIO_USERNAME} ${COSMOS_MINIO_PASSWORD} || exit 1
+
+# Create new canned policy by name script using script-runner.json policy file.
+mc admin policy add cosmosminio script /cosmos/minio/script-runner.json || exit 1
+
+# Create a new user scriptrunner on MinIO use mc admin user.
+mc admin user add cosmosminio ${COSMOS_SR_MINIO_USERNAME} ${COSMOS_SR_MINIO_PASSWORD} || exit 1
+
+# Once the user is successfully created you can now apply the getonly policy for this user.
+mc admin policy set cosmosminio script user=${COSMOS_SR_MINIO_USERNAME} || exit 1
+
 ruby /cosmos/bin/cosmos load /cosmos/plugins/gems/cosmosc2-tool-base-*.gem || exit 1
 ruby /cosmos/bin/cosmos load /cosmos/plugins/gems/cosmosc2-tool-cmdtlmserver-*.gem || exit 1
 ruby /cosmos/bin/cosmos load /cosmos/plugins/gems/cosmosc2-tool-limitsmonitor-*.gem || exit 1

cosmos-init/plugins/cosmosc2-tool-base/Rakefile

@@ -20,7 +20,12 @@
 PLUGIN_NAME = Dir['*.gemspec'][0].split('.')[0..-2].join('.')
 
 task :require_version do
-  unless ENV['VERSION']
+  if ENV['VERSION']
+    if ENV['VERSION'] =~ /-/
+      # Add Timestamp to prerelease versions
+      ENV['VERSION'] = ENV['VERSION'] + "." + Time.now.utc.strftime("%Y%m%d%H%M%S")
+    end
+  else
     puts "VERSION is required: rake <task> VERSION=X.X.X"
     exit 1
   end

cosmos-init/plugins/cosmosc2-tool-base/src/index-allow-http.ejs

@@ -0,0 +1,99 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="ie=edge">
+  <title>COSMOS</title>
+
+  <link rel="stylesheet" href="/css/roboto.css" />
+  <link rel="stylesheet" href="/css/materialdesignicons-6.1.95.min.css" />
+  <!--
+    Update by downloading latest release from https://github.com/vuetifyjs/vuetify/releases
+    and putting the vuetify-vX.Y.Z.min.css in ../public/css (delete the old one)
+  -->
+  <link href="/css/vuetify-v2.6.4.min.css" rel="stylesheet" />
+  <!-- COSMOSEE KEYCLOAK PLACEHOLDER -->
+
+  <!--
+    Remove this if you only support browsers that support async/await.
+    This is needed by babel to share largeish helper code for compiling async/await in older
+    browsers. More information at https://github.com/single-spa/create-single-spa/issues/112
+  -->
+  <script src="/js/regenerator-runtime-0.13.9.min.js"></script>
+  <!--
+    This CSP allows any SSL-enabled host and for arbitrary eval(), but you should limit these directives further to increase your app's security.
+    Learn more about CSP policies at https://content-security-policy.com/#directive
+  -->
+  <meta http-equiv="Content-Security-Policy"
+    content="default-src 'self' blob: data: http: https:; script-src 'unsafe-inline' 'unsafe-eval' http: https: blob:; connect-src blob: http: https: wss: ws:; style-src 'unsafe-inline' http: https:; object-src 'none';">
+
+  <meta name="importmap-type" content="systemjs-importmap" />
+  <!-- If you wish to turn off import-map-overrides for specific environments (prod), uncomment the line below -->
+  <!-- More info at https://github.com/joeldenning/import-map-overrides/blob/master/docs/configuration.md#domain-list -->
+  <!-- <meta name="import-map-overrides-domains" content="denylist:prod.example.com" /> -->
+
+  <!-- Shared dependencies go into this import map. Your shared dependencies must be of one of the following formats:
+
+    1. System.register (preferred when possible) - https://github.com/systemjs/systemjs/blob/master/docs/system-register.md
+    2. UMD - https://github.com/umdjs/umd
+    3. Global variable
+
+    More information about shared dependencies can be found at https://single-spa.js.org/docs/recommended-setup#sharing-with-import-maps.
+
+    Update by downloading latest release from https://github.com/vuetifyjs/vuetify/releases (for example)
+    and putting the vuetify-vX.Y.Z.min.js in ../public/js (delete the old one)
+  -->
+  <script type="systemjs-importmap">
+    {
+      "imports": {
+        "single-spa": "/js/single-spa-5.9.3.min.js",
+        "vue": "/js/vue-2.6.14.min.js",
+        "vuetify": "/js/vuetify-v2.6.4.min.js",
+        "vue-router": "/js/vue-router-3.5.2.min.js",
+        "vuex": "/js/vuex-3.6.2.min.js",
+        "cosmosc2-tool-base": "/cosmosc2-tool-base.js"
+      }
+    }
+  </script>
+  <!-- See note above for how to update these -->
+  <link rel="preload" href="/js/single-spa-5.9.3.min.js" as="script" />
+  <link rel="preload" href="/js/vue-2.6.14.min.js" as="script" />
+  <link rel="preload" href="/js/vuetify-v2.6.4.min.js" as="script" />
+  <link rel="preload" href="/js/vue-router-3.5.2.min.js" as="script" />
+  <link rel="preload" href="/js/vuex-3.6.2.min.js" as="script" />
+  <script type="systemjs-importmap" src="/cosmos-api/map.json"></script>
+  <script src="/js/auth.js"></script>
+  <script src="/js/authConstants.js"></script>
+  <script src="/js/import-map-overrides-2.4.1.js"></script>
+  <!-- Get latest systemjs here: https://github.com/systemjs/systemjs/releases
+    We use system.js instead of s.js which includes global and module-types.
+    We also explictily use amd (asyncrhonous module definition) which uses named-register
+    Note that named-exports, transform and use-default are deprecated.
+  -->
+  <script src="/js/system-6.12.1.min.js"></script>
+  <!-- All the following belong to the system package -->
+  <script src="/js/amd.min.js"></script>
+  <script src="/js/named-register.min.js"></script>
+</head>
+
+<body>
+  <div id="cosmos-main"></div>
+  <import-map-overrides-full show-when-local-storage="devtools"></import-map-overrides-full>
+  <script>
+  (function() {
+    Promise.all([
+      System.import('single-spa'),
+      System.import('vue'),
+      System.import('vuetify'),
+      System.import('vue-router'),
+      System.import('vuex'),
+    ]).then(function (modules) {
+      System.import('cosmosc2-tool-base')
+    })
+  })()
+  </script>
+</body>
+
+</html>

cosmos-init/plugins/cosmosc2-tool-base/webpack.config.js

@@ -44,6 +44,15 @@ module.exports = (webpackConfigEnv, argv) => {
           orgName,
         },
       }),
+      new HtmlWebpackPlugin({
+        inject: false,
+        template: 'src/index-allow-http.ejs',
+        filename: 'index-allow-http.html',
+        templateParameters: {
+          isLocal: webpackConfigEnv && webpackConfigEnv.isLocal,
+          orgName,
+        },
+      }),
       new VueLoaderPlugin(),
       new CopyWebpackPlugin({ patterns: [{ from: 'public', to: '.' }] }),
       new webpack.DefinePlugin({

cosmos-init/plugins/packages/cosmosc2-demo/Rakefile

@@ -20,7 +20,12 @@
 PLUGIN_NAME = Dir['*.gemspec'][0].split('.')[0..-2].join('.')
 
 task :require_version do
-  unless ENV['VERSION']
+  if ENV['VERSION']
+    if ENV['VERSION'] =~ /-/
+      # Add Timestamp to prerelease versions
+      ENV['VERSION'] = ENV['VERSION'] + "." + Time.now.utc.strftime("%Y%m%d%H%M%S")
+    end
+  else
     puts "VERSION is required: rake <task> VERSION=X.X.X"
     exit 1
   end