chore: change from php-fpm to frankenphp

usu · May 4, 2024 · efa0150 · efa0150
1 parent 0cc208a
commit efa0150
Show file tree

Hide file tree

Showing 42 changed files with 568 additions and 1,156 deletions.
diff --git a/.caddy/config-cache/.gitkeep b/.caddy/config-cache/.gitkeep
diff --git a/.caddy/data/.gitkeep b/.caddy/data/.gitkeep
diff --git a/.caddy/php-socket/.gitkeep b/.caddy/php-socket/.gitkeep
diff --git a/.github/workflows/reusable-build-and-push.yml b/.github/workflows/reusable-build-and-push.yml
@@ -58,26 +58,13 @@ jobs:
           push: true
           file: api/Dockerfile
           tags: |
-            ${{ ((inputs.tag != '') && format('{0}/ecamp3-api-php:{1}', vars.DOCKER_HUB_USERNAME, inputs.tag) || '') }}
-            ${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api-php:${{ inputs.sha }}
+            ${{ ((inputs.tag != '') && format('{0}/ecamp3-api:{1}', vars.DOCKER_HUB_USERNAME, inputs.tag) || '') }}
+            ${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api:${{ inputs.sha }}
           context: './api'
-          target: api_platform_php
+          target: frankenphp_prod
           cache-from: type=gha,scope=api
           cache-to: type=gha,scope=api,mode=max
 
-      - name: Build and push caddy docker image
-        uses: docker/build-push-action@v5
-        with:
-          push: true
-          file: api/Dockerfile
-          tags: |
-            ${{ ((inputs.tag != '') && format('{0}/ecamp3-api-caddy:{1}', vars.DOCKER_HUB_USERNAME, inputs.tag) || '') }}
-            ${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api-caddy:${{ inputs.sha }}
-          context: './api'
-          target: api_platform_caddy_prod
-          cache-from: type=gha,scope=caddy
-          cache-to: type=gha,scope=caddy,mode=max
-
       - name: Build and push print docker image
         uses: docker/build-push-action@v5
         with:

diff --git a/.github/workflows/reusable-dev-deployment.yml b/.github/workflows/reusable-dev-deployment.yml
@@ -83,8 +83,7 @@ jobs:
             --set imageTag=${{ inputs.sha }} \
             --set frontend.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-frontend' \
             --set print.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-print' \
-            --set php.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api-php' \
-            --set caddy.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api-caddy' \
+            --set api.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api' \
             --set postgresql.dbBackupRestoreImage.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-db-backup-restore' \
             --set termsOfServiceLinkTemplate='https://ecamp3.ch/{lang}/tos' \
             --set newsLink='https://ecamp3.ch/blog' \
@@ -110,12 +109,12 @@ jobs:
             --set postgresql.restore.s3.accessKeyId='${{ secrets.RESTORE_S3_ACCESS_KEY_ID }}' \
             --set postgresql.restore.s3.accessKey='${{ secrets.RESTORE_S3_ACCESS_KEY }}' \
             --set postgresql.restore.encryptionKey=${{ secrets.RESTORE_ENCRYPTION_KEY != null && format('''{0}''', secrets.RESTORE_ENCRYPTION_KEY) || null }} \
-            --set php.dataMigrationsDir='${{ vars.DATA_MIGRATIONS_DIR }}' \
-            --set php.appSecret='${{ secrets.API_APP_SECRET }}' \
-            --set php.sentryDsn='${{ secrets.API_SENTRY_DSN }}' \
-            --set php.jwt.passphrase='${{ secrets.JWT_PASSPHRASE }}' \
-            --set php.jwt.publicKey='${{ secrets.JWT_PUBLIC_KEY }}' \
-            --set php.jwt.privateKey='${{ secrets.JWT_PRIVATE_KEY }}' \
+            --set api.dataMigrationsDir='${{ vars.DATA_MIGRATIONS_DIR }}' \
+            --set api.appSecret='${{ secrets.API_APP_SECRET }}' \
+            --set api.sentryDsn='${{ secrets.API_SENTRY_DSN }}' \
+            --set api.jwt.passphrase='${{ secrets.JWT_PASSPHRASE }}' \
+            --set api.jwt.publicKey='${{ secrets.JWT_PUBLIC_KEY }}' \
+            --set api.jwt.privateKey='${{ secrets.JWT_PRIVATE_KEY }}' \
             --set frontend.sentryDsn='${{ secrets.FRONTEND_SENTRY_DSN }}' \
             --set print.sentryDsn='${{ secrets.PRINT_SENTRY_DSN }}' \
             --set print.browserWsEndpoint='${{ secrets.BROWSER_WS_ENDPOINT }}' \

diff --git a/.github/workflows/reusable-e2e-tests-build.yml b/.github/workflows/reusable-e2e-tests-build.yml
@@ -23,27 +23,12 @@ jobs:
           context: './api'
           push: false
           load: true
-          target: api_platform_php_dev
+          target: frankenphp_dev
           builder: ${{ steps.buildx.outputs.name }}
-          tags: ecamp/ecamp3-dev-api-php
+          tags: ecamp/ecamp3-dev-api
           cache-from: type=gha,scope=api
           cache-to: type=gha,scope=api,mode=max
-          outputs: type=docker,dest=/tmp/ecamp3-dev-api-php.tar
-
-      # build caddy (using cache; provide image to docker compose)
-      - name: Build docker image (Caddy)
-        uses: docker/build-push-action@v5
-        with:
-          file: api/Dockerfile
-          context: './api'
-          push: false
-          load: true
-          target: api_platform_caddy
-          builder: ${{ steps.buildx.outputs.name }}
-          tags: ecamp/ecamp3-dev-api-caddy
-          cache-from: type=gha,scope=caddy
-          cache-to: type=gha,scope=caddy,mode=max
-          outputs: type=docker,dest=/tmp/ecamp3-dev-api-caddy.tar
+          outputs: type=docker,dest=/tmp/ecamp3-dev-api.tar
 
       - uses: actions/upload-artifact@v4
         with:

diff --git a/.github/workflows/reusable-e2e-tests-run.yml b/.github/workflows/reusable-e2e-tests-run.yml
@@ -36,8 +36,7 @@ jobs:
 
       - name: Load images
         run: |
-          docker load --input /tmp/ecamp3-dev-api-php.tar
-          docker load --input /tmp/ecamp3-dev-api-caddy.tar
+          docker load --input /tmp/ecamp3-dev-api.tar
           docker image ls -a --digests
 
       - name: Restore cache volumes (npm, composer)
@@ -49,7 +48,7 @@ jobs:
             docker-compose-
 
       # start necessary containers
-      - run: docker compose up -d php caddy frontend pdf print browserless database docker-host
+      - run: docker compose up -d api frontend pdf print browserless database docker-host
 
       - uses: cypress-io/github-action@v5
         with:

diff --git a/.github/workflows/reusable-stage-prod-deployment.yml b/.github/workflows/reusable-stage-prod-deployment.yml
@@ -42,8 +42,7 @@ jobs:
             --set imageTag=${{ github.sha }} \
             --set frontend.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-frontend' \
             --set print.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-print' \
-            --set php.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api-php' \
-            --set caddy.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api-caddy' \
+            --set api.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api' \
             --set postgresql.dbBackupRestoreImage.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-db-backup-restore' \
             --set termsOfServiceLinkTemplate='https://ecamp3.ch/{lang}/tos' \
             --set newsLink='https://ecamp3.ch/blog' \
@@ -69,23 +68,23 @@ jobs:
             --set postgresql.restore.s3.accessKey='${{ secrets.RESTORE_S3_ACCESS_KEY }}' \
             --set postgresql.restore.encryptionKey=${{ secrets.RESTORE_ENCRYPTION_KEY != null && format('''{0}''', secrets.RESTORE_ENCRYPTION_KEY) || null }} \
             --set postgresql.restore.inviteSupportAccountToInterestingCamps=${{ vars.RESTORE_INVITE_TO_INTERESTING_CAMPS != null && format('''{0}''', vars.RESTORE_INVITE_TO_INTERESTING_CAMPS) || false }} \
-            --set php.dataMigrationsDir='${{ vars.DATA_MIGRATIONS_DIR }}' \
-            --set php.appSecret='${{ secrets.API_APP_SECRET }}' \
-            --set php.sentryDsn='${{ secrets.API_SENTRY_DSN }}' \
-            --set php.jwt.passphrase='${{ secrets.JWT_PASSPHRASE }}' \
-            --set php.jwt.publicKey='${{ secrets.JWT_PUBLIC_KEY }}' \
-            --set php.jwt.privateKey='${{ secrets.JWT_PRIVATE_KEY }}' \
-            --set php.oauth.google.clientId='${{ secrets.OAUTH_GOOGLE_CLIENT_ID }}' \
-            --set php.oauth.google.clientSecret='${{ secrets.OAUTH_GOOGLE_CLIENT_SECRET }}' \
-            --set php.oauth.pbsmidata.clientId='${{ secrets.OAUTH_PBSMIDATA_CLIENT_ID }}' \
-            --set php.oauth.pbsmidata.clientSecret='${{ secrets.OAUTH_PBSMIDATA_CLIENT_SECRET }}' \
-            --set php.oauth.pbsmidata.baseUrl='${{ secrets.OAUTH_PBSMIDATA_BASE_URL }}' \
-            --set php.oauth.cevidb.clientId='${{ secrets.OAUTH_CEVIDB_CLIENT_ID }}' \
-            --set php.oauth.cevidb.clientSecret='${{ secrets.OAUTH_CEVIDB_CLIENT_SECRET }}' \
-            --set php.oauth.cevidb.baseUrl='${{ secrets.OAUTH_CEVIDB_BASE_URL }}' \
-            --set php.oauth.jubladb.clientId='${{ secrets.OAUTH_JUBLADB_CLIENT_ID }}' \
-            --set php.oauth.jubladb.clientSecret='${{ secrets.OAUTH_JUBLADB_CLIENT_SECRET }}' \
-            --set php.oauth.jubladb.baseUrl='${{ secrets.OAUTH_JUBLADB_BASE_URL }}' \
+            --set api.dataMigrationsDir='${{ vars.DATA_MIGRATIONS_DIR }}' \
+            --set api.appSecret='${{ secrets.API_APP_SECRET }}' \
+            --set api.sentryDsn='${{ secrets.API_SENTRY_DSN }}' \
+            --set api.jwt.passphrase='${{ secrets.JWT_PASSPHRASE }}' \
+            --set api.jwt.publicKey='${{ secrets.JWT_PUBLIC_KEY }}' \
+            --set api.jwt.privateKey='${{ secrets.JWT_PRIVATE_KEY }}' \
+            --set api.oauth.google.clientId='${{ secrets.OAUTH_GOOGLE_CLIENT_ID }}' \
+            --set api.oauth.google.clientSecret='${{ secrets.OAUTH_GOOGLE_CLIENT_SECRET }}' \
+            --set api.oauth.pbsmidata.clientId='${{ secrets.OAUTH_PBSMIDATA_CLIENT_ID }}' \
+            --set api.oauth.pbsmidata.clientSecret='${{ secrets.OAUTH_PBSMIDATA_CLIENT_SECRET }}' \
+            --set api.oauth.pbsmidata.baseUrl='${{ secrets.OAUTH_PBSMIDATA_BASE_URL }}' \
+            --set api.oauth.cevidb.clientId='${{ secrets.OAUTH_CEVIDB_CLIENT_ID }}' \
+            --set api.oauth.cevidb.clientSecret='${{ secrets.OAUTH_CEVIDB_CLIENT_SECRET }}' \
+            --set api.oauth.cevidb.baseUrl='${{ secrets.OAUTH_CEVIDB_BASE_URL }}' \
+            --set api.oauth.jubladb.clientId='${{ secrets.OAUTH_JUBLADB_CLIENT_ID }}' \
+            --set api.oauth.jubladb.clientSecret='${{ secrets.OAUTH_JUBLADB_CLIENT_SECRET }}' \
+            --set api.oauth.jubladb.baseUrl='${{ secrets.OAUTH_JUBLADB_BASE_URL }}' \
             --set frontend.sentryDsn='${{ secrets.FRONTEND_SENTRY_DSN }}' \
             --set print.sentryDsn='${{ secrets.PRINT_SENTRY_DSN }}' \
             --set print.ingress.readTimeoutSeconds='${{ vars.PRINT_INGRESS_READ_TIMEOUT_SECONDS }}' \
@@ -101,11 +100,9 @@ jobs:
             --set browserless.connectionTimeout=${{ vars.BROWSERLESS_CONNECTION_TIMEOUT_MS || '30000' }} \
             --set browserless.resources.requests.cpu=${{ vars.BROWSERLESS_CPU || '500m' }} \
             --set browserless.resources.requests.memory=${{ vars.BROWSERLESS_MEMORY || '800Mi' }} \
-            --set caddy.resources.requests.cpu=50m \
-            --set caddy.resources.limits.cpu=500m \
-            --set php.resources.requests.cpu=${{ vars.PHP_CPU || '1000m' }} \
-            --set php.resources.requests.memory=${{ vars.PHP_MEMORY || '500Mi' }} \
-            --set php.resources.limits.cpu=${{ vars.PHP_CPULIMIT || '1900m' }} \
+            --set api.resources.requests.cpu=${{ vars.PHP_CPU || '1000m' }} \
+            --set api.resources.requests.memory=${{ vars.PHP_MEMORY || '500Mi' }} \
+            --set api.resources.limits.cpu=${{ vars.PHP_CPULIMIT || '1900m' }} \
             --set frontend.resources.requests.cpu=50m \
             --set print.resources.requests.cpu=${{ vars.PRINT_CPU || '300m' }} \
             --set print.resources.requests.memory=${{ vars.PRINT_MEMORY || '150Mi' }} \

diff --git a/.helm/build-images.sh b/.helm/build-images.sh
@@ -25,14 +25,10 @@ frontend_image_tag="${docker_hub_account}/ecamp3-frontend:${version}"
 docker build "$REPO_DIR" -f "$REPO_DIR"/.docker-hub/frontend/Dockerfile $frontend_sentry_build_args -t "$frontend_image_tag"
 docker push "$frontend_image_tag"
 
-api_image_tag="${docker_hub_account}/ecamp3-api-php:${version}"
-docker build "$REPO_DIR"/api -f "$REPO_DIR"/api/Dockerfile -t "$api_image_tag" --target api_platform_php $sentry_build_args
+api_image_tag="${docker_hub_account}/ecamp3-api:${version}"
+docker build "$REPO_DIR"/api -f "$REPO_DIR"/api/Dockerfile -t "$api_image_tag" --target frankenphp_prod $sentry_build_args
 docker push "$api_image_tag"
 
-caddy_image_tag="${docker_hub_account}/ecamp3-api-caddy:${version}"
-docker build "$REPO_DIR"/api -f "$REPO_DIR"/api/Dockerfile -t "$caddy_image_tag" --target api_platform_caddy_prod
-docker push "$caddy_image_tag"
-
 print_sentry_build_args="$sentry_build_args --build-arg SENTRY_PRINT_PROJECT=$SENTRY_PRINT_PROJECT"
 
 print_image_tag="${docker_hub_account}/ecamp3-print:${version}"

diff --git a/.helm/deploy-to-cluster.sh b/.helm/deploy-to-cluster.sh
@@ -88,16 +88,11 @@ for i in 1; do
     values="$values --set postgresql.restore.inviteSupportAccountToInterestingCamps=$RESTORE_INVITE_TO_INTERESTING_CAMPS"
   fi
 
-  for imagespec in "frontend" "print"; do
+  for imagespec in "frontend" "print" "api"; do
     values="$values --set $imagespec.image.pullPolicy=$pull_policy"
     values="$values --set $imagespec.image.repository=docker.io/${docker_hub_account}/ecamp3-$imagespec"
   done
 
-  for imagespec in "php" "caddy"; do
-    values="$values --set $imagespec.image.pullPolicy=$pull_policy"
-    values="$values --set $imagespec.image.repository=docker.io/${docker_hub_account}/ecamp3-api-$imagespec"
-  done
-
   values="$values --set postgresql.dbBackupRestoreImage.pullPolicy=$pull_policy"
   values="$values --set postgresql.dbBackupRestoreImage.repository=docker.io/${docker_hub_account}/ecamp3-db-backup-restore"
 

diff --git a/.helm/ecamp3/templates/api_configmap.yaml b/.helm/ecamp3/templates/api_configmap.yaml
@@ -8,17 +8,18 @@ metadata:
 data:
   ADDITIONAL_TRUSTED_HOSTS: {{ .Values.domain | quote }}
   COOKIE_PREFIX: {{ include "api.cookiePrefix" . | quote }}
-  APP_ENV: {{ .Values.php.appEnv | quote }}
-  APP_DEBUG: {{ .Values.php.appDebug | quote }}
-  {{- if .Values.php.dataMigrationsDir }}
-  DATA_MIGRATIONS_DIR: {{ .Values.php.dataMigrationsDir | quote }}
+  APP_ENV: {{ .Values.api.appEnv | quote }}
+  APP_DEBUG: {{ .Values.api.appDebug | quote }}
+  {{- if .Values.api.dataMigrationsDir }}
+  DATA_MIGRATIONS_DIR: {{ .Values.api.dataMigrationsDir | quote }}
   {{- end }}
   CORS_ALLOW_ORIGIN: {{ include "frontend.url" . | quote }}
-  TRUSTED_PROXIES: "{{ join "," .Values.php.trustedProxies }}"
-  {{- if .Values.php.sentryDsn }}
-  SENTRY_API_DSN: {{ .Values.php.sentryDsn | quote }}
+  TRUSTED_PROXIES: "{{ join "," .Values.api.trustedProxies }}"
+  {{- if .Values.api.sentryDsn }}
+  SENTRY_API_DSN: {{ .Values.api.sentryDsn | quote }}
   SENTRY_ENVIRONMENT: {{ .Values.domain | quote }}
   {{- else }}
   SENTRY_API_DSN: {{ "" | quote }}
   {{- end }}
   FRONTEND_BASE_URL: {{ include "frontend.url" . | quote }}
+  CADDY_GLOBAL_OPTIONS: {{ .Values.api.caddyGlobalOptions | quote }}
diff --git a/.helm/ecamp3/templates/api_deployment.yaml b/.helm/ecamp3/templates/api_deployment.yaml
@@ -31,53 +31,26 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       enableServiceLinks: false
       containers:
-        - name: caddy
+        - name: name: {{ .Chart.Name }}-api
+          {{/* Define the api container as a template, so it can be reused in other places */}}
+          {{- define "api.container" }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.caddy.image.repository }}:{{ .Values.caddy.image.tag | default .Values.imageTag }}"
-          imagePullPolicy: {{ .Values.caddy.image.pullPolicy }}
-          env:
-            - name: SERVER_NAME
-              value: :3001
+          image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag | default .Values.imageTag }}"
+          imagePullPolicy: {{ .Values.api.image.pullPolicy }}
           ports:
             - name: api-http
               containerPort: {{ .Values.api.service.port }}
               protocol: TCP
             - name: api-metrics
               containerPort: {{ .Values.api.metrics.port }}
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /var/run/php
-              name: php-socket
-          lifecycle:
-            preStop:
-              exec:
-                command: ["curl", "-XPOST", "http://localhost:2019/stop"]
-          readinessProbe:
-            tcpSocket:
-              port: 3001
-            initialDelaySeconds: 3
-            periodSeconds: 10
-            timeoutSeconds: 5
-          livenessProbe:
-            tcpSocket:
-              port: 3001
-            initialDelaySeconds: 3
-            periodSeconds: 10
-            timeoutSeconds: 5
-          resources:
-            {{- toYaml .Values.caddy.resources | nindent 12 }}
-        - name: php
-          {{/* Define the php container as a template, so it can be reused in other places */}}
-          {{- define "api.phpContainer" }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.php.image.repository }}:{{ .Values.php.image.tag | default .Values.imageTag }}"
-          imagePullPolicy: {{ .Values.php.image.pullPolicy }}
+              protocol: TCP     
           envFrom:
             - configMapRef:
                 name: {{ include "api.name" . }}-configmap
           env:
+            - name: SERVER_NAME
+              value: :3001
             - name: APP_SECRET
               valueFrom:
                 secretKeyRef:
@@ -103,7 +76,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "api.name" . }}
                   key: recaptcha-secret
-            {{- if .Values.php.oauth.google.clientId }}
+            {{- if .Values.api.oauth.google.clientId }}
             - name: OAUTH_GOOGLE_CLIENT_ID
               valueFrom:
                 secretKeyRef:
@@ -115,7 +88,7 @@ spec:
                   name: {{ include "api.name" . }}
                   key: oauth-google-client-secret
             {{- end }}
-            {{- if .Values.php.oauth.pbsmidata.clientId }}
+            {{- if .Values.api.oauth.pbsmidata.clientId }}
             - name: OAUTH_PBSMIDATA_CLIENT_ID
               valueFrom:
                 secretKeyRef:
@@ -132,7 +105,7 @@ spec:
                   name: {{ include "api.name" . }}
                   key: oauth-pbsmidata-base-url
             {{- end }}
-            {{- if .Values.php.oauth.cevidb.clientId }}
+            {{- if .Values.api.oauth.cevidb.clientId }}
             - name: OAUTH_CEVIDB_CLIENT_ID
               valueFrom:
                 secretKeyRef:
@@ -149,7 +122,7 @@ spec:
                   name: {{ include "api.name" . }}
                   key: oauth-cevidb-base-url
             {{- end }}
-            {{- if .Values.php.oauth.jubladb.clientId }}
+            {{- if .Values.api.oauth.jubladb.clientId }}
             - name: OAUTH_JUBLADB_CLIENT_ID
               valueFrom:
                 secretKeyRef:
@@ -167,12 +140,10 @@ spec:
                   key: oauth-jubladb-base-url
             {{- end }}
           volumeMounts:
-            - mountPath: /var/run/php
-              name: php-socket
-            - mountPath: /srv/api/config/jwt/public.pem
+            - mountPath: /app/config/jwt/public.pem
               name: jwt-keypair
               subPath: public.pem
-            - mountPath: /srv/api/config/jwt/private.pem
+            - mountPath: /app/config/jwt/private.pem
               name: jwt-keypair
               subPath: private.pem
           lifecycle:
@@ -182,23 +153,20 @@ spec:
           {{- end }}
           {{- template "api.phpContainer" . }}
           resources:
-            {{- toYaml .Values.php.resources | nindent 12 }}
+            {{- toYaml .Values.api.resources | nindent 12 }}
           readinessProbe:
-            exec:
-              command:
-                - docker-healthcheck
+            tcpSocket:
+              port: 3001
             periodSeconds: 10
             timeoutSeconds: 5
           livenessProbe:
-            exec:
-              command:
-                - docker-healthcheck
+            tcpSocket:
+              port: 3001
             periodSeconds: 10
             timeoutSeconds: 5
           startupProbe:
-            exec:
-              command:
-                - docker-healthcheck
+            tcpSocket:
+              port: 3001
             failureThreshold: 40
             periodSeconds: 3