Automated PR - merge 6.x into 7.x

.github/workflows/branch-sync.yml

@@ -0,0 +1,102 @@
+name: Merge 6.x into 7.x
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 23 * * 0'  # Run every Sunday at 11 PM UTC (Monday 9 AM AEST)
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  create-pull-request:
+    runs-on: ubuntu-latest
+    container: ghcr.io/dpc-sdp/bay/ci-builder:6.x
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          ref: 6.x
+
+      - name: Set ownership of the workspace
+        run: chown -R $(id -u):$(id -g) $PWD
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Create PR
+        id: create-pr
+        run: |
+          set +e
+          output=$(gh pr create --base 7.x --title "Automated PR - merge 6.x into 7.x" --body "This pull request syncs relevant changes from the 6.x branch into the 7.x branch. This PR was automatically generated by the CI workflow." --label "sync" --label "automated" 2>&1)
+          COMMAND_STATUS=$?
+
+          diff=$(echo $output | grep -q "No commits" && echo "false" || echo "true")
+
+          echo "stdout<<EOF" | tee "$GITHUB_OUTPUT"
+          echo $output | tee -a "$GITHUB_OUTPUT"
+          ( echo ; echo "EOF" ) | tee -a "$GITHUB_OUTPUT"
+
+          if [[ $diff == "false" ]]; then
+            echo "There are no commits between the base and HEAD branches." >> $GITHUB_STEP_SUMMARY
+            COMMAND_STATUS=0
+          fi
+
+          echo "diff=$diff" >> "$GITHUB_OUTPUT"
+
+          exit $COMMAND_STATUS
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: If successful set PR number to env var
+        if: steps.create-pr.conclusion == 'success' && steps.create-pr.outputs.diff == 'true'
+        run: |
+          output="${{ steps.create-pr.outputs.stdout }}"
+          pr_url=$(echo $output | grep -o "^https.*[0-9]")
+          pr=(echo $pr_url | cut -d "/" -f 7)
+
+          echo "PR_URL=$pr_url" >> GITHUB_ENV
+          echo "PR_NUMBER=$pr" >> $GITHUB_ENV
+
+      - name: Successful, check for conflicts
+        if: env.PR_NUMBER
+        run: |
+          conflicts=$(gh pr view ${{ env.PR_NUMBER }} --json mergeStateStatus --jq 'if .mergeStateStatus == "DIRTY" then true else false end')
+          echo "CONFLICTS=$conflicts" >> $GITHUB_ENV
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Send Slack notification if pr created but conflicts exist
+        id: notify_slack_conflicts
+        uses: slackapi/slack-github-action@v2.1.1
+        if: always() && env.CONFLICTS
+        env:
+          LINK: ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}
+        with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "GitHub Action - ${{ github.workflow }} requires manual intervention. \n${{ env.LINK }}"
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: "${{ github.workflow }} needs conflicts resolved.\n${{ env.PR_URL }}" 
+
+      - name: Send Slack notification if PR creation failed for a reason other than "no commits"
+        id: notify_slack_failed
+        uses: slackapi/slack-github-action@v2.1.1
+        if: always() && (steps.create-pr.conclusion == 'failure' && steps.create-pr.outputs.diff == 'true')
+        env:
+          LINK: ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}
+        with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            channel: ${{ secrets.SLACK_CHANNEL_ID }}
+            text: "GitHub Action ${{ github.workflow }} failed. \n${{ env.LINK }}"

.github/workflows/build-deploy.yml

@@ -2,7 +2,7 @@ name: build-deploy-bay-images
 run-name: Build and deploy Bay images
 on:
   pull_request:
-    types:
+    types: 
       - closed
       - opened
       - synchronize
@@ -17,11 +17,11 @@ env:
   REGISTRY: ghcr.io
 jobs:
   buildx:
-    if: |-
+    if: |
       github.event.pull_request.merged == true || 
       contains(fromJson('["schedule", "workflow_dispatch"]'), github.event_name) || 
-      github.event_name == 'pull_request' && startsWith(github.head_ref,'build/') ||
-      ( github.event.issue.pull_request && contains(github.event.comment.body, '/build') )
+      (github.event_name == 'pull_request' && startsWith(github.head_ref,'build/')) ||
+      (github.event.issue.pull_request && contains(github.event.comment.body, '/build'))
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -33,35 +33,45 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - uses: actions/checkout@v3
-        if: |-
+      - uses: actions/checkout@v4
+        if: |
           github.event.pull_request.merged == true || 
           contains(fromJson('["schedule", "workflow_dispatch"]'), github.event_name) || 
-          github.event_name == 'pull_request' && startsWith(github.head_ref,'build/')
+          (github.event_name == 'pull_request' && startsWith(github.head_ref,'build/'))
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         if: ( github.event.issue.pull_request && contains(github.event.comment.body, '/build') )
         with:
           ref: refs/pull/${{ github.event.issue.number }}/head
 
       - name: Login to registry ${{ env.REGISTRY }}
-        uses: docker/login-action@v2.2.0
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4.6.0
+        uses: docker/metadata-action@v5
         with:
           images: |
             ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}
           tags: |
+            # PR images (not merged): pr-<num>
             type=ref,event=pr,enable=${{ github.event.pull_request.merged == false }}
+            # Tag with the PR base branch name on merge
             type=raw,value=${{ github.event.pull_request.base.ref }},enable=${{ github.event.pull_request.merged == true }}
+            # Manual/scheduled runs tag by branch ref (for whichever release branch the run targets)
             type=ref,event=branch,enable=${{ contains(fromJson('["schedule", "workflow_dispatch"]'), github.event_name) }}
+            # Comment-triggered builds: pr-<num>
             type=raw,event=default,value=pr-${{ github.event.issue.number }},enable=${{ github.event.issue.pull_request != null }}
+            # Supported release branches
+            type=raw,value=5.x,enable=${{ github.ref == 'refs/heads/5.x' || github.event.pull_request.base.ref == '5.x' }}
+            type=raw,value=6.x,enable=${{ github.ref == 'refs/heads/6.x' || github.event.pull_request.base.ref == '6.x' }}
+            type=raw,value=7.x,enable=${{ github.ref == 'refs/heads/7.x' || github.event.pull_request.base.ref == '7.x' }}
+            # Always add an immutable sha tag
+            type=raw,value=sha-${{ github.sha }}
           labels: |
             maintainer=Digital Victoria
             repository=${{ github.repositoryUrl }}
@@ -88,7 +98,7 @@ jobs:
           retention-days: 1
 
       - name: Build and push the images
-        uses: docker/bake-action@v3.1.0
+        uses: docker/bake-action@v5
         with:
           push: true
           files: |

.github/workflows/vulnerability-scan-schedule-7x.yml

@@ -0,0 +1,27 @@
+name: vulnerability-scan-schedule-7.x
+run-name: Scheduled CVE vulnerability scan of 7.x published images.
+
+env:
+  REGISTRY: ghcr.io
+
+on:
+  schedule:
+    - cron: '12 22 * * 3'
+  workflow_dispatch:
+    inputs:
+      summary:
+        description: 'Summary of the scheduled scan.'
+        required: false
+        default: 'Trivy CVE scan of 7.x published images.'
+      tag:
+        description: 'Tag to scan.'
+        required: false
+        default: '7.x'
+
+jobs:
+  vulnerability-scan-schedule:
+    name: Scan for vulnerabilities on 7.x images
+    uses: "dpc-sdp/bay/.github/workflows/vulnerability-scan.yml@7.x"
+    with:
+      tag: "7.x"
+      summary: "Trivy CVE scan of 7.x published images."

.github/workflows/vulnerability-scan.yml

@@ -39,6 +39,7 @@ jobs:
             exclude:
               - images: mailpit
               - images: php-fpm-exporter
+              - images: aws-es-proxy
       - if: inputs.tag != '5.x'
         uses: druzsan/setup-matrix@v2
         with:

README.md

@@ -26,22 +26,6 @@ Learn more from https://docs.lagoon.sh/
 
 ## Bay Features
 
-### Lock-down Ingress with Pre-Shared Key
-
-Using the nginx image, you can lock down access to your application with using a pre-shared key added at your CDN. 
-
-Set these environment variables in your nginx deployment:
-
-- `BAY_INGRESS_HEADER` defines the header which has the pre-shared key.
-- `BAY_INGRESS_PSK` is the token / PSK value.
-- `BAY_INGRESS_ENABLED` is a toggle for this feature, must be set to `"true"`.
-
-In your CDN configuration, set the header defined in `BAY_INGRESS_HEADER` with the token defined in `BAY_INGRESS_PSK`.
-
-- [Cloudfront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html)
-
-Once deployed, if the header is missing in the request nginx will return a `405 Not Allowed` HTTP response.
-
 ### Multiple architecture support
 Bay images are available in both amd64 and arm64 architectures.
 

gh-actions-bake.hcl

@@ -11,9 +11,16 @@ target "ci-builder" {
 
   platforms     = ["linux/amd64", "linux/arm64"]
 }
+target "opensearch" {
+  inherits = ["docker-metadata-action"]
+  context       = "${CONTEXT}/opensearch"
+  dockerfile    = "Dockerfile"
+
+  platforms     = ["linux/amd64", "linux/arm64"]
+}
 target "elasticsearch" {
   inherits = ["docker-metadata-action"]
-  context       = "${CONTEXT}/elasticsearch"
+  context       = "${CONTEXT}/opensearch"
   dockerfile    = "Dockerfile"
 
   platforms     = ["linux/amd64", "linux/arm64"]
@@ -93,6 +100,17 @@ target "php-fpm-exporter" {
     "org.opencontainers.image.source" = "https://github.com/dpc-sdp/bay/blob/6.x/images/bay-php-exporter/Dockerfile"
   }
 }
+
+target "aws-es-proxy" {
+  inherits = ["docker-metadata-action"]
+  context       = "${CONTEXT}/aws-es-proxy"
+  dockerfile    = "Dockerfile"
+
+  platforms     = ["linux/amd64", "linux/arm64"]
+  labels = {
+    "org.opencontainers.image.source" = "https://github.com/dpc-sdp/bay/blob/6.x/images/aws-es-proxy/Dockerfile"
+  }
+}
 target "ripple-static" {
   inherits = ["docker-metadata-action"]
   context       = "${CONTEXT}/ripple-static"

images/aws-es-proxy/Dockerfile

@@ -0,0 +1,26 @@
+FROM golang:alpine AS build
+
+RUN apk add --no-cache git
+RUN git clone https://github.com/abutaha/aws-es-proxy.git /go/src/github.com/abutaha/aws-es-proxy
+WORKDIR /go/src/github.com/abutaha/aws-es-proxy
+
+RUN go get -u && go mod tidy
+RUN CGO_ENABLED=0 GOOS=linux go build -o aws-es-proxy
+
+FROM alpine:latest
+
+RUN apk --no-cache add ca-certificates
+WORKDIR /home/
+COPY --from=build /go/src/github.com/abutaha/aws-es-proxy/aws-es-proxy /usr/local/bin/
+COPY entrypoint.sh /entrypoint.sh
+RUN apk add --no-cache bash aws-cli
+
+ENV BAY_OPENSEARCH_ENDPOINT=
+ENV BAY_OPENSEARCH_ROLE=
+ENV BAY_OPENSEARCH_PROXY_TIMEOUT=60
+ENV BAY_OPENSEARCH_PROXY_VERBOSE=
+ENV BAY_OPENSEARCH_PROXY_DEBUG=
+ENV BAY_OPENSEARCH_PROXY_PORT=9200
+EXPOSE 9200
+
+ENTRYPOINT ["/entrypoint.sh"]

images/aws-es-proxy/README.md

@@ -0,0 +1,63 @@
+# Container Image - aws-es-proxy
+
+This container provides a secure proxy for requests to an AWS OpenSearch endpoint using the [aws-es-proxy](https://github.com/abutaha/aws-es-proxy) 
+tool. It is designed for seamless integration and automated IAM authentication, with robust defaults and runtime 
+configuration via environment variables.
+
+## Features
+
+- Secure proxying to AWS OpenSearch services.
+- Automatic validation of critical environment variables and AWS credentials.
+- Configurable timeouts, port, and proxy flags.
+- Flexible runtime configuration for debugging and verbosity.
+
+## Usage
+
+This image is typically intended for use as a proxy in your infrastructure.  
+You can use it in your Docker Compose stack with the following snippet:
+
+```yaml
+services: 
+  aws-es-proxy: 
+    image: ghcr.io/dpc-sdp/bay/aws-es-proxy:6.x 
+    environment: 
+      BAY_OPENSEARCH_ENDPOINT=https://your-opensearch-endpoint.amazonaws.com
+      BAY_OPENSEARCH_ROLE=arn:aws:iam::123456789012:role/your-role 
+    ports: 
+      - "9200:9200"
+```
+
+
+## Environment Variables
+
+| Name                      | Default Value | Description                                                     |
+|---------------------------|---------------|-----------------------------------------------------------------|
+| `BAY_OPENSEARCH_ENDPOINT` | _(required)_  | The AWS OpenSearch domain endpoint to proxy requests to.        |
+| `BAY_OPENSEARCH_ROLE`     | _(required)_  | The AWS IAM role to assume for accessing the OpenSearch domain. |
+| `BAY_OPENSEARCH_PROXY_PORT`    | `9200`        | The port that the proxy listens on, inside the container.       |
+| `BAY_OPENSEARCH_PROXY_TIMEOUT` | `60`          | Timeout (in seconds) for incoming connections.                  |
+| `BAY_OPENSEARCH_PROXY_VERBOSE` | `false`       | enables verbose logging                                         |
+| `BAY_OPENSEARCH_PROXY_DEBUG` | `false`       | enables debug logging                                           |
+
+### Example: Enabling Debug and Verbose Logging
+
+```
+BAY_OPENSEARCH_PROXY_FLAGS=-debug -verbose
+```
+
+## Ports
+
+- **9200** (default, can be customized with `BAY_OPENSEARCH_PROXY_PORT`) – Proxy HTTP port
+
+## Entrypoint
+
+The container runs an entrypoint script that:
+
+1. Verifies mandatory environment variables and AWS credentials.
+2. Launches `aws-es-proxy` with your configuration.
+
+## AWS Credentials
+
+The container expects valid AWS credentials to be supplied via standard mechanisms (environment variables, mounted credentials files, or IAM roles if running in AWS ECS/EKS environments).
+
+For more advanced configuration, refer to the [aws-es-proxy documentation](https://github.com/abutaha/aws-es-proxy).