Docker: Add gui docker

.github/workflows/deploy.yml

@@ -97,8 +97,22 @@ jobs:
             latest=false
           tags: |
             type=ref,event=tag
-            type=raw,event=tag,value=latest
-            type=raw,event=workflow_dispatch,value=snapshot
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
+            type=raw,value=snapshot,enable=${{ github.event_name == 'workflow_dispatch' }}
+            type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }}
+            type=sha
+      
+      - name: Extract metadata (tags, labels) for Gui Docker
+        id: meta_gui
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/openconext/openconext-attribute-aggregation/aa-gui
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=tag
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
+            type=raw,value=snapshot,enable=${{ github.event_name == 'workflow_dispatch' }}
             type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }}
             type=sha
 
@@ -111,3 +125,13 @@ jobs:
           push: true
           tags: ${{ steps.meta_server.outputs.tags }}
           labels: ${{ steps.meta_server.outputs.labels }}
+
+      - name: Build and push the aa gui image
+        uses: docker/build-push-action@v5
+        with:
+          context: aa-server
+          file: aa-gui/docker/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta_gui.outputs.tags }}
+          labels: ${{ steps.meta_gui.outputs.labels }}

aa-gui/docker/Dockerfile

@@ -0,0 +1,4 @@
+FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
+COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/
+COPY ./dist/ /var/www/
+

aa-gui/docker/conf/000-default.conf

@@ -0,0 +1,64 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/aa/
+RewriteCond %{REQUEST_URI} !^/internal/
+RewriteCond %{REQUEST_URI} !^/redirect
+RewriteCond %{REQUEST_URI} !^/fonts/
+RewriteRule (.*) /index.html [L]
+
+ProxyPass /Shibboleth.sso !
+
+ProxyPass /internal/health http://localhost:{{ springapp_tcpport }}/aa/api/internal/health retry=0
+ProxyPass /internal/info http://localhost:{{ springapp_tcpport }}/aa/api/internal/info retry=0
+
+ProxyPass /aa/api http://localhost:{{ springapp_tcpport }}/aa/api retry=0
+ProxyPassReverse /aa/api http://localhost:{{ springapp_tcpport }}/aa/api
+
+ProxyPassReverse /aa/api/client http://localhost:{{ springapp_tcpport }}/aa/api/client
+
+<Location />
+  AuthType shibboleth
+  ShibUseHeaders On
+  ShibRequireSession On
+  Require valid-user
+</Location>
+
+DocumentRoot "/var/www/"
+
+<Directory "/var/www/">
+  Require all granted
+  Options     -Indexes
+</Directory>
+
+<Location ~ "/internal/(health|info)">
+Require all granted
+</Location>
+
+# The EB endpoints are secured with basic auth
+<Location ~ "/aa/api/internal/">
+  Require all granted
+</Location>
+
+# The internal info and health
+<Location ~ "/internal/(health|info)">
+  Require all granted
+</Location>
+
+# The Lifecycle endpoints are secured with basic auth
+<Location ~ "/aa/api/deprovision/">
+  Require all granted
+</Location>
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+Header always set X-Content-Type-Options "nosniff"