Add production deployment configuration and CI/CD

- Add deploy/ folder with Dockerfile.prod, nginx, uwsgi configs
- Add production.ini (secrets externalized to secrets.ini)
- Add entrypoint that merges production.ini + secrets.ini at startup
- Add build-deploy.yml GitHub Actions workflow
- Add dependabot.yml
- Update supervisor config with nginx and uwsgi programs

Author: cooper667

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/build-deploy.yml

@@ -0,0 +1,116 @@
+name: Build and Deploy CKAN
+
+on:
+  push:
+    branches: [master, ckan211-prod-deploy-pr]
+    tags: ["v*"]
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: "Image tag to deploy (e.g., sha-abc1234 or v1.0.0)"
+        required: true
+        type: string
+      environment:
+        description: "Target environment"
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+
+env:
+  ACR_NAME: adracr
+  IMAGE_NAME: ckan
+
+jobs:
+  build:
+    if: github.event_name != 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.set-env.outputs.image_tag }}
+      environment: ${{ steps.set-env.outputs.environment }}
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          submodules: recursive
+
+      - name: Determine environment and image tag
+        id: set-env
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            echo "environment=production" >> $GITHUB_OUTPUT
+            echo "image_tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          else
+            echo "environment=staging" >> $GITHUB_OUTPUT
+            echo "image_tag=sha-$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.6.1
+        with:
+          images: ${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+
+      - name: Login to ACR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ${{ env.ACR_NAME }}.azurecr.io
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.10.0
+        with:
+          context: .
+          file: deploy/Dockerfile.prod
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  deploy:
+    if: always() && (needs.build.result == 'success' || github.event_name == 'workflow_dispatch')
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ github.event_name == 'workflow_dispatch' && inputs.environment || needs.build.outputs.environment }}
+      url: ${{ steps.params.outputs.url }}
+    steps:
+      - name: Set deploy params
+        id: params
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            ENV="${{ inputs.environment }}"
+            echo "image_tag=${{ inputs.image_tag }}" >> $GITHUB_OUTPUT
+          else
+            ENV="${{ needs.build.outputs.environment }}"
+            echo "image_tag=${{ needs.build.outputs.image_tag }}" >> $GITHUB_OUTPUT
+          fi
+
+          if [[ "$ENV" == "production" ]]; then
+            echo "namespace=adr-p" >> $GITHUB_OUTPUT
+            echo "url=https://adr-p.fjelltopp.org" >> $GITHUB_OUTPUT
+          else
+            echo "namespace=adr-s" >> $GITHUB_OUTPUT
+            echo "url=https://adr-s.fjelltopp.org" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_BASE64 }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Deploy to AKS
+        run: |
+          kubectl set image deployment/ckan \
+            ckan=${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ steps.params.outputs.image_tag }} \
+            -n ${{ steps.params.outputs.namespace }}
+          kubectl rollout status deployment/ckan -n ${{ steps.params.outputs.namespace }} --timeout=5m

ckan/ckan_supervisor.conf

@@ -95,3 +95,31 @@ startsecs=10
 ; Need to wait for currently executing tasks to finish at shutdown.
 ; Increase this if you have very long running tasks.
 stopwaitsecs = 600
+
+; ===============================
+; nginx reverse proxy
+; ===============================
+[program:nginx]
+command=/usr/sbin/nginx -g "daemon off;"
+user=root
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/fd/2
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=true
+priority=10
+
+; ===============================
+; uWSGI CKAN application
+; ===============================
+[program:uwsgi]
+command=/usr/local/bin/uwsgi --ini /usr/lib/adx/uwsgi.ini
+user=root
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/fd/2
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=true
+priority=20

deploy/Dockerfile.prod

@@ -0,0 +1,96 @@
+FROM python:3.10
+
+# OCI Annotations
+LABEL org.opencontainers.image.maintainer="support@fjelltopp.org"
+LABEL org.opencontainers.image.title="CKAN-ADX"
+LABEL org.opencontainers.image.description="Fjelltopp's ADX CKAN production image"
+
+ARG CKAN_SITE_URL
+
+# Set timezone
+ENV TZ=UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+# Setting the locale
+ENV LC_ALL=en_US.UTF-8
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y locales && \
+    sed -i "/$LC_ALL/s/^# //g" /etc/locale.gen && \
+    dpkg-reconfigure --frontend=noninteractive locales && \
+    update-locale LANG=${LC_ALL}
+
+# Define environment variables
+ENV CKAN_HOME /usr/lib/adx
+ENV CKAN_VENV $CKAN_HOME/venv
+ENV CKAN_CONFIG /etc/ckan
+ENV CKAN_STORAGE_PATH=/var/lib/ckan
+ENV PATH=${CKAN_VENV}/bin:${PATH}
+
+# Install required system packages
+RUN apt-get -q -y update \
+    && apt-get -q -y install \
+        libpq-dev \
+        libmagic-dev \
+        libxml2-dev \
+        libxslt-dev \
+        libgeos-dev \
+        libssl-dev \
+        libffi-dev \
+        postgresql-client \
+        build-essential \
+        git-core \
+        vim \
+        wget \
+        curl \
+        xmlsec1 \
+        jq \
+        supervisor \
+        nginx \
+    && apt-get -q clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Add CKAN user
+RUN useradd -r -u 900 -m -c "ckan account" -d $CKAN_HOME -s /bin/false ckan
+
+# Install pipenv and uwsgi
+RUN pip3 install pipenv uwsgi
+
+# Copy submodules and Pipfile
+COPY submodules /usr/lib/adx/submodules
+COPY Pipfile Pipfile.lock /usr/lib/adx/
+
+# Install Python dependencies
+WORKDIR /usr/lib/adx
+RUN mkdir .venv && pipenv sync -v && ln -s .venv venv
+
+# Install Node.js and yarn for React build
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y nodejs && \
+    npm install --global yarn
+
+# Build React components
+RUN yarn --cwd /usr/lib/adx/submodules/ckanext-unaids/ckanext/unaids/react/ && \
+    yarn --cwd /usr/lib/adx/submodules/ckanext-unaids/ckanext/unaids/react/ build && \
+    chmod -R 777 /usr/lib/adx/submodules/ckanext-unaids/ckanext/unaids/assets/build
+
+RUN chown -R ckan:ckan /usr/lib/adx/
+RUN mkdir -p /var/lib/ckan/resources && chmod 777 -R /var/lib/ckan
+
+# Create symlink for backward compatibility with configs that reference /usr/lib/ckan
+RUN ln -s /usr/lib/adx /usr/lib/ckan
+
+# Copy entrypoint and config files
+COPY deploy/ckan-entrypoint-prod.sh /ckan-entrypoint.sh
+COPY ckan/adx_config.ini $CKAN_CONFIG/ckan.ini
+COPY ckan/adx_who.ini $CKAN_CONFIG/who.ini
+COPY ckan/ckan_supervisor.conf /etc/supervisor/conf.d/ckan_supervisor.conf
+COPY deploy/uwsgi.ini /usr/lib/adx/uwsgi.ini
+COPY deploy/nginx.conf /etc/nginx/nginx.conf
+
+RUN chmod +x /*.sh
+
+USER root
+EXPOSE 5000
+
+ENTRYPOINT ["/ckan-entrypoint.sh"]
+CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

deploy/ckan-entrypoint-prod.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+set -e
+
+# URL for the primary database, in the format expected by sqlalchemy
+: "${CKAN_SQLALCHEMY_URL:=}"
+: "${CKAN_SOLR_URL:=}"
+: "${CKAN_REDIS_URL:=}"
+: "${CKAN_DATAPUSHER_URL:=}"
+
+export CKAN_HOME=/usr/lib/adx
+export CKAN_VENV=$CKAN_HOME/venv
+export PATH=${CKAN_VENV}/bin:${PATH}
+
+# Combine base config with secrets using Python ConfigParser
+# secrets.ini values override production.ini
+echo "Combining configuration files..."
+python3 << 'PYEOF'
+import configparser
+import sys
+
+config = configparser.ConfigParser()
+config.read('/etc/ckan/production.ini')
+config.read('/etc/ckan/secrets.ini')  # Later values override earlier
+
+with open('/tmp/ckan.ini', 'w') as f:
+    config.write(f)
+PYEOF
+export CONFIG="/tmp/ckan.ini"
+export CKAN_INI="/tmp/ckan.ini"
+
+abort () {
+  echo "$@" >&2
+  exit 1
+}
+
+set_environment () {
+  export CKAN_SITE_ID=${CKAN_SITE_ID}
+  export CKAN_SITE_URL=${CKAN_SITE_URL}
+  export CKAN_SQLALCHEMY_URL=${CKAN_SQLALCHEMY_URL}
+  export CKAN_SOLR_URL=${CKAN_SOLR_URL}
+  export CKAN_REDIS_URL=${CKAN_REDIS_URL}
+  export CKAN_STORAGE_PATH=/var/lib/ckan
+  export CKAN_DATAPUSHER_URL=${CKAN_DATAPUSHER_URL}
+  export CKAN_DATASTORE_WRITE_URL=${CKAN_DATASTORE_WRITE_URL}
+  export CKAN_DATASTORE_READ_URL=${CKAN_DATASTORE_READ_URL}
+  export CKAN_SMTP_SERVER=${CKAN_SMTP_SERVER}
+  export CKAN_SMTP_STARTTLS=${CKAN_SMTP_STARTTLS}
+  export CKAN_SMTP_USER=${CKAN_SMTP_USER}
+  export CKAN_SMTP_PASSWORD=${CKAN_SMTP_PASSWORD}
+  export CKAN_SMTP_MAIL_FROM=${CKAN_SMTP_MAIL_FROM}
+  export CKAN_MAX_UPLOAD_SIZE_MB=${CKAN_MAX_UPLOAD_SIZE_MB}
+  if [ -n "${ADR_CKAN_SAML_IDP_CERT}" ]; then
+    echo "${ADR_CKAN_SAML_IDP_CERT}" > /tmp/saml_idp.crt || echo "Warning: Could not write SAML IDP cert"
+  fi
+}
+
+# Validate required environment variables
+if [ -z "$CKAN_SQLALCHEMY_URL" ]; then
+  abort "ERROR: no CKAN_SQLALCHEMY_URL specified"
+fi
+
+if [ -z "$CKAN_SOLR_URL" ]; then
+    abort "ERROR: no CKAN_SOLR_URL specified"
+fi
+
+if [ -z "$CKAN_REDIS_URL" ]; then
+    abort "ERROR: no CKAN_REDIS_URL specified"
+fi
+
+if [ -z "$CKAN_DATAPUSHER_URL" ]; then
+    abort "ERROR: no CKAN_DATAPUSHER_URL specified"
+fi
+
+set_environment
+echo "CKAN production environment ready"
+
+# Initialize CKAN database and run plugin migrations
+echo "Initializing CKAN database..."
+ckan --config="$CONFIG" db init || echo "CKAN database already initialized"
+
+echo "Setting up DataStore permissions..."
+ckan --config="$CONFIG" datastore set-permissions | psql "${CKAN_DATASTORE_WRITE_URL}" || echo "Warning: DataStore set-permissions failed or already applied"
+
+echo "Running database migrations for plugins..."
+ckan --config="$CONFIG" db upgrade -p pages || echo "Warning: ckanext-pages migration failed or already applied"
+# ckan --config="$CONFIG" versions initdb || echo "Warning: ckanext-versions initdb failed or already applied"
+# ckan --config="$CONFIG" validation init-db || echo "Warning: ckanext-validation init-db failed or already applied"
+ckan --config="$CONFIG" unaids initdb || echo "Warning: ckanext-unaids initdb failed or already applied"
+
+exec "$@"