From 27b2a017128aed05982dfaea9a86abce5b02cae1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20Schmitz=20von=20H=C3=BClst?= Date: Mon, 5 Feb 2024 22:51:08 +0100 Subject: [PATCH] Add docker build for java-spiffe-helper container (#187) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add docker build for java-spiffe-helper container Signed-off-by: Moritz Schmitz von Hülst * Adopt JDK has been deprecated in favor of temurin Signed-off-by: Moritz Schmitz von Hülst * Push image after build Signed-off-by: Moritz Schmitz von Hülst * Remove build on pull request and fix image tag Signed-off-by: Moritz Schmitz von Hülst * Set user non-root, add separate stage for gradle dependencies and version to gradle properties Signed-off-by: Moritz Schmitz von Hülst * Fix entrypoint Signed-off-by: Moritz Schmitz von Hülst * Add example config and default container command Signed-off-by: Moritz Schmitz von Hülst * Revert changes to gradle workflow and rename container build workflow Signed-off-by: Moritz Schmitz von Hülst * Pin gradle builder image version Co-authored-by: Ryan Turner Signed-off-by: Moritz Schmitz von Hülst * Add buildx action Signed-off-by: Moritz Schmitz von Hülst * Use github variable in image tag Signed-off-by: Moritz Schmitz von Hülst * Add Qemu Signed-off-by: Moritz Schmitz von Hülst * Login before push Signed-off-by: Moritz Schmitz von Hülst * Adopt JDK has been deprecated in favor of temurin Signed-off-by: Moritz Schmitz von Hülst * Remove build on pull request and fix image tag Signed-off-by: Moritz Schmitz von Hülst * Revert changes to gradle workflow and rename container build workflow Signed-off-by: Moritz Schmitz von Hülst * Use new properties example file Signed-off-by: Moritz Schmitz von Hülst * Minor improvements according to PR comments Signed-off-by: Moritz Schmitz von Hülst --------- 
Signed-off-by: Moritz Schmitz von Hülst Co-authored-by: Ryan Turner --- .dockerignore | 110 +++++++++++++++++++++++++++ .github/workflows/docker.yml | 34 +++++++++ Dockerfile | 15 ++++ build.gradle | 2 +- gradle.properties | 1 + java-spiffe-helper/build.gradle | 2 +- java-spiffe-helper/gradle.properties | 1 + 7 files changed, 163 insertions(+), 2 deletions(-) create mode 100644 .dockerignore create mode 100644 .github/workflows/docker.yml create mode 100644 Dockerfile create mode 100644 gradle.properties create mode 100644 java-spiffe-helper/gradle.properties diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..66cd1b5 --- /dev/null +++ b/.dockerignore 
@@ -0,0 +1,110 @@
+### Java template
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+replay_pid*
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn. Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+# GitHub
+.github
+
+# Git
+.git
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml new file mode 100644
index 0000000..059b350
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,34 @@
+name: container build
+
+on:
+ push:
+ tags:
+ - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ env:
+ REGISTRY: ghcr.io
+ steps:
+ - uses: actions/checkout@v4
+ - uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
+ - run: echo "DOCKER_TAG=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
+ - name: Publish java-spiffe-helper
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ github.repository }}-helper:${{ env.DOCKER_TAG }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile new file mode 100644
index 0000000..cc37874
--- /dev/null
+++ b/Dockerfile
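Review bot: The new `.dockerignore` is the Java/JetBrains ignore template and never excludes Gradle output, so `build/`, `.gradle/` and any other local artifacts present in the checkout travel into the build context and are pulled into the builder stage by the Dockerfile's `COPY --chown=gradle:gradle . /builder`. Because that stage then runs `gradle dependencies` and `gradle java-spiffe-helper:assemble`, stale local outputs can feed the published image and the context grows with every local build. Adding `build/`, `**/build/` and `.gradle/` keeps the context to sources. Note that the `*.jar` pattern would also drop a `gradle/wrapper/gradle-wrapper.jar` if the repository carries one, which is harmless only as long as the Dockerfile keeps using the image's own `gradle` rather than `./gradlew`.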
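Review bot: Every action under `steps:` is referenced by a mutable major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`) while the job holds a `packages: write` token and pushes the release image, so a moved tag on any of those actions would run inside the publishing job. Pinning each `uses:` to a full-length commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, removes that dependency on upstream tags; the `permissions:` block itself is already minimal. In the `run:` step, `>> "$GITHUB_ENV"` should be quoted like the assignment in front of it; `GITHUB_REF_NAME` is fine to interpolate here because the workflow only fires on tags matching `v[0-9]+.[0-9]+.[0-9]+`.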
@@ -0,0 +1,15 @@
+FROM gradle:8.5.0-jdk17 AS builder
+COPY --chown=gradle:gradle . /builder
+WORKDIR /builder
+RUN gradle dependencies
+RUN gradle java-spiffe-helper:assemble -ParchiveClassifier=docker -Pversion=docker
+
+FROM eclipse-temurin:17-jre AS runner
+COPY --chown=nobody:nobody \
+ conf/java-spiffe-helper.properties /app/java-spiffe-helper.properties
+COPY --from=builder \
+ --chown=nobody:nobody \
+ /builder/java-spiffe-helper/build/libs/java-spiffe-helper-docker-docker.jar /app/java-spiffe-helper.jar
+USER nobody
+ENTRYPOINT ["java", "-jar", "/app/java-spiffe-helper.jar"]
+CMD ["--config", "/app/java-spiffe-helper.properties"]
diff --git a/build.gradle b/build.gradle
index d847f37..aec2f29 100644
--- a/build.gradle
+++ b/build.gradle
@@ -12,7 +12,7 @@ allprojects {
 subprojects {
 group = 'io.spiffe'
- version = '0.8.4'
+ version = project.version
 ext {
 grpcVersion = '1.61.1'
diff --git a/gradle.properties b/gradle.properties new file mode 100644
index 0000000..58b1003
--- /dev/null
+++ b/gradle.properties
@@ -0,0 +1 @@
+version=0.8.4
diff --git a/java-spiffe-helper/build.gradle b/java-spiffe-helper/build.gradle
index 8eb0c78..a566d53 100644
--- a/java-spiffe-helper/build.gradle
+++ b/java-spiffe-helper/build.gradle
@@ -10,7 +10,7 @@ assemble.dependsOn shadowJar
 shadowJar {
 mergeServiceFiles()
- archiveClassifier = osdetector.classifier
+ archiveClassifier = project.hasProperty('archiveClassifier') && project.archiveClassifier != "" ? project.archiveClassifier : osdetector.classifier
 manifest {
 attributes 'Main-Class': 'io.spiffe.helper.cli.Runner'
 }
diff --git a/java-spiffe-helper/gradle.properties b/java-spiffe-helper/gradle.properties new file mode 100644
index 0000000..4792364
--- /dev/null
+++ b/java-spiffe-helper/gradle.properties
@@ -0,0 +1 @@
+archiveClassifier=
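Review bot: Both `COPY` instructions in the runner stage hand ownership of `/app/java-spiffe-helper.jar` and `/app/java-spiffe-helper.properties` to `nobody`, the very account `USER nobody` then runs the process as, so the running helper can overwrite its own code and configuration. Dropping the `--chown=nobody:nobody` flags, i.e. `COPY conf/java-spiffe-helper.properties /app/java-spiffe-helper.properties` and `COPY --from=builder /builder/java-spiffe-helper/build/libs/java-spiffe-helper-docker-docker.jar /app/java-spiffe-helper.jar`, keeps the files root-owned (`COPY` defaults to uid/gid 0) and, with the usual 0644 mode, still readable by `nobody`; whatever directory the helper writes into at runtime should be a mounted volume rather than a writable `/app`. The runner base `eclipse-temurin:17-jre` is a floating tag while the builder was pinned to `gradle:8.5.0-jdk17`; pinning it by digest, `FROM eclipse-temurin:17-jre@sha256:<digest-of-chosen-image> AS runner`, makes the published image reproducible. Separately, `COPY --chown=gradle:gradle . /builder` precedes `RUN gradle dependencies`, so any source change invalidates the dependency layer; copying only the Gradle build files first would let that layer cache.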
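Review bot: `version = project.version` inside `subprojects { … }` reads and assigns the same property of the same subproject, so it appears to be a no-op: with `version=0.8.4` now in the root `gradle.properties` (or `-Pversion=docker` from the Dockerfile) every project already receives `version` as a Gradle property before this script runs. Either delete the line or state the intent explicitly with `version = rootProject.version`, which reads the same way for the `-P` override. The `subprojects` block begins and ends outside the hunk.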
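Review bot: The new `archiveClassifier` expression re-implements Groovy truth by hand; `project.hasProperty('archiveClassifier') && project.archiveClassifier != "" ? project.archiveClassifier : osdetector.classifier` is equivalent to `archiveClassifier = project.findProperty('archiveClassifier') ?: osdetector.classifier`, since `findProperty` returns null for an absent property and the Elvis operator treats both null and the empty string as false. That form is easier to read and makes the `archiveClassifier=` placeholder added in `java-spiffe-helper/gradle.properties` unnecessary, which seems to exist only to make `hasProperty` answer true. The `shadowJar { … }` block is closed inside the hunk but the file continues past it.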