ARC-1239: Dockerize 'ehealthid-rp' for deployment (#18)

* ARC-1239: Setup Dockerfile & Release Flow

* ARC-1239: Use GHCR

* ARC-1239: Check off task :)

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: maven
+    registries: "*"
+    directory: "/"
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "NA:"
+    groups:
+      maven-non-breaking-changes:
+        update-types:
+          - 'minor'
+          - 'patch'
+  - package-ecosystem: docker
+    registries: "*"
+    directory: "/"
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "NA:"

.github/workflows/release.yml

@@ -0,0 +1,54 @@
+name: Build and Publish Application Image
+
+on:
+  push:
+    tags:
+      - 'ehealthid-relying-party/v[0-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+'
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  deploy:
+    env:
+      DOCKER_REPO: 'europe-docker.pkg.dev/oviva-pkg/ovi/'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Get version
+        id: version
+        run: |
+          echo "parsing version from ref '$GITHUB_REF'"
+          VERSION=$(echo "$GITHUB_REF" | sed -e 's|.*/ehealthid-relying-party/v\(.*\)|\1|g')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+      - name: Update Version
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          echo "updating version to '$VERSION'"
+          make update-version "VERSION=$VERSION"
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - id: buildx
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Image
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          make dist RELEASE_TAG=v$VERSION
+    permissions:
+      contents: read
+      packages: write

.github/workflows/spotless.yml

@@ -6,24 +6,18 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
-    env:
-      MAVEN_USERNAME: continuousintegration-oviva
-      MAVEN_PASSWORD: ${{ secrets.MAVEN_REPO_TOKEN }}
     permissions:
       contents: read
       packages: read
       checks: write
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          java-version: 17
+          java-version: 21
           distribution: 'temurin'
-          server-id: github
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
           cache: 'maven'
       - name: run spotless
         id: spotless

.github/workflows/unit-tests.yml

@@ -11,22 +11,16 @@ on:
 
 jobs:
   test:
-    env:
-      MAVEN_USERNAME: continuousintegration-oviva
-      MAVEN_PASSWORD: ${{ secrets.MAVEN_REPO_TOKEN }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          java-version: 17
+          java-version: 21
           distribution: 'temurin'
-          server-id: github
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
           cache: 'maven'
       - name: Cache SonarCloud packages
         uses: actions/cache@v3

Dockerfile

@@ -0,0 +1,29 @@
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3
+
+LABEL org.opencontainers.image.source="https://github.com/oviva-ag/ehealthid-relying-party"
+
+ARG JAVA_PACKAGE=java-21-openjdk-headless
+ARG RUN_JAVA_VERSION=1.3.8
+
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
+
+# Install java and the run-java script
+# Also set up permissions for user `1001`
+RUN microdnf -y install ca-certificates ${JAVA_PACKAGE} \
+    && microdnf -y update \
+    && microdnf clean all \
+    && mkdir /deployments \
+    && chown 1001 /deployments \
+    && chmod "g+rwX" /deployments \
+    && chown 1001:root /deployments \
+    && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
+    && chown 1001 /deployments/run-java.sh \
+    && chmod 540 /deployments/run-java.sh \
+    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/conf/security/java.security \
+    && echo "securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,DRBG:SUN" >> /etc/alternatives/jre/conf/security/java.security
+
+COPY --chown=1001 ehealthid-rp/target/ehealthid-rp-jar-with-dependencies.jar /deployments/
+
+USER 1001
+
+ENTRYPOINT [ "/deployments/run-java.sh" ]

Makefile

@@ -0,0 +1,32 @@
+
+MVN=./mvnw
+
+VERSION?=$(shell $(MVN) -q -Dexec.executable=echo -Dexec.args='$${project.version}' --non-recursive exec:exec)
+
+DOCKER_REPO=ghcr.io/oviva-ag/
+IMAGE_NAME=ehealthid-relying-party
+
+GIT_COMMIT=`git rev-parse HEAD`
+
+.PHONY: update-version test unit-test integration-test setup dist build clean install docker
+
+build:
+	@$(MVN) -T 8 $(MAVEN_CLI_OPTS) -am package
+
+clean:
+	@$(MVN) -T 8 $(MAVEN_CLI_OPTS) -am clean
+
+test:
+	@$(MVN) -B verify
+
+update-version:
+	@$(MVN) -B versions:set "-DnewVersion=$(VERSION)"
+
+docker: build
+	@docker build -t $(IMAGE_NAME):v$(VERSION) .
+
+dist: build
+ifndef RELEASE_TAG
+	$(error RELEASE_TAG is not set)
+endif
+	docker buildx build --push --platform linux/amd64,linux/arm64 --label git-commit=$(GIT_COMMIT) --tag "$(DOCKER_REPO)$(IMAGE_NAME):$(RELEASE_TAG)" .

README.md

@@ -4,7 +4,7 @@
 # TODO
 In order of priority:
 - [ ] Health endpoint - sanity check whether Jakarta ws is up should be enough. I.e. `/health`
-- [ ] Dockerfile + CI/CD
+- [ ] Continuous Deployment
 - [ ] Helm chart (externally)
 - [ ] Internationalization (ResourceBundles) for templates (en & de)
   - see [Mustache Library](https://github.com/spullara/mustache.java/blob/main/compiler/src/main/java/com/github/mustachejava/functions/BundleFunctions.java)