From aab6b36791d570e4331b2b9a036a324711a65928 Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Fri, 13 Sep 2024 18:17:44 +0300
Subject: [PATCH 01/12] Add .github/workflows/docker-release.yml for creating cdoc2-server-liquibase Docker image
---
 .github/workflows/docker-release.yml | 63 ++++++++++++++++++++++
 server-db/src/main/resources/db/Dockerfile | 4 +-
 2 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/docker-release.yml
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
new file mode 100644
index 00000000..b9b6e421
--- /dev/null
+++ b/.github/workflows/docker-release.yml
@@ -0,0 +1,63 @@
+#
+name: Create and publish a Docker cdoc2-server-liquibase image
+
+# Configures this workflow to run every time release is created
+on:
+ release:
+ types: [created]
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: cdoc2-server-liquibase
+ #IMAGE_NAME: ${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/cdoc2-put-server:${TAG}-${GITHUB_SHA}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+ #
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/${IMAGE_NAME}:${TAG}-${GITHUB_SHA}
+ # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+ # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+ # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+ - name: Build and push Docker image
+ id: push
+ uses: docker/build-push-action@v5
+ with:
+ context: server-db/src/main/resources/db
+ #file: server-db/src/main/resources/db/Dockerfile
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ #subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+ subject-name: ${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/${IMAGE_NAME}:${TAG}-${GITHUB_SHA}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
diff --git a/server-db/src/main/resources/db/Dockerfile b/server-db/src/main/resources/db/Dockerfile
index 3b47da05..ae75bd17 100644
--- a/server-db/src/main/resources/db/Dockerfile
+++ b/server-db/src/main/resources/db/Dockerfile
@@ -1,5 +1,5 @@
-# this file is used to build a docker image for upgrading the database in RIA infra
-FROM nexus.riaint.ee:8500/liquibase/liquibase
+# TODO: support for multiple registries
+FROM liquibase/liquibase
 WORKDIR /liquibase/changelog
From d057497eb501ccf6bd433fcf9e6a4ef75bb81a92 Mon Sep 17 00:00:00 2001
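Review bot: Every `uses:` in the new docker-release.yml references a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v5`, `actions/attest-build-provenance@v1`) inside a job that holds `packages: write` and `id-token: write` and signs provenance for the published image, so whatever those tags resolve to at release time runs with the credentials that publish and attest the artifact. Pin each action to a full commit SHA and keep the version in a trailing comment, e.g. `uses: docker/login-action@<commit-sha>  # v3`, and let an updater move the pins. The `images:` and `subject-name:` values also use shell-style `${REGISTRY}` references that the Actions runner does not expand in workflow YAML; the following patches in this series replace them with `${{ }}` expressions, so only the pinning point remains open for this hunk.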
From: Janno Kusman
Date: Fri, 13 Sep 2024 18:29:28 +0300
Subject: [PATCH 02/12] vars using ${{name}} format
---
 .github/workflows/docker-release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index b9b6e421..9082041f 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -38,7 +38,7 @@ jobs:
 id: meta
 uses: docker/metadata-action@v5
 with:
- images: ${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/${IMAGE_NAME}:${TAG}-${GITHUB_SHA}
+ images: ${{ github.actor }}/${{ env.IMAGE_NAME }}
 # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
 # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
 # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
@@ -57,7 +57,7 @@ jobs:
 uses: actions/attest-build-provenance@v1
 with:
 #subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
- subject-name: ${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/${IMAGE_NAME}:${TAG}-${GITHUB_SHA}
+ subject-name: ${{ github.actor }}/${{ env.IMAGE_NAME }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
From 991d9af3fdbf42c8674cfbff06d66fef5522442c Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Fri, 13 Sep 2024 18:33:52 +0300
Subject: [PATCH 03/12] specify registry for images
---
 .github/workflows/docker-release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 9082041f..89b131ca 100644
--- a/.github/workflows/docker-release.yml
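Review bot: `${{ github.actor }}` in the new `images:` value, and in the `subject-name:` of the second hunk, is the account that triggered the `release` event rather than the repository owner, so the image and its attestation are addressed under whichever user created the release, while the `GITHUB_TOKEN` used by the login step is scoped to packages under the repository's owner. The line being replaced already had the right namespace in mind with `GITHUB_REPOSITORY_OWNER`; the expression form is `images: ${{ github.repository_owner }}/${{ env.IMAGE_NAME }}` and `subject-name: ${{ github.repository_owner }}/${{ env.IMAGE_NAME }}`. Patches 03 and 04 carry the same `github.actor` reference forward into the registry-qualified `images:`, `subject-name:` and `tags:` values, and the image reference documented in postgres.README.md in patch 05 sits under a personal namespace while the README links to the open-eid organisation's packages, which looks like a symptom of the same choice.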
+++ b/.github/workflows/docker-release.yml
@@ -38,7 +38,7 @@ jobs:
 id: meta
 uses: docker/metadata-action@v5
 with:
- images: ${{ github.actor }}/${{ env.IMAGE_NAME }}
+ images: ${{ env.REGISTRY }}/${{ github.actor }}/${{ env.IMAGE_NAME }}
 # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
 # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
 # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
@@ -57,7 +57,7 @@ jobs:
 uses: actions/attest-build-provenance@v1
 with:
 #subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
- subject-name: ${{ github.actor }}/${{ env.IMAGE_NAME }}
+ subject-name: ${{ env.REGISTRY }}/${{ github.actor }}/${{ env.IMAGE_NAME }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
From 2bf479fd63cdf4c7277fcbef799e3da801cf741f Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Fri, 13 Sep 2024 18:52:16 +0300
Subject: [PATCH 04/12] try to tag similarly to cdoc2-*-server images
---
 .github/workflows/docker-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 89b131ca..5800d41e 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -49,7 +49,7 @@ jobs:
 context: server-db/src/main/resources/db
 #file: server-db/src/main/resources/db/Dockerfile
 push: true
- tags: ${{ steps.meta.outputs.tags }}
+ tags: ${{ env.REGISTRY }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}-${{ github.sha }}
 labels: ${{ steps.meta.outputs.labels }}
 # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
From d18f7e5e07ab685bcafb3e45775ce27a9872be1d Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Tue, 17 Sep 2024 12:53:50 +0300
Subject: [PATCH 05/12] Add documentation how to use cdoc2-server-liquibase image
---
 README.md | 5 +++--
 postgres.README.md | 24 ++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index baa2822d..9f2639da 100644
--- a/README.md
+++ b/README.md
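Review bot: The new `tags:` value hard-codes the full image reference a second time, so the `meta` step's `images:` now only feeds `labels:` and the image name has to be kept in sync by hand across `meta`, `tags:` and the attestation's `subject-name:`. If a single `<ref_name>-<sha>` tag is the intent, declaring it in the metadata step (`tags: type=raw,value=${{ github.ref_name }}-${{ github.sha }}`) and keeping `tags: ${{ steps.meta.outputs.tags }}` here leaves one source for the name and keeps the generated OCI labels consistent with the tag that is actually pushed. The enclosing `Build and push Docker image` step starts before this hunk.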
@@ -77,9 +77,10 @@ See [getting-started.md](getting-started.md) and [admin-guide.md](admin-guide.md
 Download `cdoc2-put-server` and `cdoc2-get-server` images from [open-eid Container registry](https://github.com/orgs/open-eid/packages?ecosystem=container)
-[ghcr.io login](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic)
+* See [cdoc2-gatling-tests/setup-load-testing](https://github.com/open-eid/cdoc2-gatling-tests/tree/master/setup-load-testing) for `docker run` examples
+* See [cdoc2-java-ref-impl/test/config/server/docker-compose.yml](https://github.com/open-eid/cdoc2-java-ref-impl/blob/master/test/test/config/server/docker-compose.yml) for `docker compose` example
-TODO: Configuring Docker images
+To create `cdoc2` database required by `put-server` and `get-server` see [postgres.README.md](postgres.README.md)
 ## Releasing and versioning
diff --git a/postgres.README.md b/postgres.README.md
index be7606c9..ab3e55fb 100644
--- a/postgres.README.md
+++ b/postgres.README.md
@@ -1,4 +1,4 @@
-Create postgres instance inside docker
+## Create postgres instance inside docker
 ```
 docker run --name cdoc2-psql -p 5432:5432 -e POSTGRES_DB=cdoc2 -e POSTGRES_PASSWORD=secret -d postgres
@@ -6,4 +6,24 @@ docker run --name cdoc2-psql -p 5432:5432 -e POSTGRES_DB=cdoc2 -e POSTGRES_PASSW
 docker start cdoc2-psql
 docker stop cdoc2-psql
 ```
-#docker rm cdoc2-psql
\ No newline at end of file
+#docker rm cdoc2-psql
+
+
+## Create cdoc2 database
+
+Download `cdoc2-server-liquibase` image (version must match server version) that contains liquibase changeset files
+specific to server version and create a `cdoc2` database. If database is running inside Docker, then
+`--link` is required, so that liquibase container can connect to it.
+```
+docker run --link cdoc2-psql \
+ghcr.io/jann0k/cdoc2-server-liquibase:v1.4.0-liquibase.4-2bf479fd63cdf4c7277fcbef799e3da801cf741f \
+--url jdbc:postgresql://cdoc2-psql/cdoc2 \
+--username=postgres \
+--password=secret \
+--defaultsFile=liquibase.properties \
+update
+```
+
+Can also be used to update DB running in other host by changing `--url`, `--username` and `--password` parameters.
+
+More info https://hub.docker.com/r/liquibase/liquibase
\ No newline at end of file
From fd01ea76d705a9049b3b2841cd222f8e5fdf4f9a Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Tue, 17 Sep 2024 13:02:19 +0300
Subject: [PATCH 06/12] Add latest tag to liquibase/liquibase to make SonarCloud happy
---
 server-db/src/main/resources/db/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server-db/src/main/resources/db/Dockerfile b/server-db/src/main/resources/db/Dockerfile
index ae75bd17..49feb114 100644
--- a/server-db/src/main/resources/db/Dockerfile
+++ b/server-db/src/main/resources/db/Dockerfile
@@ -1,5 +1,5 @@
 # TODO: support for multiple registries
-FROM liquibase/liquibase
+FROM liquibase/liquibase:latest
 WORKDIR /liquibase/changelog
From 52cbf46d5d2deb4a3ef3e1bff3491f10c89f21fa Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Tue, 17 Sep 2024 13:05:17 +0300
Subject: [PATCH 07/12] Add specific version tag to liquibase/liquibase to make SonarCloud happy
---
 server-db/src/main/resources/db/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server-db/src/main/resources/db/Dockerfile b/server-db/src/main/resources/db/Dockerfile
index 49feb114..79022ddb 100644
--- a/server-db/src/main/resources/db/Dockerfile
+++ b/server-db/src/main/resources/db/Dockerfile
@@ -1,5 +1,5 @@
 # TODO: support for multiple registries
-FROM liquibase/liquibase:latest
+FROM liquibase/liquibase:4.29.2
 WORKDIR /liquibase/changelog
From 2cd3ab30fc17fd5c20ec656393123e95864ce21a Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Tue, 17 Sep 2024 14:30:17 +0300
Subject: [PATCH 08/12] Read liquibase base image from build-arg (ARG)
---
 server-db/src/main/resources/db/Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/server-db/src/main/resources/db/Dockerfile b/server-db/src/main/resources/db/Dockerfile
index 79022ddb..6a2881a9 100644
--- a/server-db/src/main/resources/db/Dockerfile
+++ b/server-db/src/main/resources/db/Dockerfile
@@ -1,5 +1,7 @@
-# TODO: support for multiple registries
-FROM liquibase/liquibase:4.29.2
+# by default use docker.io as Docker registry, ovewrite with
+# --build-arg LIQUIBASE_IMAGE=custom.registry.io:8500/liquibase/liquibase
+ARG LIQUIBASE_IMAGE=docker.io/liquibase/liquibase:4.29.2
+FROM $LIQUIBASE_IMAGE
 WORKDIR /liquibase/changelog
From 5dcfbed8a380d541f7ca625e24adee9b865b1626 Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Tue, 17 Sep 2024 14:31:43 +0300
Subject: [PATCH 09/12] fix type
---
 server-db/src/main/resources/db/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server-db/src/main/resources/db/Dockerfile b/server-db/src/main/resources/db/Dockerfile
index 6a2881a9..46e24aa0 100644
--- a/server-db/src/main/resources/db/Dockerfile
+++ b/server-db/src/main/resources/db/Dockerfile
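Review bot: `ARG LIQUIBASE_IMAGE` is declared in the patch 08 hunk but nothing in this series passes it from CI — the `docker/build-push-action` step added in patch 01 has no `build-args:` input — so the registry override the comment describes is reachable only from a manual `docker build`. If CI builds are meant to use it too, add `build-args: LIQUIBASE_IMAGE=<image-ref>` to that step; otherwise a comment such as `# CI builds use the default below; the override is for local builds only` would make the scope explicit. Separately, the default still resolves a mutable tag (`4.29.2`); pinning it to a digest as well (`docker.io/liquibase/liquibase:4.29.2@sha256:<digest>`) makes the base image reproducible, which matters once the workflow publishes a provenance attestation for the result. The Dockerfile continues past the hunk.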
@@ -1,4 +1,4 @@
-# by default use docker.io as Docker registry, ovewrite with
+# by default use docker.io as Docker registry, overwrite with
 # --build-arg LIQUIBASE_IMAGE=custom.registry.io:8500/liquibase/liquibase
 ARG LIQUIBASE_IMAGE=docker.io/liquibase/liquibase:4.29.2
 FROM $LIQUIBASE_IMAGE
From d0d419bed0cc31065fb7e510dba0203ca388c152 Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Tue, 17 Sep 2024 17:51:51 +0300
Subject: [PATCH 10/12] run as USER liquibase
---
 server-db/src/main/resources/db/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server-db/src/main/resources/db/Dockerfile b/server-db/src/main/resources/db/Dockerfile
index 46e24aa0..f598f2cc 100644
--- a/server-db/src/main/resources/db/Dockerfile
+++ b/server-db/src/main/resources/db/Dockerfile
@@ -2,6 +2,7 @@
 # --build-arg LIQUIBASE_IMAGE=custom.registry.io:8500/liquibase/liquibase
 ARG LIQUIBASE_IMAGE=docker.io/liquibase/liquibase:4.29.2
 FROM $LIQUIBASE_IMAGE
+USER liquibase
 WORKDIR /liquibase/changelog
From 86aca0d1b9c2fa1053dd636edf5d164e49fdbceb Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Wed, 18 Sep 2024 10:32:38 +0300
Subject: [PATCH 11/12] documentation updates for running cdoc2-server-liquibase
---
 postgres.README.md | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/postgres.README.md b/postgres.README.md
index ab3e55fb..48f3fd59 100644
--- a/postgres.README.md
+++ b/postgres.README.md
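Review bot: `USER liquibase` now precedes `WORKDIR` and whatever instructions follow the hunk, so any later `COPY` of changelog files still produces root-owned files unless it uses `--chown=liquibase`, and the build fails at this line if the image selected through `LIQUIBASE_IMAGE` does not define a `liquibase` account. Both assumptions are worth recording next to the line, e.g. `# base image must provide user 'liquibase'; a later COPY needs --chown=liquibase for files it should own`. The Dockerfile continues past the hunk, so whether a COPY follows is not visible here.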
@@ -11,16 +11,27 @@ docker stop cdoc2-psql
 ## Create cdoc2 database
-Download `cdoc2-server-liquibase` image (version must match server version) that contains liquibase changeset files
+Download [cdoc2-server-liquibase](https://github.com/orgs/open-eid/packages?ecosystem=container) image
+(version must match server version) that contains liquibase changeset files
 specific to server version and create a `cdoc2` database. If database is running inside Docker, then
 `--link` is required, so that liquibase container can connect to it.
+```
+docker run --rm --link cdoc2-psql \
+ --env DB_URL=jdbc:postgresql://cdoc2-psql/cdoc2 \
+ --env DB_PASSWORD=secret \
+ --env DB_USER=postgres \
+ ghcr.io/jann0k/cdoc2-server-liquibase:v1.4.0-liquibase.4-2bf479fd63cdf4c7277fcbef799e3da801cf741f
+```
+
+or use standard liquibase command options:
+
 ```
 docker run --link cdoc2-psql \
 ghcr.io/jann0k/cdoc2-server-liquibase:v1.4.0-liquibase.4-2bf479fd63cdf4c7277fcbef799e3da801cf741f \
---url jdbc:postgresql://cdoc2-psql/cdoc2 \
---username=postgres \
---password=secret \
---defaultsFile=liquibase.properties \
+ --url jdbc:postgresql://cdoc2-psql/cdoc2 \
+ --username=postgres \
+ --password=secret \
+ --defaultsFile=liquibase.properties \
 update
 ```
From 075aa24a6c2e28083dee041a7cb8362d766e0cf4 Mon Sep 17 00:00:00 2001
From: Janno Kusman
Date: Wed, 18 Sep 2024 10:38:15 +0300
Subject: [PATCH 12/12] Add `--rm` `to docker run` in documentation
---
 postgres.README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/postgres.README.md b/postgres.README.md
index 48f3fd59..d1b90e29 100644
--- a/postgres.README.md
+++ b/postgres.README.md
@@ -26,7 +26,7 @@ docker run --rm --link cdoc2-psql \
 or use standard liquibase command options:
 ```
-docker run --link cdoc2-psql \
+docker run --rm --link cdoc2-psql \
 ghcr.io/jann0k/cdoc2-server-liquibase:v1.4.0-liquibase.4-2bf479fd63cdf4c7277fcbef799e3da801cf741f \
 --url jdbc:postgresql://cdoc2-psql/cdoc2 \
 --username=postgres \
@@ -35,6 +35,7 @@ ghcr.io/jann0k/cdoc2-server-liquibase:v1.4.0-liquibase.4-2bf479fd63cdf4c7277fcbe
 update
 ```
-Can also be used to update DB running in other host by changing `--url`, `--username` and `--password` parameters.
+Can also be used to update DB running in other host by changing `--url`, `--username` and `--password` parameters.
+Then `--link` is not required.
 More info https://hub.docker.com/r/liquibase/liquibase
\ No newline at end of file