From 2e339ef95621fafbd7f77a83bd787d85461fcc6c Mon Sep 17 00:00:00 2001
From: sanderPostma
Date: Wed, 23 Oct 2024 13:01:04 +0200
Subject: [PATCH 1/4] chore: docker production updates
---
 .docker/admin-server/Dockerfile | 1 -
 .docker/federation-server/Dockerfile | 1 -
 .docker/prod-deployment/build.sh | 6 +
 .docker/prod-deployment/docker-compose.yaml | 114 ++++++++++++++++++
 .docker/prod-deployment/push.sh | 15 +++
 .docker/prod-deployment/version-config.sh | 24 ++++
 docker-compose.yaml | 11 +-
 .../src/main/resources/application.properties | 1 +
 8 files changed, 169 insertions(+), 4 deletions(-)
 create mode 100644 .docker/prod-deployment/build.sh
 create mode 100644 .docker/prod-deployment/docker-compose.yaml
 create mode 100644 .docker/prod-deployment/push.sh
 create mode 100644 .docker/prod-deployment/version-config.sh
diff --git a/.docker/admin-server/Dockerfile b/.docker/admin-server/Dockerfile
index f912757a..87be1628 100644
--- a/.docker/admin-server/Dockerfile
+++ b/.docker/admin-server/Dockerfile
@@ -13,7 +13,6 @@ FROM openjdk:21-jdk as runner
 WORKDIR /app
-COPY .env .env
 COPY --from=builder /app/modules/admin-server/build/libs/admin-server-0.0.1.jar ./admin-server-0.0.1.jar
 ENTRYPOINT ["java", "-jar", "admin-server-0.0.1.jar"]
diff --git a/.docker/federation-server/Dockerfile b/.docker/federation-server/Dockerfile
index e9adeec1..2a95313b 100644
--- a/.docker/federation-server/Dockerfile
+++ b/.docker/federation-server/Dockerfile
@@ -13,7 +13,6 @@ FROM openjdk:21-jdk as runner
 WORKDIR /app
-COPY .env .env
 COPY --from=builder /app/modules/federation-server/build/libs/federation-server-0.0.1.jar ./federation-server-0.0.1.jar
 ENTRYPOINT ["java", "-jar", "federation-server-0.0.1.jar"]
diff --git a/.docker/prod-deployment/build.sh b/.docker/prod-deployment/build.sh
new file mode 100644
index 00000000..96c2a23e
--- /dev/null
+++ b/.docker/prod-deployment/build.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+source ./version-config.sh
+
+docker build -t ${FED_IMAGE}:${FED_VERSION} -f ../federation-server/Dockerfile ../../
+docker build -t ${ADMIN_IMAGE}:${ADMIN_VERSION} -f ../admin-server/Dockerfile ../../
diff --git a/.docker/prod-deployment/docker-compose.yaml b/.docker/prod-deployment/docker-compose.yaml
new file mode 100644
index 00000000..17faed46
--- /dev/null
+++ b/.docker/prod-deployment/docker-compose.yaml
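Review bot: Neither the `source ./version-config.sh` line nor the two `docker build` commands stop the script on failure, so a failed federation-server build, or a version-config.sh that is not found because the script was started from another directory, is followed by the admin-server build and a zero exit status; push.sh in this same patch has the same gap. Add `set -euo pipefail` and `cd "$(dirname "$0")"` directly after the shebang so the relative `../federation-server/Dockerfile` and `../../` paths resolve from the script's own location, and quote the tags as `"${FED_IMAGE}:${FED_VERSION}"` so an empty or space-containing version is rejected by docker instead of being split into extra arguments. The build context `../../` is the repository root; since the Dockerfiles in this patch stop copying `.env`, a `.dockerignore` that excludes `.env` is worth confirming so the file is at least not shipped to the daemon as context.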
@@ -0,0 +1,114 @@
+version: '3.9'
+
+services:
+ db:
+ image: postgres:latest
+ container_name: openid-federation-datastore
+ environment:
+ POSTGRES_USER: ${DATASOURCE_USER}
+ POSTGRES_PASSWORD: ${DATASOURCE_PASSWORD}
+ POSTGRES_DB: ${DATASOURCE_DB}
+ volumes:
+ - /mnt/openid-federation/volumes/postgres:/var/lib/postgresql/data
+ networks:
+ - backend
+ healthcheck:
+ test: [ "CMD-SHELL", "pg_isready -d ${DATASOURCE_DB} -U ${DATASOURCE_USER}" ]
+ interval: 3s
+ timeout: 5s
+ retries: 20
+ restart: unless-stopped
+
+ local-kms-db:
+ image: postgres:latest
+ container_name: openid-federation-local-kms-datastore
+ environment:
+ POSTGRES_USER: ${LOCAL_KMS_DATASOURCE_USER}
+ POSTGRES_PASSWORD: ${LOCAL_KMS_DATASOURCE_PASSWORD}
+ POSTGRES_DB: ${LOCAL_KMS_DATASOURCE_DB}
+ volumes:
+ - /mnt/openid-federation/volumes/local-kms:/var/lib/postgresql/data
+ networks:
+ - backend
+ healthcheck:
+ test: [ "CMD-SHELL", "pg_isready -d ${LOCAL_KMS_DATASOURCE_DB} -U ${LOCAL_KMS_DATASOURCE_USER}" ]
+ interval: 3s
+ timeout: 5s
+ retries: 20
+
+ federation-server:
+ image: sphereonregistry.azurecr.io/federation-server:latest
+ container_name: openid-federation-server
+ environment:
+ DATASOURCE_URL: ${DATASOURCE_URL}
+ DATASOURCE_USER: ${DATASOURCE_USER}
+ DATASOURCE_PASSWORD: ${DATASOURCE_PASSWORD}
+ APP_KEY: ${APP_KEY}
+ KMS_PROVIDER: ${KMS_PROVIDER}
+ LOCAL_KMS_DATASOURCE_URL: ${LOCAL_KMS_DATASOURCE_URL}
+ LOCAL_KMS_DATASOURCE_USER: ${LOCAL_KMS_DATASOURCE_USER}
+ LOCAL_KMS_DATASOURCE_PASSWORD: ${LOCAL_KMS_DATASOURCE_PASSWORD}
+ LOCAL_KMS_DATASOURCE_DB: ${LOCAL_KMS_DATASOURCE_DB}
+ ROOT_IDENTIFIER: ${ROOT_IDENTIFIER}
+ volumes:
+ - ./config/federation-server/application.properties:/app/application.properties
+ depends_on:
+ admin-server:
+ condition: service_started
+ db:
+ condition: service_healthy
+ networks:
+ - frontend
+ - backend
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=frontend"
+ - "traefik.http.routers.federation-server.entrypoints=websecure"
+ - 
"traefik.http.routers.federation-server.rule=Host(`${FEDERATION_HOSTS}`)"
+ - "traefik.http.routers.federation-server.tls.certresolver=acmeresolver"
+ - "traefik.http.services.federation-server.loadbalancer.server.port=8080"
+ - "traefik.http.services.federation-server.loadbalancer.server.scheme=http"
+ restart: unless-stopped
+
+ admin-server:
+ image: sphereonregistry.azurecr.io/federation-admin-server:latest
+ container_name: openid-federation-server-admin
+ environment:
+ DATASOURCE_URL: ${DATASOURCE_URL}
+ DATASOURCE_USER: ${DATASOURCE_USER}
+ DATASOURCE_PASSWORD: ${DATASOURCE_PASSWORD}
+ APP_KEY: ${APP_KEY}
+ KMS_PROVIDER: ${KMS_PROVIDER}
+ LOCAL_KMS_DATASOURCE_URL: ${LOCAL_KMS_DATASOURCE_URL}
+ LOCAL_KMS_DATASOURCE_USER: ${LOCAL_KMS_DATASOURCE_USER}
+ LOCAL_KMS_DATASOURCE_PASSWORD: ${LOCAL_KMS_DATASOURCE_PASSWORD}
+ LOCAL_KMS_DATASOURCE_DB: ${LOCAL_KMS_DATASOURCE_DB}
+ ROOT_IDENTIFIER: ${ROOT_IDENTIFIER}
+ volumes:
+ - ./config/admin-server/application.properties:/app/application.properties
+ depends_on:
+ db:
+ condition: service_healthy
+ local-kms-db:
+ condition: service_healthy
+ networks:
+ - frontend
+ - backend
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=frontend"
+ - "traefik.http.routers.federation-admin.entrypoints=websecure"
+ - "traefik.http.routers.federation-admin.rule=Host(`${FEDERATION_ADMIN_HOSTS}`)"
+ - "traefik.http.routers.federation-admin.tls.certresolver=acmeresolver"
+ - "traefik.http.services.federation-admin.loadbalancer.server.port=8080"
+ - "traefik.http.services.federation-admin.loadbalancer.server.scheme=http"
+ # IP Whitelist middleware
+ - "traefik.http.routers.federation-admin.middlewares=admin-whitelist-sourceip"
+ - "traefik.http.middlewares.admin-whitelist-sourceip.ipwhitelist.sourcerange=${ADMIN_IP_WHITELIST}"
+ restart: unless-stopped
+
+networks:
+ frontend:
+ external: true
+ backend:
+ driver: bridge
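Review bot: All four services in this production compose file pull mutable tags — `postgres:latest` for both databases and `:latest` for `sphereonregistry.azurecr.io/federation-server` and `federation-admin-server` — so a routine `docker compose pull` can pick up a different Postgres major (which will not start on a data directory initialised by an older major) or an application build other than the one that was tested; push.sh in this same patch publishes version-tagged images, so the file should reference those, e.g. `image: sphereonregistry.azurecr.io/federation-server:${FED_VERSION}` with the version supplied through the deployment's `.env`, or pin by digest. `local-kms-db` also lacks the `restart: unless-stopped` its sibling `db` has, so after a host reboot `db` returns but the KMS datastore that `admin-server` is health-gated on does not. `federation-server` is handed the `LOCAL_KMS_DATASOURCE_*` settings yet its `depends_on` lists only `admin-server` and `db`; adding `local-kms-db: { condition: service_healthy }` would match what `admin-server` already declares. Both healthchecks set `timeout: 5s` above `interval: 3s`; the probe still runs, but the two values are presumably intended the other way round.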
diff --git a/.docker/prod-deployment/push.sh b/.docker/prod-deployment/push.sh
new file mode 100644
index 00000000..77d27260
--- /dev/null
+++ b/.docker/prod-deployment/push.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+source ./version-config.sh
+
+# Push federation server images
+docker tag ${FED_IMAGE}:${FED_VERSION} ${REGISTRY}/${FED_IMAGE}:${FED_VERSION}
+docker push ${REGISTRY}/${FED_IMAGE}:${FED_VERSION}
+docker tag ${FED_IMAGE}:${FED_VERSION} ${REGISTRY}/${FED_IMAGE}:latest
+docker push ${REGISTRY}/${FED_IMAGE}:latest
+
+# Push admin server images
+docker tag ${ADMIN_IMAGE}:${ADMIN_VERSION} ${REGISTRY}/${ADMIN_IMAGE}:${ADMIN_VERSION}
+docker push ${REGISTRY}/${ADMIN_IMAGE}:${ADMIN_VERSION}
+docker tag ${ADMIN_IMAGE}:${ADMIN_VERSION} ${REGISTRY}/${ADMIN_IMAGE}:latest
+docker push ${REGISTRY}/${ADMIN_IMAGE}:latest
diff --git a/.docker/prod-deployment/version-config.sh b/.docker/prod-deployment/version-config.sh
new file mode 100644
index 00000000..541e6c5c
--- /dev/null
+++ b/.docker/prod-deployment/version-config.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Function to extract version from gradle file
+get_version() {
+ local gradle_file=$1
+ local version=$(grep -m 1 "version = " "$gradle_file" | cut -d'"' -f2)
+ if [ -z "$version" ]; then
+ echo "Could not find version in $gradle_file"
+ exit 1
+ fi
+ echo "$version"
+}
+
+# Base paths
+MODULES_PATH="../../modules"
+REGISTRY="sphereonregistry.azurecr.io"
+
+# Get versions
+FED_VERSION=$(get_version "${MODULES_PATH}/federation-server/build.gradle.kts")
+ADMIN_VERSION=$(get_version "${MODULES_PATH}/admin-server/build.gradle.kts")
+
+# Image names
+FED_IMAGE="federation-server"
+ADMIN_IMAGE="federation-admin-server"
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 356015bd..3237e79c 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
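Review bot: The `exit 1` inside `get_version` only ends the `$(...)` command substitution that invokes it, not the sourcing shell, and the error message goes to stdout where it is captured, so when no version is found `FED_VERSION` becomes the text `Could not find version in ...` and build.sh and push.sh proceed with that as the image tag. Report on stderr and let the caller decide: `echo "Could not find version in $gradle_file" >&2; return 1` in the function, and `FED_VERSION=$(get_version "${MODULES_PATH}/federation-server/build.gradle.kts") || exit 1` at the assignment (likewise for `ADMIN_VERSION`). `local version=$(...)` additionally discards the exit status of the `grep | cut` pipeline, so declaring `local version` on its own line before the assignment lets a `set -e` caller notice a failed grep. `grep -m 1 "version = "` takes the first matching line of the gradle file, which should be confirmed to be the module's own version rather than a dependency's.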
@@ -7,7 +7,7 @@ services:
 POSTGRES_PASSWORD: ${DATASOURCE_PASSWORD}
 POSTGRES_DB: ${DATASOURCE_DB}
 ports:
- - "5432:5432"
+ - "5436:5432"
 volumes:
 - postgres_data:/var/lib/postgresql/data
 networks:
@@ -26,7 +26,7 @@ services:
 POSTGRES_PASSWORD: ${LOCAL_KMS_DATASOURCE_PASSWORD}
 POSTGRES_DB: ${LOCAL_KMS_DATASOURCE_DB}
 ports:
- - "5433:5432"
+ - "5437:5432"
 volumes:
 - local_kms_data:/var/lib/postgresql/data
 networks:
@@ -48,6 +48,13 @@ services:
 DATASOURCE_URL: ${DATASOURCE_URL}
 DATASOURCE_USER: ${DATASOURCE_USER}
 DATASOURCE_PASSWORD: ${DATASOURCE_PASSWORD}
+ APP_KEY: ${APP_KEY}
+ KMS_PROVIDER: ${KMS_PROVIDER}
+ LOCAL_KMS_DATASOURCE_URL: ${LOCAL_KMS_DATASOURCE_URL}
+ LOCAL_KMS_DATASOURCE_USER: ${LOCAL_KMS_DATASOURCE_USER}
+ LOCAL_KMS_DATASOURCE_PASSWORD: ${LOCAL_KMS_DATASOURCE_PASSWORD}
+ LOCAL_KMS_DATASOURCE_DB: ${LOCAL_KMS_DATASOURCE_DB}
+ ROOT_IDENTIFIER: ${ROOT_IDENTIFIER}
 depends_on:
 admin-server:
 condition: service_started
diff --git a/modules/federation-server/src/main/resources/application.properties b/modules/federation-server/src/main/resources/application.properties
index 0ac4201e..4bf9cbc5 100644
--- a/modules/federation-server/src/main/resources/application.properties
+++ b/modules/federation-server/src/main/resources/application.properties
@@ -3,6 +3,7 @@ spring.application.name=OpenID Federation Server
 spring.datasource.url=${DATASOURCE_URL}
 spring.datasource.username=${DATASOURCE_USER}
 spring.datasource.password=${DATASOURCE_PASSWORD}
+
 # Mapping /actuator/health to /status
 management.endpoints.web.base-path=/
 management.endpoints.web.path-mapping.health=status
From 87aaf6c2468741b122f7f732039427f4bce25315 Mon Sep 17 00:00:00 2001
From: sanderPostma
Date: Wed, 23 Oct 2024 13:11:43 +0200
Subject: [PATCH 2/4] chore: docker production updates
---
 .docker/prod-deployment/docker-compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
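Review bot: The `@@ -48,6 +48,13 @@` hunk hands `federation-server` the `LOCAL_KMS_DATASOURCE_*` connection settings, but the visible part of its `depends_on` lists only `admin-server` with `condition: service_started`; the block continues past the hunk, so if `local-kms-db` is not among the remaining entries with `condition: service_healthy`, the server can start before the KMS datastore accepts connections. The port remaps in the first two hunks (`5432`→`5436` and `5433`→`5437`) are undone again by PATCH 4/4 of this series, so they can be dropped from this commit if the series is squashed. If `admin-server` in this file carries the same seven values (as it does in the new prod-deployment compose file), a compose extension field such as `x-app-env: &app_env` merged into both services with `<<: *app_env` would keep the two lists from drifting apart.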
diff --git a/.docker/prod-deployment/docker-compose.yaml b/.docker/prod-deployment/docker-compose.yaml
index 17faed46..244db8bf 100644
--- a/.docker/prod-deployment/docker-compose.yaml
+++ b/.docker/prod-deployment/docker-compose.yaml
@@ -64,7 +64,7 @@ services:
 - "traefik.enable=true"
 - "traefik.docker.network=frontend"
 - "traefik.http.routers.federation-server.entrypoints=websecure"
- - "traefik.http.routers.federation-server.rule=Host(`${FEDERATION_HOSTS}`)"
+ - "traefik.http.routers.federation-server.rule=`${FEDERATION_HOSTS}`"
 - "traefik.http.routers.federation-server.tls.certresolver=acmeresolver"
 - "traefik.http.services.federation-server.loadbalancer.server.port=8080"
 - "traefik.http.services.federation-server.loadbalancer.server.scheme=http"
@@ -98,7 +98,7 @@ services:
 - "traefik.enable=true"
 - "traefik.docker.network=frontend"
 - "traefik.http.routers.federation-admin.entrypoints=websecure"
- - "traefik.http.routers.federation-admin.rule=Host(`${FEDERATION_ADMIN_HOSTS}`)"
+ - "traefik.http.routers.federation-admin.rule=`${FEDERATION_ADMIN_HOSTS}`"
 - "traefik.http.routers.federation-admin.tls.certresolver=acmeresolver"
 - "traefik.http.services.federation-admin.loadbalancer.server.port=8080"
 - "traefik.http.services.federation-admin.loadbalancer.server.scheme=http"
From 75f2585ae6fa1cc7fd765b62adc6740f58f43134 Mon Sep 17 00:00:00 2001
From: sanderPostma
Date: Wed, 23 Oct 2024 13:13:58 +0200
Subject: [PATCH 3/4] chore: docker production updates
---
 .docker/prod-deployment/docker-compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.docker/prod-deployment/docker-compose.yaml b/.docker/prod-deployment/docker-compose.yaml
index 244db8bf..82a0e91c 100644
--- a/.docker/prod-deployment/docker-compose.yaml
+++ b/.docker/prod-deployment/docker-compose.yaml
@@ -64,7 +64,7 @@ services:
 - "traefik.enable=true"
 - "traefik.docker.network=frontend"
 - "traefik.http.routers.federation-server.entrypoints=websecure"
- - "traefik.http.routers.federation-server.rule=`${FEDERATION_HOSTS}`"
+ - "traefik.http.routers.federation-server.rule=${FEDERATION_HOSTS}"
 - "traefik.http.routers.federation-server.tls.certresolver=acmeresolver"
 - "traefik.http.services.federation-server.loadbalancer.server.port=8080"
 - "traefik.http.services.federation-server.loadbalancer.server.scheme=http"
@@ -98,7 +98,7 @@ services:
 - "traefik.enable=true"
 - "traefik.docker.network=frontend"
 - "traefik.http.routers.federation-admin.entrypoints=websecure"
- - "traefik.http.routers.federation-admin.rule=`${FEDERATION_ADMIN_HOSTS}`"
+ - "traefik.http.routers.federation-admin.rule=${FEDERATION_ADMIN_HOSTS}"
 - "traefik.http.routers.federation-admin.tls.certresolver=acmeresolver"
 - "traefik.http.services.federation-admin.loadbalancer.server.port=8080"
 - "traefik.http.services.federation-admin.loadbalancer.server.scheme=http"
From 682bee617b8e53e06b9e0ee6155fa2d82451d525 Mon Sep 17 00:00:00 2001
From: sanderPostma
Date: Wed, 23 Oct 2024 14:36:04 +0200
Subject: [PATCH 4/4] chore: revert docker compose ports updates
---
 docker-compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 3237e79c..85609daa 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
 POSTGRES_PASSWORD: ${DATASOURCE_PASSWORD}
 POSTGRES_DB: ${DATASOURCE_DB}
 ports:
- - "5436:5432"
+ - "5432:5432"
 volumes:
 - postgres_data:/var/lib/postgresql/data
 networks:
@@ -26,7 +26,7 @@ services:
 POSTGRES_PASSWORD: ${LOCAL_KMS_DATASOURCE_PASSWORD}
 POSTGRES_DB: ${LOCAL_KMS_DATASOURCE_DB}
 ports:
- - "5437:5432"
+ - "5433:5432"
 volumes:
 - local_kms_data:/var/lib/postgresql/data
 networks:
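Review bot: After this change the router label reads `traefik.http.routers.federation-server.rule=${FEDERATION_HOSTS}` (and the same for `federation-admin` in the `@@ -98,7 +98,7 @@` hunk), so the environment variable must now carry a complete Traefik matcher expression, backticks included, rather than the hostname the original Host() wrapper implied, and nothing in the compose file says so. A comment above each label stating that the variable holds a full Traefik rule (for instance a Host() matcher with its backticked hostname), mirrored in the deployment's `.env` template, would stop a bare hostname from reaching production, where Traefik would most likely reject it while parsing the rule. An unset variable leaves the rule empty because Compose substitutes an empty string silently; the `${FEDERATION_HOSTS:?FEDERATION_HOSTS must be set}` form makes `docker compose up` fail instead, and the same form fits `FEDERATION_ADMIN_HOSTS` and the `ADMIN_IP_WHITELIST` source range, where an empty value would leave the admin router without its intended source-IP restriction.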