Add docker build for java-spiffe-helper container #187
Conversation
moritzschmitz-oviva
force-pushed
the
add-docker-build
branch
from
2399117 to
5b12d46
Compare
java-spiffe-helper/Dockerfile
Outdated
| @@ -0,0 +1,10 @@ | |||
| FROM eclipse-temurin:17-jdk AS builder | |||
There was a problem hiding this comment.
I suggest moving this Dockerfile for java-spiffe-helper to the project's root. This simplifies build context management and path referencing, making the build process more straightforward.
There was a problem hiding this comment.
Suggestions for Dockerfile:
- Cache Gradle Dependencies: Separate Gradle config files from the rest of the code to improve caching, and run two separate gradle commands (dependencies and build).
- Non-Root User: Consider creating a non-root user in the runner stage.
- Explicit File Copying: Instead of copying the entire project context (COPY . /builder), explicitly copy only what's necessary.
- Versioning Strategy: Rethink including
JAVA_SPIFFE_HELPER_VERSIONin the Dockerfile. Tagging the Docker image with the project version might be more efficient.
There was a problem hiding this comment.
-
Explicit File Copying: I don't see any benefit here, except build time probably. 1. The context file won't end up in the final image. 2. Every change to the dependencies of
java-spiffe-helperwould require an adjustment of theDockerfileas well. -
Versioning Strategy: Yeah, my issue here was that the name of the built
Jaris dependent on the version. Solved this now by setting some special version duringdocker build. Easier to find and copy then.
| --chown=nobody:nobody \ | ||
| /builder/java-spiffe-helper/build/libs/java-spiffe-helper-docker-docker.jar /app/java-spiffe-helper.jar | ||
| USER nobody | ||
| ENTRYPOINT ["java", "-jar", "/app/java-spiffe-helper.jar"] |
There was a problem hiding this comment.
The ENTRYPOINT requires a --config configfile parameter. I'm submitting a PR to add a default config file and set a default for this parameter.
There was a problem hiding this comment.
Yeah, wasn't sure about this one. Effectively the app doesn't start without it, but I didn't want to force users to a location for the file.
There was a problem hiding this comment.
ENTRYPOINT ["java", "-jar", "/app/java-spiffe-helper.jar"]
COMMAND ["--config", "/etc/java-spiffe-helper.conf"]
So by default it works if they mount the config file in the right place, or they can easily override it otherwise?
There was a problem hiding this comment.
Probably the way to go, yes! Will add it now so no PR necessary.
There was a problem hiding this comment.
I believe it would be beneficial to implement a default value for the --config parameter. This change would enable the application to run out of the box. I'll be submitting the PR shortly.
moritzschmitz-oviva
force-pushed
the
add-docker-build
branch
3 times, most recently
from
6823bfd to
03b04a7
Compare
java-spiffe-helper/example.conf
Outdated
| keyStorePath = /tmp/keystore.p12 | ||
| keyStorePass = example123 | ||
| keyPass = pass123 | ||
|
|
||
| trustStorePath = /tmp/truststore.p12 | ||
| trustStorePass = otherpass123 | ||
|
|
||
| keyStoreType = pkcs12 | ||
|
|
||
| keyAlias = spiffe | ||
|
|
||
| spiffeSocketPath = unix:/tmp/agent.sock |
There was a problem hiding this comment.
This file is redundant now as #199 is merged, which adds a java-spiffe-helper.properties, an example configuration in the default config path. That file could be copied in the Dockerfile. WDYT?
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
…sion to gradle properties Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Co-authored-by: Ryan Turner <[email protected]> Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
moritzschmitz-oviva
force-pushed
the
add-docker-build
branch
from
c74a83f to
5dc3aa6
Compare
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Thank you. Made the adjustments. |
No description provided.