From f04848c950eb2e6ef570a75068ad14946f285ee9 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Mon, 3 Nov 2025 17:10:07 +0100 Subject: [PATCH 1/2] chore: update deployment resources Signed-off-by: Ruben Romero Montes --- deploy/README-docker.md | 174 +++++++++++++ deploy/docker-compose.application.yml | 38 +++ deploy/docker-compose.infra-sso.yml | 24 ++ deploy/docker-compose.infrastructure.yml | 39 +++ deploy/env.example | 4 + deploy/monitoring.yaml | 16 -- deploy/openshift/template.yaml | 285 ---------------------- deploy/trust-da.yaml | 20 +- src/main/docker/Dockerfile.jvm | 93 ------- src/main/docker/Dockerfile.multi-stage | 2 +- src/main/docker/Dockerfile.native | 27 -- src/main/resources/application.properties | 6 +- 12 files changed, 287 insertions(+), 441 deletions(-) create mode 100644 deploy/README-docker.md create mode 100644 deploy/docker-compose.application.yml create mode 100644 deploy/docker-compose.infra-sso.yml create mode 100644 deploy/docker-compose.infrastructure.yml create mode 100644 deploy/env.example delete mode 100644 deploy/monitoring.yaml delete mode 100644 deploy/openshift/template.yaml delete mode 100644 src/main/docker/Dockerfile.jvm delete mode 100644 src/main/docker/Dockerfile.native diff --git a/deploy/README-docker.md b/deploy/README-docker.md new file mode 100644 index 00000000..036d2018 --- /dev/null +++ b/deploy/README-docker.md 
@@ -0,0 +1,174 @@ +# Trustify Docker Compose Deployment + +This directory contains Docker Compose files for local development deployment of Trustify with its required infrastructure components. + +## Files + +- `docker-compose.infrastructure.yml` - Infrastructure services (Redis, PostgreSQL) +- `docker-compose.infra-sso.yml` - Infrastructure services (Keycloak) +- `docker-compose.application.yml` - Application service (trust-da) +- `env.example` - Environment variables template + +## Quick Start + +### 1. Start Infrastructure Services + +```bash +# Start Redis, PostgreSQL, and Keycloak +docker-compose -f docker-compose.infrastructure.yml up -d + +# Start Keycloak +docker-compose -f docker-compose.infra-sso.yml up -d + +# Check if services are healthy +docker-compose -f docker-compose.infrastructure.yml ps +``` + +### 2. Configure Environment (Optional) + +```bash +# Copy environment template +cp env.example .env + +# Edit .env with your actual values +nano .env +``` + +### 3. Start Application + +```bash +# Start the trust-da application +docker-compose -f docker-compose.application.yml up -d + +# Check application status +docker-compose -f docker-compose.application.yml ps +``` + +## Services + +### Infrastructure Services + +| Service | Port | Description | +|---------|------|-------------| +| Redis | 6379 | Cache and session storage | +| PostgreSQL | 5432 | Database for Keycloak and application | +| Keycloak | 8080 | Identity and access management | + +### Application Services + +| Service | Port | Description | +|---------|------|-------------| +| trust-da | 8081 | Main application (mapped from 8080) | +| trust-da | 9001 | Management/health endpoints (mapped from 9000) | + +## Access Points + +- **Application**: http://localhost:8081 +- **Keycloak Admin**: http://localhost:8080 + - Username: `admin` + - Password: `admin123` +- **PostgreSQL**: localhost:5432 + - Database: `trustify` + - Username: `trustify` + - Password: `trustify123` +- **Redis**: 
localhost:6379 + - Password: `trustify123` + +## Health Checks + +All services include health checks. You can monitor them with: + +```bash +# Check infrastructure health +docker-compose -f docker-compose.infrastructure.yml ps + +# Check Keycloak health +docker-compose -f docker-compose.infra-sso.yml ps + +# Check application health +docker-compose -f docker-compose.application.yml ps +``` + +## Logs + +```bash +# View infrastructure logs +docker-compose -f docker-compose.infrastructure.yml logs -f + +# View Keycloak logs +docker-compose -f docker-compose.infra-sso.yml logs -f + +# View application logs +docker-compose -f docker-compose.application.yml logs -f + +# View specific service logs +docker-compose -f docker-compose.application.yml logs -f trust-da +``` + +## Stopping Services + +```bash +# Stop application +docker-compose -f docker-compose.application.yml down +# Stop Keycloak +docker-compose -f docker-compose.infa-sso.yml down +# Stop infrastructure +docker-compose -f docker-compose.infrastructure.yml down + +# Stop everything and remove volumes +docker-compose -f docker-compose.infrastructure.yml down -v +docker-compose -f docker-compose.infra-sso.yml down +docker-compose -f docker-compose.application.yml down +``` + +## Data Persistence + +- **PostgreSQL data**: Stored in Docker volume `postgres_data` +- **Redis data**: Stored in Docker volume `redis_data` + +To reset all data: + +```bash +docker-compose -f docker-compose.infrastructure.yml down -v +``` + +## Environment Variables + +Create a `.env` file based on `env.example` to customize: + +- `TRUSTIFY_CLIENT_ID`: Your Trustify client ID +- `TRUSTIFY_CLIENT_SECRET`: Your Trustify client secret +- `SENTRY_DSN`: Sentry DSN for error tracking +- `TELEMETRY_WRITE_KEY`: Telemetry write key + +## Troubleshooting + +### Services not starting + +```bash +# Check logs for errors +docker-compose -f docker-compose.infrastructure.yml logs +docker-compose -f docker-compose.application.yml logs + +# Restart 
services
+docker-compose -f docker-compose.infrastructure.yml restart
+docker-compose -f docker-compose.application.yml restart
+```
+
+### Port conflicts
+
+If you have port conflicts, modify the port mappings in the compose files:
+
+```yaml
+ports:
+ - "8082:8080" # Change 8081 to 8082
+```
+
+### Network issues
+
+The application uses an external network. If you encounter network issues:
+
+```bash
+# Create the network manually
+docker network create trustify-network
+```
diff --git a/deploy/docker-compose.application.yml b/deploy/docker-compose.application.yml
new file mode 100644
index 00000000..d088b42a
--- /dev/null
+++ b/deploy/docker-compose.application.yml
@@ -0,0 +1,38 @@
+version: '3.8'
+
+services:
+ trust-da:
+ image: trust-da:latest
+ container_name: trustify-trust-da
+ ports:
+ - "8081:8080" # Application port
+ - "9001:9000" # Management port
+ environment:
+ # Monitoring
+ MONITORING_ENABLED: "false"
+
+ # Database
+ DB_REDIS_HOST: redis
+ DB_REDIS_PORT: 6379
+
+ # Trustify
+ TRUSTIFY_HOST: ${TRUSTIFY_HOST:-https://rhtpa.stage.devshift.net/api/v2/}
+ TRUSTIFY_CLIENT_ID: ${TRUSTIFY_CLIENT_ID:-your-trustify-client-id}
+ TRUSTIFY_CLIENT_SECRET: ${TRUSTIFY_CLIENT_SECRET:-your-trustify-client-secret}
+ TRUSTIFY_AUTH_SERVER_URL: http://keycloak:8080
+ depends_on:
+ redis:
+ condition: service_healthy
+ keycloak:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:9000/q/health/ready"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ restart: unless-stopped
+
+networks:
+ default:
+ name: trustify-network
+ external: true
diff --git a/deploy/docker-compose.infra-sso.yml b/deploy/docker-compose.infra-sso.yml
new file mode 100644
index 00000000..918b47d7
--- /dev/null
+++ b/deploy/docker-compose.infra-sso.yml
@@ -0,0 +1,24 @@
+version: '3.8'
+
+services:
+ keycloak:
+ image: quay.io/keycloak/keycloak:26.4
+ container_name: trustify-keycloak
+ ports:
+ - "8080:8080"
+ environment:
+ KEYCLOAK_ADMIN: admin
+ KEYCLOAK_ADMIN_PASSWORD: admin123
+ KC_DB: postgres
+ KC_DB_URL: jdbc:postgresql://postgres:5432/trustify
+ KC_DB_USERNAME: trustify
+ KC_DB_PASSWORD: trustify123
+ command: start-dev
+ depends_on:
+ postgres:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
diff --git a/deploy/docker-compose.infrastructure.yml b/deploy/docker-compose.infrastructure.yml
new file mode 100644
index 00000000..79e08429
--- /dev/null
+++ b/deploy/docker-compose.infrastructure.yml
@@ -0,0 +1,39 @@
+version: '3.8'
+
+services:
+ redis:
+ image: redis:8-alpine
+ container_name: trustify-redis
+ ports:
+ - "6379:6379"
+ volumes:
+ - redis_data:/data
+ environment:
+ - REDIS_PASSWORD=trustify123
+ command: redis-server --requirepass trustify123
+ healthcheck:
+ test: ["CMD", "redis-cli", "--raw", "incr", "ping"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ postgres:
+ image: postgres:18-alpine
+ container_name: trustify-postgres
+ ports:
+ - "5432:5432"
+ environment:
+ POSTGRES_DB: trustify
+ POSTGRES_USER: trustify
+ POSTGRES_PASSWORD: trustify123
+ volumes:
+ - postgres_data:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U trustify -d trustify"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+volumes:
+ redis_data:
+ postgres_data:
diff --git a/deploy/env.example b/deploy/env.example
new file mode 100644
index 00000000..4f44a5da
--- /dev/null
+++ b/deploy/env.example
@@ -0,0 +1,4 @@
+# Trustify Configuration
+TRUSTIFY_HOST=http://trustify.example.com/api/v2/
+TRUSTIFY_CLIENT_ID=your-trustify-client-id
+TRUSTIFY_CLIENT_SECRET=your-trustify-client-secret
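Review bot: `postgres_data:/var/lib/postgresql/data` may persist nothing with `postgres:18-alpine`: as far as I recall, the 18 image moved its data directory below `/var/lib/postgresql` and declares its volume there, in which case the cluster would land in an anonymous volume and be lost on recreation; please verify against the image documentation and, if so, mount `- postgres_data:/var/lib/postgresql` instead. The Redis probe `redis-cli --raw incr ping` also writes a counter key on every health check and runs without the password that `--requirepass` enforces on the same service; `["CMD", "redis-cli", "ping"]` checks liveness without mutating data (it needs `-a` or `REDISCLI_AUTH` while the password is in effect). The `REDIS_PASSWORD` entry under `environment` has no effect on the stock `redis` image, so it only duplicates the secret that the `command` line already sets.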
diff --git a/deploy/monitoring.yaml b/deploy/monitoring.yaml deleted file mode 100644 index 7b4b7a00..00000000 --- a/deploy/monitoring.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: - k8s-app: exhort-monitor - name: exhort-monitor - namespace: exhort -spec: - endpoints: - - interval: 30s - port: "web" - scheme: http - path: /q/metrics - selector: - matchLabels: - app: exhort \ No newline at end of file diff --git a/deploy/openshift/template.yaml b/deploy/openshift/template.yaml deleted file mode 100644 index a44b09a2..00000000 --- a/deploy/openshift/template.yaml +++ /dev/null 
@@ -1,285 +0,0 @@ -kind: Template -apiVersion: template.openshift.io/v1 -metadata: - name: exhort -labels: - template: exhort -objects: - - kind: ServiceAccount - apiVersion: v1 - metadata: - name: '${SERVICE_ACCOUNT_NAME}' - - kind: Service - apiVersion: v1 - metadata: - name: '${SERVICE_NAME}' - labels: - app-name: '${APP_NAME}' - spec: - ports: - - name: http - protocol: TCP - appProtocol: http - port: '${{SERVICE_PORT}}' - targetPort: http - - name: management - protocol: TCP - appProtocol: http - port: '${{MANAGEMENT_PORT}}' - targetPort: management - selector: - app: '${APP_NAME}' - - kind: Deployment - apiVersion: apps/v1 - metadata: - name: '${APP_NAME}' - spec: - replicas: '${{REPLICAS}}' - selector: - matchLabels: - app: '${APP_NAME}' - template: - metadata: - labels: - app: '${APP_NAME}' - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - '${APP_NAME}' - topologyKey: kubernetes.io/hostname - weight: 90 - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - '${APP_NAME}' - topologyKey: topology.kubernetes.io/zone - weight: 100 - containers: - - name: app - image: '${IMAGE}:${IMAGE_TAG}' - livenessProbe: - httpGet: - path: /q/health/live - port: '${{MANAGEMENT_PORT}}' - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /q/health/ready - port: '${{MANAGEMENT_PORT}}' - initialDelaySeconds: 2 - periodSeconds: 15 - ports: - - name: http - containerPort: '${{SERVICE_PORT}}' - protocol: TCP - - name: management - containerPort: '${{MANAGEMENT_PORT}}' - protocol: TCP - env: - - name: PROVIDER_RHTPA_HOST - value: '${RHTPA_HOST}' - - name: PROVIDER_RHTPA_AUTH_SERVER_URL - value: '${RHTPA_AUTH_SERVER_URL}' - - name: PROVIDER_RHTPA_AUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: trust-da-secret - key: rhtpa.client.id - - name: 
PROVIDER_RHTPA_AUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: trust-da-secret - key: rhtpa.client.secret - - name: PROVIDER_RHTPA_DISABLED - value: '${RHTPA_DISABLED}' - - name: TELEMETRY_WRITE_KEY - valueFrom: - secretKeyRef: - name: trust-da-secret - key: telemetry-write-key - - name: DB_REDIS_HOST - valueFrom: - secretKeyRef: - name: '${ELASTICACHE_SECRET}' - key: db.endpoint - - name: DB_REDIS_PORT - valueFrom: - secretKeyRef: - name: '${ELASTICACHE_SECRET}' - key: db.port - - name: DB_POSTGRES_HOST - valueFrom: - secretKeyRef: - name: '${POSTGRES_SECRET}' - key: db.host - - name: DB_POSTGRES_PORT - valueFrom: - secretKeyRef: - name: '${POSTGRES_SECRET}' - key: db.port - - name: DB_POSTGRES_USER - valueFrom: - secretKeyRef: - name: '${POSTGRES_SECRET}' - key: db.user - - name: DB_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: '${POSTGRES_SECRET}' - key: db.password - - name: DB_POSTGRES_DATABASE - valueFrom: - secretKeyRef: - name: '${POSTGRES_SECRET}' - key: db.name - - name: DB_POSTGRES_CA_CERT - valueFrom: - secretKeyRef: - name: '${POSTGRES_SECRET}' - key: db.ca_cert - - name: DB_POSTGRES_SSLMODE - value: '${POSTGRES_SSLMODE}' - - name: MONITORING_ENABLED - value: "true" - - name: MONITORING_SENTRY_DSN - valueFrom: - secretKeyRef: - name: '${PROJECT_NAME}-dsn' - key: dsn - - name: MONITORING_SENTRY_SERVERNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MONITORING_SENTRY_ENVIRONMENT - value: '${ENV_NAME}' - - name: QUARKUS_HTTP_PORT - value: '8080' - - name: QUARKUS_MANAGEMENT_PORT - value: '9000' - - name: QUARKUS_REDIS_MAX_POOL_SIZE - value: '20' - - name: QUARKUS_REDIS_MAX_POOL_WAITING - value: '100' - securityContext: - runAsNonRoot: true - resources: - limits: - cpu: ${CPU_LIMIT} - memory: ${MEMORY_LIMIT} - requests: - cpu: ${CPU_REQUEST} - memory: ${MEMORY_REQUEST} - imagePullPolicy: Always - restartPolicy: Always - serviceAccountName: '${SERVICE_ACCOUNT_NAME}' - -parameters: - - name: APP_NAME - displayName: 
Application name - description: Application name - value: exhort - required: true - - name: REPLICAS - displayName: Replicas - description: Number of desired pods - value: '1' - required: true - - name: IMAGE - displayName: Container image name - description: Container image name - value: quay.io/redhat-services-prod/trusted-content/exhort - required: true - - name: IMAGE_TAG - displayName: Container image tag - description: Container image tag - value: latest - required: true - - name: SERVICE_ACCOUNT_NAME - displayName: ServiceAccount name - description: The name of the ServiceAccount to use to run this pod. - value: exhort-sa - required: true - - name: SERVICE_NAME - displayName: Service name - description: Service name - value: exhort - required: true - - name: ELASTICACHE_SECRET - displayName: Elasticache Secret - description: Name of the secret containing the Elasticache settings - value: exhort-elasticache - required: true - - name: POSTGRES_SECRET - displayName: Postgres Secret - description: Name of the secret containing the Postgres settings - value: exhort-rds - required: true - - name: POSTGRES_SSLMODE - displayName: Postgres SSL Mode - description: SSL Mode for Postgres - value: 'prefer' - required: true - - name: RHTPA_DISABLED - displayName: Disable RHTPA - description: Disable RHTPA integration - value: "false" - required: true - - name: RHTPA_HOST - displayName: RHTPA Host - description: RHTPA REST API - value: https://trust.rhcloud.com/api/v2/ - required: true - - name: RHTPA_AUTH_SERVER_URL - displayName: RHTPA Auth Server URL - description: Trustify Auth Server URL - value: https://sso.redhat.com/auth/realms/redhat-external - required: true - - name: SERVICE_PORT - displayName: Service port - description: Service port - value: '8080' - required: true - - name: MANAGEMENT_PORT - displayName: Management port - description: Management port for exposing health and metrics - value: '9000' - required: true - - name: CPU_REQUEST - description: The 
minimum amount of CPU required by a container - displayName: Memory Limit - required: true - value: 100m - - name: CPU_LIMIT - description: The maximum amount of CPU the container can use. - displayName: Memory Limit - required: true - value: 500m - - name: MEMORY_REQUEST - description: The minimum amount of memory required by a container - displayName: Memory Limit - required: true - value: 512Mi - - name: MEMORY_LIMIT - description: The maximum amount of memory the container can use. - displayName: Memory Limit - required: true - value: 5120Mi - - name: ENV_NAME - value: stage - displayName: Environment (default -- stage) - description: 'Application environment' - - name: PROJECT_NAME - value: trusted-content-exhort-stage - displayName: Project name (default -- trusted-content-exhort-stage) - description: 'Project name' diff --git a/deploy/trust-da.yaml b/deploy/trust-da.yaml index be9d33fb..fa39af90 100644 --- a/deploy/trust-da.yaml +++ b/deploy/trust-da.yaml @@ -31,23 +31,7 @@ spec: cpu: "500m" env: - name: MONITORING_ENABLED - value: "true" - - name: MONITORING_SENTRY_DSN - valueFrom: - secretKeyRef: - name: trust-da-secret - key: sentry-dsn - - name: MONITORING_SENTRY_SERVERNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MONITORING_SENTRY_ENVIRONMENT - value: development - - name: TELEMETRY_WRITE_KEY - valueFrom: - secretKeyRef: - name: trust-da-secret - key: telemetry-write-key + value: "false" - name: DB_REDIS_HOST valueFrom: secretKeyRef: @@ -59,7 +43,7 @@ spec: name: trust-da-secret key: db.port - name: TRUSTIFY_HOST - value: https://trust.rhcloud.com/api/v2/ + value: http://trustify:8080/api/v2/ - name: TRUSTIFY_CLIENT_ID valueFrom: secretKeyRef: diff --git a/src/main/docker/Dockerfile.jvm b/src/main/docker/Dockerfile.jvm deleted file mode 100644 index 6e189865..00000000 --- a/src/main/docker/Dockerfile.jvm +++ /dev/null 
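Review bot: This Deployment still sets `TRUSTIFY_HOST`, `TRUSTIFY_CLIENT_ID` and `TRUSTIFY_CLIENT_SECRET`, while the second patch in this series renames the compose equivalents to `PROVIDER_TRUSTIFY_HOST`, `PROVIDER_TRUSTIFY_AUTH_CLIENT_ID` and `PROVIDER_TRUSTIFY_AUTH_CLIENT_SECRET` (the removed OpenShift template likewise used a `PROVIDER_` prefix); if the application reads the prefixed names, this manifest no longer configures the provider, so please confirm which naming the application expects and align both files. The new value `http://trustify:8080/api/v2/` also switches the provider call to plaintext, which is acceptable for an in-cluster dev namespace but presumably means bearer tokens travel unencrypted on the pod network; a short comment such as `# dev-only: plaintext in-cluster endpoint` next to it would keep the value from being copied into other overlays. The `env` list continues outside the hunk.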
@@ -1,93 +0,0 @@ -#### -# This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode -# -# Before building the container image run: -# -# ./mvnw package -# -# Then, build the image with: -# -# docker build -f src/main/docker/Dockerfile.jvm -t quarkus/dependency-analytics-jvm . -# -# Then run the container using: -# -# docker run -i --rm -p 8080:8080 quarkus/dependency-analytics-jvm -# -# If you want to include the debug port into your docker image -# you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5005 -# -# Then run the container using : -# -# docker run -i --rm -p 8080:8080 quarkus/dependency-analytics-jvm -# -# This image uses the `run-java.sh` script to run the application. -# This scripts computes the command line to execute your Java application, and -# includes memory/GC tuning. -# You can configure the behavior using the following environment properties: -# - JAVA_OPTS: JVM options passed to the `java` command (example: "-verbose:class") -# - JAVA_OPTS_APPEND: User specified Java options to be appended to generated options -# in JAVA_OPTS (example: "-Dsome.property=foo") -# - JAVA_MAX_MEM_RATIO: Is used when no `-Xmx` option is given in JAVA_OPTS. This is -# used to calculate a default maximal heap memory based on a containers restriction. -# If used in a container without any memory constraints for the container then this -# option has no effect. If there is a memory constraint then `-Xmx` is set to a ratio -# of the container available memory as set here. The default is `50` which means 50% -# of the available memory is used as an upper boundary. You can skip this mechanism by -# setting this value to `0` in which case no `-Xmx` option is added. -# - JAVA_INITIAL_MEM_RATIO: Is used when no `-Xms` option is given in JAVA_OPTS. This -# is used to calculate a default initial heap memory based on the maximum heap memory. 
-# If used in a container without any memory constraints for the container then this -# option has no effect. If there is a memory constraint then `-Xms` is set to a ratio -# of the `-Xmx` memory as set here. The default is `25` which means 25% of the `-Xmx` -# is used as the initial heap size. You can skip this mechanism by setting this value -# to `0` in which case no `-Xms` option is added (example: "25") -# - JAVA_MAX_INITIAL_MEM: Is used when no `-Xms` option is given in JAVA_OPTS. -# This is used to calculate the maximum value of the initial heap memory. If used in -# a container without any memory constraints for the container then this option has -# no effect. If there is a memory constraint then `-Xms` is limited to the value set -# here. The default is 4096MB which means the calculated value of `-Xms` never will -# be greater than 4096MB. The value of this variable is expressed in MB (example: "4096") -# - JAVA_DIAGNOSTICS: Set this to get some diagnostics information to standard output -# when things are happening. This option, if set to true, will set -# `-XX:+UnlockDiagnosticVMOptions`. Disabled by default (example: "true"). -# - JAVA_DEBUG: If set remote debugging will be switched on. Disabled by default (example: -# true"). -# - JAVA_DEBUG_PORT: Port used for remote debugging. Defaults to 5005 (example: "8787"). -# - CONTAINER_CORE_LIMIT: A calculated core limit as described in -# https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt. (example: "2") -# - CONTAINER_MAX_MEMORY: Memory limit given to the container (example: "1024"). -# - GC_MIN_HEAP_FREE_RATIO: Minimum percentage of heap free after GC to avoid expansion. -# (example: "20") -# - GC_MAX_HEAP_FREE_RATIO: Maximum percentage of heap free after GC to avoid shrinking. -# (example: "40") -# - GC_TIME_RATIO: Specifies the ratio of the time spent outside the garbage collection. 
-# (example: "4") -# - GC_ADAPTIVE_SIZE_POLICY_WEIGHT: The weighting given to the current GC time versus -# previous GC times. (example: "90") -# - GC_METASPACE_SIZE: The initial metaspace size. (example: "20") -# - GC_MAX_METASPACE_SIZE: The maximum metaspace size. (example: "100") -# - GC_CONTAINER_OPTIONS: Specify Java GC to use. The value of this variable should -# contain the necessary JRE command-line options to specify the required GC, which -# will override the default of `-XX:+UseParallelGC` (example: -XX:+UseG1GC). -# - HTTPS_PROXY: The location of the https proxy. (example: "myuser@127.0.0.1:8080") -# - HTTP_PROXY: The location of the http proxy. (example: "myuser@127.0.0.1:8080") -# - NO_PROXY: A comma separated lists of hosts, IP addresses or domains that can be -# accessed directly. (example: "foo.example.com,bar.example.com") -# -### -FROM registry.redhat.io/ubi9/openjdk-21:1.23 - -ENV LANGUAGE='en_US:en' - -# We make four distinct layers so if there are application changes the library layers can be re-used -COPY --chown=185 target/quarkus-app/lib/ /deployments/lib/ -COPY --chown=185 target/quarkus-app/*.jar /deployments/ -COPY --chown=185 target/quarkus-app/app/ /deployments/app/ -COPY --chown=185 target/quarkus-app/quarkus/ /deployments/quarkus/ - -EXPOSE 8080 -USER 185 -ENV JAVA_OPTS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" -ENV JAVA_APP_JAR="/deployments/quarkus-run.jar" - -ENTRYPOINT [ "/opt/jboss/container/java/run/run-java.sh" ] \ No newline at end of file diff --git a/src/main/docker/Dockerfile.multi-stage b/src/main/docker/Dockerfile.multi-stage index 2d806628..98e7fb54 100644 --- a/src/main/docker/Dockerfile.multi-stage +++ b/src/main/docker/Dockerfile.multi-stage 
@@ -10,7 +10,7 @@ USER quarkus WORKDIR /code RUN ./mvnw -B -Pnative org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline COPY --chown=quarkus:quarkus src /code/src -RUN ./mvnw verify -B -Dmaven.test.skip=true -Dquarkus.native.native-image-xmx=8g +RUN ./mvnw verify -B -Dmaven.test.skip=true -Pnative -Dquarkus.native.native-image-xmx=8g ## Stage 2 : create the docker final image FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6-1760515502 diff --git a/src/main/docker/Dockerfile.native b/src/main/docker/Dockerfile.native deleted file mode 100644 index 33de8e75..00000000 --- a/src/main/docker/Dockerfile.native +++ /dev/null @@ -1,27 +0,0 @@ -#### -# This Dockerfile is used in order to build a container that runs the Quarkus application in native (no JVM) mode. -# -# Before building the container image run: -# -# ./mvnw package -Pnative -# -# Then, build the image with: -# -# docker build -f src/main/docker/Dockerfile.native -t quarkus/dependency-analytics . -# -# Then run the container using: -# -# docker run -i --rm -p 8080:8080 quarkus/dependency-analytics -# -### -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6-1760515502 -WORKDIR /work/ -RUN chown 1001 /work \ - && chmod "g+rwX" /work \ - && chown 1001:root /work -COPY --chown=1001:root target/*-runner /work/application - -EXPOSE 8080 -USER 1001 - -CMD ["./application", "-Dquarkus.http.host=0.0.0.0"] diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index dc161bc9..9f753c04 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties 
@@ -71,4 +71,8 @@ quarkus.hibernate-orm.sql-load-script=no-file #branding.display.name=Trustify #branding.explore.url=https://guac.sh/trustify/ #branding.explore.title=Learn more about Trustify -#branding.explore.description=The Trustify project is a collection of software components that enables you to store and retrieve Software Bill of Materials (SBOMs), and advisory documents. \ No newline at end of file +#branding.explore.description=The Trustify project is a collection of software components that enables you to store and retrieve Software Bill of Materials (SBOMs), and advisory documents. +# Note: For native images, you can either: +# 1. Set directly: -Dquarkus.datasource.jdbc.url=jdbc:postgresql://... (overrides everything) +# 2. Use environment variables: DB_POSTGRES_HOST, DB_POSTGRES_PORT, etc. +# 3. Use custom properties: -Ddb.postgres.host=... (works in JVM mode, may need explicit profile in native) From 45ad7635e7aee3fe126cc17502c0c359c94e1346 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Tue, 4 Nov 2025 14:01:23 +0100 Subject: [PATCH 2/2] chore: simplify deployment and fix environment Signed-off-by: Ruben Romero Montes --- deploy/README-docker.md | 59 ++++++++---------------- deploy/docker-compose.application.yml | 29 ++++++------ deploy/docker-compose.infra-sso.yml | 24 ---------- deploy/docker-compose.infrastructure.yml | 10 ++-- deploy/env.example | 1 + 5 files changed, 41 insertions(+), 82 deletions(-) delete mode 100644 deploy/docker-compose.infra-sso.yml diff --git a/deploy/README-docker.md b/deploy/README-docker.md index 036d2018..0dcd09df 100644 --- a/deploy/README-docker.md +++ b/deploy/README-docker.md 
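Review bot: The three new `# Note:` lines are appended directly under the commented-out `#branding.*` entries, so they read as part of the branding section rather than of the datasource configuration they describe; they belong next to the `quarkus.datasource` / `db.postgres.*` properties they refer to (presumably elsewhere in the file, outside this hunk). Item 3, `may need explicit profile in native`, is too vague to act on; either name the profile that is required or drop the item. Adding the missing trailing newline is fine.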
@@ -2,10 +2,11 @@ This directory contains Docker Compose files for local development deployment of Trustify with its required infrastructure components. +**Note**: Replace `docker-compose` with `podman-compose` if you're using Podman instead. + ## Files - `docker-compose.infrastructure.yml` - Infrastructure services (Redis, PostgreSQL) -- `docker-compose.infra-sso.yml` - Infrastructure services (Keycloak) - `docker-compose.application.yml` - Application service (trust-da) - `env.example` - Environment variables template @@ -17,9 +18,6 @@ This directory contains Docker Compose files for local development deployment of # Start Redis, PostgreSQL, and Keycloak docker-compose -f docker-compose.infrastructure.yml up -d -# Start Keycloak -docker-compose -f docker-compose.infra-sso.yml up -d - # Check if services are healthy docker-compose -f docker-compose.infrastructure.yml ps ``` @@ -34,7 +32,13 @@ cp env.example .env nano .env ``` -### 3. Start Application +### 3. Create Network + +```bash +docker network create trustify-network +``` + +### 4. Start Application ```bash # Start the trust-da application @@ -52,7 +56,6 @@ docker-compose -f docker-compose.application.yml ps |---------|------|-------------| | Redis | 6379 | Cache and session storage | | PostgreSQL | 5432 | Database for Keycloak and application | -| Keycloak | 8080 | Identity and access management | ### Application Services @@ -64,15 +67,12 @@ docker-compose -f docker-compose.application.yml ps ## Access Points - **Application**: http://localhost:8081 -- **Keycloak Admin**: http://localhost:8080 - - Username: `admin` - - Password: `admin123` - **PostgreSQL**: localhost:5432 - Database: `trustify` - Username: `trustify` - Password: `trustify123` - **Redis**: localhost:6379 - - Password: `trustify123` + - No authentication required ## Health Checks 
@@ -82,9 +82,6 @@ All services include health checks. You can monitor them with: # Check infrastructure health docker-compose -f docker-compose.infrastructure.yml ps -# Check Keycloak health -docker-compose -f docker-compose.infra-sso.yml ps - # Check application health docker-compose -f docker-compose.application.yml ps ``` @@ -95,9 +92,6 @@ docker-compose -f docker-compose.application.yml ps # View infrastructure logs docker-compose -f docker-compose.infrastructure.yml logs -f -# View Keycloak logs -docker-compose -f docker-compose.infra-sso.yml logs -f - # View application logs docker-compose -f docker-compose.application.yml logs -f @@ -110,14 +104,11 @@ docker-compose -f docker-compose.application.yml logs -f trust-da ```bash # Stop application docker-compose -f docker-compose.application.yml down -# Stop Keycloak -docker-compose -f docker-compose.infa-sso.yml down # Stop infrastructure docker-compose -f docker-compose.infrastructure.yml down # Stop everything and remove volumes docker-compose -f docker-compose.infrastructure.yml down -v -docker-compose -f docker-compose.infra-sso.yml down docker-compose -f docker-compose.application.yml down ``` @@ -132,14 +123,22 @@ To reset all data: docker-compose -f docker-compose.infrastructure.yml down -v ``` +## Remove the network + +```bash +docker network rm trustify-network +``` + ## Environment Variables Create a `.env` file based on `env.example` to customize: +- `TRUSTIFY_HOST`: Your Trustify server host - `TRUSTIFY_CLIENT_ID`: Your Trustify client ID - `TRUSTIFY_CLIENT_SECRET`: Your Trustify client secret -- `SENTRY_DSN`: Sentry DSN for error tracking -- `TELEMETRY_WRITE_KEY`: Telemetry write key +- `TRUSTIFY_AUTH_SERVER_URL`: The Trustify SSO Server URL +- `SENTRY_DSN`: Sentry DSN for error tracking (Optional) +- `TELEMETRY_WRITE_KEY`: Telemetry write key (Optional) ## Troubleshooting 
@@ -154,21 +153,3 @@ docker-compose -f docker-compose.application.yml logs docker-compose -f docker-compose.infrastructure.yml restart docker-compose -f docker-compose.application.yml restart ``` - -### Port conflicts - -If you have port conflicts, modify the port mappings in the compose files: - -```yaml -ports: - - "8082:8080" # Change 8081 to 8082 -``` - -### Network issues - -The application uses an external network. If you encounter network issues: - -```bash -# Create the network manually -docker network create trustify-network -``` diff --git a/deploy/docker-compose.application.yml b/deploy/docker-compose.application.yml index d088b42a..aa0f0f1a 100644 --- a/deploy/docker-compose.application.yml +++ b/deploy/docker-compose.application.yml @@ -1,12 +1,12 @@ -version: '3.8' - services: trust-da: - image: trust-da:latest + image: ${TRUST_DA_IMAGE:-trust-da:latest} container_name: trustify-trust-da + env_file: + - .env ports: - - "8081:8080" # Application port - - "9001:9000" # Management port + - "8080:8080" # Application port + - "9000:9000" # Management port environment: # Monitoring MONITORING_ENABLED: "false" 
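Review bot: `env_file: - .env` makes the file mandatory: Compose aborts when a listed env file is missing, yet the README updated in this same commit still describes copying `env.example` to `.env` as optional, so a first run without that step fails before the container starts. Use the long form so a missing file is tolerated, `env_file:` / `  - path: .env` / `    required: false`, or make the README step mandatory. Note that Compose already reads `.env` from the project directory for `${...}` interpolation on its own, so this entry only adds the raw `TRUSTIFY_*` variables to the container on top of the `PROVIDER_TRUSTIFY_*` copies set under `environment:`; if that duplication is not intended, the `env_file` entry can be dropped. The service definition continues outside the hunk.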
@@ -14,17 +14,18 @@ services: # Database DB_REDIS_HOST: redis DB_REDIS_PORT: 6379 + DB_POSTGRES_HOST: postgres + DB_POSTGRES_PORT: 5432 + DB_POSTGRES_DATABASE: trustify + DB_POSTGRES_USER: trustify + DB_POSTGRES_PASSWORD: trustify123 + API_ONGUARD_DISABLED: true # Trustify - TRUSTIFY_HOST: ${TRUSTIFY_HOST:-https://rhtpa.stage.devshift.net/api/v2/} - TRUSTIFY_CLIENT_ID: ${TRUSTIFY_CLIENT_ID:-your-trustify-client-id} - TRUSTIFY_CLIENT_SECRET: ${TRUSTIFY_CLIENT_SECRET:-your-trustify-client-secret} - TRUSTIFY_AUTH_SERVER_URL: http://keycloak:8080 - depends_on: - redis: - condition: service_healthy - keycloak: - condition: service_healthy + PROVIDER_TRUSTIFY_HOST: ${TRUSTIFY_HOST:-https://trustify.example.com/api/v2/} + PROVIDER_TRUSTIFY_AUTH_CLIENT_ID: ${TRUSTIFY_CLIENT_ID:-your-trustify-client-id} + PROVIDER_TRUSTIFY_AUTH_CLIENT_SECRET: ${TRUSTIFY_CLIENT_SECRET:-your-trustify-client-secret} + PROVIDER_TRUSTIFY_AUTH_SERVER_URL: ${TRUSTIFY_AUTH_SERVER_URL:-http://sso-trustify.example.com:8090} healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9000/q/health/ready"] interval: 30s diff --git a/deploy/docker-compose.infra-sso.yml b/deploy/docker-compose.infra-sso.yml deleted file mode 100644 index 918b47d7..00000000 --- a/deploy/docker-compose.infra-sso.yml +++ /dev/null @@ -1,24 +0,0 @@ -version: '3.8' - -services: - keycloak: - image: quay.io/keycloak/keycloak:26.4 - container_name: trustify-keycloak - ports: - - "8080:8080" - environment: - KEYCLOAK_ADMIN: admin - KEYCLOAK_ADMIN_PASSWORD: admin123 - KC_DB: postgres - KC_DB_URL: jdbc:postgresql://postgres:5432/trustify - KC_DB_USERNAME: trustify - KC_DB_PASSWORD: trustify123 - command: start-dev - depends_on: - postgres: - condition: service_healthy - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"] - interval: 30s - timeout: 10s - retries: 3 diff --git a/deploy/docker-compose.infrastructure.yml b/deploy/docker-compose.infrastructure.yml index 79e08429..b1ac35d7 100644 
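Review bot: The fallback for `PROVIDER_TRUSTIFY_AUTH_SERVER_URL` is plain `http://sso-trustify.example.com:8090`, while `env.example` in the same commit sets `TRUSTIFY_AUTH_SERVER_URL=https://sso-trustify.example.com/auth/realms/trustify`; the client secret is presumably presented to that server, so the default should be `https://` and agree with the template, e.g. `PROVIDER_TRUSTIFY_AUTH_SERVER_URL: ${TRUSTIFY_AUTH_SERVER_URL:-https://sso-trustify.example.com/auth/realms/trustify}`. For the credentials, the `your-trustify-client-id`/`your-trustify-client-secret` defaults yield a container that starts but cannot authenticate; Compose's `${TRUSTIFY_CLIENT_SECRET:?TRUSTIFY_CLIENT_SECRET is not set}` form fails fast with a clear message instead. `API_ONGUARD_DISABLED: true` is an unquoted YAML boolean where the rest of this file quotes such values (`MONITORING_ENABLED: "false"`); write `API_ONGUARD_DISABLED: "true"` so it stays a string under every parser.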
--- a/deploy/docker-compose.infrastructure.yml +++ b/deploy/docker-compose.infrastructure.yml @@ -1,5 +1,3 @@ -version: '3.8' - services: redis: image: redis:8-alpine @@ -8,9 +6,6 @@ services: - "6379:6379" volumes: - redis_data:/data - environment: - - REDIS_PASSWORD=trustify123 - command: redis-server --requirepass trustify123 healthcheck: test: ["CMD", "redis-cli", "--raw", "incr", "ping"] interval: 30s @@ -37,3 +32,8 @@ services: volumes: redis_data: postgres_data: + +networks: + default: + name: trustify-network + external: true diff --git a/deploy/env.example b/deploy/env.example index 4f44a5da..ea3a79ab 100644 --- a/deploy/env.example +++ b/deploy/env.example @@ -2,3 +2,4 @@ TRUSTIFY_HOST=http://trustify.example.com/api/v2/ TRUSTIFY_CLIENT_ID=your-trustify-client-id TRUSTIFY_CLIENT_SECRET=your-trustify-client-secret +TRUSTIFY_AUTH_SERVER_URL=https://sso-trustify.example.com/auth/realms/trustify \ No newline at end of file
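Review bot: With `--requirepass` removed, Redis now accepts any command without authentication, and the unchanged `ports: - "6379:6379"` still publishes it on every host interface, so anything on the developer's network can read and write the cache. Either bind the published port to loopback, `- "127.0.0.1:6379:6379"`, or drop the `ports:` entry, since `trust-da` reaches Redis over the shared `trustify-network` and does not need the host mapping; the same applies to the Postgres `5432:5432` mapping below this hunk. The `redis` service definition continues outside the hunk.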
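Review bot: Marking the default network `external: true` here as well means neither compose file creates `trustify-network`, so `up` fails until the manual `docker network create` step from the README has been run. Since this is the file the README starts first, it could own the network instead, `networks: default: name: trustify-network` without `external: true`, leaving only `docker-compose.application.yml` to reference it as external; `down` on this file would then also remove the network, which seems in line with the "Remove the network" section added to the README. This hunk is the end of the file.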