Add docker build for java-spiffe-helper container (spiffe#187)

* Add docker build for java-spiffe-helper container

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Adopt JDK has been deprecated in favor of temurin

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Push image after build

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Remove build on pull request and fix image tag

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Set user non-root, add separate stage for gradle dependencies and version to gradle properties

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Fix entrypoint

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Add example config and default container command

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Revert changes to gradle workflow and rename container build workflow

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Pin gradle builder image version

Co-authored-by: Ryan Turner <[email protected]>
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Add buildx action

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Use github variable in image tag

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Add Qemu

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Login before push

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Adopt JDK has been deprecated in favor of temurin

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Remove build on pull request and fix image tag

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Revert changes to gradle workflow and rename container build workflow

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Use new properties example file

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

* Minor improvements according to PR comments

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>

---------

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
Co-authored-by: Ryan Turner <[email protected]>

.dockerignore

@@ -0,0 +1,110 @@
+### Java template
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+replay_pid*
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+# GitHub
+.github
+
+# Git
+.git

.github/workflows/docker.yml

@@ -0,0 +1,34 @@
+name: container build
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - run: echo "DOCKER_TAG=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
+      - name: Publish java-spiffe-helper
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ github.repository }}-helper:${{ env.DOCKER_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile

@@ -0,0 +1,15 @@
+FROM gradle:8.5.0-jdk17 AS builder
+COPY --chown=gradle:gradle . /builder
+WORKDIR /builder
+RUN gradle dependencies
+RUN gradle java-spiffe-helper:assemble -ParchiveClassifier=docker -Pversion=docker
+
+FROM eclipse-temurin:17-jre AS runner
+COPY --chown=nobody:nobody \
+  conf/java-spiffe-helper.properties /app/java-spiffe-helper.properties
+COPY --from=builder \
+  --chown=nobody:nobody \
+  /builder/java-spiffe-helper/build/libs/java-spiffe-helper-docker-docker.jar /app/java-spiffe-helper.jar
+USER nobody
+ENTRYPOINT ["java", "-jar", "/app/java-spiffe-helper.jar"]
+CMD ["--config", "/app/java-spiffe-helper.properties"]

build.gradle

@@ -12,7 +12,7 @@ allprojects {
 
 subprojects {
     group = 'io.spiffe'
-    version = '0.8.4'
+    version = project.version
 
     ext {
         grpcVersion = '1.61.1'

gradle.properties

@@ -0,0 +1 @@
+version=0.8.4

java-spiffe-helper/build.gradle

@@ -10,7 +10,7 @@ assemble.dependsOn shadowJar
 
 shadowJar {
     mergeServiceFiles()
-    archiveClassifier = osdetector.classifier
+    archiveClassifier = project.hasProperty('archiveClassifier') && project.archiveClassifier != "" ? project.archiveClassifier : osdetector.classifier
     manifest {
         attributes 'Main-Class': 'io.spiffe.helper.cli.Runner'
     }

java-spiffe-helper/gradle.properties

@@ -0,0 +1 @@
+archiveClassifier=