This service deploys as an immutable Docker image published to GitHub Container Registry (GHCR). Runtime configuration is injected through the EC2 .env file generated by GitHub Actions; private resource files are not copied into the image or bind-mounted from the host.
Deployment access:
EC2_HOSTEC2_USEREC2_SSH_KEYGHCR_USERNAMEGHCR_READ_TOKEN
Runtime image and port:
BACKEND_HTTP_PORT(optional, defaults to8080)BACKEND_MEMORY_LIMIT(optional, defaults to768m; use640mif the EC2 instance is memory constrained)BACKEND_CPU_LIMIT(optional, defaults to1.0)
Spring and database:
SPRING_APPLICATION_NAMESPRING_DATASOURCE_URL(jdbc:mysql://ontime-prod.cpoeguokwaq5.ap-northeast-2.rds.amazonaws.com:3306/ontime_prod?useSSL=true&serverTimezone=Asia/Seoul&characterEncoding=UTF-8)SPRING_DATASOURCE_USERNAME(ontimeadmin)SPRING_DATASOURCE_PASSWORD
The deploy workflow hardcodes safe production defaults for the datasource driver, JPA DDL mode, and Flyway:
SPRING_DATASOURCE_DRIVER_CLASS_NAME=com.mysql.cj.jdbc.DriverSPRING_JPA_HIBERNATE_DDL_AUTO=validateSPRING_FLYWAY_ENABLED=trueSPRING_FLYWAY_BASELINE_ON_MIGRATE=false
It also fails before restart if the datasource URL does not point to an RDS MySQL endpoint using the ontime_prod database, or if EC2 cannot reach RDS on 3306.
Authentication and OAuth:
JWT_SECRETKEYJWT_ACCESS_EXPIRATIONJWT_REFRESH_EXPIRATIONJWT_ACCESS_HEADERJWT_REFRESH_HEADERGOOGLE_WEB_CLIENT_IDGOOGLE_APP_CLIENT_IDSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_CLIENT_SECRETSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_SCOPESPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_REDIRECT_URISPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_AUTHORIZATION_GRANT_TYPESPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_CLIENT_NAMESPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_AUTHORIZATION_URISPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_TOKEN_URISPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_USER_INFO_URISPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_USER_NAME_ATTRIBUTESPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_CLIENT_IDSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_SCOPESPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_REDIRECT_URISPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_AUTHORIZATION_GRANT_TYPESPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KAKAO_CLIENT_NAMESPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_AUTHORIZATION_URISPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_TOKEN_URISPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_USER_INFO_URISPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KAKAO_USER_NAME_ATTRIBUTEAPPLE_CLIENT_IDAPPLE_TEAM_IDAPPLE_LOGIN_KEYAPPLE_PRIVATE_KEY_BASE64FEATURE_APPLE_LOGIN_ENABLED(optional, defaults totrue)
Firebase:
FIREBASE_CREDENTIALS_BASE64
Set the base64 secrets from the ignored local credential files:
base64 -i ontime-back/src/main/resources/ontime-c63f1-firebase-adminsdk-fbsvc-a043cdc829.json | tr -d '\n' | gh secret set FIREBASE_CREDENTIALS_BASE64 --repo DevKor-github/OnTime-backbase64 -i ontime-back/src/main/resources/key/AuthKey_743M7R5W3W.p8 | tr -d '\n' | gh secret set APPLE_PRIVATE_KEY_BASE64 --repo DevKor-github/OnTime-backPush to the main branch, or run .github/workflows/deploy.yml manually, to deploy production.
Pushes to dev run CI only. There is no dev-server deploy workflow in the one-EC2 plan.
The workflow:
- Builds
ontime-back/Dockerfilefrom theontime-back/context. - Pushes two GHCR tags:
ghcr.io/devkor-github/ontime-back:<commit-sha>ghcr.io/devkor-github/ontime-back:deploy-latest
- Uploads
docker-compose.ymlto/home/ubuntu/OnTime-back. - Writes
/home/ubuntu/OnTime-back/.envfrom GitHub secrets. - Verifies EC2 can reach private RDS on
3306. - Runs
docker compose pull && docker compose up -d --remove-orphans. - Waits until the
ontime-containerDocker health status ishealthy.
The production image exposes a Docker healthcheck against:
/actuator/health/readiness
Manual checks on EC2:
cd /home/ubuntu/OnTime-back
sudo docker compose ps
sudo docker inspect -f '{{.State.Health.Status}}' ontime-container
curl -fsS http://localhost:8080/actuator/health/readiness
nc -zv ontime-prod.cpoeguokwaq5.ap-northeast-2.rds.amazonaws.com 3306Every deploy is tagged by commit SHA. To roll back, set IMAGE_TAG in /home/ubuntu/OnTime-back/.env to the previous known-good SHA, then restart from the existing Compose file:
cd /home/ubuntu/OnTime-back
sudo docker compose pull
sudo docker compose up -d --remove-orphans
sudo docker inspect -f '{{.State.Health.Status}}' ontime-containerKeep the previous SHA in the release notes or GitHub Actions deploy history so rollback does not depend on deploy-latest.