From 4da414c5508944371d19649cced24abc124830f8 Mon Sep 17 00:00:00 2001
From: Jesse Jaara <jesse.jaara@vincit.fi>
Date: Wed, 18 Feb 2026 19:31:27 +0200
Subject: [PATCH] Fix Docker file

* Removed `applicationinsights.json` from `.gitignore` as that
  prevents docker from finding that file, as docker reads and respects
  `.gitignore`.
* Fixed file permissions:
  - Only script files should be executable.
  - No file should be writable.
  - Files should be readable.
* Fixed `HEALTHCHECK`. The Ubuntu base image used by our
  `eclipse-temurin` Docker base image, does not provide `curl` or
  any other alterntives. Instead of installing `curl` and polluting
  the image with APT cache stuff, a simple custom Java based applet is
  used to check the status. This allows us to in the future to also
  switch to completely distroless base images.
---
 .dockerignore |  1 +
 Dockerfile    | 13 ++++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 94c9b58..9d9c2db 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -6,3 +6,4 @@
 !/profiles
 !/pom.xml
 !/read-secrets.sh
+!/applicationinsights.json
diff --git a/Dockerfile b/Dockerfile
index 2fcce60..c2a2ba3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,13 +22,16 @@ ARG APPINSIGHTS_VERSION=3.7.7
 # expose server port
 EXPOSE 8080
 
-# download script for reading docker secrets
-ADD --chmod=755 https://raw.githubusercontent.com/HSLdevcom/jore4-tools/main/docker/read-secrets.sh /app/scripts/read-secrets.sh
+# Download script for reading docker secrets
+ADD --chmod=555 https://raw.githubusercontent.com/HSLdevcom/jore4-tools/main/docker/read-secrets.sh /app/scripts/read-secrets.sh
+
+# Downaload a Java applet to perform HEALTHCHECK with
+ADD --chmod=444 https://raw.githubusercontent.com/HSLdevcom/jore4-tools/main/docker/HealhtCheck.jar /app/scripts/HealhtCheck.jar
 
 # Connection string is provided as env in Kubernetes by secrets manager
 # it should not be provided for other environments (local etc)
-ADD --chmod=755 https://github.com/microsoft/ApplicationInsights-Java/releases/download/${APPINSIGHTS_VERSION}/applicationinsights-agent-${APPINSIGHTS_VERSION}.jar /usr/src/jore4-auth/applicationinsights-agent.jar
-COPY --chmod=755 ./applicationinsights.json /usr/src/jore4-auth/applicationinsights.json
+ADD --chmod=444 https://github.com/microsoft/ApplicationInsights-Java/releases/download/${APPINSIGHTS_VERSION}/applicationinsights-agent-${APPINSIGHTS_VERSION}.jar /usr/src/jore4-auth/applicationinsights-agent.jar
+COPY --chmod=444 ./applicationinsights.json /usr/src/jore4-auth/applicationinsights.json
 
 # copy over compiled jar
 COPY --from=builder /build/target/*.jar /usr/src/jore4-auth/auth-backend.jar
@@ -37,4 +40,4 @@ COPY --from=builder /build/target/*.jar /usr/src/jore4-auth/auth-backend.jar
 CMD ["/bin/bash", "-c", "source /app/scripts/read-secrets.sh && java -javaagent:/usr/src/jore4-auth/applicationinsights-agent.jar -jar /usr/src/jore4-auth/auth-backend.jar"]
 
 HEALTHCHECK --interval=1m --timeout=5s \
-  CMD curl --fail http://localhost:8080/actuator/health
+  CMD ["java", "-jar", "/app/scripts/HealhtCheck.jar"]