Adds Docker image build and basic health check using docker-compose

jdrodjpl · jdrodjpl · commit 4df4d36d0a28 · 2025-05-08T09:54:35.000-07:00
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,120 @@
+name: Docker Build
+
+on:
+  push:
+    branches: [main, develop, docker_build] # Adjust branches as needed
+  pull_request:
+    branches: [main] # Adjust branches as needed
+
+permissions:
+  contents: read
+  packages: write # Needed to push images to GHCR
+
+jobs:
+  build-push-run:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract CWS Version and Define Image Tag
+        id: image_info
+        run: |
+          # Assuming utils.sh is at the repository root
+          CWS_VER=$(grep 'export CWS_VER=' utils.sh | cut -d"'" -f2)
+          # Use GitHub owner and repo name for GHCR image path (lowercase)
+          OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
+          REPO_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
+          IMAGE_NAME="ghcr.io/$OWNER_LOWER/$REPO_LOWER"
+          echo "version=$CWS_VER" >> $GITHUB_OUTPUT
+          echo "original_tag=nasa-ammos/common-workflow-service:$CWS_VER" >> $GITHUB_OUTPUT
+          echo "ghcr_tag=$IMAGE_NAME:$CWS_VER" >> $GITHUB_OUTPUT
+        working-directory: ${{ github.workspace }} # Run from repo root
+
+      - name: Build CWS Docker Image using script
+        run: |
+          chmod +x build.sh
+          # The script builds using the 'nasa-ammos/...' tag internally
+          # Execute the script directly now that we are in its directory
+          ./build.sh
+          # Explicitly check the exit code of the script
+          if [ $? -ne 0 ]; then
+            echo "::error::Docker image build script failed."
+            exit 1
+          fi
+        working-directory: install/docker/cws-image # Run from the script's directory
+
+      - name: Re-tag image for GHCR
+        run: |
+          echo "Tagging ${{ steps.image_info.outputs.original_tag }} as ${{ steps.image_info.outputs.ghcr_tag }}"
+          docker tag "${{ steps.image_info.outputs.original_tag }}" "${{ steps.image_info.outputs.ghcr_tag }}"
+
+      - name: Push Docker image to GHCR
+        run: |
+          echo "Pushing ${{ steps.image_info.outputs.ghcr_tag }}"
+          docker push "${{ steps.image_info.outputs.ghcr_tag }}"
+
+      - name: Prepare Docker Compose Environment
+        run: |
+          # Create external network required by docker-compose
+          docker network create cws-network
+          echo "Docker network 'cws-network' created"
+        working-directory: install/docker/console-db-es-ls-kibana
+
+      - name: Update image tag in docker-compose.yml
+        run: |
+          # Escape slashes in the image tag for sed
+          ESCAPED_TAG=$(echo "${{ steps.image_info.outputs.ghcr_tag }}" | sed 's/\//\\\//g')
+          echo "Updating image tag in docker-compose.yml to $ESCAPED_TAG"
+          # Target both cws and cws-worker services
+          sed -i "s/image: nasa-ammos\/common-workflow-service:.*/image: $ESCAPED_TAG/g" docker-compose.yml
+          echo "docker-compose.yml after update:"
+          cat docker-compose.yml
+        working-directory: install/docker/console-db-es-ls-kibana
+
+      - name: Start Services with Docker Compose
+        run: docker compose up -d
+        working-directory: install/docker/console-db-es-ls-kibana
+
+      - name: Verify CWS Console Startup
+        run: |
+          echo "Waiting up to 1 minute for CWS console to become healthy..." # Updated comment
+          MAX_WAIT=60 # 1 minute max wait # Updated value and comment
+          INTERVAL=15  # Check every 15 seconds
+          ELAPSED=0
+          # Use the healthcheck URL from docker-compose.yml
+          HEALTHCHECK_URL="https://localhost:38443/cws-ui/login"
+
+          while true; do
+            # Use curl's exit code to check success (-k for self-signed cert, -f to fail on server errors, -s silent, -L follow redirects)
+            if curl -kfsL --output /dev/null "$HEALTHCHECK_URL"; then
+              echo "CWS console is up and responding at $HEALTHCHECK_URL!"
+              echo "Current running containers:"
+              docker ps
+              exit 0
+            fi
+
+            if [ $ELAPSED -ge $MAX_WAIT ]; then
+              echo "CWS console did not become healthy within $MAX_WAIT seconds."
+              echo "Current running containers:"
+              docker ps
+              echo "Docker Compose logs for cws service (cws-console):"
+              docker compose logs cws
+              exit 1
+            fi
+
+            sleep $INTERVAL
+            ELAPSED=$((ELAPSED + INTERVAL))
+            echo "Still waiting for CWS console... ($ELAPSED/$MAX_WAIT seconds)"
+          done
+        working-directory: install/docker/console-db-es-ls-kibana # Ensure correct context for docker-compose logs
diff --git a/cws-certs/generate-certs-testing.sh b/cws-certs/generate-certs-testing.sh
@@ -0,0 +1,61 @@
+#! /bin/bash
+
+# This script creates certs required by CWS when run inside the container.
+
+# Define target directories within the container
+# Ensure TOMCAT_VER matches the version used in the CWS distribution
+TOMCAT_VER="9.0.75"
+TOMCAT_BASE_DIR="/home/cws_user/cws/server/apache-tomcat-${TOMCAT_VER}"
+TOMCAT_CONF_DIR="${TOMCAT_BASE_DIR}/conf"
+TOMCAT_LIB_DIR="${TOMCAT_BASE_DIR}/lib"
+KEYSTORE_FILE="${TOMCAT_CONF_DIR}/.keystore"
+TRUSTSTORE_FILE="${TOMCAT_LIB_DIR}/cws_truststore.jks"
+CERT_FILE="/tmp/cws.crt" # Temporary location for the exported cert
+PASSWORD="changeit"     # Must match the password expected by CWS/Tomcat
+
+echo "Generating CWS certificates..."
+echo "  Keystore target: ${KEYSTORE_FILE}"
+echo "  Truststore target: ${TRUSTSTORE_FILE}"
+
+# Ensure target directories exist
+mkdir -p "${TOMCAT_CONF_DIR}"
+mkdir -p "${TOMCAT_LIB_DIR}"
+
+# Create private key and self-signed certificate within the keystore at the target location
+keytool -genkey -keyalg RSA \
+        -dname "cn=cws-container, ou=CWS, o=NASA, l=Pasadena, s=CA, c=US" \
+        -alias cws \
+        -keypass "${PASSWORD}" \
+        -keystore "${KEYSTORE_FILE}" \
+        -storepass "${PASSWORD}" \
+        -storetype JKS \
+        -validity 3650 \
+        -keysize 2048
+if [ $? -ne 0 ]; then echo "ERROR: Failed to generate keystore."; exit 1; fi
+echo "  Keystore generated."
+
+# Extract self-signed certificate from keystore to a temporary file
+keytool -export -alias cws \
+        -file "${CERT_FILE}" \
+        -keystore "${KEYSTORE_FILE}" \
+        -storepass "${PASSWORD}"
+if [ $? -ne 0 ]; then echo "ERROR: Failed to export certificate."; exit 1; fi
+echo "  Certificate exported to ${CERT_FILE}."
+
+# Import self-signed certificate into truststore at the target location
+keytool -import -alias cws \
+        -file "${CERT_FILE}" \
+        -keypass "${PASSWORD}" \
+        -noprompt \
+        -keystore "${TRUSTSTORE_FILE}" \
+        -storepass "${PASSWORD}" \
+        -storetype JKS
+if [ $? -ne 0 ]; then echo "ERROR: Failed to import certificate into truststore."; exit 1; fi
+echo "  Certificate imported into truststore."
+
+# Clean up temporary certificate file
+rm -f "${CERT_FILE}"
+echo "  Temporary certificate file removed."
+
+echo "Certificate generation complete."
+exit 0
diff --git a/cws-certs/generate-certs.sh b/cws-certs/generate-certs.sh
@@ -1,16 +1,61 @@
 #! /bin/bash
 
-# the following bash script creates open-source certs required to access CWS
+# This script creates certs required by CWS when run inside the container.
 
-# create private key and self-signed certificate within a keystore
-keytool -genkey -keyalg RSA -dname "cn=cws, ou=cws, o=cws, l=cws, s=FL, c=US" -alias cws -keypass changeit -keystore .keystore -storepass changeit -storetype JKS -validity 360 -keysize 2048
+# Define target directories within the container
+# Ensure TOMCAT_VER matches the version used in the CWS distribution
+TOMCAT_VER="9.0.75"
+TOMCAT_BASE_DIR="/home/cws_user/cws/server/apache-tomcat-${TOMCAT_VER}"
+TOMCAT_CONF_DIR="${TOMCAT_BASE_DIR}/conf"
+TOMCAT_LIB_DIR="${TOMCAT_BASE_DIR}/lib"
+KEYSTORE_FILE="${TOMCAT_CONF_DIR}/.keystore"
+TRUSTSTORE_FILE="${TOMCAT_LIB_DIR}/cws_truststore.jks"
+CERT_FILE="/tmp/cws.crt" # Temporary location for the exported cert
+PASSWORD="changeit"     # Must match the password expected by CWS/Tomcat
 
-# extract self-signed certificate from keystore
-keytool -export -alias cws -file cws.crt -keystore .keystore -storepass changeit
+echo "Generating CWS certificates..."
+echo "  Keystore target: ${KEYSTORE_FILE}"
+echo "  Truststore target: ${TRUSTSTORE_FILE}"
 
-# insert self-signed certificate into truststore
-keytool -import -alias cws -file cws.crt -keypass changeit -noprompt -keystore cws_truststore.jks -storepass changeit -storetype JKS
+# Ensure target directories exist
+mkdir -p "${TOMCAT_CONF_DIR}"
+mkdir -p "${TOMCAT_LIB_DIR}"
 
-# place open-source certs in appropriate directories
-cp .keystore ../install
-cp cws_truststore.jks ../install/tomcat_lib
+# Create private key and self-signed certificate within the keystore at the target location
+keytool -genkey -keyalg RSA \
+        -dname "cn=cws-container, ou=CWS, o=NASA, l=Pasadena, s=CA, c=US" \
+        -alias cws \
+        -keypass "${PASSWORD}" \
+        -keystore "${KEYSTORE_FILE}" \
+        -storepass "${PASSWORD}" \
+        -storetype JKS \
+        -validity 3650 \
+        -keysize 2048
+if [ $? -ne 0 ]; then echo "ERROR: Failed to generate keystore."; exit 1; fi
+echo "  Keystore generated."
+
+# Extract self-signed certificate from keystore to a temporary file
+keytool -export -alias cws \
+        -file "${CERT_FILE}" \
+        -keystore "${KEYSTORE_FILE}" \
+        -storepass "${PASSWORD}"
+if [ $? -ne 0 ]; then echo "ERROR: Failed to export certificate."; exit 1; fi
+echo "  Certificate exported to ${CERT_FILE}."
+
+# Import self-signed certificate into truststore at the target location
+keytool -import -alias cws \
+        -file "${CERT_FILE}" \
+        -keypass "${PASSWORD}" \
+        -noprompt \
+        -keystore "${TRUSTSTORE_FILE}" \
+        -storepass "${PASSWORD}" \
+        -storetype JKS
+if [ $? -ne 0 ]; then echo "ERROR: Failed to import certificate into truststore."; exit 1; fi
+echo "  Certificate imported into truststore."
+
+# Clean up temporary certificate file
+rm -f "${CERT_FILE}"
+echo "  Temporary certificate file removed."
+
+echo "Certificate generation complete."
+exit 0
diff --git a/install/docker/console-db-es-ls-kibana/docker-compose.yml b/install/docker/console-db-es-ls-kibana/docker-compose.yml
@@ -126,8 +126,8 @@ services:
       timeout: 2s
       retries: 12
     volumes:
-      - ./config.properties:/home/cws_user/config.properties:ro
-      - ~/.cws/creds:/root/.cws/creds:ro
+      - ./config.properties:/home/cws_user/config.properties:rw
+      # - ~/.cws/creds:/root/.cws/creds:rw
       - console-logs-volume:/home/cws_user/cws/server/apache-tomcat-9.0.75/logs
     networks:
       - external-network
@@ -151,8 +151,8 @@ services:
       - ES_HOST=es
       - ES_PORT=9200
     volumes:
-      - ./worker-config.properties:/home/cws_user/config.properties:ro
-      - ~/.cws/creds:/root/.cws/creds:ro
+      - ./worker-config.properties:/home/cws_user/config.properties:rw
+      # - ~/.cws/creds:/root/.cws/creds:rw
       - worker1-logs-volume:/home/cws_user/cws/server/apache-tomcat-9.0.75/logs
     networks:
       - external-network
diff --git a/install/docker/cws-image/Dockerfile b/install/docker/cws-image/Dockerfile
@@ -1,7 +1,7 @@
 FROM oraclelinux:8
 
 RUN yum update -y && \
-    yum install -y mysql java-17-openjdk java-17-openjdk-devel rsync which && \
+    yum install -y mysql java-17-openjdk java-17-openjdk-devel rsync which wget tar gzip && \
     yum clean all
 
 ENV JAVA_HOME /usr/lib/jvm/java-openjdk
@@ -14,9 +14,16 @@ WORKDIR /home/cws_user
 ADD cws_server.tar.gz .
 ADD startup.sh .
 ADD wait_for_db_es_console.sh .
+ADD utils.sh /home/cws_user/utils.sh
 
 # For time check
 ADD getTime.java .
 ADD joda-time-2.1.jar .
 
+# Copy certificate generation scripts from the build context
+COPY cws-certs /opt/cws-certs
+
+RUN chmod +x /opt/cws-certs/generate-certs.sh
+RUN curl -o /home/cws_user/cws/server/logstash-8.12.0.zip https://artifacts.elastic.co/downloads/logstash/logstash-8.12.0-windows-x86_64.zip
+
 ENTRYPOINT [ "./wait_for_db_es_console.sh" ]
diff --git a/install/docker/cws-image/build.sh b/install/docker/cws-image/build.sh
@@ -1,11 +1,14 @@
 #!/usr/bin/env bash
+set -e # Exit immediately if a command exits with a non-zero status.
 
-ver='2.6.0'    # update this each CWS release
+# Get version from utils.sh
+ROOT=$(pwd)
+cd ../../.. # Change to project root
+source utils.sh # Source utils.sh from project root
+ver=$CWS_VER    # use version from utils.sh
 
 # Rebuild cws tar-ball
-ROOT=$(pwd)
-cd ../../..
-./build.sh
+./build.sh # Execute build.sh from project root
 
 cd $ROOT
 
@@ -19,13 +22,21 @@ fi
 
 cp "$CWS_PACKAGE" .
 cp ../../../cws-core/cws-core-libs/joda-time-2.1.jar .
+# Copy the certs directory from the project root into the build context
+cp -R ../../../cws-certs .
+# Copy utils.sh for setup_test_env.sh to use
+cp ../../../utils.sh .
 
 echo "Building CWS docker image.  Version = $ver"
 
 docker build -t nasa-ammos/common-workflow-service:$ver .
 
 rm cws_server.tar.gz
 rm joda-time-2.1.jar
+# Remove the copied certs directory
+rm -rf cws-certs
+# Remove the copied utils.sh
+rm utils.sh
 
 echo
 echo "Done building!"
