diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000000..45964f0d96
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,32 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+# Ignore all files by default to reduce build context size and protect secrets.
+*
+
+# Allow the target directory and its subdirectories for the required artifacts.
+!target/
+!target/*/
+!target/*/knox-*.tar.gz
+!target/*/knoxshell-*.tar.gz
+
+# Allow the build workflow configurations and scripts.
+!.github/
+!.github/workflows/
+!.github/workflows/build/
+!.github/workflows/build/**
diff --git a/.github/workflows/build/Dockerfile b/.github/workflows/build/Dockerfile
index 441cf1ba43..68e6d6dd24 100644
--- a/.github/workflows/build/Dockerfile
+++ b/.github/workflows/build/Dockerfile
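Review bot: The final `!.github/workflows/build/**` rule re-includes the entire build directory, which is wider than what the Dockerfile in this commit reads from it (`master`, `gateway-site.xml`, `conf/topologies/*.xml`, `ldap.sh`, `gateway.sh`); anything else lying there on a developer checkout — for instance the `knox-temp-artifacts`/`knoxshell-temp-artifacts` directories the removed tests.yml step used to create — would presumably be sent in the build context too. Listing the consumed files explicitly, e.g. `!.github/workflows/build/master` and `!.github/workflows/build/conf/topologies/*.xml`, keeps the context as tight as the comment on `*` promises. The two tarball rules do not overlap, since `knox-*` requires the literal `knox-` prefix.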
@@ -19,31 +19,34 @@ MAINTAINER moresandeep
 
 RUN useradd -ms /bin/bash gateway
 
-# Create directories
-RUN mkdir /knox-runtime
-RUN mkdir /knox-runtime/knoxshell
-
-# Copy artifacts
-COPY knox-temp-artifacts /knox-temp-artifacts-staging
-COPY knoxshell-temp-artifacts /knoxshell-temp-artifacts-staging
-
-# Move runtime to new location
-RUN mv /knox-temp-artifacts-staging/*/* /knox-runtime/ && \
- mv /knoxshell-temp-artifacts-staging/*/* /knox-runtime/knoxshell/ && \
- rm -rf /knox-temp-artifacts-staging /knoxshell-temp-artifacts-staging
-
-# Add configuration
-ADD master /knox-runtime/data/security/master
-ADD gateway-site.xml /knox-runtime/conf/gateway-site.xml
-ADD conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
-ADD conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
-ADD conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
-
-ADD conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
+# Create temporary directories for extraction
+RUN mkdir -p /tmp/knox-artifacts /tmp/knoxshell-artifacts /knox-runtime /knoxshell /knox-runtime/knoxshell
+
+# Copy pre-built tarballs from the local target directory
+# In CI, these are built in the previous step.
+# Locally, these are built by the developer.
+COPY target/*/knox-*.tar.gz /tmp/knox-artifacts/
+COPY target/*/knoxshell-*.tar.gz /tmp/knoxshell-artifacts/
+
+# Extract and move to runtime location
+RUN tar -xvzf /tmp/knox-artifacts/knox-*.tar.gz -C /tmp/knox-artifacts/ && \
+ tar -xvzf /tmp/knoxshell-artifacts/knoxshell-*.tar.gz -C /tmp/knoxshell-artifacts/ && \
+ mv /tmp/knox-artifacts/knox-*/* /knox-runtime/ && \
+ mv /tmp/knoxshell-artifacts/knoxshell-*/* /knox-runtime/knoxshell/ && \
+ rm -rf /tmp/knox-artifacts /tmp/knoxshell-artifacts
+
+# Master secret, configuration and topologies
+ADD .github/workflows/build/master /knox-runtime/data/security/master
+ADD .github/workflows/build/gateway-site.xml /knox-runtime/conf/gateway-site.xml
+ADD .github/workflows/build/conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
+ADD .github/workflows/build/conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
+ADD .github/workflows/build/conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
+ADD .github/workflows/build/conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
 
 RUN chown -R gateway /knox-runtime/
 
-ADD ldap.sh /ldap.sh
-ADD gateway.sh /gateway.sh
+ADD .github/workflows/build/ldap.sh /ldap.sh
+ADD .github/workflows/build/gateway.sh /gateway.sh
 
-RUN chmod +x /ldap.sh /gateway.sh
+RUN chmod +x /ldap.sh
+RUN chmod +x /gateway.sh
diff --git a/.github/workflows/build/Dockerfile.local b/.github/workflows/build/Dockerfile.local
deleted file mode 100644
index 73e1c9bfe8..0000000000
--- a/.github/workflows/build/Dockerfile.local
+++ /dev/null
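Review bot: The rewritten `ADD` lines copy plain local files, so `COPY` is the explicit choice (hadolint DL3020), and the standalone `RUN chown -R gateway /knox-runtime/` that follows re-writes every extracted and added file into a second layer. Folding the ownership change into the extraction step (`… && rm -rf /tmp/knox-artifacts /tmp/knoxshell-artifacts && chown -R gateway /knox-runtime/`) and using `COPY --chown=gateway` for the six configuration files would drop that layer; the two new `RUN chmod +x` lines could likewise be one line, or `COPY --chmod=755` on the two script copies. `mkdir -p … /knoxshell` also creates a top-level `/knoxshell` that nothing else in this hunk uses, presumably carried over from the deleted Dockerfile.local. The `master` secret still lands in an image layer via the same ADD as before, so a comment on that line stating that the image is for CI/dev use only is worth adding if the workflow does not already say so.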
@@ -1,75 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM maven:3.9.9-eclipse-temurin-17
-
-MAINTAINER moresandeep
-
-# Install dependencies
-RUN apt-get update
-
-RUN apt-get install -y git
-
-RUN useradd -ms /bin/bash gateway
-
-# Clone our dev branch
-ARG knoxurl
-ARG branch
-
-RUN git clone -b $branch $knoxurl knox
-
-RUN mkdir /knox/knox-temp-artifacts
-RUN mkdir /knox/knoxshell-temp-artifacts
-
-# Update maven settings to ignore jcenter repo
-#ADD settings.xml /home/gateway/.m2/settings.xml
-#RUN mv /home/gateway/.m2/settings.xml ~/.m2/settings.xml
-ADD settings.xml /usr/share/maven/ref/
-
-# Skipping tests here for faster turnaround.
-RUN cd knox && mvn -settings /usr/share/maven/ref/settings.xml clean -Ppackage,release install -Dforbiddenapis.skip=true -Denforcer.skip -Dpmd.failOnViolation=false -DskipTests=true -Dcheckstyle.skip=true -Dspotbugs.skip=true -Dpmd.skip=true -Drat.skip -DskipTests && tar -xvzf target/*/knox-*.tar.gz -C knox-temp-artifacts && tar -xvzf /knox/target/*/knoxshell-*.tar.gz -C knoxshell-temp-artifacts
-
-# move runtime to new location
-# See https://github.com/docker/compose/issues/4581#issuecomment-321386605
-# for KnoxShell dance
-RUN mkdir /knox-runtime
-RUN mkdir /knoxshell
-RUN mkdir /knox-runtime/knoxshell
-RUN mv /knox/knox-temp-artifacts/*/* /knox-runtime
-RUN mv /knox/knoxshell-temp-artifacts/*/* /knox-runtime/knoxshell
-
-# delete build artifacts
-RUN rm -rf /knox
-
-ADD master /knox-runtime/data/security/master
-# Enable websockets
-ADD gateway-site.xml /knox-runtime/conf/gateway-site.xml
-ADD conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
-ADD conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
-ADD conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
-ADD conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
-
-
-RUN chown -R gateway /knox-runtime/
-
-# Cleanup
-RUN rm -rf /home/gateway/.m2/repository
-
-ADD ldap.sh /ldap.sh
-ADD gateway.sh /gateway.sh
-
-RUN chmod +x /ldap.sh
-RUN chmod +x /gateway.sh
-
diff --git a/.github/workflows/compose/docker-compose.yml b/.github/workflows/compose/docker-compose.yml
index 3aa1798edc..e03e90e5a0 100644
--- a/.github/workflows/compose/docker-compose.yml
+++ b/.github/workflows/compose/docker-compose.yml
@@ -8,35 +8,26 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 #

# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations under -# the License. +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. services: knox-dev: build: - context: ../build - dockerfile: Dockerfile - image: apache/knox-dev:master - - knox-dev-local: - build: - context: ../build - dockerfile: Dockerfile.local - args: - knoxurl: ${knoxurl:-https://github.com/apache/knox.git} - branch: ${branch:-master} - image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local} + context: ../../../ + dockerfile: .github/workflows/build/Dockerfile + image: apache/knox-dev:${IMAGE_TAG:-master} ldap: - image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local} + image: apache/knox-dev:${IMAGE_TAG:-master} command: /ldap.sh depends_on: - - knox-dev-local + - knox-dev knox: - image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local} + image: apache/knox-dev:${IMAGE_TAG:-master} command: /gateway.sh volumes: # - ./topologies:/knox-runtime/conf/topologies @@ -59,5 +50,3 @@ services: && pytest --junitxml=test-results.xml" depends_on: - knox - - diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 4f90c4a379..bb91ae7658 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -30,10 +30,6 @@ jobs: checks: write pull-requests: write - env: - KNOX_URL: "https://github.com/apache/knox.git" - BRANCH: "${{ github.head_ref }}" # PR branch being tested - steps: - name: Checkout Repository uses: actions/checkout@v4 
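Review bot: `image: apache/knox-dev:${IMAGE_TAG:-master}` defaults all three services to one fixed `master` tag, whereas the removed `local-${GITHUB_RUN_ID:-local}-…` tag was unique per CI run; nothing visible in this diff sets `IMAGE_TAG`, so concurrent jobs on a shared runner would build, run and — in the tests.yml cleanup step (`docker rmi "apache/knox-dev:$TAG"`) — delete the same image, and a `docker compose up` of `ldap`/`knox` without a prior build would fall back to pulling `apache/knox-dev:master` from the registry. If the workflow does not export it elsewhere, setting `IMAGE_TAG: local-${{ github.run_id }}` in the job's `env:` restores per-run isolation while keeping the simpler compose file. The same default appears in the tests.yml cleanup hunk at the end of this diff.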
@@ -54,20 +50,11 @@ jobs: -Dshellcheck.skip=true -Dxml.skip=true \ -s .github/workflows/build/settings.xml - - name: Extract Artifacts - run: | - mkdir -p .github/workflows/build/knox-temp-artifacts .github/workflows/build/knoxshell-temp-artifacts - # Extract artifacts to the build directory where Dockerfile expects them - tar -xvzf target/*/knox-*.tar.gz -C .github/workflows/build/knox-temp-artifacts - tar -xvzf target/*/knoxshell-*.tar.gz -C .github/workflows/build/knoxshell-temp-artifacts - - name: Set up Docker Compose run: docker compose version - name: Build Docker Images run: | - export knoxurl=${KNOX_URL} - export branch=${BRANCH:-master} # Build only knox-dev which is the runtime image using artifacts docker compose -f ./.github/workflows/compose/docker-compose.yml build knox-dev @@ -99,7 +86,7 @@ jobs: if: always() run: | docker compose -f ./.github/workflows/compose/docker-compose.yml down --volumes - IMAGE_TAG="local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}" - if docker image inspect "apache/knox-dev:$IMAGE_TAG" >/dev/null 2>&1; then - docker rmi "apache/knox-dev:$IMAGE_TAG" + TAG=${IMAGE_TAG:-master} + if docker image inspect "apache/knox-dev:$TAG" >/dev/null 2>&1; then + docker rmi "apache/knox-dev:$TAG" fi