KNOX-3256: Refactor Docker build to use local Maven artifacts and unify CI/Dev workflows

.dockerignore

@@ -0,0 +1,32 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+# Ignore all files by default to reduce build context size and protect secrets.
+*
+
+# Allow the target directory and its subdirectories for the required artifacts.
+!target/
+!target/*/
+!target/*/knox-*.tar.gz
+!target/*/knoxshell-*.tar.gz
+
+# Allow the build workflow configurations and scripts.
+!.github/
+!.github/workflows/
+!.github/workflows/build/
+!.github/workflows/build/**

.github/workflows/build/Dockerfile

@@ -19,31 +19,34 @@ MAINTAINER moresandeep
 
 RUN useradd -ms /bin/bash gateway
 
-# Create directories
-RUN mkdir /knox-runtime
-RUN mkdir /knox-runtime/knoxshell
-
-# Copy artifacts
-COPY knox-temp-artifacts /knox-temp-artifacts-staging
-COPY knoxshell-temp-artifacts /knoxshell-temp-artifacts-staging
-
-# Move runtime to new location
-RUN mv /knox-temp-artifacts-staging/*/* /knox-runtime/ && \
-    mv /knoxshell-temp-artifacts-staging/*/* /knox-runtime/knoxshell/ && \
-    rm -rf /knox-temp-artifacts-staging /knoxshell-temp-artifacts-staging
-
-# Add configuration
-ADD master /knox-runtime/data/security/master
-ADD gateway-site.xml /knox-runtime/conf/gateway-site.xml
-ADD conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
-ADD conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
-ADD conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
-
-ADD conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
+# Create temporary directories for extraction
+RUN mkdir -p /tmp/knox-artifacts /tmp/knoxshell-artifacts /knox-runtime /knoxshell /knox-runtime/knoxshell
+
+# Copy pre-built tarballs from the local target directory
+# In CI, these are built in the previous step.
+# Locally, these are built by the developer.
+COPY target/*/knox-*.tar.gz /tmp/knox-artifacts/
+COPY target/*/knoxshell-*.tar.gz /tmp/knoxshell-artifacts/
+
+# Extract and move to runtime location
+RUN tar -xvzf /tmp/knox-artifacts/knox-*.tar.gz -C /tmp/knox-artifacts/ && \
+    tar -xvzf /tmp/knoxshell-artifacts/knoxshell-*.tar.gz -C /tmp/knoxshell-artifacts/ && \
+    mv /tmp/knox-artifacts/knox-*/* /knox-runtime/ && \
+    mv /tmp/knoxshell-artifacts/knoxshell-*/* /knox-runtime/knoxshell/ && \
+    rm -rf /tmp/knox-artifacts /tmp/knoxshell-artifacts
+
+# Master secret, configuration and topologies
+ADD .github/workflows/build/master /knox-runtime/data/security/master
+ADD .github/workflows/build/gateway-site.xml /knox-runtime/conf/gateway-site.xml
+ADD .github/workflows/build/conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
+ADD .github/workflows/build/conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
+ADD .github/workflows/build/conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
+ADD .github/workflows/build/conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
 
 RUN chown -R gateway /knox-runtime/
 
-ADD ldap.sh /ldap.sh
-ADD gateway.sh /gateway.sh
+ADD .github/workflows/build/ldap.sh /ldap.sh
+ADD .github/workflows/build/gateway.sh /gateway.sh
 
-RUN chmod +x /ldap.sh /gateway.sh
+RUN chmod +x /ldap.sh
+RUN chmod +x /gateway.sh

.github/workflows/compose/docker-compose.yml

@@ -8,35 +8,26 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 # <p>
 # Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 services:
   knox-dev:
     build:
-      context: ../build
-      dockerfile: Dockerfile
-    image: apache/knox-dev:master
-
-  knox-dev-local:
-    build:
-      context: ../build
-      dockerfile: Dockerfile.local
-      args:
-        knoxurl: ${knoxurl:-https://github.com/apache/knox.git}
-        branch: ${branch:-master}
-    image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}
+      context: ../../../
+      dockerfile: .github/workflows/build/Dockerfile
+    image: apache/knox-dev:${IMAGE_TAG:-master}
 
   ldap:
-    image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}
+    image: apache/knox-dev:${IMAGE_TAG:-master}
     command: /ldap.sh
     depends_on:
-      - knox-dev-local
+      - knox-dev
 
   knox:
-    image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}
+    image: apache/knox-dev:${IMAGE_TAG:-master}
     command: /gateway.sh
     volumes:
 #      - ./topologies:/knox-runtime/conf/topologies
@@ -59,5 +50,3 @@ services:
       && pytest --junitxml=test-results.xml"
     depends_on:
       - knox
-
-

.github/workflows/tests.yml

@@ -30,10 +30,6 @@ jobs:
       checks: write
       pull-requests: write
 
-    env:
-      KNOX_URL: "https://github.com/apache/knox.git"
-      BRANCH: "${{ github.head_ref }}"  # PR branch being tested
-
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -54,20 +50,11 @@ jobs:
           -Dshellcheck.skip=true -Dxml.skip=true \
           -s .github/workflows/build/settings.xml
 
-      - name: Extract Artifacts
-        run: |
-          mkdir -p .github/workflows/build/knox-temp-artifacts .github/workflows/build/knoxshell-temp-artifacts
-          # Extract artifacts to the build directory where Dockerfile expects them
-          tar -xvzf target/*/knox-*.tar.gz -C .github/workflows/build/knox-temp-artifacts
-          tar -xvzf target/*/knoxshell-*.tar.gz -C .github/workflows/build/knoxshell-temp-artifacts
-
       - name: Set up Docker Compose
         run: docker compose version
 
       - name: Build Docker Images
         run: |
-          export knoxurl=${KNOX_URL}
-          export branch=${BRANCH:-master}
           # Build only knox-dev which is the runtime image using artifacts
           docker compose -f ./.github/workflows/compose/docker-compose.yml build knox-dev
 
@@ -99,7 +86,7 @@ jobs:
         if: always()
         run: |
           docker compose -f ./.github/workflows/compose/docker-compose.yml down --volumes
-          IMAGE_TAG="local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}"
-          if docker image inspect "apache/knox-dev:$IMAGE_TAG" >/dev/null 2>&1; then
-            docker rmi "apache/knox-dev:$IMAGE_TAG"
+          TAG=${IMAGE_TAG:-master}
+          if docker image inspect "apache/knox-dev:$TAG" >/dev/null 2>&1; then
+            docker rmi "apache/knox-dev:$TAG"
           fi