docker/runtime-loader/README.md

# cameleer-runtime-loader

Init container that fetches the deployable JAR into a shared volume before the
main runtime container starts. The image is consumed by
`DockerRuntimeOrchestrator` in the **cameleer-server** repo as a tenant
sidecar — see that repo's `.claude/rules/docker-orchestration.md`
("Init-Container Loader Pattern") for the contract.

## Build

CI (`.gitea/workflows/ci.yml`, `docker` job, "Build and push runtime-loader
image" step) builds and pushes this image on every main / feature-branch
push. Manual build for local testing:

    docker build -t registry.cameleer.io/cameleer/cameleer-runtime-loader:<tag> .
    docker push registry.cameleer.io/cameleer/cameleer-runtime-loader:<tag>

## Contract (consumed by cameleer-server)

- Env: `ARTIFACT_URL` (signed download URL), `ARTIFACT_EXPECTED_SIZE` (bytes).
- Volume: writes `/app/jars/app.jar`.
- Exit 0 on success; non-zero on fetch/size failure.
- Runs as UID 1000 (loader user), drops all caps, read-only rootfs except `/app/jars`.

Contract regression coverage lives on the cameleer-server side
(`LoaderHardeningIT`); pulls the published `:latest` and asserts exit 0
under the orchestrator's hardening shape. Don't change the env vars,
mount path, or exit-code semantics without updating the cameleer-server
side in the same change.
feat(ci): build and push cameleer-runtime-loader image Move the init-container loader image build from cameleer-server CI into this repo so all sidecar/infra image builds (runtime-base, postgres, clickhouse, traefik, logto, and now runtime-loader) live in one place. The loader is consumed by cameleer-server's DockerRuntimeOrchestrator as a per-replica init container that fetches the tenant JAR from a signed URL into a named volume before the main container starts. Source + Dockerfile copied verbatim from cameleer-server@c2efb7fb (the image with the volume-permission fix). The published tag path is unchanged (gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running tenant servers continue pulling the same image. Build step matches the runtime-base/postgres/clickhouse/traefik pattern (unconditional rebuild on every push, sha + branch tags, --provenance=false for Gitea). cameleer-server will follow up with a commit removing its loader-build step and switching its LoaderHardeningIT to pull the published image instead of building from a local Dockerfile. 2026-04-28 13:00:23 +02:00			`# cameleer-runtime-loader`

			`Init container that fetches the deployable JAR into a shared volume before the`
			`main runtime container starts. The image is consumed by`
			`DockerRuntimeOrchestrator` in the cameleer-server repo as a tenant
			sidecar — see that repo's `.claude/rules/docker-orchestration.md`
			`("Init-Container Loader Pattern") for the contract.`

			`## Build`

			CI (`.gitea/workflows/ci.yml`, `docker` job, "Build and push runtime-loader
			`image" step) builds and pushes this image on every main / feature-branch`
			`push. Manual build for local testing:`

refactor: rebrand from net.siegeln to io.cameleer Institutionalize the product identity ahead of public release: - Java package: net.siegeln.cameleer.saas → io.cameleer.saas (109 files) - Maven groupId: net.siegeln.cameleer → io.cameleer - Public image defaults: gitea.siegeln.net/cameleer/ → registry.cameleer.io/cameleer/ - Updated docs (architecture, user-manual, HOWTO, runtime-loader README) - Updated CLAUDE.md path references Internal build infra (CI workflows, .gitmodules, npm registry, Maven repo) intentionally kept at gitea.siegeln.net — code stays on internal Gitea. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-28 16:26:34 +02:00			`docker build -t registry.cameleer.io/cameleer/cameleer-runtime-loader:<tag> .`
			`docker push registry.cameleer.io/cameleer/cameleer-runtime-loader:<tag>`
feat(ci): build and push cameleer-runtime-loader image Move the init-container loader image build from cameleer-server CI into this repo so all sidecar/infra image builds (runtime-base, postgres, clickhouse, traefik, logto, and now runtime-loader) live in one place. The loader is consumed by cameleer-server's DockerRuntimeOrchestrator as a per-replica init container that fetches the tenant JAR from a signed URL into a named volume before the main container starts. Source + Dockerfile copied verbatim from cameleer-server@c2efb7fb (the image with the volume-permission fix). The published tag path is unchanged (gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running tenant servers continue pulling the same image. Build step matches the runtime-base/postgres/clickhouse/traefik pattern (unconditional rebuild on every push, sha + branch tags, --provenance=false for Gitea). cameleer-server will follow up with a commit removing its loader-build step and switching its LoaderHardeningIT to pull the published image instead of building from a local Dockerfile. 2026-04-28 13:00:23 +02:00
			`## Contract (consumed by cameleer-server)`

			- Env: `ARTIFACT_URL` (signed download URL), `ARTIFACT_EXPECTED_SIZE` (bytes).
			- Volume: writes `/app/jars/app.jar`.
			`- Exit 0 on success; non-zero on fetch/size failure.`
			- Runs as UID 1000 (loader user), drops all caps, read-only rootfs except `/app/jars`.

			`Contract regression coverage lives on the cameleer-server side`
			(`LoaderHardeningIT`); pulls the published `:latest` and asserts exit 0
			`under the orchestrator's hardening shape. Don't change the env vars,`
			`mount path, or exit-code semantics without updating the cameleer-server`
			`side in the same change.`