docker/runtime-loader/README.md

# cameleer-runtime-loader

Init container that fetches the deployable JAR into a shared volume before the
main runtime container starts. The image is consumed by
`DockerRuntimeOrchestrator` in the **cameleer-server** repo as a tenant
sidecar — see that repo's `.claude/rules/docker-orchestration.md`
("Init-Container Loader Pattern") for the contract.

## Build

CI (`.gitea/workflows/ci.yml`, `docker` job, "Build and push runtime-loader
image" step) builds and pushes this image on every main / feature-branch
push. Manual build for local testing:

    docker build -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag> .
    docker push gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag>

## Contract (consumed by cameleer-server)

- Env: `ARTIFACT_URL` (signed download URL), `ARTIFACT_EXPECTED_SIZE` (bytes).
- Volume: writes `/app/jars/app.jar`.
- Exit 0 on success; non-zero on fetch/size failure.
- Runs as UID 1000 (loader user), drops all caps, read-only rootfs except `/app/jars`.

Contract regression coverage lives on the cameleer-server side
(`LoaderHardeningIT`); pulls the published `:latest` and asserts exit 0
under the orchestrator's hardening shape. Don't change the env vars,
mount path, or exit-code semantics without updating the cameleer-server
side in the same change.
feat(ci): build and push cameleer-runtime-loader image Move the init-container loader image build from cameleer-server CI into this repo so all sidecar/infra image builds (runtime-base, postgres, clickhouse, traefik, logto, and now runtime-loader) live in one place. The loader is consumed by cameleer-server's DockerRuntimeOrchestrator as a per-replica init container that fetches the tenant JAR from a signed URL into a named volume before the main container starts. Source + Dockerfile copied verbatim from cameleer-server@c2efb7fb (the image with the volume-permission fix). The published tag path is unchanged (gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running tenant servers continue pulling the same image. Build step matches the runtime-base/postgres/clickhouse/traefik pattern (unconditional rebuild on every push, sha + branch tags, --provenance=false for Gitea). cameleer-server will follow up with a commit removing its loader-build step and switching its LoaderHardeningIT to pull the published image instead of building from a local Dockerfile. 2026-04-28 13:00:23 +02:00			`# cameleer-runtime-loader`

			`Init container that fetches the deployable JAR into a shared volume before the`
			`main runtime container starts. The image is consumed by`
			`DockerRuntimeOrchestrator` in the cameleer-server repo as a tenant
			sidecar — see that repo's `.claude/rules/docker-orchestration.md`
			`("Init-Container Loader Pattern") for the contract.`

			`## Build`

			CI (`.gitea/workflows/ci.yml`, `docker` job, "Build and push runtime-loader
			`image" step) builds and pushes this image on every main / feature-branch`
			`push. Manual build for local testing:`

			`docker build -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag> .`
			`docker push gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag>`

			`## Contract (consumed by cameleer-server)`

			- Env: `ARTIFACT_URL` (signed download URL), `ARTIFACT_EXPECTED_SIZE` (bytes).
			- Volume: writes `/app/jars/app.jar`.
			`- Exit 0 on success; non-zero on fetch/size failure.`
			- Runs as UID 1000 (loader user), drops all caps, read-only rootfs except `/app/jars`.

			`Contract regression coverage lives on the cameleer-server side`
			(`LoaderHardeningIT`); pulls the published `:latest` and asserts exit 0
			`under the orchestrator's hardening shape. Don't change the env vars,`
			`mount path, or exit-code semantics without updating the cameleer-server`
			`side in the same change.`