cameleer/cameleer-saas
2
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ci): build and push cameleer-runtime-loader image
Some checks failed
CI / build (push) Successful in 2m1s
Details
CI / docker (push) Failing after 7s
Details

Browse Source 
Move the init-container loader image build from cameleer-server CI into
this repo so all sidecar/infra image builds (runtime-base, postgres,
clickhouse, traefik, logto, and now runtime-loader) live in one place.

The loader is consumed by cameleer-server's DockerRuntimeOrchestrator as
a per-replica init container that fetches the tenant JAR from a signed
URL into a named volume before the main container starts. Source +
Dockerfile copied verbatim from cameleer-server@c2efb7fb (the image with
the volume-permission fix). The published tag path is unchanged
(gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running
tenant servers continue pulling the same image.

Build step matches the runtime-base/postgres/clickhouse/traefik pattern
(unconditional rebuild on every push, sha + branch tags, --provenance=false
for Gitea). cameleer-server will follow up with a commit removing its
loader-build step and switching its LoaderHardeningIT to pull the
published image instead of building from a local Dockerfile.
This commit is contained in:
hsiegeln
2026-04-28 13:00:23 +02:00
parent bc32d7e994
commit ac8d628271
4 changed files with 82 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docker/runtime-loader/README.md Normal file
View File

@@ -0,0 +1,29 @@
# cameleer-runtime-loader
Init container that fetches the deployable JAR into a shared volume before the
main runtime container starts. The image is consumed by
`DockerRuntimeOrchestrator` in the **cameleer-server** repo as a tenant
sidecar — see that repo's `.claude/rules/docker-orchestration.md`
("Init-Container Loader Pattern") for the contract.
## Build
CI (`.gitea/workflows/ci.yml`, `docker` job, "Build and push runtime-loader
image" step) builds and pushes this image on every main / feature-branch
push. Manual build for local testing:
docker build -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag> .
docker push gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag>
## Contract (consumed by cameleer-server)
- Env: `ARTIFACT_URL` (signed download URL), `ARTIFACT_EXPECTED_SIZE` (bytes).
- Volume: writes `/app/jars/app.jar`.
- Exit 0 on success; non-zero on fetch/size failure.
- Runs as UID 1000 (loader user), drops all caps, read-only rootfs except `/app/jars`.
Contract regression coverage lives on the cameleer-server side
(`LoaderHardeningIT`); pulls the published `:latest` and asserts exit 0
under the orchestrator's hardening shape. Don't change the env vars,
mount path, or exit-code semantics without updating the cameleer-server
side in the same change.