cameleer/cameleer-saas
2
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6ac06d6859b9b7a8a3e68f3d8374438ba71e9389
cameleer-saas/docker/runtime-loader/README.md
hsiegeln ac8d628271
Some checks failed
CI / build (push) Successful in 2m1s
Details
CI / docker (push) Failing after 7s
Details
feat(ci): build and push cameleer-runtime-loader image 
Move the init-container loader image build from cameleer-server CI into
this repo so all sidecar/infra image builds (runtime-base, postgres,
clickhouse, traefik, logto, and now runtime-loader) live in one place.

The loader is consumed by cameleer-server's DockerRuntimeOrchestrator as
a per-replica init container that fetches the tenant JAR from a signed
URL into a named volume before the main container starts. Source +
Dockerfile copied verbatim from cameleer-server@c2efb7fb (the image with
the volume-permission fix). The published tag path is unchanged
(gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running
tenant servers continue pulling the same image.

Build step matches the runtime-base/postgres/clickhouse/traefik pattern
(unconditional rebuild on every push, sha + branch tags, --provenance=false
for Gitea). cameleer-server will follow up with a commit removing its
loader-build step and switching its LoaderHardeningIT to pull the
published image instead of building from a local Dockerfile.
2026-04-28 13:00:23 +02:00

1.3 KiB
Raw Blame History

cameleer-runtime-loader

Init container that fetches the deployable JAR into a shared volume before the main runtime container starts. The image is consumed by DockerRuntimeOrchestrator in the cameleer-server repo as a tenant sidecar — see that repo's .claude/rules/docker-orchestration.md ("Init-Container Loader Pattern") for the contract.

Build

CI (.gitea/workflows/ci.yml, docker job, "Build and push runtime-loader image" step) builds and pushes this image on every main / feature-branch push. Manual build for local testing:

docker build -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag> .
docker push gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag>

Contract (consumed by cameleer-server)

  • Env: ARTIFACT_URL (signed download URL), ARTIFACT_EXPECTED_SIZE (bytes).
  • Volume: writes /app/jars/app.jar.
  • Exit 0 on success; non-zero on fetch/size failure.
  • Runs as UID 1000 (loader user), drops all caps, read-only rootfs except /app/jars.

Contract regression coverage lives on the cameleer-server side (LoaderHardeningIT); pulls the published :latest and asserts exit 0 under the orchestrator's hardening shape. Don't change the env vars, mount path, or exit-code semantics without updating the cameleer-server side in the same change.

Reference in New Issue View Git Blame Copy Permalink