cameleer/cameleer-server
1
0
Fork 0
Code Issues 46 Pull Requests Actions Packages Projects Releases Wiki Activity

chore: hand cameleer-runtime-loader image build to cameleer-saas
All checks were successful
CI / cleanup-branch (push) Has been skipped
Details
CI / build (push) Successful in 3m0s
Details
CI / docker (push) Successful in 3m26s
Details
CI / deploy-feature (push) Has been skipped
Details
CI / deploy (push) Successful in 45s
Details

Browse Source 
The loader is infra glue (per-replica init container that fetches the
tenant JAR from a signed URL) — same shape as runtime-base, postgres,
clickhouse, traefik, logto images already living in cameleer-saas. Move
the source + CI build there so all sidecar/infra image builds are in
one place; cameleer-server's CI is back to building only what it owns
(server, server-ui).

Coordination: cameleer-saas@ac8d628 added the build step and copied the
source verbatim. Published tag path is unchanged
(gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running
tenant servers continue pulling the same image without disruption.

This commit:
- Deletes cameleer-runtime-loader/ (Dockerfile, entrypoint.sh, README).
- Removes the conditional "Build and push runtime-loader" step and its
  upstream "Detect runtime-loader changes" detection from .gitea/workflows/ci.yml.
  Drops the fetch-depth: 0 + outputs.loader_changed plumbing that only
  existed for the change-detection path.
- Drops cameleer-runtime-loader from the in-job and cleanup-branch image
  cleanup loops — saas owns the registry lifecycle now.
- Rewrites LoaderHardeningIT to pull the published :latest from the
  registry (via Testcontainers GenericContainer) instead of building
  from a local Dockerfile. The IT now functions as a cross-repo contract
  test: cameleer-server's hardening expectations vs. the saas-published
  artifact. Local devs need `docker login gitea.siegeln.net`; CI runners
  are pre-authenticated.
- Updates .claude/rules/docker-orchestration.md to point at the new
  source-of-truth location and reframe LoaderHardeningIT as the
  cross-repo contract test.

The image's runtime contract (ARTIFACT_URL, ARTIFACT_EXPECTED_SIZE,
/app/jars/app.jar mount, exit code semantics) is unchanged. Future
contract changes need coordinated commits across both repos.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-28 13:02:54 +02:00
parent 2871bdcc92
commit 3334f0a1d2
6 changed files with 13 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
cameleer-server-app/src/test/java/com/cameleer/server/app/runtime/LoaderHardeningIT.java
View File

@@ -13,13 +13,11 @@ import org.testcontainers.containers.BindMode;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.Network;
import org.testcontainers.containers.startupcheck.OneShotStartupCheckStrategy;
import org.testcontainers.images.builder.ImageFromDockerfile;
import org.testcontainers.junit.jupiter.Testcontainers;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.List;
import java.util.Map;
@@ -37,14 +35,19 @@ import static org.assertj.core.api.Assertions.assertThat;
* {@link DockerRuntimeOrchestrator}'s {@code baseHardenedHostConfig()} +
* loader-specific bind, against a real artifact server, and asserts the
* loader writes the expected file.
*
* <p>Image source: the loader's Dockerfile lives in the cameleer-saas repo
* (`docker/runtime-loader/`) and is built+pushed by saas CI. This IT pulls
* the published `:latest` tag — running it locally requires a `docker login
* gitea.siegeln.net` (CI runners are pre-authenticated). The IT acts as a
* cross-repo contract test: cameleer-server's hardening expectations versus
* the saas-published artifact.
*/
@Testcontainers
class LoaderHardeningIT {
private static final Path LOADER_DIR = Paths
.get(System.getProperty("user.dir"))
.getParent()
.resolve("cameleer-runtime-loader");
private static final String LOADER_IMAGE =
"gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest";
private static final int ARTIFACT_BYTES = 1024;
@@ -54,7 +57,6 @@ class LoaderHardeningIT {
private GenericContainer<?> loader;
private Path fixtureDir;
private String volumeName;
private String loaderImageId;
@BeforeEach
void setUp() throws IOException {
@@ -74,10 +76,6 @@ class LoaderHardeningIT {
BindMode.READ_ONLY);
fileServer.start();
loaderImageId = new ImageFromDockerfile()
.withFileFromPath(".", LOADER_DIR)
.get();
volumeName = "cameleer-loader-it-" + UUID.randomUUID().toString().substring(0, 8);
dockerClient.createVolumeCmd().withName(volumeName).exec();
}
@@ -107,7 +105,7 @@ class LoaderHardeningIT {
// exited with status 0. Anything else (non-zero exit, timeout) throws
// ContainerLaunchException — the assertion below is a belt-and-braces
// explicit check on the resolved exit code.
loader = new GenericContainer<>(loaderImageId)
loader = new GenericContainer<>(LOADER_IMAGE)
.withNetwork(network)
.withEnv("ARTIFACT_URL", "http://file-server/artifact.jar")
.withEnv("ARTIFACT_EXPECTED_SIZE", String.valueOf(ARTIFACT_BYTES))