chore: add build and cicd configuration

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
RHEcosystemAppEng · Jan 16, 2024 · fc6c38d · fc6c38d
1 parent 5535108
commit fc6c38d
Show file tree

Hide file tree

Showing 5 changed files with 134 additions and 125 deletions.
diff --git a/devfile.yaml b/devfile.yaml
@@ -0,0 +1,58 @@
+schemaVersion: 2.2.0
+metadata:
+  name: exhort-cve-service
+  version: 1.0.0
+  provider: Red Hat
+  supportUrl: https://github.com/RHEcosystemAppEng/exhort-cve-service/issues
+  website: https://github.com/RHEcosystemAppEng/exhort-cve-service
+  displayName: Exhort CVE Service
+  description: Exhort CVE Service that aggregates data from OSV and NVD
+  tags:
+    - Exhort
+    - RHTPA
+    - Java
+    - Quarkus
+    - NVD
+    - OSV
+  projectType: Quarkus
+  language: Java
+  attributes:
+    alpha.dockerimage-port: 8080
+parent:
+  id: java-quarkus
+  registryUrl: 'https://registry.devfile.io'
+components:
+  - name: image-build
+    image:
+      imageName: exhort-cve-service:latest
+      dockerfile:
+        uri: src/main/docker/Dockerfile.multi-stage
+        buildContext: .
+        rootRequired: false
+  - name: kubernetes-deploy
+    attributes:
+      deployment/replicas: 1
+      deployment/cpuRequest: 10m
+      deployment/memoryRequest: 128Mi
+      deployment/container-port: 9000
+    kubernetes:
+      uri: kubernetes/deploy.yaml
+      endpoints:
+        - name: http
+          targetPort: 8080
+          path: /
+commands:
+  - id: build-image
+    apply:
+      component: image-build
+  - id: deployk8s
+    apply:
+      component: kubernetes-deploy
+  - id: deploy
+    composite:
+      commands:
+        - build-image
+        - deployk8s
+      group:
+        kind: deploy
+        isDefault: true
diff --git a/kubernetes/deploy.yaml b/kubernetes/deploy.yaml
@@ -1,162 +1,72 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: osv-nvd-service
+  name: exhort-cve-service
   labels:
-    app: osv-nvd-service
+    app: exhort-cve-service
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: osv-nvd-service
+      app: exhort-cve-service
   template:
     metadata:
       labels:
-        app: osv-nvd-service
+        app: exhort-cve-service
     spec:
       containers:
-      - name: osv-nvd-service
-        image: quay.io/ruben/osv-nvd-service:latest
+      - name: exhort-cve-service
+        image: exhort-cve-service:latest
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8080
           protocol: TCP
+        - name: management
+          containerPort: 9000
+          protocol: TCP
         resources:
           limits:
             memory: "128Mi"
             cpu: "500m"
         env:
-          - name: QUARKUS_MONGODB_CONNECTION-STRING
-            valueFrom:
-              secretKeyRef:
-                name: mongodb-creds
-                key: mongodb-connection
-          - name: QUARKUS_MONGODB_DATABASE
+          - name: DB_REDIS_ENDPOINT
             valueFrom:
               secretKeyRef:
-                name: mongodb-creds
-                key: mongodb-database
-          - name: QUARKUS_MONGODB_CREDENTIALS_USERNAME
+                name: exhort-stage
+                key: db.endpoint
+          - name: DB_REDIS_PORT
             valueFrom:
               secretKeyRef:
-                name: mongodb-creds
-                key: mongodb-username
-          - name: QUARKUS_MONGODB_CREDENTIALS_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: mongodb-creds
-                key: mongodb-password
-          - name: MIGRATION_NVD_FILE_PATH
-            value: "/repo/cvelistV5/cves"
-        volumeMounts:
-          - name: repo
-            mountPath: "/repo"
-      volumes:
-        - name: repo
-          persistentVolumeClaim:
-            claimName: nvd-data
+                name: exhort-stage
+                key: db.port
+        livenessProbe:
+          httpGet:
+            path: /q/health/live
+            port: 9000
+          initialDelaySeconds: 1
+        readinessProbe:
+          httpGet:
+            path: /q/health/ready
+            port: 9000
+          initialDelaySeconds: 5
+          periodSeconds: 20
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: osv-nvd-service
+  name: exhort-cve-service
   labels:
-    app: osv-nvd-service
+    app: exhort-cve-service
 spec:
   ports:
   - name: http
     port: 8080
     protocol: TCP
     targetPort: 8080
+  - name: management
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
   selector:
-    app: osv-nvd-service
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nvd-data
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 8Gi
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: nvd-sync
-spec:
-  schedule: "0 * * * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: git-job
-            image: quay.io/ruben/ubi8-git:latest
-            imagePullPolicy: IfNotPresent
-            command:
-            - /bin/sh
-            - -c
-            - /scripts/pull.sh
-            - /scripts/sync.sh
-            env:
-              - name: REPO_PATH
-                value: /repo
-              - name: REPO_URL
-                value: https://github.com/CVEProject/cvelistV5.git
-              - name: SERVICE_ENDPOINT
-                value: http://osv-nvd-service:8080/cves
-            volumeMounts:
-            - name: repo
-              mountPath: "/repo"
-            - name: scripts
-              mountPath: /scripts
-          restartPolicy: OnFailure
-          volumes:
-            - name: repo
-              persistentVolumeClaim:
-                claimName: nvd-data
-            - name: scripts
-              configMap:
-                name: fetch-nvd-repo-scripts
-                defaultMode: 0777
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: nvd-clone
-spec:
-  template:
-    spec:
-      containers:
-      - name: git-job
-        image: quay.io/ruben/ubi8-git:latest
-        imagePullPolicy: IfNotPresent
-        command:
-        - /bin/sh
-        - -c
-        - /scripts/clone.sh
-        env:
-          - name: REPO_PATH
-            value: /repo
-          - name: REPO_URL
-            value: https://github.com/CVEProject/cvelistV5.git
-        volumeMounts:
-        - name: repo
-          mountPath: "/repo"
-        - name: scripts
-          mountPath: /scripts
-      restartPolicy: OnFailure
-      volumes:
-        - name: repo
-          persistentVolumeClaim:
-            claimName: nvd-data
-        - name: scripts
-          configMap:
-            name: fetch-nvd-repo-scripts
-            defaultMode: 0777
-  backoffLimit: 4
+    app: exhort-cve-service
diff --git a/src/main/docker/Dockerfile.multi-stage b/src/main/docker/Dockerfile.multi-stage
@@ -0,0 +1,38 @@
+## Stage 1 : build with maven builder image with native capabilities
+FROM registry.redhat.io/quarkus/mandrel-23-rhel8:23.0 AS build
+
+COPY --chown=quarkus:quarkus mvnw /code/mvnw
+COPY --chown=quarkus:quarkus .mvn /code/.mvn
+COPY --chown=quarkus:quarkus pom.xml /code/
+## Maven Settings with the auth token for Github Maven Repository
+COPY --chown=quarkus:quarkus settings.xml /code/settings.xml
+
+USER quarkus
+WORKDIR /code
+RUN ./mvnw -B --settings /code/settings.xml org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline
+COPY --chown=quarkus:quarkus src /code/src
+RUN ./mvnw verify -B -Pnative -Dmaven.test.skip=true -Dquarkus.native.native-image-xmx=8g
+
+## Stage 2 : create the docker final image
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3
+
+LABEL description="Red Hat Trusted Profile Analyzer - Exhort CVE Service"
+LABEL io.k8s.description="Red Hat Trusted Profile Analyzer - Exhort CVE Service"
+LABEL io.k8s.display-name="RHTPA Exhort CVE Service"
+LABEL io.openshift.tags="rhtpa exhort cve service"
+LABEL summary="The RHTPA Exhort CVE exposes an API for retrieving vulnerability data \
+from OSV and NVD databases"
+
+WORKDIR /work/
+COPY --from=build /code/target/*-runner /work/application
+
+# set up permissions for user `1001`
+RUN chmod 775 /work /work/application \
+  && chown -R 1001 /work \
+  && chmod -R "g+rwX" /work \
+  && chown -R 1001:root /work
+
+EXPOSE 8080
+USER 1001
+
+CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
diff --git a/src/main/docker/Dockerfile.native b/src/main/docker/Dockerfile.native
@@ -14,7 +14,7 @@
 # docker run -i --rm -p 8080:8080 quarkus/exhort-vuln-ingester
 #
 ###
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3
 WORKDIR /work/
 RUN chown 1001 /work \
     && chmod "g+rwX" /work \

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -1,9 +1,12 @@
 
 # quarkus.redis.hosts=redis://localhost/
+quarkus.redis.hosts=redis://${db.redis.host:localhost}:${db.redis.port:6379}/
 # quarkus.log.level=DEBUG
 
 migration.cve.file.path=/repo/cvelistV5/cves
 migration.osv.pageSize=100
 
 quarkus.rest-client.osv-api.url=https://api.osv.dev
-quarkus.rest-client.nvd-api.url=https://services.nvd.nist.gov
+quarkus.rest-client.nvd-api.url=https://services.nvd.nist.gov
+
+quarkus.management.enabled=true