From d3d2a0d53e1e588dd5f50cf855d2426f76499ffa Mon Sep 17 00:00:00 2001
From: Dylan Hall
Date: Thu, 7 Mar 2024 07:42:25 -0500
Subject: [PATCH] FI-2338: New Dockerfile for validator (#458)
* FI-2338: new dockerfile for HL7 validator wrapper
* rename to inferno-resource-validator
* Move steps from readme to separate script
---
Dockerfile.fhir_resource_validator | 10 ---------
docker-compose.background.yml | 7 +-----
validator/Dockerfile | 36 ++++++++++++++++++++++++++++++
validator/README.md | 20 +++++++++++++++++
validator/build_and_push.sh | 12 ++++++++++
5 files changed, 69 insertions(+), 16 deletions(-)
delete mode 100644 Dockerfile.fhir_resource_validator
create mode 100644 validator/Dockerfile
create mode 100644 validator/README.md
create mode 100755 validator/build_and_push.sh
diff --git a/Dockerfile.fhir_resource_validator b/Dockerfile.fhir_resource_validator
deleted file mode 100644
index 8fdab5547..000000000
--- a/Dockerfile.fhir_resource_validator
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM markiantorno/validator-wrapper
-
-USER root
-# Java certs need to be installed as root, so switch to that user for this step only
-# (the image does not contain 'sudo')
-RUN wget https://gitlab.mitre.org/mitre-scripts/mitre-pki/-/raw/master/tool_scripts/install_certs.sh -O - | MODE=java sh
-
-USER $APPLICATION_USER
-
-# CMD is inherited from parent image as long as we don't override it or ENTRYPOINT
diff --git a/docker-compose.background.yml b/docker-compose.background.yml
index 41c6cf003..ca3d70d34 100644
--- a/docker-compose.background.yml
+++ b/docker-compose.background.yml
@@ -31,12 +31,7 @@ services:
 # To enable the HL7 Validator Wrapper, both the section below and
 # the section in nginx.background.conf need to be uncommented
 # hl7_validator_service:
- # image: markiantorno/validator-wrapper
- # # If running on the MITRE network, comment out the "image" line above
- # # and uncomment the "build" section below
- # # build:
- # # context: .
- # # dockerfile: Dockerfile.fhir_resource_validator
+ # image: infernocommunity/inferno-resource-validator
 # # Update this path to match your directory structure
 # volumes:
 # - ./igs:/home/igs
diff --git a/validator/Dockerfile b/validator/Dockerfile
new file mode 100644
index 000000000..06bf4abc9
--- /dev/null
+++ b/validator/Dockerfile
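Review bot: The new `image: infernocommunity/inferno-resource-validator` reference carries no tag, so once the block is uncommented it resolves to `latest`, which `validator/build_and_push.sh` in this same commit re-points on every publish. Pinning the release that was actually tested, for example `# image: infernocommunity/inferno-resource-validator:<TESTED_VERSION>` (placeholder) or an `@sha256:` digest, keeps a later push from silently changing what runs here. The `services:` block starts and ends outside this hunk.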
@@ -0,0 +1,36 @@
+# This Dockerfile is based on the Dockerfile for org.hl7.fhir.validator-wrapper
+# https://github.com/hapifhir/org.hl7.fhir.validator-wrapper/blob/master/Dockerfile
+# with 3 key differences:
+# 1. It fetches the built JAR from GitHub instead of locally, or building from source
+# 2. It adds MITRE certs, for ease of use by the MITRE development team
+# 3. It uses an Ubuntu-based base image instead of Alpine to support both AMD64 and ARM architectures
+#
+# The software release to use is based on the PROJECT_VERSION build argument (required)
+
+FROM eclipse-temurin:11-jre-jammy
+
+RUN wget https://gitlab.mitre.org/mitre-scripts/mitre-pki/-/raw/master/os_scripts/install_certs.sh -O - | MODE=ubuntu sh \
+ && wget https://gitlab.mitre.org/mitre-scripts/mitre-pki/-/raw/master/tool_scripts/install_certs.sh -O - | MODE=java sh
+
+ARG PROJECT_VERSION
+RUN echo "Project version set to -> ${PROJECT_VERSION}"
+
+ENV APPLICATION_USER ktor
+RUN adduser $APPLICATION_USER
+
+RUN mkdir /app
+RUN chown -R $APPLICATION_USER /app
+
+USER $APPLICATION_USER
+
+# These lines copy the packaged application into the Docker image and sets the working directory to where it was copied.
+WORKDIR /app
+RUN wget -O validator-wrapper.jar "https://github.com/hapifhir/org.hl7.fhir.validator-wrapper/releases/download/${PROJECT_VERSION}/validator_cli.jar"
+
+# Environment vars here
+ENV ENVIRONMENT prod
+
+EXPOSE 3500
+
+# The last line instructs Docker to run java with G10s GC, assigns 79% of the system's available memory, and indicates the packaged application.
+CMD ["java", "-server", "-XX:+UnlockExperimentalVMOptions", "-XX:InitialRAMPercentage=79", "-XX:MinRAMPercentage=79", "-XX:MaxRAMPercentage=79", "-XX:+UseG1GC", "-XX:MaxGCPauseMillis=100", "-XX:+UseStringDeduplication", "-XX:+CrashOnOutOfMemoryError", "-jar", "validator-wrapper.jar", "-startServer"]
diff --git a/validator/README.md b/validator/README.md
new file mode 100644
index 000000000..fafb5ab39
--- /dev/null
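Review bot: Both `wget ... -O - | MODE=... sh` steps in the first `RUN` execute, as root, whatever the `master` branch of the mitre-pki repository serves at build time, with no pinned revision or checksum; and because the default shell has no `pipefail`, a failed download leaves `sh` reading empty input and the layer still succeeds. I would fetch each script from a fixed commit into a file, verify its SHA-256, and only then run it, as sketched below. The same integrity check is missing for the `validator_cli.jar` download, whose expected digest could be passed as a build argument alongside `PROJECT_VERSION`. Since the README says the image is pushed to Docker Hub, it is also worth documenting there that the image's trust stores presumably carry the MITRE CA certificates, because every consumer of the published image inherits that trust.

```dockerfile
# Placeholders: MITRE_PKI_REF is a reviewed commit of mitre-pki; the *_SHA256 args are the
# digests of the two scripts at that commit. Supply all three with --build-arg.
ARG MITRE_PKI_REF
ARG OS_CERTS_SHA256
ARG JAVA_CERTS_SHA256
RUN base="https://gitlab.mitre.org/mitre-scripts/mitre-pki/-/raw/${MITRE_PKI_REF}" \
    && wget -O /tmp/os_install_certs.sh "${base}/os_scripts/install_certs.sh" \
    && wget -O /tmp/java_install_certs.sh "${base}/tool_scripts/install_certs.sh" \
    && echo "${OS_CERTS_SHA256}  /tmp/os_install_certs.sh" | sha256sum -c - \
    && echo "${JAVA_CERTS_SHA256}  /tmp/java_install_certs.sh" | sha256sum -c - \
    && MODE=ubuntu sh /tmp/os_install_certs.sh \
    && MODE=java sh /tmp/java_install_certs.sh \
    && rm -f /tmp/os_install_certs.sh /tmp/java_install_certs.sh

# … unchanged: ARG PROJECT_VERSION, user creation, /app setup, JAR download, ENV, EXPOSE, CMD …
```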
+++ b/validator/README.md
@@ -0,0 +1,20 @@
+# infernocommunity/inferno-resource-validator
+
+This Dockerfile is based on the Dockerfile for org.hl7.fhir.validator-wrapper (see https://github.com/hapifhir/org.hl7.fhir.validator-wrapper/blob/master/Dockerfile ) with 3 key differences relevant to Inferno:
+1. It fetches the built JAR from GitHub instead of locally, or building from source
+2. It adds MITRE certs, for ease of use by the MITRE development team
+3. It uses an Ubuntu-based base image instead of Alpine to support both AMD64 and ARM architectures
+
+It is intended to be a drop-in replacement for the official image; i.e., if you don't need features 2 & 3 above you can use the same version of `markiantorno/validator-wrapper` with all the same settings, environment variables, etc. Version numbers of this image should match the version number of the official image.
+
+In addition to the above differences, published versions of this image have been tested by the Inferno team and are known to be compatible with Inferno test kits.
+
+
+## Publishing a new version
+A script `build_and_push.sh` is provided to assist with publishing a new version. The version of the wrapper service to use must be provided as the first command-line argument (required).
+The available versions are listed at https://github.com/hapifhir/org.hl7.fhir.validator-wrapper/releases .
+Replace `1.0.50` in the example below with the appropriate number and run the following command to build & push a multi-arch image to Docker Hub. Images will be tagged as both the provided version number and as `latest`
+
+```sh
+./build_and_push.sh 1.0.50
+```
\ No newline at end of file
diff --git a/validator/build_and_push.sh b/validator/build_and_push.sh
new file mode 100755
index 000000000..4969196ce
--- /dev/null
+++ b/validator/build_and_push.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+PROJECT_VERSION=$1
+if [ -z $PROJECT_VERSION ]; then
+ echo "Usage: $0 PROJECT_VERSION"
+ echo The available project versions are listed at https://github.com/hapifhir/org.hl7.fhir.validator-wrapper/releases
+ exit 1
+fi
+
+echo Using PROJECT_VERSION $PROJECT_VERSION
+
+docker buildx build --platform linux/arm64,linux/amd64 --build-arg "PROJECT_VERSION=${PROJECT_VERSION}" --tag "infernocommunity/inferno-resource-validator:${PROJECT_VERSION}" --tag infernocommunity/inferno-resource-validator:latest --push .
\ No newline at end of file
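Review bot: `$PROJECT_VERSION` is expanded unquoted in the `[ -z $PROJECT_VERSION ]` test and in the following `echo`, so an argument containing whitespace or glob characters is word-split before the check sees it; write `if [ -z "$PROJECT_VERSION" ]; then` and quote the `echo` as well. Because the value ends up inside the JAR download URL in the image build and in the pushed tag, it would also help to reject anything that does not look like a release number before calling `docker buildx`. The script moves `latest` unconditionally too, so republishing an older release re-points `latest` at it; consider making that tag opt-in.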