feat(build): add fiat-integration module to exercise the just-built d…

…ocker imageTest docker image (#6206)

* fix(web): replace deprecated spring.profiles in configuration

with spring.config.activate.on-profile to remove these warnings:

2024-05-01 21:29:23.746  WARN 1 --- [           main] o.s.b.c.config.ConfigDataEnvironment     : Property 'spring.profiles' imported from location 'class path resource [clouddriver.yml]' is invalid and should be replaced with 'spring.config.activate.on-profile' [origin: class path resource [clouddriver.yml] - 375:13]
2024-05-01 21:29:23.746  WARN 1 --- [           main] o.s.b.c.config.ConfigDataEnvironment     : Property 'spring.profiles' imported from location 'class path resource [clouddriver.yml]' is invalid and should be replaced with 'spring.config.activate.on-profile' [origin: class path resource [clouddriver.yml] - 363:13]
2024-05-01 21:29:23.746  WARN 1 --- [           main] o.s.b.c.config.ConfigDataEnvironment     : Property 'spring.profiles' imported from location 'class path resource [clouddriver.yml]' is invalid and should be replaced with 'spring.config.activate.on-profile' [origin: class path resource [clouddriver.yml] - 350:13]
2024-05-01 21:29:23.746  WARN 1 --- [           main] o.s.b.c.config.ConfigDataEnvironment     : Property 'spring.profiles' imported from location 'class path resource [clouddriver.yml]' is invalid and should be replaced with 'spring.config.activate.on-profile' [origin: class path resource [clouddriver.yml] - 312:13]

See https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Config-Data-Migration-Guide#profile-specific-documents.

* feat(docker): add HEALTHCHECK

to facilitate testing container startup

* feat(build): add clouddriver-integration module to exercise the just-built docker image

* feat(gha): run integration test in pr builds

multi-arch with --load doesn't work, so add a separate step using the local platform to
make an image available for testing.

see docker/buildx#59

* feat(gha): run integration test in branch builds

* fix(docker): reduce the chance for false positives in the health check

In case the health check contains more detailed information where one check could report UP but the overall status is down/out of service/etc.

See https://docs.spring.io/spring-boot/docs/2.6.15/reference/html/actuator.html#actuator.endpoints.health for more.

(cherry picked from commit 9ea2224)

# Conflicts:
#	.github/workflows/pr.yml
#	Dockerfile.java11.slim
#	Dockerfile.java11.ubuntu
#	Dockerfile.ubuntu

.github/workflows/build.yml

@@ -39,6 +39,19 @@ jobs:
         env:
           ORG_GRADLE_PROJECT_version: ${{ steps.build_variables.outputs.VERSION }}
         run: ./gradlew build --stacktrace ${{ steps.build_variables.outputs.REPO }}-web:installDist
+      - name: Build local slim container image for testing
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.slim
+          load: true
+          platforms: local
+          tags: |
+            "${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}-unvalidated"
+      - name: Test local slim container image
+        env:
+          FULL_DOCKER_IMAGE_NAME: "${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}-unvalidated"
+        run: ./gradlew ${{ steps.build_variables.outputs.REPO }}-integration:test
       - name: Login to GAR
         # Only run this on repositories in the 'spinnaker' org, not on forks.
         if: startsWith(github.repository, 'spinnaker/')

.github/workflows/pr.yml

@@ -53,3 +53,39 @@ jobs:
           tags: |
             "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:latest-ubuntu"
             "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}-ubuntu"
+<<<<<<< HEAD
+=======
+      - name: Build slim JRE 11 container image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.java11.slim
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:latest-java11"
+            "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}-java11"
+            "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:latest-java11-slim"
+            "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}-java11-slim"
+      - name: Build ubuntu JRE 11 container image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.java11.ubuntu
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:latest-java11-ubuntu"
+            "${{ env.CONTAINER_REGISTRY }}/${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}-java11-ubuntu"
+      - name: Build local slim container image for testing
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.slim
+          load: true
+          platforms: local
+          tags: |
+            "${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}"
+      - name: Test local slim container image
+        env:
+          FULL_DOCKER_IMAGE_NAME: "${{ steps.build_variables.outputs.REPO }}:${{ steps.build_variables.outputs.VERSION }}"
+        run: ./gradlew ${{ steps.build_variables.outputs.REPO }}-integration:test
+>>>>>>> 9ea2224ef0 (feat(build): add fiat-integration module to exercise the just-built docker imageTest docker image (#6206))

Dockerfile.java11.slim

@@ -0,0 +1,69 @@
+FROM python:3.7-alpine3.16
+LABEL maintainer="[email protected]"
+ARG TARGETARCH
+
+ENV KUBECTL_DEFAULT_RELEASE=1.22.17
+ENV KUBECTL_RELEASES="${KUBECTL_DEFAULT_RELEASE} 1.26.12 1.27.9 1.28.5 1.29.0"
+ENV AWS_CLI_VERSION=2.15.22
+ENV AWS_AIM_AUTHENTICATOR_VERSION=0.6.14
+ENV GOOGLE_CLOUD_SDK_VERSION=412.0.0
+ENV ECR_TOKEN_VERSION=v1.0.2
+
+ENV PATH "$PATH:/usr/local/bin/:/opt/google-cloud-sdk/bin/:/usr/local/bin/aws-iam-authenticator"
+
+RUN apk update \
+  && apk upgrade \
+  && apk --no-cache add --update \
+    bash \
+    ca-certificates \
+    curl \
+    wget \
+    openjdk11 \
+    git \
+    openssh-client \
+    unzip
+
+# AWS CLI 2
+RUN if [ "${TARGETARCH}" = "arm64" ]; then \
+    wget -nv -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-aarch64-${AWS_CLI_VERSION}.zip"; \
+  else \
+    wget -nv -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip"; \
+  fi && \
+  unzip awscliv2.zip && \
+  ./aws/install && \
+  rm -rf ./awscliv2.zip ./aws
+
+# Google cloud SDK
+RUN [ $TARGETARCH == 'amd64' ] &&  export GCP_ARCH="x86_64" || export GCP_ARCH="arm"  \
+  && wget -nv https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-${GCP_ARCH}.tar.gz \
+  && mkdir -p /opt && cd /opt \
+  && tar -xzf /google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-${GCP_ARCH}.tar.gz \
+  && rm /google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-${GCP_ARCH}.tar.gz \
+  && CLOUDSDK_PYTHON="python3" /opt/google-cloud-sdk/install.sh --usage-reporting=false --bash-completion=false \
+     --additional-components app-engine-java app-engine-go gke-gcloud-auth-plugin \
+  && rm -rf ~/.config/gcloud \
+  && rm -rf /opt/google-cloud-sdk/.install/.backup
+
+# kubectl + AWS IAM authenticator
+RUN for version in $KUBECTL_RELEASES; do \
+      release_version=$(echo ${version} | cut -d. -f1,2); \
+      wget -nv https://cdn.dl.k8s.io/release/v${version}/bin/linux/${TARGETARCH}/kubectl -O /usr/local/bin/kubectl-${release_version}; \
+      chmod +x /usr/local/bin/kubectl-${release_version}; \
+      done \
+  && ln -sf "/usr/local/bin/kubectl-$(echo ${KUBECTL_DEFAULT_RELEASE} | cut -d. -f1,2)" /usr/local/bin/kubectl \
+  && wget -nv -O aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_AIM_AUTHENTICATOR_VERSION}/aws-iam-authenticator_${AWS_AIM_AUTHENTICATOR_VERSION}_linux_${TARGETARCH} \
+  && chmod +x ./aws-iam-authenticator \
+  && mv ./aws-iam-authenticator /usr/local/bin/aws-iam-authenticator\
+  && ln -sf /usr/local/bin/aws-iam-authenticator /usr/local/bin/heptio-authenticator-aws
+
+RUN rm /var/cache/apk/*
+
+RUN addgroup -S -g 10111 spinnaker
+RUN adduser -S -G spinnaker -u 10111 spinnaker
+
+COPY clouddriver-web/build/install/clouddriver /opt/clouddriver
+RUN mkdir -p /opt/clouddriver/plugins && chown -R spinnaker:nogroup /opt/clouddriver/plugins
+
+USER spinnaker
+HEALTHCHECK CMD curl --fail http://localhost:7002/health
+CMD ["/opt/clouddriver/bin/clouddriver"]

Dockerfile.java11.ubuntu

@@ -0,0 +1,66 @@
+FROM ubuntu:jammy
+LABEL maintainer="[email protected]"
+ARG TARGETARCH
+ENV GOOGLE_CLOUD_SDK_VERSION=412.0.0
+ENV PATH "$PATH:/opt/google-cloud-sdk/bin/"
+ENV KUBECTL_DEFAULT_RELEASE=1.22.17
+ENV KUBECTL_RELEASES="${KUBECTL_DEFAULT_RELEASE} 1.26.12 1.27.9 1.28.5 1.29.0"
+ENV AWS_CLI_VERSION=2.15.22
+ENV AWS_AIM_AUTHENTICATOR_VERSION=0.6.14
+
+RUN apt-get update && apt-get install -y curl gnupg && \
+  curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - && \
+  echo "deb https://packages.cloud.google.com/apt cloud-sdk  main" > /etc/apt/sources.list.d/cloud-sdk.list && \
+  apt-get update && \
+  apt-get upgrade -y && \
+  apt-get install -y \
+  curl \
+  openjdk-11-jre-headless \
+  wget \
+  python3-pip \
+  python3 \
+  git \
+  openssh-client \
+  unzip && \
+  rm -rf ~/.config/gcloud
+
+# AWS CLI 2
+RUN if [ "${TARGETARCH}" = "arm64" ]; then \
+    wget -nv -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-aarch64-${AWS_CLI_VERSION}.zip"; \
+  else \
+    wget -nv -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip"; \
+  fi && \
+  unzip awscliv2.zip && \
+  ./aws/install && \
+  rm -rf ./awscliv2.zip ./aws
+
+# kubectl + AWS IAM authenticator
+RUN for version in $KUBECTL_RELEASES; do \
+      release_version=$(echo ${version} | cut -d. -f1,2); \
+      wget -nv https://cdn.dl.k8s.io/release/v${version}/bin/linux/${TARGETARCH}/kubectl -O /usr/local/bin/kubectl-${release_version}; \
+      chmod +x /usr/local/bin/kubectl-${release_version}; \
+      done \
+  && ln -sf "/usr/local/bin/kubectl-$(echo ${KUBECTL_DEFAULT_RELEASE} | cut -d. -f1,2)" /usr/local/bin/kubectl \
+  && wget -nv -O aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_AIM_AUTHENTICATOR_VERSION}/aws-iam-authenticator_${AWS_AIM_AUTHENTICATOR_VERSION}_linux_${TARGETARCH} \
+  && chmod +x ./aws-iam-authenticator \
+  && mv ./aws-iam-authenticator /usr/local/bin/aws-iam-authenticator\
+  && ln -sf /usr/local/bin/aws-iam-authenticator /usr/local/bin/heptio-authenticator-aws
+
+# Google cloud SDK
+RUN [ $TARGETARCH = 'amd64' ] &&  export GCP_ARCH="x86_64" || export GCP_ARCH="arm"  \
+  && wget -nv https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-${GCP_ARCH}.tar.gz \
+  && mkdir -p /opt && cd /opt \
+  && tar -xzf /google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-${GCP_ARCH}.tar.gz \
+  && rm /google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-${GCP_ARCH}.tar.gz \
+  && CLOUDSDK_PYTHON="python3" /opt/google-cloud-sdk/install.sh --usage-reporting=false --bash-completion=false  \
+     --additional-components app-engine-java app-engine-go gke-gcloud-auth-plugin  \
+  && rm -rf ~/.config/gcloud \
+  && rm -rf /opt/google-cloud-sdk/.install/.backup
+
+
+RUN adduser --system --uid 10111 --group spinnaker
+COPY clouddriver-web/build/install/clouddriver /opt/clouddriver
+RUN mkdir -p /opt/clouddriver/plugins && chown -R spinnaker:nogroup /opt/clouddriver/plugins
+USER spinnaker
+HEALTHCHECK CMD curl --fail http://localhost:7002/health
+CMD ["/opt/clouddriver/bin/clouddriver"]

Dockerfile.slim

@@ -17,6 +17,7 @@ RUN apk update \
   && apk --no-cache add --update \
     bash \
     ca-certificates \
+    curl \
     wget \
     openjdk11 \
     git \
@@ -55,5 +56,5 @@ COPY clouddriver-web/build/install/clouddriver /opt/clouddriver
 RUN mkdir -p /opt/clouddriver/plugins && chown -R spinnaker:nogroup /opt/clouddriver/plugins
 
 USER spinnaker
-
+HEALTHCHECK CMD curl --fail http://localhost:7002/health
 CMD ["/opt/clouddriver/bin/clouddriver"]

Dockerfile.ubuntu

@@ -14,7 +14,12 @@ RUN apt-get update && apt-get install -y curl gnupg && \
   apt-get update && \
   apt-get upgrade -y && \
   apt-get install -y \
+<<<<<<< HEAD
   openjdk-11-jre-headless \
+=======
+  curl \
+  openjdk-17-jre-headless \
+>>>>>>> 9ea2224ef0 (feat(build): add fiat-integration module to exercise the just-built docker imageTest docker image (#6206))
   wget \
   python3-pip \
   python3 \
@@ -51,4 +56,5 @@ RUN adduser --system --uid 10111 --group spinnaker
 COPY clouddriver-web/build/install/clouddriver /opt/clouddriver
 RUN mkdir -p /opt/clouddriver/plugins && chown -R spinnaker:nogroup /opt/clouddriver/plugins
 USER spinnaker
+HEALTHCHECK CMD curl --fail http://localhost:7002/health
 CMD ["/opt/clouddriver/bin/clouddriver"]

clouddriver-integration/clouddriver-integration.gradle

@@ -0,0 +1,24 @@
+dependencies {
+  testImplementation "com.fasterxml.jackson.core:jackson-databind"
+  testImplementation "org.assertj:assertj-core"
+  testImplementation "org.junit.jupiter:junit-jupiter-api"
+  testImplementation "org.slf4j:slf4j-api"
+  testImplementation "org.testcontainers:testcontainers"
+  testImplementation "org.testcontainers:junit-jupiter"
+  testRuntimeOnly "ch.qos.logback:logback-classic"
+}
+
+test.configure {
+  def fullDockerImageName = System.getenv('FULL_DOCKER_IMAGE_NAME')
+  onlyIf("there is a docker image to test") {
+    fullDockerImageName != null && fullDockerImageName.trim() != ''
+  }
+}
+
+test {
+  // So stdout and stderr from the just-built container are available in CI
+  testLogging.showStandardStreams = true
+
+  // Run the tests when the docker image changes
+  inputs.property 'fullDockerImageName', System.getenv('FULL_DOCKER_IMAGE_NAME')
+}

clouddriver-integration/src/test/java/com/netflix/spinnaker/clouddriver/StandaloneContainerTest.java

@@ -0,0 +1,133 @@
+/*
+ * Copyright 2024 Salesforce, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.netflix.spinnaker.clouddriver;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.time.Duration;
+import java.util.Map;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.output.Slf4jLogConsumer;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.junit.jupiter.Testcontainers;
+import org.testcontainers.utility.DockerImageName;
+
+@Testcontainers
+class StandaloneContainerTest {
+
+  private static final String REDIS_NETWORK_ALIAS = "redisHost";
+
+  private static final int REDIS_PORT = 6379;
+
+  private static final Logger logger = LoggerFactory.getLogger(StandaloneContainerTest.class);
+
+  private static final Network network = Network.newNetwork();
+
+  private static final GenericContainer redis =
+      new GenericContainer(DockerImageName.parse("library/redis:5-alpine"))
+          .withNetwork(network)
+          .withNetworkAliases(REDIS_NETWORK_ALIAS)
+          .withExposedPorts(REDIS_PORT);
+
+  private static GenericContainer clouddriverContainer;
+
+  @BeforeAll
+  static void setupOnce() throws Exception {
+    String fullDockerImageName = System.getenv("FULL_DOCKER_IMAGE_NAME");
+
+    // Skip the tests if there's no docker image.  This allows gradlew build to work.
+    assumeTrue(fullDockerImageName != null);
+
+    redis.start();
+
+    DockerImageName dockerImageName = DockerImageName.parse(fullDockerImageName);
+
+    clouddriverContainer =
+        new GenericContainer(dockerImageName)
+            .withNetwork(network)
+            .withExposedPorts(7002)
+            .dependsOn(redis)
+            .waitingFor(Wait.forHealthcheck().withStartupTimeout(Duration.ofSeconds(90)))
+            .withEnv("SPRING_APPLICATION_JSON", getSpringApplicationJson());
+
+    Slf4jLogConsumer logConsumer = new Slf4jLogConsumer(logger);
+    clouddriverContainer.start();
+    clouddriverContainer.followOutput(logConsumer);
+  }
+
+  private static String getSpringApplicationJson() throws JsonProcessingException {
+    String redisUrl = "redis://" + REDIS_NETWORK_ALIAS + ":" + REDIS_PORT;
+    logger.info("redisUrl: '{}'", redisUrl);
+    Map<String, String> properties =
+        Map.of("redis.connection", redisUrl, "services.fiat.baseUrl", "http://nowhere");
+    ObjectMapper mapper = new ObjectMapper();
+    return mapper.writeValueAsString(properties);
+  }
+
+  @AfterAll
+  static void cleanupOnce() {
+    if (clouddriverContainer != null) {
+      clouddriverContainer.stop();
+    }
+
+    if (redis != null) {
+      redis.stop();
+    }
+  }
+
+  @BeforeEach
+  void init(TestInfo testInfo) {
+    System.out.println("--------------- Test " + testInfo.getDisplayName());
+  }
+
+  @Test
+  void testHealthCheck() throws Exception {
+    // hit an arbitrary endpoint
+    HttpRequest request =
+        HttpRequest.newBuilder()
+            .uri(
+                new URI(
+                    "http://"
+                        + clouddriverContainer.getHost()
+                        + ":"
+                        + clouddriverContainer.getFirstMappedPort()
+                        + "/health"))
+            .GET()
+            .build();
+
+    HttpClient client = HttpClient.newHttpClient();
+
+    HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+    assertThat(response).isNotNull();
+    logger.info("response: {}, {}", response.statusCode(), response.body());
+    assertThat(response.statusCode()).isEqualTo(200);
+  }
+}