34 dockerisation and ci build

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    target-branch: "develop"

.github/workflows/build.yml

@@ -0,0 +1,175 @@
+name: Build
+
+on:
+  push:
+    branches:
+    - main
+    - develop
+    tags:
+    - 'v*.*.*'
+  pull_request:
+    branches:
+    - main
+    - develop
+  schedule:
+  - cron: '0 1 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 21
+
+      - name: Cache Local Maven Repo
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: maven-${{ hashFiles('pom.xml') }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java
+          queries: security-and-quality
+
+      - name: Build
+        run: mvn -B verify
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+
+      - name: Upload Torch Jar
+        uses: actions/upload-artifact@v4
+        with:
+          name: torch-jar
+          path: target/torch.jar
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Export to Docker
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          tags: torch:latest
+          outputs: type=docker,dest=/tmp/flare.tar
+
+      - name: Upload torch Image
+        uses: actions/upload-artifact@v4
+        with:
+          name: torch-image
+          path: /tmp/torch.tar
+
+  image-scan:
+    needs: build
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Download torch Image
+        uses: actions/download-artifact@v4
+        with:
+          name: torch-image
+          path: /tmp
+
+      - name: Load torch Image
+        run: docker load --input /tmp/torch.tar
+
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+
+      - name: Run Trivy Vulnerability Scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: torch:latest
+          format: sarif
+          output: trivy-results.sarif
+          severity: 'CRITICAL,HIGH'
+          timeout: '15m0s'
+
+      - name: Upload Trivy Scan Results to GitHub Security Tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+
+  push-image:
+    needs:
+      - build
+      - image-scan
+    runs-on: ubuntu-22.04
+    if: ${{ ! startsWith(github.head_ref, 'dependabot/')}}
+
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21 for Maven Build
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 21
+
+      - name: Maven Build for Ontology Download
+        run: mvn process-resources
+
+      - name: Download torch Jar
+        uses: actions/download-artifact@v4
+        with:
+          name: torch-jar
+          path: target
+
+      - name: Download torch Image
+        uses: actions/download-artifact@v4
+        with:
+          name: torch-image
+          path: /tmp
+
+      - name: Load torch Image
+        run: docker load --input /tmp/flare.tar
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/medizininformatik-initiative/torch
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')

.gitignore

@@ -13,4 +13,5 @@
 
 # Maven
 log/
-target/
+target/
+bundles/

Dockerfile

@@ -0,0 +1,23 @@
+FROM eclipse-temurin:21.0.3_9-jre
+
+RUN apt-get update && apt-get upgrade -y && \
+    apt-get purge wget libbinutils libctf0 libctf-nobfd0 libncurses6 -y && \
+    apt-get autoremove -y && apt-get clean && \
+    rm -rf /var/lib/apt/lists/
+
+ENV JAVA_TOOL_OPTIONS="-Xmx4g"
+ENV CERTIFICATE_PATH=/app/certs
+ENV TRUSTSTORE_PATH=/app/truststore
+ENV TRUSTSTORE_FILE=self-signed-truststore.jks
+
+COPY target/torch.jar /app/
+COPY structureDefinitions  app/structureDefinitions
+RUN mkdir /app/output
+RUN chown -R 1001:1001 /app
+
+
+WORKDIR /app
+USER 1001
+
+COPY docker-entrypoint.sh /
+ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]

docker-compose.yml

@@ -0,0 +1,56 @@
+services:
+  torch-data-store:
+    image: "samply/blaze:0.28"
+    environment:
+      BASE_URL: "http://torch-data-store:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      LOG_LEVEL: "debug"
+    ports:
+    - "8082:8080"
+    volumes:
+    - "data-store-data:/app/data"
+  torch-flare:
+    image: ghcr.io/medizininformatik-initiative/flare:pr-179
+    ports:
+      - ${FEASIBILITY_FLARE_PORT:-127.0.0.1:8084}:8080
+    environment:
+      FLARE_FHIR_SERVER: ${FLARE_FHIR_SERVER_URL:-http://torch-data-store:8080/fhir/}
+      FLARE_FHIR_MAX_CONNECTIONS: ${FLARE_FHIR_MAX_CONNECTIONS:-32}
+      FLARE_FHIR_PAGE_COUNT: ${FLARE_FHIR_PAGE_COUNT:-500}
+      FLARE_CACHE_MEM_SIZE_MB: ${FLARE_CACHE_MEM_SIZE_MB:-1024}
+      FLARE_CACHE_MEM_EXPIRE: ${FLARE_CACHE_MEM_EXPIRE:-PT48H}
+      FLARE_CACHE_MEM_REFRESH: ${FLARE_CACHE_MEM_REFRESH:-PT24H}
+      FLARE_CACHE_DISK_PATH: ${FLARE_CACHE_DISK_PATH:-cache}
+      FLARE_CACHE_DISK_THREADS: ${FLARE_CACHE_DISK_THREADS:-4}
+      FLARE_CACHE_DISK_EXPIRE: ${FLARE_CACHE_DISK_EXPIRE:-P7D}
+      JAVA_TOOL_OPTIONS: ${FLARE_JAVA_TOOL_OPTIONS:--Xmx4g}
+      LOG_LEVEL: ${FLARE_LOG_LEVEL:-info}
+    restart: unless-stopped
+  torch-nginx:
+    restart: unless-stopped
+    image: nginxinc/nginx-unprivileged:1.25.5-alpine
+    ports:
+      - ${PORT_TORCH_NGINX:-127.0.0.1:80}:8080
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf
+      - "torch-data-store:/app/output"
+  torch:
+    restart: unless-stopped
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - ${PORT_TORCH:-127.0.0.1:8086}:8080
+    environment:
+      SERVER_PORT: 8080
+      TORCH_PROFILE_DIR: /app/StructureDefinitions
+      TORCH_FHIR_URL: http://torch-data-store:8080/fhir
+      TORCH_FLARE_URL: http://torch-flare:8080
+      LOG_LEVEL: debug
+    volumes:
+      - "torch-data-store:/app/output"
+      - ./structureDefinitions:/app/StructureDefinitions
+
+volumes:
+  data-store-data:
+  torch-data-store:

docker-entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+TRUSTSTORE_FILE="/app/truststore/self-signed-truststore.jks"
+TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit}
+KEY_PASS=${KEY_PASS:-changeit}
+
+shopt -s nullglob
+IFS=$'\n'
+ca_files=(certs/*.pem)
+
+if [ ! "${#ca_files[@]}" -eq 0 ]; then
+
+    echo "# At least one CA file with extension *.pem found in certs folder -> starting torch with own CAs"
+
+    if [[ -f "$TRUSTSTORE_FILE" ]]; then
+          echo "## Truststore already exists -> resetting truststore"
+          rm "$TRUSTSTORE_FILE"
+    fi
+
+    keytool -genkey -alias self-signed-truststore -keyalg RSA -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -keypass "$KEY_PASS" -dname "CN=self-signed,OU=self-signed,O=self-signed,L=self-signed,S=self-signed,C=TE"
+    keytool -delete -alias self-signed-truststore -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
+
+    for filename in "${ca_files[@]}"; do
+
+      echo "### ADDING CERT: $filename"
+      keytool -delete -alias "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt > /dev/null 2>&1
+      keytool -importcert -alias "$filename" -file "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
+
+    done
+
+    java -Djavax.net.ssl.trustStore="$TRUSTSTORE_FILE" -Djavax.net.ssl.trustStorePassword="$TRUSTSTORE_PASS" -jar torch.jar
+else
+    echo "# No CA *.pem cert files found in /app/certs -> starting torch without own CAs"
+    java -jar torch.jar
+fi

nginx.conf

@@ -0,0 +1,27 @@
+events{}
+pid /tmp/nginx.pid;
+
+http {
+    server {
+        listen 8080;
+        server_name localhost;
+
+        root /output;
+
+        index index.html;
+
+        location / {
+            try_files $uri $uri/ =404;
+            autoindex off;
+        }
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        error_page 404 /404.html;
+        location = /404.html {
+            internal;
+        }
+    }
+}
+