deploy: add prod configuration (gcs + local mongo + local redpanda)

rabbull · rabbull · commit f586b7c71df7 · 2025-10-10T05:28:26.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,29 @@
+FROM eclipse-temurin:24-jdk AS build
+WORKDIR /app
+
+# Copy build tooling first to leverage layer caching during dependency resolution
+COPY .mvn/ .mvn/
+COPY mvnw pom.xml ./
+
+# Pre-fetch dependencies to speed up subsequent builds
+RUN ./mvnw -B -ntp dependency:go-offline
+
+# Bring in the full project and build the Spring Boot fat jar
+COPY . .
+RUN ./mvnw -B -DskipTests clean package \
+ && JAR_FILE="$(find target -maxdepth 1 -type f -name '*.jar' ! -name '*original*' | head -n 1)" \
+ && test -n "$JAR_FILE" \
+ && cp "$JAR_FILE" app.jar
+
+FROM eclipse-temurin:24-jre AS runtime
+WORKDIR /app
+
+# Run as a non-root user for better container hardening
+RUN useradd --system --create-home --home-dir /app ezclaim
+
+COPY --from=build /app/app.jar ./app.jar
+
+EXPOSE 8080
+USER ezclaim
+
+ENTRYPOINT ["java","-jar","/app/app.jar"]
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
@@ -0,0 +1,76 @@
+services:
+  app:
+    image: rabbull/ezclaim-server:0.0.1-snapshot
+    container_name: ezclaim-server-app
+    restart: unless-stopped
+    depends_on:
+      mongo:
+        condition: service_healthy
+      redpanda:
+        condition: service_healthy
+    ports:
+      - "8080:8080"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_DATA_MONGODB_URI: mongodb://ezclaim:E2ClaimPass@mongo:27017/ezclaim?authSource=admin
+      KAFKA_BOOTSTRAP_SERVERS: redpanda:9092
+      APP_OBJECTSTORE_ENDPOINT: https://storage.googleapis.com
+      APP_OBJECTSTORE_REGION: auto
+      APP_OBJECTSTORE_BUCKET: ezclaim
+      APP_OBJECTSTORE_ACCESS_KEY: changeme
+      APP_OBJECTSTORE_SECRET_KEY: changeme
+      APP_OBJECTSTORE_PATH_STYLE: false
+      APP_OBJECTSTORE_ENSURE_BUCKET: false
+      APP_JWT_SECRET: changeme
+      APP_JWT_ALG: HS256
+      APP_JWT_TTL: PT12H
+
+  mongo:
+    image: mongo:8.0
+    container_name: ezclaim-server-mongo
+    restart: unless-stopped
+    ports:
+      - "27017:27017"
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: ezclaim
+      MONGO_INITDB_ROOT_PASSWORD: E2ClaimPass
+    volumes:
+      - /mnt/ezclaim/ezclaim-server/mongo:/data/db
+    healthcheck:
+      test: ["CMD", "mongosh", "--quiet", "--eval", "db.adminCommand('ping')"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  redpanda:
+    image: docker.redpanda.com/redpandadata/redpanda:latest
+    container_name: ezclaim-server-redpanda
+    restart: unless-stopped
+    ports:
+      - "9092:9092"
+      - "9644:9644"
+    volumes:
+      - /mnt/ezclaim/ezclaim-server/redpanda:/var/lib/redpanda/data
+    command:
+      - redpanda
+      - start
+      - --smp
+      - "1"
+      - --memory
+      - 2G
+      - --reserve-memory
+      - 0M
+      - --overprovisioned
+      - --node-id
+      - "0"
+      - --check=false
+      - --kafka-addr
+      - PLAINTEXT://0.0.0.0:9092
+      - --advertise-kafka-addr
+      - PLAINTEXT://redpanda:9092
+    healthcheck:
+      test: ["CMD", "bash", "-lc", "curl -fsS http://localhost:9644/v1/status/ready >/dev/null"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
diff --git a/infra/env/.gitignore b/infra/env/.gitignore
@@ -0,0 +1,3 @@
+# Keep actual prod env files out of version control.
+*.env
+
diff --git a/infra/gcs/cors.json b/infra/gcs/cors.json
@@ -0,0 +1,8 @@
+[
+    {
+      "origin": ["https://claim.acssz.org", "https://claim-admin.acssz.org"],
+      "method": ["GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS"],
+      "responseHeader": ["Content-Type"],
+      "maxAgeSeconds": 3600
+    }
+]
diff --git a/src/main/java/org/acssz/ezclaim/config/CorsConfig.java b/src/main/java/org/acssz/ezclaim/config/CorsConfig.java
@@ -0,0 +1,28 @@
+package org.acssz.ezclaim.config;
+
+import java.time.Duration;
+import java.util.List;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+@Configuration
+public class CorsConfig {
+
+  @Bean
+  public CorsConfigurationSource corsConfigurationSource() {
+    CorsConfiguration c = new CorsConfiguration();
+    c.setAllowedOriginPatterns(List.of("https://*.acssz.org", "https://acssz.org"));
+    c.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"));
+    c.setAllowedHeaders(List.of("*"));
+    c.setAllowCredentials(true);
+    c.setMaxAge(Duration.ofHours(1));
+
+    UrlBasedCorsConfigurationSource s = new UrlBasedCorsConfigurationSource();
+    s.registerCorsConfiguration("/**", c);
+    return s;
+  }
+
+}
diff --git a/src/main/java/org/acssz/ezclaim/config/DevCorsConfig.java b/src/main/java/org/acssz/ezclaim/config/DevCorsConfig.java
diff --git a/src/main/resources/application-prod.yml b/src/main/resources/application-prod.yml
@@ -1,4 +1,15 @@
 spring:
+  kafka:
+    bootstrap-servers: ${KAFKA_BOOTSTRAP_SERVERS}
+  mvc:
+    cors:
+      mappings:
+        "[/**]":
+          allowed-origins: ${APP_CORS_ALLOWED_ORIGINS}
+          allowed-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS,HEAD
+          allowed-headers: "*"
+          allow-credentials: true
+          max-age: PT1H
   data:
     mongodb:
       # Provide as environment variable in deployment

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Keep actual prod env files out of version control.`
	`2`	`+*.env`
	`3`	`+`