Add Docker packaging and CI pipeline

Author: flex420

.dockerignore

@@ -0,0 +1,21 @@
+# Root VCS metadata and docs
+.git
+.gitmodules
+.github
+
+# Local configuration files
+.env
+.env.*
+
+# Development assets not needed in build context
+compose/
+scripts/
+
+# Module internals
+app/urlaubsverwaltung/.git
+app/urlaubsverwaltung/.github
+app/urlaubsverwaltung/target/
+
+# OS noise
+**/.DS_Store
+**/Thumbs.db

.env.example

@@ -0,0 +1,48 @@
+# Global defaults consumed by Docker Compose and GitHub Actions.
+# Copy to .env and override per environment.
+
+# --- Core Spring Boot configuration ---
+SERVER_PORT=8080
+SPRING_PROFILES_ACTIVE=default
+SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/urlaubsverwaltung
+SPRING_DATASOURCE_USERNAME=urlaubsverwaltung
+SPRING_DATASOURCE_PASSWORD=urlaubsverwaltung
+
+SPRING_MAIL_HOST=mailpit
+SPRING_MAIL_PORT=1025
+SPRING_MAIL_USERNAME=
+SPRING_MAIL_PASSWORD=
+MANAGEMENT_HEALTH_MAIL_ENABLED=false
+
+UV_MAIL_FROM=[email protected]
+UV_MAIL_FROMDISPLAYNAME=Urlaubsverwaltung
+UV_MAIL_REPLYTO=[email protected]
+UV_MAIL_REPLYTODISPLAYNAME=Urlaubsverwaltung
+UV_MAIL_APPLICATIONURL=http://localhost:8080
+UV_CALENDAR_ORGANIZER=[email protected]
+
+# --- Database (docker compose) ---
+POSTGRES_DB=urlaubsverwaltung
+POSTGRES_USER=urlaubsverwaltung
+POSTGRES_PASSWORD=urlaubsverwaltung
+
+# --- Mailpit (docker compose) ---
+MAILPIT_DASHBOARD_PORT=8025
+MAILPIT_SMTP_PORT=1025
+
+# --- Optional OpenID Connect (docker-compose.oidc.yml) ---
+SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_CLIENT_ID=urlaubsverwaltung
+SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_CLIENT_SECRET=urlaubsverwaltung-secret
+SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_CLIENT_NAME=urlaubsverwaltung
+SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_SCOPE=openid,profile,email,roles
+SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_AUTHORIZATION_GRANT_TYPE=authorization_code
+SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_REDIRECT_URI=http://localhost:8080/login/oauth2/code/{registrationId}
+SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_DEFAULT_ISSUER_URI=http://keycloak:8080/realms/urlaubsverwaltung
+SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://keycloak:8080/realms/urlaubsverwaltung
+UV_SECURITY_OIDC_CLAIM_MAPPERS_GROUP_CLAIM_ENABLED=true
+UV_SECURITY_OIDC_CLAIM_MAPPERS_GROUP_CLAIM_CLAIM_NAME=groups
+
+# --- Docker image publication ---
+IMAGE_REGISTRY=docker.io
+IMAGE_NAME=flex420/urlaubsverwaltung
+IMAGE_TAG=dev

.github/workflows/ci.yml

@@ -0,0 +1,101 @@
+name: Build and Publish
+
+on:
+  push:
+    branches: [ main ]
+    tags: [ 'v*' ]
+  pull_request:
+    branches: [ main ]
+
+env:
+  IMAGE_NAME: flex420/urlaubsverwaltung
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '21'
+
+      - name: Cache Maven repository
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-m2-${{ hashFiles('app/urlaubsverwaltung/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-
+
+      - name: Run unit tests
+        run: ./app/urlaubsverwaltung/mvnw -B -DskipITs test
+
+      - name: Verify Docker and Compose
+        run: bash ./scripts/verify.sh
+
+      - name: Extract project version
+        id: version
+        run: |
+          VERSION=$(./app/urlaubsverwaltung/mvnw -q help:evaluate -Dexpression=project.version -DforceStdout)
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          if [[ "$VERSION" == *-SNAPSHOT ]]; then
+            echo "sanitized=${VERSION%-SNAPSHOT}" >> "$GITHUB_OUTPUT"
+          else
+            echo "sanitized=${VERSION}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Compute image tags
+        id: tags
+        run: |
+          IMAGE=${{ env.IMAGE_NAME }}
+          VERSION=${{ steps.version.outputs.sanitized }}
+          SHORT_SHA=${GITHUB_SHA::12}
+          TAGS="$IMAGE:$VERSION\n$IMAGE:sha-$SHORT_SHA"
+          if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
+            if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
+              TAGS="$TAGS\n$IMAGE:latest"
+            elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+              REF_TAG="${GITHUB_REF#refs/tags/}"
+              TAGS="$TAGS\n$IMAGE:$REF_TAG"
+            fi
+          fi
+          printf 'list<<EOF\n%s\nEOF\n' "$TAGS" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Docker Hub
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and (optionally) push image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: ${{ github.event_name == 'push' }}
+          load: true
+          tags: ${{ steps.tags.outputs.list }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.IMAGE_NAME }}:${{ steps.version.outputs.sanitized }}
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.spdx.json

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "app/urlaubsverwaltung"]
+	path = app/urlaubsverwaltung
+	url = https://github.com/urlaubsverwaltung/urlaubsverwaltung.git

Dockerfile

@@ -0,0 +1,48 @@
+# syntax=docker/dockerfile:1.7
+
+ARG BUILDER_IMAGE=eclipse-temurin:21-jdk
+ARG RUNTIME_IMAGE=eclipse-temurin:21-jre
+
+FROM ${BUILDER_IMAGE} AS builder
+
+WORKDIR /workspace
+
+# Warm up Maven dependency cache
+COPY app/urlaubsverwaltung/.mvn/ .mvn/
+COPY app/urlaubsverwaltung/mvnw mvnw
+COPY app/urlaubsverwaltung/pom.xml pom.xml
+RUN --mount=type=cache,target=/root/.m2 ./mvnw -B -DskipTests -DskipITs dependency:go-offline
+
+# Copy sources and build the Spring Boot fat jar
+COPY app/urlaubsverwaltung/. ./
+RUN --mount=type=cache,target=/root/.m2 ./mvnw -B -DskipTests -DskipITs package
+
+FROM ${RUNTIME_IMAGE} AS runtime
+
+# Install runtime dependencies needed for health checks
+RUN apt-get update \
+    && apt-get install --no-install-recommends --yes curl \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV APP_HOME=/opt/uv \
+    TZ=UTC \
+    JAVA_TOOL_OPTIONS="-XX:+UseContainerSupport -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -XX:InitialRAMPercentage=10 -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom"
+ENV SPRING_PROFILES_ACTIVE=default
+ENV SERVER_PORT=8080
+
+WORKDIR ${APP_HOME}
+
+RUN groupadd --system uv \
+    && useradd --system --create-home --gid uv uv
+
+COPY --from=builder /workspace/target/*.jar app.jar
+COPY config/ ./config/
+
+USER uv:uv
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=5 \
+  CMD curl --fail http://127.0.0.1:${SERVER_PORT}/actuator/health/readiness || exit 1
+
+ENTRYPOINT ["java","-jar","app.jar"]

README.md

@@ -0,0 +1,157 @@
+# Urlaubsantraege Platform
+
+Lead-engineered packaging for the [urlaubsverwaltung](https://github.com/urlaubsverwaltung/urlaubsverwaltung) HR leave management application. This repository vendors the upstream source as a git submodule and adds everything required to build, ship, and operate the service with Docker, Docker Compose, and GitHub Actions.
+
+## Repository layout
+
+```
+app/urlaubsverwaltung   # upstream source (git submodule)
+compose/                # docker compose stacks
+config/                 # baseline Spring Boot configuration overlays
+.github/workflows/      # CI/CD pipelines
+scripts/                # helper scripts for local validation
+Dockerfile              # production-grade image build
+.dockerignore           # docker build context filter
+.env.example            # base environment configuration
+README.md               # this file
+```
+
+Run `git submodule update --init --recursive` after cloning to hydrate `app/urlaubsverwaltung`.
+
+## Upstream requirements snapshot
+
+| Concern | Value |
+| --- | --- |
+| JDK | 21 (Temurin) |
+| Build tool | Maven Wrapper (`./mvnw`) |
+| Database | PostgreSQL 15.x |
+| Mail | SMTP (sample: Mailpit) |
+| Profiles | `default` (production), `demodata` (demo/dev) |
+| Optional auth | OpenID Connect (Keycloak example included) |
+
+The upstream application exposes Spring Boot actuators at `/actuator/health`, `/actuator/health/readiness`, and `/actuator/health/liveness`. Our Docker image enables these endpoints for container health checks.
+
+## Configuration defaults
+
+Configuration lives under `config/` and is loaded by Spring when placed on the classpath (`--spring.config.additional-location=classpath:/config/`). Environment variables override every secret or deployment specific value.
+
+| Environment variable | Purpose | Default |
+| --- | --- | --- |
+| `SERVER_PORT` | HTTP listener | `8080` |
+| `SPRING_PROFILES_ACTIVE` | Active Spring profiles | `default` (production) |
+| `SPRING_DATASOURCE_URL` | JDBC URL | `jdbc:postgresql://postgres:5432/urlaubsverwaltung` |
+| `SPRING_DATASOURCE_USERNAME` | DB user | `urlaubsverwaltung` |
+| `SPRING_DATASOURCE_PASSWORD` | DB password | `urlaubsverwaltung` |
+| `SPRING_MAIL_HOST` | SMTP host | `mailpit` |
+| `SPRING_MAIL_PORT` | SMTP port | `1025` |
+| `SPRING_MAIL_USERNAME` | SMTP user | _empty_ |
+| `SPRING_MAIL_PASSWORD` | SMTP password | _empty_ |
+| `UV_MAIL_FROM` | Sender email | `[email protected]` |
+| `UV_MAIL_FROMDISPLAYNAME` | Sender display name | `Urlaubsverwaltung` |
+| `UV_MAIL_REPLYTO` | Reply-to email | `[email protected]` |
+| `UV_MAIL_REPLYTODISPLAYNAME` | Reply-to display name | `Urlaubsverwaltung` |
+| `UV_MAIL_APPLICATIONURL` | Public base URL | `http://localhost:8080` |
+| `UV_CALENDAR_ORGANIZER` | Calendar organiser | `[email protected]` |
+| `MANAGEMENT_HEALTH_MAIL_ENABLED` | Disable expensive mail health probe | `false` |
+
+Optional OpenID Connect variables (used in the OIDC compose stack):
+
+| Environment variable | Purpose | Default (OIDC stack) |
+| --- | --- | --- |
+| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_CLIENT_ID` | OIDC client id | `urlaubsverwaltung` |
+| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_CLIENT_SECRET` | OIDC client secret | `urlaubsverwaltung-secret` |
+| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_CLIENT_NAME` | Display name | `urlaubsverwaltung` |
+| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_SCOPE` | Requested scopes | `openid,profile,email,roles` |
+| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_AUTHORIZATION_GRANT_TYPE` | Flow | `authorization_code` |
+| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_DEFAULT_REDIRECT_URI` | Redirect template | `http://localhost:8080/login/oauth2/code/{registrationId}` |
+| `SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_DEFAULT_ISSUER_URI` | Issuer URL | `http://keycloak:8080/realms/urlaubsverwaltung` |
+| `SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI` | Resource server issuer | `http://keycloak:8080/realms/urlaubsverwaltung` |
+| `UV_SECURITY_OIDC_CLAIM_MAPPERS_GROUP_CLAIM_ENABLED` | Enable group claim mapping | `true` |
+| `UV_SECURITY_OIDC_CLAIM_MAPPERS_GROUP_CLAIM_CLAIM_NAME` | Group claim name | `groups` |
+
+All secrets (DB password, OIDC secret, SMTP credentials) must be provided via env vars or external secret managers. They never live in git.
+
+## Building the Docker image
+
+Requirements: Docker 24+, git submodules initialised.
+
+```
+docker build \
+  -t flex420/urlaubsverwaltung:local \
+  .
+```
+
+Key characteristics:
+
+- Multi-stage build: Temurin 21 JDK for Maven build -> Temurin 21 JRE runtime.
+- Uses Maven wrapper with dependency download caching via buildkit.
+- Produces a non-root image (`uv` user, UID 1000) exposing port 8080.
+- Boots with sensible `JAVA_TOOL_OPTIONS` (container aware heap and GC tuning).
+- Declares an `HEALTHCHECK` hitting `/actuator/health/readiness`.
+
+## Docker Compose stacks
+
+We ship two Compose bundles under `compose/`.
+
+### `docker-compose.dev.yml`
+
+- Services: `app` (built locally), `postgres`, `mailpit`.
+- Activates `demodata` profile by default for seeded demo accounts.
+- Persists the database via the `urlaubsverwaltung-data` named volume.
+- Mailpit listens on `localhost:8025` (UI) and `localhost:1025` (SMTP).
+
+Usage:
+
+```
+cp .env.example .env
+# edit credentials if needed
+docker compose -f compose/docker-compose.dev.yml up --build
+```
+
+Visit http://localhost:8080 and sign in with the pre-seeded demo users described in the upstream README (`[email protected]` / `secret`).
+
+### `docker-compose.oidc.yml`
+
+Extends the dev stack with Keycloak for OpenID Connect testing:
+
+- Adds `keycloak` with an imported realm and demo users.
+- Binds Keycloak to `localhost:8090` and wires the issuer into the app.
+- Documents how to obtain tokens via `scripts/keycloak-demo.sh`.
+
+Start it with:
+
+```
+docker compose \
+  -f compose/docker-compose.dev.yml \
+  -f compose/docker-compose.oidc.yml \
+  up --build
+```
+
+## Helper scripts
+
+`scripts/verify.sh` runs `docker build` and `docker compose config` validation locally. `scripts/keycloak-demo.sh` (requires curl and jq) demonstrates obtaining an OIDC token from the sample realm.
+
+## CI/CD pipeline
+
+`.github/workflows/ci.yml` performs:
+
+1. Checks out this repo and pulls the upstream submodule.
+2. Executes the upstream unit test suite via `./app/urlaubsverwaltung/mvnw -B -DskipITs test`.
+3. Runs `scripts/verify.sh` to lint the Docker context and Compose files.
+4. Builds the production image with caching and pushes tagged images to Docker Hub (`flex420/urlaubsverwaltung`) on `main` and version tags.
+5. Publishes a lightweight SBOM and attaches it as workflow artifact.
+GitHub secrets required (already provisioned):
+
+- `DOCKERHUB_USERNAME`
+- `DOCKERHUB_TOKEN`
+
+## Updating upstream
+
+To update the upstream application:
+
+```
+git submodule update --remote app/urlaubsverwaltung
+# optionally pin to a release tag, then commit
+```
+
+Re-run the CI pipeline to publish a refreshed image.