feat(db): inherit from scl image, enforce PG_ENCRYPT_KEY (#129)

db/Dockerfile

@@ -1,2 +1,8 @@
-FROM docker.io/library/postgres:15
-COPY ./pgcrypto.sql /docker-entrypoint-initdb.d/
+FROM quay.io/sclorg/postgresql-15-c8s:latest
+
+ENTRYPOINT ["/usr/local/bin/cryostat-db-entrypoint.bash"]
+
+ENV POSTGRESQL_LOG_DESTINATION=/dev/stderr
+
+COPY ./entrypoint.bash /usr/local/bin/cryostat-db-entrypoint.bash
+COPY ./include /opt/app-root/src/

db/entrypoint.bash

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if [ "$1" = "postgres" ]; then
+    shift
+fi
+
+exec /usr/bin/run-postgresql \
+    -c encrypt.key="${PG_ENCRYPT_KEY?:\$PG_ENCRYPT_KEY must be set and non-empty}" \
+    "$@"

db/include/postgresql-cfg/pgcrypto.conf

@@ -0,0 +1 @@
+shared_preload_libraries='pgcrypto'

db/include/postgresql-init/pgcrypto.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+psql -d template1 -c "CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public CASCADE;"

smoketest/compose/db.yml

@@ -3,28 +3,22 @@ services:
   cryostat:
     environment:
       QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: drop-and-create
-      QUARKUS_DATASOURCE_DB_KIND: postgresql
       QUARKUS_DATASOURCE_USERNAME: cryostat3
       QUARKUS_DATASOURCE_PASSWORD: cryostat3
       QUARKUS_DATASOURCE_JDBC_URL: jdbc:postgresql://db:5432/cryostat3
   db:
     image: quay.io/cryostat/cryostat3-db:dev
     build: ../../db
-    entrypoint:
-      - /usr/local/bin/docker-entrypoint.sh
-    command:
-      - postgres
-      - -c
-      - encrypt.key=REPLACEME
     hostname: db
     expose:
       - "5432"
     environment:
-      POSTGRES_USER: cryostat3
-      POSTGRES_PASSWORD: cryostat3
+      POSTGRESQL_USER: cryostat3
+      POSTGRESQL_PASSWORD: cryostat3
+      POSTGRESQL_DATABASE: cryostat3
       PG_ENCRYPT_KEY: REPLACEME
     volumes:
-      - postgresql:/var/lib/postgresql/data
+      - postgresql:/var/lib/pgsql/data
     restart: always
     healthcheck:
       test: pg_isready -U cryostat3 -d cryostat3 || exit 1

smoketest/k8s/cryostat-deployment.yaml

@@ -57,8 +57,12 @@ spec:
               value: cryostat3
             - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION
               value: drop-and-create
+            - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID
+              value: minioroot
+            - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY
+              value: minioroot
             - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE
-              value: default
+              value: static
             - name: QUARKUS_S3_AWS_REGION
               value: us-east-1
             - name: QUARKUS_S3_ENDPOINT_OVERRIDE

smoketest/k8s/s3-deployment.yaml

@@ -64,7 +64,7 @@ spec:
               name: minio-data
             - mountPath: /certs
               name: minio-certs
-      hostname: minio
+      hostname: s3
       restartPolicy: Always
       volumes:
         - name: minio-data

src/main/resources/application-dev.properties

@@ -17,3 +17,27 @@ quarkus.log.category."org.jboss.resteasy.reactive.common.core.AbstractResteasyRe
 cryostat.discovery.jdp.enabled=true
 cryostat.discovery.podman.enabled=true
 cryostat.discovery.docker.enabled=true
+
+quarkus.datasource.devservices.enabled=true
+quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db
+
+# !!! prod databases must set this configuration parameter some other way via a secret !!!
+quarkus.datasource.devservices.container-env.PG_ENCRYPT_KEY=examplekey
+quarkus.datasource.devservices.container-env.POSTGRESQL_USER=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_PASSWORD=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_DATABASE=quarkus
+quarkus.datasource.devservices.username=quarkus
+quarkus.datasource.devservices.password=quarkus
+quarkus.datasource.devservices.db-name=quarkus
+# !!!
+
+quarkus.s3.devservices.enabled=true
+quarkus.s3.devservices.buckets=archivedrecordings
+# FIXME the following overrides should not be required, but currently seem to help with testcontainers reliability
+quarkus.aws.devservices.localstack.image-name=localstack/localstack:2.1.0
+quarkus.aws.devservices.localstack.container-properties.START_WEB=0
+quarkus.aws.devservices.localstack.container-properties.SERVICES=s3
+quarkus.aws.devservices.localstack.container-properties.EAGER_SERVICE_LOADING=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_SSL_CERT_DOWNLOAD=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_INFRA_DOWNLOADS=1
+quarkus.aws.devservices.localstack.container-properties.DISABLE_EVENTS=1

src/main/resources/application-test.properties

@@ -9,3 +9,27 @@ grafana-dashboard.url=http://grafana:3000
 grafana-datasource.url=http://jfr-datasource:8080
 
 quarkus.test.env.JAVA_OPTS_APPEND=-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false
+
+quarkus.datasource.devservices.enabled=true
+quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db
+
+# !!! prod databases must set this configuration parameter some other way via a secret !!!
+quarkus.datasource.devservices.container-env.PG_ENCRYPT_KEY=examplekey
+quarkus.datasource.devservices.container-env.POSTGRESQL_USER=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_PASSWORD=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_DATABASE=quarkus
+quarkus.datasource.devservices.username=quarkus
+quarkus.datasource.devservices.password=quarkus
+quarkus.datasource.devservices.db-name=quarkus
+# !!!
+
+quarkus.s3.devservices.enabled=true
+quarkus.s3.devservices.buckets=archivedrecordings
+# FIXME the following overrides should not be required, but currently seem to help with testcontainers reliability
+quarkus.aws.devservices.localstack.image-name=localstack/localstack:2.1.0
+quarkus.aws.devservices.localstack.container-properties.START_WEB=0
+quarkus.aws.devservices.localstack.container-properties.SERVICES=s3
+quarkus.aws.devservices.localstack.container-properties.EAGER_SERVICE_LOADING=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_SSL_CERT_DOWNLOAD=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_INFRA_DOWNLOADS=1
+quarkus.aws.devservices.localstack.container-properties.DISABLE_EVENTS=1

src/main/resources/application.properties

@@ -51,27 +51,8 @@ quarkus.security.users.embedded.roles.user=read,write
 quarkus.security.users.embedded.users.reader=reader
 quarkus.security.users.embedded.roles.reader=read
 
-quarkus.datasource.db-kind=postgresql
-quarkus.datasource.db-version=13.0
-quarkus.datasource.devservices.enabled=true
-quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db
-
-# !!! prod databases must set this configuration parameter some other way via a secret !!!
-quarkus.datasource.devservices.command=postgres -c encrypt.key=REPLACEME
-# !!!
-
 storage.buckets.archives.name=archivedrecordings
 storage.buckets.archives.expiration-label=expiration
-quarkus.s3.devservices.enabled=true
-quarkus.s3.devservices.buckets=archivedrecordings
-# FIXME the following overrides should not be required, but currently seem to help with testcontainers reliability
-quarkus.aws.devservices.localstack.image-name=localstack/localstack:2.1.0
-quarkus.aws.devservices.localstack.container-properties.START_WEB=0
-quarkus.aws.devservices.localstack.container-properties.SERVICES=s3
-quarkus.aws.devservices.localstack.container-properties.EAGER_SERVICE_LOADING=1
-quarkus.aws.devservices.localstack.container-properties.SKIP_SSL_CERT_DOWNLOAD=1
-quarkus.aws.devservices.localstack.container-properties.SKIP_INFRA_DOWNLOADS=1
-quarkus.aws.devservices.localstack.container-properties.DISABLE_EVENTS=1
 
 quarkus.quinoa.build-dir=dist
 quarkus.quinoa.enable-spa-routing=true

src/test/java/io/cryostat/credentials/CredentialsIT.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright The Cryostat Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cryostat.credentials;
+
+import io.quarkus.test.junit.QuarkusIntegrationTest;
+
+@QuarkusIntegrationTest
+public class CredentialsIT extends CredentialsTest {}

src/test/java/io/cryostat/credentials/CredentialsTest.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright The Cryostat Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cryostat.credentials;
+
+import static io.cryostat.TestUtils.givenBasicAuth;
+
+import java.util.List;
+
+import io.quarkus.test.common.http.TestHTTPEndpoint;
+import io.quarkus.test.junit.QuarkusTest;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Test;
+
+@QuarkusTest
+@TestHTTPEndpoint(Credentials.class)
+public class CredentialsTest {
+
+    @Test
+    public void testHealth() {
+        givenBasicAuth()
+                .when()
+                .get()
+                .then()
+                .statusCode(200)
+                .body(
+                        "meta.type", Matchers.equalTo("application/json"),
+                        "meta.status", Matchers.equalTo("OK"),
+                        "data.result", Matchers.equalTo(List.of()));
+    }
+}