Merge pull request #16 from sprinthubmobile/feat/gvm

JVM to GraaVM

Author: cybersokari

.github/workflows/deploy.yml

@@ -13,8 +13,7 @@ jobs:
   deploy:
 
     env:
-      # https://github.com/actions/setup-java#cache-segment-restore-timeout
-      SEGMENT_DOWNLOAD_TIMEOUT_MINS: '4'
+      IMAGE_NAME: ${{vars.DOCKER_CRED_HELPER}}/${{vars.IMAGE_PATH}}
 
     runs-on: ubuntu-latest
     permissions:
@@ -24,13 +23,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set up JDK 17
-        uses: actions/setup-java@v4
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-          cache: 'maven'
-
       - name: Authenticate Google Cloud
         uses: google-github-actions/auth@v2
         with:
@@ -47,14 +39,22 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Create Google Default credentials file
+        run: |
+          cp ${{ env.GOOGLE_APPLICATION_CREDENTIALS }} cred.json
 
-      - name: Build and Submit to Artifact Registry
-        run: mvn -B package -DskipTests
+      - name: Build Image
+        run: docker build -t web -f ${{vars.DOCKER_FILE_NAME}} . --build-arg PROJECT_ID=${{vars.PROJECT_ID}}
 
       - name: Configure Docker for Artifact Registry
         run: gcloud auth configure-docker ${{vars.DOCKER_CRED_HELPER}} -q
 
-      - name: Update VM with new image
+      - name: Tag and push Docker Image
+        run: |
+          docker tag web ${{env.IMAGE_NAME}} \
+            && docker push ${{env.IMAGE_NAME}}
+
+      - name: Restart VM with new image
         run: |
           gcloud compute instances update-container ${{vars.VM_NAME}} --zone=${{vars.ZONE}} \
-            --container-image=${{vars.DOCKER_CRED_HELPER}}/${{vars.IMAGE_PATH}}
+            --container-image=${{env.IMAGE_NAME}}

README.md

@@ -37,29 +37,32 @@ When running in `prod` Logs are sent to [Cloud Logging](https://cloud.google.com
 The Logback plugin only reports logs from the LF4J logging API, so we only use the `org.slf4j.Logger` interface for logging.
 When running in `dev` profile, logs are configured to write to the console.
 
-
 Use this [setup to configure Docker](https://docs.docker.com/config/containers/logging/gcplogs/) to work with Cloud Logging when moving to a new VM
 
-#### Deploying custom config for Google's Ops Agent
-Our custom Ops Agent config can be found in the ``config.yaml`` file. Use the following command to Update the Ops Agent config  when setting up a new VM
-```shell 
-$ gcloud compute scp config.yaml gated-vm:/etc/google-cloud-ops-agent/config.yaml
-```
-
 ### Secrets Management 🔒
 We use Google Cloud Secrets Manager to manage secrets (API keys, passwords, database URLs, etc.)
 
-### Deployments
+## Deployments
 
 Deployments are currently automated via GitHub actions. The workflow file is located at ``/.github/workflows/deploy.yml``
+The app runs on a Google Compute Engine VM with full GCP API permissions and required scopes.
+
+### Building the production docker image on a new machine
+1. Install Docker and Gcloud CLI
+2. Run ``gcloud auth application-default login`` to authenticate with Google Cloud Platform
+3. Run ``CP $HOME/.config/gcloud/application_default_credentials.json cred.json`` from the project root folder.
+4. Run ``docker build -t <IMAGE_NAME> -f Dockerfile . --build-arg PROJECT_ID=<GCP_PROJECT_ID>`` to build the docker image.\
+   Replace the `<GCP_PROJECT_ID>` with the appropriate Google Cloud Project ID.\
+   Replace `Dockerfile` with `native.Dockerfile` if you want to build the GraalVM native docker image.\
+   Replace `IMAGE_NAME` with `jvm` or `native` to match the service name in the `docker-compose.yml` file if you want to run the images locally.
+5. Temporarily allow the production MongoDB Atlas to accept traffic from your local machine's IP address.
+6. Run ``docker-compose up <service-name>`` from the project root folder. Use `jvm` or `native` as the service name.
 
-The app runs on a Google Compute Engine VM with full GCP API permissions and required scopes
 
 ### Publishing a new version to Google Artifact Registry
 You will need to have write access to our Google Artifact Registry on Google Cloud Platform and install docker on your machine.
 1. Run ``gcloud auth configure-docker us-central1-docker.pkg.dev`` to enable [Google Cloud CLI to authenticate requests to Artifact Registry](https://cloud.google.com/artifact-registry/docs/docker/store-docker-container-images#linux).
-2. Run the ``mvn clean package`` command to publish the new version to Google Artifact Registry. The required repository path is
-configured in the [Jib Maven plugin](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin) in pom.xml file
+2. Run the ``docker tag web <GCP_IMAGE_NAME> && docker push <GCP_IMAGE_NAME>`` command to publish the new version to Google Artifact Registry.
 
 
 ### Updating the container image with the new image version
@@ -77,13 +80,6 @@ While will not need to log into the VM to get Telementry information, you can SS
 
 Use Cloud logging to inspect the logs and health of the machine.
 
-### Running the production docker image on local machine
-1. Install and start docker daemon
-2. Run ``mvn clean compile jib:dockerBuild`` to build the docker image
-3. Temporarily allow the production Mongo Atlas to accept traffic from anywhere on the internet.
-4. Install Gcloud CLI and authenticate it ``gcloud auth application-default login``
-5. Run ``docker-compose up`` from the project root folder.
-
 
 ### Tests 🧪
 #### Unit test
@@ -94,11 +90,12 @@ an [Embedded DB](https://github.com/flapdoodle-oss/de.flapdoodle.embed.mongo) th
 1. `Mockito` is used for Mocking external services
 2. `MockMvc` is used for the Integration test
 
-While ``mvn clean test`` is good for running the tests during development, we advise you use the following command to run the `Dockerfile` to verify that the test can run in an
-isolated environment without any preconfiguration on your local machine.
+While ``mvn clean test`` is good for running the tests during development, we advise you use the following command to build the `test.Dockerfile` 
+to verify that the test can run in an isolated environment without any preconfiguration on your local machine.
 ```shell
-docker build -t java-docker-image-test --progress=plain --no-cache --target=test .
+docker build -t test -f test.Dockerfile .
 ```
+A successful build from the above command indicates that all tests are passing on your local machine.
 
 ---
 

docker-compose.yaml

@@ -1,9 +1,18 @@
-# Use this file to run the image locally after building the image using 'mvn compile jib:dockerBuild'
+# Use this file to run the image locally after building the image
 services:
-  cove:
-    image: us-central1-docker.pkg.dev/gatedaccessdev/cove-repo/vm
+  jvm:
+    image: jvm
     ports:
-      - 8080:80
+      - "8080:80"
+    volumes:
+      - $HOME/.config/gcloud/application_default_credentials.json:/gcp/cred.json
+    environment:
+      - GOOGLE_APPLICATION_CREDENTIALS=/gcp/cred.json
+      - GCLOUD_PROJECT=gatedaccessdev
+  native:
+    image: native
+    ports:
+      - "8081:80"
     volumes:
       - $HOME/.config/gcloud/application_default_credentials.json:/gcp/cred.json
     environment:

gcp-vm.sh

@@ -0,0 +1,20 @@
+gcloud compute instances create-with-container graalvm \
+    --project=gatedaccessdev \
+    --zone=us-central1-a \
+    --machine-type=e2-micro \
+    --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=default \
+    --maintenance-policy=MIGRATE \
+    --provisioning-model=STANDARD \
+    --service-account=653203556655-compute@developer.gserviceaccount.com \
+    --scopes=https://www.googleapis.com/auth/cloud-platform \
+    --tags=sok,http-server,https-server,lb-health-check \
+    --image=projects/cos-cloud/global/images/cos-stable-113-18244-85-24 \
+    --boot-disk-size=10GB \
+    --boot-disk-type=pd-balanced \
+    --boot-disk-device-name=graalvm \
+    --container-image=us-central1-docker.pkg.dev/gatedaccessdev/cove-repo/vm:latest \
+    --container-restart-policy=always \
+    --no-shielded-secure-boot \
+    --shielded-vtpm \
+    --shielded-integrity-monitoring \
+    --labels=goog-ec-src=vm_add-gcloud,container-vm=cos-stable-113-18244-85-24

jvm.Dockerfile

@@ -0,0 +1,36 @@
+LABEL authors="cybersokari"
+FROM eclipse-temurin:21 as build
+# GOOGLE_APPLICATION_CREDENTIALS and GCLOUD_PROJECT
+# environment variables are required for a successful
+# AOT compilation process, which starts the app
+# before the compilation.
+ARG PROJECT_ID
+RUN if [ -z "$PROJECT_ID" ]; then \
+     echo "PROJECT_ID is required but not set"; \
+     exit 1; \
+    fi
+RUN echo "PROJECT_ID is set to $PROJECT_ID"
+ENV GCLOUD_PROJECT=$PROJECT_ID
+ENV GOOGLE_APPLICATION_CREDENTIALS=/gcp/cred.json
+
+WORKDIR /app
+# Copy the  Google Cloud credentials
+COPY cred.json $GOOGLE_APPLICATION_CREDENTIALS
+# Copy the source code
+COPY .mvn/ .mvn/
+COPY --chmod=0755 mvnw mvnw
+COPY pom.xml .
+COPY ./src src/
+# Download the dependencies and cache them
+RUN ./mvnw dependency:go-offline -DskipTests
+# Build the application
+RUN ./mvnw package -DskipTests
+
+# Stage 2: Create the final Docker image
+FROM bellsoft/liberica-openjre-alpine as final
+# Copy the application from the build stage
+COPY --from=build /app/target/web-0.0.1-SNAPSHOT.jar .
+# Command to run the application
+ENTRYPOINT ["java", "-jar", "/web-0.0.1-SNAPSHOT.jar"]
+# Expose the port the application runs on
+EXPOSE 80

native.Dockerfile

@@ -0,0 +1,41 @@
+LABEL authors="cybersokari"
+FROM ghcr.io/graalvm/graalvm-ce:latest as build
+# GOOGLE_APPLICATION_CREDENTIALS and GCLOUD_PROJECT
+# environment variables are required for a successful
+# AOT compilation process, which starts the app
+# before the compilation.
+ARG PROJECT_ID
+RUN if [ -z "$PROJECT_ID" ]; then \
+     echo "PROJECT_ID is required but not set"; \
+     exit 1; \
+    fi
+RUN echo "PROJECT_ID is set to $PROJECT_ID"
+ENV GCLOUD_PROJECT=$PROJECT_ID
+ENV GOOGLE_APPLICATION_CREDENTIALS=/gcp/cred.json
+
+WORKDIR /app
+# Copy the  Google Cloud credentials
+COPY cred.json $GOOGLE_APPLICATION_CREDENTIALS
+# Copy the source code
+COPY .mvn/ .mvn/
+COPY --chmod=0755 mvnw mvnw
+COPY pom.xml .
+COPY ./src src/
+# Download the dependencies and cache them
+RUN ./mvnw dependency:go-offline -DskipTests
+# Build the application
+RUN ./mvnw package -Pnative -DskipTests
+
+# Stage 2: Create the final Docker image
+FROM alpine:latest AS final
+# Set the working directory
+WORKDIR /app
+# Installs the libc6-compat package, which provides
+# compatibility with glibc-based binaries.
+RUN apk add --no-cache libc6-compat
+# Copy the native executable from the build stage
+COPY --from=build /app/target/web .
+# Command to run the application
+CMD ["./web"]
+# Expose the port the application runs on
+EXPOSE 80

pom.xml

@@ -16,7 +16,6 @@
     <properties>
         <java.version>17</java.version>
         <kotlin.version>1.9.23</kotlin.version>
-        <image.path>us-central1-docker.pkg.dev/gatedaccessdev/cove-repo/vm</image.path>
     </properties>
     <dependencyManagement>
         <dependencies>
@@ -125,6 +124,7 @@
         <sourceDirectory>src/main/kotlin</sourceDirectory>
         <testSourceDirectory>src/test/kotlin</testSourceDirectory>
         <plugins>
+            <!-- Jacoco plugin -->
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
@@ -144,34 +144,18 @@
                     </execution>
                 </executions>
             </plugin>
-            <!--Jib-->
+            <!-- Surefire plugin -->
             <plugin>
-                <groupId>com.google.cloud.tools</groupId>
-                <artifactId>jib-maven-plugin</artifactId>
-                <version>3.4.2</version>
-                <executions>
-                    <execution>
-                        <phase>package</phase>
-                        <goals>
-                            <goal>build</goal>
-                        </goals>
-                    </execution>
-                </executions>
-                <configuration>
-                    <from>
-                        <image>
-                            eclipse-temurin:17-jre@sha256:15b50cf95210242511c17e1ec8281fd691ad7d34f163c250a21298943d65de87
-                        </image>
-                    </from>
-                    <to>
-                        <image>${image.path}</image>
-                    </to>
-                    <container>
-                        <ports>
-                            <port>80</port>
-                        </ports>
-                    </container>
-                </configuration>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>3.2.5</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.maven.surefire</groupId>
+                        <artifactId>surefire-junit-platform</artifactId>
+                        <version>3.2.5</version>
+                    </dependency>
+                </dependencies>
             </plugin>
             <!--Spring Boot Maven-->
             <plugin>
@@ -283,5 +267,35 @@
         <profile>
             <id>test</id>
         </profile>
+        <profile>
+            <id>native</id>
+            <build>
+                <plugins>
+                    <!-- GraalVM -->
+                    <plugin>
+                        <groupId>org.graalvm.buildtools</groupId>
+                        <artifactId>native-maven-plugin</artifactId>
+                        <extensions>true</extensions>
+                        <configuration>
+                            <skipNativeTests>true</skipNativeTests>
+                            <buildArgs>
+                                <arg>--initialize-at-build-time=org.slf4j.helpers</arg>
+                                <!-- 3. Quick build mode -->
+                                <!--                        <buildArg>-Ob</buildArg>-->
+                            </buildArgs>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <id>build-native</id>
+                                <goals>
+                                    <goal>compile-no-fork</goal>
+                                </goals>
+                                <phase>package</phase>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 </project>

src/main/resources/application-prod.properties

@@ -1,5 +1,6 @@
 spring.mvc.async.request-timeout=20000
-server.tomcat.threads.max=80
+server.tomcat.threads.max=100
+server.tomcat.threads.min-spare=10
 server.port=80
 
 # Disable Swagger UI on production

test.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1
+LABEL authors="cybersokari"
 # Dockerfile for running test
 FROM eclipse-temurin:17-jdk-jammy as base
 WORKDIR /build
@@ -20,6 +20,9 @@ RUN --mount=type=bind,source=pom.xml,target=pom.xml \
 
 FROM deps as package
 WORKDIR /build
+ENV GCLOUD_PROJECT=gatedaccessdev
+ENV GOOGLE_APPLICATION_CREDENTIALS=/gcp/cred.json
+COPY cred.json $GOOGLE_APPLICATION_CREDENTIALS
 COPY ./src src/
 RUN --mount=type=bind,source=pom.xml,target=pom.xml \
     --mount=type=cache,target=/root/.m2 \