NASA-AMMOS · jdrodjpl · May 7, 2025
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,120 @@
+name: Docker Build
+
+on:
+  push:
+    branches: [main, develop, docker_build] # Adjust branches as needed
+  pull_request:
+    branches: [main] # Adjust branches as needed
+
+permissions:
+  contents: read
+  packages: write # Needed to push images to GHCR
+
+jobs:
+  build-push-run:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract CWS Version and Define Image Tag
+        id: image_info
+        run: |
+          # Assuming utils.sh is at the repository root
+          CWS_VER=$(grep 'export CWS_VER=' utils.sh | cut -d"'" -f2)
+          # Use GitHub owner and repo name for GHCR image path (lowercase)
+          OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
+          REPO_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
+          IMAGE_NAME="ghcr.io/$OWNER_LOWER/$REPO_LOWER"
+          echo "version=$CWS_VER" >> $GITHUB_OUTPUT
+          echo "original_tag=nasa-ammos/common-workflow-service:$CWS_VER" >> $GITHUB_OUTPUT
+          echo "ghcr_tag=$IMAGE_NAME:$CWS_VER" >> $GITHUB_OUTPUT
+        working-directory: ${{ github.workspace }} # Run from repo root
+
+      - name: Build CWS Docker Image using script
+        run: |
+          chmod +x build-testing.sh
+          # The script builds using the 'nasa-ammos/...' tag internally
+          # Execute the script directly now that we are in its directory
+          ./build-testing.sh
+          # Explicitly check the exit code of the script
+          if [ $? -ne 0 ]; then
+            echo "::error::Docker image build script failed."
+            exit 1
+          fi
+        working-directory: install/docker/cws-image # Run from the script's directory
+
+      - name: Re-tag image for GHCR
+        run: |
+          echo "Tagging ${{ steps.image_info.outputs.original_tag }} as ${{ steps.image_info.outputs.ghcr_tag }}"
+          docker tag "${{ steps.image_info.outputs.original_tag }}" "${{ steps.image_info.outputs.ghcr_tag }}"
+
+      - name: Push Docker image to GHCR
+        run: |
+          echo "Pushing ${{ steps.image_info.outputs.ghcr_tag }}"
+          docker push "${{ steps.image_info.outputs.ghcr_tag }}"
+
+      - name: Prepare Docker Compose Environment
+        run: |
+          # Create external network required by docker-compose
+          docker network create cws-network
+          echo "Docker network 'cws-network' created"
+        working-directory: install/docker/console-db-es-ls-kibana
+
+      - name: Update image tag in docker-compose-testing.yml
+        run: |
+          # Escape slashes in the image tag for sed
+          ESCAPED_TAG=$(echo "${{ steps.image_info.outputs.ghcr_tag }}" | sed 's/\//\\\//g')
+          echo "Updating image tag in docker-compose.yml to $ESCAPED_TAG"
+          # Target both cws and cws-worker services
+          sed -i "s/image: nasa-ammos\/common-workflow-service:.*/image: $ESCAPED_TAG/g" docker-compose-testing.yml
+          echo "docker-compose-testing.yml after update:"
+          cat docker-compose.yml
+        working-directory: install/docker/console-db-es-ls-kibana
+
+      - name: Start Services with Docker Compose
+        run: docker compose -f docker-compose-testing.yml up -d
+        working-directory: install/docker/console-db-es-ls-kibana
+
+      - name: Verify CWS Console Startup
+        run: |
+          echo "Waiting up to 1 minute for CWS console to become healthy..." # Updated comment
+          MAX_WAIT=60 # 1 minute max wait # Updated value and comment
+          INTERVAL=15  # Check every 15 seconds
+          ELAPSED=0
+          # Use the healthcheck URL from docker-compose.yml
+          HEALTHCHECK_URL="https://localhost:38443/cws-ui/login"
+
+          while true; do
+            # Use curl's exit code to check success (-k for self-signed cert, -f to fail on server errors, -s silent, -L follow redirects)
+            if curl -kfsL --output /dev/null "$HEALTHCHECK_URL"; then
+              echo "CWS console is up and responding at $HEALTHCHECK_URL!"
+              echo "Current running containers:"
+              docker ps
+              exit 0
+            fi
+
+            if [ $ELAPSED -ge $MAX_WAIT ]; then
+              echo "CWS console did not become healthy within $MAX_WAIT seconds."
+              echo "Current running containers:"
+              docker ps
+              echo "Docker Compose logs for cws service (cws-console):"
+              docker compose logs cws
+              exit 1
+            fi
+
+            sleep $INTERVAL
+            ELAPSED=$((ELAPSED + INTERVAL))
+            echo "Still waiting for CWS console... ($ELAPSED/$MAX_WAIT seconds)"
+          done
+        working-directory: install/docker/console-db-es-ls-kibana # Ensure correct context for docker-compose logs
diff --git a/cws-certs/generate-certs-testing.sh b/cws-certs/generate-certs-testing.sh
@@ -0,0 +1,61 @@
+#! /bin/bash
+
+# This script creates certs required by CWS when run inside the container.
+
+# Define target directories within the container
+# Ensure TOMCAT_VER matches the version used in the CWS distribution
+TOMCAT_VER="9.0.75"
+TOMCAT_BASE_DIR="/home/cws_user/cws/server/apache-tomcat-${TOMCAT_VER}"
+TOMCAT_CONF_DIR="${TOMCAT_BASE_DIR}/conf"
+TOMCAT_LIB_DIR="${TOMCAT_BASE_DIR}/lib"
+KEYSTORE_FILE="${TOMCAT_CONF_DIR}/.keystore"
+TRUSTSTORE_FILE="${TOMCAT_LIB_DIR}/cws_truststore.jks"
+CERT_FILE="/tmp/cws.crt" # Temporary location for the exported cert
+PASSWORD="changeit"     # Must match the password expected by CWS/Tomcat
+
+echo "Generating CWS certificates..."
+echo "  Keystore target: ${KEYSTORE_FILE}"
+echo "  Truststore target: ${TRUSTSTORE_FILE}"
+
+# Ensure target directories exist
+mkdir -p "${TOMCAT_CONF_DIR}"
+mkdir -p "${TOMCAT_LIB_DIR}"
+
+# Create private key and self-signed certificate within the keystore at the target location
+keytool -genkey -keyalg RSA \
+        -dname "cn=cws-container, ou=CWS, o=NASA, l=Pasadena, s=CA, c=US" \
+        -alias cws \
+        -keypass "${PASSWORD}" \
+        -keystore "${KEYSTORE_FILE}" \
+        -storepass "${PASSWORD}" \
+        -storetype JKS \
+        -validity 3650 \
+        -keysize 2048
+if [ $? -ne 0 ]; then echo "ERROR: Failed to generate keystore."; exit 1; fi
+echo "  Keystore generated."
+
+# Extract self-signed certificate from keystore to a temporary file
+keytool -export -alias cws \
+        -file "${CERT_FILE}" \
+        -keystore "${KEYSTORE_FILE}" \
+        -storepass "${PASSWORD}"
+if [ $? -ne 0 ]; then echo "ERROR: Failed to export certificate."; exit 1; fi
+echo "  Certificate exported to ${CERT_FILE}."
+
+# Import self-signed certificate into truststore at the target location
+keytool -import -alias cws \
+        -file "${CERT_FILE}" \
+        -keypass "${PASSWORD}" \
+        -noprompt \
+        -keystore "${TRUSTSTORE_FILE}" \
+        -storepass "${PASSWORD}" \
+        -storetype JKS
+if [ $? -ne 0 ]; then echo "ERROR: Failed to import certificate into truststore."; exit 1; fi
+echo "  Certificate imported into truststore."
+
+# Clean up temporary certificate file
+rm -f "${CERT_FILE}"
+echo "  Temporary certificate file removed."
+
+echo "Certificate generation complete."
+exit 0
diff --git a/install/docker/console-db-es-ls-kibana/docker-compose-testing.yml b/install/docker/console-db-es-ls-kibana/docker-compose-testing.yml
@@ -0,0 +1,174 @@
+version: "3.2"
+
+services:
+  db:
+    restart: always
+    image: mariadb:10.11
+    container_name: cws-db
+    ports:
+      - "3306:3306"
+    command: mysqld --max-connections=2000 --transaction-isolation=READ-COMMITTED
+    environment:
+      - MYSQL_DATABASE=cws
+      - MYSQL_ROOT_PASSWORD=test
+      - TZ=America/Los_Angeles
+    healthcheck:
+      test: '/usr/bin/mysql --user=root --password=test --execute "SHOW DATABASES;"'
+      interval: 3s
+      timeout: 1s
+      retries: 5
+    networks:
+      - external-network
+  es:
+    labels:
+      com.example.service: "es"
+      com.example.description: "For searching and indexing data"
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.0
+    container_name: cws-es
+    ports:
+      - "9200:9200"
+      - "9300:9300"
+    environment:
+      - MAX_MAP_COUNT=262144
+      - discovery.type=single-node
+      - cluster.name=docker-cluster
+      - xpack.security.enabled=false
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    networks:
+      - external-network
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl --silent --fail localhost:9200/_cluster/health || exit 1",
+        ]
+      interval: 5s
+      timeout: 2s
+      retries: 12
+    #ulimits:
+    #memlock:
+    #soft: -1
+    #hard: -1
+    #nofile:
+    #soft: 65536
+    #hard: 65536
+    #mem_limit: 2g
+  #  kibana:
+  #    labels:
+  #      com.example.service: "kibana"
+  #      com.example.description: "Data visualisation and for log aggregation"
+  #    image: kibana:8.12.0
+  #    container_name: cws-kibana
+  #    ports:
+  #      - "5601:5601"
+  #    networks:
+  #      - frontend
+  #      - backend
+  #    environment:
+  #      - ELASTICSEARCH_HOSTS=http://es:9200
+  #    depends_on:
+  #      - es
+  #  logstash:
+  #    labels:
+  #      com.example.service: "logstash"
+  #      com.example.description: "For logging data"
+  #    image: logstash:8.12.0
+  #    container_name: cws-logstash
+  #    volumes:
+  #      - ./cws-logstash.conf:/home/cws_user/cws-logstash.conf:ro
+  #      - logs-volume:/cws_logs
+  #    command: logstash -f /home/cws_user/cws-logstash.conf
+  #    environment:
+  #      - XPACK_MONITORING_ENABLED=false
+  #    healthcheck:
+  #        test: ["CMD-SHELL", "curl --silent --fail localhost:9600 || exit 1"]
+  #        interval: 5s
+  #        timeout: 2s
+  #        retries: 12
+  #    depends_on:
+  #    - es
+  #    ports:
+  #      - "9600:9600"
+  #    networks:
+  #      - frontend
+  #      - backend
+  cws:
+    container_name: cws-console
+    labels:
+      com.example.service: "cws-server"
+      com.example.description: "Common Workflow Service"
+    image: nasa-ammos/common-workflow-service:2.6.0 # update this each CWS release
+    depends_on:
+      - db
+      - es
+      - ldapsearch
+    #      - logstash
+    #      - kibana
+    ports:
+      - "38080:38080"
+      - "38443:38443"
+      - "31616:31616"
+    hostname: cws-console
+    environment:
+      - DB_HOST=db
+      - DB_USER=root
+      - DB_PW=test
+      - ES_PROTOCOL=http
+      - ES_HOST=es
+      - ES_PORT=9200
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -k --silent --fail https://localhost:38443/cws-ui/login || exit 1",
+        ]
+      interval: 5s
+      timeout: 2s
+      retries: 12
+    volumes:
+      - ./config.properties:/home/cws_user/config.properties:rw
+      # - ~/.cws/creds:/root/.cws/creds:rw
+      - console-logs-volume:/home/cws_user/cws/server/apache-tomcat-9.0.75/logs
+    networks:
+      - external-network
+  cws-worker:
+    container_name: cws-worker1
+    labels:
+      com.example.service: "cws-worker1"
+      com.example.description: "Common Workflow Service"
+    image: nasa-ammos/common-workflow-service:2.6.0 # update this each CWS release
+    depends_on:
+      - db
+      - es
+      - cws
+      - ldapsearch
+    hostname: cws-worker1
+    environment:
+      - DB_HOST=db
+      - DB_USER=root
+      - DB_PW=test
+      - ES_PROTOCOL=http
+      - ES_HOST=es
+      - ES_PORT=9200
+    volumes:
+      - ./worker-config.properties:/home/cws_user/config.properties:rw
+      # - ~/.cws/creds:/root/.cws/creds:rw
+      - worker1-logs-volume:/home/cws_user/cws/server/apache-tomcat-9.0.75/logs
+    networks:
+      - external-network
+  ldapsearch:
+    container_name: ldapsearch_container
+    image: ghcr.io/nasa-ammos/common-workflow-service/openldap:v2.6
+    ports:
+      - 389:389
+    networks:
+      - external-network
+
+volumes:
+  console-logs-volume:
+  worker1-logs-volume:
+
+networks:
+  external-network:
+    external:
+      name: cws-network
diff --git a/install/docker/console-db-es-ls-kibana/docker-compose.yml b/install/docker/console-db-es-ls-kibana/docker-compose.yml
@@ -126,8 +126,8 @@ services:
       timeout: 2s
       retries: 12
     volumes:
-      - ./config.properties:/home/cws_user/config.properties:ro
-      - ~/.cws/creds:/root/.cws/creds:ro
+      - ./config.properties:/home/cws_user/config.properties:rw
+      - ~/.cws/creds:/root/.cws/creds:rw
       - console-logs-volume:/home/cws_user/cws/server/apache-tomcat-9.0.75/logs
     networks:
       - external-network
@@ -151,8 +151,8 @@ services:
       - ES_HOST=es
       - ES_PORT=9200
     volumes:
-      - ./worker-config.properties:/home/cws_user/config.properties:ro
-      - ~/.cws/creds:/root/.cws/creds:ro
+      - ./worker-config.properties:/home/cws_user/config.properties:rw
+      - ~/.cws/creds:/root/.cws/creds:rw
       - worker1-logs-volume:/home/cws_user/cws/server/apache-tomcat-9.0.75/logs
     networks:
       - external-network