Add java image

images/java/Dockerfile

@@ -0,0 +1,17 @@
+ARG JAVA_VERSION=17
+
+FROM eclipse-temurin:${JAVA_VERSION}-jre-alpine
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+ARG JMX_EXPORTER_VERSION=0.19.0
+
+COPY resources/ /
+RUN set -exo pipefail &&\
+    apk --no-cache upgrade &&\
+    apk --no-cache add openssl curl xmlstarlet ca-certificates tini &&\
+    mkdir /jmx_exporter &&\
+    curl -sSL https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/${JMX_EXPORTER_VERSION}/jmx_prometheus_javaagent-${JMX_EXPORTER_VERSION}.jar -o /jmx_exporter/jmx_prometheus_javaagent.jar
+
+ENTRYPOINT ["tini", "--", "/entrypoint.sh"]
+
+CMD ["sh"]

images/java/build.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+for JAVA_VERSION in 11 17; do
+  docker build -t danielberteaud/java:${JAVA_VERSION}-alpine --build-arg JAVA_VERSION=${JAVA_VERSION} -f Dockerfile .
+  docker push danielberteaud/java:${JAVA_VERSION}-alpine
+done

images/java/resources/entrypoint.d/20-cert-pem-to-pkcs12.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eo pipefail
+
+# This script expects the following env vars to be set :
+# PEM_KEY_FILE : the path of the PEM private key (must exists)
+# PEM_CERT_FILE : the path of the PEM certificate (must exists)
+# (both PEM_KEY_FILE and PEM_CERT_FILE can refer to the same file if it contains both)
+# P12_FILE : the path of the PKCS12 bundle to create
+
+if [ -n "${PEM_KEY_FILE}" -a -f "${PEM_KEY_FILE}" -a -n "${PEM_CERT_FILE}" -a -f "${PEM_CERT_FILE}" -a -n "${P12_FILE}" ]; then
+  if [ ! -f "${P12_FILE}" -o "${PEM_KEY_FILE}" -nt "${P12_FILE}" ]; then
+    echo "Converting PEM files ${PEM_KEY_FILE} and ${PEM_CERT_FILE} to PKCS12 format ${P12_FILE}"
+    openssl pkcs12 -export -out ${P12_FILE} -in ${PEM_CERT_FILE} -inkey ${PEM_KEY_FILE} -passout pass:password
+    chmod 640 ${P12_FILE}
+  else
+    echo "${P12_FILE} already exist and is newer than ${PEM_KEY_FILE}"
+  fi
+fi

images/java/resources/entrypoint.d/30-custom-java-ca-cert.env

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ $(printenv | grep -c -E '^TRUSTED_CA(_\d+)?') -lt 1 ]; then
+  return
+fi
+
+if [ -e "/opt/java/openjdk/lib/security/cacerts" ]; then
+  TRUST_STORE=${NOMAD_SECRETS_DIR:-/tmp}/java_cacerts.jks
+  cp /opt/java/openjdk/lib/security/cacerts ${TRUST_STORE}
+
+  for CA in $(printenv | grep -E '^TRUSTED_CA(_\d+)?' | cut -d= -f1); do
+    CA_PATH=$(printenv ${CA})
+    if [ -e "${CA_PATH}" ]; then
+      echo "Adding ${CA_PATH} to the trusted JKS store ${TRUST_STORE}"
+      keytool -import -alias "${CA}" -file "${CA_PATH}" -keystore ${TRUST_STORE} -storepass "changeit" -noprompt
+    else
+      echo "${CA_PATH} doesn't exist, skiping"
+    fi
+  done
+  export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=${NOMAD_SECRETS_DIR:-/tmp}/java_cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit"
+fi
+

images/java/resources/entrypoint.d/90-java.env

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# If running under Nomad, try to size Xmx automatically as
+# all minus 25% memory, with a cap at 1024
+if [ -z "${JVM_XMX}" -a -n "${NOMAD_MEMORY_LIMIT}" ]; then
+  MIN_FREE_MEM=$(printf "%.0f" $(echo ${NOMAD_MEMORY_LIMIT}*0.25 | bc))
+  [ ${MIN_FREE_MEM} -gt 1024 ] && MIN_FREE_MEM=1024
+  export JVM_XMX=$(echo ${NOMAD_MEMORY_LIMIT}-${MIN_FREE_MEM} | bc)m
+fi
+export JVM_XMX=${JVM_XMX:-64m}
+export JVM_XSS=${JVM_XSS:-512k}
+
+JAVA_OPTS="$JAVA_OPTS -Xshare:off"
+if [ -n "${JVM_MAXRAM}" ]; then
+  JAVA_OPTS="$JAVA_OPTS -XX:MaxRAM=${JVM_MAXRAM}"
+   if [ -n "${JVM_MINRAM_PERCENTAGE}" ]; then
+     JAVA_OPTS="${JAVA_OPTS} -XX:MinRAMPercentage=${JVM_MINRAM_PERCENTAGE}"
+   fi
+   if [ -n "${JVM_MAXRAM_PERCENTAGE}" ]; then
+     JAVA_OPTS="${JAVA_OPTS} -XX:MaxRAMPercentage=${JVM_MAXRAM_PERCENTAGE}"
+   fi
+else
+  JAVA_OPTS="$JAVA_OPTS -Xmx${JVM_XMX} -Xss${JVM_XSS}"
+fi
+
+JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Dfile.encoding=UTF8"
+
+if [ -n "${HTTP_MAX_CONNECTIONS}" ]; then
+  JAVA_OPTS="$JAVA_OPTS -Dhttp.maxConnections=${HTTP_MAX_CONNECTIONS}"
+fi
+
+# Handle proxy options
+if [ -n "${HTTP_PROXY_HOST}" ]; then
+  JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyHost=${HTTP_PROXY_HOST}"
+  if [ -n "${HTTP_PROXY_PORT}" ]; then
+    JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyPort=${HTTP_PROXY_PORT}"
+  fi
+fi
+if [ -n "${HTTPS_PROXY_HOST}" ]; then
+  JAVA_OPTS="$JAVA_OPTS -Dhttps.proxyHost=${HTTPS_PROXY_HOST}"
+  if [ -n "${HTTPS_PROXY_PORT}" ]; then
+    JAVA_OPTS="$JAVA_OPTS -Dhttps.proxyPort=${HTTPS_PROXY_PORT}"
+  fi
+fi
+if [ -n "${NO_PROXY}" ]; then
+  JAVA_OPTS="$JAVA_OPTS -Dhttp.nonProxyHosts=${NO_PROXY}"
+fi
+
+echo "JAVA_OPTS=$JAVA_OPTS"
+export JAVA_OPTS=$JAVA_OPTS

images/java/resources/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -eo pipefail
+
+# Scriplets in /entrypoint.d will be sourced (if ending with .env) or executed
+if [ -d "/entrypoint.d" ]; then
+  for H in $(find /entrypoint.d -type f -o -type l | sort); do
+    if [[ "$H" == "*.env" ]]; then
+      echo "Sourcing entrypoint snippet $H"
+      source "$H"
+    elif [ -x "$H" ]; then
+      echo "Running entrypoint script $H"
+      $H "$@"
+    else
+      echo "Skiping $H"
+    fi
+  done
+fi
+
+exec "$@"

images/java/resources/usr/local/bin/fetch-artifact.sh

@@ -0,0 +1,102 @@
+#!/bin/sh
+
+set -eo pipefail
+
+while getopts "r:g:a:v:f:d:t:u:p:" OPTS; do
+  case ${OPTS} in
+    r)
+      ARTIFACT_REPO=${OPTARG}
+      ;;
+    g)
+      GROUP_ID=${OPTARG}
+      ;;
+    a)
+      ARTIFACT_ID=${OPTARG}
+      ;;
+    v)
+      VERSION=${OPTARG}
+      ;;
+    f)
+      FORMAT=${OPTARG}
+      ;;
+    d)
+      DEST=${OPTARG}
+      ;;
+    t)
+      TYPE=${OPTARG}
+      ;;
+    u)
+      ARTIFACT_USER=${OPTARG}
+      ;;
+    p)
+      ARTIFACT_PWD=${OPTARG}
+      ;;
+  esac
+done
+
+if [ -z ${ARTIFACT_REPO} ]; then
+  if [[ "${VERSION}" = "*-SNAPSHOT" ]]; then
+    ARTIFACT_REPO=https://nexus.ehtrace.com/repository/maven-snapshots
+  else
+    ARTIFACT_REPO=https://nexus.ehtrace.com/repository/maven-public
+  fi
+fi
+GROUP_ID=${GROUP_ID:-com.ehtrace}
+FORMAT=${FORMAT:-jar}
+DEST=${DEST:-launch.jar}
+TYPE=${TYPE:-}
+
+if [ -d "$DEST" ]; then
+  echo "Can't download to ${DEST} : directory exists"
+  exit 1
+fi
+
+# If the groupe id is given using dot notation
+GROUP_ID=$(echo -n $GROUP_ID | sed -e 's|\.|/|g')
+
+CURL="curl --location-trusted -s"
+if [ -n "${ARTIFACT_USER}" -a -n "${ARTIFACT_PWD}" ]; then
+  CURL="${CURL} -u ${ARTIFACT_USER}:${ARTIFACT_PWD}"
+fi
+
+retrieveSnapshotLatestTimestampedVersion() {
+   snapshotMetadata=$(${CURL} "${ARTIFACT_REPO}/${GROUP_ID}/${ARTIFACT_ID}/${VERSION}/maven-metadata.xml")
+   timestamp=$(echo "$snapshotMetadata" | xmlstarlet sel -t -v "//snapshot/timestamp/text()")
+   if [ -n "$timestamp" ]; then
+      # unique version mode (with timstamp)
+      buildNumber=$(echo "$snapshotMetadata" | xmlstarlet sel -t -v "//snapshot/buildNumber/text()")
+      echo ${VERSION%-SNAPSHOT*}-${timestamp}-${buildNumber}
+   else
+      # non unique mode
+      echo ${VERSION}
+   fi
+}
+
+if [[ "${VERSION}" = "*-SNAPSHOT" ]]; then
+   ARTIFACT_VERSION=$(retrieveSnapshotLatestTimestampedVersion)
+   echo "${VERSION} is a SNAPSHOT version"
+else
+   ARTIFACT_VERSION=${VERSION}
+fi
+
+echo "Artifact version=${ARTIFACT_VERSION}"
+
+[ -n "${TYPE}" ] && TYPE="-${TYPE}"
+
+DOWNLOAD_URL="${ARTIFACT_REPO}/${GROUP_ID}/${ARTIFACT_ID}/${VERSION}/$(basename ${ARTIFACT_ID})-${ARTIFACT_VERSION}${TYPE}.${FORMAT}"
+
+echo "Downloading artifact with following url : $DOWNLOAD_URL"
+${CURL} "${DOWNLOAD_URL}" -o ${DEST}
+echo "File ${DEST} has been downloaded"
+
+echo "Fetching expected sha1 from ${DOWNLOAD_URL}.sha1"
+EXPECTED_SHA1=$(${CURL} ${DOWNLOAD_URL}.sha1)
+echo "Computing sha1 of the downloaded file"
+REAL_SHA1=$(sha1sum $DEST | cut -d' ' -f1)
+
+if [ "${REAL_SHA1}" == "${EXPECTED_SHA1}" ]; then
+  echo "The downloaded file has the expected checksum (${REAL_SHA1})"
+else
+  echo "Expected sha1 ${EXPECTED_SHA1} but got ${REAL_SHA1}"
+  exit 1
+fi