feat: support building and publishing development containers on GitHub

.github/dev-containers/build-local.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+# Build X-Road
+cd ../../src
+./gradlew clean build
+
+# Package X-Road
+cd packages
+./build-deb.sh jammy
+
+# Set up Central Server context and build container
+cd ../../.github/dev-containers/centralserver
+rm -rf build
+./init_context.sh
+mkdir -p build/packages
+cp ../../../src/packages/build/ubuntu22.04/* build/packages/
+docker build -t centralserver .
+
+# Set up Security Server context and build container
+cd ../securityserver
+rm -rf build
+./init_context.sh
+mkdir -p build/packages
+cp ../../../src/packages/build/ubuntu22.04/* build/packages/
+docker build -t centralserver .
+
+# Set up TestCA context and build container
+cd ../testca
+./init_context.sh
+docker build -t testca .

.github/dev-containers/centralserver/Dockerfile

@@ -0,0 +1,48 @@
+FROM ubuntu:jammy
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get -qq update \
+  && apt-get -qq upgrade \
+  && apt-get -qq install --no-install-recommends sudo ca-certificates gnupg supervisor net-tools locales openjdk-17-jre-headless rlwrap ca-certificates-java crudini adduser expect curl rsyslog dpkg-dev \
+  && echo "LC_ALL=en_US.UTF-8" >>/etc/environment \
+  && locale-gen en_US.UTF-8 \
+  && adduser --quiet --system --uid 998 --home /var/lib/postgresql --no-create-home --shell /bin/bash --group postgres \
+  && adduser --quiet --system --uid 999 --home /var/lib/xroad --no-create-home --shell /bin/bash --group xroad \
+  && useradd -m xrd -s /usr/sbin/nologin -p '$6$JeOzaeWnLAQSUVuO$GOJ0wUKSVQnOR4I2JgZxdKr.kMO.YGS21SGaAshaYhayv8kSV9WuIFCZHTGAX8WRRTB/2ojuLnJg4kMoyzpcu1' \
+  && echo "xroad-center xroad-common/username string xrd" | debconf-set-selections \
+  && apt-get -qq install --no-install-recommends postgresql postgresql-contrib \
+  && apt-get -qq clean \
+  && rm -rf var/lib/apt/lists/*
+
+ADD ["build/packages", "/tmp/repo"]
+
+RUN cd /tmp/repo && dpkg-scanpackages -m . > Packages \
+  && echo "deb [trusted=yes] file:/tmp/repo /" >/etc/apt/sources.list.d/xroad.list \
+  &&pg_ctlcluster 14 main start \
+  && apt-get -qq update \
+  && apt-get -qq install xroad-centralserver xroad-autologin \
+  && apt-get -qq clean \
+  && pg_ctlcluster 14 main stop \
+  && { nginx -s stop ||:; } \
+  && rm -f /var/run/nginx.pid \
+  && rm -rf /tmp/xroad \
+  # Back up read-only config (for volume support)
+  && mkdir -p /root/etc/xroad \
+  && cp -a /etc/xroad /root/etc/ \
+  && rm -f /root/etc/xroad/services/local.properties \
+     /root/etc/xroad/conf.d/local.ini \
+     /root/etc/xroad/devices.ini \
+     /root/etc/xroad/db.properties \
+  && dpkg-query --showformat='${Version}' --show xroad-center >/root/VERSION \
+  && cp /root/VERSION /etc/xroad/VERSION \
+  && chmod 0755 /usr/share/xroad/scripts/verify_external_configuration.sh \
+  # Clean up
+  && rm -rf /tmp/repo \
+  && apt-get remove -qq dpkg-dev && apt-get -qq clean && apt-get -qq autoremove \
+  && rm -rf var/lib/apt/lists/*
+
+COPY files/cs-entrypoint.sh /root/entrypoint.sh
+COPY --chown=root:root files/cs-xroad.conf /etc/supervisor/conf.d/xroad.conf
+CMD ["/root/entrypoint.sh"]
+
+EXPOSE 4000 2222

.github/dev-containers/centralserver/files/cs-entrypoint.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+PACKAGED_VERSION="$(cat /root/VERSION)"
+INSTALLED_VERSION=$(dpkg-query --showformat='${Version}' --show xroad-center)
+
+log() { echo "$(date --utc -Iseconds) INFO [entrypoint] $*"; }
+warn() { echo "$(date --utc -Iseconds) WARN [entrypoint] $*" >&2; }
+
+wait_db() {
+  local count=0
+  while ((count++ < 60)) && ! pg_isready -q -t 2; do
+    sleep 1
+  done
+}
+
+log "Starting X-Road central server version $INSTALLED_VERSION"
+
+if [ "$INSTALLED_VERSION" == "$PACKAGED_VERSION" ]; then
+    if [ -f /etc/xroad/VERSION ]; then
+        CONFIG_VERSION="$(cat /etc/xroad/VERSION)"
+    else
+        warn "Current configuration version not known"
+        CONFIG_VERSION=
+    fi
+    if [ -n "$CONFIG_VERSION" ] && dpkg --compare-versions "$PACKAGED_VERSION" gt "$CONFIG_VERSION"; then
+        # Update X-Road configuration on startup, if necessary
+        log "Updating configuration from $CONFIG_VERSION to $PACKAGED_VERSION"
+        cp -a /root/etc/xroad/* /etc/xroad/
+        pg_ctlcluster 14 main start
+        wait_db
+        dpkg-reconfigure xroad-center
+        pg_ctlcluster 14 main stop
+        nginx -s stop
+        sleep 1
+        echo "$PACKAGED_VERSION" >/etc/xroad/version
+    fi
+else
+    echo "WARN: Installed version ($INSTALLED_VERSION) does not match packaged version ($PACKAGED_VERSION)" >&2
+fi
+
+if [  -n "$XROAD_TOKEN_PIN" ]
+then
+    log "XROAD_TOKEN_PIN variable set, writing to /etc/xroad/autologin"
+    echo "$XROAD_TOKEN_PIN" > /etc/xroad/autologin
+    unset XROAD_TOKEN_PIN
+fi
+
+if ! crudini --get /etc/xroad/conf.d/local.ini registration-service api-token &>/dev/null; then
+  log "Creating API token for registration and management services..."
+  TOKEN=$(tr -C -d "[:alnum:]" </dev/urandom | head -c32)
+  ENCODED=$(echo -n "$TOKEN" | sha256sum -b | cut -d' ' -f1)
+  pg_ctlcluster 14 main start
+  wait_db
+  su -c "psql -q centerui_production" postgres <<EOF
+SET ROLE centerui;
+DO \$\$
+DECLARE
+  id bigint;
+BEGIN
+  SELECT nextval('hibernate_sequence') INTO id;
+  INSERT INTO apikey values (id, '$ENCODED');
+  INSERT INTO apikey_roles values (nextval('apikey_roles_id_seq'), id, 'XROAD_MANAGEMENT_SERVICE');
+END
+\$\$
+;
+EOF
+  pg_ctlcluster 14 main stop
+  crudini --set /etc/xroad/conf.d/local.ini registration-service api-token "$TOKEN"
+  crudini --set /etc/xroad/conf.d/local.ini management-service api-token "$TOKEN"
+fi
+
+log "Making sure that token pin policy is enforced by default"
+if ! crudini --get /etc/xroad/conf.d/local.ini signer enforce-token-pin-policy &>/dev/null; then
+  crudini --set /etc/xroad/conf.d/local.ini signer enforce-token-pin-policy "true"
+fi
+
+#initialize transport keys
+mkdir -p -m0750 /var/run/xroad
+chown xroad:xroad /var/run/xroad
+su - xroad -c sh -c /usr/share/xroad/scripts/xroad-base.sh
+
+exec /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf

.github/dev-containers/centralserver/files/cs-xroad.conf

@@ -0,0 +1,53 @@
+[supervisord]
+user=root
+
+[program:postgres]
+command=/usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main -c config_file=/etc/postgresql/14/main/postgresql.conf
+user=postgres
+stopsignal=INT
+stopwaitsecs=30
+autorestart=unexpected
+priority=100
+
+[program:nginx]
+command=/usr/sbin/nginx -g "daemon off;"
+autorestart=unexpected
+priority=100
+
+[program:xroad-center]
+command=/usr/share/xroad/bin/xroad-centralserver-admin-service
+user=xroad
+autorestart=true
+
+[program:xroad-center-registration-service]
+command=/usr/share/xroad/bin/xroad-centralserver-registration-service
+user=xroad
+autorestart=true
+
+[program:xroad-center-management-service]
+command=/usr/share/xroad/bin/xroad-centralserver-management-service
+user=xroad
+autorestart=true
+
+[program:xroad-signer]
+command=/usr/share/xroad/bin/xroad-signer
+user=xroad
+autorestart=true
+priority=200
+
+[program:xroad-confclient]
+command=/usr/share/xroad/bin/xroad-confclient
+user=xroad
+autorestart=true
+priority=100
+
+[program:xroad-autologin]
+command=/usr/share/xroad/autologin/xroad-autologin-retry.sh
+user=xroad
+autorestart=false
+
+[program:cron]
+command=/usr/sbin/cron -f
+user=root
+autorestart=true
+

.github/dev-containers/centralserver/init_context.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+rm -rf ./files
+mkdir -p ./files
+
+cp ../../../Docker/centralserver/files/cs-entrypoint.sh ./files/.
+
+# Remove test CA services from the configuration file
+cat ../../../Docker/centralserver/files/cs-xroad.conf | sed '/\[program\:ocsp]/,/^$/d' | sed '/\[program\:tsa]/,/^$/d' | sed '/\[program\:sign]/,/^$/d' > ./files/cs-xroad.conf

.github/dev-containers/devenv/.env

@@ -0,0 +1,3 @@
+CS_IMG=ghcr.io/nordic-institute/xrddev-central-server:latest
+SS_IMG=ghcr.io/nordic-institute/xrddev-security-server:latest
+CA_IMG=ghcr.io/nordic-institute/xrddev-testca:latest

.github/dev-containers/devenv/README.md

@@ -0,0 +1,89 @@
+# Using this Docker Compose environment
+
+**NB!** The compose environment is meant only for testing X-Road in a development setup, it should never be used in a
+production environment.
+
+This document expects that you have a working Docker setup with Docker Compose installed on your system.
+
+The environment is set up by default to be used with the `xrddev-*` images available from the
+[main X-Road repository](https://github.com/orgs/nordic-institute/packages?repo_name=X-Road).
+
+The Compose environment also contains a Hurl container and scripts to initialize an environment with the following
+settings:
+
+* One Central Server
+* One management Security Server, which also acts as the producer Security Server for the example adapter under the
+  `DEV:COM:1234:TestService` subsystem. Permissions are given to the `DEV:COM:4321:TestClient` subsystem to access all
+  requests under it.
+* One consumer Security Server, which has the `DEV:COM:4321:TestClient` subsystem registered to it.
+* The `example-adapter` container. More information regarding it is available in
+  [its own repository](https://github.com/nordic-institute/xrd4j/tree/develop/example-adapter).
+
+The compose file has the following port mappings for the UI-s:
+
+* 4001 - Central Server UI
+* 4002 - Management Security Server UI
+* 4003 - Consumer Security Server UI
+* 8080 - Consumer Security Server client information system port
+* 8888 - TestCA UI
+
+Please note that the containers do not have any persistent volume mappings, so once they are removed, all data is also
+lost.
+
+## Starting and initialising the environment
+
+To start the containers, simply run the following command under the directory `.github/dev-containers/devenv`:
+
+```bash
+docker compose up -d
+```
+
+After all of the containers have started, you can initialise the environment with the following command in the same
+directory:
+
+```bash
+docker compose run hurl --insecure --variables-file /hurl-src/vars.env --file-root /hurl-files /hurl-src/setup.hurl --very-verbose --retry 12 --retry-interval 10000
+```
+
+Initialising the environment will take a few minutes, and there will be several points where it will get HTTP errors
+and keep retrying. This is normal and is due to the time it takes for the global configuration updates to happen and be
+distributed to the Security Servers.
+
+The command should finish with a successful reply from the `example-adapter`'s `getRandom` service if everything went
+as planned.
+
+## Setting up an environment based on your own local code
+
+This step expects that you are able to build and package the X-Road source code. In that case the simplest way to
+deploy containers based on your own code is to use the script and environmental overrides for the compose file.
+
+Assuming that you are starting from the root of this repository, run the following commands:
+
+```bash
+cd .github/dev-containers
+./build-local.sh
+```
+
+This script will do the following:
+
+* Build the source code with Gradle
+* Build Ubuntu Jammy packages in Docker
+* Copy the resulting Debian packages to their correct locations
+* Build the `centralserver`, `securityserver` and `testca` Docker images
+
+After that, navigate to the `.github/dev-containers/devenv` directory and create a `.env.override` file with the
+following content:
+
+```ini
+CS_IMG=centralserver
+SS_IMG=securityserver
+CA_IMG=testca
+```
+
+Then in the same directory, run the following command:
+
+```bash
+docker compose --env-file .env.override up -d
+```
+
+After that you can use the `hurl` command as shown in the previous example.

.github/dev-containers/devenv/compose.yaml

@@ -0,0 +1,50 @@
+services:
+  cs:
+    image: ${CS_IMG}
+    healthcheck: 
+      test: ["CMD", "curl", "-f", "-k", "https://localhost:4000"]
+    ports:
+      - "4001:4000"
+  ssm:
+    image: ${SS_IMG}
+    healthcheck: 
+      test: ["CMD", "curl", "-f", "-k", "https://localhost:4000"]
+    ports:
+      - "4002:4000"
+  ss1:
+    image: ${SS_IMG}
+    healthcheck: 
+      test: ["CMD", "curl", "-f", "-k", "https://localhost:4000"]
+    ports:
+      - "4003:4000"
+      - "8080:8080"
+  testca:
+    image: ${CA_IMG}
+    healthcheck: 
+      test: ["CMD", "curl", "-f", "-k", "http://localhost:8888/testca/certs"]
+    volumes:
+      - ca-volume:/home/ca/certs
+    ports:
+      - "8888:8888"
+  exadapter:
+    image: niis/example-adapter 
+    healthcheck:
+      test: ["CMD", "curl", "-f", "-k", "http://localhost:8080/example-adapter/Endpoint?wsdl"]
+  hurl:
+    image: ghcr.io/orange-opensource/hurl:latest
+    volumes:
+      - ./hurl-src:/hurl-src
+      - ca-volume:/hurl-files/ca
+    depends_on:
+      cs:
+        condition: service_healthy
+      testca:
+        condition: service_healthy
+      ssm:
+        condition: service_healthy
+      ss1:
+        condition: service_healthy
+      exadapter:
+        condition: service_healthy
+volumes:
+  ca-volume: