Improve Docker and CI/CD configuration with best practices

- Dockerfile: Add non-root user, healthcheck, optimized layer caching - docker-compose.yml: Add healthchecks, data volumes, networking, better configuration - CI/CD: Add multi-platform builds, image testing, multiple tags, metadata - .dockerignore: Comprehensive exclusions for faster builds These improvements enhance security, reliability, and maintainability following Docker and Spring Boot best practices. Signed-off-by: Bhavesh Khandelwal <bhaveshkhandelwal1232@gmail.com>
2025-12-27 19:07:28 +00:00 · 2025-12-14 10:49:10 +05:30 · 2025-12-14 10:49:10 +05:30 · bdbece8d3f
commit bdbece8d3f
parent 0200c9fe61
4 changed files with 164 additions and 15 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,15 +1,77 @@
+# Build outputs
 /target
 /build
+*.jar
+*.war
+*.ear
+
+# Maven
 /.mvn/wrapper/maven-wrapper.jar
+.mvn/wrapper/maven-wrapper.properties
+
+# IDE
 /.idea
 /.vscode
+/.settings
+/.classpath
+/.project
+*.iml
+*.ipr
+*.iws
+
+# Version control
 /.git
 /.gitignore
+/.gitattributes
+
+# Documentation
 README.md
 LICENSE.txt
-docker-compose.yml
-k8s
-node_modules
-*.iml
-*.log
+*.md
+/docs
+
+# Docker
+docker-compose.yml
+docker-compose.*.yml
+.dockerignore
+Dockerfile*
+
+# Kubernetes
+/k8s
+*.yaml
+!src/**/*.yml
+!src/**/*.yaml
+
+# CI/CD
+/.github
+/.gitlab-ci.yml
+/.travis.yml
+/.circleci
+
+# Dependencies
+node_modules
+/.gradle
+/.m2
+
+# Logs
+*.log
+logs/
+
+# OS
+.DS_Store
+Thumbs.db
+*.swp
+*.swo
+*~
+
+# Test files
+**/test/**
+**/*Test.java
+**/*Tests.java
+**/__tests__/
+
+# Temporary files
+*.tmp
+*.temp
+.cache

--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@ -6,15 +6,16 @@ on:
  pull_request:
    branches: [ main ]

+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
-    env:
-      REGISTRY: ghcr.io
-      IMAGE_NAME: ${{ github.repository }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
@ -32,6 +33,19 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix={{branch}}-
+            type=raw,value=latest,enable={{is_default_branch}}
+
      - name: Log in to GitHub Container Registry
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
@ -45,7 +59,24 @@ jobs:
        with:
          context: .
          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
+
+      - name: Test Docker image
+        if: github.event_name == 'pull_request'
+        run: |
+          docker build -t spring-petclinic-test .
+          docker run -d --name petclinic-test -p 8080:8080 \
+            -e SPRING_PROFILES_ACTIVE=h2 \
+            spring-petclinic-test
+          echo "Waiting for application to start..."
+          sleep 45
+          echo "Testing health endpoint..."
+          curl -f http://localhost:8080/actuator/health || exit 1
+          echo "Health check passed!"
+          docker stop petclinic-test
+          docker rm petclinic-test

--- a/32
+++ b/32
@ -1,23 +1,49 @@
 FROM eclipse-temurin:25-jdk-alpine AS builder
 WORKDIR /workspace

+# Copy Maven wrapper and configuration files first for better layer caching
 COPY mvnw .
 COPY .mvn .mvn
 COPY pom.xml .
+
+# Download dependencies (this layer will be cached if pom.xml doesn't change)
+RUN chmod +x mvnw && ./mvnw dependency:go-offline -B
+
+# Copy source code
 COPY src src

-RUN chmod +x mvnw \
-    && ./mvnw -B -DskipTests package
+# Build the application
+RUN ./mvnw -B -DskipTests package

-FROM eclipse-temurin:25-jre-alpine
+FROM eclipse-temurin:17-jre-alpine
 WORKDIR /app

+# Install wget for healthcheck
+RUN apk add --no-cache wget
+
+# Create a non-root user for security
+RUN addgroup -S spring && adduser -S spring -G spring
+
+# Set environment variables
 ENV SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE:-mysql}
 ENV JAVA_OPTS=""

+# Copy the JAR file from builder
 COPY --from=builder /workspace/target/*.jar app.jar

+# Change ownership to non-root user
+RUN chown spring:spring app.jar
+
+# Switch to non-root user
+USER spring:spring
+
+# Expose the application port
 EXPOSE 8080

+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:8080/actuator/health || exit 1
+
+# Use exec form for better signal handling
 ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS -jar app.jar"]

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -4,6 +4,7 @@ services:
      context: .
      dockerfile: Dockerfile
    image: spring-petclinic:latest
+    container_name: spring-petclinic-app
    ports:
      - "8080:8080"
    environment:
@ -15,11 +16,20 @@ services:
      mysql:
        condition: service_healthy
    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8080/actuator/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    networks:
+      - petclinic-network

  mysql:
    image: mysql:9.2
+    container_name: spring-petclinic-mysql
    ports:
-      - "3306:3306"
+      - "${MYSQL_PORT:-3306}:3306"
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-root}
      MYSQL_USER: ${SPRING_DATASOURCE_USERNAME:-petclinic}
@ -27,27 +37,47 @@ services:
      MYSQL_DATABASE: ${MYSQL_DATABASE:-petclinic}
      MYSQL_ALLOW_EMPTY_PASSWORD: "false"
    volumes:
+      - mysql-data:/var/lib/mysql
      - "./conf.d:/etc/mysql/conf.d:ro"
    healthcheck:
-      test: ["CMD-SHELL", "mysqladmin ping -h localhost -p${MYSQL_ROOT_PASSWORD:-root}"]
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p${MYSQL_ROOT_PASSWORD:-root}"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 20s
+    restart: unless-stopped
+    networks:
+      - petclinic-network

  postgres:
    image: postgres:18.0
+    container_name: spring-petclinic-postgres
    ports:
-      - "5432:5432"
+      - "${POSTGRES_PORT:-5432}:5432"
    environment:
      POSTGRES_PASSWORD: ${SPRING_DATASOURCE_PASSWORD:-petclinic}
      POSTGRES_USER: ${SPRING_DATASOURCE_USERNAME:-petclinic}
      POSTGRES_DB: ${POSTGRES_DB:-petclinic}
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${SPRING_DATASOURCE_USERNAME:-petclinic}"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 20s
+    restart: unless-stopped
    profiles:
      - postgres
+    networks:
+      - petclinic-network
+
+volumes:
+  mysql-data:
+    driver: local
+  postgres-data:
+    driver: local
+
+networks:
+  petclinic-network:
+    driver: bridge