Use distroless JDK17-image (#127)

geir-waagboe · web-flow · commit d5c6acbde09b · 2022-05-10T10:28:13.000+02:00
diff --git a/.github/workflows/dispatch.yaml b/.github/workflows/dispatch.yaml
@@ -27,7 +27,7 @@ jobs:
         if: ${{ !env.found_image }}
         uses: actions/setup-java@v1
         with:
-          java-version: '11.x'
+          java-version: '17.x'
       - name: Checkout code
         if: ${{ !env.found_image }}
         uses: actions/checkout@v2
@@ -47,6 +47,15 @@ jobs:
           ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }}
         run: |
           ./gradlew shadowJar -x test
+      - name: Install cosign
+        if: ${{ !env.found_image }}
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.3.1'
+      - name: Verify distroless base image
+        if: ${{ !env.found_image }}
+        run: |
+          cosign verify --key distroless.pub gcr.io/distroless/java17
       - name: Build and publish Docker image if not already done
         if: ${{ !env.found_image }}
         env:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -13,7 +13,7 @@ jobs:
       - name: Setup java
         uses: actions/setup-java@v1
         with:
-          java-version: '11.x'
+          java-version: '17.x'
       - name: Checkout code
         uses: actions/checkout@v1
       - uses: actions/cache@v1
@@ -46,6 +46,13 @@ jobs:
           ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }}
         run: |
           ./gradlew shadowJar -x test
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.3.1'
+      - name: Verify distroless base image
+        run: |
+          cosign verify --key distroless.pub gcr.io/distroless/java17
       - name: Build and publish Docker image
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,8 @@
-FROM navikt/java:11
+FROM gcr.io/distroless/java17
+WORKDIR /app
 COPY build/libs/app.jar app.jar
-ENV JAVA_OPTS="-Dlogback.configurationFile=logback.xml"
-ENV APPLICATION_PROFILE="remote"
+ENV JDK_JAVA_OPTIONS="-XX:MaxRAMPercentage=75 -Dlogback.configurationFile=logback.xml"
+ENV TZ="Europe/Oslo"
+EXPOSE 8080
+USER nonroot
+CMD [ "app.jar" ]
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -120,7 +120,7 @@ tasks {
     }
 
     withType<KotlinCompile> {
-        kotlinOptions.jvmTarget = "11"
+        kotlinOptions.jvmTarget = "17"
     }
 
     withType<Test> {
diff --git a/distroless.pub b/distroless.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q
+OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA==
+-----END PUBLIC KEY-----
diff --git a/src/main/kotlin/no/nav/syfo/App.kt b/src/main/kotlin/no/nav/syfo/App.kt
@@ -55,7 +55,7 @@ fun main() {
 
     applicationEngineEnvironment.monitor.subscribe(ApplicationStarted) { application ->
         applicationState.ready = true
-        application.environment.log.info("Application is ready")
+        application.environment.log.info("Application is ready, running Java VM ${Runtime.version()}")
         launchKafkaModule(
             applicationState = applicationState,
             environment = environment,

Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ tasks {`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`withType<KotlinCompile> {`
`123`		`- kotlinOptions.jvmTarget = "11"`
	`123`	`+ kotlinOptions.jvmTarget = "17"`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`withType<Test> {`