Migrate credentials to LabKey native SSM integration (26.6+) #184
Open
labkey-willm wants to merge 2 commits into release26.6-SNAPSHOT from 26.6_fb_ssm_credential_migration
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| # CLAUDE.md | ||
|
|
||
| This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. | ||
|
|
||
| ## What This Repo Does | ||
|
|
||
| Builds and publishes Docker images for LabKey Server (a biomedical data management platform) to AWS ECR. A single `Dockerfile` produces multiple distributions (`community`, `enterprise`, `lims_starter`, `allpg`) via the `LABKEY_DISTRIBUTION` build arg. | ||
|
|
||
| ## Common Commands | ||
|
|
||
| ```bash | ||
| # Local development cycle | ||
| make build # Build image locally (uses local .jar if present) | ||
| make up # Run community via docker-compose (https://localhost:8443) | ||
| make up-enterprise # Run enterprise distribution | ||
| make up-lims_starter | ||
| make down # Tear down containers | ||
| make test # Run smoke.bash health check against running container | ||
|
|
||
| # Lint | ||
| # Hadolint runs in CI; run locally via: | ||
| docker run --rm -i hadolint/hadolint < Dockerfile | ||
|
|
||
| # AWS ECR workflow | ||
| make login # Authenticate to ECR | ||
| make tag # Tag image for ECR | ||
| make push # Push to ECR | ||
| make all # login → build → tag → push (default) | ||
| ``` | ||
|
|
||
| ## Architecture | ||
|
|
||
| ### Build Flow | ||
|
|
||
| `Dockerfile` downloads the LabKey `.tar.gz` from a URL (or uses a local `.jar` file placed in the repo root for development). The `LABKEY_VERSION` and `LABKEY_DISTRIBUTION` build args control which artifact is fetched. Base image is `eclipse-temurin:25-jre-noble` (Debian); Alpine variant is also supported. | ||
|
|
||
| ### Runtime | ||
|
|
||
| `entrypoint.sh` is the container entry point. It: | ||
| 1. Validates required `LABKEY_*` env vars (excludes `*SSM*`, `*GUID*`, `*MEK*`, initial-user vars) | ||
| 2. Optionally downloads startup properties from S3 | ||
| 3. Handles SSM vs. non-AWS mode: if `LABKEY_SSM_PREFIX` is set, normalizes trailing slashes on both prefix vars; otherwise removes the `context.awsParameterStore.prefix` line and substitutes `ssm:` references in `application.properties` with direct env var values | ||
| 4. Runs `envsubst` on all `.properties` files, then `sed` to substitute `@@placeholder@@` values | ||
| 5. Generates a self-signed TLS keystore via `openssl` | ||
| 6. Unsets connection/SMTP env vars, then `exec`s `java -jar labkeyServer.jar` | ||
|
|
||
| ### Multi-Distribution | ||
|
|
||
| The `startup/` directory contains per-distribution `.properties` files (`community.properties`, `enterprise.properties`, etc.). The `LABKEY_DISTRIBUTION` env var selects which file is copied in at build time and passed to the JVM. | ||
|
|
||
| ### Configuration Surface | ||
|
|
||
| Almost all runtime behavior is controlled via environment variables. The major groups are documented in `README.md`: | ||
| - **DB**: `POSTGRES_*` — connection, pooling | ||
| - **App**: `LABKEY_*` — version, distribution, base URL, encryption key, initial user | ||
| - **SSM (AWS, 26.6+)**: `LABKEY_SSM_PREFIX` (app-level prefix) and `LABKEY_VPC_SSM_PREFIX` (VPC-level prefix) — when set, DB credentials (`database_user`, `database_password`), encryption key (`ek`), and SMTP credentials (`smtp_user`, `smtp_password`) are fetched from SSM instead of env vars; see `application.properties` for the `ssm:` references and `README.md` for the full SSM parameter table | ||
| - **JVM**: `JAVA_*`, `MAX_JVM_RAM_PERCENT`, `JAVA_PRE_JAR_EXTRA` / `JAVA_POST_JAR_EXTRA` | ||
| - **SSL**: `CERT_*`, `TOMCAT_KEYSTORE_*` | ||
| - **Observability**: Datadog APM (`dd-java-agent.jar` baked in), `LOG_LEVEL_*`, `LOGGER_PATTERN` | ||
| - **Debug**: `DEBUG=1` installs extra tools (ping, netcat, vim, etc.) at runtime | ||
|
|
||
| ### CI/CD (GitHub Actions) | ||
|
|
||
| | Workflow | Trigger | | ||
| |----------|---------| | ||
| | `hadolint.yml` | Push to `fb_*` / `*_fb_*`; PRs to develop/release* | | ||
| | `validate_pr.yml` | PR opened/ready for review | | ||
| | `merge_release.yml` | PR review approved (auto-merges release branches) | | ||
| | `dockle_xeol.yml` | Security scanning | | ||
| | `branch_release.yml` | Release branch automation | | ||
|
|
||
| Feature branches follow the pattern `fb_<description>` or `<version>_fb_<description>`. | ||
|
|
||
| ### Local JAR Development | ||
|
|
||
| Place a `labkeyServer.jar.*` file in the repo root (already gitignored). The `Makefile` detects it and uses it as the build artifact instead of downloading from a remote URL, enabling local iteration without publishing. |
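Review bot: Step 3 of the Runtime section (non-AWS mode "substitutes `ssm:` references in `application.properties` with direct env var values") should say where the secrets end up: after that substitution the database password, encryption key and SMTP password are written in plaintext into `application.properties` on the container filesystem, so step 6 ("Unsets connection/SMTP env vars") clears them from the process environment but not from the file. Suggest adding a sentence to step 3 along the lines of "In non-SSM mode the resolved secret values are persisted in `application.properties`; the unset in step 6 only clears the environment, not the file." Separately, the Build Flow line "Base image is `eclipse-temurin:25-jre-noble` (Debian)" is incorrect: the `noble` tags of eclipse-temurin are built on Ubuntu 24.04 (Noble Numbat), so "(Debian)" should read "(Ubuntu 24.04)". Minor: the local artifact is described as a `.jar` in Common Commands and Build Flow but as `labkeyServer.jar.*` in Local JAR Development; use one pattern so the file name rule is unambiguous.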
@labkey-willm It is confusing that we have encryption key value "123abc456" showing up in source code. I presume this is just an example, right?