(#921) Implement AWS EKS for registry application

.github/workflows/build.yaml

@@ -0,0 +1,74 @@
+# syntax=docker/dockerfile:1.4
+name: Build and push
+
+on:
+  push:
+    branches: ["eks-infrastructure","staging","main","production"]
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Build & Push'
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  AWS_REGION: us-east-1
+  ECR_REPOSITORY: registry
+  EKS_CLUSTER: ce-registry-eks
+
+concurrency:
+  group: eks-cluster-image-build
+  cancel-in-progress: true
+
+jobs:
+  build-and-push:
+    if: ${{ github.repository_owner == 'CredentialEngine' }}
+    runs-on: ubuntu-latest
+    outputs:
+      image: ${{ steps.img.outputs.image }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/github-oidc-widget
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Compute image tag (date.build)
+        id: tag
+        run: |
+          DATE_TAG=$(date -u +%Y.%m.%d)
+          BUILD_NUM=$(printf "%04d" $(( GITHUB_RUN_NUMBER % 10000 )) )
+          TAG="$DATE_TAG.$BUILD_NUM"
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Build Docker image (multi-stage)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.tag.outputs.tag }}
+            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:staging
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Export image URI
+        id: img
+        run: |
+          echo "image=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.tag.outputs.tag }}" >> "$GITHUB_OUTPUT"

.github/workflows/test.yaml

@@ -41,7 +41,15 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: ruby/[email protected]
+
+      - name: Pre-cache grape-middleware-logger gem
+        run: |
+          mkdir -p vendor/cache
+          if [ -f local_packages/grape-middleware-logger-2.4.0.gem ]; then
+            cp -v local_packages/grape-middleware-logger-2.4.0.gem vendor/cache/
+          fi
+
+      - uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
       - run: RACK_ENV=test bundle exec rake db:migrate

.gitignore

@@ -60,3 +60,19 @@ config/authorized_keys/learning_registry/public_key.txt
 .DS_Store
 
 *~
+
+# Terraform
+**/builds
+# Ignore only .terraform directories (keep .terraform.lock.hcl tracked)
+**/.terraform/
+terraform*backup
+*.zip
+
+# Allow vendored artifacts in local_packages for Docker build
+!local_packages/
+!local_packages/*.gem
+!local_packages/*.zip
+terraform.tfstate
+terraform.tfstate.backup
+terraform/development/builds/
+terraform/builds

Dockerfile

@@ -31,7 +31,6 @@ RUN set -eux; \
     findutils diffutils procps-ng \
     ca-certificates \
     libpq libpq-devel \
-    postgresql \
     krb5-libs \
     openldap \
     cyrus-sasl-lib \
@@ -45,6 +44,17 @@ RUN set -eux; \
     pkgconf-pkg-config \
     && microdnf clean all
 
+# Install PostgreSQL 17 client from PGDG and expose binaries on PATH
+RUN set -eux; \
+    curl -fsSL https://download.postgresql.org/pub/repos/yum/reporpms/EL-10-x86_64/pgdg-redhat-repo-latest.noarch.rpm -o /tmp/pgdg.rpm; \
+    rpm -Uvh /tmp/pgdg.rpm; \
+    microdnf -y module disable postgresql || true; \
+    microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs postgresql17; \
+    ln -sf /usr/pgsql-17/bin/psql /usr/bin/psql; \
+    ln -sf /usr/pgsql-17/bin/pg_dump /usr/bin/pg_dump; \
+    ln -sf /usr/pgsql-17/bin/pg_restore /usr/bin/pg_restore; \
+    microdnf clean all
+
 # Install local RPMs shipped in repo (EL10 builds)
 COPY rpms/ /tmp/rpms/
 RUN if ls /tmp/rpms/*.rpm >/dev/null 2>&1; then rpm -Uvh --nosignature /tmp/rpms/*.rpm; fi
@@ -108,8 +118,12 @@ RUN mkdir -p /runtime/usr/local /runtime/etc /runtime/usr/bin /runtime/usr/lib64
     cp -a /usr/share/crypto-policies/back-ends/opensslcnf.config /runtime/etc/crypto-policies/back-ends/; \
     fi && \
     cp -a /usr/bin/openssl /runtime/usr/bin/ && \
-    for b in /usr/bin/psql /usr/bin/pg_dump /usr/bin/pg_restore; do \
-    cp -a "$b" /runtime/usr/bin/ 2>/dev/null || true; \
+    # Copy PostgreSQL client binaries, dereferencing symlinks if present
+    for b in \
+      /usr/bin/psql /usr/bin/pg_dump /usr/bin/pg_restore \
+      /usr/pgsql-17/bin/psql /usr/pgsql-17/bin/pg_dump /usr/pgsql-17/bin/pg_restore; do \
+      [ -f "$b" ] || continue; \
+      cp -aL "$b" /runtime/usr/bin/ 2>/dev/null || true; \
     done && \
     mkdir -p /runtime/usr/lib64/ossl-modules && \
     cp -a /usr/lib64/ossl-modules/* /runtime/usr/lib64/ossl-modules/ 2>/dev/null || true

docker-compose.yml

@@ -27,6 +27,7 @@ services:
       - SECRET_KEY_BASE=${SECRET_KEY_BASE}
       - RACK_ENV=production
       - DOCKER_ENV=true
+      - ENVELOPE_GRAPHS_BUCKET=ce-registry-envelopes-staging
     ports:
       - 9292:9292
     depends_on:
@@ -49,6 +50,7 @@ services:
       - RACK_ENV=production
       - DOCKER_ENV=true
       - STATEMENT_TIMEOUT=900000
+      - ENVELOPE_GRAPHS_BUCKET=ce-registry-envelopes-staging
     # no ports needed for worker
     depends_on:
       - db

openssl.cnf

@@ -12,4 +12,3 @@ activate = 1
 
 [legacy_sect]
 activate = 1
-

scripts/stress_get_root.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Simple HTTP stress script for GET /
+# - Sends N total requests with C concurrent workers to the provided base URL
+# - Prints HTTP status code distribution and average latency
+
+usage() {
+  cat <<USAGE
+Usage: $(basename "$0") [-u BASE_URL] [-n REQUESTS] [-c CONCURRENCY]
+
+Options:
+  -u BASE_URL   Base URL of the registry app (default: http://localhost:9292)
+  -n REQUESTS   Total number of requests to send (default: 200)
+  -c CONCURRENCY  Number of concurrent workers (default: 20)
+
+Example:
+  $(basename "$0") -u http://localhost:9292 -n 1000 -c 50
+USAGE
+}
+
+BASE_URL="http://localhost:9292"
+TOTAL=200
+CONCURRENCY=20
+
+while getopts ":u:n:c:h" opt; do
+  case "$opt" in
+    u) BASE_URL="$OPTARG" ;;
+    n) TOTAL="$OPTARG" ;;
+    c) CONCURRENCY="$OPTARG" ;;
+    h) usage; exit 0 ;;
+    :) echo "Option -$OPTARG requires an argument" >&2; usage; exit 1 ;;
+    \?) echo "Unknown option -$OPTARG" >&2; usage; exit 1 ;;
+  esac
+done
+
+if ! command -v curl >/dev/null 2>&1; then
+  echo "curl is required" >&2
+  exit 1
+fi
+
+TMP_OUT=$(mktemp)
+trap 'rm -f "$TMP_OUT"' EXIT
+
+echo "Hitting: ${BASE_URL}/  Total: ${TOTAL}  Concurrency: ${CONCURRENCY}" >&2
+
+# Fire requests in parallel; record http_code and total_time per request
+seq 1 "$TOTAL" | \
+  xargs -P "$CONCURRENCY" -n 1 -I {} \
+    curl -sS -o /dev/null -w "%{http_code} %{time_total}\n" "${BASE_URL}/" \
+  | tee "$TMP_OUT" >/dev/null
+
+# Summarize results
+TOTAL_DONE=$(wc -l < "$TMP_OUT" | awk '{print $1}')
+SUCCESS=$(awk '$1 ~ /^2/ {count++} END {print count+0}' "$TMP_OUT")
+REDIRECT=$(awk '$1 ~ /^3/ {count++} END {print count+0}' "$TMP_OUT")
+CLIENT_ERR=$(awk '$1 ~ /^4/ {count++} END {print count+0}' "$TMP_OUT")
+SERVER_ERR=$(awk '$1 ~ /^5/ {count++} END {print count+0}' "$TMP_OUT")
+AVG_LAT=$(awk '{sum+=$2} END { if (NR>0) printf "%.3f", sum/NR; else print "0" }' "$TMP_OUT")
+
+echo "--- Summary ---"
+echo "Total:     $TOTAL_DONE"
+echo "2xx:       $SUCCESS"
+echo "3xx:       $REDIRECT"
+echo "4xx:       $CLIENT_ERR"
+echo "5xx:       $SERVER_ERR"
+echo "Avg (s):   $AVG_LAT"
+
+exit 0
+