This commit transitions the project from Azaion.Flights to Azaion.Missions, updating namespaces, DTOs, services, and database entities accordingly. The Docker configuration and entry points have been modified to reflect the new project structure. Additionally, the README and documentation have been updated to clarify the ongoing renaming process and its implications. All references to flights have been replaced with missions, ensuring consistency across the codebase.
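---
# Test compose stack for the missions service.
# Naming: post-rename target. Project entrypoint is Azaion.Missions.csproj.
# B5 (namespace), B6 (domain), B7 (drop GPS-Denied), B8 (HTTP routes), B9
# (DB migration), B12 (default-vehicle rule) have all landed locally.
# Cross-repo work pending: B4 (Gitea repo rename + suite .gitmodules + git mv),
# B10 (suite compose service block), B11 (autopilot/ui consumer cutover).
# Documented in _docs/02_document/tests/environment.md.
#
# Post-2026-05-14 drift re-verification: JWT model is ECDSA-SHA256 with JWKS
# fetched from the `admin` service. Tests provide a `jwks-mock` container that
# stands in for `admin` -- it holds a fixed ECDSA P-256 keypair, serves the
# public key as JWKS over HTTPS at `https://jwks-mock:8443/.well-known/jwks.json`,
# and signs test tokens on demand at `https://jwks-mock:8443/sign`. The consumer
# fetches signed tokens from the mock; missions validates them against the
# mock's JWKS. The private key never leaves the mock container.
#
# Exposure summary for this stack (test-only values throughout):
# - postgres-test and missions publish host ports (5433 and 5002). Compose
#   binds published ports on all host interfaces unless an address is given;
#   on a shared CI runner prefer the loopback form, e.g. "127.0.0.1:5433:5432".
# - jwks-mock publishes no host port, so `/sign` and `/rotate-key` are only
#   reachable from containers on e2e-net.
# - TLS verification is skipped in exactly one place: the mock's own loopback
#   healthcheck. Cross-container HTTPS calls rely on the mounted jwks-mock CA.

services:
  postgres-test:
    image: postgres:16-alpine
    container_name: missions-postgres-test
    environment:
      POSTGRES_DB: azaion
      POSTGRES_USER: postgres
      # Test-only credential; the same value is embedded in DATABASE_URL
      # (missions) and DB_SIDE_CHANNEL (e2e-consumer) below -- change all three
      # together.
      POSTGRES_PASSWORD: postgres-test
    ports:
      # Host 5433 -> container 5432. See the exposure summary above about
      # binding to 127.0.0.1 on shared runners.
      - "5433:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d azaion"]
      interval: 1s
      timeout: 1s
      retries: 30
    networks:
      - e2e-net
    tmpfs:
      # Ephemeral PG data; recreated per `docker compose down -v`.
      - /var/lib/postgresql/data

  jwks-mock:
    # Build context populated by Step 6 (Implement Tests). The mock is a tiny
    # ASP.NET Core / Python / Node app that:
    # - Holds a fixed ECDSA P-256 keypair (in-memory; never exported).
    # - Serves `GET /.well-known/jwks.json` over HTTPS with `Cache-Control:
    #   public, max-age=60` (60s instead of admin's 3600s so tests can observe
    #   rotation within a single 15-minute CI window).
    # - Serves `POST /sign` over HTTPS accepting a claims JSON body and
    #   returning a signed JWT (ECDSA-SHA256) for test consumption.
    # - Supports `POST /rotate-key` to generate a new keypair with a new
    #   `kid`; the prior public key stays in the JWKS for `OldKeyGraceSeconds`
    #   to verify the rotation transition (used by NFT-RES-07).
    # - Self-signs its TLS certificate; the `missions` container trusts the
    #   mock's CA via the read-only volume mounted at
    #   /usr/local/share/ca-certificates/jwks-mock-ca.crt, which
    #   update-ca-certificates installs into the OS bundle (/etc/ssl/certs).
    # - Image tag: `azaion/jwks-mock:test`. Until built, run-tests.sh prints
    #   a clear "jwks-mock not yet built" message.
    # - Listens on 8443 (TLS) and is not published to the host.
    build:
      context: tests/Azaion.Missions.JwksMock
      dockerfile: Dockerfile
    container_name: missions-jwks-mock
    environment:
      # Issuer/audience must match the values missions validates against and
      # the values e2e-consumer expects (both set identically below).
      JWT_ISSUER: https://admin-test.azaion.local
      JWT_AUDIENCE: azaion-edge
      # Quoted so Compose passes the literal string, consistent with the other
      # numeric env values in this file.
      OLD_KEY_GRACE_SECONDS: "5"
    healthcheck:
      # Loopback self-probe against the mock's own self-signed cert.
      # --no-check-certificate is confined to this in-container probe; the
      # containers that call the mock over e2e-net verify via the mounted CA.
      test: ["CMD-SHELL", "wget -q --no-check-certificate -O - https://127.0.0.1:8443/.well-known/jwks.json || exit 1"]
      interval: 2s
      timeout: 1s
      retries: 30
    networks:
      - e2e-net

  missions:
    build:
      context: .
    container_name: missions-sut
    environment:
      DATABASE_URL: postgresql://postgres:postgres-test@postgres-test:5432/azaion
      # Must match jwks-mock's JWT_ISSUER / JWT_AUDIENCE above.
      JWT_ISSUER: https://admin-test.azaion.local
      JWT_AUDIENCE: azaion-edge
      JWT_JWKS_URL: https://jwks-mock:8443/.well-known/jwks.json
      # Shorten the JWKS cache so NFT-RES-07 + NFT-SEC-11 can observe rotation
      # within the 15-minute CI wall-clock budget. Production leaves both
      # unset and inherits the library defaults (12h / 5min).
      JWT_JWKS_AUTO_REFRESH_INTERVAL_SECONDS: "30"
      JWT_JWKS_REFRESH_INTERVAL_SECONDS: "10"
      ASPNETCORE_URLS: http://+:8080
      ASPNETCORE_ENVIRONMENT: Test
      # CORS: Test environment (NOT Production) -- empty allow-list falls back
      # to permissive with a PermissiveDefaultWarning log line (per
      # CorsConfigurationValidator). Production-gate scenarios (E9 lock test)
      # set ASPNETCORE_ENVIRONMENT=Production and assert startup THROWS.
    # The jwks-mock CA cert is mounted so missions can validate the mock's
    # TLS cert when fetching JWKS over HTTPS. The container ENTRYPOINT runs
    # update-ca-certificates on startup so the mounted CA is trusted by the
    # OS bundle that .NET HttpClient reads from.
    volumes:
      - ./tests/jwks-mock-ca.crt:/usr/local/share/ca-certificates/jwks-mock-ca.crt:ro
    ports:
      # Host 5002 -> container 8080 (plain HTTP; the SUT terminates no TLS here).
      - "5002:8080"
    depends_on:
      postgres-test:
        condition: service_healthy
      jwks-mock:
        condition: service_healthy
    healthcheck:
      # Per AC-7.1, /health is anonymous. Container is "healthy" once /health returns 200.
      test: ["CMD-SHELL", "wget -q -O - http://127.0.0.1:8080/health || exit 1"]
      interval: 2s
      timeout: 1s
      retries: 30
    networks:
      - e2e-net

  e2e-consumer:
    # Build context placeholder -- populated by Step 6 (Implement Tests) when the
    # test csproj is created. Until then, run-tests.sh detects the absence and
    # prints a clear "test project not yet created" message.
    build:
      context: tests/Azaion.Missions.E2E.Tests
      dockerfile: Dockerfile
    container_name: missions-e2e
    environment:
      MISSIONS_BASE_URL: http://missions:8080
      # Direct DB connection string (presumably for state assertions that
      # bypass the HTTP API); same test-only credential as postgres-test.
      DB_SIDE_CHANNEL: Host=postgres-test;Port=5432;Database=azaion;Username=postgres;Password=postgres-test
      # Consumer fetches test tokens from jwks-mock instead of minting locally:
      # the private key never leaves the mock container, so tests can't
      # accidentally sign with a key that doesn't match the mock's published JWKS.
      JWKS_MOCK_SIGN_URL: https://jwks-mock:8443/sign
      JWT_ISSUER: https://admin-test.azaion.local
      JWT_AUDIENCE: azaion-edge
    depends_on:
      missions:
        condition: service_healthy
      jwks-mock:
        condition: service_healthy
    volumes:
      - ./test-results:/app/results
      # Same CA mount as missions so the HTTPS call to /sign can be verified
      # rather than skipped. NOTE(review): this only takes effect if the
      # consumer image also runs update-ca-certificates (or loads the file
      # explicitly) -- confirm in tests/Azaion.Missions.E2E.Tests/Dockerfile.
      - ./tests/jwks-mock-ca.crt:/usr/local/share/ca-certificates/jwks-mock-ca.crt:ro
    networks:
      - e2e-net
    profiles:
      - test

networks:
  e2e-net:
    name: missions-e2e-net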