/ris-backend-service

RIS Backend/API service

Primary LanguageJavaOtherNOASSERTION

RIS Backend Service

Pipeline Scan Secrets Check

Prerequisites

You need (or may want) the following CLI tools. For UNIX users, there is a prepared Brewfile, see below.

Necessary tools:

  • lefthook - manages our git hooks
  • talisman - scans for secrets before you would commit them
  • docker - our container runtime (on macOS, the easiest way is to use Docker Desktop)
  • gopass - a tool to sync secrets
  • Node.js - JavaScript runtime & dependency management
  • nodenv - manages the node.js environment

Backend only:

  • java - we use Java 17 in the backend

Optional, but recommended tools:

If you use homebrew, you can simply execute this to to install all required and optional dependencies:

brew bundle

If you decided to install direnv, you have to hook it onto your shell as described here. E.g. for ZSH add this to ~/.zshrc:

eval "$(direnv hook zsh)"

Getting started

To get started with development, run:

./run.sh init

This will install a couple of Git hooks which are supposed to help you to:

Setup local environment

For shared secrets required for development we're using gopass. To set up follow these steps:

Provide some team member a public GPG key with encryption capability (that team member will add you as a recipient).

Then, run:

gopass --yes setup --remote git@github.com:digitalservicebund/neuris-password-store.git --alias neuris --name <your-name-from-gpg-key> --email <your-email-from-gpg-key>

Note

If there are any issues with this command, you need to clean the store and try again until it works unfortunately ☹️:

rm -rf ~/.local/share/gopass/stores

Try if you can get access:

gopass ls

Synchronize the password store:

gopass sync

Now you can generate a new .env file containig the secrets:

./run.sh env

Note

This needs to be repeated every time the secrets change.

Importing example data

Learn how to import example data for the app here. Note that while this step isn't required to run the app, some tests may fail since they depend on preexisting data from the example data set.

Development

./run.sh dev

If you don't want to watch the log stream but let Docker perform health checks until everything is up, use detached mode:

./run.sh dev -d

The application is available at http://127.0.0.1.

This will start the backend utilizing Spring Boot developer tools so changes in the Java sources will be reflected without manually restarting. Similarly, the frontend is served from Vite with HMR.

Note

When first starting the development server, dependencies will be installed automatically. This includes supported browsers for E2E and a11y testing through playwright. Should that fail, you can install them manually.

To see logs of the containers, use e.g.

docker compose logs # for all
docker compose logs frontend # for specific services

To stop the whole environment:

./run.sh down

Read the component individual documentation to figure out how to run them individually:

Deployment

The pipeline performs the deployment through GitOps using ArgoCD (see example pipeline deploy step definition):

  • Build and push the new Docker image (see here)
  • Commit the new tag in the deployment manifest in the neuris-infra repository
  • Sync the respective ArgoCD App, which will cause ArgoCD to apply all changed Kubernetes manifests on the cluster to create the desired state

Working with Talisman

Given you already know that a file that was edited, f.ex. .github/workflows/pipeline.yml, will require an updated checksum field in .talismanrc, execute the following command:

talisman -c .github/workflows/pipeline.yml | sed -n '3,5p' | yq e '.fileignoreconfig[0].checksum' - | tr -d '\r\n' | pbcopy

Note that Talisman calculates the checksum based on contents in the index!

What's left is to paste the new checksum into .talismanrc:

diff --git a/.talismanrc b/.talismanrc
index df6f840..de8d552 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -4,7 +4,7 @@ fileignoreconfig:
   - filename: build.gradle
     checksum: 3837e805b74b2251453049241cd7bd5e0f101d06769af7748344c09ef3d514b0
   - filename: .github/workflows/pipeline.yml
-    checksum: cb0bcce8968af031875bde690a48a60be440a67069c2b9aeffb4771a46abf9b9
+    checksum: e4518e01194712f64c54b62ec18b0c5745fe973a82390a336790674cdfe96e70
   - filename: .github/workflows/secrets-check.yml
     checksum: 836ea67ce7c67ecfb56519ff7f65ff461821cc221797f15c635108f212646664
   - filename: .github/workflows/scan.yml

Architecture Decision Records

Architecture decisions are kept in the doc/adr directory and are managed with adr-tools.

Slack notifications

Opt in to CI posting notifications for failing jobs to a particular Slack channel by setting a repository secret with the name SLACK_WEBHOOK_URL, containing a url for Incoming Webhooks.