Pinit-Scheduler · GoGradually · Dec 20, 2025 · Dec 20, 2025 · Dec 20, 2025 · Copilot
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,8 @@
+**
+
+!Dockerfile
-!Dockerfile
-!Dockerfile
+!k8s/**
-!k8s/**
-!k8s/**
+
+!build/
+!build/libs/
+!build/libs/*.jar
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -86,6 +86,9 @@ jobs:
 
           echo "KUBECONFIG=$PWD/kubeconfig" >> $GITHUB_ENV
 
+      - name: Install envsubst
+        run: sudo apt-get update && sudo apt-get install -y gettext-base
+
       - name: Deploy (apply manifest with GITHUB_SHA substitution)
         shell: bash
         run: |

diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,28 @@
+# syntax=docker/dockerfile:1
+
+FROM eclipse-temurin:21-jre-jammy
+
+WORKDIR /app
+
+# 비루트 실행(쿠버네티스 securityContext와도 정합성 좋음)
+RUN useradd -r -u 10001 -g root appuser \
+  && mkdir -p /app \
+  && chown -R 10001:0 /app
+
+# GitHub Actions에서 ./gradlew clean test build 로 생성된 산출물 사용
+# (주의) build/libs 에 plain.jar 와 bootJar가 같이 생길 수 있어 bootJar를 선택하도록 처리
+COPY build/libs/*.jar /app/
+
+RUN set -eux; \
+  JAR="$(ls /app/*.jar | grep -v -- '-plain\.jar$' | head -n 1)"; \
-  JAR="$(ls /app/*.jar | grep -v -- '-plain\.jar$' | head -n 1)"; \
+  JARS="$(ls /app/*.jar | grep -v -- '-plain\.jar$' || true)"; \
+  JAR_COUNT="$(printf '%s\n' "$JARS" | sed '/^$/d' | wc -l)"; \
+  if [ "$JAR_COUNT" -ne 1 ]; then \
+    echo "ERROR: Expected exactly 1 non-plain JAR in /app, but found $JAR_COUNT." >&2; \
+    echo "Non-plain JAR candidates:" >&2; \
+    printf '%s\n' "$JARS" >&2; \
+    exit 1; \
+  fi; \
+  JAR="$(printf '%s\n' "$JARS" | sed '/^$/d')"; \
-  JAR="$(ls /app/*.jar | grep -v -- '-plain\.jar$' | head -n 1)"; \
+  JARS="$(ls /app/*.jar | grep -v -- '-plain\.jar$' || true)"; \
+  JAR_COUNT="$(printf '%s\n' "$JARS" | sed '/^$/d' | wc -l)"; \
+  if [ "$JAR_COUNT" -ne 1 ]; then \
+    echo "ERROR: Expected exactly 1 non-plain JAR in /app, but found $JAR_COUNT." >&2; \
+    echo "Non-plain JAR candidates:" >&2; \
+    printf '%s\n' "$JARS" >&2; \
+    exit 1; \
+  fi; \
+  JAR="$(printf '%s\n' "$JARS" | sed '/^$/d')"; \
+  mv "$JAR" /app/app.jar; \
+  rm -f /app/*-plain.jar || true; \
+  chown 10001:0 /app/app.jar
+
+USER 10001
+
+# Spring Boot 기본 포트가 8080인 경우가 많아 문서화 목적(EXPOSE는 필수 아님)
+EXPOSE 8080
+
+# JVM 옵션은 Kubernetes 매니페스트에서 JAVA_TOOL_OPTIONS로 주입 권장
+ENTRYPOINT ["java","-jar","/app/app.jar"]
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
@@ -23,6 +23,8 @@ spec:
       labels:
         app: pinit-auth
     spec:
+      imagePullSecrets:
+        - name: ghcr-pull-secret
       terminationGracePeriodSeconds: 30
       volumes:
         - name: keys