feat: add psi probe with ability to enable during run/build time

Dockerfile

@@ -8,15 +8,20 @@ ARG CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,HEAD,OPTIONS
 ARG CORS_ALLOWED_HEADERS=Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers
 ARG CORS_ALLOW_CREDENTIALS=false
 
+# PSI Probe configuration
+ARG PSI_PROBE_ENABLED=false
+ARG PSI_PROBE_VERSION=3.5.1
+
 ENV CORS_ENABLED=$CORS_ENABLED
 ENV CORS_ALLOWED_ORIGINS=$CORS_ALLOWED_ORIGINS
 ENV CORS_ALLOWED_METHODS=$CORS_ALLOWED_METHODS
 ENV CORS_ALLOWED_HEADERS=$CORS_ALLOWED_HEADERS
 ENV CORS_ALLOW_CREDENTIALS=$CORS_ALLOW_CREDENTIALS
+ENV PSI_PROBE_ENABLED=$PSI_PROBE_ENABLED
 
 ARG APP_LOCATION="geoserver"
 
-RUN apt-get update && apt-get install -y unzip
+RUN apt-get update && apt-get install -y unzip curl
 
 # accepts local files and URLs. Tar(s) are automatically extracted
 WORKDIR /output/datadir
@@ -60,6 +65,34 @@ RUN \
       mv /output/webapp/geoserver /output/webapp/${APP_LOCATION}; \
     fi
 
+# Download and prepare PSI Probe if enabled
+WORKDIR /output/probe
+RUN \
+    echo "PSI_PROBE_ENABLED=${PSI_PROBE_ENABLED}"; \
+    if [ "${PSI_PROBE_ENABLED}" = "true" ]; then \
+        echo "Downloading PSI Probe ${PSI_PROBE_VERSION}..."; \
+        # Try GitHub releases first
+        GITHUB_URL="https://github.com/psi-probe/psi-probe/releases/download/psi-probe-${PSI_PROBE_VERSION}/probe.war"; \
+        echo "Trying GitHub URL: ${GITHUB_URL}"; \
+        if curl -fSL "${GITHUB_URL}" -o probe.war; then \
+            echo "PSI Probe downloaded from GitHub ($(ls -lh probe.war))"; \
+        else \
+            echo "GitHub download failed, trying Maven Central..."; \
+            # Fallback to Maven Central
+            MAVEN_URL="https://repo1.maven.org/maven2/com/github/psi-probe/psi-probe-web/${PSI_PROBE_VERSION}/psi-probe-web-${PSI_PROBE_VERSION}.war"; \
+            echo "Trying Maven URL: ${MAVEN_URL}"; \
+            if curl -fSL "${MAVEN_URL}" -o probe.war; then \
+                echo "PSI Probe downloaded from Maven Central ($(ls -lh probe.war))"; \
+            else \
+                echo "ERROR: PSI Probe download failed from both sources!"; \
+                exit 1; \
+            fi; \
+        fi; \
+    else \
+        echo "PSI Probe disabled, skipping download"; \
+        touch .placeholder; \
+    fi
+
 FROM tomcat:9-jdk11-temurin-jammy
 
 ARG UID=1000
@@ -69,6 +102,10 @@ ARG CUSTOM_FONTS="./.placeholder"
 ENV ADMIN_PASSWORD=""
 ENV APP_LOCATION="geoserver"
 
+# PSI Probe configuration
+ENV PSI_PROBE_ENABLED="false"
+ENV PSI_PROBE_PASSWORD=""
+
 ENV CATALINA_BASE "$CATALINA_HOME"
 # set externalizations
 ENV GEOSERVER_HOME="/var/geoserver"
@@ -135,6 +172,9 @@ COPY --from=mother "/output/datadir" "${GEOSERVER_DATA_DIR}"
 COPY --from=mother "/output/webapp/geoserver" "${CATALINA_BASE}/webapps/geoserver"
 COPY --from=mother "/output/plugins" "${CATALINA_BASE}/webapps/geoserver/WEB-INF/lib"
 
+# copy PSI Probe if enabled
+COPY --from=mother "/output/probe" "/tmp/probe"
+
 COPY geoserver-plugin-download.sh /usr/local/bin/geoserver-plugin-download.sh
 COPY geoserver-rest-config.sh /usr/local/bin/geoserver-rest-config.sh
 COPY geoserver-rest-reload.sh /usr/local/bin/geoserver-rest-reload.sh

README.md

@@ -99,6 +99,68 @@ CORS headers can be configured with env variables (they are also build arguments
 - `CORS_ALLOW_CREDENTIALS` (default `false`) Setting this to true will only have the desired effect if 
 - `CORS_ALLOWED_ORIGINS` defines explicit origins (not *)
 
+### PSI Probe Integration
+
+This Docker image includes optional PSI Probe integration for monitoring database connections and connection pools. PSI Probe is a powerful web application monitoring tool that provides detailed insights into Tomcat's internals, including:
+
+- Database connection pool monitoring
+- Session tracking
+- Thread pool monitoring
+- Memory usage analysis
+- Application performance metrics
+
+#### PSI Probe Configuration
+
+PSI Probe can be enabled at both build time and runtime with the following configuration options:
+
+**Build-time arguments:**
+- `PSI_PROBE_ENABLED` - Enable/disable PSI Probe (default: `false`)
+- `PSI_PROBE_VERSION` - PSI Probe version to download (default: `3.5.1`)
+
+**Runtime environment variables:**
+- `PSI_PROBE_ENABLED` - Enable/disable PSI Probe at runtime (default: `false`)
+- `PSI_PROBE_PASSWORD` - Password for PSI Probe authentication (required for security)
+
+#### Usage Examples
+
+**Enable PSI Probe with Docker Compose:**
+
+```yaml
+services:
+  geoserver:
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+      args:
+                 GEOSERVER_WEBAPP_SRC: "https://build.geoserver.org/geoserver/main/geoserver-main-latest-war.zip"
+         PSI_PROBE_ENABLED: "true"
+         PSI_PROBE_VERSION: "3.5.5"
+    environment:
+      PSI_PROBE_ENABLED: "true"
+      PSI_PROBE_PASSWORD: "your-secure-password"
+    ports:
+      - 8080:8080
+```
+
+**Enable PSI Probe with Docker run:**
+
+```bash
+docker run -e PSI_PROBE_ENABLED=true \
+           -e PSI_PROBE_PASSWORD=mypassword \
+           -p 8080:8080 \
+           geosolutionsit/geoserver
+```
+
+#### Accessing PSI Probe
+
+Once enabled, PSI Probe will be available at:
+- **Local access**: `http://localhost:8080/probe`
+- **Container access**: `http://container-ip:8080/probe`
+
+**Default credentials:**
+- **Username**: `probe`
+- **Password**: The value set in `PSI_PROBE_PASSWORD`
+
 ### Building with WAR files and plugins
 
 Example of how to build a docker image with just geoserver war and then add plugins at runtime.

docker-compose.yml

@@ -28,12 +28,17 @@ services:
       dockerfile: ./Dockerfile
       args:
         GEOSERVER_WEBAPP_SRC: "https://build.geoserver.org/geoserver/main/geoserver-main-latest-war.zip"
+        PSI_PROBE_ENABLED: "true"
+        PSI_PROBE_VERSION: "3.5.1"
     container_name: geoserver
     depends_on:
       postgres:
         condition: service_healthy
     ports:
       - 8080
+    environment:
+      PSI_PROBE_ENABLED: "true"
+      PSI_PROBE_PASSWORD: "geoserver"
     networks:
       - geoserver-network
 

entrypoint.sh

@@ -171,6 +171,80 @@ case "$GS_CORE_JAR" in
   ;;
 esac
 
+# Configure PSI Probe if enabled
+setup_psi_probe() {
+  if [ "${PSI_PROBE_ENABLED}" = "true" ]; then
+    printf "INFO: Setting up PSI Probe...\n"
+
+    if [ -f "/tmp/probe/probe.war" ]; then
+      cp "/tmp/probe/probe.war" "$CATALINA_HOME/webapps/"
+      printf "INFO: PSI Probe WAR deployed\n"
+    else
+      printf "WARNING: PSI Probe WAR not found, skipping deployment\n"
+      return
+    fi
+
+    if [ -n "${PSI_PROBE_PASSWORD}" ]; then
+      printf "INFO: Configuring PSI Probe security...\n"
+
+      TOMCAT_USERS_XML="$CATALINA_HOME/conf/tomcat-users.xml"
+
+      if [ ! -f "${TOMCAT_USERS_XML}.backup" ]; then
+        cp "$TOMCAT_USERS_XML" "${TOMCAT_USERS_XML}.backup"
+      fi
+
+      cat > "$TOMCAT_USERS_XML" << EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<tomcat-users xmlns="http://tomcat.apache.org/xml"
+              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
+              version="1.0">
+  <role rolename="manager-gui"/>
+  <role rolename="manager-script"/>
+  <role rolename="manager-status"/>
+  <role rolename="poweruser"/>
+  <role rolename="poweruserplus"/>
+  <role rolename="probeuser"/>
+  <user username="probe" password="${PSI_PROBE_PASSWORD}" roles="manager-gui,manager-script,manager-status,poweruser,poweruserplus,probeuser"/>
+</tomcat-users>
+EOF
+
+      printf "INFO: PSI Probe user configured with provided password\n"
+    else
+      printf "WARNING: PSI_PROBE_PASSWORD not set, PSI Probe will be accessible without authentication\n"
+    fi
+
+    # Force proper WAR extraction (fix Tomcat auto-deployment issues)
+    if [ -f "$CATALINA_HOME/webapps/probe.war" ]; then
+      printf "INFO: Ensuring PSI Probe WAR is properly extracted...\n"
+      cd "$CATALINA_HOME/webapps"
+      rm -rf probe
+      unzip -q probe.war -d probe
+      printf "INFO: PSI Probe WAR manually extracted\n"
+    fi
+
+    # Configure access restrictions
+    printf "INFO: Configuring PSI Probe for Docker-compatible local access...\n"
+    CONTEXT_XML="$CATALINA_HOME/webapps/probe/META-INF/context.xml"
+    mkdir -p "$CATALINA_HOME/webapps/probe/META-INF"
+    cat > "$CONTEXT_XML" << EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<Context privileged="true">
+  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+         allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|172\.1[6-9]\..*|172\.2[0-9]\..*|172\.3[0-1]\..*|10\..*|192\.168\..*"/>
+</Context>
+EOF
+
+    printf "INFO: PSI Probe configured for Docker-compatible access\n"
+
+    printf "INFO: PSI Probe setup completed\n"
+  else
+    printf "INFO: PSI Probe disabled, skipping setup\n"
+  fi
+}
+
+setup_psi_probe
+
 catalina.sh run &
 /usr/local/bin/geoserver-rest-config.sh
 fg %1