feat: Wolfi-based Docker images #4276

Merged
merged 4 commits into from
Jul 18, 2024
41 changes: 25 additions & 16 deletions Dockerfile
@@ -32,9 +32,9 @@
# * build-node [node]
# * build-node-django [build-node]
# * build-node-selfhosted [build-node]
# * build-python [python]
# * build-python [wolfi-base]
# * build-python-private [build-python]
# * api-runtime [python:slim]
# * api-runtime [wolfi-base]
# * api-runtime-private [api-runtime]

# - Target (shippable) stages
@@ -52,9 +52,7 @@ ARG NODE_VERSION=16
ARG PYTHON_VERSION=3.11

FROM public.ecr.aws/docker/library/node:${NODE_VERSION}-bookworm as node
FROM public.ecr.aws/docker/library/node:${NODE_VERSION}-bookworm-slim as node-slim
FROM public.ecr.aws/docker/library/python:${PYTHON_VERSION}-bookworm as python
FROM public.ecr.aws/docker/library/python:${PYTHON_VERSION}-slim-bookworm as python-slim
FROM cgr.dev/chainguard/wolfi-base:latest as wolfi-base

# - Intermediary stages
# * build-node
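Review bot: `FROM cgr.dev/chainguard/wolfi-base:latest as wolfi-base` pins neither a dated tag nor a digest, so every build resolves to whatever `latest` is on that day and two builds of the same commit can produce different images, which makes CVE triage and rollback harder. Suggest pinning by digest, e.g. `FROM cgr.dev/chainguard/wolfi-base:latest@sha256:<digest placeholder> as wolfi-base`, and letting dependency automation bump it. A comment next to `ARG PYTHON_VERSION=3.11` noting that the value must stay in `major.minor` form would also help, since it is spliced into Wolfi package names (`python-3.11`, `py3.11-pip`) in the later hunks.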
@@ -82,9 +80,15 @@ FROM build-node as build-node-selfhosted
RUN cd frontend && npm run bundle

# * build-python
FROM python as build-python
FROM wolfi-base as build-python
WORKDIR /build

ARG PYTHON_VERSION
RUN apk add build-base linux-headers curl git \
python-${PYTHON_VERSION} \
python-${PYTHON_VERSION}-dev \
py${PYTHON_VERSION}-pip

COPY api/pyproject.toml api/poetry.lock api/Makefile ./
ENV POETRY_VIRTUALENVS_IN_PROJECT=true \
POETRY_VIRTUALENVS_OPTIONS_ALWAYS_COPY=true \
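Review bot: the `apk add` line makes `py${PYTHON_VERSION}-pip` the only pip present anywhere in the image set, and the api-runtime hunk below deletes the old comment explaining that pip is deliberately kept out of the runtime (the CVE-2018-20225 note); a one-line comment here saying pip is builder-only would preserve that rationale. `ARG PYTHON_VERSION` is correctly redeclared inside the stage, since a global `ARG` is not visible after `FROM`; `curl` and `git` are acceptable in a non-shipped builder, but nothing in this hunk documents what they are needed for.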
@@ -108,12 +112,12 @@ RUN --mount=type=secret,id=github_private_cloud_token \
make install-private-modules

# * api-runtime
FROM python-slim as api-runtime
FROM wolfi-base as api-runtime

# Uninstall pip to reduce CVE-2018-20225 noise
# and make system Python available to venv entrypoints
RUN pip uninstall -y pip && mkdir -p /build/.venv/bin && \
ln -s /usr/local/bin/python /build/.venv/bin/python
# Install Python and make it available to venv entrypoints
ARG PYTHON_VERSION
RUN apk add python-${PYTHON_VERSION} && \
mkdir /build/ && ln -s /usr/local/ /build/.venv

WORKDIR /app

@@ -136,7 +140,7 @@ CMD ["migrate-and-serve"]
FROM api-runtime as api-runtime-private

# Install SAML binary dependency
RUN apt-get update && apt-get install -y xmlsec1 && rm -rf /var/lib/apt/lists/*
RUN apk add xmlsec

# - Target (shippable) stages
# * private-cloud-api [api-runtime-private, build-python-private]
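Review bot: the rename from Debian's `xmlsec1` to Wolfi's `xmlsec` needs a check that the package actually ships the command the comment calls a "SAML binary dependency"; package names and contents differ between distributions, and a missing binary here would only surface at SAML login time. A build-time `RUN xmlsec1 --version` (or whichever command the SAML library invokes) directly after `apk add xmlsec` fails the build instead.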
@@ -165,7 +169,7 @@ FROM api-runtime-private as saas-api

# Install GnuPG and import private key
RUN --mount=type=secret,id=sse_pgp_pkey \
apt-get update && apt-get install -y gnupg && \
apk add gnupg && \
gpg --import /run/secrets/sse_pgp_pkey && \
mv /root/.gnupg/ /app/ && \
chown -R nobody /app/.gnupg/
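Review bot: only the package manager changes here, but note that `--mount=type=secret` protects just `/run/secrets/sse_pgp_pkey`; the imported private key is then written to `/root/.gnupg`, moved to `/app/.gnupg` and chowned to `nobody`, so it ends up in an image layer readable by the runtime user. That predates this PR, but since the stage is being rebuilt it is a good moment to document why the key has to live in the image, and to confirm that the Wolfi `gnupg` package provides the `gpg` binary the next line calls.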
@@ -187,12 +191,14 @@ RUN python manage.py collectstatic --no-input
USER nobody

# * oss-frontend [build-node-selfhosted]
FROM node-slim AS oss-frontend
FROM wolfi-base AS oss-frontend

ARG NODE_VERSION
RUN apk add nodejs-${NODE_VERSION}

USER node
WORKDIR /srv/bt

COPY --from=build-node-selfhosted --chown=node:node /build/frontend .
COPY --from=build-node-selfhosted /build/frontend/ /srv/bt/

ENV NODE_ENV=production

@@ -201,8 +207,11 @@ RUN echo ${CI_COMMIT_SHA} > /srv/bt/CI_COMMIT_SHA
COPY .release-please-manifest.json /srv/bt/.versions.json

EXPOSE 8080

CMD ["node", "./api/index.js"]

USER node

# * oss-unified [api-runtime, build-python, build-node-django]
FROM api-runtime as oss-unified

2 changes: 1 addition & 1 deletion api/scripts/run-docker.sh
@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/sh
set -e

# The script can take 2 optional arguments:
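Review bot: switching the shebang to `#!/bin/sh` is required because wolfi-base ships busybox `sh` and no `/bin/bash`, but `set -e` is the only line shown; the rest of `run-docker.sh` should be checked for bashisms (`[[ ]]`, arrays, `set -o pipefail`, `source`, `${var,,}`) that busybox `sh` rejects at container start rather than at build time. `shellcheck --shell=sh api/scripts/run-docker.sh` in CI catches these.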