docker UBI images for pipelines

2025-05-04 23:22:42 +08:00 · 2023-06-06 14:51:33 +02:00 · 2023-06-06 14:51:33 +02:00 · 85361d27fb
commit 85361d27fb
parent 8cf58dbde9
9 changed files with 147 additions and 39 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,12 @@
 *.sqlite
 *.sqlite3
 web/node_modules
 web/dist
 release
 .idea
 coverage.out
 # ignore any executables we build
 /gitness
 /gitrpcserver
 /githook
--- a/19
+++ b/19
@ -51,10 +51,18 @@ build: generate ## Build the all-in-one gitness binary
 	@echo "Building Gitness Server"
 	go build -ldflags=${LDFLAGS} -o ./gitness ./cmd/gitness
 build-pq: generate ## Build the all-in-one gitness binary
 	@echo "Building Gitness Server"
 	go build -tags=pq -ldflags=${LDFLAGS} -o ./gitness ./cmd/gitness
 harness-build: generate ## Build the all-in-one gitness binary for harness embedded mode
 	@echo "Building Gitness Server for Harness"
 	go build -tags=harness -ldflags=${LDFLAGS} -o ./gitness ./cmd/gitness
 harness-build-pq: generate ## Build the all-in-one gitness binary for harness embedded mode using postgres
 	@echo "Building Gitness Server for Harness"
 	go build -tags=harness,pq -ldflags=${LDFLAGS} -o ./gitness ./cmd/gitness
 build-gitrpc: generate ## Build the gitrpc binary
 	@echo "Building GitRPC Server"
 	go build -ldflags=${LDFLAGS} -o ./gitrpcserver ./cmd/gitrpcserver
@ -101,6 +109,7 @@ test-env: stop ## Run test environment - this runs all services and the gitness
 image: ## Build the gitness docker image
 	@echo "Building Gitness Image"
 	@docker build \
 			--secret id=npmrc,src=${HOME}/.npmrc \
 			--build-arg GITNESS_VERSION=latest \
 			--build-arg GIT_COMMIT=${GIT_COMMIT} \
 			--build-arg GITHUB_ACCESS_TOKEN=${GITHUB_ACCESS_TOKEN} \
@ -108,6 +117,16 @@ image: ## Build the gitness docker image
 			 -t gitness:latest \
 			 -f ./docker/Dockerfile .
 gitrpc-image: ## Build the gitness gitrpc docker image
 	@echo "Building Gitness GitRPC Image"
 	@docker build \
 			--build-arg GITNESS_VERSION=latest \
 			--build-arg GIT_COMMIT=${GIT_COMMIT} \
 			--build-arg GITHUB_ACCESS_TOKEN=${GITHUB_ACCESS_TOKEN} \
 			--platform linux/amd64 \
 			 -t gitness-gitrpc:latest \
 			 -f ./docker/Dockerfile.gitrpc .
 e2e: generate test-env ## Run e2e tests
 	chmod +x wait-for-gitness.sh && ./wait-for-gitness.sh
 	go test -p 1 -v -coverprofile=e2e_cov.out ./tests/... -env=".env.local"
--- a/cmd/gitness/main.go
+++ b/cmd/gitness/main.go
@ -2,12 +2,14 @@
 // Use of this source code is governed by the Polyform Free Trial License
 // that can be found in the LICENSE.md file for this repository.
 //go:build !pq
 // +build !pq
 package main
 import (
 	"github.com/harness/gitness/cli"
 	_ "github.com/lib/pq"
 	_ "github.com/mattn/go-sqlite3"
 )
--- a/cmd/gitness/pg.go
+++ b/cmd/gitness/pg.go
@ -0,0 +1,18 @@
 // Copyright 2022 Harness Inc. All rights reserved.
 // Use of this source code is governed by the Polyform Free Trial License
 // that can be found in the LICENSE.md file for this repository.
 //go:build pq
 // +build pq
 package main
 import (
 	"github.com/harness/gitness/cli"
 	_ "github.com/lib/pq"
 )
 func main() {
 	cli.Command()
 }
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -1,4 +1,23 @@
-### Build operator
+### Build web
 FROM node:16 as web
 # Create app directory
 WORKDIR /usr/src/app
 COPY web/package.json ./
 COPY web/yarn.lock ./
 RUN --mount=type=secret,id=npmrc,target=/root/.npmrc yarn
 # If you are building your code for production
 # RUN npm ci --omit=dev
 COPY ./web .
 RUN yarn build && \
    yarn cache clean
 ### Build gitness
 FROM golang:1.19-alpine as builder
 RUN apk update \
@ -21,17 +40,28 @@ RUN make dep
 RUN make tools
 # COPY the source code as the last step
 COPY . .
-# set required build flags
+
-ENV CGO_ENABLED=1 \
+COPY --from=web /usr/src/app/dist /app/web/dist
    GOOS=linux \
    GOARCH=amd64
 # build
 ARG GIT_COMMIT
 ARG GITNESS_VERSION_MAJOR
 ARG GITNESS_VERSION_MINOR
 ARG GITNESS_VERSION_PATCH
-RUN make harness-build
+
 # set required build flags
 ARG sqlite
 RUN if [[ -z "$sqlite" ]] ; then \
    CGO_ENABLED=0 \
    GOOS=linux \
    GOARCH=amd64 \
    make harness-build-pq \
 ; else \
    CGO_ENABLED=1 \
    GOOS=linux \
    GOARCH=amd64 \
    make harness-build \
 ; fi
 ### Pull CA Certs
 FROM alpine:latest as cert-image
@ -39,21 +69,20 @@ FROM alpine:latest as cert-image
 RUN apk --update add ca-certificates
 ### Create final image
-FROM alpine/git:2.36.3 as final
+FROM us.gcr.io/platform-205701/ubi/ubi-go:8.7 as final
-RUN adduser -u 1001 -D -h /app iamuser
+USER root
 RUN mkdir /app && chown nobody:nobody /app
 USER nobody
 WORKDIR /app
-COPY --from=cert-image /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --chown=nobody:nobody --from=cert-image /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=builder /app/gitness /app/gitness
+COPY --chown=nobody:nobody --from=builder /app/gitness /app/gitness
 RUN chown -R 1001:1001 /app
 RUN chmod -R 700 /app/gitness
 EXPOSE 3000
 EXPOSE 3001
 USER 1001
 ENTRYPOINT [ "/app/gitness", "server" ]
--- a/docker/Dockerfile.gitrpc
+++ b/docker/Dockerfile.gitrpc
@ -40,24 +40,25 @@ FROM alpine:latest as cert-image
 RUN apk --update add ca-certificates
 ### Create final image
-FROM alpine/git:2.36.3 as final
+FROM us.gcr.io/platform-205701/ubi/ubi-go:8.7 as final
-RUN adduser -u 1001 -D -h /app iamuser
+USER root
 RUN microdnf update && \
    microdnf install git
 RUN mkdir /app && chown nobody:nobody /app
 USER nobody
 WORKDIR /app
-COPY --from=cert-image /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --chown=nobody:nobody --from=cert-image /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=builder /app/gitrpcserver /app/gitrpcserver
+COPY --chown=nobody:nobody --from=builder /app/gitrpcserver /app/gitrpcserver
-COPY --from=builder /app/githook /app/githook
+COPY --chown=nobody:nobody --from=builder /app/githook /app/githook
 RUN chown -R 1001:1001 /app
 RUN chmod -R 700 /app/gitrpcserver
 RUN chmod -R 700 /app/githook
 EXPOSE 3001
 USER 1001
 # configure gitrpc to use githook (as they come bundled in the image)
 ENV GITRPC_SERVER_GIT_HOOK_PATH="/app/githook"
--- a/internal/store/database/util.go
+++ b/internal/store/database/util.go
@ -9,9 +9,6 @@ import (
 	"fmt"
 	"github.com/harness/gitness/internal/store"
 	"github.com/lib/pq"
 	"github.com/mattn/go-sqlite3"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )
@ -58,17 +55,3 @@ func processSQLErrorf(err error, format string, args ...interface{}) error {
 		return fallbackErr
 	}
 }
 func isSQLUniqueConstraintError(original error) bool {
 	var sqliteErr sqlite3.Error
 	if errors.As(original, &sqliteErr) {
 		return errors.Is(sqliteErr.ExtendedCode, sqlite3.ErrConstraintUnique)
 	}
 	var pqErr *pq.Error
 	if errors.As(original, &pqErr) {
 		return pqErr.Code == "23505" // unique_violation
 	}
 	return false
 }
--- a/internal/store/database/util_pq.go
+++ b/internal/store/database/util_pq.go
@ -0,0 +1,22 @@
 // Copyright 2022 Harness Inc. All rights reserved.
 // Use of this source code is governed by the Polyform Free Trial License
 // that can be found in the LICENSE.md file for this repository.
 //go:build pq
 // +build pq
 package database
 import (
 	"github.com/lib/pq"
 	"github.com/pkg/errors"
 )
 func isSQLUniqueConstraintError(original error) bool {
 	var pqErr *pq.Error
 	if errors.As(original, &pqErr) {
 		return pqErr.Code == "23505" // unique_violation
 	}
 	return false
 }
--- a/internal/store/database/util_sqlite.go
+++ b/internal/store/database/util_sqlite.go
@ -0,0 +1,22 @@
 // Copyright 2022 Harness Inc. All rights reserved.
 // Use of this source code is governed by the Polyform Free Trial License
 // that can be found in the LICENSE.md file for this repository.
 //go:build !pq
 // +build !pq
 package database
 import (
 	"github.com/mattn/go-sqlite3"
 	"github.com/pkg/errors"
 )
 func isSQLUniqueConstraintError(original error) bool {
 	var sqliteErr sqlite3.Error
 	if errors.As(original, &sqliteErr) {
 		return errors.Is(sqliteErr.ExtendedCode, sqlite3.ErrConstraintUnique)
 	}
 	return false
 }