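# syntax=docker/dockerfile:1
# NOTE(review): pin the base by digest (python:3.10-alpine@sha256:...) for a
# reproducible, auditable image; the bare tag moves with every alpine rebuild.
FROM python:3.10-alpine AS python-base
# Linux libraries needed to compile some python packages.
# `apk add --no-cache` fetches a fresh index itself, so the separate
# `apk update` that used to precede it only left a stale index in the layer.
# gcompat provides the glibc shim some prebuilt wheels expect on musl.
# NOTE(review): libressl-dev — newer alpine releases ship openssl-dev instead;
# confirm the package still resolves on the tag in use.
RUN apk add --no-cache \
        bash \
        build-base \
        gcompat \
        libffi-dev \
        libressl-dev \
        musl-dev \
        zlib-dev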
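# BUILD STAGE ---------------------------------------
# split this stage to save time and reduce image size
# ---------------------------------------------------
FROM python-base AS build
WORKDIR /app
# install python deps into /root/.local (--user) so the runtime stage can copy
# just that tree; --no-cache-dir keeps pip's download cache out of the layer
RUN pip install --no-cache-dir --upgrade pip
COPY requirements.txt requirements.txt
RUN pip install --no-cache-dir --user -r requirements.txt
# COPY of a directory copies its *contents*, so the previous
# `COPY horizon setup.py MANIFEST.in ./` flattened the package into /app.
# Copy it as /app/horizon so the build tree matches the source layout
# (`horizon/` next to setup.py).
COPY horizon ./horizon
COPY setup.py MANIFEST.in ./
RUN python setup.py install --user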
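# OPA BUILD STAGE -----------------------------------
# build opa from source or download precompiled binary
# ---------------------------------------------------
FROM golang:bullseye AS opa_build
# OPA release to download when no custom tarball is supplied. "latest" keeps
# the previous behaviour; pin a release (vX.Y.Z) for reproducible images.
ARG OPA_VERSION=latest
# optional sha256 of the downloaded binary; verified only when non-empty
ARG OPA_SHA256=""
COPY custom* /custom
# curl -f is required: without it an HTTP error page would be saved as /opa
# and later shipped as the policy engine binary.
RUN if [ -f /custom/custom_opa.tar.gz ]; \
    then \
        cd /custom && \
        tar xzf custom_opa.tar.gz && \
        go build -o /opa && \
        rm -rf /custom ; \
    else \
        case $(uname -m) in \
            x86_64)  OPA_ARCH=amd64 ;; \
            aarch64) OPA_ARCH=arm64 ;; \
            *) echo "Unknown architecture." ; exit 1 ;; \
        esac && \
        curl -fsSL -o /opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_${OPA_ARCH}_static" && \
        if [ -n "$OPA_SHA256" ]; then echo "${OPA_SHA256}  /opa" | sha256sum -c - ; fi ; \
    fi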
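# MAIN IMAGE ----------------------------------------
# most of the time only this image should be built
# ---------------------------------------------------
# NOTE(review): this stage inherits build-base/gcc and the -dev headers from
# python-base; a runtime-only base (python:3.10-alpine plus bash, gcompat and
# the shared libs the wheels link against) would shrink the attack surface.
FROM python-base
WORKDIR /app
# unprivileged runtime user. NOTE(review): no fixed UID/GID is set; add -u/-g
# if the runtime (e.g. runAsNonRoot + runAsUser) must verify a known id.
RUN addgroup -S permit && \
    adduser -S -s /bin/bash -G permit -h /home/permit permit
# python deps from the build stage (installed with --user, hence /root/.local)
COPY --from=build --chown=permit:permit /root/.local /home/permit/.local
# OPA binary from the opa_build stage
COPY --from=opa_build --chown=permit:permit --chmod=755 /opa /app/bin/opa
# bash is needed for ./start.sh
COPY scripts ./
# /config is written by the runtime user; /app/bin stays permit-owned as before.
# NOTE(review): if start.sh never writes into /app/bin, leave it root-owned so
# the runtime user cannot swap out the policy engine binary.
RUN mkdir -p /config && \
    chown -R permit:permit /app/bin /config /home/permit
# wait-for-it (use only for development! e.g: docker compose). Executable but
# root-owned: the runtime user must NOT own /usr — the previous
# `chown -R permit:permit /usr/` let any code-execution bug in the app
# rewrite the python interpreter and every system library.
COPY --chmod=755 scripts/wait-for-it.sh /usr/wait-for-it.sh
# startup script
COPY --chmod=755 ./scripts/start.sh ./start.sh
# pip/setuptools live in the base image's root-owned site-packages; remove them
# while still root (doing it after USER only worked because /usr had been
# handed to the runtime user)
RUN pip uninstall -y pip setuptools
USER permit
# Kong route-to-resource translation table
COPY kong_routes.json /config/kong_routes.json
# gunicorn config
COPY ./scripts/gunicorn_conf.py ./gunicorn_conf.py
# app code. NOTE(review): this copies the whole build context (any custom*
# OPA sources, .git, local .env files, ...) unless .dockerignore excludes
# them — make sure one exists.
COPY . ./
# Make sure scripts in .local are usable.
# NOTE(review): "/" leads the PATH; it is root-owned so not writable by permit,
# but drop it unless start.sh depends on it.
ENV PATH="/:/app/bin:/home/permit/.local/bin:$PATH"
# uvicorn config ------------------------------------
# WARNING: do not change the number of workers on the opal client!
# only one worker is currently supported for the client.
# number of uvicorn workers
ENV UVICORN_NUM_WORKERS=1
# uvicorn asgi app
ENV UVICORN_ASGI_APP="horizon.main:app"
# uvicorn port
ENV UVICORN_PORT=7000
# opal configuration --------------------------------
ENV OPAL_SERVER_URL="https://opal.permit.io"
ENV OPAL_LOG_DIAGNOSE="false"
ENV OPAL_LOG_TRACEBACK="false"
ENV OPAL_LOG_MODULE_EXCLUDE_LIST="[]"
ENV OPAL_INLINE_OPA_ENABLED="true"
ENV OPAL_INLINE_OPA_LOG_FORMAT="http"
# horizon configuration -----------------------------
# by default, the backend is at port 8000 on the docker host
# in prod, you must pass the correct url
ENV PDP_CONTROL_PLANE="https://api.permit.io"
# placeholder only: never bake a real key into the image (ENV values are
# visible in `docker history` / `docker inspect`); pass it at run time
ENV PDP_API_KEY="MUST BE DEFINED"
ENV PDP_REMOTE_CONFIG_ENDPOINT="/v2/pdps/me/config"
ENV PDP_REMOTE_STATE_ENDPOINT="/v2/pdps/me/state"
# expose sidecar port
EXPOSE 7000
# expose opa directly. OPA's REST API has no authentication by default, so
# treat 8181 as pod/network-internal and do not publish it on a host
# interface unless OPA is configured with authn/authz.
EXPOSE 8181
# run gunicorn
CMD ["/app/start.sh"]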