Merge pull request #3 from jianxiaoguo/main

chore(dockerfile): use drycc/base image

Author: duanhongyi

Makefile

@@ -63,6 +63,6 @@ test-integration:
 
 upload-coverage:
 	$(eval CI_ENV := $(shell curl -s https://codecov.io/env | bash))
-	docker run --rm ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test codecov --required
+	docker run --rm ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test /test/rootfs/bin/upload-coverage
 
 .PHONY: check-kubectl check-docker build docker-build docker-build-test deploy clean commit-hook full-clean test test-style test-unit test-functional test-integration upload-coverage

rootfs/Dockerfile

@@ -1,35 +1,47 @@
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
 
-COPY requirements.txt /app/requirements.txt
+RUN adduser --system \
+	--shell /bin/bash \
+	--disabled-password \
+	--home /app \
+	--group \
+	drycc
 
-ENV PATH="/app/.venv/bin:${PATH}"
+ENV PYTHON_VERSION="3.10.2" \
+  HELM_VERSION="3.8.0"
 
 COPY . /app
 
 WORKDIR /app
-
-RUN apk add --update --virtual .build-deps \
-    musl-dev \
-    openssl-dev \
+RUN buildDeps='musl-dev openssl'; \
+    install-packages $buildDeps \
+  && install-stack python $PYTHON_VERSION \
+  && install-stack helm $HELM_VERSION && . init-stack \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
-  && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
-    | tr ',' '\n' \
-    | sort -u \
-    | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
-    | xargs -rt apk add --no-cache --virtual .python-rundeps \
-  && apk add --update --virtual .helmbroker-rundeps \
-    $runDeps \
-    ca-certificates \
-    su-exec \
-    bash \
-    shadow \
-    curl \
-  && apk del .build-deps \
-  && chmod +x /app/bin/* \
-  && /app/bin/install
+  # cleanup
+  && scanelp /app/.venv/lib > runtime.txt \
+  && apt-get purge -y --auto-remove $buildDeps \
+  && install-packages $(< runtime.txt) \
+  && apt-get autoremove -y \
+  && apt-get clean -y \
+  && rm -rf \
+        /usr/share/doc \
+        /usr/share/man \
+        /usr/share/info \
+        /usr/share/locale \
+        /var/lib/apt/lists/* \
+        /var/log/* \
+        /var/cache/debconf/* \
+        /etc/systemd \
+        /lib/lsb \
+        /lib/udev \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+  && mkdir -p /usr/share/man/man{1..8}
 
-ENV PATH /app/.venv/bin:/app/bin:$PATH
-CMD ["/app/bin/boot"]
+USER drycc
+WORKDIR /app
+CMD ["PATH=/app/.venv/bin:\$PATH", "/app/bin/boot"]
 EXPOSE 8000

rootfs/Dockerfile.test

@@ -1,38 +1,50 @@
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
 
-COPY requirements.txt /app/requirements.txt
+RUN adduser --system \
+	--shell /bin/bash \
+	--disabled-password \
+	--home /app \
+	--group \
+	drycc
 
-ENV PATH="/app/.venv/bin:${PATH}"
+ENV PYTHON_VERSION="3.10.2" \
+  HELM_VERSION="3.8.0" \
+  KUBECTL_VERSION="1.23.4"
 
 COPY . /app
-
 WORKDIR /app
 
-RUN apk add --update --virtual .build-deps \
-    musl-dev \
-    openssl-dev \
+RUN buildDeps='musl-dev openssl'; \
+  install-packages $buildDeps \
+  && install-stack python $PYTHON_VERSION \
+  && install-stack helm $HELM_VERSION \
+  && install-stack kubectl $KUBECTL_VERSION && . init-stack \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/dev_requirements.txt \
-  && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
-    | tr ',' '\n' \
-    | sort -u \
-    | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
-    | xargs -rt apk add --no-cache --virtual .python-rundeps \
-  && apk add --update --virtual .helmbroker-rundeps \
-    $runDeps \
-    git \
-    ca-certificates \
-    su-exec \
-    bash \
-    shadow \
-    curl \
-  && apk del .build-deps \
-  && chmod +x /app/bin/* \
-  && /app/bin/install
-COPY . /app
+  # cleanup
+  && scanelp /app/.venv/lib > runtime.txt \
+  && apt-get purge -y --auto-remove $buildDeps \
+  && install-packages $(< runtime.txt) \
+  && apt-get autoremove -y \
+  && apt-get clean -y \
+  && rm -rf \
+        /usr/share/doc \
+        /usr/share/man \
+        /usr/share/info \
+        /usr/share/locale \
+        /var/lib/apt/lists/* \
+        /var/log/* \
+        /var/cache/debconf/* \
+        /etc/systemd \
+        /lib/lsb \
+        /lib/udev \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+  && mkdir -p /usr/share/man/man{1..8} \
 
-ENV PATH /app/.venv/bin:/app/bin:$PATH
+USER drycc
+WORKDIR /app
 CMD ["/app/bin/boot"]
 EXPOSE 8000

rootfs/bin/boot

@@ -5,7 +5,8 @@
 
 # fail hard and fast even on pipelines
 set -eo pipefail
-
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 # spawn a gunicorn server in the background
 echo ""
 echo "Starting up Gunicorn"

rootfs/bin/install

@@ -5,5 +5,6 @@
 
 # fail hard and fast even on pipelines
 set -eou pipefail
-
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 flake8 --show-source --exclude .venv,migrations

rootfs/bin/test-style

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+#
+# This script is designed to be run inside the container
+#
+
+# fail hard and fast even on pipelines
+set -eou pipefail
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
+
+codecov --required