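# OPA BUILD STAGE -----------------------------------
# build opa from source or download precompiled binary
# ---------------------------------------------------
# NOTE: golang:bullseye is a floating tag; pin a version/digest for reproducible builds.
FROM golang:bullseye AS opa_build
# OPA release to download when no custom tarball is supplied. "latest" keeps the
# previous floating behaviour; pass --build-arg OPA_VERSION=v<x.y.z> for a
# reproducible build. The download is NOT checksum-verified in either mode.
ARG OPA_VERSION=latest
COPY custom* /custom
# Either build OPA from /custom/custom_opa.tar.gz (cleaned up afterwards) or
# download the static binary for the build machine's architecture.
# curl -f makes an HTTP error fail the build instead of silently writing the
# error page into /opa; unsupported architectures abort with exit 1.
RUN if [ -f /custom/custom_opa.tar.gz ]; \
    then \
        cd /custom && \
        tar xzf custom_opa.tar.gz && \
        go build -o /opa && \
        rm -rf /custom ; \
    else \
        case $(uname -m) in \
            x86_64) \
                curl -fsSL -o /opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_amd64_static" ; \
                ;; \
            aarch64) \
                curl -fsSL -o /opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_arm64_static" ; \
                ;; \
            *) \
                echo "Unknown architecture." ; \
                exit 1 ; \
                ;; \
        esac ; \
    fi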
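# MAIN IMAGE ----------------------------------------
# most of the time only this image should be built
# ---------------------------------------------------
FROM python:3.10-alpine
WORKDIR /app
# dedicated unprivileged runtime user with stable UID/GID (1000/1001)
RUN addgroup -S permit -g 1001 && \
    adduser -S -s /bin/bash -u 1000 -G permit -h /home/permit permit
# install linux libraries necessary to compile some python packages
# (`apk add --no-cache` fetches a fresh index itself, so no separate `apk update`;
# package versions are unpinned, so rebuilds are not fully reproducible)
RUN apk add --no-cache bash build-base libffi-dev libressl-dev musl-dev zlib-dev gcompat
# writable locations for the runtime user: the opa binary dir and /config
RUN mkdir -p /app/bin /config && \
    chown -R permit:permit /app/bin /config
# Copy custom opa binary
COPY --from=opa_build --chmod=755 /opa /app/bin/opa
# bash is needed for ./start.sh script; scripts/ provides start.sh and gunicorn_conf.py
COPY scripts ./
RUN chmod +x ./start.sh
# copy wait-for-it (use only for development! e.g: docker compose)
COPY --chmod=755 scripts/wait-for-it.sh /usr/wait-for-it.sh
# install python dependencies as root into the system site-packages, so the
# runtime user never needs write access under /usr. (The image used to chown
# all of /usr to permit, which let the application overwrite its own
# interpreter, libraries and system binaries.)
COPY ./requirements.txt ./requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
# strip the package installer from the runtime image: nothing is installed at runtime
RUN python -m pip uninstall -y pip setuptools && \
    rm -r /usr/local/lib/python3.10/ensurepip
RUN chown -R permit:permit /home/permit
# everything below runs as the unprivileged user; COPY still writes root-owned
# files, so the app code is read-only for the runtime user
USER permit
# copy Kong route-to-resource translation table
COPY kong_routes.json /config/kong_routes.json
# copy app code
COPY ./horizon ./horizon
# copy version file
COPY ./permit_pdp_version /app/permit_pdp_version
# Make sure scripts in .local are usable:
ENV PATH="/:/app/bin:/home/permit/.local/bin:$PATH"
# uvicorn config ------------------------------------
# WARNING: do not change the number of workers on the opal client!
# only one worker is currently supported for the client.
# number of uvicorn workers
ENV UVICORN_NUM_WORKERS=1
# uvicorn asgi app
ENV UVICORN_ASGI_APP="horizon.main:app"
# uvicorn port
ENV UVICORN_PORT=7000
# opal configuration --------------------------------
ENV OPAL_SERVER_URL="https://opal.permit.io"
ENV OPAL_LOG_DIAGNOSE="false"
ENV OPAL_LOG_TRACEBACK="false"
ENV OPAL_LOG_MODULE_EXCLUDE_LIST="[]"
ENV OPAL_INLINE_OPA_ENABLED="true"
ENV OPAL_INLINE_OPA_LOG_FORMAT="http"
# horizon configuration -----------------------------
# by default, the backend is at port 8000 on the docker host
# in prod, you must pass the correct url
ENV PDP_CONTROL_PLANE="https://api.permit.io"
# placeholder only: the real key is supplied at runtime (env/secret), never baked into the image
ENV PDP_API_KEY="MUST BE DEFINED"
ENV PDP_REMOTE_CONFIG_ENDPOINT="/v2/pdps/me/config"
ENV PDP_REMOTE_STATE_ENDPOINT="/v2/pdps/me/state"
ENV PDP_VERSION_FILE_PATH="/app/permit_pdp_version"
# This is a default PUBLIC (not secret) key,
# and it is here as a safety measure on purpose.
ENV OPAL_AUTH_PUBLIC_KEY="ssh-rsa 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"
# expose sidecar port
EXPOSE 7000
# expose opa directly
EXPOSE 8181
# run gunicorn
CMD ["/app/start.sh"]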