Switch to distroless image (#473)

* switch to distroless image

* update docker build/run commands and envvars

* remove commented code

* use nonroot image

* make write perms more fine grained

Author: skykanin

.dockerignore

@@ -0,0 +1,3 @@
+Dockerfile
+node_modules/
+tests/

Dockerfile

@@ -4,34 +4,18 @@ RUN apk add pnpm
 
 COPY . .
 
-RUN rm -rf node_modules && \
-    pnpm install && pnpm run build
-
-FROM node:20-alpine
-
-# Create a user with a specific UID, GID, and home directory
-ARG USERNAME=appuser
-ARG UID=1001
-ARG GID=1001
-ARG HOME_DIR=/home/appuser
-
-RUN addgroup -g ${GID} ${USERNAME}
-RUN adduser -D -u ${UID} -G ${USERNAME} -h ${HOME_DIR} ${USERNAME}
-RUN mkdir -p ${HOME_DIR} && chown -R ${UID}:${GID} ${HOME_DIR}
-WORKDIR ${HOME_DIR}/app
-
-COPY --from=builder /usr/local/app/dist ${HOME_DIR}/app/dist
-COPY package*.json server.js ./
-
-# Ensure appuser owns all files in /home/appuser/app
-RUN chown -R ${UID}:${GID} ${HOME_DIR}/app
+RUN pnpm install && pnpm run build
+RUN pnpm install --ignore-scripts vite-express
 
-RUN apk add pnpm
-USER ${USERNAME}
+FROM gcr.io/distroless/nodejs20-debian12:debug-nonroot
 
-RUN pnpm install --ignore-scripts vite-express
+COPY --from=builder --chown=nonroot:nonroot --chmod=777 /usr/local/app/dist /app/dist/
+COPY --from=builder --chown=nonroot:nonroot --chmod=555 /usr/local/app/node_modules /app/node_modules
+COPY --from=builder --chown=nonroot:nonroot --chmod=555 /usr/local/app/package*.json /usr/local/app/server.js /app/
 
+WORKDIR /app
+ENV NODE_ENV=production
 ENV PORT=8080
 EXPOSE 8080
 
-ENTRYPOINT ["sh", "-c", "./dist/vite-envs.sh && npm run prod"]
+ENTRYPOINT ["sh", "-c", "/busybox/sh ./dist/vite-envs.sh && /nodejs/bin/node server.js"]

Makefile

@@ -10,7 +10,7 @@ help:
 build: ## Build the app
 	pnpm install
 
-.PHONY: run-dev 
+.PHONY: run-dev
 run-dev: ## Run the app in dev mode
 	pnpm run dev
 
@@ -34,9 +34,9 @@ develop: ## Start the nix development shell
 
 .PHONY: build-local-docker
 build-docker-local: ## Build the docker container
-	docker build -t dapla-ctrl .
+	docker build --platform linux/amd64 -t dapla-ctrl:latest .
 
 include .env.local
 .PHONY: run-docker-local
 run-docker-local: ## Run the docker container
-	docker run -it -p 8080:8080 -e VITE_JWKS_URI=${VITE_JWKS_URI} dapla-ctrl
+	./bin/run-docker.sh

bin/run-docker.sh

@@ -0,0 +1,8 @@
+docker run --platform linux/amd64 \
+  --rm -it \
+  -p3000:3000 \
+  -e PORT=3000 \
+  -e DAPLA_TEAM_API_URL=https://dapla-team-api.intern.test.ssb.no \
+  -e DAPLA_CTRL_ADMIN_GROUPS=dapla-stat-developers,dapla-skyinfra-developers \
+  -e DAPLA_CTRL_DOCUMENTATION_URL=https://manual.dapla.ssb.no/statistikkere/dapla-ctrl.html \
+  dapla-ctrl:latest

flake.nix

@@ -18,8 +18,8 @@
           shellHook = ''
             export DAPLA_TEAM_API_URL=https://dapla-team-api.intern.test.ssb.no
             export PORT=3000
-            export DAPLA_CTRL_ADMIN_GROUPS=dapla-stat-developers,dapla-skyinfra-developers,dapla-utvik-developers
-            export DAPLA_CTRL_DOCUMENTATION_URL=https://statistics-norway.atlassian.net/wiki/x/EYC24g
+            export DAPLA_CTRL_ADMIN_GROUPS=dapla-stat-developers,dapla-skyinfra-developers
+            export DAPLA_CTRL_DOCUMENTATION_URL=https://manual.dapla.ssb.no/statistikkere/dapla-ctrl.html
           '';
           packages = with pkgs; [
             nixd