Skip to content

Commit

Permalink
chore: update webapp base image to use airbyte nginx image (#14687)
Browse files Browse the repository at this point in the history
Co-authored-by: Alex Buchanan <alex.buchanan@airbyte.io>
  • Loading branch information
colesnodgrass and abuchanan-airbyte committed Dec 3, 2024
1 parent d89d8f4 commit 61937bb
Show file tree
Hide file tree
Showing 15 changed files with 589 additions and 26 deletions.
10 changes: 4 additions & 6 deletions airbyte-webapp/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,20 +1,18 @@
ARG NGINX_IMAGE=nginxinc/nginx-unprivileged:alpine3.20
ARG NGINX_IMAGE=airbyte/nginx-unprivileged:alpine3.20-2
FROM ${NGINX_IMAGE}

ARG BUILD_DIR=bin/build
ARG NGINX_CONFIG=bin/nginx/default.conf.template

EXPOSE 8080

USER root
COPY --chown=nginx:nginx ${BUILD_DIR} /usr/share/nginx/html
COPY --chown=nginx:nginx ${NGINX_CONFIG} /etc/nginx/templates/default.conf.template

COPY ${BUILD_DIR} /usr/share/nginx/html
USER root

RUN <<EOF
find /usr/share/nginx/html -type d -exec chmod 755 '{}' \; -o -type f -exec chmod 644 '{}' \;
chown -R nginx:nginx /usr/share/nginx/html
EOF

COPY ${NGINX_CONFIG} /etc/nginx/templates/default.conf.template

USER nginx:nginx
9 changes: 3 additions & 6 deletions charts/airbyte/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -237,16 +237,13 @@ webapp:

# -- Security context for the container
podSecurityContext:
# gid=101(nginx)
fsGroup: 101
fsGroup: 1000

containerSecurityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
# uid=101(nginx)
runAsUser: 101
# gid=101(nginx)
runAsGroup: 101
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: false
capabilities:
drop: ["ALL"]
Expand Down
4 changes: 2 additions & 2 deletions charts/helm-tests/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ module github.com/airbytehq/airbyte-platform-internal/oss/charts/helm-tests
go 1.23.1

require (
github.com/gruntwork-io/terratest v0.46.14
github.com/stretchr/testify v1.8.4
github.com/gruntwork-io/terratest v0.47.2
github.com/stretchr/testify v1.9.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.30.0
k8s.io/apimachinery v0.30.0
Expand Down
4 changes: 4 additions & 0 deletions charts/helm-tests/go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,8 @@ github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRa
github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78=
github.com/gruntwork-io/terratest v0.46.14 h1:nVT2JpOPLr7KbwOSNDP0GJffljH+Yu5833cwLorxRjs=
github.com/gruntwork-io/terratest v0.46.14/go.mod h1:L/IHbj195wnjfIFpZYWUhjwA3jm4O6ehO//xz7NxN8o=
github.com/gruntwork-io/terratest v0.47.2 h1:t6iWwsqJH7Gx0RwXleU/vjc+2c0JXRMdj3DxYXTBssQ=
github.com/gruntwork-io/terratest v0.47.2/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64=
github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
Expand Down Expand Up @@ -190,6 +192,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=
Expand Down
9 changes: 3 additions & 6 deletions charts/v2/airbyte/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -472,16 +472,13 @@ webapp:

# -- Security context for the container
podSecurityContext:
# gid=101(nginx)
fsGroup: 101
fsGroup: 1000

containerSecurityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
# uid=101(nginx)
runAsUser: 101
# gid=101(nginx)
runAsGroup: 101
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: false
capabilities:
drop: ["ALL"]
Expand Down
26 changes: 22 additions & 4 deletions docker/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -84,18 +84,36 @@ image.airbyte-mc: buildx.start
-f $(IMAGES_DIR)/airbyte-mc/Dockerfile . ; \
fi

image.airbyte-nginx: ## Build the airbyte/nginx image
image.airbyte-nginx: buildx.start
image.airbyte-nginx-slim: ## Build the airbyte/nginx-unprivileged image
image.airbyte-nginx-slim: buildx.start
@if [ "$(PUBLISH)" = "true" ]; then \
docker buildx build -t airbyte/nginx-alpine-slim:$(VERSION) \
--build-arg UID="1000" \
--build-arg GID="1000" \
--platform linux/amd64,linux/arm64 \
--push \
-f $(IMAGES_DIR)/airbyte-nginx/alpine-slim/Dockerfile $(IMAGES_DIR)/airbyte-nginx/alpine-slim/. ; \
else \
docker build -t airbyte/nginx-alpine-slim:$(VERSION) \
--build-arg UID="1000" \
--build-arg GID="1000" \
-f $(IMAGES_DIR)/airbyte-nginx/alpine-slim/Dockerfile $(IMAGES_DIR)/airbyte-nginx/alpine-slim/. ; \
fi

image.airbyte-nginx-unprivileged: ## Build the airbyte/nginx-unprivileged image
image.airbyte-nginx-unprivileged: buildx.start
@if [ "$(PUBLISH)" = "true" ]; then \
docker buildx build -t airbyte/nginx-unprivileged:$(VERSION) \
--build-arg IMAGE="airbyte/nginx-alpine-slim:1.27.2-alpine-slim-2" \
--build-arg UID="1000" \
--build-arg GID="1000" \
--platform linux/amd64,linux/arm64 \
--push \
-f $(IMAGES_DIR)/airbyte-nginx/Dockerfile . ; \
-f $(IMAGES_DIR)/airbyte-nginx/unprivileged/Dockerfile $(IMAGES_DIR)/airbyte-nginx/unprivileged/. ; \
else \
docker build -t airbyte/nginx-unprivileged:$(VERSION) \
--build-arg IMAGE="airbyte/nginx-alpine-slim:1.27.2-alpine-slim-2" \
--build-arg UID="1000" \
--build-arg GID="1000" \
-f $(IMAGES_DIR)/airbyte-nginx/Dockerfile . ; \
-f $(IMAGES_DIR)/airbyte-nginx/unprivileged/Dockerfile $(IMAGES_DIR)/airbyte-nginx/unprivileged/. ; \
fi
67 changes: 67 additions & 0 deletions docker/airbyte-nginx/alpine-slim/10-listen-on-ipv6-by-default.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
#!/bin/sh
# vim:sw=4:ts=4:et

set -e

entrypoint_log() {
if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}

ME=$(basename "$0")
DEFAULT_CONF_FILE="etc/nginx/conf.d/default.conf"

# check if we have ipv6 available
if [ ! -f "/proc/net/if_inet6" ]; then
entrypoint_log "$ME: info: ipv6 not available"
exit 0
fi

if [ ! -f "/$DEFAULT_CONF_FILE" ]; then
entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE is not a file or does not exist"
exit 0
fi

# check if the file can be modified, e.g. not on a r/o filesystem
touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; }

# check if the file is already modified, e.g. on a container restart
grep -q "listen \[::]\:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; }

if [ -f "/etc/os-release" ]; then
. /etc/os-release
else
entrypoint_log "$ME: info: can not guess the operating system"
exit 0
fi

entrypoint_log "$ME: info: Getting the checksum of /$DEFAULT_CONF_FILE"

case "$ID" in
"debian")
CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3)
echo "$CHECKSUM /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || {
entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
exit 0
}
;;
"alpine")
CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2)
echo "$CHECKSUM /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || {
entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
exit 0
}
;;
*)
entrypoint_log "$ME: info: Unsupported distribution"
exit 0
;;
esac

# enable ipv6 on default.conf listen sockets
sed -i -E 's,listen 8080;,listen 8080;\n listen [::]:8080;,' /$DEFAULT_CONF_FILE

entrypoint_log "$ME: info: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE"

exit 0
15 changes: 15 additions & 0 deletions docker/airbyte-nginx/alpine-slim/15-local-resolvers.envsh
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
#!/bin/sh
# vim:sw=2:ts=2:sts=2:et

set -eu

LC_ALL=C
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0

NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf)

NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"

export NGINX_LOCAL_RESOLVERS
78 changes: 78 additions & 0 deletions docker/airbyte-nginx/alpine-slim/20-envsubst-on-templates.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
#!/bin/sh

set -e

ME=$(basename "$0")

entrypoint_log() {
if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}

add_stream_block() {
local conffile="/etc/nginx/nginx.conf"

if grep -q -E "\s*stream\s*\{" "$conffile"; then
entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
else
# check if the file can be modified, e.g. not on a r/o filesystem
touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
cat << END >> "$conffile"
# added by "$ME" on "$(date)"
stream {
include $stream_output_dir/*.conf;
}
END
fi
}

auto_envsubst() {
local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
local filter="${NGINX_ENVSUBST_FILTER:-}"

local template defined_envs relative_path output_path subdir
defined_envs=$(printf '${%s} ' $(awk "END { for (name in ENVIRON) { print ( name ~ /${filter}/ ) ? name : \"\" } }" < /dev/null ))
[ -d "$template_dir" ] || return 0
if [ ! -w "$output_dir" ]; then
entrypoint_log "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
return 0
fi
find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
relative_path="${template#"$template_dir/"}"
output_path="$output_dir/${relative_path%"$suffix"}"
subdir=$(dirname "$relative_path")
# create a subdirectory where the template file exists
mkdir -p "$output_dir/$subdir"
entrypoint_log "$ME: Running envsubst on $template to $output_path"
envsubst "$defined_envs" < "$template" > "$output_path"
done

# Print the first file with the stream suffix, this will be false if there are none
if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
mkdir -p "$stream_output_dir"
if [ ! -w "$stream_output_dir" ]; then
entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
return 0
fi
add_stream_block
find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
relative_path="${template#"$template_dir/"}"
output_path="$stream_output_dir/${relative_path%"$stream_suffix"}"
subdir=$(dirname "$relative_path")
# create a subdirectory where the template file exists
mkdir -p "$stream_output_dir/$subdir"
entrypoint_log "$ME: Running envsubst on $template to $output_path"
envsubst "$defined_envs" < "$template" > "$output_path"
done
fi
}

auto_envsubst

exit 0
Loading

0 comments on commit 61937bb

Please sign in to comment.