The build context for `podman build` was the workspace root — fine for cargo's path-deps, but `COPY . .` shipped 147 GB to the build daemon (target/, .claude/worktrees, .git, demos, network test data, manual_mint scratch). Tightens the .dockerignore to exclude the heavy items, dropping the context to ~180 MB.

The callout Dockerfile was also single-stage with a host pre-built binary (`COPY target/release/harmony-nats-callout`), which conflicts with the new strict .dockerignore (target/ is now excluded). Rewrote to mirror the operator's multi-stage cargo-in-Docker shape — same builder + runtime images, same USER 65532 convention.

Build script consequences:

* No more host-side `cargo build --release -p harmony-nats-callout` step. Both images now build self-contained from the workspace context.
* Two podman build invocations (operator + callout), then push.

The k3d e2e harness (`fleet_auth_callout::build_and_load_callout_image`) was relying on the old single-stage Dockerfile via tempdir staging; it now writes its own minimal single-stage Dockerfile inline so the fast local-iteration path is unaffected by the production-shape change in `nats/callout/Dockerfile`.

Also includes `topology.ensure_ready()` in fleet_staging_install (needed for cert-manager bootstrap on first apply).

Verified: `podman build` for the callout completes successfully; operator build is the same shape and was mid-compile in testing.
54 lines
2.0 KiB
Docker
# Multi-stage container build for harmony-nats-callout.
#
# Build context is the workspace root (the callout's Cargo.toml has
# `path = "../../..."` deps via nats-jwt + harmony, which only
# resolve when the whole workspace is in scope). Invoke from the
# repo root:
#
#   podman build -f nats/callout/Dockerfile \
#     -t hub.nationtech.io/harmony/harmony-nats-callout:<tag> .
#
# Mirrors `fleet/harmony-fleet-operator/Dockerfile` exactly: builder
# stage on `rust:1.94-slim-bookworm`, runtime stage on
# `debian:bookworm-slim` (matched glibc ABI). The earlier
# single-stage image required a host-side `cargo build --release`
# before podman build, which made the build context coupling
# fragile and forced an archlinux:base runtime to match the host's
# glibc.

FROM docker.io/rust:1.94-slim-bookworm AS builder

# pkg-config + libssl-dev cover transitive native-tls/openssl-sys
# deps; ca-certificates lets cargo fetch over TLS.
RUN apt-get update && apt-get install -y --no-install-recommends \
    pkg-config \
    ca-certificates \
    libssl-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY . .

RUN cargo build --release --locked -p harmony-nats-callout

FROM docker.io/library/debian:bookworm-slim

# ca-certificates: outbound TLS to the OIDC issuer (Zitadel).
# async-nats uses rustls, so libssl3 is not needed at runtime.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /app/target/release/harmony-nats-callout /usr/local/bin/harmony-nats-callout

# Non-root runtime, matching the harmony-fleet-operator convention.
# 65532 is the `nonroot` UID used by distroless + security-hardened
# base images. The Pod manifest sets `runAsNonRoot: true`; the
# image's USER directive is the portable mechanism that pairs with
# that flag without pinning a specific UID at the Pod level
# (OpenShift's restricted-v2 SCC assigns its own namespace-scoped
# UIDs).
USER 65532:65532

ENTRYPOINT ["/usr/local/bin/harmony-nats-callout"]
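The commit message measures the context drop (147 GB to ~180 MB) after tightening the .dockerignore that gates the Dockerfile's `COPY . .`. As an added example, not part of this commit or of the Harmony repository, here is a POSIX shell pre-flight check that estimates what the build daemon would receive once a .dockerignore is applied; it assumes a deny-list .dockerignore with one plain path per line (entries such as `target/` or `.git`) and skips glob and `!` entries, so its result is a lower bound on the real context size.

```shell
#!/bin/sh
# Added example (not part of this commit): estimate, in kilobytes, what
# `COPY . .` would ship to the build daemon once a .dockerignore is applied.
# Assumption: only plain path entries (e.g. `target/`, `.git`) are honoured;
# glob patterns and `!` re-includes are skipped, so treat the result as a
# lower bound on what podman actually sends.
set -eu

# context_size_kb CONTEXT_DIR DOCKERIGNORE_FILE
# Prints the summed du(1) size of every file under CONTEXT_DIR that is not
# pruned by a plain path entry of DOCKERIGNORE_FILE.
context_size_kb() {
    ctx=$1
    ignore=$2
    [ -f "$ignore" ] || ignore=/dev/null   # no ignore file: count everything
    # Rebuild the positional parameters as a find(1) prune expression:
    #   -path CTX/target -prune -o -path CTX/.git -prune -o ...
    set --
    while IFS= read -r pat || [ -n "$pat" ]; do
        case "$pat" in
            ''|'#'*|'!'*|*'*'*|*'?'*) continue ;;   # blank, comment, re-include, glob
        esac
        pat=${pat#./}; pat=${pat#/}; pat=${pat%/}
        set -- "$@" -path "$ctx/$pat" -prune -o
    done < "$ignore"
    find "$ctx" "$@" -type f -exec du -k {} + \
        | awk '{ s += $1 } END { printf "%d\n", s }'
}

# Stand-alone use: ./context_size.sh <workspace-root>
if [ $# -ge 1 ]; then
    printf 'context without .dockerignore: %s KiB\n' "$(context_size_kb "$1" /dev/null)"
    printf 'context with .dockerignore:    %s KiB\n' "$(context_size_kb "$1" "$1/.dockerignore")"
fi
```

Run it from the workspace root before `podman build`; a large gap between the two numbers is the signal that the ignore list is doing its job, and a small "with" figure that still excludes Cargo.lock would break `cargo build --locked` in the builder stage.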