[Refactor] Better operator controllers

Dockerfile-initializer

@@ -1,49 +1,54 @@
+# Build Stage
 FROM elixir:1.15-alpine AS builder
 
 ENV MIX_ENV=prod
 
 WORKDIR /app
 
-RUN apk add --no-cache --update git build-base ca-certificates zstd gcc pkgconfig openssl-dev
+# Install build dependencies and tools
+RUN apk add --no-cache git build-base ca-certificates zstd gcc pkgconfig openssl-dev
 
+# Copy application code
 COPY spawn_initializer/ .
 
+# Install Elixir dependencies and build release
 RUN mix local.rebar --force \
     && mix local.hex --force \
     && mix deps.get \
     && mix release.init
 
-# Overriden at runtime
+# Environment variables for release
 ENV POD_IP="127.0.0.1"
-
-# This will be the basename of node
 ENV RELEASE_NAME="spawn_initializer"
-
-# This will be the full nodename
 ENV RELEASE_NODE="${RELEASE_NAME}@${POD_IP}"
 
-
+# Build the release
 RUN mix deps.get \
     && mix release spawn_initializer
 
-# ---- Application Stage ----
+# Runtime Stage
 FROM alpine:3.20
 
-RUN apk add --no-cache --update zstd ncurses-libs libstdc++ libgcc
+# Install runtime dependencies: OpenSSL, zstd, and necessary runtime libraries
+RUN apk add --no-cache openssl zstd ncurses-libs libstdc++ libgcc \
+    # Create a user with UID 1000 and set up the home directory
+    && adduser -D -u 1000 appuser \
+    && mkdir -p /app/.cache/bakeware/ /data \
+    && chown appuser:appuser /app /app/.cache /data \
+    && chmod 777 /app/.cache/bakeware/ /data
 
 WORKDIR /app
-RUN chown nobody /app
 
-# Set runner ENV
+# Set environment variables
 ENV MIX_ENV=prod
 ENV HOME=/app
 
-COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/bakeware/ ./
-
-RUN mkdir -p /app/.cache/bakeware/ && chmod 777 /app/.cache/bakeware/
-RUN touch /.erlang.cookie && chmod 777 /.erlang.cookie
-RUN touch /app/.erlang.cookie && chmod 777 /app/.erlang.cookie
+# Copy compiled release from builder stage
+COPY --from=builder --chown=1000:1000 /app/_build/${MIX_ENV}/rel/bakeware/ ./
 
-USER nobody
+# Create necessary files and set permissions
+RUN touch /.erlang.cookie && chmod 777 /.erlang.cookie \
+    && touch /app/.erlang.cookie && chmod 777 /app/.erlang.cookie
 
+# Set entrypoint
 ENTRYPOINT ["./spawn_initializer"]

Dockerfile-operator

@@ -1,12 +1,14 @@
+# Build Stage
 FROM elixir:1.15-alpine AS builder
 
 ENV MIX_ENV=prod
 
 WORKDIR /app
 
-RUN apk add --no-cache --update git build-base ca-certificates zstd gcc pkgconfig openssl-dev
+# Install build dependencies and tools
+RUN apk add --no-cache git build-base ca-certificates zstd gcc pkgconfig openssl-dev
 
-RUN mkdir config
+# Copy application code
 COPY config/ ./config
 COPY spawn_operator/ ./spawn_operator
 COPY spawn_statestores/ ./spawn_statestores
@@ -15,20 +17,15 @@ COPY priv/ ./priv
 COPY mix.exs .
 COPY mix.lock .
 
+# Install Elixir dependencies and build release
 RUN mix local.rebar --force \
     && mix local.hex --force \
     && mix deps.get \
     && mix release.init
 
 ENV RELEASE_DISTRIBUTION="name"
-
-# Overriden at runtime
 ENV POD_IP="127.0.0.1"
-
-# This will be the basename of node
 ENV RELEASE_NAME="spawn_operator"
-
-# This will be the full nodename
 ENV RELEASE_NODE="${RELEASE_NAME}@${POD_IP}"
 
 RUN echo "-setcookie ${NODE_COOKIE}" >> ./rel/vm.args.eex
@@ -37,24 +34,29 @@ RUN cd spawn_operator/spawn_operator \
     && mix deps.get \
     && mix release spawn_operator
 
-# ---- Application Stage ----
+# Runtime Stage
 FROM alpine:3.20
 
-RUN apk add --no-cache --update zstd ncurses-libs libstdc++ libgcc
+# Install runtime dependencies: OpenSSL, zstd, and necessary runtime libraries
+RUN apk add --no-cache openssl zstd ncurses-libs libstdc++ libgcc \
+    # Create a user with UID 1000 and set up the home directory
+    && adduser -D -u 1000 appuser \
+    && mkdir -p /app/.cache/bakeware/ /data \
+    && chown appuser:appuser /app /app/.cache /data \
+    && chmod 777 /app/.cache/bakeware/ /data
 
 WORKDIR /app
-RUN chown nobody /app
 
-# Set runner ENV
+# Set environment variables
 ENV MIX_ENV=prod
 ENV HOME=/app
 
-COPY --from=builder --chown=nobody:root /app/spawn_operator/spawn_operator/_build/${MIX_ENV}/rel/bakeware/ ./
-
-RUN mkdir -p /app/.cache/bakeware/ && chmod 777 /app/.cache/bakeware/
-RUN touch /.erlang.cookie && chmod 777 /.erlang.cookie
-RUN touch /app/.erlang.cookie && chmod 777 /app/.erlang.cookie
+# Copy compiled release from builder stage
+COPY --from=builder --chown=1000:1000 /app/spawn_operator/spawn_operator/_build/${MIX_ENV}/rel/bakeware/ ./
 
-USER nobody
+# Create necessary files and set permissions
+RUN touch /.erlang.cookie && chmod 777 /.erlang.cookie \
+    && touch /app/.erlang.cookie && chmod 777 /app/.erlang.cookie
 
-ENTRYPOINT [ "./spawn_operator", "start" ] 
+# Set entrypoint
+ENTRYPOINT ["./spawn_operator", "start"]

Dockerfile-proxy

@@ -1,64 +1,58 @@
+# Build Stage
 FROM elixir:1.15-alpine AS builder
 
 ENV MIX_ENV=prod
 
 WORKDIR /app
 
-RUN apk add --no-cache --update git build-base ca-certificates zstd gcc pkgconfig openssl-dev
+# Install build dependencies in a single layer
+RUN apk add --no-cache git build-base ca-certificates zstd gcc pkgconfig openssl-dev
 
-RUN mkdir config
+# Copy project files
 COPY config/ ./config
 COPY spawn_proxy/ ./spawn_proxy
 COPY lib/ ./lib
 COPY spawn_statestores/ ./spawn_statestores
 COPY priv/ ./priv
-COPY mix.exs .
-COPY mix.lock .
+COPY mix.exs mix.lock ./
 
+# Fetch dependencies, build release, and clean up build dependencies
 RUN mix local.rebar --force \
     && mix local.hex --force \
     && mix deps.get \
-    && mix release.init
-
-ENV RELEASE_DISTRIBUTION="name"
-
-# Overriden at runtime
-ENV POD_IP="127.0.0.1"
-
-# This will be the basename of node
-ENV RELEASE_NAME="proxy"
-
-# This will be the full nodename
-ENV RELEASE_NODE="${RELEASE_NAME}@${POD_IP}"
-
-#RUN echo "-setcookie ${NODE_COOKIE}" >> ./priv/rel/vm.args.eex
-
-RUN cd spawn_proxy/proxy \
+    && mix release.init \
+    && cd spawn_proxy/proxy \
     && mix deps.get \
-    && mix release proxy
+    && mix release proxy \
+    && apk del build-base gcc pkgconfig openssl-dev
 
-# ---- Application Stage ----
+# Application Stage
 FROM alpine:3.20
 
+# Set runner environment
+ENV MIX_ENV=prod
+ENV HOME=/app
+
+# Create a user with ID 1000
+RUN adduser -D -u 1000 appuser
+
 RUN apk add --no-cache --update zstd ncurses-libs libstdc++ libgcc protobuf
 
 WORKDIR /app
-RUN chown nobody /app
-
-# Set runner ENV
-ENV MIX_ENV=prod
-ENV HOME=/app
 
+# Copy the built release and configuration
 COPY rel/overlays/mtls.ssl.conf .
-COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/proxy ./
+COPY --from=builder --chown=1000:1000 /app/_build/${MIX_ENV}/rel/proxy ./
 
-RUN mkdir -p /app/.cache/bakeware/ && chmod 777 /app/.cache/bakeware/
-RUN mkdir -p /app/priv/generated_modules/ && chmod 777 /app/priv/generated_modules/
-RUN mkdir /data/ && chmod 777 /data/
-RUN touch /.erlang.cookie && chmod 777 /.erlang.cookie
-RUN touch /app/.erlang.cookie && chmod 777 /app/.erlang.cookie
+# Create necessary directories and files with appropriate permissions
+RUN mkdir -p /app/.cache/bakeware/ /data/ /app/priv/generated_modules/ && \
+    chown -R appuser /app/.cache/bakeware/ /data/ /app/priv/generated_modules/ && \
+    chmod 600 /app/priv/generated_modules/ && \
+    chmod 600 /data/ && \
+    touch /.erlang.cookie /app/.erlang.cookie && \
+    chown appuser /app/.erlang.cookie && \
+    chmod 600 /.erlang.cookie /app/.erlang.cookie
 
-USER nobody
+USER appuser
 
 ENTRYPOINT ["/app/bin/proxy", "start"]
-

Makefile

@@ -1,5 +1,5 @@
 version=1.4.2
-registry=eigr
+registry=ghcr.io/eigr
 
 CLUSTER_NAME=spawn-k8s
 K3D_KUBECONFIG_PATH?=./integration.yaml
@@ -44,6 +44,9 @@ build-proxy-image:
 	# When we migrate to new version of buildx we can do: docker buildx build -f Dockerfile-proxy --tag ${proxy-image} --attest type=provenance,mode=max .
 	docker build --no-cache -f Dockerfile-proxy -t ${proxy-image} .
 
+build-proxy-initializer:
+	docker build --no-cache -f Dockerfile-initializer -t ${proxy-initializer} .
+
 build-operator-image:
 	docker build --no-cache -f Dockerfile-operator -t ${operator-image} .
 

examples/security/acl/host.yaml

@@ -9,7 +9,7 @@ metadata:
     spawn-eigr.io/sidecar-http-port: "9001"
     spawn-eigr.io/sidecar-pubsub-adapter: "nats"
     spawn-eigr.io/sidecar-pubsub-nats-hosts: "nats://spawn-nats:4222"
-    spawn-eigr.io/sidecar-image-tag: "docker.io/eigr/spawn-proxy:1.4.2"
+    spawn-eigr.io/sidecar-image-tag: "ghcr.io/eigr/spawn-proxy:1.4.2"
 spec:
   autoscaler:
     max: 3

examples/security/authentication/basic/host.yaml

@@ -34,7 +34,7 @@ metadata:
     spawn-eigr.io/sidecar-http-port: "9001"
     spawn-eigr.io/sidecar-pubsub-adapter: "nats"
     spawn-eigr.io/sidecar-pubsub-nats-hosts: "nats://spawn-nats:4222"
-    spawn-eigr.io/sidecar-image-tag: "docker.io/eigr/spawn-proxy:1.4.2"
+    spawn-eigr.io/sidecar-image-tag: "ghcr.io/eigr/spawn-proxy:1.4.2"
 spec:
   autoscaler:
     max: 3

examples/security/authentication/jwt/host.yaml

@@ -11,7 +11,7 @@ metadata:
     spawn-eigr.io/sidecar-http-port: "9001"
     spawn-eigr.io/sidecar-pubsub-adapter: "nats"
     spawn-eigr.io/sidecar-pubsub-nats-hosts: "nats://spawn-nats:4222"
-    spawn-eigr.io/sidecar-image-tag: "docker.io/eigr/spawn-proxy:1.4.2"
+    spawn-eigr.io/sidecar-image-tag: "ghcr.io/eigr/spawn-proxy:1.4.2"
 spec:
   autoscaler:
     max: 3

examples/simple/host-simple.yaml

@@ -14,7 +14,7 @@ metadata:
     # Optional. Here I`m using Nats Broker without authentication
     spawn-eigr.io/sidecar-pubsub-adapter: "nats"
     spawn-eigr.io/sidecar-pubsub-nats-hosts: "nats://spawn-nats:4222"
-    spawn-eigr.io/sidecar-image-tag: "docker.io/eigr/spawn-proxy:1.4.2"
+    spawn-eigr.io/sidecar-image-tag: "ghcr.io/eigr/spawn-proxy:1.4.2"
 spec:
   host:
     image: eigr/spawn-springboot-examples:0.5.3 # Mandatory

examples/simple/host.yaml

@@ -22,7 +22,7 @@ metadata:
     spawn-eigr.io/sidecar-mode: "sidecar"
 
     # Optional
-    spawn-eigr.io/sidecar-image-tag: "docker.io/eigr/spawn-proxy:1.4.2"
+    spawn-eigr.io/sidecar-image-tag: "ghcr.io/eigr/spawn-proxy:1.4.2"
 
     # Optional. Default 9001
     spawn-eigr.io/sidecar-http-port: "9001"

lib/actors/security/tls/initializer.ex

@@ -7,7 +7,7 @@ defmodule Actors.Security.Tls.Initializer do
     - args:
         - eval
         - Kompost.Webhooks.bootstrap_tls(:prod, "tls-certs")
-      image: docker.io/eigr/spawn-proxy:1.4.2
+      image: ghcr.io/eigr/spawn-proxy:1.4.2
       name: init-certificates
   serviceAccountName: kompost
   volumes:

spawn_initializer/lib/spawn_initializer/tls/initializer.ex

@@ -7,7 +7,7 @@ defmodule SpawnInitializer.Tls.Initializer do
     - args:
         - eval
         - SpawnInitializer.Tls.Initializer.bootstrap_tls(:prod, "tls-certs")
-      image: docker.io/eigr/spawn-proxy:1.4.2
+      image: ghcr.io/eigr/spawn-proxy:1.4.2
       name: init-certificates
   serviceAccountName: kompost
   volumes:

spawn_operator/spawn_operator/config/config.exs

@@ -1,7 +1,7 @@
 import Config
 
 config :spawn_operator,
-  proxy_image: "docker.io/eigr/spawn-proxy:1.4.2"
+  proxy_image: "ghcr.io/eigr/spawn-proxy:1.4.2"
 
 config :bonny,
   # Add each Controller module for this operator to load here