mirror of
https://github.com/Infisical/infisical.git
synced 2025-03-15 10:29:43 +00:00
# Global build arguments: analytics, support-widget and captcha identifiers.
# The defaults are placeholders. A stage must redeclare an ARG before using it.
# NOTE(review): later stages copy these into ENV, and build args are recorded
# in image history, so anyone who can pull the image can read them. Only pass
# values that are meant to be public (client-side keys), never credentials.
ARG POSTHOG_HOST=https://app.posthog.com
ARG POSTHOG_API_KEY=posthog-api-key
ARG INTERCOM_ID=intercom-id
ARG CAPTCHA_SITE_KEY=captcha-site-key

# Common base image shared by every stage below.
# NOTE(review): the tag is mutable; pinning it by digest
# (node:20-slim@sha256:<reviewed-digest>) would make rebuilds reproducible.
FROM node:20-slim AS base

# Stage: install the frontend's npm dependencies from the lockfile.
# Only the manifests are copied, so this layer stays cached until they change.
FROM base AS frontend-dependencies
WORKDIR /app

COPY frontend/package.json frontend/package-lock.json ./

# --ignore-scripts stops dependency lifecycle scripts from running during
# install, which limits what a compromised package can do at build time.
# NOTE(review): `--only-production` is not the documented spelling
# (`--omit=dev`, or legacy `--only=production`). Confirm whether dev
# dependencies are really skipped here. The builder stage reuses this
# node_modules tree for `npm run build`, so test before changing the flag.
RUN npm ci --only-production --ignore-scripts

# Stage: compile the frontend bundle from source.
FROM base AS frontend-builder
WORKDIR /app

# Reuse the node_modules tree produced by the dependency stage.
COPY --from=frontend-dependencies /app/node_modules ./node_modules
# Bring in the frontend sources.
COPY /frontend .

# Redeclare the build arguments this stage consumes.
ARG POSTHOG_HOST
ARG POSTHOG_API_KEY
ARG INTERCOM_ID
ARG INFISICAL_PLATFORM_VERSION
ARG CAPTCHA_SITE_KEY

# Expose the build arguments to the build as environment variables.
# NOTE(review): the VITE_ prefix presumably means the bundler inlines these
# into the client-side bundle, making them public to every browser that loads
# the app. Confirm, and keep these values limited to public identifiers.
ENV NODE_ENV=production \
    VITE_POSTHOG_HOST=${POSTHOG_HOST} \
    VITE_POSTHOG_API_KEY=${POSTHOG_API_KEY} \
    VITE_INTERCOM_ID=${INTERCOM_ID} \
    VITE_INFISICAL_PLATFORM_VERSION=${INFISICAL_PLATFORM_VERSION} \
    VITE_CAPTCHA_SITE_KEY=${CAPTCHA_SITE_KEY}

# Produce the build output under /app/dist (copied by frontend-runner).
RUN npm run build

# Stage: holds only the built frontend assets, owned by an unprivileged
# account. The production stage copies /app out of this stage.
FROM base AS frontend-runner
WORKDIR /app

# System group and user with the fixed id 1001.
RUN groupadd --system --gid 1001 nodejs \
    && useradd --system --uid 1001 --gid nodejs non-root-user

# Only the build output is carried over, not the sources or node_modules.
COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./

USER non-root-user

##
## BACKEND
##
# Stage: install backend dependencies and compile the backend.
FROM base AS backend-build

# NOTE(review): looks like the configuration directory of the SafeNet Luna
# HSM client used through pkcs11js. Confirm.
ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/

# System group and user with the fixed id 1001. Needed by the --chown below.
# This stage never switches USER, so its RUN steps execute as root.
RUN groupadd --system --gid 1001 nodejs \
    && useradd --system --uid 1001 --gid nodejs non-root-user

WORKDIR /app

# Toolchain and ODBC/FreeTDS libraries required for pkcs11js and ODBC.
# The apt lists are removed in the same layer that downloads them.
RUN apt-get update && apt-get install -y \
    freetds-bin \
    freetds-dev \
    g++ \
    make \
    python3 \
    tdsodbc \
    unixodbc \
    unixodbc-dev \
    && rm -rf /var/lib/apt/lists/*

# Register the FreeTDS driver with unixODBC.
# NOTE(review): the driver paths hard-code the x86_64-linux-gnu multiarch
# directory, so the entry will not resolve when built for another architecture.
RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

# Manifests first, so the dependency layer is cached across source changes.
COPY backend/package*.json ./
# NOTE(review): unlike the frontend install, this runs without
# --ignore-scripts, so dependency install scripts execute as root here.
# `--only-production` is also not the documented spelling (`--omit=dev`).
# Confirm what it installs before relying on it to exclude dev dependencies.
RUN npm ci --only-production

COPY /backend .
COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
# NOTE(review): this installs an unpinned package outside the lockfile, so the
# resolved version can change between builds. Prefer adding it to
# package.json and package-lock.json so `npm ci` covers it.
RUN npm i -D tsconfig-paths
RUN npm run build

# Stage: assemble the backend runtime tree under /app.
# The production stage copies /app out of this stage.
FROM base AS backend-runner

# NOTE(review): looks like the configuration directory of the SafeNet Luna
# HSM client used through pkcs11js. Confirm.
ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/

WORKDIR /app

# Toolchain and ODBC/FreeTDS libraries required for pkcs11js and ODBC.
RUN apt-get update && apt-get install -y \
    freetds-bin \
    freetds-dev \
    g++ \
    make \
    python3 \
    tdsodbc \
    unixodbc \
    unixodbc-dev \
    && rm -rf /var/lib/apt/lists/*

# Register the FreeTDS driver with unixODBC.
# NOTE(review): the driver paths hard-code the x86_64-linux-gnu multiarch
# directory, so the entry will not resolve when built for another architecture.
RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

COPY backend/package*.json ./
# NOTE(review): `--only-production` is not the documented spelling
# (`--omit=dev`). Confirm what this actually installs.
RUN npm ci --only-production

# NOTE(review): this copies the whole /app of the build stage, including its
# node_modules (with the tsconfig-paths dev dependency) and the sources.
# It overlays the tree installed by `npm ci` just above. Copying only the
# build output would keep dev tooling and sources out of the final image.
COPY --from=backend-build /app .

# Relative to WORKDIR, so this creates /app/frontend-build.
RUN mkdir frontend-build

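# Final image: backend plus prebuilt frontend, run as an unprivileged user.
FROM base AS production

# Runtime packages, including the ODBC/FreeTDS stack.
# NOTE(review): python3, make, g++, git and the -dev packages end up in the
# final image although no compile step is visible in this stage. If nothing
# needs them at runtime, dropping them (and adding --no-install-recommends)
# would shrink the attack surface. Confirm before removing.
RUN apt-get update && apt-get install -y \
    ca-certificates \
    curl \
    freetds-bin \
    freetds-dev \
    g++ \
    git \
    make \
    openssh-client \
    python3 \
    tdsodbc \
    unixodbc \
    unixodbc-dev \
    && rm -rf /var/lib/apt/lists/*

# Register the FreeTDS driver with unixODBC in the production image.
# NOTE(review): the driver paths hard-code the x86_64-linux-gnu multiarch
# directory, so the entry will not resolve when built for another architecture.
RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

# Install the Infisical CLI at a pinned version.
# The repository setup script is saved to a file and then executed, instead of
# being piped into bash. Under the default /bin/sh there is no pipefail, so a
# failed or truncated download would otherwise go unnoticed by this step.
# NOTE(review): the script still runs as root without an integrity check.
# Consider verifying it against a reviewed digest before executing it, e.g.
# `echo "<reviewed-sha256>  /tmp/infisical-setup.deb.sh" | sha256sum -c -`.
RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' -o /tmp/infisical-setup.deb.sh \
    && bash /tmp/infisical-setup.deb.sh \
    && rm -f /tmp/infisical-setup.deb.sh \
    && apt-get update && apt-get install -y infisical=0.31.1 \
    && rm -rf /var/lib/apt/lists/*

# System group and user with the fixed id 1001, used as the runtime identity.
RUN groupadd --system --gid 1001 nodejs \
    && useradd --system --uid 1001 --gid nodejs non-root-user

# Give non-root-user permission to update SSL certs (one layer, not six).
# NOTE(review): this makes the system trust store and the
# update-ca-certificates script owned by the service account. A compromised
# application process could then add trusted CAs or alter that script.
# If custom CAs are only needed at start-up, a narrower grant is preferable.
RUN chown -R non-root-user /etc/ssl/certs \
    && chown non-root-user /etc/ssl/certs/ca-certificates.crt \
    && chmod -R u+rwx /etc/ssl/certs \
    && chmod u+rw /etc/ssl/certs/ca-certificates.crt \
    && chown non-root-user /usr/sbin/update-ca-certificates \
    && chmod u+rx /usr/sbin/update-ca-certificates

## set pre baked keys
# These values are stored in the image configuration and are readable by
# anyone who can pull the image, so they must be public identifiers only.
ARG POSTHOG_API_KEY
ARG INTERCOM_ID=intercom-id
ARG CAPTCHA_SITE_KEY
ENV POSTHOG_API_KEY=${POSTHOG_API_KEY} \
    INTERCOM_ID=${INTERCOM_ID} \
    CAPTCHA_SITE_KEY=${CAPTCHA_SITE_KEY}

WORKDIR /

# Backend tree from the runner stage, then the built frontend beside it.
COPY --from=backend-runner /app /backend
COPY --from=frontend-runner /app ./backend/frontend-build

# Declared late, so a changing version string does not invalidate the layers above.
ARG INFISICAL_PLATFORM_VERSION
ENV INFISICAL_PLATFORM_VERSION=${INFISICAL_PLATFORM_VERSION}

# Runtime defaults. HOST=0.0.0.0 listens on all container interfaces.
ENV PORT=8080 \
    HOST=0.0.0.0 \
    HTTPS_ENABLED=false \
    NODE_ENV=production \
    STANDALONE_BUILD=true \
    STANDALONE_MODE=true \
    ChrystokiConfigurationPath=/usr/safenet/lunaclient/ \
    TELEMETRY_ENABLED=true

WORKDIR /backend

# Documentation only; publishing ports is decided at run time.
EXPOSE 8080 443

# Drop root before the entrypoint runs.
USER non-root-user

CMD ["./standalone-entrypoint.sh"]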