infra(container): pull envs from Infisical

- Secrets and none secret values - At app startup time inside the container Infisical CLI injects values into the app.
docqai · Oct 28, 2023 · a1be494 · a1be494
1 parent 0741e89
commit a1be494
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,14 @@
 ARG BUILDPLATFORM=linux/amd64
 ARG BUILDTAG=3.11-slim-buster
+ARG PIPNOCACHE=--no-cache
 
 FROM --platform=$BUILDPLATFORM python:$BUILDTAG as test
 
 WORKDIR /home/user/app
 
 ENV PATH=$PATH:/home/user/.local/bin
 
-RUN pip install --no-cache poetry poethepoet
+RUN pip install ${PIPNOCACHE} poetry poethepoet
 RUN poetry config --no-cache
 COPY pyproject.toml .
 COPY poetry.lock .
@@ -35,6 +36,10 @@ CMD ["test"]
 
 FROM --platform=$BUILDPLATFORM python:$BUILDTAG as prod
 
+RUN apt-get update && apt-get install -y bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+  && apt-get update && apt-get install -y infisical
+
 RUN addgroup --system user && adduser --system user --ingroup user
 USER user
 
@@ -44,9 +49,13 @@ COPY --chown=user:user --from=test /home/user/app/requirements.txt requirements.
 COPY --chown=user:user --from=test /home/user/app/dist dist
 COPY --chown=user:user web web
 
-RUN pip install --no-cache -r requirements.txt dist/*.whl --user
+RUN pip install -r $PIPNOCACHE requirements.txt dist/*.whl --user
+
+ENV INFISICAL_DISABLE_UPDATE_CHECK=true
+
 
-ENTRYPOINT ["python", "-m", "streamlit", "run"]
-CMD ["web/index.py", "--browser.gatherUsageStats", "false"]
+#ENTRYPOINT ["python", "-m", "streamlit", "run"]
+#CMD ["web/index.py", "--browser.gatherUsageStats", "false"]
 
+ENTRYPOINT infisical run --env=${INFISICAL_ENV_NAME} -- python -m streamlit run web/index.py --browser.gatherUsageStats false
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "docq"
-version = "0.4.2"
+version = "0.4.3"
 description = "Docq.AI - private and secure knowledge insight on your data."
 authors = ["Docq.AI Team <[email protected]>"]
 maintainers = ["Docq.AI Team <[email protected]>"]
@@ -157,6 +157,23 @@ args = [
     { name = "target", default = "prod" },
 ]
 
+[tool.poe.tasks.docker-build-pipcached]
+cmd = """
+docker build 
+--build-arg TESTBUILD=$test \
+--build-arg BUILDTAG=$build_tag \
+--build-arg BUILDPLATFORM=$build_platform \
+--build-arg PIPNOCACHE= \
+--target $target \
+-t docq:$target-$build_tag ."""
+help = "Build a docker image to test the project in an isolated environment"
+args = [
+    { name = "test", default = false, type = "boolean" },
+    { name = "build-tag", default = "3.11-slim-buster" },
+    { name = "build-platform", default = "linux/amd64" },
+    { name = "target", default = "prod" },
+]
+
 [tool.poe.tasks.docker-run]
 cmd = """
 docker run \
@@ -172,3 +189,20 @@ args = [
     { name = "target", default = "prod" },
     { name = "port", default = 8501, type = "integer" },
 ]
+
+[tool.poe.tasks.docker-run-infisical]
+cmd = """
+docker run \
+-it
+--rm \
+--name docq \
+--env INFISICAL_TOKEN=$INFISICAL_TOKEN \
+--env INFISICAL_ENV_NAME=stage
+-p $port:$port \
+docq:$target-$build_tag """
+help = "Run the docker image"
+args = [
+    { name = "build-tag", default = "3.11-slim-buster" },
+    { name = "target", default = "prod" },
+    { name = "port", default = 8501, type = "integer" },
+]