feat: add support for docker build secrets

supportingami · Mar 8, 2024 · 9445bf9 · 9445bf9
1 parent 0e5e47b
commit 9445bf9
Show file tree

Hide file tree

Showing 11 changed files with 63 additions and 52 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,13 +1,10 @@
-**/node_modules
-
 .github
 .vscode
 .yarn/install-state.gz
 
 # Backend
 backend/.cache
 backend/.tmp
-backend/node_modules
 backend/sami-dev.db
 backend/.env
 backend/public/uploads
@@ -26,8 +23,15 @@ frontend/.vercel
 frontend/out
 frontend/.env
 
-scripts/node_modules
-
 .dockerignore
 docker-compose.yml
 service-account.json
+
+
+# Ignore all node_modules
+# NOTE - implies all images will install own node_modules
+**/node_modules
+node_modules
+backend/node_modules
+frontend/node_modules
+scripts/node_modules
diff --git a/.gitignore b/.gitignore
@@ -31,3 +31,5 @@ data/*
 scripts/input
 scripts/output
 .vercel
+
+service.yaml
diff --git a/backend/package.json b/backend/package.json
@@ -13,7 +13,6 @@
   },
   "dependencies": {
     "@_sh/strapi-plugin-ckeditor": "^1.1.3",
-    "@strapi-community/strapi-provider-upload-google-cloud-storage": "^4.10.5",
     "@strapi/plugin-graphql": "4.20.3",
     "@strapi/plugin-i18n": "4.20.3",
     "@strapi/plugin-users-permissions": "4.20.3",

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -58,6 +58,8 @@ services:
       # Load docker configuration
       - NODE_ENV=docker
       - DATA_DIR=/app/data/db
+      # Local config (required if deploying to cloud run)
+      # - STRAPI_READONLY_TOKEN=
 
     healthcheck:
       test: "wget --no-verbose --tries=1 --spider http://localhost:1337 || exit 1"
@@ -122,8 +124,9 @@ services:
       - ./docker/data/uploads:/data/uploads
       - ./backend/config/service-account.json:/service-account.json
     environment:
-      - GCS_BUCKET_NAME=sami_website
       - GCS_PROJECT=sami-website-365718
+      - GCS_BUCKET_NAME=sami_website_db
+      - GCS_PUBLIC_BUCKET_NAME=sami_website_public
       - GCSFUSE_MNT=/mnt/gcs
       - UNISON_MNT=/data
       - GOOGLE_APPLICATION_CREDENTIALS=/service-account.json

diff --git a/docker/backend.dockerfile b/docker/backend.dockerfile
@@ -1,34 +1,48 @@
+# syntax = docker/dockerfile:1.2
 # yarn scripts docker build --only backend
 
+# Sources
+# https://docs.strapi.io/dev-docs/installation/docker
+
 # Global args (available to FROM statement also when defined this way)
 # https://github.com/docker/cli/issues/2762
 ARG BASE_TAG=0.0.0
 ARG ENV_NAME=development 
 
 # Setup Buildx builder
-# syntax=docker/dockerfile:1
 FROM docker
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 RUN docker buildx version
 
 # Use extra step just to copy base image files as cannot pass variable to `COPY --from` statement
 FROM samicharity/base:${BASE_TAG} as builder
-WORKDIR /app
-# TODO - prune node_modules if not required at runtime
-COPY . .
+# Copy minimal files to allow backend workspace to be accessed using yarn
+COPY ./.yarn ./.yarn
+ENV YARN_CACHE_FOLDER=/app/.yarn/cache
+COPY ./package.json ./yarn.lock ./.yarnrc.yml ./
+COPY ./backend/package.json ./backend/package.json
+RUN yarn workspaces focus --production backend 
+# Mount .env as secret to not persist after build (passed with docker-compose) and build
+# This is required as strapi inlines certain env config into build
+# NOTE - mount must be included in every instruction that requires secret
+# https://docs.render.com/docker-secrets
+RUN --mount=type=secret,id=_env,dst=/backend/.env yarn workspace backend build
 
-# Backend should already be built, so just copy over
-# https://docs.strapi.io/dev-docs/installation/docker
 
-FROM node:20-alpine
+
+
+FROM node:20.7.0-alpine
 
 RUN apk add --no-cache vips-dev \
     && rm -rf /var/cache/apk/* && rm -rf /tmp/*
 
+# TODO - strapi build size reductions (possible partial node_modules trim)
+# https://forum.strapi.io/t/reducing-strapi-docker-image-size/2971/8
+
 ENV NODE_ENV=${ENV_NAME}
 
 WORKDIR /app
-COPY --from=builder /app/backend/ ./
+COPY --from=builder /app/backend .
 ENV PATH /app/node_modules/.bin:$PATH
 ENV HOST 0.0.0.0
 EXPOSE 1337

diff --git a/docker/base.dockerfile b/docker/base.dockerfile
@@ -6,7 +6,7 @@ FROM docker
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 RUN docker buildx version
 
-FROM node:20-alpine as base
+FROM node:20.7.0-alpine as base
 
 WORKDIR /app
 
@@ -21,9 +21,10 @@ COPY ./scripts/package.json ./scripts/package.json
 
 ENV PATH /app/node_modules/.bin:$PATH
 
-RUN yarn install --immutable
+# RUN yarn install --immutable
 
 COPY . .
 
+# Debug
 
-# docker start
+# docker run --rm -it samicharity/base:latest /bin/sh          
diff --git a/docker/frontend.dockerfile b/docker/frontend.dockerfile
@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.2
 # yarn build --only frontend
 
 # Global args (available to FROM statement also when defined this way)
@@ -9,22 +10,28 @@ FROM docker
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 RUN docker buildx version
 
+
 # Use extra step just to copy base image files as cannot pass variable to `COPY --from` statement
 FROM samicharity/base:${BASE_TAG} as builder
-WORKDIR /app
+# Copy minimal files to allow backend workspace to be accessed using yarn
+COPY ./.yarn ./.yarn
+ENV YARN_CACHE_FOLDER=/app/.yarn/cache
+COPY ./package.json ./yarn.lock ./.yarnrc.yml ./
+COPY ./fronend/package.json ./fronend/package.json
+RUN yarn workspaces focus --production fronend 
 # TODO - prune node_modules if not required at runtime
-COPY . .
+
 
 # Run app
-FROM node:20-alpine as frontend
+FROM node:20.7.0-alpine as frontend
 WORKDIR /app
 RUN yarn global add pm2 && yarn cache clean
 
 # RUN addgroup -g 1001 -S nodejs
 # RUN adduser -S nextjs -u 1001
 
 ENV PATH /app/node_modules/.bin:$PATH
-COPY --from=builder /app/frontend/ ./
+COPY --from=builder /app/frontend .
 
 # TODO - copy env and get nextjs package json script and trim
 # https://nextjs.org/docs/deployment

diff --git a/docs/deployment.md b/docs/deployment.md
@@ -59,7 +59,8 @@ Instead it is better to include GCSFuse support directly within the container im
 
 **TODO**
 
-===
+- Consider using https://github.com/strapi-community/strapi-tool-dockerize
+- # Consider modifying and pushing to https://github.com/strapi-community/strapi-tool-deployify
 
 # Old Docs (To Review)
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sami-website",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "license": "see license.md",
   "workspaces": [
     "backend",

diff --git a/scripts/src/commands/docker/build.ts b/scripts/src/commands/docker/build.ts
@@ -52,14 +52,6 @@ class DockerBuildCmd {
     }
     if (buildTargets.includes("backend")) {
       console.log(chalk.blue("Building strapi admin..."));
-      // prefer spawn over execa due to memory issues on server
-      spawnSync(`yarn workspace backend build`, {
-        cwd: PATHS.rootDir,
-        shell: true,
-        stdio: "inherit",
-        // ensure docker config files used
-        env: { NODE_ENV: "docker", NODE_OPTIONS: "--max_old_space_size=2048" },
-      });
       await this.buildBackend();
       // TODO - ensure backend bootstrapped and populate keys to docker/data .env
     }
@@ -87,7 +79,8 @@ class DockerBuildCmd {
   private async buildBackend() {
     console.log(chalk.blue("Building backend..."));
     const tags = this.getTags("backend", true);
-    const args = `${tags} --build-arg "ENV_NAME=development" --build-arg "BASE_TAG=${BASE_TAG}"`;
+    const secrets = this.getSecrets();
+    const args = `${tags} --build-arg "ENV_NAME=development" --build-arg "BASE_TAG=${BASE_TAG}" ${secrets}`;
     const cmd = `docker build --file docker/backend.dockerfile ${args} .`;
     console.log(chalk.gray(cmd));
     await execa(cmd, { stdio: "inherit", shell: true, cwd: PATHS.rootDir });
@@ -124,4 +117,9 @@ class DockerBuildCmd {
     }
     return `--tag ${tags.join(" --tag ")}`;
   }
+
+  // Pass .env files as build secrets to use as required
+  private getSecrets() {
+    return `--secret id=_env,src=config/docker.env`;
+  }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -1963,7 +1963,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@google-cloud/storage@npm:^6.10.0, @google-cloud/storage@npm:^6.9.5":
+"@google-cloud/storage@npm:^6.9.5":
   version: 6.12.0
   resolution: "@google-cloud/storage@npm:6.12.0"
   dependencies:
@@ -4316,16 +4316,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@strapi-community/strapi-provider-upload-google-cloud-storage@npm:^4.10.5":
-  version: 4.10.5
-  resolution: "@strapi-community/strapi-provider-upload-google-cloud-storage@npm:4.10.5"
-  dependencies:
-    "@google-cloud/storage": "npm:^6.10.0"
-    slugify: "npm:^1.6.6"
-  checksum: 10/7fd7c481cfb8b67bc7695aea1ecfbba67a4d1693087e8084703dd7e38e750f3e3fa789f94e3e060f1e04f53cb816dfe607b01260d1789cf704081d13f4824d16
-  languageName: node
-  linkType: hard
-
 "@strapi/admin@npm:4.20.3":
   version: 4.20.3
   resolution: "@strapi/admin@npm:4.20.3"
@@ -7705,7 +7695,6 @@ __metadata:
   resolution: "backend@workspace:backend"
   dependencies:
     "@_sh/strapi-plugin-ckeditor": "npm:^1.1.3"
-    "@strapi-community/strapi-provider-upload-google-cloud-storage": "npm:^4.10.5"
     "@strapi/plugin-graphql": "npm:4.20.3"
     "@strapi/plugin-i18n": "npm:4.20.3"
     "@strapi/plugin-users-permissions": "npm:4.20.3"
@@ -21133,13 +21122,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"slugify@npm:^1.6.6":
-  version: 1.6.6
-  resolution: "slugify@npm:1.6.6"
-  checksum: 10/d0737cdedc834c50f74227bc1a1cf4f449f3575893f031b0e8c59f501c73526c866a23e47261b262c7acdaaaaf30d6f9e8aaae22772b3f56e858ac84c35efa7b
-  languageName: node
-  linkType: hard
-
 "smart-buffer@npm:^4.2.0":
   version: 4.2.0
   resolution: "smart-buffer@npm:4.2.0"