chore: working logic

spectrocloud · Mar 24, 2024 · 762be19 · 762be19
1 parent c3b5cac
commit 762be19
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 36 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,8 @@
 FROM node:18-alpine AS modules
 WORKDIR /app
 COPY . .
-RUN npm ci && npm run build && \
-adduser -u 1002 -D appuser appuser
+RUN adduser -u 1002 -h /home/appuser -D appuser appuser && \
+npm ci && npm run build
 
 
 FROM node:18-alpine AS production

diff --git a/Dockerfile.Caddy b/Dockerfile.Caddy
@@ -24,19 +24,19 @@ ENV QUERY_K8S_API ""
 
 COPY --from=modules /etc/passwd /etc/passwd
 COPY --from=modules /etc/group /etc/group
-COPY --from=modules --chown=appuser:appuser /home/appuser/ /home/appuser/
-COPY --from=modules --chown=appuser:appuser /app/node_modules ./node_modules
-COPY --from=modules --chown=appuser:appuser /app/build ./build
-COPY --from=modules --chown=appuser:appuser /app/package.json ./package.json
-COPY --from=caddy --chown=appuser:appuser /usr/bin/caddy /usr/bin/caddy
-COPY --from=modules --chown=appuser:appuser /app/Caddyfile /etc/caddy/Caddyfile
-COPY --from=modules --chown=appuser:appuser /app/scripts/service-ip.sh /app/service-ip.sh
+COPY --from=modules --chown=1002:1002 /home/appuser/ /home/appuser/
+COPY --from=modules --chown=1002:1002 /app/node_modules ./node_modules
+COPY --from=modules --chown=1002:1002 /app/build ./build
+COPY --from=modules --chown=1002:1002 /app/package.json ./package.json
+COPY --from=caddy --chown=1002:1002 /usr/bin/caddy /usr/bin/caddy
+COPY --from=modules --chown=1002:1002 /app/Caddyfile /etc/caddy/Caddyfile
+COPY --from=modules --chown=1002:1002 /app/scripts/service-ip.sh /app/service-ip.sh
 
 RUN apk update && apk upgrade && apk add --no-cache curl ca-certificates bash jq && \
-mkdir -p /var/log/caddy/ && chown -R appuser:appuser /var/log/caddy/ && \
-chmod -R 700 /var/log/caddy/ && touch /app/.env && chown appuser:appuser /app/.env
+mkdir -p /var/log/caddy/ && chown -R 1002:1002 /var/log/caddy/ && \
+chmod -R 700 /var/log/caddy/ && touch /app/.env && chown 1002:1002 /app/.env
 
 USER appuser
 EXPOSE 8080 3000
-CMD ["/bin/bash", "-c", "/app/service-ip.sh && source /app/.env && REACT_APP_API_URI=$API_URI REACT_APP_API_VERSION=$API_VERSION npx react-inject-env set && \
+CMD ["/bin/bash", "-c", "/app/service-ip.sh && source /app/.env && REACT_APP_API_URI=$API_URI REACT_APP_API_VERSION=$API_VERSION REACT_APP_TOKEN=$TOKEN npx react-inject-env set && \
 caddy run --config /etc/caddy/Caddyfile --adapter caddyfile"]
diff --git a/README.md b/README.md
@@ -66,6 +66,15 @@ hello universe application into a Kubernetes cluster or similar architectures an
 docker run -p 8080:8080 -p 3000:3000  -e SVC_URI="http://myprivate.api.address.example:3000" -e API_URI="http://myloadbalancer.example:3000"  ghcr.io/spectrocloud/hello-universe:1.1.0-proxy
 ```
 
+#### Reverse Proxy Environment Variables
+
+| Variable        | Description                                                                                                                                                                             | Default |
+| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `SVC_URI`       | The URI to the service API, such as the internal Kubernetes container hostname of the API service.                                                                                      | `""`    |
+| `API_URI`       | The fully qualified hostname and port of the API server. In a reverse proxy setting, set this to the service loadbalancer. If `QUERY_K8S_API` set to `true`, leve this parameter empty. | `""`    |
+| `TOKEN`         | The API authorization token. This is only used if the API is configured for authorization.                                                                                              | `""`    |
+| `QUERY_K8S_API` | Set to `true` to query the Kubernetes API for the service hostname. This is useful when the service is deployed in a Kubernetes cluster.                                                | `false` |
+
 ## Image Verification
 
 We sign our images through [Cosign](https://docs.sigstore.dev/signing/quickstart/). Review the [Image Verification](./docs/image-verification.md) page to learn more.

diff --git a/deployment/k8s.yaml b/deployment/k8s.yaml
@@ -175,13 +175,13 @@ spec:
             httpGet:
               path: /api/v1/health
               port: 3000
-            initialDelaySeconds: 20
+            initialDelaySeconds: 15
             periodSeconds: 3
           readinessProbe:
             httpGet:
               path: /api/v1/health
               port: 3000
-            initialDelaySeconds: 15
+            initialDelaySeconds: 10
             periodSeconds: 3
 ---
 apiVersion: v1
@@ -221,7 +221,8 @@ spec:
             ["/bin/sh", "-c", "echo 'sleeping for 30 seconds' && sleep 30"]
       containers:
         - name: ui
-          image: ghcr.io/spectrocloud/hello-universe:1.1.0-proxy
+          image: ghcr.io/spectrocloud/hello-universe:1.1.2-proxy
+          imagePullPolicy: Always
           ports:
             - containerPort: 8080
               name: ui
@@ -246,23 +247,23 @@ spec:
             requests:
               memory: "500Mi"
               cpu: "500m"
-          # securityContext:
-          #   allowPrivilegeEscalation: false
-          #   runAsNonRoot: true
-          #   capabilities:
-          #     drop:
-          #       - ALL
-          #   seccompProfile:
-          #     type: "RuntimeDefault"
-          # livenessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: 80
-          #   initialDelaySeconds: 10
-          #   periodSeconds: 3
-          # readinessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: 80
-          #   initialDelaySeconds: 5
-          #   periodSeconds: 3
+            # securityContext:
+            #   allowPrivilegeEscalation: false
+            #   runAsNonRoot: true
+            #   capabilities:
+            #     drop:
+            #       - ALL
+            seccompProfile:
+              type: "RuntimeDefault"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 20
+            periodSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 15
+            periodSeconds: 3
diff --git a/scripts/service-ip.sh b/scripts/service-ip.sh
@@ -3,6 +3,7 @@
 # This script is used to query the Kubernetes API for the hostname of the hello-universe service
 # and set the API_URI environment variable to the service IP.
 # The script is only executed if the QUERY_K8S_API environment variable is set.
+# Inspired by https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/
 #########################################
 
 if [ -n "$QUERY_K8S_API" ]; then
@@ -35,7 +36,7 @@ HELLO_UNIVERSE_SERVICE=$(curl --silent --cacert ${CACERT} --header "Authorizatio
   # Set API_URI only if QUERY_K8S_API is not empty
   echo "Setting API_URI to ${HELLO_UNIVERSE_SERVICE}:3000"
   export API_URI=$HELLO_UNIVERSE_SERVICE:3000
-  echo "export API_URI=${HELLO_UNIVERSE_SERVICE}:3000" > /app/.env
+  echo "export API_URI=http://${HELLO_UNIVERSE_SERVICE}:3000" > /app/.env