Dockerfile.api

FROM debian:latest AS deps

ARG KUBESEAL_VERSION=0.27.2
ARG TARGETARCH
ENV KUBESEAL_BINARY=/deps/kubeseal \
    PRIVATE_KEY=/dev/null \
    PUBLIC_KEY=/deps/cert.pem

WORKDIR /deps

RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y openssl curl && \
    apt-get clean
RUN openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout "$PRIVATE_KEY" -out "$PUBLIC_KEY" -subj "/CN=sealed-secret/O=sealed-secret"
RUN curl -Lsf -o - "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-${TARGETARCH}.tar.gz" | \
    tar -xzf - && \
    chmod 0755 "${KUBESEAL_BINARY}"

FROM python:3.12-slim

USER root

ARG APP_PATH="/kubeseal-webgui"
ARG APP_PORT=5000
ARG KUBESEAL_VERSION=${KUBESEAL_VERSION}

RUN adduser --gid 0 --home "${APP_PATH}" --disabled-password app \
    && chmod 0750 "${APP_PATH}"

RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get clean


USER app

ENV UVICORN_PORT=${APP_PORT} \
    UVICORN_HOST=0.0.0.0 \
    UVICORN_NO_DATE_HEADER=1 \
    UVICORN_NO_SERVER_HEADER=1 \
    KUBESEAL_BINARY=/tmp/kubeseal

EXPOSE ${APP_PORT}

WORKDIR ${APP_PATH}

COPY api src/

RUN python3 -m venv "${APP_PATH}" && \
    . "${APP_PATH}/bin/activate" && \
    pip install --no-cache-dir 'uvicorn' 'wheel' 'setuptools' && \
    pip install --no-cache-dir --upgrade 'pip' 'uvicorn' 'wheel' 'setuptools' && \
    pip install --no-cache-dir src/ && \
    install --mode=755 --group=0 ./src/bin/* "${APP_PATH}/bin/"

ENV PATH="${PATH}:${APP_PATH}/bin:${APP_PATH}/.local/bin"

COPY --from=deps /deps/* /tmp/

CMD [ "uvicorn", "--log-config", "src/config/logging_config.yaml", "kubeseal_webgui_api.app:app"]