Showing
1 changed file
with
104 additions
and
55 deletions.
@@ -1,119 +1,168 @@ | ||
# syntax=docker/dockerfile:1 | ||
|
||
# Stage 1: Build website | ||
FROM --platform=${BUILDPLATFORM} docker.io/node:20 as website-builder | ||
FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder | ||
|
||
ENV NODE_ENV=production | ||
|
||
WORKDIR /work/website | ||
|
||
RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \ | ||
--mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \ | ||
--mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \ | ||
npm ci --include=dev | ||
|
||
COPY ./website /work/website/ | ||
COPY ./blueprints /work/blueprints/ | ||
COPY ./SECURITY.md /work/ | ||
|
||
ENV NODE_ENV=production | ||
WORKDIR /work/website | ||
RUN npm ci --include=dev && npm run build-docs-only | ||
RUN npm run build-docs-only | ||
|
||
# Stage 2: Build webui | ||
FROM --platform=${BUILDPLATFORM} docker.io/node:20 as web-builder | ||
FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder | ||
|
||
ENV NODE_ENV=production | ||
|
||
WORKDIR /work/web | ||
|
||
RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \ | ||
--mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \ | ||
--mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \ | ||
npm ci --include=dev | ||
|
||
COPY ./web /work/web/ | ||
COPY ./website /work/website/ | ||
# COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api | ||
|
||
ENV NODE_ENV=production | ||
WORKDIR /work/web | ||
RUN npm ci --include=dev && npm run build | ||
RUN npm run build | ||
|
||
# Stage 3: Poetry to requirements.txt export | ||
FROM docker.io/python:3.11.3-slim-bullseye AS poetry-locker | ||
# Stage 3: Build go proxy | ||
FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder | ||
|
||
WORKDIR /work | ||
COPY ./pyproject.toml /work | ||
COPY ./poetry.lock /work | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
ARG TARGETVARIANT | ||
|
||
RUN pip install --no-cache-dir poetry && \ | ||
poetry export -f requirements.txt --output requirements.txt && \ | ||
poetry export -f requirements.txt --dev --output requirements-dev.txt | ||
ARG GOOS=$TARGETOS | ||
ARG GOARCH=$TARGETARCH | ||
|
||
# Stage 4: Build go proxy | ||
FROM docker.io/golang:1.20.4-bullseye AS go-builder | ||
WORKDIR /go/src/goauthentik.io | ||
|
||
WORKDIR /work | ||
RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \ | ||
--mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \ | ||
--mount=type=cache,target=/go/pkg/mod \ | ||
go mod download | ||
|
||
COPY --from=web-builder /work/web/robots.txt /work/web/robots.txt | ||
COPY --from=web-builder /work/web/security.txt /work/web/security.txt | ||
COPY ./cmd /go/src/goauthentik.io/cmd | ||
COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib | ||
COPY ./web/static.go /go/src/goauthentik.io/web/static.go | ||
COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt | ||
COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt | ||
COPY ./internal /go/src/goauthentik.io/internal | ||
COPY ./go.mod /go/src/goauthentik.io/go.mod | ||
COPY ./go.sum /go/src/goauthentik.io/go.sum | ||
|
||
COPY ./cmd /work/cmd | ||
COPY ./web/static.go /work/web/static.go | ||
COPY ./internal /work/internal | ||
COPY ./go.mod /work/go.mod | ||
COPY ./go.sum /work/go.sum | ||
ENV CGO_ENABLED=0 | ||
|
||
RUN go build -o /work/authentik ./cmd/server/ | ||
RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \ | ||
--mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \ | ||
GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server | ||
|
||
# Stage 5: MaxMind GeoIP | ||
FROM ghcr.io/maxmind/geoipupdate:v5.1 as geoip | ||
# Stage 4: MaxMind GeoIP | ||
FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.0 as geoip | ||
|
||
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City" | ||
ENV GEOIPUPDATE_VERBOSE="true" | ||
ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID" | ||
ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY" | ||
|
||
USER root | ||
RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \ | ||
--mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \ | ||
mkdir -p /usr/share/GeoIP && \ | ||
/bin/sh -c "\ | ||
export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \ | ||
export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \ | ||
/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0 \ | ||
" | ||
/bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0" | ||
|
||
# Stage 5: Python dependencies | ||
FROM docker.io/python:3.11.5-bookworm AS python-deps | ||
|
||
WORKDIR /ak-root/poetry | ||
|
||
ENV VENV_PATH="/ak-root/venv" \ | ||
POETRY_VIRTUALENVS_CREATE=false \ | ||
PATH="/ak-root/venv/bin:$PATH" | ||
|
||
RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache | ||
|
||
RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \ | ||
apt-get update && \ | ||
# Required for installing pip packages | ||
apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev | ||
|
||
RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \ | ||
--mount=type=bind,target=./poetry.lock,src=./poetry.lock \ | ||
--mount=type=cache,target=/root/.cache/pip \ | ||
--mount=type=cache,target=/root/.cache/pypoetry \ | ||
python -m venv /ak-root/venv/ && \ | ||
pip3 install --upgrade pip && \ | ||
pip3 install poetry && \ | ||
pip3 install psycopg2-binary && \ | ||
poetry install --only=main --no-ansi --no-interaction | ||
|
||
# Stage 6: Run | ||
FROM docker.io/python:3.11.3-slim-bullseye AS final-image | ||
FROM docker.io/python:3.11.5-slim-bookworm AS final-image | ||
|
||
ARG GIT_BUILD_HASH | ||
ARG VERSION | ||
ENV GIT_BUILD_HASH=$GIT_BUILD_HASH | ||
|
||
LABEL org.opencontainers.image.url https://goauthentik.io | ||
LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info. | ||
LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik | ||
LABEL org.opencontainers.image.version ${VERSION} | ||
LABEL org.opencontainers.image.revision ${GIT_BUILD_HASH} | ||
|
||
WORKDIR / | ||
|
||
ARG GIT_BUILD_HASH | ||
ENV GIT_BUILD_HASH=$GIT_BUILD_HASH | ||
|
||
COPY --from=poetry-locker /work/requirements.txt / | ||
COPY --from=poetry-locker /work/requirements-dev.txt / | ||
COPY --from=geoip /usr/share/GeoIP /geoip | ||
|
||
# We cannot cache this layer otherwise we'll end up with a bigger image | ||
RUN apt-get update && \ | ||
# Required for installing pip packages | ||
apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev && \ | ||
# Required for runtime | ||
apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \ | ||
apt-get install -y dumb-init && \ | ||
apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 && \ | ||
# Required for bootstrap & healtcheck | ||
apt-get install -y --no-install-recommends runit && \ | ||
pip install --no-cache-dir -r /requirements.txt && \ | ||
apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev && \ | ||
apt-get autoremove --purge -y && \ | ||
apt-get clean && \ | ||
rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \ | ||
adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \ | ||
mkdir -p /certs /media /blueprints && \ | ||
mkdir -p /authentik/.ssh && \ | ||
chown authentik:authentik /certs /media /authentik/.ssh | ||
mkdir -p /ak-root && \ | ||
chown authentik:authentik /certs /media /authentik/.ssh /ak-root | ||
|
||
COPY ./authentik/ /authentik | ||
COPY ./pyproject.toml / | ||
COPY ./poetry.lock / | ||
COPY ./schemas /schemas | ||
COPY ./locale /locale | ||
COPY ./tests /tests | ||
COPY ./manage.py / | ||
COPY ./blueprints /blueprints | ||
COPY ./lifecycle/ /lifecycle | ||
COPY --from=go-builder /work/authentik /bin/authentik | ||
COPY --from=go-builder /go/authentik /bin/authentik | ||
COPY --from=python-deps /ak-root/venv /ak-root/venv | ||
COPY --from=web-builder /work/web/dist/ /web/dist/ | ||
COPY --from=web-builder /work/web/authentik/ /web/authentik/ | ||
COPY --from=website-builder /work/website/help/ /website/help/ | ||
COPY --from=geoip /usr/share/GeoIP /geoip | ||
|
||
USER 1000 | ||
|
||
ENV TMPDIR /dev/shm/ | ||
ENV PYTHONUNBUFFERED 1 | ||
ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/lifecycle" | ||
ENV TMPDIR=/dev/shm/ \ | ||
PYTHONDONTWRITEBYTECODE=1 \ | ||
PYTHONUNBUFFERED=1 \ | ||
PATH="/ak-root/venv/bin:/lifecycle:$PATH" \ | ||
VENV_PATH="/ak-root/venv" \ | ||
POETRY_VIRTUALENVS_CREATE=false | ||
|
||
HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "/lifecycle/ak", "healthcheck" ] | ||
HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ] | ||
|
||
ENTRYPOINT [ "/usr/local/bin/dumb-init", "--", "/lifecycle/ak" ] | ||
ENTRYPOINT [ "dumb-init", "--", "ak" ] |
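Review bot: The python-deps stage installs unpinned packages (`pip3 install --upgrade pip`, `pip3 install poetry`, `pip3 install psycopg2-binary`), so those packages and their dependency trees are resolved at build time outside poetry.lock, and because that stage's ENV puts /ak-root/venv/bin first on PATH they go into the same venv that is later copied into the runtime image with `COPY --from=python-deps /ak-root/venv /ak-root/venv`. As far as I can tell this makes the runtime Python contents non-reproducible and ships the poetry toolchain inside the server image. Pin them, e.g. `pip3 install poetry==<PINNED_VERSION>` and `pip3 install psycopg2-binary==<PINNED_VERSION>`, or install poetry with a separate interpreter so only lock-file dependencies land in the venv. Separately, the apt cache id `apt-$TARGETARCH$TARGETVARIANT` in python-deps references platform args that are only declared with ARG in the go-builder stage; if they expand empty here, every architecture shares one apt cache key, which is worth confirming by adding `ARG TARGETARCH` and `ARG TARGETVARIANT` to that stage.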