-
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
55 additions
and
103 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,167 +1,119 @@ | ||
| # syntax=docker/dockerfile:1 | ||
|
|
||
| # Stage 1: Build website | ||
| FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder | ||
|
|
||
| ENV NODE_ENV=production | ||
|
|
||
| WORKDIR /work/website | ||
|
|
||
| RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \ | ||
| --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \ | ||
| --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \ | ||
| npm ci --include=dev | ||
| FROM --platform=${BUILDPLATFORM} docker.io/node:20 as website-builder | ||
|
|
||
| COPY ./website /work/website/ | ||
| COPY ./blueprints /work/blueprints/ | ||
| COPY ./SECURITY.md /work/ | ||
|
|
||
| RUN npm run build-docs-only | ||
|
|
||
| # Stage 2: Build webui | ||
| FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder | ||
|
|
||
| ENV NODE_ENV=production | ||
| WORKDIR /work/website | ||
| RUN npm ci --include=dev && npm run build-docs-only | ||
|
|
||
| WORKDIR /work/web | ||
|
|
||
| RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \ | ||
| --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \ | ||
| --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \ | ||
| npm ci --include=dev | ||
| # Stage 2: Build webui | ||
| FROM --platform=${BUILDPLATFORM} docker.io/node:20 as web-builder | ||
|
|
||
| COPY ./web /work/web/ | ||
| COPY ./website /work/website/ | ||
| # COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api | ||
|
|
||
| RUN npm run build | ||
| ENV NODE_ENV=production | ||
| WORKDIR /work/web | ||
| RUN npm ci --include=dev && npm run build | ||
|
|
||
| # Stage 3: Build go proxy | ||
| FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder | ||
| # Stage 3: Poetry to requirements.txt export | ||
| FROM docker.io/python:3.11.3-slim-bullseye AS poetry-locker | ||
|
|
||
| ARG TARGETOS | ||
| ARG TARGETARCH | ||
| ARG TARGETVARIANT | ||
| WORKDIR /work | ||
| COPY ./pyproject.toml /work | ||
| COPY ./poetry.lock /work | ||
|
|
||
| ARG GOOS=$TARGETOS | ||
| ARG GOARCH=$TARGETARCH | ||
| RUN pip install --no-cache-dir poetry && \ | ||
| poetry export -f requirements.txt --output requirements.txt && \ | ||
| poetry export -f requirements.txt --dev --output requirements-dev.txt | ||
|
|
||
| WORKDIR /go/src/goauthentik.io | ||
| # Stage 4: Build go proxy | ||
| FROM docker.io/golang:1.20.4-bullseye AS go-builder | ||
|
|
||
| RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \ | ||
| --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \ | ||
| --mount=type=cache,target=/go/pkg/mod \ | ||
| go mod download | ||
| WORKDIR /work | ||
|
|
||
| COPY ./cmd /go/src/goauthentik.io/cmd | ||
| COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib | ||
| COPY ./web/static.go /go/src/goauthentik.io/web/static.go | ||
| COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt | ||
| COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt | ||
| COPY ./internal /go/src/goauthentik.io/internal | ||
| COPY ./go.mod /go/src/goauthentik.io/go.mod | ||
| COPY ./go.sum /go/src/goauthentik.io/go.sum | ||
| COPY --from=web-builder /work/web/robots.txt /work/web/robots.txt | ||
| COPY --from=web-builder /work/web/security.txt /work/web/security.txt | ||
|
|
||
| ENV CGO_ENABLED=0 | ||
| COPY ./cmd /work/cmd | ||
| COPY ./web/static.go /work/web/static.go | ||
| COPY ./internal /work/internal | ||
| COPY ./go.mod /work/go.mod | ||
| COPY ./go.sum /work/go.sum | ||
|
|
||
| RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \ | ||
| --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \ | ||
| GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server | ||
| RUN go build -o /work/authentik ./cmd/server/ | ||
|
|
||
| # Stage 4: MaxMind GeoIP | ||
| FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.0 as geoip | ||
| # Stage 5: MaxMind GeoIP | ||
| FROM ghcr.io/maxmind/geoipupdate:v5.1 as geoip | ||
|
|
||
| ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City" | ||
| ENV GEOIPUPDATE_VERBOSE="true" | ||
| ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID" | ||
| ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY" | ||
|
|
||
| USER root | ||
| RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \ | ||
| --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \ | ||
| mkdir -p /usr/share/GeoIP && \ | ||
| /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0" | ||
|
|
||
| # Stage 5: Python dependencies | ||
| FROM docker.io/python:3.11.5-bookworm AS python-deps | ||
|
|
||
| WORKDIR /ak-root/poetry | ||
|
|
||
| ENV VENV_PATH="/ak-root/venv" \ | ||
| POETRY_VIRTUALENVS_CREATE=false \ | ||
| PATH="/ak-root/venv/bin:$PATH" | ||
|
|
||
| RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache | ||
|
|
||
| RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \ | ||
| apt-get update && \ | ||
| # Required for installing pip packages | ||
| apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev | ||
|
|
||
| RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \ | ||
| --mount=type=bind,target=./poetry.lock,src=./poetry.lock \ | ||
| --mount=type=cache,target=/root/.cache/pip \ | ||
| --mount=type=cache,target=/root/.cache/pypoetry \ | ||
| python -m venv /ak-root/venv/ && \ | ||
| pip3 install --upgrade pip && \ | ||
| pip3 install poetry && \ | ||
| poetry install --only=main --no-ansi --no-interaction | ||
| /bin/sh -c "\ | ||
| export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \ | ||
| export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \ | ||
| /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0 \ | ||
| " | ||
|
|
||
| # Stage 6: Run | ||
| FROM docker.io/python:3.11.5-slim-bookworm AS final-image | ||
|
|
||
| ARG GIT_BUILD_HASH | ||
| ARG VERSION | ||
| ENV GIT_BUILD_HASH=$GIT_BUILD_HASH | ||
| FROM docker.io/python:3.11.3-slim-bullseye AS final-image | ||
|
|
||
| LABEL org.opencontainers.image.url https://goauthentik.io | ||
| LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info. | ||
| LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik | ||
| LABEL org.opencontainers.image.version ${VERSION} | ||
| LABEL org.opencontainers.image.revision ${GIT_BUILD_HASH} | ||
|
|
||
| WORKDIR / | ||
|
|
||
| # We cannot cache this layer otherwise we'll end up with a bigger image | ||
| ARG GIT_BUILD_HASH | ||
| ENV GIT_BUILD_HASH=$GIT_BUILD_HASH | ||
|
|
||
| COPY --from=poetry-locker /work/requirements.txt / | ||
| COPY --from=poetry-locker /work/requirements-dev.txt / | ||
| COPY --from=geoip /usr/share/GeoIP /geoip | ||
|
|
||
| RUN apt-get update && \ | ||
| # Required for installing pip packages | ||
| apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev && \ | ||
| # Required for runtime | ||
| apt-get install -y dumb-init && \ | ||
| apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 && \ | ||
| apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \ | ||
| # Required for bootstrap & healtcheck | ||
| apt-get install -y --no-install-recommends runit && \ | ||
| pip install --no-cache-dir -r /requirements.txt && \ | ||
| apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev && \ | ||
| apt-get autoremove --purge -y && \ | ||
| apt-get clean && \ | ||
| rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \ | ||
| adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \ | ||
| mkdir -p /certs /media /blueprints && \ | ||
| mkdir -p /authentik/.ssh && \ | ||
| mkdir -p /ak-root && \ | ||
| chown authentik:authentik /certs /media /authentik/.ssh /ak-root | ||
| chown authentik:authentik /certs /media /authentik/.ssh | ||
|
|
||
| COPY ./authentik/ /authentik | ||
| COPY ./pyproject.toml / | ||
| COPY ./poetry.lock / | ||
| COPY ./schemas /schemas | ||
| COPY ./locale /locale | ||
| COPY ./tests /tests | ||
| COPY ./manage.py / | ||
| COPY ./blueprints /blueprints | ||
| COPY ./lifecycle/ /lifecycle | ||
| COPY --from=go-builder /go/authentik /bin/authentik | ||
| COPY --from=python-deps /ak-root/venv /ak-root/venv | ||
| COPY --from=go-builder /work/authentik /bin/authentik | ||
| COPY --from=web-builder /work/web/dist/ /web/dist/ | ||
| COPY --from=web-builder /work/web/authentik/ /web/authentik/ | ||
| COPY --from=website-builder /work/website/help/ /website/help/ | ||
| COPY --from=geoip /usr/share/GeoIP /geoip | ||
|
|
||
| USER 1000 | ||
|
|
||
| ENV TMPDIR=/dev/shm/ \ | ||
| PYTHONDONTWRITEBYTECODE=1 \ | ||
| PYTHONUNBUFFERED=1 \ | ||
| PATH="/ak-root/venv/bin:/lifecycle:$PATH" \ | ||
| VENV_PATH="/ak-root/venv" \ | ||
| POETRY_VIRTUALENVS_CREATE=false | ||
| ENV TMPDIR /dev/shm/ | ||
| ENV PYTHONUNBUFFERED 1 | ||
| ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/lifecycle" | ||
|
|
||
| HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ] | ||
| HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "/lifecycle/ak", "healthcheck" ] | ||
|
|
||
| ENTRYPOINT [ "dumb-init", "--", "ak" ] | ||
| ENTRYPOINT [ "/usr/local/bin/dumb-init", "--", "/lifecycle/ak" ] |