-
Notifications
You must be signed in to change notification settings - Fork 43
Expand file tree
/
Copy pathDockerfile.ssl
More file actions
57 lines (51 loc) · 2.88 KB
/
Copy pathDockerfile.ssl
File metadata and controls
57 lines (51 loc) · 2.88 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Stage 1: Build React app
# Pin node:20-alpine by digest for reproducible builds. Update with:
# docker pull node:20-alpine
# docker inspect node:20-alpine --format '{{index .RepoDigests 0}}'
FROM node:20-alpine@sha256:f598378b5240225e6beab68fa9f356db1fb8efe55173e6d4d8153113bb8f333c AS builder
WORKDIR /app
COPY package*.json ./
# --ignore-scripts: refuse to run (possibly malicious) postinstall from deps.
# sphere's direct deps don't need postinstall; if a future dep does, wire it
# explicitly rather than relaxing this.
RUN npm ci --ignore-scripts
COPY . .
# Build-once, promote-many: bake sentinel placeholders (not real values) so the
# image is environment-agnostic; deploy/entrypoint.sh rewrites them to the real
# per-env values at container start. See deploy/runtime-config.sh for the
# runtime env contract. Override an ARG only to pin a literal at build time.
ARG VITE_SPHERE_API_URL=__RUNTIME_SPHERE_API_URL__
ARG VITE_WALLET_API_URL=__RUNTIME_WALLET_API_URL__
ARG VITE_REQUIRE_WALLET_API=__RUNTIME_REQUIRE_WALLET_API__
ARG VITE_AGGREGATOR_API_KEY=__RUNTIME_AGGREGATOR_API_KEY__
ARG VITE_DEV_PORTAL_URL=__RUNTIME_DEV_PORTAL_URL__
# Subscription vars have NO placeholders on purpose — they are runtime-provided
# via window.__SPHERE_RUNTIME_CONFIG__ (/runtime-config.js, written at container
# start by sphere-runtime-config). See the note in the main Dockerfile.
ARG BASE_PATH=/
ENV VITE_SPHERE_API_URL=$VITE_SPHERE_API_URL \
VITE_WALLET_API_URL=$VITE_WALLET_API_URL \
VITE_REQUIRE_WALLET_API=$VITE_REQUIRE_WALLET_API \
VITE_AGGREGATOR_API_KEY=$VITE_AGGREGATOR_API_KEY \
VITE_DEV_PORTAL_URL=$VITE_DEV_PORTAL_URL \
BASE_PATH=$BASE_PATH
RUN npm run build
# Stage 2: ssl-manager base + nginx + tini
# Pin digest for reproducible builds. Update with:
# docker pull ghcr.io/unicitynetwork/ssl-manager:latest
# docker inspect ghcr.io/unicitynetwork/ssl-manager:latest --format '{{index .RepoDigests 0}}'
FROM ghcr.io/unicitynetwork/ssl-manager@sha256:d73f7df00a38fa3feae88ed2d5d21db68a5d748573441b23d86f30381d6719ae
# - tini: PID-1 reaps zombie children spawned by ssl-setup (ssl-http-proxy,
# ssl-renew, certbot forks). Bash alone doesn't reap them reliably.
# - nginx: static-file server.
# - curl: used by run-sphere.sh's app_health_check; without it the probe
# silently reports "fail" even when the service is healthy.
RUN apt-get update && apt-get install -y --no-install-recommends tini nginx curl && \
apt-get clean && rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/dist /usr/share/nginx/html
COPY deploy/entrypoint.sh /usr/local/bin/sphere-entrypoint
COPY deploy/runtime-config.sh /usr/local/bin/sphere-runtime-config
RUN chmod +x /usr/local/bin/sphere-entrypoint /usr/local/bin/sphere-runtime-config
EXPOSE 8080 443
# tini as PID 1 forwards signals to the entrypoint and reaps orphaned children.
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/sphere-entrypoint"]