From e4035192f9a4e321de52e144e9c782e7f0b6e0bd Mon Sep 17 00:00:00 2001
From: MoritzWeber
Date: Mon, 24 Jul 2023 17:57:29 +0200
Subject: [PATCH 1/5] build: Add support for non-root base images
---
 backend/Dockerfile | 2 ++
 docs/user/Dockerfile | 4 +++-
 frontend/Dockerfile | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index bcf466e74..9ef8f1a62 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -7,6 +7,8 @@ FROM $BASE_IMAGE
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
+USER root
+
 RUN apt-get update && \
 apt-get upgrade --yes && \
 apt-get install --yes \
diff --git a/docs/user/Dockerfile b/docs/user/Dockerfile
index e5428604f..513edd3dd 100644
--- a/docs/user/Dockerfile
+++ b/docs/user/Dockerfile
@@ -1,9 +1,11 @@
 # SPDX-FileCopyrightText: Copyright DB Netz AG and the capella-collab-manager contributors
 # SPDX-License-Identifier: Apache-2.0
-ARG BASE_IMAGE=python:3.10
+ARG BASE_IMAGE=python:3.11-bookworm
 FROM $BASE_IMAGE as build
+USER root
+
 RUN pip install -U pip && \
 pip install mkdocs-material
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index ccd3588fc..4ddf62073 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -4,6 +4,8 @@
 ARG BASE_IMAGE=node:18
 FROM $BASE_IMAGE as build
+USER root
+
 ARG CONFIGURATION=production
 RUN npm install -g npm@latest
From a4f92abb483f56fc3eb9dc30de7b39b87e96f86d Mon Sep 17 00:00:00 2001
From: MoritzWeber
Date: Mon, 24 Jul 2023 19:24:04 +0200
Subject: [PATCH 2/5] build: Always install kubectl, change gpg key source We're expecting a python3.11 image, kubectl should not be installed. In some restricted environments, kubectl can only be installed via a custom registry. For these environments, a build argument `https://apt.kubernetes.io/` can be passed.
---
 backend/Dockerfile | 14 ++++++-------
 ci-templates/gitlab/image-builder.yml | 29 +++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 12 deletions(-)
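Review bot: In the backend/Dockerfile hunk of patch 1, `USER root` is added to a stage declared as plain `FROM $BASE_IMAGE` (no `as build`), and nothing visible in the hunk switches back to an unprivileged user, so if no later `USER` instruction exists the shipped container starts as root even on a base image that was deliberately non-root. The Dockerfile continues outside the hunk, so this is inferred; if the rest of the file has no such instruction, end the stage with an explicit `USER <non-root-uid>` (placeholder value) after the last step that needs root. The same `USER root` lines in docs/user/Dockerfile and frontend/Dockerfile sit in stages named `build`, where this matters only if that stage is also the one that ships. A short comment such as `# root is only needed for the package installation below` would record the intent.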
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 9ef8f1a62..275610556 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -18,16 +18,14 @@ RUN apt-get update && \
 curl \
 && rm -rf /var/lib/apt/lists/*
+ARG KUBECTL_APT_REMOTE=https://apt.kubernetes.io/
+
 # Install kubectl if not available in base image
 # kubectl is needed for the list files endpoint
-RUN kubectl_installed="yes"; dpkg -s kubectl || kubectl_installed="no"; \
- if [[ "$kubectl_installed" == "no" ]]; \
- then \
- mkdir -p /etc/apt/keyrings; \
- curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg; \
- echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list; \
- apt-get update && apt-get install -y kubectl && rm -rf /var/lib/apt/lists/*; \
- fi
+RUN mkdir -p /etc/apt/keyrings && \
+ curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg && \
+ echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] $KUBECTL_APT_REMOTE kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \
+ apt-get update && apt-get install -y kubectl && rm -rf /var/lib/apt/lists/*
 EXPOSE 8000
 COPY . /tmp/backend
diff --git a/ci-templates/gitlab/image-builder.yml b/ci-templates/gitlab/image-builder.yml
index d4304a340..6942f64e6 100644
--- a/ci-templates/gitlab/image-builder.yml
+++ b/ci-templates/gitlab/image-builder.yml
@@ -27,6 +27,7 @@ variables:
 DOCKER_BUILD_ARGS: "--no-cache"
 DOCKER_BUILDKIT: "1"
 BASE_IMAGE: "debian:bullseye"
+ KUBECTL_APT_REMOTE: "https://apt.kubernetes.io/"
 default:
 image: $DOCKER_REGISTRY/base
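Review bot: The new `RUN` in the backend/Dockerfile hunk trusts whatever `curl` returns from the hard-coded `https://packages.cloud.google.com/apt/doc/apt-key.gpg`: nothing compares the download with a known fingerprint or digest before it becomes the `signed-by` keyring, and the URL is not parameterised like `KUBECTL_APT_REMOTE`, so the restricted environments named in the commit message still have to reach that host. `apt-get install -y kubectl` also installs whichever version the repository currently serves. The pipe into `gpg --dearmor` depends on the `pipefail` set by the file's `SHELL` instruction and on `gpg` being present in the base image (patch 3 of this series adds `gnupg`). The comment `# Install kubectl if not available in base image` no longer matches the unconditional install. A sketch with the key URL as a build argument and a digest check follows; the digest is a placeholder to be supplied from a trusted source.

```dockerfile
ARG KUBECTL_APT_REMOTE=https://apt.kubernetes.io/
ARG KUBECTL_APT_KEY_URL=https://packages.cloud.google.com/apt/doc/apt-key.gpg
# Placeholder: pass the SHA-256 of the key file, taken from a trusted source.
ARG KUBECTL_APT_KEY_SHA256

# kubectl is needed for the list files endpoint
RUN mkdir -p /etc/apt/keyrings && \
    curl -fsSL -o /tmp/kubernetes-apt-key.asc "$KUBECTL_APT_KEY_URL" && \
    echo "$KUBECTL_APT_KEY_SHA256  /tmp/kubernetes-apt-key.asc" | sha256sum -c - && \
    gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg /tmp/kubernetes-apt-key.asc && \
    rm /tmp/kubernetes-apt-key.asc && \
    # … unchanged: write kubernetes.list, apt-get update, install kubectl, clean apt lists …
```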
@@ -82,7 +83,11 @@ frontend:
 - mv ../environment.prod.ts frontend/src/environments
 - npm i undici
 - python frontend/fetch-version.py
- - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} frontend
+ - >
+ docker build ${DOCKER_BUILD_ARGS} \
+ -t ${IMAGE}:${DOCKER_TAG} \
+ --build-arg BASE_IMAGE=${BASE_IMAGE} \
+ frontend
 - *push
 backend:
@@ -95,7 +100,13 @@ backend:
 - IMAGE=${DOCKER_REGISTRY}/${BACKEND_IMAGE_NAME:?}
 - *docker
 - python backend/generate_git_archival.py
- - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} backend
+ - >
+ docker build \
+ ${DOCKER_BUILD_ARGS} \
+ -t ${IMAGE}:${DOCKER_TAG} \
+ --build-arg BASE_IMAGE=${BASE_IMAGE} \
+ --build-arg KUBECTL_APT_REMOTE="${KUBECTL_APT_REMOTE}" \
+ backend
 - *push
 docs:
@@ -107,7 +118,12 @@ docs:
 - *prepare
 - IMAGE=${DOCKER_REGISTRY}/${DOCS_IMAGE_NAME:?}
 - *docker
- - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} docs/user
+ - >
+ docker build \
+ ${DOCKER_BUILD_ARGS} \
+ -t ${IMAGE}:${DOCKER_TAG} \
+ --build-arg BASE_IMAGE=${BASE_IMAGE} \
+ docs/user
 - *push
 guacamole:
@@ -119,5 +135,10 @@ guacamole:
 - *prepare
 - IMAGE=${DOCKER_REGISTRY}/${GUACAMOLE_IMAGE_NAME:?}
 - *docker
- - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=guacamole/guacamole guacamole
+ - >
+ docker build \
+ ${DOCKER_BUILD_ARGS} \
+ -t ${IMAGE}:${DOCKER_TAG} \
+ --build-arg BASE_IMAGE=guacamole/guacamole \
+ guacamole
 - *push
From 12ca4cb4f1b511f77b3a1062a97ecd04d0afb8ad Mon Sep 17 00:00:00 2001
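Review bot: In the backend job's new `docker build` block of ci-templates/gitlab/image-builder.yml, `KUBECTL_APT_REMOTE` is passed as `"${KUBECTL_APT_REMOTE}"` while `--build-arg BASE_IMAGE=${BASE_IMAGE}` and `-t ${IMAGE}:${DOCKER_TAG}` stay unquoted, so a CI variable containing whitespace would be split into extra `docker build` arguments; the frontend and docs blocks have the same unquoted expansions, and the guacamole block the unquoted `-t`. Quoting them the same way, `-t "${IMAGE}:${DOCKER_TAG}"` and `--build-arg BASE_IMAGE="${BASE_IMAGE}"`, keeps each value a single argument (`${DOCKER_BUILD_ARGS}` presumably stays unquoted on purpose so that it can carry several flags). The blocks also combine a folded scalar `- >` with trailing `\`; indentation is not recoverable on this page, but if the continuation lines are not indented deeper than `docker build`, folding turns each line break into a space and `\ ` then escapes that space instead of continuing the line, which a literal block `- |` avoids.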
From: MoritzWeber
Date: Tue, 25 Jul 2023 14:25:21 +0200
Subject: [PATCH 3/5] refactor: Use debian-slim image instead of python image Some companies only have access to the general debian images, not to Python images. As we're installing kubectl and python, the debian image also provides more flexibility.
---
 backend/Dockerfile | 14 +++++++++++++-
 ci-templates/gitlab/image-builder.yml | 2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 275610556..e39488107 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: Copyright DB Netz AG and the capella-collab-manager contributors
 # SPDX-License-Identifier: Apache-2.0
-ARG BASE_IMAGE=python:3.11-bookworm
+ARG BASE_IMAGE=debian:bookworm-slim
 FROM $BASE_IMAGE
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
@@ -16,6 +16,10 @@ RUN apt-get update && \
 unzip \
 libpq-dev \
 curl \
+ python3 \
+ python3-pip \
+ python3-venv \
+ gnupg \
 && rm -rf /var/lib/apt/lists/*
 ARG KUBECTL_APT_REMOTE=https://apt.kubernetes.io/
@@ -32,6 +36,14 @@ COPY . /tmp/backend
 COPY .git_archival.txt /tmp/.git_archival.txt
 COPY startup.sh /opt/.startup.sh
+# Activate venv
+RUN ln -s $(which python3.11) /usr/bin/python && \
+ ln -sf $(which python3.11) /usr/bin/python3 && \
+ python -m venv /opt/.venv
+ENV _OLD_VIRTUAL_PATH="$PATH"
+ENV VIRTUAL_ENV=/opt/.venv
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
 WORKDIR /tmp/backend
 RUN --mount=type=cache,id=capella-collaboration-backend-dependencies,target=/root/.cache/pip,sharing=locked \
 pip install ".[psycopg2]"
diff --git a/ci-templates/gitlab/image-builder.yml b/ci-templates/gitlab/image-builder.yml
index 6942f64e6..f2cfe17b0 100644
--- a/ci-templates/gitlab/image-builder.yml
+++ b/ci-templates/gitlab/image-builder.yml
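Review bot: The `# Activate venv` step in the third backend/Dockerfile hunk of patch 3 hard-codes `python3.11` although `BASE_IMAGE` is an overridable build argument, and `ln -sf $(which python3.11) /usr/bin/python3` overwrites a path that is normally managed by the distribution's Python packages. On a base image that ships another Python version, `$(which python3.11)` expands to nothing, the unquoted substitution drops out of the `ln` command line, and as far as the visible lines show the build would fail only later, at `python -m venv`. Creating the environment from the packaged interpreter needs neither link, because `/opt/.venv/bin` is put first on `PATH` and provides `python`: `RUN python3 -m venv /opt/.venv`. `ENV _OLD_VIRTUAL_PATH="$PATH"` is read by nothing visible in the hunk; if no later step uses it, it can be dropped.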
@@ -26,7 +26,7 @@ variables:
 GUACAMOLE_IMAGE_NAME: "capella/collab/guacamole"
 DOCKER_BUILD_ARGS: "--no-cache"
 DOCKER_BUILDKIT: "1"
- BASE_IMAGE: "debian:bullseye"
+ BASE_IMAGE: "debian:bookworm"
 KUBECTL_APT_REMOTE: "https://apt.kubernetes.io/"
 default:
From 1113eba0d0b2c97f33c155cf801c9549b5f407f7 Mon Sep 17 00:00:00 2001
From: MoritzWeber
Date: Tue, 25 Jul 2023 14:40:10 +0200
Subject: [PATCH 4/5] refactor: Remove psycopg2 installation from source https://github.com/psycopg/psycopg2/issues/1360 is resolved. Installation from source no longer needed.
---
 backend/Dockerfile | 2 +-
 backend/pyproject.toml | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index e39488107..0c9688d72 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -46,7 +46,7 @@ ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 WORKDIR /tmp/backend
 RUN --mount=type=cache,id=capella-collaboration-backend-dependencies,target=/root/.cache/pip,sharing=locked \
- pip install ".[psycopg2]"
+ pip install .
 RUN mkdir -p /var/log/backend && \
 chmod -R 777 /var/log/backend
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index 1f4413678..72848c612 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -66,9 +66,6 @@ dev = [
 "pytest-cov",
 "aioresponses"
 ]
-psycopg2 = [
- "psycopg2", # Need when running in a Docker container with AArch64: https://github.com/psycopg/psycopg2/issues/1360
-]
 [project.entry-points."capellacollab.authentication.providers"]
 oauth = "capellacollab.core.authentication.provider.oauth"
From 8d902367e59f5ece8292881d992897d47d25b74d Mon Sep 17 00:00:00 2001
From: MoritzWeber
Date: Tue, 25 Jul 2023 14:49:27 +0200
Subject: [PATCH 5/5] fix: Add Git LFS to backend image Git is required to fetch the current status of Git repositories.
---
 backend/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 0c9688d72..351b8132d 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -20,6 +20,7 @@ RUN apt-get update && \
 python3-pip \
 python3-venv \
 gnupg \
+ git-lfs \
 && rm -rf /var/lib/apt/lists/*
 ARG KUBECTL_APT_REMOTE=https://apt.kubernetes.io/