Use multistage build for gateway

[psschwei]

No description provided.

[Tansito]

@akihikokuroda could you take a look to this PR? I would like a double check apart from my side around this change 🙏

Regardless of my only comment I see everything fine but I would like another review from Aki if it's possible.

[akihikokuroda]

I wonder why this APP image is necessary. What is the difference between copying back the ${MICRO_IMAGE_DIR}/ into the BASE image and the APP image?

[psschwei]

The BASE image still has things like a package manager and a shell that the gateway really doesn't need, whereas scratch / APP is empty except for what we explicitly add to it. So that does two things: (a) it reduces the number of components that we have to manage for CVEs, and (b) it reduces the threat vectors for that particular container.

[akihikokuroda]

I may be wrong but I read

COPY --from=BASE / ${MICRO_IMAGE_DIR}

copies everything in the BASE to ${MICRO_IMAGE_DIR} directory and

COPY --from=BUILD ${MICRO_IMAGE_DIR}/ .

copies everything in the BASE + additional pieces to the APP
So everything in the BASE is copied to APP. Where am I misunderstanding?

[psschwei]

You could be right... I'm just copying from what another team already did and didn't look too closely at what they were doing, I just assumed it worked since it had already gone through review.

[akihikokuroda]

Is the setuptools unnecessary after all or is the right version in ubi9-micro:9.4-15?

[psschwei]

I was assuming that the scratch image doesn't have setuptools so it shouldn't need to be updated. but maybe it will be?

[akihikokuroda]

I'm not sure. Scan will tell us :-)

[psschwei]

all hail general scan 😆

[akihikokuroda]

I don't see any major issues.