refactor: atlantis-image build pipeline and docker images

Atlantis built and maintained two separate docker images, atlantis and
atlantis-base. This made cutting releases cumbersome and had
inefficiencies in the docker image layers.

This PR condenses the workflow into a single job and Dockerfile once
again by utilizing multi-stage builds more heavily and Docker build targeting.

.github/workflows/atlantis-image.yml

@@ -10,6 +10,7 @@ on:
   pull_request:
     paths:
       - 'Dockerfile'
+      - 'docker-entrypoint.sh'
       - '.github/workflows/atlantis-image.yml'
   workflow_dispatch:
 
@@ -47,6 +48,7 @@ jobs:
         images: |
           atlantis
         labels: |
+          authors="Anubhav Mishra, Luke Kysow"
           org.opencontainers.image.licenses=Apache-2.0
         tags: |
           type=ref,event=branch
@@ -69,12 +71,12 @@ jobs:
         cache-from: type=gha
         cache-to: type=gha,mode=max
         context: .
-        build-args: ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }}
         platforms: linux/arm64/v8,linux/amd64,linux/arm/v7
         push: ${{ github.event_name != 'pull_request' }}
         tags: |
           ghcr.io/${{ github.repository_owner }}/atlantis:dev${{ env.IMAGE_SUFFIX }}
           ghcr.io/${{ github.repository_owner }}/atlantis:dev-${{ matrix.image_type }}
+        target: ${{ matrix.image_type }}
         labels: ${{ steps.meta.outputs.labels }}
 
     # Publish release to container registry
@@ -93,7 +95,6 @@ jobs:
         cache-from: type=gha
         cache-to: type=gha,mode=max
         context: .
-        build-args: ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }}
         platforms: linux/arm64/v8,linux/amd64,linux/arm/v7
         push: ${{ github.event_name != 'pull_request' }}
         # release version is the name of the tag i.e. v0.10.0
@@ -107,4 +108,5 @@ jobs:
           ${{ env.IMAGE_BASE }}:${{ env.RELEASE_VERSION }}-${{ matrix.image_type }}
           ${{ env.IMAGE_BASE }}:${{ env.RELEASE_TAG }}${{ env.IMAGE_SUFFIX }}
           ${{ env.IMAGE_BASE }}:${{ env.RELEASE_TAG }}-${{ matrix.image_type }}
+        target: ${{ matrix.image_type }}
         labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -1,30 +1,104 @@
-ARG ATLANTIS_BASE=ghcr.io/runatlantis/atlantis-base
-ARG ATLANTIS_BASE_TAG_DATE=latest
-ARG ATLANTIS_BASE_TAG_TYPE=alpine
+# syntax=docker/dockerfile:1
+# what distro is the image being built for
+ARG ALPINE_TAG=3.17.0
+ARG DEBIAN_TAG=bullseye-20221219-slim
 
-# Stage 1: build artifact
-
-FROM golang:1.19.5-alpine AS builder
+# Stage 1: build artifact and download deps
+FROM golang:1.19.4-alpine AS builder
 
 WORKDIR /app
 COPY . /app
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -v -o atlantis .
 
-# Stage 2
-# The runatlantis/atlantis-base is created by docker-base/Dockerfile
-FROM ${ATLANTIS_BASE}:${ATLANTIS_BASE_TAG_DATE}-${ATLANTIS_BASE_TAG_TYPE} AS base
+FROM debian:${DEBIAN_TAG} as deps
 
 # Get the architecture the image is being built for
 ARG TARGETPLATFORM
 
+# Install packages needed for building/verifying dependencies
+# hadolint ignore=DL3008,SC2261
+WORKDIR /tmp/build
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates>=20210119 \
+        curl>=7.74 \
+        git>=1:2.30 \
+        unzip>=6.0 \
+        bash>=5.1 \
+        openssh-server>=1:8.4p1 \
+        libcap2>=1:2.44 \
+        dumb-init>=1.2 \
+        gnupg>=2.2 \
+        openssl>=1.1.1n
+
+# install conftest
+# renovate: datasource=github-releases depName=open-policy-agent/conftest
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+ENV DEFAULT_CONFTEST_VERSION=0.38.0
+RUN AVAILABLE_CONFTEST_VERSIONS="${DEFAULT_CONFTEST_VERSION}" && \
+    case ${TARGETPLATFORM} in \
+        "linux/amd64") CONFTEST_ARCH=x86_64 ;; \
+        "linux/arm64") CONFTEST_ARCH=arm64 ;; \
+        # There is currently no compiled version of conftest for armv7
+        "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \
+    esac && \
+    for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \
+        curl -LOs https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz && \
+        curl -LOs https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt && \
+        sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \
+        mkdir -p /usr/local/bin/cft/versions/${VERSION} && \
+        tar -C /usr/local/bin/cft/versions/${VERSION} -xzf conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz && \
+        ln -s /usr/local/bin/cft/versions/${VERSION}/conftest /usr/local/bin/conftest && \
+        rm conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz && \
+        rm checksums.txt; \
+    done
+
+# install gosu
+# We use gosu to step down from root and run as the atlantis user
+# renovate: datasource=github-releases depName=tianon/gosu
+ENV GOSU_VERSION=1.16
+
+RUN case ${TARGETPLATFORM} in \
+        "linux/amd64") GOSU_ARCH=amd64 ;; \
+        "linux/arm64") GOSU_ARCH=arm64 ;; \
+        "linux/arm/v7") GOSU_ARCH=armhf ;; \
+    esac && \
+    curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \
+    curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \
+    for server in $(shuf -e ipv4.pool.sks-keyservers.net \
+                            hkp://p80.pool.sks-keyservers.net:80 \
+                            keyserver.ubuntu.com \
+                            hkp://keyserver.ubuntu.com:80 \
+                            pgp.mit.edu) ; do \
+        gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
+    done && \
+    gpg --batch --verify gosu.asc gosu && \
+    chmod +x gosu && \
+    cp gosu /bin && \
+    gosu --version
+
+# install git-lfs
+# renovate: datasource=github-releases depName=git-lfs/git-lfs
+ENV GIT_LFS_VERSION=3.3.0
+
+RUN case ${TARGETPLATFORM} in \
+        "linux/amd64") GIT_LFS_ARCH=amd64 ;; \
+        "linux/arm64") GIT_LFS_ARCH=arm64 ;; \
+        "linux/arm/v7") GIT_LFS_ARCH=arm ;; \
+    esac && \
+    curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \
+    tar --strip-components=1 -xf git-lfs.tar.gz && \
+    chmod +x git-lfs && \
+    mv git-lfs /usr/bin/git-lfs && \
+    git-lfs --version
+
 # install terraform binaries
 # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
 ENV DEFAULT_TERRAFORM_VERSION=1.3.7
 
-# In the official Atlantis image we only have the latest of each Terraform version.
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+# In the official Atlantis image, we only have the latest of each Terraform version.
 RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 ${DEFAULT_TERRAFORM_VERSION}" && \
     case "${TARGETPLATFORM}" in \
         "linux/amd64") TERRAFORM_ARCH=amd64 ;; \
@@ -44,34 +118,86 @@ RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 ${DEFAULT_TERRAFORM_VERSION
     done && \
     ln -s "/usr/local/bin/tf/versions/${DEFAULT_TERRAFORM_VERSION}/terraform" /usr/local/bin/terraform
 
-# renovate: datasource=github-releases depName=open-policy-agent/conftest
-ENV DEFAULT_CONFTEST_VERSION=0.38.0
 
-RUN AVAILABLE_CONFTEST_VERSIONS="${DEFAULT_CONFTEST_VERSION}" && \
-    case ${TARGETPLATFORM} in \
-        "linux/amd64") CONFTEST_ARCH=x86_64 ;; \
-        "linux/arm64") CONFTEST_ARCH=arm64 ;; \
-        # There is currently no compiled version of conftest for armv7
-        "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \
-    esac && \
-    for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \
-        curl -LOs https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz && \
-        curl -LOs https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt && \
-        sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \
-        mkdir -p /usr/local/bin/cft/versions/${VERSION} && \
-        tar -C /usr/local/bin/cft/versions/${VERSION} -xzf conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz && \
-        ln -s /usr/local/bin/cft/versions/${VERSION}/conftest /usr/local/bin/conftest${VERSION} && \
-        rm conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz && \
-        rm checksums.txt; \
-    done
+# Stage 2 - Alpine
+# Creating the individual distro builds using targets
+FROM alpine:${ALPINE_TAG} AS alpine
 
-RUN ln -s /usr/local/bin/cft/versions/${DEFAULT_CONFTEST_VERSION}/conftest /usr/local/bin/conftest
+# atlantis user for gosu and OpenShift compatibility
+RUN addgroup atlantis && \
+    adduser -S -G atlantis atlantis && \
+    adduser atlantis root && \
+    chown atlantis:root /home/atlantis/ && \
+    chmod g=u /home/atlantis/ && \
+    chmod g=u /etc/passwd
 
 # copy binary
 COPY --from=builder /app/atlantis /usr/local/bin/atlantis
+# copy terraform
+# TODO: figure out better way to copy versions over, maybe just track one version
+COPY --from=deps /usr/local/bin/terraform /usr/local/bin/terraform
+COPY --from=deps /usr/local/bin/terraform1.2.9 /usr/local/bin/terraform1.2.9
+COPY --from=deps /usr/local/bin/terraform1.1.9 /usr/local/bin/terraform1.1.9
+COPY --from=deps /usr/local/bin/terraform1.0.11 /usr/local/bin/terraform1.0.11
+# copy deps
+COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
+COPY --from=deps /bin/gosu /bin/gosu
+COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
+# copy docker entrypoint
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+# Install packages needed for running Atlantis.
+# We place this last as it will bust less docker layer caches when packages update
+RUN apk add --no-cache \
+        ca-certificates~=20220614 \
+        curl~=7.87 \
+        git~=2.38 \
+        unzip~=6.0 \
+        bash~=5.2 \
+        openssh~=9.1_p1 \
+        libcap~=2.66 \
+        dumb-init~=1.2 \
+        gcompat~=1.1
 
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["server"]
+
+# Stage 2 - Debian
+FROM debian:${DEBIAN_TAG} AS debian
+
+# copy binary
+COPY --from=builder /app/atlantis /usr/local/bin/atlantis
+# copy terraform
+# TODO: figure out better way to copy versions over, maybe just track one version
+COPY --from=deps /usr/local/bin/terraform /usr/local/bin/terraform
+COPY --from=deps /usr/local/bin/terraform1.2.9 /usr/local/bin/terraform1.2.9
+COPY --from=deps /usr/local/bin/terraform1.1.9 /usr/local/bin/terraform1.1.9
+COPY --from=deps /usr/local/bin/terraform1.0.11 /usr/local/bin/terraform1.0.11
+# copy deps
+COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
+COPY --from=deps /bin/gosu /bin/gosu
+COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
 # copy docker entrypoint
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
+# Install packages needed for running Atlantis.
+# We place this last as it will bust less docker layer caches when packages update
+# hadolint ignore explanation
+# DL3008 (pin versions using "=") - Ignored to avoid failing the build
+# SC2261 (multiple redirections) - This is a bug https://github.com/hadolint/hadolint/issues/782
+# hadolint ignore=DL3008,SC2261
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        ca-certificates>=20210119 \
+        curl>=7.74 \
+        git>=1:2.30 \
+        unzip>=6.0 \
+        bash>=5.1 \
+        openssh-server>=1:8.4p1 \
+        libcap2>=1:2.44 \
+        dumb-init>=1.2 && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server"]

Dockerfile.dev

@@ -1,7 +1,3 @@
 FROM ghcr.io/runatlantis/atlantis:latest
 COPY atlantis /usr/local/bin/atlantis
-# TODO: remove this once we get this in the base image
-# renovate: datasource=github-releases depName=open-policy-agent/conftest
-ENV DEFAULT_CONFTEST_VERSION=0.38.0
-
 WORKDIR /atlantis/src