-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor(atlantis-image): recombine with atlantis-base #3001
refactor(atlantis-image): recombine with atlantis-base #3001
Conversation
8769a21
to
4d29519
Compare
how will the update flow look like? if we need to update or add a TF version? |
The same way it is right now, you'll update the Dockerfile. I purposefully left the image tags as ARGs and not ENVs incase we decide on a solution to pass in tags via the GHA workflow. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the contribution. I had a few comments
4d29519
to
39e6484
Compare
Dockerfile
Outdated
RUN apk add --no-cache \ | ||
ca-certificates~=20220614 \ | ||
curl~=7.87 \ | ||
git~=2.38 \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does git~=2.38
allow the latest git 2.39 to be installed without using the separate package repo?
Ref: #2998
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I doesn't appear to: https://jubianchi.github.io/semver-check/#/~%3D2.38/2.39.0
Looks like we might have to do git~=2
which honestly is weird to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems ok to me, as long as it picks up the latest git security patch. If you're not comfortable with ~2, let's raise the pin to ~2.39.
b63bc34
to
db22d76
Compare
# Install packages needed for building/verifying dependencies | ||
# hadolint ignore=DL3008,SC2261 | ||
WORKDIR /tmp/build | ||
RUN apt-get update \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are these lines repeated on 180? Couldn't we install these packages just once in the debian release?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, I can improve this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Revisiting this, we re-install twice because we throw away the builder image which has more package installs, and this is a slimmed down install for the actual release image.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But now we have 2 places where we need to make sure these dependencies are up to date... Seems like extra maintenance and an easy thing to bump in one section and forget to bump in another
@@ -56,6 +63,7 @@ jobs: | |||
images: | | |||
${{ env.DOCKER_REPO }} | |||
labels: | | |||
org.opencontainers.image.authors="Anubhav Mishra, Luke Kysow" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: This label seems no longer relevant as these authors are no longer actively maintaining the repo. I think we can omit this in the future
context: . | ||
platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 | ||
push: ${{ github.event_name != 'pull_request' }} | ||
tags: | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems incorrect. We started using the metadata tags in a recent pr.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this entire block can be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \ | ||
# In the official Atlantis image, we only have the latest of each Terraform version. | ||
RUN AVAILABLE_TERRAFORM_VERSIONS="1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why was the shell argument removed?
@@ -1,7 +1,3 @@ | |||
FROM ghcr.io/runatlantis/atlantis:latest | |||
COPY atlantis /usr/local/bin/atlantis |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the comments below, I don't think this image is needed anymore.
openssl>=1.1.1n | ||
|
||
# install conftest | ||
# renovate: datasource=github-releases depName=open-policy-agent/conftest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This renovate comment should be directly before the conftest line
@GenPage @jamengual could you folks give this one more review and please put in a follow up to address the above comments |
Also it looks like this pr was merged without approval. Im unsure how that happened. @lkysow please check repo settings when time permits. I think we need to remove pr approvers when new commits are pushed |
It appears that when runatlantis#3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
It appears that when runatlantis#3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
It appears that when runatlantis#3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
It appears that when runatlantis#3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
It appears that when runatlantis#3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
It appears that when #3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
* refactor: atlantis-image build pipeline and docker images Atlantis built and maintained two separate docker images, atlantis and atlantis-base. This made cutting releases cumbersome and had inefficiencies in the docker image layers. This PR condenses the workflow into a single job and Dockerfile once again by utilizing multi-stage builds more heavily and Docker build targeting. * fix: apply @nitrocode suggestions from code review * feat: hadolint * fix: DL4006 on go mod graph * fix: version regressions --------- Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>
It appears that when #3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
) * refactor: atlantis-image build pipeline and docker images Atlantis built and maintained two separate docker images, atlantis and atlantis-base. This made cutting releases cumbersome and had inefficiencies in the docker image layers. This PR condenses the workflow into a single job and Dockerfile once again by utilizing multi-stage builds more heavily and Docker build targeting. * fix: apply @nitrocode suggestions from code review * feat: hadolint * fix: DL4006 on go mod graph * fix: version regressions --------- Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>
It appears that when runatlantis#3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
) * refactor: atlantis-image build pipeline and docker images Atlantis built and maintained two separate docker images, atlantis and atlantis-base. This made cutting releases cumbersome and had inefficiencies in the docker image layers. This PR condenses the workflow into a single job and Dockerfile once again by utilizing multi-stage builds more heavily and Docker build targeting. * fix: apply @nitrocode suggestions from code review * feat: hadolint * fix: DL4006 on go mod graph * fix: version regressions --------- Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>
It appears that when runatlantis#3001 combined the Dockerfiles, the bit that adds the `atlantis` user was not added to the Debian build stage Also correct some trailing spaces and missing EOL in `docker-compose.yml`
Atlantis built and maintained two separate docker images, atlantis and atlantis-base. This made cutting releases cumbersome and had inefficiencies in the docker image layers.
This PR condenses the workflow into a single job and Dockerfile once again by utilizing multi-stage builds more heavily and Docker build targeting.
what
why
tests
DOCKER_BUILDKIT=1 docker build -f Dockerfile --platform linux/amd64 --target alpine -t atlanits-alpine .
DOCKER_BUILDKIT=1 docker build -f Dockerfile --platform linux/amd64 --target debian -t atlanits-debian .
references
~=
and>=
package constraints #2896