chore: update webapp base image to use airbyte nginx image (#14687)

Co-authored-by: Alex Buchanan <[email protected]>

Author: colesnodgrass

airbyte-webapp/Dockerfile

@@ -1,20 +1,18 @@
-ARG NGINX_IMAGE=nginxinc/nginx-unprivileged:alpine3.20
+ARG NGINX_IMAGE=airbyte/nginx-unprivileged:alpine3.20-2
 FROM ${NGINX_IMAGE}
 
 ARG BUILD_DIR=bin/build
 ARG NGINX_CONFIG=bin/nginx/default.conf.template
 
 EXPOSE 8080
 
-USER root
+COPY --chown=nginx:nginx ${BUILD_DIR} /usr/share/nginx/html
+COPY --chown=nginx:nginx ${NGINX_CONFIG} /etc/nginx/templates/default.conf.template
 
-COPY ${BUILD_DIR} /usr/share/nginx/html
+USER root
 
 RUN <<EOF
 find /usr/share/nginx/html -type d -exec chmod 755 '{}' \; -o -type f -exec chmod 644 '{}' \;
-chown -R nginx:nginx /usr/share/nginx/html
 EOF
 
-COPY ${NGINX_CONFIG} /etc/nginx/templates/default.conf.template
-
 USER nginx:nginx

charts/airbyte/values.yaml

@@ -237,16 +237,13 @@ webapp:
 
   # -- Security context for the container
   podSecurityContext:
-    # gid=101(nginx)
-    fsGroup: 101
+    fsGroup: 1000
 
   containerSecurityContext:
     allowPrivilegeEscalation: false 
     runAsNonRoot: true
-    # uid=101(nginx)
-    runAsUser: 101
-    # gid=101(nginx)
-    runAsGroup: 101
+    runAsUser: 1000
+    runAsGroup: 1000
     readOnlyRootFilesystem: false
     capabilities:
       drop: ["ALL"]

charts/helm-tests/go.mod

@@ -3,8 +3,8 @@ module github.com/airbytehq/airbyte-platform-internal/oss/charts/helm-tests
 go 1.23.1
 
 require (
-	github.com/gruntwork-io/terratest v0.46.14
-	github.com/stretchr/testify v1.8.4
+	github.com/gruntwork-io/terratest v0.47.2
+	github.com/stretchr/testify v1.9.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.30.0
 	k8s.io/apimachinery v0.30.0

charts/helm-tests/go.sum

@@ -83,6 +83,8 @@ github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRa
 github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78=
 github.com/gruntwork-io/terratest v0.46.14 h1:nVT2JpOPLr7KbwOSNDP0GJffljH+Yu5833cwLorxRjs=
 github.com/gruntwork-io/terratest v0.46.14/go.mod h1:L/IHbj195wnjfIFpZYWUhjwA3jm4O6ehO//xz7NxN8o=
+github.com/gruntwork-io/terratest v0.47.2 h1:t6iWwsqJH7Gx0RwXleU/vjc+2c0JXRMdj3DxYXTBssQ=
+github.com/gruntwork-io/terratest v0.47.2/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
@@ -190,6 +192,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
 github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
 github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=

charts/v2/airbyte/values.yaml

@@ -472,16 +472,13 @@ webapp:
 
   # -- Security context for the container
   podSecurityContext:
-    # gid=101(nginx)
-    fsGroup: 101
+    fsGroup: 1000
 
   containerSecurityContext:
     allowPrivilegeEscalation: false 
     runAsNonRoot: true
-    # uid=101(nginx)
-    runAsUser: 101
-    # gid=101(nginx)
-    runAsGroup: 101
+    runAsUser: 1000
+    runAsGroup: 1000
     readOnlyRootFilesystem: false
     capabilities:
       drop: ["ALL"]

docker/Makefile

@@ -84,18 +84,36 @@ image.airbyte-mc: buildx.start
 			-f $(IMAGES_DIR)/airbyte-mc/Dockerfile . ; \
 	fi
 
-image.airbyte-nginx: ## Build the airbyte/nginx image
-image.airbyte-nginx: buildx.start
+image.airbyte-nginx-slim: ## Build the airbyte/nginx-unprivileged image
+image.airbyte-nginx-slim: buildx.start
+	@if [ "$(PUBLISH)" = "true" ]; then \
+		docker buildx build -t airbyte/nginx-alpine-slim:$(VERSION) \
+			--build-arg UID="1000" \
+			--build-arg GID="1000" \
+			--platform linux/amd64,linux/arm64 \
+			--push \
+			-f $(IMAGES_DIR)/airbyte-nginx/alpine-slim/Dockerfile $(IMAGES_DIR)/airbyte-nginx/alpine-slim/. ; \
+	else \
+		docker build -t airbyte/nginx-alpine-slim:$(VERSION) \
+			--build-arg UID="1000" \
+			--build-arg GID="1000" \
+			-f $(IMAGES_DIR)/airbyte-nginx/alpine-slim/Dockerfile $(IMAGES_DIR)/airbyte-nginx/alpine-slim/. ; \
+	fi
+
+image.airbyte-nginx-unprivileged: ## Build the airbyte/nginx-unprivileged image
+image.airbyte-nginx-unprivileged: buildx.start
 	@if [ "$(PUBLISH)" = "true" ]; then \
 		docker buildx build -t airbyte/nginx-unprivileged:$(VERSION) \
+			--build-arg IMAGE="airbyte/nginx-alpine-slim:1.27.2-alpine-slim-2" \
 			--build-arg UID="1000" \
 			--build-arg GID="1000" \
 			--platform linux/amd64,linux/arm64 \
 			--push \
-			-f $(IMAGES_DIR)/airbyte-nginx/Dockerfile . ; \
+			-f $(IMAGES_DIR)/airbyte-nginx/unprivileged/Dockerfile $(IMAGES_DIR)/airbyte-nginx/unprivileged/. ; \
 	else \
 		docker build -t airbyte/nginx-unprivileged:$(VERSION) \
+			--build-arg IMAGE="airbyte/nginx-alpine-slim:1.27.2-alpine-slim-2" \
 			--build-arg UID="1000" \
 			--build-arg GID="1000" \
-			-f $(IMAGES_DIR)/airbyte-nginx/Dockerfile . ; \
+			-f $(IMAGES_DIR)/airbyte-nginx/unprivileged/Dockerfile $(IMAGES_DIR)/airbyte-nginx/unprivileged/. ; \
 	fi

docker/airbyte-nginx/alpine-slim/10-listen-on-ipv6-by-default.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+entrypoint_log() {
+    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+        echo "$@"
+    fi
+}
+
+ME=$(basename "$0")
+DEFAULT_CONF_FILE="etc/nginx/conf.d/default.conf"
+
+# check if we have ipv6 available
+if [ ! -f "/proc/net/if_inet6" ]; then
+    entrypoint_log "$ME: info: ipv6 not available"
+    exit 0
+fi
+
+if [ ! -f "/$DEFAULT_CONF_FILE" ]; then
+    entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE is not a file or does not exist"
+    exit 0
+fi
+
+# check if the file can be modified, e.g. not on a r/o filesystem
+touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; }
+
+# check if the file is already modified, e.g. on a container restart
+grep -q "listen  \[::]\:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; }
+
+if [ -f "/etc/os-release" ]; then
+    . /etc/os-release
+else
+    entrypoint_log "$ME: info: can not guess the operating system"
+    exit 0
+fi
+
+entrypoint_log "$ME: info: Getting the checksum of /$DEFAULT_CONF_FILE"
+
+case "$ID" in
+    "debian")
+        CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3)
+        echo "$CHECKSUM  /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || {
+            entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
+            exit 0
+        }
+        ;;
+    "alpine")
+        CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2)
+        echo "$CHECKSUM  /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || {
+            entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
+            exit 0
+        }
+        ;;
+    *)
+        entrypoint_log "$ME: info: Unsupported distribution"
+        exit 0
+        ;;
+esac
+
+# enable ipv6 on default.conf listen sockets
+sed -i -E 's,listen       8080;,listen       8080;\n    listen  [::]:8080;,' /$DEFAULT_CONF_FILE
+
+entrypoint_log "$ME: info: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE"
+
+exit 0

docker/airbyte-nginx/alpine-slim/15-local-resolvers.envsh

@@ -0,0 +1,15 @@
+#!/bin/sh
+# vim:sw=2:ts=2:sts=2:et
+
+set -eu
+
+LC_ALL=C
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0
+
+NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf)
+
+NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"
+
+export NGINX_LOCAL_RESOLVERS

docker/airbyte-nginx/alpine-slim/20-envsubst-on-templates.sh

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+set -e
+
+ME=$(basename "$0")
+
+entrypoint_log() {
+  if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+    echo "$@"
+  fi
+}
+
+add_stream_block() {
+  local conffile="/etc/nginx/nginx.conf"
+
+  if grep -q -E "\s*stream\s*\{" "$conffile"; then
+    entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
+  else
+    # check if the file can be modified, e.g. not on a r/o filesystem
+    touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
+    entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
+    cat << END >> "$conffile"
+# added by "$ME" on "$(date)"
+stream {
+  include $stream_output_dir/*.conf;
+}
+END
+  fi
+}
+
+auto_envsubst() {
+  local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
+  local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
+  local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+  local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
+  local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
+  local filter="${NGINX_ENVSUBST_FILTER:-}"
+
+  local template defined_envs relative_path output_path subdir
+  defined_envs=$(printf '${%s} ' $(awk "END { for (name in ENVIRON) { print ( name ~ /${filter}/ ) ? name : \"\" } }" < /dev/null ))
+  [ -d "$template_dir" ] || return 0
+  if [ ! -w "$output_dir" ]; then
+    entrypoint_log "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
+    return 0
+  fi
+  find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
+    relative_path="${template#"$template_dir/"}"
+    output_path="$output_dir/${relative_path%"$suffix"}"
+    subdir=$(dirname "$relative_path")
+    # create a subdirectory where the template file exists
+    mkdir -p "$output_dir/$subdir"
+    entrypoint_log "$ME: Running envsubst on $template to $output_path"
+    envsubst "$defined_envs" < "$template" > "$output_path"
+  done
+
+  # Print the first file with the stream suffix, this will be false if there are none
+  if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
+    mkdir -p "$stream_output_dir"
+    if [ ! -w "$stream_output_dir" ]; then
+      entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
+      return 0
+    fi
+    add_stream_block
+    find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
+      relative_path="${template#"$template_dir/"}"
+      output_path="$stream_output_dir/${relative_path%"$stream_suffix"}"
+      subdir=$(dirname "$relative_path")
+      # create a subdirectory where the template file exists
+      mkdir -p "$stream_output_dir/$subdir"
+      entrypoint_log "$ME: Running envsubst on $template to $output_path"
+      envsubst "$defined_envs" < "$template" > "$output_path"
+    done
+  fi
+}
+
+auto_envsubst
+
+exit 0