From bb162ea88e6214efc0718cb4f13dff40b5d3f4f3 Mon Sep 17 00:00:00 2001
From: Daniel Freiling
Date: Mon, 26 Aug 2024 17:21:31 +0200
Subject: [PATCH] chor: update docker image for production use
production image must be built manually
production cert must be mounted at runtime
---
 .dockerignore | 3 ++-
 .gitignore | 2 +-
 ci/Dockerfile | 17 +++++++++++------
 ci/README.md | 4 ++--
 ci/build.sh | 2 +-
 ci/helm-chart/config/config.yaml.tpl | 4 ++--
 test/config.yaml | 20 ++++++++++----------
 7 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index d70b1984..f4f8a411 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,3 @@
 ci
-!ci/htpasswd
+!test/.htpasswd
+!license/libuserkey.a
diff --git a/.gitignore b/.gitignore
index e0b83238..5ebeff7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,7 +12,7 @@ debug
 *.yaml
 !test/config.yaml
 !test/config.localhost.yaml
-!ci/htpasswd
+!test/.htpasswd
 !ci/**/*.yaml
 **/manage/config.js
 frontend/manage/node_modules/*
diff --git a/ci/Dockerfile b/ci/Dockerfile
index 6dff5f65..8e3c35be 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -1,7 +1,7 @@
 ###############
 # Build image #
 ###############
-FROM --platform=$BUILDPLATFORM golang:1.22-alpine as builder
+FROM golang:1.22-bookworm as builder
 WORKDIR /lcp
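Review bot: `FROM golang:1.22-bookworm as builder` keeps the lowercase `as` keyword, which BuildKit's build check reports as FromAsCasing; the same applies to `as runtime-lcp` in the next hunk, so `FROM golang:1.22-bookworm AS builder` and `FROM debian:bookworm-slim AS runtime-lcp` would match the uppercase instruction style of the rest of the file. Since the commit message says this image is built manually for production, neither base tag is pinned by digest, so two manual builds from the same commit can pick up different base layers; a `@sha256:` digest on both `FROM` lines (value taken from the registry at pin time) would make the production build reproducible. Dropping `--platform=$BUILDPLATFORM` together with the fixed `GOOS`/`GOARCH` in the next hunk means the builder now only targets amd64, which is consistent with the build.sh change but worth a one-line comment above the `FROM`, e.g. `# amd64-only build; see ci/build.sh`.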
@@ -9,27 +9,30 @@ COPY . /lcp/.
 ENV GOPATH=/lcp/build
-RUN apk add build-base
+RUN apt-get update && apt-get -y install build-essential && apt-get clean
 # Needed for sqlite3 lib
 ENV CGO_CFLAGS="-D_LARGEFILE64_SOURCE"
+ENV CGO_ENABLED=1
+ENV GOOS=linux
+ENV GOARCH=amd64
-RUN CGO_ENABLED=1 go build -o $GOPATH/bin/ ./lcpserver
+RUN go build -o $GOPATH/bin/ ./lcpserver
 RUN go build -o $GOPATH/bin/ ./lsdserver
 RUN go build -o $GOPATH/bin/ ./lcpencrypt
 #######################
 # Runtime image (LCP) #
 #######################
-FROM alpine:latest as runtime-lcp
+FROM debian:bookworm-slim as runtime-lcp
 LABEL org.opencontainers.image.source https://github.com/notalib/readium-lcp-server
 WORKDIR /app
 # Add non-root user
 ARG UID=1001
 ARG GID=1001
-RUN addgroup --gid $GID app && \
- adduser --disabled-password -G app --uid $UID lcp
+RUN groupadd --gid $GID app && \
+ adduser --disabled-password -gid $GID --uid $UID lcp
 RUN mkdir -p /data/db && \
 mkdir -p /data/files && chown -R $UID:$GID /data
@@ -43,6 +46,8 @@ COPY test/cert/privkey-edrlab-test.pem /app/cert/edrlab.key
 COPY test/config.localhost.yaml /app/config.yaml
 COPY test/.htpasswd /app/.htpasswd
+# RUN ls -al /app && sleep 600
 # Run as non-root LCP user
 USER lcp
diff --git a/ci/README.md b/ci/README.md
index 63e3f7b0..15861949 100644
--- a/ci/README.md
+++ b/ci/README.md
@@ -22,13 +22,13 @@ docker compose up -d
 Simple config for local testing. Assumes you will expose ports 8989-8990 on localhost.
 #### htpasswd
-Placeholder htpasswd is just `admin` as username and `Test1234` as password.
+Placeholder .htpasswd is just `admin` as username and `Test1234` as password.
 ### Overriding with volumes
 You should not run the default config in production. To change the config, simply use volume mounts to override the following files:
 * `/app/config.yaml`
-* `/app/htpasswd`
+* `/app/.htpasswd`
 * `/app/certs`
 Basically the config.yaml decides the location of all other files and which ports to use, so modify it wisely.
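Review bot: The new `RUN apt-get update && apt-get -y install build-essential && apt-get clean` in the builder stage leaves the package index under `/var/lib/apt/lists` in the layer and pulls in recommended packages; the usual form is `RUN apt-get update && apt-get install -y --no-install-recommends build-essential && rm -rf /var/lib/apt/lists/*`. In the runtime stage, `adduser --disabled-password -gid $GID --uid $UID lcp` spells the group option with a single dash; the documented Debian spelling is `--gid`, and without `--gecos ""` adduser tends to try to prompt for the user-info fields, which only passes because the build has no tty, so `adduser --disabled-password --gecos "" --gid $GID --uid $UID lcp` is the explicit non-interactive form. Both base images are now tagged rather than `:latest`, which is an improvement; the `LABEL` line still uses the legacy space-separated form, but that is context, not new code. The runtime stage continues past the end of this hunk.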
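Review bot: `+# RUN ls -al /app && sleep 600` is a commented-out debugging step left in the runtime stage and should be dropped before this lands. The surrounding context also shows that the final image still copies `test/cert/privkey-edrlab-test.pem` to `/app/cert/edrlab.key` and `test/.htpasswd` to `/app/.htpasswd` (whose placeholder credentials this same patch documents in ci/README.md); volume-mounting the production cert and htpasswd over those paths at runtime, as the commit message describes, hides them in the container but leaves the test key and placeholder credentials readable in the image layer. For an image intended for production I would keep these test files out of the runtime stage, for example behind a build `ARG` that defaults to the test layout, or document in a comment above the `COPY` lines that the pushed production image must be built with them replaced. The stage's `ENTRYPOINT`/`CMD` lie outside this hunk.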
diff --git a/ci/build.sh b/ci/build.sh
index 336e1d77..866fc9d7 100755
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -2,4 +2,4 @@
 # Helper script for building all images for multiple architectures
 # NOTE: May not be possible on all types of machines
-docker buildx bake --set *.platform=linux/amd64,linux/arm64
+docker buildx bake --set '*.platform=linux/amd64'
diff --git a/ci/helm-chart/config/config.yaml.tpl b/ci/helm-chart/config/config.yaml.tpl
index c49dab13..70d8b99b 100644
--- a/ci/helm-chart/config/config.yaml.tpl
+++ b/ci/helm-chart/config/config.yaml.tpl
@@ -29,8 +29,8 @@ storage:
 {{- end }}
 certificate:
 # theses test certificates are provided in the test/cert folder of the codebase
- cert: "/app/cert/{{ .Values.certName }}.crt"
- private_key: "/app/cert/{{ .Values.certName }}.key"
+ cert: "/app/cert/{{ .Values.production.certName }}.crt"
+ private_key: "/app/cert/{{ .Values.production.certName }}.key"
 license:
 links:
 # leave the url as-is (after has been resolved)
diff --git a/test/config.yaml b/test/config.yaml
index 190a532f..5efa6bb5 100644
--- a/test/config.yaml
+++ b/test/config.yaml
@@ -13,7 +13,7 @@ lcp:
 # the public url a client app will use to access the License Server (optional)
 public_base_url: "http://:"
-lcp_update_auth:
+lcp_update_auth:
 # login and password used by the Status Server to access the License Server
 username: ""
 password: ""
@@ -21,7 +21,7 @@ lcp_update_auth:
 lsd:
 # the public url a client app will use to access the Status Server
 public_base_url: "https://"
-lsd_notify_auth:
+lsd_notify_auth:
 # login and password used by the License Server to access the Status Server
 username: ""
 password: ""
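Review bot: The header comment `# Helper script for building all images for multiple architectures` is now inaccurate, since the changed line builds only `linux/amd64`; the line above the command should say so, e.g. `# Helper script for building all images (linux/amd64 only; matches GOARCH in ci/Dockerfile)`. The quoting of `'*.platform=linux/amd64'` is a correct fix on its own, as the unquoted `*` could previously be expanded by the shell against files in the working directory.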
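Review bot: `cert: "/app/cert/{{ .Values.production.certName }}.crt"` and the `private_key` line below it render to `/app/cert/.crt` and `/app/cert/.key` when `production.certName` is unset in the chart values, so a misconfigured release fails only at pod start (or later) instead of at template time. Wrapping the value with Helm's `required` function, `{{ required "production.certName must be set" .Values.production.certName }}`, on both lines makes the render fail with a clear message. The comment `# theses test certificates are provided in the test/cert folder of the codebase` above them now contradicts the `production` key and has a typo; `# production certificate; mounted into /app/cert at runtime, see .Values.production.certName` would describe the new contract. Whether `values.yaml` already defines `production.certName` is not visible in this patch.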
@@ -33,10 +33,10 @@ profile: "basic"
 lcp:
 # the port on which the License Server will be running
 port:
- # replace this dsn if you're not using SQLite
+ # replace this dsn if you're not using SQLite
 database: "sqlite3://file:/db/lcp.sqlite?cache=shared&mode=rwc"
 # authentication file of the License Server. Here we use the same file for the License Server and Status Server
- auth_file: "/config/htpasswd"
+ auth_file: "/config/.htpasswd"
 # uncomment if lcpencrypt does not manage the storage of encrypted publications
 #storage:
 # filesystem:
@@ -48,7 +48,7 @@ certificate:
 license:
 links:
 # leave the url as-is (after has been resolved)
- status: "http:///licenses/{license_id}/status"
+ status: "http:///licenses/{license_id}/status"
 # the url of a REAL html page, that indicates how the user can get back his passphrase if forgotten
 hint: ""
@@ -58,13 +58,13 @@ license:
 lsd:
 # the port on which the Status Server will be running
 port:
- # replace this dsn if you're not using SQLite
+ # replace this dsn if you're not using SQLite
 database: "sqlite3:///db/lsd.sqlite?cache=shared&mode=rwc"
 # authentication file of the Status Server. Here we use the same file for the License Server and Status Server
- auth_file: "/config/htpasswd"
- # in this example, the License Gateway is developed so that adding a license id
- # to the host name gives access to a fresh license.
- # Keep {license_id} as-is; this is a template.
+ auth_file: "/config/.htpasswd"
+ # in this example, the License Gateway is developed so that adding a license id
+ # to the host name gives access to a fresh license.
+ # Keep {license_id} as-is; this is a template.
 # Read the doc to know more about how to develop a License Gateway.
 license_link_url: "http:///{license_id}"
 license_status: