7780c3378b
- Replace raw k8s manifests with a full Helm chart (deploy/helm/) - Add CloudNativePG cluster with PostGIS extensions and hcloud-volumes storage - Add DragonflyDB (Redis-compatible) cache via operator CRD - Add migration Job as Helm pre-install/pre-upgrade hook - Add NetworkPolicy restricting ingress to nginx-gateway, egress to DB/cache/DNS/HTTPS - Add ServiceAccount with automountServiceAccountToken disabled - Use HTTPRoute (Gateway API) instead of Ingress to match cluster setup - Fix Dockerfile: explicit UID 65534, add golang-migrate CLI for migration Job - Update CI: push immutable SHA tags, deploy via helm upgrade --install --atomic
# Build stage: produces the API binary (/api) and the golang-migrate CLI
# (/go/bin/migrate). Nothing else from this stage reaches the final image.
FROM golang:1.25-alpine AS builder

RUN apk add --no-cache \
        ca-certificates \
        git

# golang-migrate CLI built with only the postgres driver tag (pure Go, no CGO
# needed). The module version is pinned exactly, so a rebuild fetches the same
# source.
RUN go install -tags postgres \
        github.com/golang-migrate/migrate/v4/cmd/migrate@v4.18.1

WORKDIR /app

# Module manifests go in before the rest of the source so the download layer
# is reused until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

# NOTE(review): this copies the whole build context into a builder layer;
# confirm a .dockerignore keeps .git, .env and similar files out of it.
COPY . .

# Statically linked (CGO disabled), stripped (-s -w) linux/amd64 binary.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -ldflags="-s -w" -o /api ./cmd/api
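# Runtime stage: Alpine base plus the API binary, the migrate CLI (used by the
# Helm migration Job) and the SQL migrations. No compiler or source is shipped.
# NOTE(review): consider pinning this tag by digest so the pulled base image
# cannot change underneath a rebuild.
FROM alpine:3.21

# CA bundle for outbound TLS and tzdata for time-zone lookups.
RUN apk add --no-cache ca-certificates tzdata

WORKDIR /app

# No --chown: the files stay owned by root, so the unprivileged runtime user
# below is not the owner of the binaries or the migrations.
COPY --from=builder /api .
COPY --from=builder /go/bin/migrate /usr/local/bin/migrate
COPY migrations/ ./migrations/

# UID/GID 65534 is the "nobody" account the Alpine base image already ships,
# and matches podSecurityContext.runAsUser. BusyBox adduser rejects a -u value
# that is already in use, so the previous `adduser -u 65534 nonroot` step is
# dropped rather than creating a second account on the same UID. The numeric
# form also lets Kubernetes runAsNonRoot verify the user without resolving a
# name from /etc/passwd.
# NOTE(review): nobody has no writable home directory; confirm the API does
# not depend on writing to $HOME.
USER 65534:65534

# Documentation only; an unprivileged port, so no extra capability is needed.
EXPOSE 8080

# Exec form: the API runs as PID 1 and receives SIGTERM directly.
ENTRYPOINT ["./api"]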