Proposal to refine docker deployment #1302
Triggered by my challenges using KeyTransparency's (KT's) docker-compose (#1300).
This is a proposal to streamline the use of docker-compose and the container images.
It will not (yet) work as-is.
0. CI|CD Key Transparency Server often unavailable
The CI|CD deployment rarely works and the KT server (
1. Go Modules
The use of Go Modules (appears to) cause problems with the docker-compose builds. The Dockerfiles were being referenced from
2. Disconnect KT and Trillian
Currently KT's docker-compose will rebuild Trillian images as needed. I think this is too strong a dependency and that -- ideally -- KT should reference "golden" images for the Trillian components through a repository, e.g.
3. Switch to Distroless
Trillian's images are built using Distroless. Recommend switching KT's. This reduces the resulting image sizes and -- as a consequence -- reduces the scope of vulnerabilities.
There is one downside to this. The
4. Sequencer configuration issue
@DazWilkin Thank you very much for giving the Docker files some much needed love.
@gdbelvin in issue #1300 I was receiving build errors. The error results from the build's context not having a
I suspect the break was either Modules being added to Trillian|KT, or KT's Dockerfiles being changed to root from