Use Poetry and UBI base image (#101)

Uses Red Hat Universal Base Image minimal base image and Python 3.9 instead. Dependencies and the app itself are installed using Poetry. Drops `cacert_url` image build variable because it can be replaced by overriding `REQUESTS_CA_BUNDLE` environment variable or mounting CA bundle as `/etc/pki/tls/certs/ca-bundle.crt`. Fixes any issues reported by Hadolint. Enables dependabot to update dependencies regularly on GitHub.
release-engineering · Feb 13, 2023 · 6300fe6 · 6300fe6
1 parent f671cf9
commit 6300fe6
Show file tree

Hide file tree

Showing 21 changed files with 1,213 additions and 292 deletions.
diff --git a/.copr/Makefile b/.copr/Makefile
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,8 @@
+.git/
+.tox/
+.*_cache/
+__pycache__/
+dist/
+htmlcov/
+*.egg-info/
+Dockerfile
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
diff --git a/.github/workflows/gating.yaml b/.github/workflows/gating.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.6"]
+        python-version: ["3.9"]
 
     steps:
       - uses: actions/checkout@v3
@@ -30,9 +30,7 @@ jobs:
           pip install tox
 
       - name: Test with tox
-        run: |
-          PY=py$(echo ${{ matrix.python-version }} | tr -d ".")
-          tox -e ${PY}
+        run: tox -e py
 
       - name: Run coveralls-python
         env:
@@ -59,6 +57,35 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  linters:
+    name: Linters
+    strategy:
+      matrix:
+        tox_env:
+          - bandit
+          - black
+          - lint
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install libkrb5-dev
+          python -m pip install --upgrade pip
+          pip install tox
+
+      - name: Test '${{ matrix.tox_env }}' with tox
+        run: tox -e ${{ matrix.tox_env }}
+
   hadolint:
     name: Hadolint
     runs-on: ubuntu-latest
@@ -88,7 +115,7 @@ jobs:
       GH_REGISTRY: ghcr.io/${{ github.actor }}
     strategy:
       matrix:
-        python-version: ["3.6"]
+        python-version: ["3.9"]
 
     steps:
       - uses: actions/checkout@v3
@@ -98,6 +125,14 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry tox
+
+      - name: Update the Application Version
+        run: poetry version "$(./get-version.sh)"
+
       - name: Get image tag from git branch
         id: get-image-tag
         run: |
@@ -114,6 +149,8 @@ jobs:
             ${{ github.ref == 'refs/heads/master' && 'latest' || '' }}
             ${{ github.sha }}
           containerfiles: Dockerfile
+          build-args: |
+            GITHUB_SHA=${{ github.sha }}
 
       - name: Log in to the image registry
         if: github.event_name == 'push' && github.actor != 'dependabot[bot]'

diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,8 @@
 .tox
 /.cache
 .coverage
+coverage.xml
+htmlcov
 build/*
 dist/*
 doc/build/*

diff --git a/.tito/packages/.readme b/.tito/packages/.readme
diff --git a/.tito/packages/product-listings-manager b/.tito/packages/product-listings-manager
diff --git a/.tito/templates/__init__.py.in b/.tito/templates/__init__.py.in
diff --git a/.tito/tito.props b/.tito/tito.props
diff --git a/Dockerfile b/Dockerfile
@@ -1,49 +1,82 @@
-FROM registry.fedoraproject.org/fedora:36
+FROM registry.access.redhat.com/ubi8/ubi:8.7 as builder
+
+# hadolint ignore=DL3033,DL4006,SC2039,SC3040
+RUN set -exo pipefail \
+    && mkdir -p /mnt/rootfs \
+    # install builder dependencies
+    && yum install -y \
+        --setopt install_weak_deps=false \
+        --nodocs \
+        gcc \
+        krb5-devel \
+        python39 \
+        python39-devel \
+    # install runtime dependencies
+    && yum install -y \
+        --installroot=/mnt/rootfs \
+        --releasever=8 \
+        --setopt install_weak_deps=false \
+        --nodocs \
+        python39 \
+    && yum --installroot=/mnt/rootfs clean all \
+    && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \
+    # https://python-poetry.org/docs/master/#installing-with-the-official-installer
+    && curl -sSL https://install.python-poetry.org | python3 - \
+    && python3 -m venv /venv
+
+ENV \
+    PIP_DEFAULT_TIMEOUT=100 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONHASHSEED=random \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /build
+COPY . .
+# hadolint ignore=SC1091
+RUN set -ex \
+    && export PATH=/root/.local/bin:$PATH \
+    && . /venv/bin/activate \
+    && pip install --no-cache-dir -r requirements.txt \
+    && poetry build --format=wheel \
+    && version=$(poetry version --short) \
+    && pip install --no-cache-dir dist/product_listings_manager-"$version"-py3*.whl \
+    && deactivate \
+    && mv /venv /mnt/rootfs \
+    && mkdir -p /mnt/rootfs/src/docker \
+    && cp -v docker/docker-entrypoint.sh /mnt/rootfs/src/docker
+
+# --- Final image
+FROM scratch
+ARG GITHUB_SHA
 LABEL \
     name="product-listings-manager" \
     vendor="product-listings-manager developers" \
+    summary="Product Listings Manager application" \
+    description="HTTP API for finding product listings and interacting with data in composedb." \
+    maintainer="Red Hat, Inc." \
     license="MIT" \
-    build-date=""
+    url="https://github.com/release-engineering/product-listings-manager" \
+    vcs-type="git" \
+    vcs-ref=$GITHUB_SHA \
+    io.k8s.display-name="Product Listings Manager"
 
-RUN yum -y install \
-        --setopt=install_weak_deps=false \
-        --setopt=tsflags=nodocs \
-        git-core \
-        python3 \
-        python3-flask \
-        python3-flask-restful \
-        python3-flask-sqlalchemy \
-        python3-gunicorn \
-        python3-koji \
-        python3-pip \
-        python3-psycopg2 \
-        python3-sqlalchemy
+ENV \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONHASHSEED=random \
+    PYTHONUNBUFFERED=1 \
+    WEB_CONCURRENCY=8
 
-WORKDIR /var/www/product-listings-manager
-
-# Restore working tree from current git commit in container.
-COPY .git .git
-RUN git reset --hard HEAD \
-    && git checkout HEAD
-
-# Clean up.
-RUN yum -y remove git-core \
-    && yum -y clean all \
-    && rm -rf /var/cache/yum \
-    && rm -rf /tmp/*
-
-ARG cacert_url
-RUN if [ -n "$cacert_url" ]; then \
-        cd /etc/pki/ca-trust/source/anchors \
-        && curl -O --insecure $cacert_url \
-        && update-ca-trust extract; \
-    fi
+COPY --from=builder /mnt/rootfs/ /
+COPY --from=builder /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
+WORKDIR /src
 
 USER 1001
-EXPOSE 5000
-
-ENTRYPOINT [ \
-    "/usr/bin/gunicorn-3", \
+EXPOSE 8080
+ENTRYPOINT ["/src/docker/docker-entrypoint.sh"]
+CMD [ \
+    "gunicorn", \
     "--bind=0.0.0.0:5000", \
     "--access-logfile=-", \
     "--enable-stdio-inheritance", \

diff --git a/MANIFEST.in b/MANIFEST.in
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+. /venv/bin/activate
+exec "$@"
diff --git a/get-version.sh b/get-version.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -eu
+
+if [[ $GITHUB_REF =~ ^ref/tags/v ]]; then
+    echo "${GITHUB_REF#refs/tags/v}"
+else
+    last_version=$(poetry version --short)
+    echo "$last_version+git.${GITHUB_SHA:0:7}"
+fi