Use Poetry and UBI 8.5 base image

Uses Red Hat Universal Base Image 8.5 minimal base image and Python 3.9 instead. Dependencies and the app itself are installed using Poetry. Drops `cacert_url` image build variable because it can be replaced by overriding `REQUESTS_CA_BUNDLE` environment variable or mounting CA bundle as `/etc/pki/tls/certs/ca-bundle.crt`. Fixes any issues reported by Hadolint. Enables dependabot to update dependencies regularly on GitHub.
release-engineering · Oct 25, 2022 · 76b059e · 76b059e
1 parent f671cf9
commit 76b059e
Show file tree

Hide file tree

Showing 18 changed files with 967 additions and 290 deletions.
diff --git a/.copr/Makefile b/.copr/Makefile
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,8 @@
+.git/
+.tox/
+.*_cache/
+__pycache__/
+dist/
+htmlcov/
+*.egg-info/
+Dockerfile
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
diff --git a/.github/workflows/gating.yaml b/.github/workflows/gating.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.6"]
+        python-version: ["3.9"]
 
     steps:
       - uses: actions/checkout@v3
@@ -30,9 +30,7 @@ jobs:
           pip install tox
 
       - name: Test with tox
-        run: |
-          PY=py$(echo ${{ matrix.python-version }} | tr -d ".")
-          tox -e ${PY}
+        run: tox -e py
 
       - name: Run coveralls-python
         env:
@@ -59,6 +57,33 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  linters:
+    name: Linters
+    strategy:
+      matrix:
+        tox_env:
+          - bandit
+          - black
+          - lint
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install tox
+
+      - name: Test '${{ matrix.tox_env }}' with tox
+        run: tox -e ${{ matrix.tox_env }}
+
   hadolint:
     name: Hadolint
     runs-on: ubuntu-latest
@@ -88,7 +113,7 @@ jobs:
       GH_REGISTRY: ghcr.io/${{ github.actor }}
     strategy:
       matrix:
-        python-version: ["3.6"]
+        python-version: ["3.9"]
 
     steps:
       - uses: actions/checkout@v3
@@ -98,6 +123,14 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry tox tox-gh-actions
+
+      - name: Update the Application Version
+        run: poetry version "$(./get-version.sh)"
+
       - name: Get image tag from git branch
         id: get-image-tag
         run: |
@@ -114,6 +147,8 @@ jobs:
             ${{ github.ref == 'refs/heads/master' && 'latest' || '' }}
             ${{ github.sha }}
           containerfiles: Dockerfile
+          build-args: |
+            GITHUB_SHA=${{ github.sha }}
 
       - name: Log in to the image registry
         if: github.event_name == 'push' && github.actor != 'dependabot[bot]'

diff --git a/.tito/packages/.readme b/.tito/packages/.readme
diff --git a/.tito/packages/product-listings-manager b/.tito/packages/product-listings-manager
diff --git a/.tito/templates/__init__.py.in b/.tito/templates/__init__.py.in
diff --git a/.tito/tito.props b/.tito/tito.props
diff --git a/Dockerfile b/Dockerfile
@@ -1,49 +1,82 @@
-FROM registry.fedoraproject.org/fedora:36
+FROM registry.access.redhat.com/ubi8/ubi:8.5 as builder
+
+# hadolint ignore=DL3033,DL4006,SC2039,SC3040
+RUN set -exo pipefail \
+    && mkdir -p /mnt/rootfs \
+    # install builder dependencies
+    && yum install -y \
+        --setopt install_weak_deps=false \
+        --nodocs \
+        gcc \
+        krb5-devel \
+        python39 \
+        python39-devel \
+    # install runtime dependencies
+    && yum install -y \
+        --installroot=/mnt/rootfs \
+        --releasever=8 \
+        --setopt install_weak_deps=false \
+        --nodocs \
+        python39 \
+    && yum --installroot=/mnt/rootfs clean all \
+    && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \
+    # https://python-poetry.org/docs/master/#installing-with-the-official-installer
+    && curl -sSL https://install.python-poetry.org | python3 - \
+    && python3 -m venv /venv
+
+ENV \
+    PIP_DEFAULT_TIMEOUT=100 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONHASHSEED=random \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /build
+COPY . .
+# hadolint ignore=SC1091
+RUN set -ex \
+    && export PATH=/root/.local/bin:$PATH \
+    && . /venv/bin/activate \
+    && pip install --no-cache-dir -r requirements.txt \
+    && poetry build --format=wheel \
+    && version=$(poetry version --short) \
+    && pip install --no-cache-dir dist/product_listings_manager-"$version"-py3*.whl \
+    && deactivate \
+    && mv /venv /mnt/rootfs \
+    && mkdir -p /mnt/rootfs/src/docker \
+    && cp -v docker/docker-entrypoint.sh /mnt/rootfs/src/docker
+
+# --- Final image
+FROM scratch
+ARG GITHUB_SHA
 LABEL \
     name="product-listings-manager" \
     vendor="product-listings-manager developers" \
+    summary="Product Listings Manager application" \
+    description="HTTP API for finding product listings and interacting with data in composedb." \
+    maintainer="Red Hat, Inc." \
     license="MIT" \
-    build-date=""
+    url="https://github.com/release-engineering/product-listings-manager" \
+    vcs-type="git" \
+    vcs-ref=$GITHUB_SHA \
+    io.k8s.display-name="Product Listings Manager"
 
-RUN yum -y install \
-        --setopt=install_weak_deps=false \
-        --setopt=tsflags=nodocs \
-        git-core \
-        python3 \
-        python3-flask \
-        python3-flask-restful \
-        python3-flask-sqlalchemy \
-        python3-gunicorn \
-        python3-koji \
-        python3-pip \
-        python3-psycopg2 \
-        python3-sqlalchemy
+ENV \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONHASHSEED=random \
+    PYTHONUNBUFFERED=1 \
+    WEB_CONCURRENCY=8
 
-WORKDIR /var/www/product-listings-manager
-
-# Restore working tree from current git commit in container.
-COPY .git .git
-RUN git reset --hard HEAD \
-    && git checkout HEAD
-
-# Clean up.
-RUN yum -y remove git-core \
-    && yum -y clean all \
-    && rm -rf /var/cache/yum \
-    && rm -rf /tmp/*
-
-ARG cacert_url
-RUN if [ -n "$cacert_url" ]; then \
-        cd /etc/pki/ca-trust/source/anchors \
-        && curl -O --insecure $cacert_url \
-        && update-ca-trust extract; \
-    fi
+COPY --from=builder /mnt/rootfs/ /
+COPY --from=builder /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
+WORKDIR /src
 
 USER 1001
-EXPOSE 5000
-
-ENTRYPOINT [ \
-    "/usr/bin/gunicorn-3", \
+EXPOSE 8080
+ENTRYPOINT ["/src/docker/docker-entrypoint.sh"]
+CMD [ \
+    "gunicorn", \
     "--bind=0.0.0.0:5000", \
     "--access-logfile=-", \
     "--enable-stdio-inheritance", \

diff --git a/MANIFEST.in b/MANIFEST.in
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+if [ -z "$GREENWAVE_CONFIG"]; then
+    if [ -f /etc/greenwave/settings.py ]; then
+        export GREENWAVE_CONFIG=/etc/greenwave/settings.py
+    elif [ -f /src/conf/settings.py ]; then
+        export GREENWAVE_CONFIG=/src/conf/settings.py
+    else
+        export GREENWAVE_CONFIG=/src/conf/settings.py.example
+    fi
+fi
+
+if [ -z "$GREENWAVE_SUBJECT_TYPES_DIR"]; then
+    if [ -d /etc/greenwave/subject_types ]; then
+        export GREENWAVE_SUBJECT_TYPES_DIR=/etc/greenwave/subject_types
+    else
+        export GREENWAVE_SUBJECT_TYPES_DIR=/src/conf/subject_types
+    fi
+fi
+
+if [ -z "$GREENWAVE_POLICIES_DIR"]; then
+    if [ -d /etc/greenwave/policies ]; then
+        export GREENWAVE_POLICIES_DIR=/etc/greenwave/policies
+    else
+        export GREENWAVE_POLICIES_DIR=/src/conf/policies
+    fi
+fi
+
+. /venv/bin/activate
+exec "$@"
diff --git a/get-version.sh b/get-version.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# SPDX-License-Identifier: GPL-2.0+
+
+# Prints the current version based on the current git revision.
+
+set -e
+
+name=greenwave
+
+if [[ -n "$GITHUB_SHA" ]]; then
+    if [[ $GITHUB_REF =~ ^ref/tags/$name- ]]; then
+        echo "${GITHUB_REF#refs/tags/$name-}"
+    else
+        last_version=$(poetry version --short)
+        echo "$last_version+git.${GITHUB_SHA:0:7}"
+    fi
+    exit
+fi
+
+if [ "$(git tag | wc -l)" -eq 0 ] ; then
+    # never been tagged since the project is just starting out
+    lastversion="0.0"
+    revbase=""
+else
+    lasttag="$(git describe --abbrev=0 HEAD)"
+    lastversion="${lasttag##${name}-}"
+    revbase="^$lasttag"
+fi
+if [ "$(git rev-list $revbase HEAD | wc -l)" -eq 0 ] ; then
+    # building a tag
+    version="$lastversion"
+else
+    # git builds count as a pre-release of the next version
+    version="$lastversion"
+    version="${version%%[a-z]*}" # strip non-numeric suffixes like "rc1"
+    # increment the last portion of the version
+    version="${version%.*}.$((${version##*.} + 1))"
+    commitcount=$(git rev-list $revbase HEAD | wc -l)
+    commitsha=$(git rev-parse --short HEAD)
+    version="${version}.dev${commitcount}+git.${commitsha}"
+fi
+
+echo $version