diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 2dcf360c..685278ed 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,10 +1,7 @@
 {
 "name": "gateway-api-build-container",
 "build": {
- "dockerfile": "../infrastructure/images/build-container/Dockerfile",
- "args": {
- "INCLUDE_DEV_CERTS": "true"
- }
+ "dockerfile": "../infrastructure/images/build-container/Dockerfile"
 },
 "customizations": {
 "vscode": {
diff --git a/.vscode/cspell-dictionary.txt b/.vscode/cspell-dictionary.txt
index 85932785..a8e45c77 100644
--- a/.vscode/cspell-dictionary.txt
+++ b/.vscode/cspell-dictionary.txt
@@ -1,8 +1,25 @@
+addgroup
+adduser
 asid
+buildx
+chsh
+doas
 fhir
 getstructuredrecord
 GPCAPIM
 gpconnect
-searchset
+linters
+musllinux
+nonroot
+nopass
+pipx
 proxygen
+pyenv
+PYTHONPATH
+searchset
+tfstate
+tfvars
 usefixtures
+usermod
+virtualenv
+zstd
diff --git a/Makefile b/Makefile
index 16da7fd5..198e2aa3 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,6 @@ endif
 IMAGE_NAME := ${IMAGE_REPOSITORY}:${IMAGE_TAG}
 COMMIT_VERSION := $(shell git rev-parse --short HEAD)
 BUILD_DATE := $(shell date -u +"%Y%m%d")
-INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED}
 # ==============================================================================
 # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
@@ -42,25 +41,13 @@ build-gateway-api: dependencies
 @rm -rf ../infrastructure/images/gateway-api/resources/build/
 @mkdir ../infrastructure/images/gateway-api/resources/build/
 @cp -r ./target/gateway-api ../infrastructure/images/gateway-api/resources/build/
- # If dev certificates are present inside the dev container, copy them into
- # the gateway-api image build context so they can be installed there too.
- @if [ -d "/resources/dev-certificates" ]; then \
- rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates; \
- mkdir -p ../infrastructure/images/gateway-api/resources/dev-certificates; \
- cp -r /resources/dev-certificates/* ../infrastructure/images/gateway-api/resources/dev-certificates/; \
- fi
 # Remove temporary build artefacts once build has completed
 @rm -rf target && rm -rf dist
 .PHONY: build
 build: build-gateway-api # Build the project artefact @Pipeline
 @echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..."
- @if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \
- echo "building with dev certs ..." ; \
- $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS} -t ${IMAGE_NAME} infrastructure/images/gateway-api
- else \
- $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
- fi
+ $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
 @echo "Docker image '${IMAGE_NAME}' built successfully!"
 publish: # Publish the project artefact @Pipeline
@@ -99,11 +86,6 @@ stop:
 @$(docker) stop gateway-api || echo "No Gateway API container currently running."
 config:: # Configure development environment (main) @Configuration
- # Configure poetry to trust dev certificate if specified
- @if [[ -n "$${DEV_CERTS_INCLUDED}" ]]; then \
- echo "Configuring poetry to trust the dev certificate..." ; \
- poetry config certificates.PyPI.cert /etc/ssl/cert.pem ; \
- fi
 make _install-dependencies
 # ==============================================================================
diff --git a/README.md b/README.md
index a237a767..b7d88fe0 100644
--- a/README.md
+++ b/README.md
@@ -109,8 +109,6 @@ The project is configured to run inside a [Dev Container](https://containers.dev
 The dev container sits on the same network, `gateway-local`, as [the `gateway-api` container](infrastructure/README.md#docker-images), if deployed. Docker DNS will resolve to the deployed Gateway API.
 > [!NOTE]
-> **Certificates:** If additional certificates are needed, add them to `infrastructure/images/build-container/resources/dev-certificates` and set the `INCLUDE_DEV_CERTS` Docker build argument to `true`.
->
 > **WSL users:** Configure the Dev Containers extension with `{"dev.containers.executeInWSL": true}`, clone the repository into the WSL filesystem, connect VS Code to WSL first, then open the repository folder and build the container.
 ### Prerequisites
diff --git a/infrastructure/README.md b/infrastructure/README.md
index 4994b8ec..dd92267a 100644
--- a/infrastructure/README.md
+++ b/infrastructure/README.md
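Review bot: Removing the `rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates` step leaves nothing that clears that directory, while the gateway-api Dockerfile still performs an unconditional `COPY resources/ /resources`, so any certificates a developer placed there under the old workflow would keep being copied into every image layer. I would keep one cleanup line in `build-gateway-api`, directly after the existing `@rm -rf ../infrastructure/images/gateway-api/resources/build/`: `@rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates`, and also list that path in the image's `.dockerignore` if it is not already there (not visible in this diff). Whether the directory is git-tracked or present on developer machines cannot be confirmed from what is shown. The `build-gateway-api` recipe begins before this hunk.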
@@ -33,7 +33,7 @@ The `preview/` environment creates an isolated, per-branch deployment of the Gat
 Key input variables:
 | Variable | Description | Default |
-|---|---|---|
+| --- | --- | --- |
 | `branch_name` | Git branch name — used to derive the hostname and resource names | *(required)* |
 | `image_tag` | Docker image tag to deploy; defaults to `branch_name` if empty | `""` |
 | `base_domain` | Base domain for the preview URL | `dev.endpoints.clinical-data-gateway.national.nhs.uk` |
@@ -70,7 +70,6 @@ A dev container image used by CI/CD pipelines, based on the VS Code Alpine base
 - Python (via asdf)
 - Docker CLI and Buildx
 - Linters and checkers: vale, hadolint (via npm/markdownlint), ShellCheck
-- Development certificate support for machines behind corporate proxies
 ## Terraform Operations
diff --git a/infrastructure/images/build-container/Dockerfile b/infrastructure/images/build-container/Dockerfile
index 062b0569..798b3b8c 100644
--- a/infrastructure/images/build-container/Dockerfile
+++ b/infrastructure/images/build-container/Dockerfile
@@ -5,27 +5,10 @@ ENV PYTHON_VERSION="3.14"
 ENV ASDF_DOWNLOAD_URL="https://github.com/asdf-vm/asdf/releases/download/v0.18.0"
 ENV EDITORCONFIG_DOWNLOAD_URL="https://github.com/editorconfig-checker/editorconfig-checker/releases/download/v3.4.1"
-ARG INCLUDE_DEV_CERTS
-ARG DEV_CERT_FILENAME
-
-# Add development certificates to node if provided.
-ENV NODE_EXTRA_CA_CERTS=${INCLUDE_DEV_CERTS:+/etc/ssl/certs/ca-certificates.crt}
-ENV DEV_CERTS_INCLUDED=$INCLUDE_DEV_CERTS
-
 ENV IN_BUILD_CONTAINER=true
 COPY resources/ /resources
-# Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] ; then \
- cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
- update-ca-certificates; \
-
- cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
-else \
- rm -r /resources/dev-certificates; \
-fi
-
 RUN apk update && \
 apk add --no-cache --update bash \
 # Required to manage user permissions.
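Review bot: Dropping the `else rm -r /resources/dev-certificates` branch means the unconditional `COPY resources/ /resources` kept as context now ships whatever is left in `infrastructure/images/build-container/resources/dev-certificates/` into the image without ever installing it, which for a developer who followed the old README would put a private corporate CA file into an image layer. Unless that directory is excluded by `.dockerignore` (not visible here), I would delete it from the repository in this same commit or add `RUN rm -rf /resources/dev-certificates` straight after the COPY, and state the expectation above the COPY: `# Everything under resources/ is baked into the image — keep local certificates and secrets out of it.`. The `RUN apk update` instruction continues past the end of this hunk.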
@@ -52,20 +35,19 @@ RUN apk update && \
 readline-dev \
 sqlite-dev \
 tk-dev \
- zstd-dev
-
-# Configure doas to allow members of the wheel group to run commands as root.
-RUN echo "permit :wheel" >> /etc/doas.conf \
- && echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf \
- && echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf \
+ zstd-dev && \
+ # Configure doas to allow members of the wheel group to run commands as root.
+ echo "permit :wheel" >> /etc/doas.conf && \
+ echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf && \
+ echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf && \
 # Change default shell to bash for root user.
- && chsh -s /bin/bash root
+ chsh -s /bin/bash root
 # Ensure pyenv is on the PATH
 ENV PYENV_ROOT="/.pyenv"
 ENV PATH="$PYENV_ROOT/bin:$PATH"
-# Install Python (via pyenv) and intialize it.
+# Install Python (via pyenv) and initialize it.
 RUN curl --proto "=https" -fsSL https://pyenv.run | bash && \
 /.pyenv/bin/pyenv install ${PYTHON_VERSION} && \
 /.pyenv/bin/pyenv global ${PYTHON_VERSION} && \
@@ -80,7 +62,7 @@ ENV ASDF_DATA_DIR="/.asdf"
 RUN mkdir /asdf
 WORKDIR /asdf
-# If we're running on an arm64 architecture download the arm64 executeable.
+# If we're running on an arm64 architecture download the arm64 executable.
 RUN if [ "$(uname -m)" = "aarch64" ] ; then \
 echo "Installing ARM asdf executable..." && \
 wget -O asdf.tar.gz "$ASDF_DOWNLOAD_URL/asdf-v0.18.0-linux-arm64.tar.gz"; \
diff --git a/infrastructure/images/gateway-api/Dockerfile b/infrastructure/images/gateway-api/Dockerfile
index 1a5c94b2..00cf681f 100644
--- a/infrastructure/images/gateway-api/Dockerfile
+++ b/infrastructure/images/gateway-api/Dockerfile
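Review bot: The rewritten `permit nopass :wheel as root cmd docker` rule amounts to passwordless root for every wheel member, because the docker CLI can launch privileged containers or bind-mount the daemon host's filesystem, and the `permit :wheel` line above it already grants password-prompted root for everything else. If that is accepted for a disposable dev/CI container, the comment inside the RUN should say so, e.g. `# NOTE: nopass docker/apk is effectively passwordless root; acceptable only because this is a throw-away build container.`; otherwise drop the docker rule and grant socket access through group membership instead. Whether a host docker socket is mounted into this container is not visible in the diff. Also, the `# Configure doas …` line now sits inside a backslash-continued RUN, which works only because Docker strips `#` lines before joining continuations — worth a word in that comment so nobody "fixes" it into the shell command. The merged `RUN apk update` instruction starts before this hunk.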
@@ -2,21 +2,9 @@ ARG PYTHON_VERSION=invalid
 FROM python:${PYTHON_VERSION}-alpine3.23 AS gateway-api
-# Controls whether dev certificates (if present) are installed into this image.
-ARG INCLUDE_DEV_CERTS=false
-
 COPY resources/ /resources
-# Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \
- cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
- update-ca-certificates; \
- cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
- else \
- rm -rf /resources/dev-certificates || true; \
- fi && \
-
- apk upgrade --no-cache && \
+RUN apk upgrade --no-cache && \
 pip install --no-cache-dir --upgrade pip && \
 addgroup -S nonroot && \
 adduser -S gateway_api_user -G nonroot