refactor(atlantis-image): recombine with atlantis-base (#3001)

* refactor: atlantis-image build pipeline and docker images

Atlantis built and maintained two separate docker images, atlantis and
atlantis-base. This made cutting releases cumbersome and had
inefficiencies in the docker image layers.

This PR condenses the workflow into a single job and Dockerfile once
again by utilizing multi-stage builds more heavily and Docker build targeting.

* fix: apply @nitrocode suggestions from code review
* feat: hadolint
* fix: DL4006 on go mod graph
* fix: version regressions

---------

Co-authored-by: nitrocode <[email protected]>

Author: GenPage

.github/workflows/atlantis-base.yml

@@ -10,6 +10,7 @@ on:
   pull_request:
     paths:
       - 'Dockerfile'
+      - 'docker-entrypoint.sh'
       - '.github/workflows/atlantis-image.yml'
   workflow_dispatch:
 
@@ -32,6 +33,12 @@ jobs:
     steps:
     - uses: actions/checkout@v3
 
+    # Lint the Dockerfile first before setting anything up
+    - name: Lint Dockerfile
+      uses: hadolint/hadolint-action@master
+      with:
+        dockerfile: "Dockerfile"
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v2
       with:
@@ -56,6 +63,7 @@ jobs:
         images: |
           ${{ env.DOCKER_REPO }}
         labels: |
+          org.opencontainers.image.authors="Anubhav Mishra, Luke Kysow"
           org.opencontainers.image.licenses=Apache-2.0
         tags: |
           # semver
@@ -86,6 +94,22 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
+    # Publish dev image to container registry
+    - name: Build and push atlantis:dev${{ env.IMAGE_SUFFIX }} image
+      if: ${{ contains(fromJson('["push", "pull_request"]'), github.event_name) }}
+      uses: docker/build-push-action@v3
+      with:
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        context: .
+        platforms: linux/arm64/v8,linux/amd64,linux/arm/v7
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: |
+          ghcr.io/${{ github.repository_owner }}/atlantis:dev${{ env.IMAGE_SUFFIX }}
+          ghcr.io/${{ github.repository_owner }}/atlantis:dev-${{ matrix.image_type }}
+        target: ${{ matrix.image_type }}
+        labels: ${{ steps.meta.outputs.labels }}
+
     # Publish release to container registry
     - name: Populate release version
       if: contains(fromJson('["push", "pull_request"]'), github.event_name)
@@ -106,5 +130,6 @@ jobs:
         platforms: linux/arm64/v8,linux/amd64,linux/arm/v7
         push: ${{ env.PUSH }}
         tags: ${{ steps.meta.outputs.tags }}
+        target: ${{ matrix.image_type }}
         labels: ${{ steps.meta.outputs.labels }}
         outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}

.github/workflows/atlantis-image.yml

@@ -1,8 +1,9 @@
-ARG ATLANTIS_BASE=ghcr.io/runatlantis/atlantis-base
-ARG ATLANTIS_BASE_TAG_DATE=latest
-ARG ATLANTIS_BASE_TAG_TYPE=alpine
+# syntax=docker/dockerfile:1
+# what distro is the image being built for
+ARG ALPINE_TAG=3.17.1
+ARG DEBIAN_TAG=11.6-slim
 
-# Stage 1: build artifact
+# Stage 1: build artifact and download deps
 
 FROM golang:1.20.2-alpine AS builder
 
@@ -19,28 +20,102 @@ WORKDIR /app
 # https://github.com/montanaflynn/golang-docker-cache
 # https://github.com/golang/go/issues/27719
 COPY go.mod go.sum ./
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN go mod graph | awk '{if ($1 !~ "@") print $2}' | xargs go get
 
 COPY . /app
-
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     CGO_ENABLED=0 go build -trimpath -ldflags "-s -w -X 'main.version=${ATLANTIS_VERSION}' -X 'main.commit=${ATLANTIS_COMMIT}' -X 'main.date=${ATLANTIS_DATE}'" -v -o atlantis .
 
-# Stage 2
-# The runatlantis/atlantis-base is created by docker-base/Dockerfile
-FROM ${ATLANTIS_BASE}:${ATLANTIS_BASE_TAG_DATE}-${ATLANTIS_BASE_TAG_TYPE} AS base
+FROM debian:${DEBIAN_TAG} as deps
 
 # Get the architecture the image is being built for
 ARG TARGETPLATFORM
+WORKDIR /tmp/build
+
+# Install packages needed for building/verifying dependencies
+# hadolint ignore=DL3008,SC2261
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates>=20210119 \
+        curl>=7.74 \
+        git>=1:2.30 \
+        unzip>=6.0 \
+        bash>=5.1 \
+        openssh-server>=1:8.4p1 \
+        libcap2>=1:2.44 \
+        dumb-init>=1.2 \
+        gnupg>=2.2 \
+        openssl>=1.1.1n
+
+# install conftest
+# renovate: datasource=github-releases depName=open-policy-agent/conftest
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+ENV DEFAULT_CONFTEST_VERSION=0.40.0
+RUN AVAILABLE_CONFTEST_VERSIONS=${DEFAULT_CONFTEST_VERSION} && \
+    case ${TARGETPLATFORM} in \
+        "linux/amd64") CONFTEST_ARCH=x86_64 ;; \
+        "linux/arm64") CONFTEST_ARCH=arm64 ;; \
+        # There is currently no compiled version of conftest for armv7
+        "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \
+    esac && \
+    for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \
+        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
+        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \
+        sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \
+        mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \
+        tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
+        ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" /usr/local/bin/conftest && \
+        rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
+        rm checksums.txt; \
+    done
+
+# install gosu
+# We use gosu to step down from root and run as the atlantis user
+# renovate: datasource=github-releases depName=tianon/gosu
+ENV GOSU_VERSION=1.16
+
+RUN case ${TARGETPLATFORM} in \
+        "linux/amd64") GOSU_ARCH=amd64 ;; \
+        "linux/arm64") GOSU_ARCH=arm64 ;; \
+        "linux/arm/v7") GOSU_ARCH=armhf ;; \
+    esac && \
+    curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \
+    curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \
+    for server in $(shuf -e ipv4.pool.sks-keyservers.net \
+                            hkp://p80.pool.sks-keyservers.net:80 \
+                            keyserver.ubuntu.com \
+                            hkp://keyserver.ubuntu.com:80 \
+                            pgp.mit.edu) ; do \
+        gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
+    done && \
+    gpg --batch --verify gosu.asc gosu && \
+    chmod +x gosu && \
+    cp gosu /bin && \
+    gosu --version
+
+# install git-lfs
+# renovate: datasource=github-releases depName=git-lfs/git-lfs
+ENV GIT_LFS_VERSION=3.3.0
+
+RUN case ${TARGETPLATFORM} in \
+        "linux/amd64") GIT_LFS_ARCH=amd64 ;; \
+        "linux/arm64") GIT_LFS_ARCH=arm64 ;; \
+        "linux/arm/v7") GIT_LFS_ARCH=arm ;; \
+    esac && \
+    curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \
+    tar --strip-components=1 -xf git-lfs.tar.gz && \
+    chmod +x git-lfs && \
+    mv git-lfs /usr/bin/git-lfs && \
+    git-lfs --version
 
 # install terraform binaries
 # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
 ENV DEFAULT_TERRAFORM_VERSION=1.4.4
 
-# In the official Atlantis image we only have the latest of each Terraform version.
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \
+# In the official Atlantis image, we only have the latest of each Terraform version.
+RUN AVAILABLE_TERRAFORM_VERSIONS="1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \
     case "${TARGETPLATFORM}" in \
         "linux/amd64") TERRAFORM_ARCH=amd64 ;; \
         "linux/arm64") TERRAFORM_ARCH=arm64 ;; \
@@ -59,34 +134,79 @@ RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_V
     done && \
     ln -s "/usr/local/bin/tf/versions/${DEFAULT_TERRAFORM_VERSION}/terraform" /usr/local/bin/terraform
 
-# renovate: datasource=github-releases depName=open-policy-agent/conftest
-ENV DEFAULT_CONFTEST_VERSION=0.40.0
 
-RUN AVAILABLE_CONFTEST_VERSIONS="${DEFAULT_CONFTEST_VERSION}" && \
-    case "${TARGETPLATFORM}" in \
-        "linux/amd64") CONFTEST_ARCH=x86_64 ;; \
-        "linux/arm64") CONFTEST_ARCH=arm64 ;; \
-        # There is currently no compiled version of conftest for armv7
-        "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \
-    esac && \
-    for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \
-        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
-        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \
-        sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \
-        mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \
-        tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
-        ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" "/usr/local/bin/conftest${VERSION}" && \
-        rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
-        rm checksums.txt; \
-    done
+# Stage 2 - Alpine
+# Creating the individual distro builds using targets
+FROM alpine:${ALPINE_TAG} AS alpine
 
-RUN ln -s /usr/local/bin/cft/versions/${DEFAULT_CONFTEST_VERSION}/conftest /usr/local/bin/conftest
+# atlantis user for gosu and OpenShift compatibility
+RUN addgroup atlantis && \
+    adduser -S -G atlantis atlantis && \
+    adduser atlantis root && \
+    chown atlantis:root /home/atlantis/ && \
+    chmod g=u /home/atlantis/ && \
+    chmod g=u /etc/passwd
 
 # copy binary
 COPY --from=builder /app/atlantis /usr/local/bin/atlantis
+# copy terraform
+COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/
+# copy deps
+COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
+COPY --from=deps /bin/gosu /bin/gosu
+COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
+# copy docker entrypoint
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+# Install packages needed for running Atlantis.
+# We place this last as it will bust less docker layer caches when packages update
+RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/ \
+        git~=2.40 && \
+    apk add --no-cache \
+        ca-certificates~=20220614 \
+        curl~=7.87 \
+        unzip~=6.0 \
+        bash~=5.2 \
+        openssh~=9.1_p1 \
+        libcap~=2.66 \
+        dumb-init~=1.2 \
+        gcompat~=1.1
 
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["server"]
+
+# Stage 2 - Debian
+FROM debian:${DEBIAN_TAG} AS debian
+
+# copy binary
+COPY --from=builder /app/atlantis /usr/local/bin/atlantis
+# copy terraform
+COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/
+# copy deps
+COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
+COPY --from=deps /bin/gosu /bin/gosu
+COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
 # copy docker entrypoint
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
+# Install packages needed for running Atlantis.
+# We place this last as it will bust less docker layer caches when packages update
+# hadolint ignore explanation
+# DL3008 (pin versions using "=") - Ignored to avoid failing the build
+# SC2261 (multiple redirections) - This is a bug https://github.com/hadolint/hadolint/issues/782
+# hadolint ignore=DL3008,SC2261
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        ca-certificates>=20210119 \
+        curl>=7.74 \
+        git>=1:2.30 \
+        unzip>=6.0 \
+        bash>=5.1 \
+        openssh-server>=1:8.4p1 \
+        libcap2>=1:2.44 \
+        dumb-init>=1.2 && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server"]

Dockerfile

@@ -1,7 +1,3 @@
 FROM ghcr.io/runatlantis/atlantis:latest
 COPY atlantis /usr/local/bin/atlantis
-# TODO: remove this once we get this in the base image
-# renovate: datasource=github-releases depName=open-policy-agent/conftest
-ENV DEFAULT_CONFTEST_VERSION=0.40.0
-
 WORKDIR /atlantis/src