Revert "refactor(atlantis-image): recombine with atlantis-base (#3001)"

This reverts commit 310aff8.

.github/workflows/atlantis-base.yml

@@ -0,0 +1,98 @@
+name: atlantis-base
+
+on:
+  push:
+    paths:
+      - 'docker-base/Dockerfile.*'
+      - '.github/workflows/atlantis-base.yml'
+    branches:
+      - "main"
+  pull_request:
+    paths:
+      - 'docker-base/Dockerfile.*'
+      - '.github/workflows/atlantis-base.yml'
+  workflow_dispatch:
+
+defaults:
+  run:
+    working-directory: docker-base
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        image_type: [alpine, debian]
+    runs-on: ubuntu-22.04
+    env:
+      DOCKERFILE: "Dockerfile.${{ matrix.image_type }}"
+      IMAGE_BASE: ghcr.io/${{ github.repository_owner }}/atlantis-base
+      IMAGE_SUFFIX: ${{ matrix.image_type != 'alpine' && format('-{0}', matrix.image_type) || '' }}
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v2
+      with:
+        image: tonistiigi/binfmt:latest
+        platforms: arm64,arm
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+      # related issues for pinning buildkit
+      # https://github.com/docker/build-push-action/issues/761
+      # https://github.com/containerd/containerd/issues/7972
+      # https://github.com/containerd/containerd/pull/6995
+      with:
+        driver-opts: |
+          image=moby/buildkit:v0.10.6
+
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v4
+      with:
+        images: |
+          atlantis
+        labels: |
+          org.opencontainers.image.licenses=Apache-2.0
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+
+    - name: Login to Packages Container registry
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Populate release version
+      run: echo "RELEASE_VERSION=$(date +"%Y.%m.%d")" >> $GITHUB_ENV
+
+    - name: Build and push atlantis-base:${{ env.RELEASE_VERSION }}${{ env.IMAGE_SUFFIX }} image
+      uses: docker/build-push-action@v4
+      with:
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        context: docker-base
+        build-args: ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }}
+        file: docker-base/${{ env.DOCKERFILE }}
+        platforms: linux/arm64/v8,linux/amd64,linux/arm/v7
+        push: ${{ github.event_name != 'pull_request' }}
+        # release version is the YYYYMMDD date of the build i.e. 20301210
+        # release version also has the image type appended i.e. 20301210-alpine
+        # release tag is latest i.e. latest
+        # release tag also has the image type appended i.e. latest-alpine
+        # if it's Dec 10, 2030 and alpine, it will do 20301210, 20301210-alpine, latest, latest-alpine
+        # if it's Dec 10, 2030 and debian, it will do 20301210-debian, latest-debian
+        tags: |
+          ${{ env.IMAGE_BASE }}:${{ env.RELEASE_VERSION }}${{ env.IMAGE_SUFFIX }}
+          ${{ env.IMAGE_BASE }}:${{ env.RELEASE_VERSION }}-${{ matrix.image_type }}
+          ${{ env.IMAGE_BASE }}:latest${{ env.IMAGE_SUFFIX }}
+          ${{ env.IMAGE_BASE }}:latest-${{ matrix.image_type }}
+        labels: ${{ steps.meta.outputs.labels }}

.github/workflows/atlantis-image.yml

@@ -10,7 +10,6 @@ on:
   pull_request:
     paths:
       - 'Dockerfile'
-      - 'docker-entrypoint.sh'
       - '.github/workflows/atlantis-image.yml'
   workflow_dispatch:
 
@@ -33,12 +32,6 @@ jobs:
     steps:
     - uses: actions/checkout@v3
 
-    # Lint the Dockerfile first before setting anything up
-    - name: Lint Dockerfile
-      uses: hadolint/hadolint-action@master
-      with:
-        dockerfile: "Dockerfile"
-
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v2
       with:
@@ -63,7 +56,6 @@ jobs:
         images: |
           ${{ env.DOCKER_REPO }}
         labels: |
-          org.opencontainers.image.authors="Anubhav Mishra, Luke Kysow"
           org.opencontainers.image.licenses=Apache-2.0
         tags: |
           # semver
@@ -94,22 +86,6 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
-    # Publish dev image to container registry
-    - name: Build and push atlantis:dev${{ env.IMAGE_SUFFIX }} image
-      if: ${{ contains(fromJson('["push", "pull_request"]'), github.event_name) }}
-      uses: docker/build-push-action@v3
-      with:
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
-        context: .
-        platforms: linux/arm64/v8,linux/amd64,linux/arm/v7
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: |
-          ghcr.io/${{ github.repository_owner }}/atlantis:dev${{ env.IMAGE_SUFFIX }}
-          ghcr.io/${{ github.repository_owner }}/atlantis:dev-${{ matrix.image_type }}
-        target: ${{ matrix.image_type }}
-        labels: ${{ steps.meta.outputs.labels }}
-
     # Publish release to container registry
     - name: Populate release version
       if: contains(fromJson('["push", "pull_request"]'), github.event_name)
@@ -130,6 +106,5 @@ jobs:
         platforms: linux/arm64/v8,linux/amd64,linux/arm/v7
         push: ${{ env.PUSH }}
         tags: ${{ steps.meta.outputs.tags }}
-        target: ${{ matrix.image_type }}
         labels: ${{ steps.meta.outputs.labels }}
         outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}

Dockerfile

@@ -1,9 +1,8 @@
-# syntax=docker/dockerfile:1
-# what distro is the image being built for
-ARG ALPINE_TAG=3.17.1
-ARG DEBIAN_TAG=11.6-slim
+ARG ATLANTIS_BASE=ghcr.io/runatlantis/atlantis-base
+ARG ATLANTIS_BASE_TAG_DATE=latest
+ARG ATLANTIS_BASE_TAG_TYPE=alpine
 
-# Stage 1: build artifact and download deps
+# Stage 1: build artifact
 
 FROM golang:1.20.2-alpine AS builder
 
@@ -20,102 +19,28 @@ WORKDIR /app
 # https://github.com/montanaflynn/golang-docker-cache
 # https://github.com/golang/go/issues/27719
 COPY go.mod go.sum ./
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN go mod graph | awk '{if ($1 !~ "@") print $2}' | xargs go get
 
 COPY . /app
+
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     CGO_ENABLED=0 go build -trimpath -ldflags "-s -w -X 'main.version=${ATLANTIS_VERSION}' -X 'main.commit=${ATLANTIS_COMMIT}' -X 'main.date=${ATLANTIS_DATE}'" -v -o atlantis .
 
-FROM debian:${DEBIAN_TAG} as deps
+# Stage 2
+# The runatlantis/atlantis-base is created by docker-base/Dockerfile
+FROM ${ATLANTIS_BASE}:${ATLANTIS_BASE_TAG_DATE}-${ATLANTIS_BASE_TAG_TYPE} AS base
 
 # Get the architecture the image is being built for
 ARG TARGETPLATFORM
-WORKDIR /tmp/build
-
-# Install packages needed for building/verifying dependencies
-# hadolint ignore=DL3008,SC2261
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-        ca-certificates>=20210119 \
-        curl>=7.74 \
-        git>=1:2.30 \
-        unzip>=6.0 \
-        bash>=5.1 \
-        openssh-server>=1:8.4p1 \
-        libcap2>=1:2.44 \
-        dumb-init>=1.2 \
-        gnupg>=2.2 \
-        openssl>=1.1.1n
-
-# install conftest
-# renovate: datasource=github-releases depName=open-policy-agent/conftest
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-ENV DEFAULT_CONFTEST_VERSION=0.40.0
-RUN AVAILABLE_CONFTEST_VERSIONS=${DEFAULT_CONFTEST_VERSION} && \
-    case ${TARGETPLATFORM} in \
-        "linux/amd64") CONFTEST_ARCH=x86_64 ;; \
-        "linux/arm64") CONFTEST_ARCH=arm64 ;; \
-        # There is currently no compiled version of conftest for armv7
-        "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \
-    esac && \
-    for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \
-        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
-        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \
-        sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \
-        mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \
-        tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
-        ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" /usr/local/bin/conftest && \
-        rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
-        rm checksums.txt; \
-    done
-
-# install gosu
-# We use gosu to step down from root and run as the atlantis user
-# renovate: datasource=github-releases depName=tianon/gosu
-ENV GOSU_VERSION=1.16
-
-RUN case ${TARGETPLATFORM} in \
-        "linux/amd64") GOSU_ARCH=amd64 ;; \
-        "linux/arm64") GOSU_ARCH=arm64 ;; \
-        "linux/arm/v7") GOSU_ARCH=armhf ;; \
-    esac && \
-    curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \
-    curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \
-    for server in $(shuf -e ipv4.pool.sks-keyservers.net \
-                            hkp://p80.pool.sks-keyservers.net:80 \
-                            keyserver.ubuntu.com \
-                            hkp://keyserver.ubuntu.com:80 \
-                            pgp.mit.edu) ; do \
-        gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
-    done && \
-    gpg --batch --verify gosu.asc gosu && \
-    chmod +x gosu && \
-    cp gosu /bin && \
-    gosu --version
-
-# install git-lfs
-# renovate: datasource=github-releases depName=git-lfs/git-lfs
-ENV GIT_LFS_VERSION=3.3.0
-
-RUN case ${TARGETPLATFORM} in \
-        "linux/amd64") GIT_LFS_ARCH=amd64 ;; \
-        "linux/arm64") GIT_LFS_ARCH=arm64 ;; \
-        "linux/arm/v7") GIT_LFS_ARCH=arm ;; \
-    esac && \
-    curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \
-    tar --strip-components=1 -xf git-lfs.tar.gz && \
-    chmod +x git-lfs && \
-    mv git-lfs /usr/bin/git-lfs && \
-    git-lfs --version
 
 # install terraform binaries
 # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
 ENV DEFAULT_TERRAFORM_VERSION=1.4.4
 
-# In the official Atlantis image, we only have the latest of each Terraform version.
-RUN AVAILABLE_TERRAFORM_VERSIONS="1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \
+# In the official Atlantis image we only have the latest of each Terraform version.
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \
     case "${TARGETPLATFORM}" in \
         "linux/amd64") TERRAFORM_ARCH=amd64 ;; \
         "linux/arm64") TERRAFORM_ARCH=arm64 ;; \
@@ -134,79 +59,34 @@ RUN AVAILABLE_TERRAFORM_VERSIONS="1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}
     done && \
     ln -s "/usr/local/bin/tf/versions/${DEFAULT_TERRAFORM_VERSION}/terraform" /usr/local/bin/terraform
 
+# renovate: datasource=github-releases depName=open-policy-agent/conftest
+ENV DEFAULT_CONFTEST_VERSION=0.40.0
 
-# Stage 2 - Alpine
-# Creating the individual distro builds using targets
-FROM alpine:${ALPINE_TAG} AS alpine
+RUN AVAILABLE_CONFTEST_VERSIONS="${DEFAULT_CONFTEST_VERSION}" && \
+    case "${TARGETPLATFORM}" in \
+        "linux/amd64") CONFTEST_ARCH=x86_64 ;; \
+        "linux/arm64") CONFTEST_ARCH=arm64 ;; \
+        # There is currently no compiled version of conftest for armv7
+        "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \
+    esac && \
+    for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \
+        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
+        curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \
+        sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \
+        mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \
+        tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
+        ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" "/usr/local/bin/conftest${VERSION}" && \
+        rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \
+        rm checksums.txt; \
+    done
 
-# atlantis user for gosu and OpenShift compatibility
-RUN addgroup atlantis && \
-    adduser -S -G atlantis atlantis && \
-    adduser atlantis root && \
-    chown atlantis:root /home/atlantis/ && \
-    chmod g=u /home/atlantis/ && \
-    chmod g=u /etc/passwd
+RUN ln -s /usr/local/bin/cft/versions/${DEFAULT_CONFTEST_VERSION}/conftest /usr/local/bin/conftest
 
 # copy binary
 COPY --from=builder /app/atlantis /usr/local/bin/atlantis
-# copy terraform
-COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/
-# copy deps
-COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
-COPY --from=deps /bin/gosu /bin/gosu
-COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
-# copy docker entrypoint
-COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-
-# Install packages needed for running Atlantis.
-# We place this last as it will bust less docker layer caches when packages update
-RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/ \
-        git~=2.40 && \
-    apk add --no-cache \
-        ca-certificates~=20220614 \
-        curl~=7.87 \
-        unzip~=6.0 \
-        bash~=5.2 \
-        openssh~=9.1_p1 \
-        libcap~=2.66 \
-        dumb-init~=1.2 \
-        gcompat~=1.1
 
-ENTRYPOINT ["docker-entrypoint.sh"]
-CMD ["server"]
-
-# Stage 2 - Debian
-FROM debian:${DEBIAN_TAG} AS debian
-
-# copy binary
-COPY --from=builder /app/atlantis /usr/local/bin/atlantis
-# copy terraform
-COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/
-# copy deps
-COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
-COPY --from=deps /bin/gosu /bin/gosu
-COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
 # copy docker entrypoint
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
-# Install packages needed for running Atlantis.
-# We place this last as it will bust less docker layer caches when packages update
-# hadolint ignore explanation
-# DL3008 (pin versions using "=") - Ignored to avoid failing the build
-# SC2261 (multiple redirections) - This is a bug https://github.com/hadolint/hadolint/issues/782
-# hadolint ignore=DL3008,SC2261
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        ca-certificates>=20210119 \
-        curl>=7.74 \
-        git>=1:2.30 \
-        unzip>=6.0 \
-        bash>=5.1 \
-        openssh-server>=1:8.4p1 \
-        libcap2>=1:2.44 \
-        dumb-init>=1.2 && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server"]

Dockerfile.dev

@@ -1,3 +1,7 @@
 FROM ghcr.io/runatlantis/atlantis:latest
 COPY atlantis /usr/local/bin/atlantis
+# TODO: remove this once we get this in the base image
+# renovate: datasource=github-releases depName=open-policy-agent/conftest
+ENV DEFAULT_CONFTEST_VERSION=0.40.0
+
 WORKDIR /atlantis/src