
Commit 63f5811

tangowithfoxtrotjustindbaurEeebru
authored
feat: non-root self hosted images for standard deployment (#5701)
* Use IHttpMessageHandlerFactory For HTTP Communication Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * feat: allow custom app-id.json location for rootless Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * fix: new build context wont allow copying git context * feat: allow images to run as non-root user * fix: build failures caused by bad merge * build: we don't need to copy the `.git` dir * Revert "build: we don't need to copy the `.git` dir" This reverts commit 32c2f62. * Use `IHttpClientFactory` in more places * update build workflow * fix: compatibility with the existin run.sh script * fix: compatibility with existing run.sh script * Add SelfHosted GlobalSettings for Setup * Fix my build error * Add other services * Add IConfiguration * fix: missing gosu command for rootful mode * fix: try using .net core certificate handling * fix: add `SSL_CERT_DIR` to remaining images * Remove X509ChainCustomization activation code * Revert "Use IHttpMessageHandlerFactory For HTTP Communication" This reverts commit c93be6d. * Revert "fix: build failures caused by bad merge" This reverts commit 3e46394. * Revert "Use `IHttpClientFactory` in more places" This reverts commit 284501a. 
* remove unused code * re-add error log for installation id * remove missing error message in log * build: remove duplicate docker+qemu setup steps Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> * build: optimize for simpler builds over caching * build: restore previous method for getting the GIT_HASH * fix: add missing build args to remaining images * fix: rm extraneous source revision id arg * fmt: apply consistent spacing and rm redundant WORKDIR directive * build: update migrator to use simpler build; apply consistent spacing * fix: merge conflicts; simplify changes * fix: add publish branch check back --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com>
1 parent 0b2b573 commit 63f5811


41 files changed

+1025
-458
lines changed

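--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ env:
 jobs:
 lint:
 name: Lint
-runs-on: ubuntu-22.04
+runs-on: ubuntu-24.04
 steps:
 - name: Check out repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -33,46 +33,62 @@ jobs:
 run: dotnet format --verify-no-changes
 
 build-artifacts:
-name: Build artifacts
-runs-on: ubuntu-22.04
+name: Build Docker images
+runs-on: ubuntu-24.04
 needs:
 - lint
 outputs:
 has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
+permissions:
+security-events: write
+id-token: write
 strategy:
 fail-fast: false
 matrix:
 include:
 - project_name: Admin
 base_path: ./src
+dotnet: true
 node: true
 - project_name: Api
 base_path: ./src
+dotnet: true
+- project_name: Attachments
+base_path: ./util
 - project_name: Billing
 base_path: ./src
+dotnet: true
 - project_name: Events
 base_path: ./src
+dotnet: true
 - project_name: EventsProcessor
 base_path: ./src
+dotnet: true
 - project_name: Icons
 base_path: ./src
+dotnet: true
 - project_name: Identity
 base_path: ./src
+dotnet: true
+- project_name: MsSql
+base_path: ./util
 - project_name: MsSqlMigratorUtility
 base_path: ./util
 dotnet: true
+- project_name: Nginx
+base_path: ./util
 - project_name: Notifications
 base_path: ./src
+dotnet: true
 - project_name: Scim
 base_path: ./bitwarden_license/src
 dotnet: true
-- project_name: Server
-base_path: ./util
 - project_name: Setup
 base_path: ./util
+dotnet: true
 - project_name: Sso
 base_path: ./bitwarden_license/src
-node: true
+dotnet: true
 steps:
 - name: Check secrets
 id: check-secrets
@@ -87,6 +103,18 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 
+- name: Check branch to publish
+env:
+PUBLISH_BRANCHES: "main,rc,hotfix-rc"
+id: publish-branch-check
+run: |
+IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
+if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
+echo "is_publish_branch=true" >> $GITHUB_ENV
+else
+echo "is_publish_branch=false" >> $GITHUB_ENV
+fi
+
 - name: Set up .NET
 uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
@@ -115,6 +143,7 @@ jobs:
 
 - name: Publish project
 working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
+if: ${{ matrix.dotnet }}
 run: |
 echo "Publish"
 dotnet publish -c "Release" -o obj/build-output/publish
@@ -128,87 +157,18 @@ jobs:
 
 - name: Upload project artifact
 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+if: ${{ matrix.dotnet }}
 with:
 name: ${{ matrix.project_name }}.zip
 path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
 if-no-files-found: error
 
-build-docker:
-name: Build Docker images
-runs-on: ubuntu-22.04
-permissions:
-security-events: write
-id-token: write
-needs:
-- build-artifacts
-if: ${{ needs.build-artifacts.outputs.has_secrets == 'true' }}
-strategy:
-fail-fast: false
-matrix:
-include:
-- project_name: Admin
-base_path: ./src
-dotnet: true
-- project_name: Api
-base_path: ./src
-dotnet: true
-- project_name: Attachments
-base_path: ./util
-- project_name: Billing
-base_path: ./src
-dotnet: true
-- project_name: Events
-base_path: ./src
-dotnet: true
-- project_name: EventsProcessor
-base_path: ./src
-dotnet: true
-- project_name: Icons
-base_path: ./src
-dotnet: true
-- project_name: Identity
-base_path: ./src
-dotnet: true
-- project_name: MsSql
-base_path: ./util
-- project_name: MsSqlMigratorUtility
-base_path: ./util
-dotnet: true
-- project_name: Nginx
-base_path: ./util
-- project_name: Notifications
-base_path: ./src
-dotnet: true
-- project_name: Scim
-base_path: ./bitwarden_license/src
-dotnet: true
-- project_name: Server
-base_path: ./util
-dotnet: true
-- project_name: Setup
-base_path: ./util
-dotnet: true
-- project_name: Sso
-base_path: ./bitwarden_license/src
-dotnet: true
-steps:
-- name: Check out repo
-uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-with:
-ref: ${{ github.event.pull_request.head.sha }}
+########## Set up Docker ##########
+- name: Set up QEMU emulators
+uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
-- name: Check branch to publish
-env:
-PUBLISH_BRANCHES: "main,rc,hotfix-rc"
-id: publish-branch-check
-run: |
-IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
-
-if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
-echo "is_publish_branch=true" >> $GITHUB_ENV
-else
-echo "is_publish_branch=false" >> $GITHUB_ENV
-fi
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
 ########## ACRs ##########
 - name: Log in to Azure - production subscription
@@ -277,26 +237,24 @@ jobs:
 fi
 echo "tags=$TAGS" >> $GITHUB_OUTPUT
 
-- name: Get build artifact
-if: ${{ matrix.dotnet }}
-uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-with:
-name: ${{ matrix.project_name }}.zip
-
-- name: Set up build artifact
-if: ${{ matrix.dotnet }}
-run: |
-mkdir -p ${{ matrix.base_path}}/${{ matrix.project_name }}/obj/build-output/publish
-unzip ${{ matrix.project_name }}.zip \
--d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish
+- name: Generate image full name
+id: cache-name
+env:
+PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
+run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache" >> $GITHUB_OUTPUT
 
 - name: Build Docker image
-id: build-docker
+id: build-artifacts
 uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
 with:
-context: ${{ matrix.base_path }}/${{ matrix.project_name }}
+cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }}
+cache-to: type=registry,ref=${{ steps.cache-name.outputs.name}},mode=max
+context: .
 file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
-platforms: linux/amd64
+platforms: |
+linux/amd64,
+linux/arm/v7,
+linux/arm64
 push: true
 tags: ${{ steps.image-tags.outputs.tags }}
 secrets: |
@@ -309,7 +267,7 @@ jobs:
 - name: Sign image with Cosign
 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
 env:
-DIGEST: ${{ steps.build-docker.outputs.digest }}
+DIGEST: ${{ steps.build-artifacts.outputs.digest }}
 TAGS: ${{ steps.image-tags.outputs.tags }}
 run: |
 IFS="," read -a tags <<< "${TAGS}"
@@ -336,8 +294,8 @@ jobs:
 
 upload:
 name: Upload
-runs-on: ubuntu-22.04
-needs: build-docker
+runs-on: ubuntu-24.04
+needs: build-artifacts
 steps:
 - name: Check out repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -512,7 +470,7 @@ jobs:
 
 build-mssqlmigratorutility:
 name: Build MSSQL migrator utility
-runs-on: ubuntu-22.04
+runs-on: ubuntu-24.04
 needs:
 - lint
 defaults:
@@ -568,9 +526,9 @@ jobs:
 if: |
 github.event_name != 'pull_request'
 && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-runs-on: ubuntu-22.04
+runs-on: ubuntu-24.04
 needs:
-- build-docker
+- build-artifacts
 steps:
 - name: Log in to Azure - CI subscription
 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -604,7 +562,7 @@ jobs:
 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
 runs-on: ubuntu-22.04
 needs:
-- build-docker
+- build-artifacts
 steps:
 - name: Log in to Azure - CI subscription
 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -638,7 +596,6 @@ jobs:
 name: Setup Ephemeral Environment
 needs:
 - build-artifacts
-- build-docker
 if: |
 needs.build-artifacts.outputs.has_secrets == 'true'
 && github.event_name == 'pull_request'
@@ -656,7 +613,6 @@ jobs:
 needs:
 - lint
 - build-artifacts
-- build-docker
 - upload
 - build-mssqlmigratorutility
 - self-host-build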
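Review bot: The `Build Docker image` step with `push: true` and the `cache-to` registry export now live in `build-artifacts`, which has none of the job-level `if: ${{ needs.build-artifacts.outputs.has_secrets == 'true' }}` gate the removed `build-docker` job carried, and no step-level condition is visible on that step in the `@@ -277` hunk. Unless the ACR login and build steps are gated per step with `if: ${{ steps.check-secrets.outputs.has_secrets == 'true' }}` outside these hunks, fork pull requests (which receive no secrets) will reach a credentialed push and fail, and the new `id-token: write` / `security-events: write` grants now also apply to the `dotnet publish` and node build steps that previously ran without them. The shared `${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache` ref is read and written by every branch's build, so a layer cached by a PR or feature-branch build can be reused by a `main` release build; scope the cache ref per branch or restrict `cache-to` to publish branches if that sharing is not intended. Separately, the job in the `@@ -604` hunk still runs on `ubuntu-22.04` while every other job moved to `ubuntu-24.04`.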

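--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -69,5 +69,4 @@
 </AssemblyAttribute>
 </ItemGroup>
 </Target>
-
-</Project>
+</Project>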

bitwarden_license/src/Scim/.dockerignore

Lines changed: 0 additions & 4 deletions
This file was deleted.

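--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -1,6 +1,50 @@
+###############################################
+# Build stage #
+###############################################
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+RID=linux-x64 ; \
+elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+RID=linux-arm64 ; \
+elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+RID=linux-arm ; \
+fi \
+&& echo "RID=$RID" > /tmp/rid.txt
+
+# Copy required project files
+WORKDIR /source
+COPY . ./
+
+# Restore project dependencies and tools
+WORKDIR /source/bitwarden_license/src/Scim
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Build project
+RUN . /tmp/rid.txt && dotnet publish \
+-c release \
+--no-restore \
+--self-contained \
+/p:PublishSingleFile=true \
+-r $RID \
+-o out
+
+###############################################
+# App stage #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:8.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS=http://+:5000
+ENV SSL_CERT_DIR=/etc/bitwarden/ca-certificates
+EXPOSE 5000
 
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
@@ -9,11 +53,10 @@ RUN apt-get update \
 krb5-user \
 && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
+COPY --from=build /source/bitwarden_license/src/Scim/out /app
+COPY ./bitwarden_license/src/Scim/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1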
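Review bot: The RID selection `RUN if … elif … fi` in the build stage has no `else`, so for any other `TARGETPLATFORM` the variable stays empty and the failure only surfaces later as an opaque `dotnet restore -r` error; add `else echo "unsupported TARGETPLATFORM: $TARGETPLATFORM" >&2; exit 1; \` before `fi` so the build fails at the cause. `ENV SSL_CERT_DIR=/etc/bitwarden/ca-certificates` replaces OpenSSL's default lookup directory rather than extending it, so outbound TLS from the app will not consult the system bundle under `/etc/ssl/certs` unless that directory is populated or linked (the entrypoint is not shown here); a comment on that line stating the expectation, or a colon-separated value such as `/etc/bitwarden/ca-certificates:/etc/ssl/certs`, would make the intent explicit. Because `COPY . ./` now copies the whole repository context and this commit deletes `bitwarden_license/src/Scim/.dockerignore`, the full checkout (including `.git`, which the commit message says is needed) lands in the build stage unless a root `.dockerignore` trims it, and with the workflow exporting cache at `mode=max` those layers are pushed to the registry cache as well, so a root `.dockerignore` that excludes local secret and env files is worth confirming. The base images are referenced by the floating `8.0` tag rather than a digest, which is pre-existing for the runtime image but new for the `sdk:8.0` build stage.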
