# Multi-stage build for provisioning-orchestrator
# Generated from Nickel template - DO NOT EDIT DIRECTLY
# Source: provisioning/schemas/platform/templates/docker/Dockerfile.chef.ncl
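# ============================================================================
# Stage 1: PLANNER - Generate dependency recipe
# ============================================================================
# NOTE(review): the tag pins the Rust minor version only. For a reproducible,
# auditable build also pin the digest (rust:1.82-trixie@sha256:...) and keep
# all three build stages on the same pinned base.
FROM rust:1.82-trixie AS planner

WORKDIR /workspace

# Install cargo-chef at a fixed version. --locked makes cargo use the Cargo.lock
# published with that version instead of re-resolving cargo-chef's transitive
# dependencies on every image build, so the tool we run is the one that was
# released, not whatever resolves newest today.
RUN cargo install cargo-chef --version 0.1.67 --locked

# Copy workspace manifests and member crates; the planner only reads them to
# derive the dependency graph, nothing is compiled here.
COPY Cargo.toml Cargo.lock ./
COPY crates ./crates
COPY daemon-cli ./daemon-cli
COPY secretumvault ./secretumvault
COPY prov-ecosystem ./prov-ecosystem
COPY stratumiops ./stratumiops

# Generate recipe.json (dependency graph) scoped to the orchestrator binary
RUN cargo chef prepare --recipe-path recipe.json --bin provisioning-orchestrator
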
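# ============================================================================
# Stage 2: CACHER - Build dependencies only
# ============================================================================
FROM rust:1.82-trixie AS cacher

WORKDIR /workspace

# Native build dependencies for crates with C bindings (pkg-config + OpenSSL
# headers). --no-install-recommends keeps "Recommends" packages that nothing
# here asked for out of the build image; the apt lists are removed in the same
# layer so they never persist.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libssl-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Install cargo-chef at the same fixed version as the planner stage; --locked
# pins its transitive dependencies to the published Cargo.lock.
RUN cargo install cargo-chef --version 0.1.67 --locked

# sccache disabled

# Copy recipe from planner
COPY --from=planner /workspace/recipe.json recipe.json

# Build dependencies only - this layer stays cached until recipe.json changes
RUN cargo chef cook --release --recipe-path recipe.json
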
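# ============================================================================
# Stage 3: BUILDER - Build source code
# ============================================================================
FROM rust:1.82-trixie AS builder

WORKDIR /workspace

# Native build dependencies, identical to the cacher stage so the cached
# artifacts were built against the same headers. --no-install-recommends keeps
# unrequested packages out of the build image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libssl-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

# sccache disabled

# Copy cached dependencies (compiled artifacts and the cargo home with the
# registry cache) from the cacher stage
COPY --from=cacher /workspace/target target
COPY --from=cacher /usr/local/cargo /usr/local/cargo

# Copy source code
COPY Cargo.toml Cargo.lock ./
COPY crates ./crates
COPY daemon-cli ./daemon-cli
COPY secretumvault ./secretumvault
COPY prov-ecosystem ./prov-ecosystem
COPY stratumiops ./stratumiops

# Build parallelism. Overridable with --build-arg CARGO_BUILD_JOBS=N; the
# default matches the value previously hard-coded here. This is a build-stage
# ENV only and does not reach the runtime image.
ARG CARGO_BUILD_JOBS=4
ENV CARGO_BUILD_JOBS=${CARGO_BUILD_JOBS}

# Build the release binary. --locked makes cargo fail instead of silently
# rewriting Cargo.lock, so the image can only ever contain the dependency set
# that was committed and reviewed in the lockfile.
RUN cargo build --release --locked --package provisioning-orchestrator
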
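# ============================================================================
# Stage 4: RUNTIME - Minimal runtime image
# ============================================================================
# NOTE(review): pin by digest (debian:trixie-slim@sha256:...) in addition to
# the tag so the runtime base cannot change underneath a rebuild.
FROM debian:trixie-slim

# Runtime dependencies. ca-certificates provides the trust store for outbound
# TLS; curl exists only to serve the HEALTHCHECK below and is extra attack
# surface in the final image. --no-install-recommends keeps unrequested
# packages out; apt lists are removed in the same layer.
# NOTE(review): curl pulls in libcurl/libssl as hard dependencies. If
# provisioning-orchestrator links OpenSSL dynamically it is currently relying
# on that side effect - check `ldd` on the binary and list the library
# explicitly before curl is ever removed or replaced by a static probe.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Create the unprivileged service user with a fixed UID (1000) so that volume
# ownership is predictable, plus the only directories it is allowed to write.
# Everything else in the image stays root-owned and read-only for it.
RUN useradd -m -u 1000 provisioning && \
    mkdir -p /data /var/log/provisioning-orchestrator && \
    chown -R provisioning:provisioning /data /var/log/provisioning-orchestrator

# Copy binary from builder. cargo emits the executable with the execute bit
# already set and COPY preserves mode bits, so the former separate
# `RUN chmod +x` layer - which duplicated the whole binary in another layer -
# is not needed.
COPY --from=builder /workspace/target/release/provisioning-orchestrator /usr/local/bin/provisioning-orchestrator

# Default configuration; root-owned, hence read-only for the service user.
COPY crates/provisioning-orchestrator/config.defaults.toml /etc/provisioning/config.defaults.toml

# Switch to non-root user before anything can run
USER provisioning

# Working directory. It is created after USER, so expect it to be root-owned
# and not writable by the service; runtime state belongs under DATA_DIR.
WORKDIR /app

# Expose service port (documentation only; above 1024, so binding needs no
# extra capability while running unprivileged)
EXPOSE 9090

# Environment variables
ENV RUST_LOG=info \
    DATA_DIR=/data

# Health check: -f turns HTTP errors into a non-zero exit, -sS silences the
# progress meter but still prints the failure reason to the health log.
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
    CMD curl -fsS http://localhost:9090/health || exit 1

# Run the binary (exec form, so it is PID 1 and receives SIGTERM directly)
CMD ["provisioning-orchestrator"]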