chor: update docker image for production use

production image must be built manually
production cert must be mounted at runtime

.dockerignore

@@ -1,2 +1,3 @@
 ci
-!ci/htpasswd
+!test/.htpasswd
+!license/libuserkey.a

.gitignore

@@ -12,7 +12,7 @@ debug
 *.yaml
 !test/config.yaml
 !test/config.localhost.yaml
-!ci/htpasswd
+!test/.htpasswd
 !ci/**/*.yaml
 **/manage/config.js
 frontend/manage/node_modules/*

ci/Dockerfile

@@ -1,35 +1,38 @@
 ###############
 # Build image #
 ###############
-FROM --platform=$BUILDPLATFORM golang:1.22-alpine as builder
+FROM golang:1.22-bookworm as builder
 
 WORKDIR /lcp
 
 COPY . /lcp/.
 
 ENV GOPATH=/lcp/build
 
-RUN apk add build-base
+RUN apt-get update && apt-get -y install build-essential && apt-get clean
 
 # Needed for sqlite3 lib
 ENV CGO_CFLAGS="-D_LARGEFILE64_SOURCE"
+ENV CGO_ENABLED=1
+ENV GOOS=linux
+ENV GOARCH=amd64
 
-RUN CGO_ENABLED=1 go build -o $GOPATH/bin/ ./lcpserver
+RUN go build -o $GOPATH/bin/ ./lcpserver
 RUN go build -o $GOPATH/bin/ ./lsdserver
 RUN go build -o $GOPATH/bin/ ./lcpencrypt
 
 #######################
 # Runtime image (LCP) #
 #######################
-FROM alpine:latest as runtime-lcp
+FROM debian:bookworm-slim as runtime-lcp
 LABEL org.opencontainers.image.source https://github.com/notalib/readium-lcp-server
 WORKDIR /app
 
 # Add non-root user
 ARG UID=1001
 ARG GID=1001
-RUN addgroup --gid $GID app && \
-    adduser --disabled-password -G app --uid $UID lcp
+RUN groupadd --gid $GID app && \
+    adduser --disabled-password -gid $GID --uid $UID lcp
 
 RUN mkdir -p /data/db && \
     mkdir -p /data/files && chown -R $UID:$GID /data
@@ -43,6 +46,8 @@ COPY test/cert/privkey-edrlab-test.pem /app/cert/edrlab.key
 COPY test/config.localhost.yaml /app/config.yaml
 COPY test/.htpasswd /app/.htpasswd
 
+# RUN ls -al /app && sleep 600
+
 # Run as non-root LCP user
 USER lcp
 

ci/README.md

@@ -22,13 +22,13 @@ docker compose up -d
 Simple config for local testing. Assumes you will expose ports 8989-8990 on localhost.
 
 #### htpasswd
-Placeholder htpasswd is just `admin` as username and `Test1234` as password.
+Placeholder .htpasswd is just `admin` as username and `Test1234` as password.
 
 ### Overriding with volumes
 
 You should not run the default config in production. To change the config, simply use volume mounts to override the following files:
 * `/app/config.yaml`
-* `/app/htpasswd`
+* `/app/.htpasswd`
 * `/app/certs`
 
 Basically the config.yaml decides the location of all other files and which ports to use, so modify it wisely.

ci/build.sh

@@ -2,4 +2,4 @@
 
 # Helper script for building all images for multiple architectures
 # NOTE: May not be possible on all types of machines
-docker buildx bake --set *.platform=linux/amd64,linux/arm64
+docker buildx bake --set '*.platform=linux/amd64'

ci/helm-chart/config/config.yaml.tpl

@@ -29,8 +29,8 @@ storage:
 {{- end }}
 certificate:
     # theses test certificates are provided in the test/cert folder of the codebase
-    cert: "/app/cert/{{ .Values.certName }}.crt"
-    private_key: "/app/cert/{{ .Values.certName }}.key"
+    cert: "/app/cert/{{ .Values.production.certName }}.crt"
+    private_key: "/app/cert/{{ .Values.production.certName }}.key"
 license:
     links:
         # leave the url as-is (after <LSD_SERVER> has been resolved)

test/config.yaml

@@ -13,15 +13,15 @@
 lcp:
     # the public url a client app will use to access the License Server (optional)
     public_base_url:  "http://<LCP_SERVER>:<PORT>"
-lcp_update_auth: 
+lcp_update_auth:
     # login and password used by the Status Server to access the License Server
     username: "<adm_username>"
     password: "<adm_password>"
 
 lsd:
     # the public url a client app will use to access the Status Server
     public_base_url:  "https://<PUBLIC_LSD_SERVER>"
-lsd_notify_auth: 
+lsd_notify_auth:
     # login and password used by the License Server to access the Status Server
     username: "<adm_username>"
     password: "<adm_password>"
@@ -33,10 +33,10 @@ profile: "basic"
 lcp:
     # the port on which the License Server will be running
     port: <PORT>
-    # replace this dsn if you're not using SQLite 
+    # replace this dsn if you're not using SQLite
     database: "sqlite3://file:<LCP_HOME>/db/lcp.sqlite?cache=shared&mode=rwc"
     # authentication file of the License Server. Here we use the same file for the License Server and Status Server
-    auth_file: "<LCP_HOME>/config/htpasswd"
+    auth_file: "<LCP_HOME>/config/.htpasswd"
 # uncomment if lcpencrypt does not manage the storage of encrypted publications
 #storage:
 #    filesystem:
@@ -48,7 +48,7 @@ certificate:
 license:
     links:
         # leave the url as-is (after <LSD_SERVER> has been resolved)
-        status: "http://<LSD_SERVER>/licenses/{license_id}/status"     
+        status: "http://<LSD_SERVER>/licenses/{license_id}/status"
         # the url of a REAL html page, that indicates how the user can get back his passphrase if forgotten
         hint: "<CUSTOM_HINT_PAGE_URL>"
 
@@ -58,13 +58,13 @@ license:
 lsd:
     # the port on which the Status Server will be running
     port: <PORT>
-    # replace this dsn if you're not using SQLite 
+    # replace this dsn if you're not using SQLite
     database: "sqlite3://<LCP_HOME>/db/lsd.sqlite?cache=shared&mode=rwc"
     # authentication file of the Status Server. Here we use the same file for the License Server and Status Server
-    auth_file: "<LCP_HOME>/config/htpasswd"
-    # in this example, the License Gateway is developed so that adding a license id 
-    # to the host name gives access to a fresh license.   
-    # Keep {license_id} as-is; this is a template. 
+    auth_file: "<LCP_HOME>/config/.htpasswd"
+    # in this example, the License Gateway is developed so that adding a license id
+    # to the host name gives access to a fresh license.
+    # Keep {license_id} as-is; this is a template.
     # Read the doc to know more about how to develop a License Gateway.
     license_link_url: "http://<GATEWAY>/{license_id}"
 license_status: