From ca543bd0d54be71ac5b6395daf98dd63b1ea6718 Mon Sep 17 00:00:00 2001
From: Chris Burr
Date: Wed, 25 Oct 2023 10:25:02 +0200
Subject: [PATCH 1/2] Add server-base image

---
 README.md | 4 +++
 server-base/Dockerfile | 19 ++++++++++++++
 server-base/entrypoint.sh | 12 +++++++++
 server-base/environment.yml | 49 +++++++++++++++++++++++++++++++++++++
 4 files changed, 84 insertions(+)
 create mode 100644 server-base/Dockerfile
 create mode 100644 server-base/entrypoint.sh
 create mode 100644 server-base/environment.yml

diff --git a/README.md b/README.md
index b0bc009..71d31db 100644
--- a/README.md
+++ b/README.md
@@ -7,3 +7,7 @@ This repository contains the recipes and CI for building the base images used by
 ### secret-generation
 
 This image is used by the [helm chart](https://github.com/DIRACGrid/diracx-charts) to run batch jobs within the cluster that automatically generate kubernetes secrets.
+
+### server-base
+
+This image is used as the base of the diracx service image.
diff --git a/server-base/Dockerfile b/server-base/Dockerfile
new file mode 100644
index 0000000..acc8146
--- /dev/null
+++ b/server-base/Dockerfile
@@ -0,0 +1,19 @@
+FROM registry.cern.ch/docker.io/mambaorg/micromamba
+
+# Copying in ENTRYPOINT script and environment specification
+COPY --chown=$MAMBA_USER:$MAMBA_USER environment.yml entrypoint.sh /
+RUN chmod 755 /entrypoint.sh
+
+RUN micromamba install --yes --file /environment.yml --name=base && \
+    micromamba clean --all --yes --force-pkgs-dirs
+
+ARG MAMBA_DOCKERFILE_ACTIVATE=1
+
+# In many clusters the container is ran as a random uid for security reasons.
+# If we mark the conda directory as group 0 and give it group write permissions
+# then we're still able to manage the environment from inside the container.
+USER 0
+RUN chown -R $MAMBA_USER:0 /opt/conda && chmod -R g=u /opt/conda
+USER $MAMBA_USER
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/server-base/entrypoint.sh b/server-base/entrypoint.sh
new file mode 100644
index 0000000..4d57850
--- /dev/null
+++ b/server-base/entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+
+# TODO: This is a workaround until this is released
+# https://github.com/DaanDeMeyer/reproc/pull/103
+# or that this is merged
+# https://github.com/conda-forge/reproc-feedstock/pull/10
+ulimit -n 8192
+
+eval "$(micromamba shell hook --shell=posix)"
+micromamba activate base
+exec "$@"
diff --git a/server-base/environment.yml b/server-base/environment.yml
new file mode 100644
index 0000000..9d3df74
--- /dev/null
+++ b/server-base/environment.yml
@@ -0,0 +1,49 @@
+name: diracx
+channels:
+  - diracgrid
+  - conda-forge
+  - nodefaults
+dependencies:
+  - authlib
+  - aiohttp
+  - aiomysql
+  - aiosqlite
+  - azure-core
+  - cachetools
+  ########
+  # Building the docker image on some system may fail
+  # as long as this bug is still present
+  # https://github.com/DaanDeMeyer/reproc/pull/103
+  # or that this is merged
+  # https://github.com/conda-forge/reproc-feedstock/pull/10
+  # If it does, we need to comment out `dirac-grid` here
+  # and install it via pip
+  - dirac-grid
+  - m2crypto >=0.38.0
+  - python-gfal2
+  - importlib_resources
+  #######
+  - email-validator
+  - fastapi
+  - git
+  - gitpython
+  - httpx
+  - isodate
+  - opensearch-py
+  - pydantic =1.10.10
+  - pyjwt
+  - python
+  - coverage
+  - python-dotenv
+  - python-jose
+  - python-multipart
+  - pyyaml
+  - requests
+  - rich
+  - sqlalchemy
+  - typer
+  - uvicorn
+  - aiobotocore
+  - botocore
+  - git
+  - pip

From 200eb51d5b8e0a3dac3d02cea54d5d9d353a76cd Mon Sep 17 00:00:00 2001
From: Chris Burr
Date: Wed, 25 Oct 2023 10:25:09 +0200
Subject: [PATCH 2/2] Build containers in CI

---
 .github/dependabot.yml | 7 +++++++
 .github/workflows/main.yml | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/main.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..6fddca0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..a4a03f9
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,38 @@
+name: images
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        image-name: ["server-base", "secret-generation"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.image-name }}
+          push: ${{ github.event_name == 'push' && github.repository == 'DIRACGrid/container-images' && github.ref_name == 'main' }}
+          tags: ghcr.io/diracgrid/diracx/${{ matrix.image-name }}:latest
+          platforms: linux/amd64,linux/arm64
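Review bot: The `FROM registry.cern.ch/docker.io/mambaorg/micromamba` line carries no tag or digest, so every CI rebuild silently pulls whatever that reference currently resolves to and a changed or compromised upstream image lands in the published `server-base` without any commit in this repository; pin it, e.g. `FROM registry.cern.ch/docker.io/mambaorg/micromamba:<tag>@sha256:<digest>`, so rebuilds are reproducible and a base-image bump shows up as a reviewed change. The `chown -R $MAMBA_USER:0 /opt/conda && chmod -R g=u /opt/conda` step deserves a sharper comment than the one above it: it makes the interpreter and every installed package writable by any process whose GID is 0 (which is presumably what the random-uid clusters mentioned assign), so a compromised service process can modify its own runtime in place; if that is an accepted trade-off for in-container debugging, the comment should say so, e.g. `# NOTE: this also lets the (GID 0) runtime process rewrite the environment; accepted so the env can be managed from inside the container.` Minor: `COPY --chown=... --chmod=755 environment.yml entrypoint.sh /` would fold the following `RUN chmod 755 /entrypoint.sh` into the copy layer, though it would also set 755 on environment.yml.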
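Review bot: `ulimit -n 8192` running under `set -e` aborts container start with no diagnostic if the runtime's hard nofile limit is already below 8192, because bash's `ulimit -n` with neither `-S` nor `-H` sets both limits and an unprivileged user cannot raise the hard one. Since the surrounding comment describes this as a temporary workaround rather than a hard requirement, making it best-effort seems safer: `ulimit -n 8192 || echo "WARNING: could not set nofile limit to 8192" >&2`. It would also help whoever removes the workaround to note in the comment that this lowers the hard limit for every child process too, so the service cannot raise it again later, and why 8192 in particular was chosen.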
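Review bot: Apart from `pydantic =1.10.10` and the `m2crypto >=0.38.0` lower bound, nothing in the dependency list is pinned, so each rebuild of `server-base` resolves fresh from the `diracgrid` and `conda-forge` channels and the published image can change its entire Python stack with no commit here; for a base image whose packages handle tokens and certificates (authlib, pyjwt, python-jose, m2crypto) a lock file (e.g. generated with conda-lock) or at least exact pins on those packages would make the image reproducible and its updates reviewable. `git` is listed twice (once after `fastapi`, again after `botocore`); one entry should be dropped. It also appears that `name: diracx` is overridden by the `--name=base` the Dockerfile passes to `micromamba install`; a comment such as `# name is ignored: the Dockerfile installs this into the micromamba base env` would avoid confusion.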
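Review bot: Only the `github-actions` ecosystem is monitored, so the base images declared in `server-base/Dockerfile` (and presumably the `secret-generation` image the workflow matrix also builds) receive no update PRs. Adding a `docker` entry per image directory keeps the base images moving together with the actions; note that Dependabot can only propose a bump once the `FROM` line carries a version tag, which the server-base Dockerfile in this commit does not yet have.
```yaml
  # … unchanged: github-actions entry …
  - package-ecosystem: "docker"
    directory: "/server-base"
    schedule:
      interval: "weekly"
```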
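Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `docker/login-action` carries whatever the repository default is (historically write access to everything) while pushing to ghcr.io only needs package write; add at the `build` job level `permissions:` / `contents: read` / `packages: write`. Every `uses:` references a floating major tag (`actions/checkout@v4`, `docker/build-push-action@v5`, …) that a compromised upstream can repoint; pinning each to a full commit SHA with the version as a trailing comment is the usual hardening, and the Dependabot config added in this commit will keep such pins current. The login step also runs on `pull_request` builds where `push` evaluates to false; gating it with `if: github.event_name == 'push'` avoids authenticating to the registry when nothing will be pushed. Publishing only the mutable `:latest` tag means consumers cannot pin a known-good build; adding an immutable tag such as `ghcr.io/diracgrid/diracx/${{ matrix.image-name }}:${{ github.sha }}` alongside it would help.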