feat(mbe, ebe): dockerize mbe/ebe#25
fa02de1 to 165e75c (force-push)
165e75c to d83afdf (force-push)
We should have different dockerfiles for both the apps to keep the dependencies limited to their app. Enclaved express should have a very light dockerfile.
Also, please let's add a docker-compose to ease up local dev, but you can do it in a follow-up.
| org.opencontainers.image.revision=${VCS_REF} | ||
|
|
||
| # Set runtime environment | ||
| ENV NODE_ENV=production \ |
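Review bot: `ENV NODE_ENV=production` is hardcoded in the runtime stage, so this Dockerfile can only ever produce a production image and a dev or test build needs a file edit. Declare it as a build argument with a production default, `ARG NODE_ENV=production` followed by `ENV NODE_ENV=${NODE_ENV}`, so `--build-arg NODE_ENV=development` can override it while the default stays safe.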
why is this being hardcoded to production?
They have the same dependencies, the only difference I can see is that they expose different ports
d83afdf to 613c04c (force-push)
Pull Request Overview
Adds Docker and Podman support for both Master Express and Enclaved Express, including container build scripts, self-signed certificates, and updated health endpoint handling.
- Introduce `Dockerfile` and `.dockerignore` for multi-stage container build
- Add self-signed test and enclaved certificates into `certs/` for mTLS
- Update health router to map `response.body.status` and `timestamp` instead of raw body
- Extend `package.json` scripts and `README.md` with Podman container instructions
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/masterBitgoExpress/routers/enclavedExpressHealth.ts | Map enclaved response shape and update io-ts type |
| package.json | Add container:build script to build Podman image |
| certs/test-ssl-key.pem | Add self-signed private key for Master Express |
| certs/test-ssl-cert.pem | Add self-signed certificate for Master Express |
| certs/enclaved-express-key.pem | Add private key for Enclaved Express |
| certs/enclaved-express-cert.pem | Add certificate for Enclaved Express |
| README.md | Document Podman container build and run commands |
| Dockerfile | Define multi-stage Dockerfile for build & production |
| .dockerignore | Exclude unnecessary files from Docker build context |
Comments suppressed due to low confidence (3)
README.md:180
- [nitpick] When passing build arguments via Yarn scripts, you need to separate flags with `--`, e.g., `yarn container:build -- --build-arg PORT=3080`.
yarn container:build --build-arg PORT=3080
src/masterBitgoExpress/routers/enclavedExpressHealth.ts:14
- [nitpick] Rather than leaving a TODO, consider extracting this common response type into a shared module now to avoid duplication and drift between services.
// TODO: Move to common definition between enclavedExpress and masterExpress
src/masterBitgoExpress/routers/enclavedExpressHealth.ts:81
- [nitpick] The mapping from `response.body` to the new `enclavedResponse` shape hasn't been covered by tests. Please add or update tests to verify the `status` and `timestamp` are propagated correctly.
enclavedResponse: {
| org.opencontainers.image.revision=${VCS_REF} | ||
|
|
||
| # Set runtime environment | ||
| ENV NODE_ENV={NODE_ENV} \ |
The production stage uses ENV NODE_ENV={NODE_ENV} which will literally set the value to {NODE_ENV}. It should use ENV NODE_ENV=${NODE_ENV} to interpolate the build argument correctly.
| ENV NODE_ENV={NODE_ENV} \ | |
| ENV NODE_ENV=${NODE_ENV} \ |
| USER bitgo | ||
|
|
||
| # Expose port from build arg | ||
| EXPOSE ${PORT} |
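Review bot: `EXPOSE ${PORT}` sits in the production stage, but a build argument declared in an earlier stage is not visible here, so the variable expands to an empty string and the image ends up without the intended port. Redeclare it after this stage's `FROM`, ideally with a default such as `ARG PORT=3080`, and add `ENV PORT=${PORT}` so the same value is also present at runtime for the app to bind.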
The PORT build argument isn't declared or exported in the production stage, so EXPOSE ${PORT} may not work as expected. Consider adding ARG PORT and ENV PORT=${PORT} in the production stage.
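A multi-stage Dockerfile that applies the two points above (build args redeclared in the runtime stage, `${...}` interpolation for `NODE_ENV` and `PORT`) and also answers the earlier question about hardcoding production, as an added example rather than the Dockerfile in this PR. The stage names, the `dist/index.js` entrypoint, the `bitgo` user creation, the `NODE_VERSION` argument and the default values are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Example Dockerfile, not the PR's own. Assumptions: a yarn.lock exists, `yarn build`
# emits dist/index.js, and the image should default to production on port 3080.
# A build arg declared before the first FROM is usable in FROM lines only; every
# stage that reads an arg must redeclare it.
ARG NODE_VERSION=20

FROM node:${NODE_VERSION}-alpine AS build
WORKDIR /app
# Install from the lockfile so the build is reproducible, then compile TypeScript.
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY . .
RUN yarn build

FROM node:${NODE_VERSION}-alpine AS production
WORKDIR /app

# ARG values do not carry over from the build stage: redeclare them here with
# safe defaults and copy them into ENV so the running container sees them too.
# `docker build --build-arg NODE_ENV=development` overrides the default without
# editing this file; a bare {NODE_ENV} (no $) would be copied literally.
ARG NODE_ENV=production
ARG PORT=3080
ENV NODE_ENV=${NODE_ENV} \
    PORT=${PORT}

# Production dependencies only; devDependencies stay behind in the build stage.
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile --production
COPY --from=build /app/dist ./dist

# Run as an unprivileged user (assumed name). certs/ is deliberately not copied:
# private keys are mounted at runtime (e.g. -v ./certs:/run/certs:ro) instead of
# being baked into an image layer.
RUN addgroup -S bitgo && adduser -S -G bitgo bitgo
USER bitgo

# PORT is defined in this stage, so EXPOSE expands to a real port number.
EXPOSE ${PORT}
CMD ["node", "dist/index.js"]
```

Build with `docker build --build-arg PORT=3080 .` (or `podman build`); the same command with `--build-arg NODE_ENV=development` yields a dev image, and omitting both args gives the production defaults.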
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
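Review bot: this commits a PEM private key to the repository, and test-only or not it will trip secret scanners on every clone and can end up in image layers if `certs/` is copied during the build. Generate it locally from a documented script instead (for example `openssl req -x509 -newkey rsa:2048 -nodes -keyout certs/test-ssl-key.pem -out certs/test-ssl-cert.pem -days 365 -subj '/CN=localhost'`), list `certs/*.pem` in both `.gitignore` and `.dockerignore`, and mount or inject the files at runtime.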
Committing private keys into the repository can lead to security risks. Consider generating these keys at build or runtime, or storing them in a secure secrets store instead of version control.
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
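Review bot: same problem as the Master Express key above, and this one is the Enclaved Express side of the mTLS pair, so cover both with the same generation script and ignore rules rather than fixing them separately. Because the key has already been pushed in earlier revisions of this branch, regenerate the pair once the files are removed instead of relying on the force-pushes to have erased it.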
This private key is also committed to version control. For security, keys should be generated or injected at runtime rather than stored in the repo.
613c04c to 9269b99 (force-push)
Ticket: WP-4681