# catalyst-api — Catalyst-Zero's provisioner backend.
#
# This image needs helm + kubectl on PATH because internal/bootstrap exec's
# them when installing the 11-component bootstrap kit into a freshly-
# provisioned Sovereign. We use Alpine + the static binaries so the runtime
# stays small (~80MB) while still having both tools available.
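FROM docker.io/library/golang:1.23-alpine AS build
WORKDIR /app
# Module manifests first so the dependency layer stays cached until go.mod /
# go.sum change; `go mod download` verifies every module against go.sum.
COPY go.mod go.sum ./
RUN go mod download
# NOTE(review): COPY . . pulls in the whole build context — confirm .dockerignore
# excludes .git, local env files and anything secret; a file copied into this
# stage is gone from the runtime image, but it still sits in this stage's layers.
COPY . .
# CGO off => fully static binaries that run on plain Alpine (no glibc). -s -w
# strip symbols and DWARF; -trimpath drops build-host paths from the binary so
# builds from different checkouts/hosts are reproducible and no local directory
# names leak into panics or `strings` output. GOARCH is not set, so the Go
# binaries follow the build host's architecture while the kubectl/helm downloads
# in the runtime stage are hard-wired to amd64 — build on amd64 or set both.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /catalyst-api ./cmd/api
# catalyst-dns helper — invoked by the OpenTofu module's null_resource.dns_pool
# via local-exec at Phase-0 apply time. Lives at /usr/local/bin/catalyst-dns
# in the runtime image so the OpenTofu run (which executes inside this same
# container — the catalyst-api Pod is also the OpenTofu runner) can shell out
# to it. See infra/hetzner/main.tf comments around null_resource.dns_pool.
# NOTE(review): nothing in this Dockerfile installs `tofu` or a provider plugin,
# so confirm how the in-container OpenTofu run obtains them (baked in elsewhere,
# mounted, or fetched at runtime — the latter would bypass the pinning done here).
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /catalyst-dns ./cmd/catalyst-dns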

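FROM docker.io/library/alpine:3.20 AS runtime

# kubectl + helm must be on PATH so internal/bootstrap can exec them when
# installing the 11-component bootstrap kit. Pin versions for reproducible
# bootstraps; the K8s minor must match what the wizard provisions.
# Both download URLs below are amd64-only: building this image for another
# architecture means swapping the arch here and setting GOARCH in the build stage.
ARG KUBECTL_VERSION=v1.31.4
ARG HELM_VERSION=v3.16.3

# Run every RUN under ash with pipefail so a failed command inside a pipeline
# fails the layer instead of being masked by the last stage of the pipe
# (hadolint DL4006); the checksum checks below rely on this.
SHELL ["/bin/ash", "-o", "pipefail", "-c"]

# Download both tools to /tmp and verify them against the SHA-256 files each
# project publishes next to its release artifact (kubectl.sha256 on dl.k8s.io,
# <tarball>.sha256sum on get.helm.sh) before anything lands on PATH, so a
# truncated or tampered download fails the build rather than shipping. Only the
# first field of the checksum file is used, so either "hash" or "hash  filename"
# formats work. The checksum files come from the same origin as the binaries,
# so this guards transport/CDN corruption, not a compromised upstream — pinning
# the digests in ARGs would close that gap. Everything fetched is removed in the
# same layer so it does not persist in the image.
# curl is only used here at build time; ca-certificates and bash are kept for
# the runtime. NOTE(review): `apk del curl` at the end of this layer would shrink
# the runtime attack surface — confirm first that neither internal/bootstrap nor
# the OpenTofu module shells out to curl.
RUN apk add --no-cache ca-certificates curl bash \
    && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /tmp/kubectl \
    && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" -o /tmp/kubectl.sha256 \
    && echo "$(cut -d' ' -f1 /tmp/kubectl.sha256)  /tmp/kubectl" | sha256sum -c - \
    && install -m 0755 /tmp/kubectl /usr/local/bin/kubectl \
    && curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" -o /tmp/helm.tar.gz \
    && curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz.sha256sum" -o /tmp/helm.sha256sum \
    && echo "$(cut -d' ' -f1 /tmp/helm.sha256sum)  /tmp/helm.tar.gz" | sha256sum -c - \
    && tar xzf /tmp/helm.tar.gz -C /tmp \
    && install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm \
    && rm -rf /tmp/kubectl /tmp/kubectl.sha256 /tmp/helm.tar.gz /tmp/helm.sha256sum /tmp/linux-amd64

COPY --from=build /catalyst-api /catalyst-api
COPY --from=build /catalyst-dns /usr/local/bin/catalyst-dns

# Alpine 3.20 already ships UID 65534 as `nobody`. Reuse that rather than
# creating a duplicate `nonroot` account (adduser would fail with
# "uid '65534' in use"). The numeric form satisfies runAsNonRoot in K8s.
# No instruction after this switches back to root, so the ENTRYPOINT process
# and anything it exec's (kubectl, helm, catalyst-dns) run unprivileged.
USER 65534:65534
# EXPOSE is documentation only; 8080 is above the privileged range, so the
# non-root process can bind it without CAP_NET_BIND_SERVICE.
EXPOSE 8080
# Exec form: catalyst-api is PID 1 and receives SIGTERM directly on stop.
ENTRYPOINT ["/catalyst-api"]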
