@omarfq-maxar omarfq-maxar commented Nov 18, 2025

Add Dockerfile for Container-Native Deployment

Overview

This PR introduces a production-ready Dockerfile and comprehensive documentation for openmaps-auth, enabling container-native deployment to Kubernetes. This is part of the broader OpenMaps modernization initiative to migrate from legacy RPM-based deployments to modern Docker + Helm + Kubernetes architecture.

Changes

New Files

Dockerfile

  • Base Image: python:3.10-slim
  • Application Server: Gunicorn with 4 workers, 2 threads per worker
  • Port: 8080 (HTTP)
  • User: Non-root execution as auth:auth (UID/GID 999)
  • Dependencies: PostgreSQL client, libpq-dev for psycopg2
  • Security: Minimal runtime dependencies, no build tools in final image

Key Features:

  • Production-ready WSGI server configuration
  • Health check endpoint support
  • Environment-based configuration
  • Secure defaults (non-root, minimal packages)

docs/DOCKER_BUILD.md

Comprehensive documentation covering:

  • Container architecture and design decisions
  • Dockerfile structure and rationale
  • Build and deployment process
  • Kubernetes integration (ConfigMaps, Secrets, Deployments)
  • Integration with MapEdit authentication flow
  • Database schema and migrations
  • Health checks and monitoring
  • Security best practices
  • Troubleshooting guide

Deployment

Build & Push to ECR (already done)

# Authenticate to ECR
aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin \
  664418996761.dkr.ecr.us-east-1.amazonaws.com

# Build with semantic version tag
VERSION=0.8.14
docker build -t 664418996761.dkr.ecr.us-east-1.amazonaws.com/openmaps/auth:${VERSION} .

# Push to ECR
docker push 664418996761.dkr.ecr.us-east-1.amazonaws.com/openmaps/auth:${VERSION}

Kubernetes Deployment

The image is deployed via the openmaps Helm chart with:

  • ConfigMap: Non-sensitive configuration (database host, OAuth issuer, etc.)
  • Secret: Sensitive data (database password, OAuth credentials, session secret)
  • Init Containers: Database readiness check, schema migrations
  • Health Checks: Liveness and readiness probes on /health endpoint
  • Resources: 256Mi-512Mi memory, 100m-500m CPU

Configuration

Required Environment Variables

# Database
POSTGRES_HOST=openmaps-postgres
POSTGRES_PORT=5432
POSTGRES_DB=auth
POSTGRES_USER=auth
POSTGRES_PASSWORD=<secret>

# Login.gov OAuth
LOGINGOV_CLIENT_ID=<client-id>
LOGINGOV_PRIVATE_KEY=<private-key>
LOGINGOV_REDIRECT_URI=https://dev.fm-maxarmaps.com/auth/callback
LOGINGOV_ISSUER=https://idp.int.identitysandbox.gov

# Application
FLASK_ENV=production
SECRET_KEY=<secret>
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_HTTPONLY=true
SESSION_COOKIE_SAMESITE=Lax

Integration with MapEdit

The auth service integrates with MapEdit for session-based authentication:

  1. User visits MapEdit → Redirected to /auth/login
  2. Auth service → Redirects to login.gov
  3. User authenticates → login.gov redirects to /auth/callback
  4. Auth service → Creates session, redirects to MapEdit
  5. MapEdit → Validates session via /auth/validate endpoint

Security Improvements

  • Non-root execution: Container runs as auth:auth user (UID/GID 999)
  • Minimal attack surface: Only runtime dependencies in final image
  • Secure session cookies: HTTPS-only, HttpOnly, SameSite=Lax
  • Secrets management: All sensitive data in Kubernetes Secrets
  • Database migrations: Automated via init containers

Testing

Local Testing

# Build locally
docker build -t openmaps-auth:local .

# Run with environment variables
docker run -p 8080:8080 \
  -e POSTGRES_HOST=localhost \
  -e POSTGRES_PASSWORD=secret \
  -e LOGINGOV_CLIENT_ID=test \
  openmaps-auth:local

Health Check

curl http://localhost:8080/health
# Expected: {"status": "healthy"}

Migration Notes

Version Tagging

  • Old Format: 2024.01.15-1.el9 (RPM-based)
  • New Format: 0.8.14 (Semantic versioning)

Deployment Target

  • Platform: AWS EKS
  • Kubernetes: 1.33
  • Base OS: AL2023 (Amazon Linux 2023)
  • Namespace: vantormaps-dev (dev), vantormaps-stg (staging), vantormaps-prod (production)

Checklist

  • Dockerfile created with production-ready configuration
  • Non-root user execution
  • Comprehensive documentation added
  • Build process documented
  • Deployment process documented
  • Integration with MapEdit documented
  • Security best practices implemented
  • Health check endpoint documented
  • Troubleshooting guide included
  • Image successfully built and pushed to ECR
  • Deployed and tested on AWS EKS dev cluster

Breaking Changes

None. This PR only adds new files and does not modify existing application code.

Backward Compatibility

The Dockerfile is designed to work with the existing Flask application without any code changes. The application continues to support the same authentication flows and API endpoints.
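The following is an added illustration of the image layout the description above lists (python:3.10-slim base, Gunicorn with 4 workers and 2 threads on port 8080, non-root auth:auth with UID/GID 999, libpq for psycopg2, no build tools in the final image). It is example code written for this review, not the Dockerfile in the PR or anything from the openmaps-auth project; the requirements.txt path and the WSGI entry point openmaps_auth.wsgi:app are assumed names, and the HEALTHCHECK targets the /health endpoint the description documents.

```dockerfile
# Added example, not the PR's Dockerfile. Assumed (hypothetical): requirements.txt at the
# repo root and a WSGI entry point "openmaps_auth.wsgi:app".

# ---- Stage 1: builder. Compiler and libpq headers live ONLY here. ----
FROM python:3.10-slim AS builder

RUN apt-get update \
 && apt-get install -y --no-install-recommends gcc libpq-dev \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /build
COPY requirements.txt .
# Pre-build wheels (psycopg2 included) so the runtime stage needs no toolchain.
RUN pip wheel --no-cache-dir --wheel-dir /build/wheels -r requirements.txt

# ---- Stage 2: runtime. Shared libraries only, no gcc, no -dev packages. ----
FROM python:3.10-slim

# libpq5 is the shared library psycopg2 loads at runtime; postgresql-client
# provides pg_isready for a database readiness check. Create the service
# account with fixed IDs so Kubernetes runAsUser/fsGroup can reference 999.
RUN apt-get update \
 && apt-get install -y --no-install-recommends libpq5 postgresql-client \
 && rm -rf /var/lib/apt/lists/* \
 && groupadd --system --gid 999 auth \
 && useradd --system --uid 999 --gid auth --no-create-home \
            --shell /usr/sbin/nologin auth

WORKDIR /app
COPY --from=builder /build/wheels /tmp/wheels
RUN pip install --no-cache-dir /tmp/wheels/* && rm -rf /tmp/wheels

# Application code stays root-owned (world-readable, not writable by auth),
# so a compromised worker cannot rewrite its own code.
COPY --chown=root:root . /app

# Non-secret defaults only; POSTGRES_PASSWORD, SECRET_KEY and
# LOGINGOV_PRIVATE_KEY are injected from Kubernetes Secrets at runtime.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    FLASK_ENV=production \
    SESSION_COOKIE_SECURE=true \
    SESSION_COOKIE_HTTPONLY=true \
    SESSION_COOKIE_SAMESITE=Lax

EXPOSE 8080
USER auth:auth

# The slim image has no curl; probe /health with the standard library instead.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD python -c "import sys, urllib.request; \
sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8080/health', timeout=2).status == 200 else 1)"

# Exec form: Gunicorn is PID 1 and receives SIGTERM directly from the kubelet.
CMD ["gunicorn", "--bind", "0.0.0.0:8080", "--workers", "4", "--threads", "2", \
     "--access-logfile", "-", "--error-logfile", "-", "openmaps_auth.wsgi:app"]
```

A quick check that the final image matches the "no build tools" claim is to run `docker run --rm --entrypoint sh openmaps-auth:local -c 'command -v gcc || echo no-gcc; id'`, which should print no-gcc and uid=999(auth); dropping gcc and the -dev headers in the runtime stage is what keeps the attack surface and the image size down.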

@omarfq-maxar omarfq-maxar changed the title FDMAP-134 FDMAP-1349: Decouple Repositories & Build New Docker Images Nov 18, 2025
- .python-version: Simplify from virtualenv name to version number (3.10.9)
  for Docker build compatibility

- backends.py: Add redirect_uri to auth_complete_params for OAuth token
  exchange, required by Login.gov OIDC provider. Add info-level logging
  for authentication flow debugging.