
Add Dockerfile #28

Open

TheFrozenFire wants to merge 2 commits into develop

Conversation

@TheFrozenFire commented Apr 16, 2024

User description

Change description

Add a Dockerfile so that duplo-jit can be easily built and run in a container instead of on the host machine. This minimizes the need to trust the security of the duplo-jit codebase in obtaining JIT tokens.

Example ~/.aws/config:

[profile duplo]
region=us-west-2
credential_process=docker run duplo-jit aws --admin --host https://<environment>.duplocloud.net --token ...

Type of change

  • Bug fix (fixes an issue)
  • New feature (adds functionality)

Checklists

Development

  • Pull requests may not be submitted to the master branch (use develop instead) - or they will be closed.
  • Lint rules pass locally
  • Application changes have been tested thoroughly
  • Automated tests covering modified code pass

Security

  • Security impact of change has been considered
  • Code follows company security practices and guidelines

Code review

  • Pull request has a descriptive title and context useful to a reviewer.
  • "Ready for review" label attached and reviewers assigned
  • Changes have been reviewed by at least one other contributor
  • Pull request linked to task tracker where applicable

Type

enhancement


Description

  • Introduced a Dockerfile to containerize duplo-jit, facilitating deployment and minimizing host machine dependencies.
  • Compilation of the application is handled in a golang:latest builder image, ensuring a clean, reproducible build environment.
  • The final image is based on debian:stable-slim, with ca-certificates installed, ensuring minimal size and secure connections.
  • The duplo-jit and duplo-aws-credential-process binaries are copied to the final image, with duplo-jit set as the entrypoint.

Changes walkthrough

Relevant files

Enhancement: Dockerfile (+15/-0), "Add Dockerfile for Containerized Deployment"

  • Use golang:latest as the builder image to compile the application.
  • Copy the application code into the builder image and compile it using make.
  • Use debian:stable-slim as the final image for a smaller footprint.
  • Install ca-certificates in the final image to ensure HTTPS connections can be established.
  • Copy the compiled duplo-jit and duplo-aws-credential-process binaries from the builder to the final image.
  • Set duplo-jit as the entrypoint of the container.

PR-Agent usage: comment /help on the PR to get a list of all available PR-Agent tools and their descriptions.

Quality Gate failed

Failed conditions: 3 Security Hotspots

See analysis details on SonarCloud

qodo-merge-pro bot added the "enhancement" (New feature or request) label on Apr 16, 2024

Contributor

PR Description updated to latest commit (a54a55e)

Contributor
PR Review

⏱️ Estimated effort to review [1-5]

2, because the PR is straightforward, involving the addition of a Dockerfile for containerization of an application. The Dockerfile is simple and follows common patterns for multi-stage builds. However, ensuring the Dockerfile correctly builds and runs the application requires some domain-specific knowledge and testing.

🧪 Relevant tests

No

🔍 Possible issues

Possible Optimization: Using a specific version of the golang image instead of latest to ensure reproducible builds.

Possible Security Concern: The final image is based on debian:stable-slim but does not update packages at runtime, which might leave the image vulnerable to known issues fixed after the image was built.

🔒 Security concerns

No explicit security concerns are introduced in the PR code itself, but the practice of using latest tags for base images and not updating the base image's packages at runtime could potentially introduce vulnerabilities.

Code feedback:

Relevant file: Dockerfile
Relevant line: FROM golang:latest AS builder
Suggestion: Consider pinning the golang image to a specific version instead of using latest. This ensures that the build environment is consistent and reproducible across different builds and environments. For example, use golang:1.18 instead of golang:latest. [important]

Relevant file: Dockerfile
Relevant line: FROM debian:stable-slim
Suggestion: It's a good practice to periodically update the base image and packages within your Dockerfile to catch any security updates. Consider adding a step to update packages in the debian:stable-slim image, or use a base image that is regularly updated for security patches. [medium]

✨ Review tool usage guide:

Overview:
The review tool scans the PR code changes, and generates a PR review which includes several types of feedback, such as possible PR issues, security threats and relevant tests in the PR. More feedback can be added by configuring the tool.

The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.

• When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:
/review --pr_reviewer.some_config1=... --pr_reviewer.some_config2=...

[pr_reviewer]
some_config1=...
some_config2=...

See the review usage page for a comprehensive guide on using this tool.
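As an added example, not code from this PR or from the duplo-jit project: the shell script below reconstructs the multi-stage Dockerfile as the walkthrough above describes it, places it beside a variant that applies the two review suggestions (a pinned builder image and a package upgrade in the runtime stage) plus a non-root USER, and runs a small awk-based audit over both that flags unpinned FROM lines, a final stage without apt-get upgrade, and a final stage that never drops root. The WORKDIR, the binary paths, the Go version 1.22 and the sha256 digests are assumptions; the digests are placeholders to be replaced with the values docker pull prints.

```shell
#!/bin/sh
# Added example, not code from PR #28 or from duplo-jit. It turns the two
# review findings (unpinned golang:latest, no package upgrade in the runtime
# stage) plus a missing non-root USER into an audit that can run in CI, and
# shows the Dockerfile as described next to a hardened variant. Both
# Dockerfiles are reconstructed here: WORKDIR, binary paths, Go version and
# digests are assumptions.

# Constructed: the build as the PR walkthrough describes it.
DOCKERFILE_AS_DESCRIBED='FROM golang:latest AS builder
WORKDIR /src
COPY . .
RUN make

FROM debian:stable-slim
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /src/duplo-jit /usr/local/bin/duplo-jit
COPY --from=builder /src/duplo-aws-credential-process /usr/local/bin/duplo-aws-credential-process
ENTRYPOINT ["duplo-jit"]'

# Constructed: the same build with the review suggestions applied. The
# <...-digest> values are placeholders for the digests "docker pull" prints.
DOCKERFILE_HARDENED='FROM golang:1.22@sha256:<builder-digest> AS builder
WORKDIR /src
COPY . .
RUN make

FROM debian:stable-slim@sha256:<runtime-digest>
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /src/duplo-jit /usr/local/bin/duplo-jit
COPY --from=builder /src/duplo-aws-credential-process /usr/local/bin/duplo-aws-credential-process
USER nobody
ENTRYPOINT ["duplo-jit"]'

# audit_dockerfile: reads Dockerfile text on stdin, prints one finding per line.
# Checks: every FROM is pinned (a tag other than latest, or any @sha256 digest);
# the last stage, the one that ships, runs "apt-get upgrade" and sets a
# non-root USER. RUN continuation lines (trailing backslash) are followed.
audit_dockerfile() {
  awk '
    toupper($1) == "FROM" {
      stage++
      img = ""
      for (i = 2; i <= NF; i++) if ($i !~ /^--/) { img = $i; break }   # skip --platform=...
      if (index(img, "@sha256:") == 0) {
        m = split(img, path, "/"); last = path[m]        # drop registry:port/ prefix
        n = split(last, parts, ":")                      # tag is after the last colon
        if (n == 1 || parts[n] == "latest")
          print "stage " stage ": base image not pinned: " img
      }
    }
    toupper($1) == "RUN" || in_run {
      if ($0 ~ /apt-get +upgrade/) has_upgrade[stage] = 1
    }
    toupper($1) == "USER" && $2 != "root" && $2 != "0" { has_user[stage] = 1 }
    { in_run = (toupper($1) == "RUN" || in_run) && ($0 ~ /\\$/) }
    END {
      if (!has_upgrade[stage]) print "stage " stage ": no apt-get upgrade, ships the base snapshot of packages"
      if (!has_user[stage]) print "stage " stage ": no non-root USER, the entrypoint runs as root"
    }
  '
}

# count_findings DOCKERFILE_TEXT: number of findings, usable as a CI gate value.
count_findings() {
  printf '%s\n' "$1" | audit_dockerfile | awk 'END { print NR }'
}

echo "== as described =="
printf '%s\n' "$DOCKERFILE_AS_DESCRIBED" | audit_dockerfile
echo "== hardened =="
printf '%s\n' "$DOCKERFILE_HARDENED" | audit_dockerfile
```

The audit prints three findings for the first Dockerfile and none for the second. The tag check only catches a missing tag or latest, so a moving tag such as stable-slim passes it; pinning the runtime image by digest is what makes the build reproducible, and a scheduled rebuild against a refreshed digest is what keeps the shipped packages patched.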
