# Multi-stage build using Red Hat Hummingbird's secure Node.js base image
FROM quay.io/hummingbird/nodejs:latest-builder AS builder
# Install OpenSSL for certificate generation
USER root
RUN dnf install -y openssl
# Set working directory and change ownership
WORKDIR /app
RUN chown -R 65532:0 /app
# Switch to non-root user
USER 65532
# Copy local source code instead of cloning from GitHub
COPY --chown=65532:0 package*.json ./
COPY --chown=65532:0 . .
# Install dependencies (set npm cache to writable location)
RUN npm ci --only=production --cache=/app/.npm
# Generate SSL certificates for HTTPS server
RUN mkdir -p cert && \
openssl req -x509 -newkey rsa:4096 -keyout cert/localhost.key -out cert/localhost.crt -days 365 -nodes \
-subj "/C=US/ST=Local/L=Local/O=Local/OU=Local/CN=localhost"
# Production stage using minimal Hummingbird image
FROM quay.io/hummingbird/nodejs:latest
# Set working directory
WORKDIR /app
# Copy application files and dependencies from builder stage
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package.json ./package.json
COPY --from=builder /app/index.js ./index.js
COPY --from=builder /app/auth.js ./auth.js
COPY --from=builder /app/mcp.json ./mcp.json
COPY --from=builder /app/mcp-server.js ./mcp-server.js
COPY --from=builder /app/tools ./tools
COPY --from=builder /app/thrift ./thrift
COPY --from=builder /app/cert ./cert
# Expose the HTTPS port
EXPOSE 3443
# Set environment variables
ENV NODE_ENV=production
# Health check - using root endpoint (/) to match the actual server route
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
CMD /usr/bin/node -e "const https = require('https'); const options = { hostname: 'localhost', port: 3443, path: '/', method: 'GET', rejectUnauthorized: false }; const req = https.request(options, (res) => { process.exit(res.statusCode === 200 ? 0 : 1); }); req.on('error', () => process.exit(1)); req.end();"
# Start the application
ENTRYPOINT ["/usr/bin/node"]
CMD ["index.js"]
