# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# Multi-stage Containerfile for deploying the Genkit endpoints sample
# (REST + gRPC).
#
# Uses a distroless runtime image for a minimal, secure production image:
# - No shell, no package manager, no OS utilities
# - Runs as non-root by default (:nonroot tag, uid 65534)
# - ~50 MB base vs ~150 MB for python:3.13-slim
#
# The builder stage uses python:3.13-slim so that the installed
# site-packages (including C extensions) are binary-compatible with the
# distroless runtime, which ships Debian 13 (trixie) Python 3.13.
#
# Usage (podman preferred, docker also works):
# podman build -f Containerfile -t genkit-endpoints .
# podman run -p 8080:8080 -p 50051:50051 -e GEMINI_API_KEY=<key> genkit-endpoints
#
# To use python:3.13-slim as the runtime instead (larger but includes a
# shell for debugging):
# Replace the runtime FROM line below with:
# FROM python:3.13-slim AS runtime
# And replace the CMD line with:
# ENTRYPOINT ["python3", "-m", "src"]
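# ── Builder ──────────────────────────────────────────────────────────
# Install dependencies into a virtual environment using uv.
# Python 3.13 is used here to match the distroless runtime version.

# Image that supplies the uv binary. The default keeps the previous
# behaviour (the mutable :latest tag), which means two builds of the same
# commit can pull different uv releases. Release builds should pass an
# immutable reference instead, for example:
#   --build-arg UV_IMAGE=ghcr.io/astral-sh/uv:<version>@sha256:<digest>
# The ARG is declared before the first FROM so it can be used in a FROM line.
ARG UV_IMAGE=ghcr.io/astral-sh/uv:latest
FROM ${UV_IMAGE} AS uv

# NOTE(review): python:3.13-slim is a floating tag as well; pin it by digest
# if builds must be reproducible.
FROM python:3.13-slim AS builder
WORKDIR /app

# Install uv for fast dependency resolution. Only the binary is taken from
# the uv stage; nothing else from that image reaches the builder.
COPY --from=uv /uv /usr/local/bin/uv

# Copy only the dependency file first for better layer caching.
COPY pyproject.toml ./

# Install dependencies into a virtual environment.
# No lock file is copied in, so versions are resolved at build time within
# whatever ranges pyproject.toml allows.
RUN uv venv /app/.venv && \
    uv pip install --python /app/.venv/bin/python -r pyproject.toml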
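# ── Runtime (distroless) ─────────────────────────────────────────────
# gcr.io/distroless/python3-debian13:nonroot provides:
# - Python 3.13 runtime (Debian 13 trixie, same as the builder)
# - No shell, no package manager, no setuid binaries
# - A non-root default user. Upstream distroless defines `nonroot` as
#   uid 65532 (65534 is `nobody`); confirm with `podman image inspect`
#   before hard-coding a runAsUser value in a deployment manifest.
# NOTE(review): the tag is mutable; pin by digest for reproducible builds.
# The stage is named so it can be selected with --target and so it matches
# the "AS runtime" alternative described in the file header.
FROM gcr.io/distroless/python3-debian13:nonroot AS runtime
WORKDIR /app

# Prevent Python from writing .pyc files and enable unbuffered
# stdout/stderr so logs appear immediately in Cloud Logging /
# container logs.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Copy installed packages from the builder's virtual environment.
# Only site-packages is copied; the venv's interpreter and uv stay behind.
COPY --from=builder /app/.venv/lib/python3.13/site-packages /app/site-packages

# Copy application code, prompt files, proto definitions, and gunicorn config.
# No --chown is given, so these files stay root-owned and the non-root
# runtime user cannot modify its own code.
COPY src/ ./src/
COPY prompts/ ./prompts/
COPY protos/ ./protos/
COPY gunicorn.conf.py ./

# Make installed packages discoverable by Python.
ENV PYTHONPATH="/app/site-packages"

# Cloud Run / App Engine set PORT; default to 8080.
# No credentials are set in the image; the usage example in the file header
# supplies GEMINI_API_KEY at run time with -e.
ENV PORT=8080 \
    GRPC_PORT=50051

# Documentation only. Both ports are above 1024, so the non-root user can
# bind them without extra capabilities.
EXPOSE 8080 50051

# The distroless image sets ENTRYPOINT to python3.
# Pass "-m src" via CMD to run the application package.
CMD ["-m", "src"]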