Docker container with flask + gunicorn

Author: nanomad

.github/workflows/build_dev_images.yml

@@ -0,0 +1,72 @@
+name: 'build dev images'
+
+on:
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
+
+# TODO: only request needed permissions
+permissions: write-all
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    env:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+      # support dockerhub organizations. If none is present, use the dockerhub username
+      DOCKERHUB_ORGANIZATION: ${{ secrets.DOCKERHUB_ORGANIZATION == null && secrets.DOCKERHUB_USERNAME || secrets.DOCKERHUB_ORGANIZATION }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set env
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        if: env.DOCKERHUB_USERNAME != null
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_PASSWORD }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - id: lowercase-repository
+        name: lowercase repository
+        uses: ASzc/change-string-case-action@v6
+        with:
+          string: ${{ github.repository }}
+
+      - name: Build and push (GHCR only)
+        uses: docker/build-push-action@v5
+        if: env.DOCKERHUB_ORGANIZATION == null
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:dev
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:${{ env.RELEASE_VERSION }}
+
+      - name: Build and push (GHCR + DockerHub)
+        uses: docker/build-push-action@v5
+        if: env.DOCKERHUB_ORGANIZATION != null
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:dev
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:${{ env.RELEASE_VERSION }}
+            ${{ secrets.DOCKERHUB_ORGANIZATION != null && format('{0}/saic-python-api-proxy:dev', secrets.DOCKERHUB_ORGANIZATION)}}
+            ${{ secrets.DOCKERHUB_ORGANIZATION != null && format('{0}/saic-python-api-proxy:{1}', secrets.DOCKERHUB_ORGANIZATION, env.RELEASE_VERSION)}}

.github/workflows/build_stable_images.yml

@@ -0,0 +1,72 @@
+name: 'build stable images'
+
+on:
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+
+# TODO: only request needed permissions
+permissions: write-all
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    env:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+      # support dockerhub organizations. If none is present, use the dockerhub username
+      DOCKERHUB_ORGANIZATION: ${{ secrets.DOCKERHUB_ORGANIZATION == null && secrets.DOCKERHUB_USERNAME || secrets.DOCKERHUB_ORGANIZATION }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set env
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        if: env.DOCKERHUB_USERNAME != null
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_PASSWORD }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - id: lowercase-repository
+        name: lowercase repository
+        uses: ASzc/change-string-case-action@v6
+        with:
+          string: ${{ github.repository }}
+
+      - name: Build and push (GHCR only)
+        uses: docker/build-push-action@v5
+        if: env.DOCKERHUB_ORGANIZATION == null
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:latest
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:${{ env.RELEASE_VERSION }}
+
+      - name: Build and push (GHCR + DockerHub)
+        uses: docker/build-push-action@v5
+        if: env.DOCKERHUB_ORGANIZATION != null
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:latest
+            ghcr.io/${{ steps.lowercase-repository.outputs.lowercase }}/saic-python-api-proxy:${{ env.RELEASE_VERSION }}
+            ${{ secrets.DOCKERHUB_ORGANIZATION != null && format('{0}/saic-python-api-proxy:latest', secrets.DOCKERHUB_ORGANIZATION)}}
+            ${{ secrets.DOCKERHUB_ORGANIZATION != null && format('{0}/saic-python-api-proxy:{1}', secrets.DOCKERHUB_ORGANIZATION, env.RELEASE_VERSION)}}

Dockerfile

@@ -0,0 +1,62 @@
+# `python-base` sets up all our shared environment variables
+FROM python:3.12-slim as python-base
+
+    # python
+ENV PYTHONUNBUFFERED=1 \
+    # prevents python creating .pyc files
+    PYTHONDONTWRITEBYTECODE=1 \
+    \
+    # pip
+    PIP_NO_CACHE_DIR=off \
+    PIP_DISABLE_PIP_VERSION_CHECK=on \
+    PIP_DEFAULT_TIMEOUT=100 \
+    \
+    # poetry
+    # https://python-poetry.org/docs/configuration/#using-environment-variables
+    POETRY_VERSION=1.8.3 \
+    # make poetry install to this location
+    POETRY_HOME="/opt/poetry" \
+    # make poetry create the virtual environment in the project's root
+    # it gets named `.venv`
+    POETRY_VIRTUALENVS_IN_PROJECT=true \
+    # do not ask any interactive question
+    POETRY_NO_INTERACTION=1 \
+    \
+    # paths
+    # this is where our requirements + virtual environment will live
+    PYSETUP_PATH="/opt/pysetup" \
+    VENV_PATH="/opt/pysetup/.venv"
+
+
+# prepend poetry and venv to path
+ENV PATH="$POETRY_HOME/bin:$VENV_PATH/bin:$PATH"
+
+
+# `builder-base` stage is used to build deps + create our virtual environment
+FROM python-base as builder-base
+RUN apt-get update \
+    && apt-get install --no-install-recommends -y \
+        # deps for installing poetry
+        curl \
+        # deps for building python deps
+        build-essential
+
+# install poetry - respects $POETRY_VERSION & $POETRY_HOME
+RUN curl -sSL https://install.python-poetry.org | python
+
+# copy project requirement files here to ensure they will be cached.
+WORKDIR $PYSETUP_PATH
+COPY poetry.lock pyproject.toml ./
+
+# install runtime deps - uses $POETRY_VIRTUALENVS_IN_PROJECT internally
+RUN poetry install --no-dev
+
+
+FROM python-base as production
+ENV FLASK_ENV=production
+COPY --from=builder-base $PYSETUP_PATH $PYSETUP_PATH
+COPY . /app/
+WORKDIR /app
+
+EXPOSE 8080
+CMD ["gunicorn", "--bind", "0.0.0.0:8080", "main:app"]

README.md

@@ -1,2 +1,11 @@
 # saic-python-api-proxy
+
 A python based API proxy for the new SAIC API to allow sharing the same access token across multiple applications
+
+## Configuration
+
+| ENV variable   | Description                                                                                            |
+|----------------|--------------------------------------------------------------------------------------------------------|
+| SAIC_REST_URI  | SAIC API URI. Default is the European Production endpoint: https://gateway-mg-eu.soimt.com/api.app/v1/ |
+| SAIC_REGION    | SAIC API region. Default is eu.                                                                        |
+| SAIC_TENANT_ID | SAIC API tenant ID. Default is 459771.                                                                 |

api.py

@@ -0,0 +1,32 @@
+from flask import Blueprint
+
+from proxy import passthrough, proxy_login
+
+api = Blueprint('api', __name__, url_prefix='/api.app/v1')
+
+
+@api.route('/', defaults={'path': ''})
+@api.route('/<path:path>', methods=['GET'])
+async def do_get(path):
+    return await passthrough(path=path)
+
+
+@api.route('/', defaults={'path': ''}, methods=['POST'])
+@api.route('/<path:path>', methods=['POST'])
+async def do_post(path):
+    if path == 'oauth/token':
+        return await proxy_login(path=path)
+    else:
+        return await passthrough(path=path)
+
+
+@api.route('/', defaults={'path': ''}, methods=['DELETE'])
+@api.route('/<path:path>', methods=['DELETE'])
+async def do_delete(path):
+    return await passthrough(path=path)
+
+
+@api.route('/', defaults={'path': ''}, methods=['PUT'])
+@api.route('/<path:path>', methods=['PUT'])
+async def do_put(path):
+    return await passthrough(path=path)

default_settings.py

@@ -0,0 +1,17 @@
+from flask import Config
+
+SAIC_REST_URI = 'https://gateway-mg-eu.soimt.com/api.app/v1/'
+SAIC_REGION = 'eu'
+SAIC_TENANT_ID = '459771'
+
+
+def get_api_uri(config: Config) -> str:
+    return config.get('SAIC_REST_URI')
+
+
+def get_region(config: Config) -> str:
+    return config.get('SAIC_REGION')
+
+
+def get_tenant_id(config: Config) -> str:
+    return config.get('SAIC_TENANT_ID')

docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  saic-python-api-proxy:
+    build:
+      context: .
+    image: "saicismartapi/saic-python-api-proxy:latest"
+    container_name: "saic-python-api-proxy"
+    ports:
+      - "8080:8080"
+    environment:
+      - SAIC_REST_URI=${SAIC_REST_URI}
+      - SAIC_REGION=${SAIC_REGION}
+      - SAIC_TENANT_ID=${SAIC_TENANT_ID}