# organization-controller — slice C1 of EPIC-0 #1095.
#
# A Catalyst-built Go binary that reconciles Organization CRs into
# vCluster + Keycloak group + Gitea Org + base RBAC. Per
# docs/INVIOLABLE-PRINCIPLES.md the image is statically compiled
# (CGO_ENABLED=0), runs as a non-root numeric UID, and its runtime
# layer adds nothing beyond the binary + the CA bundle (plus tzdata)
# on top of the alpine base.
#
# Build context: this Containerfile is invoked with the repository ROOT
# as the build context.
#
# Slice CC1 (#1095) consolidated the 5 Group C controllers under a
# single shared go.mod at core/controllers/go.mod and shared helpers
# under core/controllers/internal/. The COPY layout below mirrors that.
#
# Two image stages (the "Stage N" comments below number build steps,
# not image stages):
#   build  — golang:1.23-alpine
#   final  — alpine:3.20 minimal runtime (CA certs + tzdata + the binary)

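FROM docker.io/library/golang:1.23-alpine AS build
# NOTE(review): the floating minor tag resolves to whatever the registry
# serves at build time; for a reproducible supply chain pin it by digest
# (`golang:1.23-alpine@sha256:...`) and bump deliberately.
WORKDIR /workspace/core/controllers

# Stage 1: warm the module cache from the shared go.mod/go.sum only, so
# this layer stays cached until the dependency set itself changes.
# go.sum pins every module hash; a mismatch fails `go mod download`.
COPY core/controllers/go.mod core/controllers/go.sum ./
RUN go mod download

# Stage 2: copy only the source trees the org-controller imports.
WORKDIR /workspace
COPY core/controllers/internal /workspace/core/controllers/internal
# Slice CC2 (#1095) consolidated the gitea HTTP client + render +
# validate helpers under core/controllers/pkg. The org-controller
# imports github.com/openova-io/openova/core/controllers/pkg/gitea —
# without this COPY the `go build` step fails with `no required module
# provides package github.com/openova-io/openova/core/controllers/pkg/gitea`.
# qa-loop iter-8 Fix #42 follow-up: latent bug in the bot-generated
# Containerfile (PR #1252's first build surfaced it).
COPY core/controllers/pkg /workspace/core/controllers/pkg
COPY core/controllers/organization /workspace/core/controllers/organization

# Stage 3: static build.
#   CGO_ENABLED=0  — pure-Go binary, no libc dependency in the final image.
#   -trimpath      — strips build-host paths from the binary, so builds are
#                    reproducible and the workspace layout does not leak.
#   -ldflags -s -w — drop the symbol and DWARF tables.
# TARGETARCH is populated automatically by BuildKit/Buildah for the
# requested --platform; when it is unset (classic builder) GOARCH is
# empty and Go falls back to the build host's arch, i.e. the previous
# behaviour.
ARG TARGETARCH
WORKDIR /workspace/core/controllers/organization
RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build \
    -trimpath \
    -ldflags="-s -w" \
    -o /organization-controller ./cmd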

# Final stage: minimal runtime on alpine.
FROM docker.io/library/alpine:3.20
# Runtime packages only: the CA bundle (presumably for outbound TLS to
# Keycloak/Gitea/the API server) and zoneinfo (presumably so named time
# zones resolve without an embedded tzdata — confirm with the binary).
# NOTE(review): hadolint DL3018 — pin both to explicit apk versions
# (pkg=x.y.z-rN) and consider digest-pinning the base for reproducibility.
RUN apk add --no-cache \
        ca-certificates \
        tzdata

# Documentation only; the chart's Service/Deployment does the real port
# wiring. Both ports are above 1024, so the non-root UID can bind them
# without extra capabilities.
EXPOSE 8080 8081

# COPY without --chown leaves the binary root-owned, so the runtime UID
# below cannot modify it.
COPY --from=build /organization-controller /organization-controller

# Alpine 3.20 already ships UID/GID 65534 as `nobody`. The numeric form
# is what runAsNonRoot=true + runAsUser=65534 in the chart's Deployment
# checks, with no /etc/passwd lookup required.
USER 65534:65534

ENTRYPOINT ["/organization-controller"]
