From e004be22e354fe7cfd3c45659e67a0592b302729 Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 4 Mar 2025 23:55:13 +0530
Subject: [PATCH] feat: updated docker image and resolved build error
---
 Dockerfile.standalone-infisical | 67 ++++++++++++++++----------------
 backend/src/lib/gateway/index.ts | 30 +++++++-------
 2 files changed, 47 insertions(+), 50 deletions(-)
diff --git a/Dockerfile.standalone-infisical b/Dockerfile.standalone-infisical
index 9cb479d777..7da4a6caf0 100644
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@@ -3,13 +3,10 @@ ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
-FROM node:20-alpine AS base
+FROM node:20-slim AS base
 FROM base AS frontend-dependencies
-# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
-RUN apk add --no-cache libc6-compat
-
 WORKDIR /app
 COPY frontend/package.json frontend/package-lock.json ./
@@ -45,8 +42,8 @@ RUN npm run build
 FROM base AS frontend-runner
 WORKDIR /app
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
@@ -56,21 +53,23 @@ USER non-root-user
 ## BACKEND ##
 FROM base AS backend-build
-RUN addgroup --system --gid 1001 nodejs \
- && adduser --system --uid 1001 non-root-user
 WORKDIR /app
 # Install all required dependencies for build
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
 python3 \
 make \
 g++ \
 unixodbc \
- freetds \
+ freetds-bin \
 unixodbc-dev \
 libc-dev \
- freetds-dev
+ freetds-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 COPY backend/package*.json ./
 RUN npm ci --only-production
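Review bot: `FROM node:20-slim AS base` selects a mutable tag, so each rebuild can resolve to a different image and a build that works today is not reproducible later; pinning the digest, `FROM node:20-slim@sha256:<DIGEST-PLACEHOLDER> AS base`, makes the base immutable and lets the tag be bumped deliberately. The previous `node:20-alpine` line had the same weakness, so this is not a regression introduced here, but the swap is the natural place to fix it.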
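Review bot: The new `RUN apt-get update && apt-get install -y \` pulls in Recommends for every listed package, which on Debian adds packages nobody asked for to the build stage; `RUN apt-get update && apt-get install -y --no-install-recommends \` limits the stage to the packages actually named. The same line appears in the backend-runner hunk at @@ -86 and the production hunk at @@ -109, where it matters more because those layers ship in the final image. The `rm -rf /var/lib/apt/lists/*` cleanup is the right companion and is already in place.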
@@ -86,18 +85,19 @@ FROM base AS backend-runner
 WORKDIR /app
 # Install all required dependencies for runtime
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
 python3 \
 make \
 g++ \
 unixodbc \
- freetds \
+ freetds-bin \
 unixodbc-dev \
 libc-dev \
- freetds-dev
+ freetds-dev \
+ && rm -rf /var/lib/apt/lists/*
 # Configure ODBC
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 COPY backend/package*.json ./
 RUN npm ci --only-production
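Review bot: The new odbcinst.ini points at `/usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so` and `libtdsS.so`, but none of the packages installed just above provide those files: on Debian the FreeTDS ODBC driver ships in `tdsodbc`, while `freetds-bin` and `freetds-dev` hold the client tools and headers, so as far as I can tell the driver entry references a file that does not exist until the first MSSQL connection fails. Adding `tdsodbc \` to the install list and registering the driver from the package's own template, `RUN odbcinst -i -d -f /usr/share/tdsodbc/odbcinst.ini`, would also remove the hard-coded x86_64 multiarch path, which breaks arm64 builds of node:20-slim where the library lives under aarch64-linux-gnu. The production hunk at @@ -109 writes the same printf and has the same problem; please verify the package name and template path against the Debian release the image is based on.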
@@ -109,34 +109,35 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
-RUN apk add --upgrade --no-cache ca-certificates
-RUN apk add --no-cache bash curl && curl -1sLf \
- 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
- && apk add infisical=0.31.1 && apk add --no-cache git
-
-WORKDIR /
-
-# Install all required runtime dependencies
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
+ ca-certificates \
+ bash \
+ curl \
+ git \
 python3 \
 make \
 g++ \
 unixodbc \
- freetds \
+ freetds-bin \
 unixodbc-dev \
 libc-dev \
 freetds-dev \
- bash \
- curl \
- git \
- openssh
+ openssh-client \
+ && rm -rf /var/lib/apt/lists/*
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+ && apt-get update && apt-get install -y infisical=0.31.1 \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
 # Configure ODBC in production
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 # Setup user permissions
-RUN addgroup --system --gid 1001 nodejs \
- && adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs \
+ && useradd --system --uid 1001 --gid nodejs non-root-user
 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
@@ -154,9 +155,7 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
-
 COPY --from=backend-runner /app /backend
-
 COPY --from=frontend-runner /app ./backend/frontend-build
 ARG INFISICAL_PLATFORM_VERSION
diff --git a/backend/src/lib/gateway/index.ts b/backend/src/lib/gateway/index.ts
index 7fe65d67f6..a6cf76f185 100644
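Review bot: The production stage's new `apt-get install -y` line installs a full compiler toolchain (`python3`, `make`, `g++`) plus `unixodbc-dev`, `libc-dev` and `freetds-dev`, although `/backend` is copied already built from backend-runner in the @@ -154 hunk; unless a native module is rebuilt at container start, these can be dropped from the production list so the shipped image carries no compiler or headers. The pinned `infisical=0.31.1` is good, and adding `--no-install-recommends` to both `apt-get install` lines in this hunk keeps the remaining runtime list minimal.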
--- a/backend/src/lib/gateway/index.ts
+++ b/backend/src/lib/gateway/index.ts
@@ -1,9 +1,7 @@
 /* eslint-disable no-await-in-loop */
 import crypto from "node:crypto";
 import net from "node:net";
-
-import { QUICClient } from "@infisical/quic";
-import { CryptoError } from "@infisical/quic/dist/native";
+import quic from "@infisical/quic";
 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -29,7 +27,7 @@ const createQuicConnection = async (
 identityId: string,
 orgId: string
 ) => {
- const client = await QUICClient.createQUICClient({
+ const client = await quic.QUICClient.createQUICClient({
 host: relayHost,
 port: relayPort,
 config: {
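Review bot: `import quic from "@infisical/quic";` replaces two named imports, one of which came from the `@infisical/quic/dist/native` subpath, with a default import that is then read as `quic.QUICClient` and `quic.native.CryptoError`; it is worth confirming that the package's root entry actually exposes `native`, and that the default binding is a real default export rather than one synthesised by `esModuleInterop` from `module.exports`, since the latter keeps working only while that compiler option stays on. If the root export is a plain CommonJS object, `import * as quic from "@infisical/quic";` states that dependency explicitly.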
@@ -39,24 +37,24 @@ const createQuicConnection = async (
 applicationProtos: ["infisical-gateway"],
 verifyPeer: true,
 verifyCallback: async (certs) => {
- if (!certs || certs.length === 0) return CryptoError.CertificateRequired;
+ if (!certs || certs.length === 0) return quic.native.CryptoError.CertificateRequired;
 const serverCertificate = new crypto.X509Certificate(Buffer.from(certs[0]));
 const caCertificate = new crypto.X509Certificate(tlsOptions.ca);
 const isValidServerCertificate = serverCertificate.checkIssued(caCertificate);
- if (!isValidServerCertificate) return CryptoError.BadCertificate;
+ if (!isValidServerCertificate) return quic.native.CryptoError.BadCertificate;
 const subjectDetails = parseSubjectDetails(serverCertificate.subject);
 if (subjectDetails.OU !== "Gateway" || subjectDetails.CN !== identityId || subjectDetails.O !== orgId) {
- return CryptoError.CertificateUnknown;
+ return quic.native.CryptoError.CertificateUnknown;
 }
 if (new Date() > new Date(serverCertificate.validTo) || new Date() < new Date(serverCertificate.validFrom)) {
- return CryptoError.CertificateExpired;
+ return quic.native.CryptoError.CertificateExpired;
 }
 const formatedRelayHost = process.env.NODE_ENV === "development" ? relayHost.replace("host.docker.internal", "127.0.0.1") : relayHost;
- if (!serverCertificate.checkIP(formatedRelayHost)) return CryptoError.BadCertificate;
+ if (!serverCertificate.checkIP(formatedRelayHost)) return quic.native.CryptoError.BadCertificate;
 },
 maxIdleTimeout: 90000,
 keepAliveIntervalTime: 30000
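Review bot: `serverCertificate.checkIssued(caCertificate)` only establishes that the leaf names the CA as its issuer (subject/issuer name and key-identifier matching, per the Node and OpenSSL documentation); it does not verify the leaf's signature, so the OU/CN/O and date checks that follow are not cryptographically bound to `tlsOptions.ca`. Add a signature check right after the issuer check, `if (!serverCertificate.verify(caCertificate.publicKey)) return quic.native.CryptoError.BadCertificate;`, so that a presented certificate must actually have been signed by the configured CA. The callback also inspects only `certs[0]`, which is fine if the CA issues gateway certificates directly; if intermediates are ever introduced the chain will need to be walked. The enclosing `createQuicConnection` starts and ends outside this hunk.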
@@ -90,14 +88,14 @@ export const pingGatewayAndVerify = async ({
 orgId
 }: TPingGatewayAndVerifyDTO) => {
 let lastError: Error | null = null;
- const quic = await createQuicConnection(relayHost, relayPort, tlsOptions, identityId, orgId).catch((err) => {
+ const quicClient = await createQuicConnection(relayHost, relayPort, tlsOptions, identityId, orgId).catch((err) => {
 throw new BadRequestError({
 error: err as Error
 });
 });
 for (let attempt = 1; attempt <= maxRetries; attempt += 1) {
 try {
- const stream = quic.connection.newStream("bidi");
+ const stream = quicClient.connection.newStream("bidi");
 const pingWriter = stream.writable.getWriter();
 await pingWriter.write(Buffer.from("PING\n"));
 pingWriter.releaseLock();
@@ -131,7 +129,7 @@ export const pingGatewayAndVerify = async ({
 });
 }
 } finally {
- await quic.destroy();
+ await quicClient.destroy();
 }
 }
@@ -164,7 +162,7 @@ const setupProxyServer = async ({
 identityId: string;
 orgId: string;
 }): Promise => {
- const quic = await createQuicConnection(relayHost, relayPort, tlsOptions, identityId, orgId).catch((err) => {
+ const quicClient = await createQuicConnection(relayHost, relayPort, tlsOptions, identityId, orgId).catch((err) => {
 throw new BadRequestError({
 error: err as Error
@@ -179,7 +177,7 @@ const setupProxyServer = async ({
 clientConn.setKeepAlive(true, 30000); // 30 seconds
 clientConn.setNoDelay(true);
- const stream = quic.connection.newStream("bidi");
+ const stream = quicClient.connection.newStream("bidi");
 // Send FORWARD-TCP command
 const forwardWriter = stream.writable.getWriter();
 await forwardWriter.write(Buffer.from(`FORWARD-TCP ${targetHost}:${targetPort}\n`));
@@ -272,7 +270,7 @@ const setupProxyServer = async ({
 });
 server.on("close", async () => {
- await quic?.destroy();
+ await quicClient?.destroy();
 });
 /* eslint-enable */
@@ -291,7 +289,7 @@ const setupProxyServer = async ({
 port: address.port,
 cleanup: async () => {
 server.close();
- await quic?.destroy();
+ await quicClient?.destroy();
 }
 });