chore: use UBI 9

.dockerignore

@@ -2,9 +2,15 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+_http
+Dockerfile
+.dockerignore
+node_modules
+npm-debug.log
+README.md
+.next
 .git
 .gitignore
-/node_modules
 .vscode
 .github
-_http
+.idea

Dockerfile

@@ -1,72 +1,50 @@
 # SPDX-FileCopyrightText: 2024 PNED G.I.E.
 #
 # SPDX-License-Identifier: Apache-2.0
-FROM node:20-alpine AS base
+FROM registry.access.redhat.com/ubi9/nodejs-20-minimal:1-57 AS base
 
 # Install dependencies only when needed
 FROM base AS deps
-# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
-RUN apk add --no-cache libc6-compat
+USER 0
 WORKDIR /app
 
-# Install dependencies based on the preferred package manager
-COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
-RUN \
-  if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
-  elif [ -f package-lock.json ]; then npm ci; \
-  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile; \
-  else echo "Lockfile not found." && exit 1; \
-  fi
-
+# Install dependencies based on the available lock file
+COPY package.json ./
+COPY package-lock.json ./
+RUN  npm ci --ignore-scripts
 
 # Rebuild the source code only when needed
 FROM base AS builder
+USER 0
 WORKDIR /app
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
 
-# Next.js collects completely anonymous telemetry data about general usage.
-# Learn more here: https://nextjs.org/telemetry
-# Uncomment the following line in case you want to disable telemetry during the build.
+# Optional: Disable telemetry
 # ENV NEXT_TELEMETRY_DISABLED 1
 
-RUN \
-  if [ -f yarn.lock ]; then yarn run build; \
-  elif [ -f package-lock.json ]; then npm run build; \
-  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm run build; \
-  else echo "Lockfile not found." && exit 1; \
-  fi
+RUN npm run build
 
 # Production image, copy all the files and run next
 FROM base AS runner
+USER 0
 WORKDIR /app
 
 ENV NODE_ENV production
-# Uncomment the following line in case you want to disable telemetry during runtime.
+# Optional: Disable telemetry at runtime
 # ENV NEXT_TELEMETRY_DISABLED 1
 
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
-
 COPY --from=builder /app/src/public ./public
 
-# Set the correct permission for prerender cache
-RUN mkdir .next
-RUN chown nextjs:nodejs .next
-
-# Automatically leverage output traces to reduce image size
-# https://nextjs.org/docs/advanced-features/output-file-tracing
-COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
-COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+# Ensure no write permissions for executable directories
+COPY --from=builder --chown=1001:1001 /app/.next/standalone ./
+COPY --from=builder --chown=1001:1001 /app/.next/static ./.next/static
 
-USER nextjs
+USER 1001
 
 EXPOSE 3000
 
 ENV PORT 3000
-# set hostname to localhost
 ENV HOSTNAME "0.0.0.0"
 
-# server.js is created by next build from the standalone output
-# https://nextjs.org/docs/pages/api-reference/next-config-js/output
-CMD ["node", "server.js"]
+CMD ["node", "server.js"]

docker-compose.yml

@@ -8,15 +8,8 @@ services:
     build:
       context: .
     restart: unless-stopped
-    environment:
-      - NEXT_PUBLIC_CKAN_URL=https://ckan-test.healthdata.nl
-      - NEXT_PUBLIC_DAAM_URL=http://localhost:8080
-      - NEXTAUTH_URL=http://localhost:3000
-      - NEXTAUTH_SECRET=your-secret
-      - KEYCLOAK_CLIENT_ID=ckan
-      - KEYCLOAK_ISSUER_URL=https://keycloak-test.healthdata.nl/realms/ckan
-      - END_SESSION_URL=https://keycloak-test.healthdata.nl/realms/ckan/protocol/openid-connect/logout
-      - REFRESH_TOKEN_URL=https://keycloak-test.healthdata.nl/realms/ckan/protocol/openid-connect/token
+    env_file:
+      - .env.local
     healthcheck:
       test:
         [