# syntax=docker/dockerfile:1
# Build stage for getting Envoy binary
FROM envoyproxy/envoy:v1.34-latest AS envoy-binary

# Build stage for getting dumb-init
FROM debian:bookworm-slim AS dumb-init-builder
RUN apt-get update && apt-get install -y wget && wget -O /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 && chmod +x /usr/bin/dumb-init

# Build stage for getting SpiceDB binary
FROM authzed/spicedb:latest AS spicedb-binary

# Build stage for sparkle
FROM golang:1.24-alpine AS build
ENV CGO_ENABLED=0
WORKDIR /app
COPY . ./
RUN go build -mod=vendor -o /bin/sparkled ./cmd/sparkled/main.go
RUN go build -mod=vendor -o /bin/authzd ./cmd/authzd/main.go
WORKDIR /app/vendor/github.com/xlgmokha/minit
RUN go build -o /bin/minit main.go

# Final stage
FROM gcr.io/distroless/base-debian12:debug-nonroot
EXPOSE 10000
WORKDIR /
USER root
RUN ["/busybox/sh", "-c", "ln -s /busybox/sh /bin/sh"]
USER nonroot
COPY --from=dumb-init-builder /usr/bin/dumb-init /bin/dumb-init
COPY --from=envoy-binary /usr/local/bin/envoy /bin/envoy
COPY --from=spicedb-binary /usr/local/bin/spicedb /bin/spicedb
COPY --from=build /app/Procfile.production /Procfile
COPY --from=build /app/bin/envoy-shim /bin/envoy-shim
COPY --from=build /app/etc/envoy /etc/envoy
COPY --from=build /app/etc/authzd /etc/authzd
COPY --from=build /app/public /public
COPY --from=build /bin/authzd /bin/authzd
COPY --from=build /bin/minit /bin/minit
COPY --from=build /bin/sparkled /bin/sparkled

ENTRYPOINT ["/bin/dumb-init", "--"]
CMD ["/bin/minit", "-f", "/Procfile"]