feat(infra) Phase 7 A1 — Dockerfiles for Web and Api #220
Merged
src/PinballWizard.Web/Dockerfile:
- Multi-stage (sdk:10.0 → aspnet:10.0); non-root pinwiz user; port 8080
- Restore stage copies only csproj + props for layer cache; publish stage copies full src/. Separate restore + publish (no --no-restore) so that transitive packages not in CPM (e.g. Microsoft.Extensions.Telemetry.Abstractions) are resolved by the publish restore pass using the already-warm global cache.
- AzureAd placeholder GUIDs baked as ENV vars (Instance/TenantId/ClientId) to satisfy AddMicrosoftIdentityWebApp MergedOptionsValidation on anonymous routes without enabling real OIDC — same pattern as lighthouse.yml CI.
- ASPNETCORE_FORWARDEDHEADERS_ENABLED=true so ACA X-Forwarded-* headers are trusted (TLS terminated at the ACA ingress, not in the container).

src/PinballWizard.Api/Dockerfile:
- Same multi-stage structure; no Web.Client or AzureAd env vars needed.
- Internal ACA ingress (external=false) — only called by the Web app via Aspire service discovery within the ACA environment.

Smoke tested locally:
- docker build passes for both
- docker run pinwiz-web:smoke-test → GET /alive returns HTTP 200
Summary
Adds production Dockerfiles for PinballWizard.Web (Blazor Web App) and PinballWizard.Api (SSE/JSON host). These are the first step toward replacing the ACA placeholder images provisioned in PR #218 (A0).

Web Dockerfile
- mcr.microsoft.com/dotnet/aspnet:10.0 (not runtime — Kestrel required)
- --no-restore on publish: Microsoft.Extensions.Telemetry.Abstractions is a transitive dep of Microsoft.Extensions.Http.Resilience 10.5.0 not declared in CPM — --no-restore caused NETSDK1064; removing it lets publish do a fast re-verify against the already-warm global package cache
- lighthouse.yml CI; satisfies AddMicrosoftIdentityWebApp MergedOptionsValidation on anonymous routes without enabling real OIDC
- ASPNETCORE_FORWARDEDHEADERS_ENABLED=true — ACA terminates TLS at ingress; container receives plain HTTP
- pinwiz — GID/UID auto-assigned (not hardcoded) to avoid groupadd: GID already exists on the aspnet base image

Api Dockerfile
- services__pinwiz-api__http__0)

Smoke test

Next
A2 — deploy.yml GitHub Actions workflow (OIDC auth, az acr build, az containerapp update). Requires operator B3 (OIDC federated credential in Entra) before it can authenticate.

🤖 Generated with Claude Code
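
A pre-merge check for the hardening properties this PR describes (runtime-only final stage, non-root user, no credentials in ENV, forwarded-headers trust), added here as an example that is not part of the pull request or the project's code. The sample Dockerfile is constructed; its csproj path, `AzureAd__ClientId` variable name, `useradd` line and entrypoint are assumptions.

```python
import re

# Constructed sample mirroring the structure the PR describes. The csproj path,
# env var name, useradd line and entrypoint are assumptions, not project files.
SAMPLE = """\
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
COPY src/PinballWizard.Web/PinballWizard.Web.csproj src/PinballWizard.Web/
RUN dotnet restore src/PinballWizard.Web/PinballWizard.Web.csproj
COPY src/ src/
RUN dotnet publish src/PinballWizard.Web/PinballWizard.Web.csproj -o /app
FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS final
ENV ASPNETCORE_FORWARDEDHEADERS_ENABLED=true \\
    AzureAd__ClientId=00000000-0000-0000-0000-000000000000
RUN groupadd --system pinwiz && useradd --system --gid pinwiz pinwiz
COPY --from=build /app /app
EXPOSE 8080
USER pinwiz
ENTRYPOINT ["dotnet", "/app/PinballWizard.Web.dll"]
"""

def stages(text):
    """Split a Dockerfile into stages: one list of (INSTRUCTION, args) per FROM."""
    out = []
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():  # join continuations
        op, _, args = line.strip().partition(" ")
        if op.upper() == "FROM":
            out.append([])
        if out and op and not op.startswith("#"):
            out[-1].append((op.upper(), args.strip()))
    return out

def audit(text):
    """Return findings for the final stage, the only one that ships."""
    final = stages(text)[-1]
    findings = []
    if "/sdk:" in final[0][1].split()[0]:
        findings.append("final stage ships the SDK image")
    users = [a for op, a in final if op == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("container runs as root")
    env = " ".join(a for op, a in final if op == "ENV")
    for key in re.findall(r"(\S+?)=\S+", env):
        if re.search(r"secret|password|token", key, re.I):
            findings.append(f"credential baked into image: {key}")
    if re.search(r"ASPNETCORE_FORWARDEDHEADERS_ENABLED=true", env, re.I):
        # This switch makes the app accept X-Forwarded-* from any peer.
        findings.append("review: X-Forwarded-* trusted from any peer; "
                        "the ingress must stay the only network path")
    return findings
```

The placeholder client ID passes because only secret-like key names are flagged; the forwarded-headers entry is a review item rather than a failure, since the setting is sound only while the ACA ingress is the sole route to the container.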