get to prod tasks
75
tasks/web-production/15-docker-infra.md
Normal file
@@ -0,0 +1,75 @@
# 15. Docker & Infrastructure Optimization

meta:
id: web-production-15
feature: web-production
priority: P2
depends_on: []
tags: [infrastructure, docker, production]

objective:
- Optimize Docker images and infrastructure for production deployment with security and efficiency

deliverables:
- Multi-stage optimized Dockerfile for web app
- Docker Compose for local production simulation
- Infrastructure as Code (Terraform or Pulumi)
- Security scanning for Docker images

steps:
1. Create optimized Dockerfile for web app:
- Multi-stage build (deps → build → runtime)
- Use node:22-alpine for minimal image size
- Run as non-root user
- Copy only necessary files to runtime stage
- Health check in Dockerfile
2. Optimize scheduler Dockerfile:
- Reduce image size (currently copies many files)
- Use .dockerignore to exclude unnecessary files
- Pin base image versions
3. Create docker-compose.prod.yml:
- Web app service with replicas
- Redis service with persistence
- PostgreSQL service (or external)
- Nginx reverse proxy with SSL termination
- Watchtower for automatic updates
4. Add security scanning:
- Trivy or Snyk scan in CI pipeline
- Fail build on CRITICAL vulnerabilities
- Weekly automated scan of production images
5. Implement Infrastructure as Code:
- Terraform configuration for AWS/GCP/Vultr
- VPC, subnets, security groups
- ECS/Fargate or Kubernetes deployment
- Load balancer with SSL
- RDS/Cloud SQL for PostgreSQL
- ElastiCache/Memorystore for Redis
6. Add environment-specific configs:
- Production nginx.conf with rate limiting
- SSL certificate management (Let's Encrypt)
- Firewall rules

tests:
- Integration: Build image, verify size <200MB
- Security: Trivy scan shows no CRITICAL vulnerabilities
- Deploy: Terraform apply creates infrastructure

acceptance_criteria:
- Web Docker image <200MB compressed
- Scheduler Docker image <150MB compressed
- No CRITICAL vulnerabilities in image scans
- docker-compose.prod.yml runs full stack locally
- Terraform creates reproducible infrastructure
- Nginx reverse proxy with SSL and rate limiting
- Non-root user running containers

validation:
- `docker images` → web image <200MB
- `trivy image kordant-web` → no CRITICAL
- `docker-compose -f docker-compose.prod.yml up` → full stack running
- `terraform plan` → no unexpected changes

notes:
- Current scheduler/Dockerfile copies many source files — optimize with .dockerignore
- Consider using distroless images for even smaller footprint
- Use AWS Fargate or Google Cloud Run for serverless containers
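Review bot: "Watchtower for automatic updates" in step 3 contradicts the scan gate in step 4 and the "Pin base image versions" / "Terraform creates reproducible infrastructure" criteria: Watchtower pulls and restarts whatever image is newest at a tag, so an image can reach production without ever passing the "Fail build on CRITICAL vulnerabilities" check, and the running version stops matching what the pinned tag or Terraform describes. Suggest dropping Watchtower from docker-compose.prod.yml and deploying only digest-pinned images that CI promotes after the Trivy scan passes. Two smaller points in the validation block: `docker images` reports uncompressed on-disk size, so it cannot verify the "<200MB compressed" acceptance criterion (compare the registry's compressed layer sizes, or approximate with `docker save kordant-web | gzip | wc -c`), and `trivy image kordant-web` exits 0 regardless of findings, so if it is meant to be the gate it should be `trivy image --severity CRITICAL --exit-code 1 kordant-web`.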