# 15. Docker & Infrastructure Optimization

meta:
  id: web-production-15
  feature: web-production
  priority: P2
  depends_on: []
  tags: [infrastructure, docker, production]

objective:
  - Optimize Docker images and infrastructure for production deployment: small, reproducible, non-root images whose dependencies are scanned, and infrastructure that is defined as code rather than built by hand

deliverables:
  - Multi-stage optimized Dockerfile for web app
  - Docker Compose for local production simulation
  - Infrastructure as Code (Terraform or Pulumi)
  - Security scanning for Docker images

steps:
  1. Create optimized Dockerfile for web app:
     - Multi-stage build (deps → build → runtime)
     - Use node:22-alpine for minimal image size (musl-based; confirm any native modules build and run on it)
     - Run as non-root user (the official node image ships a `node` user, uid 1000; switch to it with USER and chown only what the app needs)
     - Copy only necessary files to runtime stage (built output and production dependencies; no sources, tests, devDependencies or .env files)
     - Health check in Dockerfile
  2. Optimize scheduler Dockerfile:
     - Reduce image size (currently copies many files)
     - Use .dockerignore to exclude unnecessary files (node_modules, .git, tests, docs, .env*)
     - Pin base image versions by digest rather than by floating tag, so builds are reproducible and a base-image change shows up as a diff
  3. Create docker-compose.prod.yml:
     - Web app service with replicas
     - Redis service with persistence
     - PostgreSQL service (or external)
     - Nginx reverse proxy with TLS termination
     - Watchtower for automatic updates (caveat: it pulls and restarts whatever the tag currently points at, bypassing the CI scan gate, and it needs the Docker socket, which is host-root equivalent; scope it to CI-built images with labels, or prefer deliberate digest-pinned rollouts)
  4. Add security scanning:
     - Trivy or Snyk scan in CI pipeline
     - Fail build on CRITICAL vulnerabilities (decide up front whether CVEs with no fix available should block; Trivy's `--ignore-unfixed` reports them without failing the build)
     - Weekly automated scan of production images (new CVEs are published against images that have not changed, so a scan at build time is not enough)
  5. Implement Infrastructure as Code:
     - Terraform configuration for AWS/GCP/Vultr
     - VPC, subnets, security groups (app tier reachable only from the load balancer; data tier reachable only from the app tier)
     - ECS/Fargate or Kubernetes deployment
     - Load balancer with TLS
     - RDS/Cloud SQL for PostgreSQL
     - ElastiCache/Memorystore for Redis
  6. Add environment-specific configs:
     - Production nginx.conf with rate limiting
     - TLS certificate management (Let's Encrypt, with automated renewal)
     - Firewall rules (only 80/443 reachable from the internet; Redis and PostgreSQL reachable only from the app tier)

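Steps 1 and 2 above, as an added example Dockerfile (not the project's own file). It assumes a Node app with `package.json` and `package-lock.json`, a `npm run build` that writes `dist/`, a server entry `dist/server.js` listening on port 3000, and a `GET /health` endpoint; those paths, the port and the `NODE_IMAGE` build argument are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example Dockerfile for the web app (not the project's own).
# Assumed layout: package.json + package-lock.json, `npm run build` writes dist/,
# the server is dist/server.js listening on 3000 and answering GET /health.

# Pin by digest for real builds, e.g.
#   docker build --build-arg NODE_IMAGE=node:22-alpine@sha256:<digest-you-verified> -t kordant-web .
# (`docker buildx imagetools inspect node:22-alpine` prints the current digest.)
ARG NODE_IMAGE=node:22-alpine

# ---- stage 1: production dependencies only (no devDependencies) ----
FROM ${NODE_IMAGE} AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

# ---- stage 2: build (needs devDependencies: compiler, bundler, ...) ----
FROM ${NODE_IMAGE} AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
# What this copies is controlled by .dockerignore (see usage note).
COPY . .
RUN npm run build

# ---- stage 3: runtime; only what the server needs ----
FROM ${NODE_IMAGE} AS runtime
ENV NODE_ENV=production
WORKDIR /app
# The official image ships a non-root "node" user (uid 1000); nothing here
# needs root, so files are chowned to it and USER is set before CMD.
COPY --chown=node:node --from=deps  /app/node_modules ./node_modules
COPY --chown=node:node --from=build /app/dist         ./dist
COPY --chown=node:node package.json ./
USER node
EXPOSE 3000
# Exec form using node itself: the alpine image has no curl, and the same
# line keeps working on a distroless base that has no shell at all.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD ["node", "-e", "fetch('http://127.0.0.1:3000/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
CMD ["node", "dist/server.js"]
```

A `.dockerignore` beside it should list at least node_modules, .git, dist, coverage, tests, docs, .env and .env.*, so the `COPY . .` in the build stage cannot pull secrets or fixtures into a layer (those layers are absent from the runtime image but still sit in the build cache and in any intermediate stage that gets pushed). Check the result with `docker run --rm kordant-web id` (expect uid=1000(node)) and `docker inspect --format '{{.Config.User}}' kordant-web`.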
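Step 3 above, as an added docker-compose.prod.yml (not the project's own file). The service names, the `kordant-web` image tag, the `/health` endpoint and the `POSTGRES_PASSWORD` variable are assumptions. Beyond the spec's list it adds the hardening a reviewer would ask for (read-only root filesystem, dropped capabilities, no-new-privileges, nothing but nginx publishing ports) and keeps Watchtower opt-in via labels because it runs with the Docker socket.

```yaml
# docker-compose.prod.yml (added example). Only nginx publishes ports; the
# other services talk over the private "backend" network.
services:
  web:
    image: kordant-web:latest          # built by the multi-stage Dockerfile, scanned in CI
    deploy:
      replicas: 2                      # web publishes no host port, so replicas do not collide
    user: "1000:1000"                  # the image's non-root "node" user, made explicit here
    read_only: true                    # immutable root filesystem; writable scratch via tmpfs
    tmpfs:
      - /tmp
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    environment:
      NODE_ENV: production
      DATABASE_URL: postgres://app:${POSTGRES_PASSWORD}@postgres:5432/app
      REDIS_URL: redis://redis:6379
    healthcheck:
      test: ["CMD", "node", "-e", "fetch('http://127.0.0.1:3000/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
      interval: 30s
      timeout: 3s
      retries: 3
    labels:
      com.centurylinklabs.watchtower.enable: "true"   # the only service Watchtower may touch
    networks: [backend]
    depends_on: [postgres, redis]

  redis:
    image: redis:7-alpine              # pin by digest before real use
    command: ["redis-server", "--appendonly", "yes"]   # AOF persistence onto the volume
    volumes:
      - redis-data:/data
    networks: [backend]

  postgres:
    image: postgres:16-alpine          # or drop this service and point DATABASE_URL at RDS/Cloud SQL
    environment:
      POSTGRES_DB: app
      POSTGRES_USER: app
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}   # from an env file kept out of git, never a literal
    volumes:
      - pg-data:/var/lib/postgresql/data
    networks: [backend]

  nginx:
    image: nginx:1.27-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./certs:/etc/nginx/certs:ro    # Let's Encrypt fullchain.pem/privkey.pem, read-only
    networks: [backend]
    depends_on: [web]

  watchtower:
    image: containrrr/watchtower
    command: ["--label-enable", "--interval", "300"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # host-root equivalent: keep this container minimal
    # Caveat: Watchtower redeploys whatever :latest points at, bypassing the CI
    # scan gate. Only let CI push that tag, or remove this service and roll out by digest.

networks:
  backend:

volumes:
  redis-data:
  pg-data:
```

Bring it up with `POSTGRES_PASSWORD` exported (or in an `.env` file that `.gitignore` and `.dockerignore` both exclude) and confirm `docker compose ps` shows web as healthy; with `read_only: true` any path the app writes to other than /tmp will surface immediately as an EROFS error, which is the point of finding it locally rather than in production.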
tests:
  - Integration: build the image and verify size <200MB, measured the same way as the acceptance criteria (compressed size as pushed to the registry)
  - Security: Trivy scan shows no CRITICAL vulnerabilities
  - Deploy: `terraform apply` creates the infrastructure

acceptance_criteria:
  - Web Docker image <200MB compressed
  - Scheduler Docker image <150MB compressed
  - No CRITICAL vulnerabilities in image scans
  - docker-compose.prod.yml runs full stack locally
  - Terraform creates reproducible infrastructure (`terraform plan` on a clean checkout shows no drift)
  - Nginx reverse proxy with TLS and rate limiting
  - Non-root user running containers (verify with `docker exec <container> id`; the uid must not be 0)

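The production nginx.conf from step 6 and the proxy acceptance criterion above, as an added example (not the project's own config). It assumes the compose service name `web` on port 3000, certificates mounted at /etc/nginx/certs, the host name example.com, and an `/api/auth/` prefix for login-type endpoints that deserve a stricter limit; all of those are assumptions.

```nginx
# nginx.conf for the production reverse proxy (added example).
worker_processes auto;

events { worker_connections 1024; }

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;                  # do not advertise the nginx version

    # Rate limiting keyed on client IP. per_ip: 10 req/s sustained with bursts
    # of 20; auth: 1 req/s for credential endpoints. Excess gets 429, not 503.
    limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=10r/s;
    limit_req_zone  $binary_remote_addr zone=auth:10m   rate=1r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_req_status  429;
    limit_conn_status 429;

    upstream web {
        server web:3000;                # compose DNS round-robins across replicas
        keepalive 32;
    }

    server {
        listen 80;
        server_name example.com;        # assumption: replace with the real host
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        http2 on;                       # nginx >= 1.25.1 syntax
        server_name example.com;

        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options DENY always;

        client_max_body_size 1m;        # raise only for endpoints that really take uploads

        # Inherited by every location below.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        location /api/auth/ {
            limit_req  zone=auth burst=5 nodelay;
            limit_conn conn_per_ip 10;
            proxy_pass http://web;
        }

        location / {
            limit_req  zone=per_ip burst=20 nodelay;
            limit_conn conn_per_ip 50;
            proxy_pass http://web;
        }
    }
}
```

`$binary_remote_addr` is the TCP peer. Behind the cloud load balancer from step 5 every request arrives from the balancer's address and these zones would throttle all clients as one; in that deployment add `set_real_ip_from <balancer CIDR>;` and `real_ip_header X-Forwarded-For;` so the key is the real client. Validate with `nginx -t` and then a burst of requests (for example thirty `curl -o /dev/null -w '%{http_code}\n'` calls in a loop) and expect 429s after the burst allowance.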
validation:
  - `docker images` → web image <200MB (`docker images` reports uncompressed on-disk size, which is larger than the compressed size in the acceptance criteria, so passing here is a conservative check)
  - `trivy image --severity CRITICAL --exit-code 1 kordant-web` → exit status 0, meaning no CRITICAL findings
  - `docker-compose -f docker-compose.prod.yml up` → full stack running and the web health check reporting healthy
  - `terraform plan` → no unexpected changes

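Step 4's CI gate and the `trivy` validation line above, as an added example script (not the project's own tooling). It consumes the JSON report written by `trivy image --format json --output trivy.json kordant-web`. Trivy's own `--severity CRITICAL --exit-code 1` already gives the basic pass/fail; this script adds the policy decisions the spec leaves open: CRITICALs with no fixed version are reported but do not block, and a reviewed allowlist with expiry dates suppresses accepted findings until they lapse. The embedded sample report, its EXAMPLE-000x identifiers and package names are constructed, and the allowlist policy is an assumption about how the team wants to record accepted risk.

```python
"""Gate a CI build on a Trivy JSON report (added example, not project tooling).

Produce the report with:
    trivy image --format json --output trivy.json kordant-web
then run:
    python trivy_gate.py trivy.json        # exit status 1 blocks the build
The same invocation on a cron schedule against the deployed image covers the
weekly production scan: an unchanged image acquires new CVEs over time.
"""
import json
import sys
from datetime import date

BLOCKING_SEVERITIES = {"CRITICAL"}

# Reviewed, accepted findings -> ISO date on which the exception lapses.
# Hypothetical policy; empty is the safe default. ISO dates compare correctly
# as plain strings, so no parsing is needed.
ALLOWLIST: dict[str, str] = {}


def findings(report: dict):
    """Yield (vuln_id, pkg, severity, fixed_version) for every finding in a Trivy report."""
    for result in report.get("Results") or []:
        # "Vulnerabilities" is absent (or null) when a scan target is clean.
        for v in result.get("Vulnerabilities") or []:
            yield (
                v["VulnerabilityID"],
                v.get("PkgName", "?"),
                v.get("Severity", "UNKNOWN"),
                v.get("FixedVersion"),      # absent when upstream has no fix yet
            )


def evaluate(report: dict, today: str = None, allowlist: dict = None):
    """Split CRITICAL findings into (blocking, unfixed, allowed) lists."""
    today = today or date.today().isoformat()
    allowlist = ALLOWLIST if allowlist is None else allowlist
    blocking, unfixed, allowed = [], [], []
    for f in findings(report):
        vuln_id, _pkg, severity, fixed = f
        if severity not in BLOCKING_SEVERITIES:
            continue
        expiry = allowlist.get(vuln_id)
        if expiry is not None and today <= expiry:
            allowed.append(f)               # accepted risk, exception still valid
        elif not fixed:
            unfixed.append(f)               # report it, but nothing to upgrade to
        else:
            blocking.append(f)              # fixable CRITICAL: fail the build
    return blocking, unfixed, allowed


def gate(report: dict, today: str = None, allowlist: dict = None) -> int:
    """CI exit status: 1 if any fixable, non-allowlisted CRITICAL is present."""
    blocking, unfixed, allowed = evaluate(report, today, allowlist)
    for label, group in (("BLOCKING", blocking), ("UNFIXED", unfixed), ("ALLOWED", allowed)):
        for vuln_id, pkg, severity, fixed in group:
            print(f"{label:8} {vuln_id:16} {pkg:14} {severity:8} fix={fixed or '-'}")
    return 1 if blocking else 0


# Constructed sample in Trivy's JSON shape; the IDs and packages are not real.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "kordant-web (alpine 3.20)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
              "InstalledVersion": "2.0", "Severity": "CRITICAL"},   # no FixedVersion
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libthird",
              "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "HIGH"},
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs"},   # clean target: no key
    ]
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    sys.exit(gate(report))
```

Run without arguments it evaluates the constructed sample and exits 1 because EXAMPLE-0001 is a fixable CRITICAL, while EXAMPLE-0002 is only listed as UNFIXED. Keep the allowlist in the repository next to the Dockerfile so that accepting a finding is a reviewed change with an owner and an expiry, not a flag someone adds to the CI command.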
notes:
  - Current scheduler/Dockerfile copies many source files; optimize with .dockerignore
  - Consider using distroless images for an even smaller footprint and attack surface (no shell or package manager in the runtime image; the HEALTHCHECK must then be an exec-form node script rather than a curl/wget shell command)
  - Use AWS Fargate or Google Cloud Run for serverless containers