feat(dockerfile): migrate to scratch-based image (#143)

* feat: migrate to scratch-based Docker image

- Replace alpine base with scratch for minimal 16MB image
- Remove docker_start.sh (no shell in scratch)
- Use ENTRYPOINT + CMD for direct binary execution
- Add CA certificates for HTTPS connections to LAPI
- Add docker/README.md with comprehensive usage documentation

* fix: create runtime directories for scratch image

- Add /run/crowdsec-spoa/ for Unix socket
- Add /var/log/crowdsec-spoa/ for log files
- Use .keep files to ensure empty directories are copied to scratch

* fix: correct Docker image name to crowdsecurity/spoa-bouncer

* feat: add Docker-optimized config with environment variables

- Add config/crowdsec-spoa-bouncer.docker.yaml with stdout logging
- Support env vars: CROWDSEC_KEY, CROWDSEC_URL, LOG_LEVEL, etc.
- Enable Prometheus by default on port 6060
- Update Dockerfile to use Docker config and expose both ports
- Update README with comprehensive environment variables table

* fix: use ENV defaults instead of shell syntax for env vars

- StrictExpand doesn't support ${VAR:-default} syntax
- Set default values via ENV in Dockerfile
- Simplify docker.yaml to use plain ${VAR} substitution
- Update README to clarify only CROWDSEC_KEY is required

* docs: pin image versions in Docker examples

Address Copilot review: use pinned versions instead of :latest
- haproxy:3.1
- curlimages/curl:8.11.1

* fix: restore VOLUME declarations for Lua and HTML customization

Address Copilot review: keep volumes for user customization even though
documentation examples were simplified

* docs: remove GOMEMLIMIT from README examples

* docs: reorder config sections - custom config before env vars

Custom configuration file is the primary method, environment variables
are a convenience layer for simple deployments.

Author: LaurenceJJones

Dockerfile

@@ -4,43 +4,53 @@ FROM golang:${GOVERSION}-alpine AS build
 
 WORKDIR /go/src/cs-spoa-bouncer
 
-RUN apk add --update --no-cache make git
+RUN apk add --update --no-cache make git ca-certificates
 COPY . .
 
 RUN make build DOCKER_BUILD=1
 
-FROM alpine:latest
-COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /usr/local/bin/crowdsec-spoa-bouncer
-COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
-COPY --from=build /go/src/cs-spoa-bouncer/docker/docker_start.sh /docker_start.sh
+# Create directory structure for scratch image (with .keep files so COPY works)
+RUN mkdir -p /run/crowdsec-spoa /var/log/crowdsec-spoa && \
+    touch /run/crowdsec-spoa/.keep /var/log/crowdsec-spoa/.keep
 
-# Set permissions for config file and binary
-RUN chmod 644 /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml && \
-    chmod 755 /usr/local/bin/crowdsec-spoa-bouncer
+# Final minimal image
+FROM scratch
 
-## Add the same haproxy user as the official haproxy image
-RUN addgroup -g 99 -S haproxy && adduser -S -D -H -u 99 -h /var/lib/haproxy -s /sbin/nologin -G haproxy -g haproxy haproxy
-## Add worker user
-RUN addgroup -S crowdsec-spoa && adduser -S -D -H -s /sbin/nologin -g crowdsec-spoa crowdsec-spoa
+# Default environment variables (can be overridden at runtime)
+ENV LOG_MODE=stdout \
+    LOG_LEVEL=info \
+    CROWDSEC_URL=http://crowdsec:8080/ \
+    UPDATE_FREQUENCY=10s \
+    INSECURE_SKIP_VERIFY=false \
+    LISTEN_TCP=0.0.0.0:9000 \
+    PROMETHEUS_ENABLED=true \
+    PROMETHEUS_ADDR=0.0.0.0 \
+    PROMETHEUS_PORT=6060
 
-## Create a socket for the spoa to inherit crowdsec-spoa:haproxy user from official haproxy image
-RUN mkdir -p /run/crowdsec-spoa/ && chown crowdsec-spoa:haproxy /run/crowdsec-spoa/ && chmod 770 /run/crowdsec-spoa/
+# Copy CA certificates for HTTPS connections to LAPI
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-## Copy Lua files (matching Debian/RPM paths)
-RUN mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua
-COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
+# Copy the static binary
+COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /crowdsec-spoa-bouncer
 
-## Copy templates (matching Debian/RPM paths)
-RUN mkdir -p /var/lib/crowdsec-haproxy-spoa-bouncer/html
-COPY --from=build /go/src/cs-spoa-bouncer/templates/* /var/lib/crowdsec-haproxy-spoa-bouncer/html/
+# Copy Docker-optimized config file
+COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.docker.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
 
-RUN chown -R root:haproxy /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+# Copy Lua files for HAProxy integration
+COPY --from=build /go/src/cs-spoa-bouncer/lua/ /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
 
-VOLUME [ "/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/", "/var/lib/crowdsec-haproxy-spoa-bouncer/html/" ]
+# Copy HTML templates for ban/captcha pages
+COPY --from=build /go/src/cs-spoa-bouncer/templates/ /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-RUN chmod +x /docker_start.sh
+# Copy runtime directories (required for Unix socket and logs)
+COPY --from=build /run/crowdsec-spoa/ /run/crowdsec-spoa/
+COPY --from=build /var/log/crowdsec-spoa/ /var/log/crowdsec-spoa/
 
-# Run as user
-USER crowdsec-spoa
+# Declare volumes for customizable content
+VOLUME /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
+VOLUME /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-ENTRYPOINT ["/docker_start.sh"]
+EXPOSE 9000 6060
+
+ENTRYPOINT ["/crowdsec-spoa-bouncer"]
+CMD ["-c", "/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml"]

config/crowdsec-spoa-bouncer.docker.yaml

@@ -0,0 +1,39 @@
+## Docker-optimized configuration for CrowdSec SPOA Bouncer
+## Environment variables can override settings: ${VAR_NAME}
+## If a variable is not set, the default value is used.
+
+## Log configuration
+## stdout is recommended for Docker (use `docker logs` to view)
+log_mode: ${LOG_MODE}
+log_level: ${LOG_LEVEL}
+
+## LAPI configuration
+api_url: ${CROWDSEC_URL}
+api_key: ${CROWDSEC_KEY}
+update_frequency: ${UPDATE_FREQUENCY}
+insecure_skip_verify: ${INSECURE_SKIP_VERIFY}
+
+## SPOA listener configuration
+listen_tcp: ${LISTEN_TCP}
+#listen_unix: ${LISTEN_UNIX}
+
+## GeoIP databases (optional, mount as volumes)
+#asn_database_path: /var/lib/crowdsec/data/GeoLite2-ASN.mmdb
+#city_database_path: /var/lib/crowdsec/data/GeoLite2-City.mmdb
+
+## Global AppSec configuration (optional)
+#appsec_url: ${APPSEC_URL}
+#appsec_timeout: ${APPSEC_TIMEOUT}
+
+## Prometheus metrics endpoint
+prometheus:
+  enabled: ${PROMETHEUS_ENABLED}
+  listen_addr: ${PROMETHEUS_ADDR}
+  listen_port: ${PROMETHEUS_PORT}
+
+## pprof debug endpoint (disabled by default)
+## WARNING: Only enable for debugging, exposes internal runtime data
+#pprof:
+#  enabled: false
+#  listen_addr: 0.0.0.0
+#  listen_port: 6070

docker/README.md

@@ -0,0 +1,199 @@
+# CrowdSec HAProxy SPOA Bouncer Docker Image
+
+This is a minimal scratch-based Docker image containing only the statically-linked bouncer binary and essential files.
+
+## Image Contents
+
+```
+/crowdsec-spoa-bouncer                              # The bouncer binary
+/etc/ssl/certs/ca-certificates.crt                  # CA certs for HTTPS to LAPI
+/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml   # Default config
+/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/         # Lua files for HAProxy
+/var/lib/crowdsec-haproxy-spoa-bouncer/html/        # Ban/captcha templates
+```
+
+## Quick Start
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -e CROWDSEC_KEY=your-api-key \
+  -e CROWDSEC_URL=http://crowdsec:8080/ \
+  -p 9000:9000 \
+  -p 6060:6060 \
+  crowdsecurity/spoa-bouncer
+```
+
+## Configuration
+
+### Custom Configuration File
+
+Mount your own configuration file for full control:
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -v /path/to/your/config.yaml:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml:ro \
+  -p 9000:9000 \
+  crowdsecurity/spoa-bouncer
+```
+
+Or specify a different config path:
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -v /path/to/config.yaml:/config.yaml:ro \
+  -p 9000:9000 \
+  crowdsecurity/spoa-bouncer -c /config.yaml
+```
+
+### Environment Variables
+
+For simple deployments, the default configuration supports environment variables:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `CROWDSEC_KEY` | **required** | API key for CrowdSec LAPI |
+| `CROWDSEC_URL` | `http://crowdsec:8080/` | CrowdSec LAPI URL |
+| `LOG_MODE` | `stdout` | Log output: `stdout` or `file` |
+| `LOG_LEVEL` | `info` | Log level: `trace`, `debug`, `info`, `warn`, `error` |
+| `UPDATE_FREQUENCY` | `10s` | How often to poll LAPI for decisions |
+| `INSECURE_SKIP_VERIFY` | `false` | Skip TLS verification for LAPI |
+| `LISTEN_TCP` | `0.0.0.0:9000` | TCP listener address |
+| `PROMETHEUS_ENABLED` | `true` | Enable Prometheus metrics |
+| `PROMETHEUS_ADDR` | `0.0.0.0` | Prometheus listen address |
+| `PROMETHEUS_PORT` | `6060` | Prometheus listen port |
+
+**Note:** Default values are set in the Docker image. Only `CROWDSEC_KEY` must be provided.
+
+### Unix Socket (Recommended for Same-Host HAProxy)
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -v /path/to/config.yaml:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml:ro \
+  -v /run/crowdsec-spoa:/run/crowdsec-spoa \
+  crowdsecurity/spoa-bouncer
+```
+
+Ensure the socket directory exists and has appropriate permissions for HAProxy to connect.
+
+## Docker Compose Example
+
+```yaml
+services:
+  crowdsec-spoa-bouncer:
+    image: crowdsecurity/spoa-bouncer
+    restart: unless-stopped
+    environment:
+      - CROWDSEC_KEY=${CROWDSEC_API_KEY}
+      - CROWDSEC_URL=http://crowdsec:8080/
+      - LOG_LEVEL=info
+    ports:
+      - "6060:6060"  # Prometheus metrics
+    networks:
+      - crowdsec
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+
+  haproxy:
+    image: haproxy:3.1
+    volumes:
+      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - crowdsec
+    depends_on:
+      - crowdsec-spoa-bouncer
+
+networks:
+  crowdsec:
+```
+
+## Running as Non-Root
+
+The scratch image runs as root by default. To run as a specific user:
+
+```bash
+docker run -d \
+  --user 1000:1000 \
+  --name crowdsec-spoa-bouncer \
+  -p 9000:9000 \
+  crowdsecurity/spoa-bouncer
+```
+
+Note: Ensure mounted volumes have appropriate permissions for the specified user.
+
+## Health Checks
+
+Prometheus metrics are enabled by default on port 6060. Since this is a scratch image with no shell, use external health checks:
+
+```yaml
+# Docker Compose with healthcheck via curl sidecar
+services:
+  crowdsec-spoa-bouncer:
+    image: crowdsecurity/spoa-bouncer
+    environment:
+      - CROWDSEC_KEY=${API_KEY}
+    # Use depends_on with service_healthy for dependent services
+
+  healthcheck:
+    image: curlimages/curl:8.11.1
+    command: ["sh", "-c", "while true; do curl -sf http://crowdsec-spoa-bouncer:6060/metrics > /dev/null && echo healthy || echo unhealthy; sleep 30; done"]
+    depends_on:
+      - crowdsec-spoa-bouncer
+```
+
+Or check from the host:
+
+```bash
+curl -sf http://localhost:6060/metrics > /dev/null && echo "healthy" || echo "unhealthy"
+```
+
+## Ports
+
+| Port | Default | Description |
+|------|---------|-------------|
+| 9000 | Yes | SPOA TCP listener |
+| 6060 | Yes | Prometheus metrics (enabled by default) |
+| 6070 | No | pprof debug endpoint (disabled by default) |
+
+## Troubleshooting
+
+### View Logs
+
+```bash
+docker logs -f crowdsec-spoa-bouncer
+```
+
+### Debug Mode
+
+Set the `LOG_LEVEL` environment variable:
+
+```bash
+docker run -e LOG_LEVEL=debug -e CROWDSEC_KEY=... crowdsecurity/spoa-bouncer
+```
+
+### Connection Issues
+
+1. Verify LAPI is reachable from the container
+2. Check API key is correct
+3. Ensure HAProxy can reach the SPOA listener (TCP port or Unix socket)
+
+## Building the Image
+
+```bash
+docker build -t crowdsecurity/spoa-bouncer .
+```
+
+### Build Arguments
+
+| Argument | Default | Description |
+|----------|---------|-------------|
+| GOVERSION | 1.25 | Go version for build stage |
+