Skip to content

Improving the FRIDGE API build process and fixing issue with Minio STS token expiry #161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
craddm merged 7 commits into from
Mar 18, 2026
Merged

Improving the FRIDGE API build process and fixing issue with Minio STS token expiry #161

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0512dc2
Add dockerignore file for FRIDGE API
craddm Jan 30, 2026
7ff07de
Reorder build image to do a multi-stage build
craddm Jan 30, 2026
79b2ddf
Cache token after successful refresh only
craddm Jan 30, 2026
b8af524
Merge branch 'main' into api/minio-sts-fixes
craddm Feb 19, 2026
f422087
Merge branch 'main' into api/minio-sts-fixes
craddm Mar 4, 2026
c00a665
Merge branch 'main' into api/minio-sts-fixes
craddm Mar 9, 2026
98d6272
Merge branch 'main' into api/minio-sts-fixes
craddm Mar 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions fridge-job-api/.dockerignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
__pycache__/
*.pyc
*.pyo
.venv/
README.md
.python-version
package-lock.json
18 changes: 8 additions & 10 deletions fridge-job-api/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,23 +1,21 @@
FROM ghcr.io/astral-sh/uv:python3.13-bookworm

RUN groupadd -g 1001 appuser && useradd -m -u 1001 -g appuser appuser
FROM ghcr.io/astral-sh/uv:python3.13-bookworm AS builder

WORKDIR /app
# Install dependencies
RUN --mount=type=cache,target=/root/.cache/uv \
--mount=type=bind,source=uv.lock,target=uv.lock \
--mount=type=bind,source=pyproject.toml,target=pyproject.toml \
uv sync --locked --no-install-project --no-editable
ADD . /app

COPY . /app
RUN uv sync --locked --no-editable
# Sync the project
RUN --mount=type=cache,target=/root/.cache/uv \
uv sync --locked --no-editable
# --mount=type=cache,target=/root/.cache/uv \

# Place executables in the environment at the front of the path
FROM python:3.13-slim-bookworm
RUN groupadd -g 1001 appuser && useradd -m -u 1001 -g appuser appuser
WORKDIR /app
COPY --from=builder --chown=appuser:appuseer /app /app
ENV PATH="/app/.venv/bin:$PATH"
ENTRYPOINT []

RUN chown -R appuser:appuser /app
USER appuser
CMD ["fastapi", "run", "--host", "0.0.0.0", "app/main.py"]
8 changes: 5 additions & 3 deletions fridge-job-api/app/minio_client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,9 +79,6 @@ def handle_sts_auth(self):
# Read service account token
sa_token = Path(self.SA_TOKEN_FILE).read_text().strip()

# Cache the token used here for change detection
self._last_token = sa_token

ssl_context = ssl.create_default_context(cafile=self.KUBE_CA_CRT)

# Create urllib3 client which accepts kube CA cert
Expand All @@ -104,6 +101,8 @@ def handle_sts_auth(self):
secret_key = credentials.find("sts:SecretAccessKey", ns).text
session_token = credentials.find("sts:SessionToken", ns).text

# Cache the token used here for change detection
self._last_token = sa_token
return access_key, secret_key, session_token

def _token_has_changed(self):
Expand All @@ -129,6 +128,9 @@ def _refresh_token(self):
print("Minio client token refreshed successfully")
else:
print("Failed to refresh Minio client token")
raise HTTPException(
status_code=500, detail="Failed to refresh Minio token"
)
except Exception as e:
print(f"Failed to refresh Minio client token: {e}")
raise HTTPException(
Expand Down
Loading