fix: dockerfile and startup script for orion proxy

[hanshal101]

This PR introduces a multi-stage Dockerfile and a corresponding start_proxy.sh entrypoint script to build and run the orion service in a containerized environment.

This provides a standardized, reproducible, and secure way to deploy the application.

@YaoZengzeng let me know if anything more is to be added here!

[kmesh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kmesh-bot]

Welcome @hanshal101! It looks like this is your first PR to kmesh-net/orion 🎉

[gemini-code-assist]

Summary of Changes

Hello @hanshal101, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on containerizing the orion proxy service to enable standardized, reproducible, and secure deployments. It achieves this by introducing a multi-stage Dockerfile for efficient image building and a robust startup script that supports dynamic configuration.

Highlights

• Dockerfile Optimization: Refactored the Dockerfile into a multi-stage build process, significantly reducing the final image size and improving build efficiency through better layer caching for Rust dependencies.
• Dynamic Configuration: Enhanced the start_proxy.sh script to support dynamic configuration of the control plane IP via an environment variable, making deployments more flexible and adaptable.
• Standardized Deployment: Introduced a clear entrypoint script and a well-defined Docker image for the orion proxy, ensuring standardized, reproducible, and secure deployments in containerized environments.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a multi-stage Dockerfile and startup script for the Orion proxy, improving containerization. I've identified a few issues, including the base image tag, the use of .dockerignore, running as a non-root user, and the configuration replacement logic in the startup script.

[gemini-code-assist]

The sed command attempts to replace CONTROL_PLANE_IP in /etc/orion/orion-runtime.yaml, but this placeholder might not exist in the configuration file. Verify that orion-runtime.yaml contains the CONTROL_PLANE_IP placeholder. If it doesn't, the sed command will have no effect, and the control plane IP will not be configured as intended.

[gemini-code-assist]

The base image tag rust:1.84 may not be valid or the latest. Using an invalid or outdated tag can cause build failures or introduce unexpected behavior. Verify the correct tag for the Rust builder image and consider using a specific versioned tag (e.g., rust:1.79.0-bookworm) or a floating tag (e.g., rust:1-bookworm) to balance stability and updates.

[gemini-code-assist]

The COPY . . command copies the entire project into the Docker image, including potentially sensitive or unnecessary files. Create a .dockerignore file to exclude files and directories not needed for the build, such as .git, target/, and editor-specific files. This reduces image size and improves build caching.

[gemini-code-assist]

The container currently runs as the root user. For enhanced security, create a dedicated non-root user and group for the application and switch to that user before running the application. Ensure the new user has the necessary permissions on /etc/orion/orion-runtime.yaml.

RUN groupadd --system orion && useradd --system --no-create-home --gid orion orion && chown -R orion:orion /etc/orion
USER orion