From be4122508707522482b2127187f9679c78cdaa96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Ren=C3=A9=20White=20Enciso?=
Date: Sun, 8 Mar 2026 14:34:12 -0600
Subject: [PATCH] chore(thalos-bff): add container run assets
Why: align BFF runtime packaging and remove cross-repo proto coupling in container builds.
What: add Docker assets and runbook, map /health, and vendor grpc proto locally.
Rule: keep technical intent only and avoid orchestration references.
---
.dockerignore | 9 +++++
Dockerfile | 22 ++++++++++++
docs/runbooks/containerization.md | 26 ++++++++++++++
src/Thalos.Bff.Rest/Program.cs | 1 +
.../Protos/identity_runtime.proto | 35 +++++++++++++++++++
src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj | 2 +-
6 files changed, 94 insertions(+), 1 deletion(-)
create mode 100644 .dockerignore
create mode 100644 Dockerfile
create mode 100644 docs/runbooks/containerization.md
create mode 100644 src/Thalos.Bff.Rest/Protos/identity_runtime.proto
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..636f769
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,9 @@
+**/bin/
+**/obj/
+.vs/
+TestResults/
+.git/
+.repo-tasks/
+.repo-context/
+.tasks/
+.agile/
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..1e0a6e4
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1.7
+ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
+ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
+
+FROM ${SDK_IMAGE} AS build
+ARG NUGET_FEED_URL=http://192.168.10.100:3000/api/packages/AgileWebs/nuget/index.json
+ARG NUGET_FEED_USERNAME=
+ARG NUGET_FEED_TOKEN=
+WORKDIR /src
+COPY . .
+
+RUN if [ -n "$NUGET_FEED_USERNAME" ] && [ -n "$NUGET_FEED_TOKEN" ]; then dotnet nuget add source "$NUGET_FEED_URL" --name gitea-org --username "$NUGET_FEED_USERNAME" --password "$NUGET_FEED_TOKEN" --store-password-in-clear-text --allow-insecure-connections --configfile /root/.nuget/NuGet/NuGet.Config; fi
+
+RUN dotnet restore "src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj" --configfile /root/.nuget/NuGet/NuGet.Config
+RUN dotnet publish "src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj" -c Release -o /app/publish /p:UseAppHost=false --no-restore
+
+FROM ${RUNTIME_IMAGE} AS runtime
+WORKDIR /app
+ENV ASPNETCORE_URLS=http://+:8080 ASPNETCORE_ENVIRONMENT=Production
+EXPOSE 8080
+COPY --from=build /app/publish .
+ENTRYPOINT ["dotnet", "Thalos.Bff.Rest.dll"]
diff --git a/docs/runbooks/containerization.md b/docs/runbooks/containerization.md
new file mode 100644
index 0000000..2fcfd16
--- /dev/null
+++ b/docs/runbooks/containerization.md
@@ -0,0 +1,26 @@
+# Containerization Runbook
+
+## Image Build
+
+If the repo consumes internal packages from Gitea, pass feed credentials as build args.
+
+```bash
+docker build --build-arg NUGET_FEED_USERNAME= --build-arg NUGET_FEED_TOKEN= -t agilewebs/thalos-bff:dev .
+```
+
+## Local Run
+
+```bash
+docker run --rm -p 8080:8080 --name thalos-bff agilewebs/thalos-bff:dev
+```
+
+## Health Probe
+
+- Path: `/health`
+- Fallback path: `/healthz`
+- Port: `8080`
+
+## Runtime Notes
+
+- Requires `ThalosService__GrpcAddress` to target thalos-service in distributed runs.
+- gRPC client contract protobuf is vendored at `src/Thalos.Bff.Rest/Protos/identity_runtime.proto` to keep image builds repo-local.
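Review bot: The feed token enters the build stage as `ARG NUGET_FEED_TOKEN` and is then written to `/root/.nuget/NuGet/NuGet.Config` with `--store-password-in-clear-text`, so it persists in that stage's layer and in the build metadata and cache for anyone who can read them. Since the Dockerfile already declares `# syntax=docker/dockerfile:1.7`, a BuildKit secret mount can carry the token instead, with the source entry removed in the same `RUN`, as sketched below; the runbook's `docker build` line would then pass `--secret id=nuget_feed_token,env=NUGET_FEED_TOKEN` rather than a build arg. The default `NUGET_FEED_URL` is plain `http://` and the source is added with `--allow-insecure-connections`, so the credential and the restored packages both cross the network without encryption or server authentication; serving the feed over HTTPS would let that flag be dropped. The runtime stage sets no user, so the service runs as the image default; if the aspnet base image defines it, `USER $APP_UID` before `ENTRYPOINT` would run it unprivileged.

```dockerfile
# … unchanged: FROM ${SDK_IMAGE} AS build, ARG NUGET_FEED_URL, ARG NUGET_FEED_USERNAME, WORKDIR, COPY …
# ARG NUGET_FEED_TOKEN is dropped; the token arrives only as a build secret.
RUN --mount=type=secret,id=nuget_feed_token \
    set -e; \
    if [ -n "$NUGET_FEED_USERNAME" ] && [ -s /run/secrets/nuget_feed_token ]; then \
      dotnet nuget add source "$NUGET_FEED_URL" --name gitea-org \
        --username "$NUGET_FEED_USERNAME" \
        --password "$(cat /run/secrets/nuget_feed_token)" \
        --store-password-in-clear-text --allow-insecure-connections \
        --configfile /root/.nuget/NuGet/NuGet.Config; \
    fi; \
    dotnet restore "src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj" --configfile /root/.nuget/NuGet/NuGet.Config; \
    # remove the stored credential before this layer is committed
    if [ -n "$NUGET_FEED_USERNAME" ] && [ -s /run/secrets/nuget_feed_token ]; then \
      dotnet nuget remove source gitea-org --configfile /root/.nuget/NuGet/NuGet.Config; \
    fi
# … unchanged: dotnet publish, runtime stage …
```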
diff --git a/src/Thalos.Bff.Rest/Program.cs b/src/Thalos.Bff.Rest/Program.cs index 0c31b59..b26c0ec 100644 --- a/src/Thalos.Bff.Rest/Program.cs +++ b/src/Thalos.Bff.Rest/Program.cs @@ -69,6 +69,7 @@ app.MapPost($"{EndpointConventions.ApiPrefix}/session/refresh", async ( }); app.MapHealthChecks("/healthz"); +app.MapHealthChecks("/health"); app.Run(); diff --git a/src/Thalos.Bff.Rest/Protos/identity_runtime.proto b/src/Thalos.Bff.Rest/Protos/identity_runtime.proto new file mode 100644 index 0000000..02b620b --- /dev/null +++ b/src/Thalos.Bff.Rest/Protos/identity_runtime.proto @@ -0,0 +1,35 @@ +syntax = "proto3"; + +option csharp_namespace = "Thalos.Service.Grpc"; + +package thalos.service.grpc; + +service IdentityRuntime { + rpc IssueIdentityToken (IssueIdentityTokenGrpcRequest) returns (IssueIdentityTokenGrpcResponse); + rpc EvaluateIdentityPolicy (EvaluateIdentityPolicyGrpcRequest) returns (EvaluateIdentityPolicyGrpcResponse); +} + +message IssueIdentityTokenGrpcRequest { + string subject_id = 1; + string tenant_id = 2; + string provider = 3; + string external_token = 4; +} + +message IssueIdentityTokenGrpcResponse { + string token = 1; + int32 expires_in_seconds = 2; +} + +message EvaluateIdentityPolicyGrpcRequest { + string subject_id = 1; + string tenant_id = 2; + string permission_code = 3; + string provider = 4; +} + +message EvaluateIdentityPolicyGrpcResponse { + string subject_id = 1; + string permission_code = 2; + bool is_allowed = 3; +} diff --git a/src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj b/src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj index 657bf5c..8a3f335 100644 --- a/src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj +++ b/src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj @@ -15,7 +15,7 @@ - +
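Review bot: The vendored `identity_runtime.proto` records nothing about where it was copied from, so a later change to the contract in thalos-service can leave this copy stale without any build failure, and this file defines both token issuance and the `is_allowed` policy decision. A header comment such as `// Vendored from thalos-service: <upstream path> @ <upstream commit>` (placeholders to be filled in), together with a CI comparison against the upstream file, would make drift visible. `external_token` appears to carry a credential from the external provider, so a field comment like `// credential issued by the external provider; do not log` would tell callers how to handle it.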