01 — Containerization (Docker)

Focus: Docker. How BitVault’s deployables become small, secure, reproducible, multi-arch images — the artifact every later stage promotes. Image build/sign/scan pipelines are in 07; this doc is the image design.


1. What we containerize

Per ADR-0001 the system is a modular monolith with extractable workers, so the image set is small:

Image Contents Base
bitvaultd the control-plane binary (all modules in v1) distroless static / scratch
bitvault-worker async workers (indexer, notifier, GC, scrubber, packer) — first extraction distroless static / scratch
bitvault-web Next.js server (SSR) distroless nodejs
(CLI) shipped as a signed static binary (+ optional image), not a deploy artifact

One Go codebase → multiple binaries → multiple tiny images; the worker image is the same code with a different entrypoint until it is truly extracted.


2. Image design rules


3. Tagging & identity


4. Supply-chain properties (built in 07)

Every published image carries: an SBOM (syft), a passing vulnerability scan (trivy/grype), a keyless cosign signature (sigstore/OIDC), and SLSA provenance. Clusters verify the signature at admission before running it (ADR-0032). The image is not just small — it is attestable.


5. Self-host parity

The same images run under Docker Compose for self-host (ADR-0012); distroless + static binaries make the self-host footprint tiny and dependency-free.


6. Tradeoffs / Alternatives / Scaling

Tradeoffs. Distroless/scratch images are tiny and have a minimal attack surface but have no shell → no kubectl exec debugging. Mitigation: ephemeral debug containers (kubectl debug) attach a toolbox without bloating the image; structured logs + traces (ADR-0013) reduce the need to shell in.

Alternatives considered.

Scaling concerns.

References