Dockerfile
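### Standard binary
# Build the manager binary.
# NOTE(review): the toolchain image is pinned by tag only; adding an @sha256
# digest would make this build input immutable.
FROM golang:1.20.1 AS builder

# BuildKit's automatic platform args are only visible inside a stage once they
# are redeclared. TARGETVARIANT was printed below without being declared, so it
# always expanded to an empty string.
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT

# Log the requested target and the build host's kernel/architecture. The values
# are passed as printf arguments so that a '%' or backslash in them is never
# interpreted as part of the format string.
RUN printf 'Building for TARGETPLATFORM=%s, TARGETARCH=%s, TARGETOS=%s, TARGETVARIANT=%s \n' \
        "${TARGETPLATFORM}" "${TARGETARCH}" "${TARGETOS}" "${TARGETVARIANT}" \
    && printf "With 'uname -s': %s and 'uname -m': %s\n" "$(uname -s)" "$(uname -m)"

WORKDIR /workspace

# Copy only the module manifests first: the dependency download layer below is
# then reused until go.mod or go.sum change, and source edits do not
# invalidate it.
COPY go.mod go.sum ./
RUN go mod download

COPY pkg/ pkg/
COPY internal/ internal/
COPY Makefile .

# Build
# Declared as build args so they are present in the environment of the make
# invocation below (presumably read by the _build target; confirm in Makefile).
ARG TAG
ARG COMMIT
ARG REPO_INFO

# GOOS is fixed to linux; only the architecture follows the requested platform.
# The later stages copy the result from /workspace/bin/manager.
RUN CGO_ENABLED=0 GOOS=linux GOARCH="${TARGETARCH}" GO111MODULE=on make _build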
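### FIPS 140-2 binary
# Build the manager binary with the BoringCrypto Go toolchain.
# https://github.com/golang/go/tree/dev.boringcrypto/misc/boring#building-from-docker
# NOTE(review): the toolchain image is pinned by tag only; adding an @sha256
# digest would make this build input immutable.
FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:1.18.10b7 AS builder-fips

# BuildKit's automatic platform args are only visible inside a stage once they
# are redeclared. TARGETVARIANT was printed below without being declared, so it
# always expanded to an empty string.
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT

# Log the requested target and the build host's kernel/architecture. The values
# are passed as printf arguments so that a '%' or backslash in them is never
# interpreted as part of the format string.
RUN printf 'Building for TARGETPLATFORM=%s, TARGETARCH=%s, TARGETOS=%s, TARGETVARIANT=%s \n' \
        "${TARGETPLATFORM}" "${TARGETARCH}" "${TARGETOS}" "${TARGETVARIANT}" \
    && printf "With 'uname -s': %s and 'uname -m': %s\n" "$(uname -s)" "$(uname -m)"

WORKDIR /workspace

# Copy only the module manifests first: the dependency download layer below is
# then reused until go.mod or go.sum change, and source edits do not
# invalidate it.
COPY go.mod go.sum ./
RUN go mod download

COPY pkg/ pkg/
COPY internal/ internal/
# The build step below runs make, so the Makefile has to be in the workspace;
# the standard builder stage copies it, this stage did not.
COPY Makefile .

# Build
# Declared as build args so they are present in the environment of the make
# invocation below (presumably read by the _build.fips target; confirm in
# Makefile).
ARG TAG
ARG COMMIT
ARG REPO_INFO

# NOTE(review): Go's BoringCrypto backend is compiled in only when cgo is
# enabled. With CGO_ENABLED=0 in the environment the build falls back to the
# standard Go crypto packages unless the _build.fips target overrides the
# setting. Confirm against the Makefile and check that the resulting binary
# really links BoringCrypto before the image is described as FIPS 140-2.
# NOTE(review): the FIPS runtime stages copy /workspace/manager, while the
# standard build is consumed from /workspace/bin/manager; verify where
# _build.fips writes its output.
RUN CGO_ENABLED=0 GOOS=linux GOARCH="${TARGETARCH}" GO111MODULE=on make _build.fips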
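### RHEL
# Build UBI image
# NOTE(review): the base image has no tag or digest, so every build resolves
# whatever "latest" points to at that moment; pin a tag (ideally with an
# @sha256 digest) to make the runtime base reviewable and reproducible.
FROM registry.access.redhat.com/ubi8/ubi AS redhat

# TAG feeds the version label. The platform args are declared but not used in
# this stage.
ARG TAG
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH

LABEL name="Kong Ingress Controller" \
      vendor="Kong" \
      version="$TAG" \
      release="1" \
      url="https://github.com/Kong/kubernetes-ingress-controller" \
      summary="Kong for Kubernetes Ingress" \
      description="Use Kong for Kubernetes Ingress. Configure plugins, health checking, load balancing and more in Kong for Kubernetes Services, all using Custom Resource Definitions (CRDs) and Kubernetes-native tooling."

# Create the user (ID 1000) and group that will be used in the
# running container to run the process as an unprivileged user.
RUN groupadd --system kic && \
    adduser --system kic -g kic -u 1000

# No WORKDIR is set in this stage, so "." resolves to / and the binary lands
# at /manager, which is what ENTRYPOINT runs.
COPY --from=builder /workspace/bin/manager .
COPY LICENSE /licenses/
COPY LICENSES /licenses/

# Run yum update to prevent vulnerable packages getting into the final image
# and preventing publishing on Redhat connect registry.
# The package cache is cleaned in the same layer; removing it in a later layer
# would not shrink the image. The set of updates applied depends on when the
# image is built.
RUN yum update -y && \
    yum clean all

# Perform any further action as an unprivileged user.
USER 1000

# Run the compiled binary.
ENTRYPOINT ["/manager"]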
### distroless FIPS 140-2
# Minimal runtime image around the binary produced by the builder-fips stage.
# NOTE(review): the base is referenced by the floating "nonroot" tag, not by
# digest.
FROM gcr.io/distroless/static:nonroot AS distroless-fips

WORKDIR /

# NOTE(review): this copies /workspace/manager, whereas the standard build is
# consumed from /workspace/bin/manager; confirm the output path of the FIPS
# build.
COPY --from=builder-fips /workspace/manager /manager

# Run as the unprivileged numeric UID:GID rather than root.
USER 65532:65532

ENTRYPOINT ["/manager"]
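### RHEL FIPS 140-2
# UBI runtime image around the binary produced by the builder-fips stage.
# NOTE(review): the base image has no tag or digest, so every build resolves
# whatever "latest" points to at that moment; pin a tag (ideally with an
# @sha256 digest) to make the runtime base reviewable and reproducible.
FROM registry.access.redhat.com/ubi8/ubi AS redhat-fips

# TAG feeds the version label.
ARG TAG

LABEL name="Kong Ingress Controller" \
      vendor="Kong" \
      version="$TAG" \
      release="1" \
      url="https://github.com/Kong/kubernetes-ingress-controller" \
      summary="Kong for Kubernetes Ingress" \
      description="Use Kong for Kubernetes Ingress. Configure plugins, health checking, load balancing and more in Kong for Kubernetes Services, all using Custom Resource Definitions (CRDs) and Kubernetes-native tooling."

# Create the user (ID 1000) and group that will be used in the
# running container to run the process as an unprivileged user.
RUN groupadd --system kic && \
    adduser --system kic -g kic -u 1000

# No WORKDIR is set in this stage, so "." resolves to / and the binary lands
# at /manager, which is what ENTRYPOINT runs.
# NOTE(review): this copies /workspace/manager, whereas the standard build is
# consumed from /workspace/bin/manager; confirm the output path of the FIPS
# build.
COPY --from=builder-fips /workspace/manager .
COPY LICENSE /licenses/

# Apply the same package update as the non-FIPS RHEL stage, so this variant
# does not ship base-image packages that stage would have patched. The package
# cache is cleaned in the same layer; removing it in a later layer would not
# shrink the image.
RUN yum update -y && \
    yum clean all

# Perform any further action as an unprivileged user.
USER 1000

# Run the compiled binary.
ENTRYPOINT ["/manager"]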
### Distroless/default
# Package the manager binary on distroless, a minimal base image.
# See https://github.com/GoogleContainerTools/distroless for details.
# As the last stage in the file this is the image built when no --target is
# given.
# NOTE(review): the base is referenced by the floating "nonroot" tag, not by
# digest.
FROM gcr.io/distroless/static:nonroot AS distroless

# TAG feeds the version label. The platform args are declared but not used in
# this stage.
ARG TAG
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH

LABEL name="Kong Ingress Controller" \
      vendor="Kong" \
      version="$TAG" \
      release="1" \
      url="https://github.com/Kong/kubernetes-ingress-controller" \
      summary="Kong for Kubernetes Ingress" \
      description="Use Kong for Kubernetes Ingress. Configure plugins, health checking, load balancing and more in Kong for Kubernetes Services, all using Custom Resource Definitions (CRDs) and Kubernetes-native tooling."

WORKDIR /

# Only the compiled binary is taken from the builder stage.
COPY --from=builder /workspace/bin/manager /manager

# Run as the unprivileged numeric UID:GID rather than root.
USER 65532:65532

ENTRYPOINT ["/manager"]