diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7b63b0160..935d650e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,12 @@
 ## main / unreleased
+* [CHANGE] The docker base images are now based off distroless images rather than Alpine. #149
+ * The standard base image is now `gcr.io/distroless/static-debian12:nonroot`.
+ * The boringcrypto base image is now `gcr.io/distroless/base-nossl-debian12:nonroot` (for glibc).
+
 ## v0.16.0
+
 * [ENHANCEMENT] If the POST to prepare-shutdown fails for any replica, attempt to undo the operation by issuing an HTTP DELETE to prepare-shutdown for all target replicas. #146
 ## v0.15.0
diff --git a/Dockerfile b/Dockerfile
index 47a245928..22a6a17d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,5 @@
+ARG BASEIMAGE
+
 FROM golang:1.22-bookworm AS build
 ARG TARGETOS
@@ -8,17 +10,11 @@ COPY . /src/rollout-operator
 WORKDIR /src/rollout-operator
 RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} make ${BUILDTARGET}
-FROM alpine:3.19
-RUN apk add --no-cache ca-certificates gcompat
+FROM ${BASEIMAGE}
 COPY --from=build /src/rollout-operator/rollout-operator /bin/rollout-operator
 ENTRYPOINT [ "/bin/rollout-operator" ]
-# Create rollout-operator user to run as non-root.
-RUN addgroup -g 10000 -S rollout-operator && \
- adduser -u 10000 -S rollout-operator -G rollout-operator
-USER rollout-operator:rollout-operator
-
 ARG revision
 LABEL org.opencontainers.image.title="rollout-operator" \
 org.opencontainers.image.source="https://github.com/grafana/rollout-operator" \
diff --git a/Makefile b/Makefile
index d21423f93..19063ee15 100644
--- a/Makefile
+++ b/Makefile
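Review bot: `ARG BASEIMAGE` on the first line of the Dockerfile has no default, so a plain `docker build .` without the Makefile's `--build-arg BASEIMAGE=…` expands the later `FROM ${BASEIMAGE}` to an empty image name and the build fails with an unhelpful error. Defaulting it to the standard image, `ARG BASEIMAGE=gcr.io/distroless/static-debian12:nonroot`, keeps the Dockerfile usable on its own and leaves only the boringcrypto build needing an override. A one-line comment above it noting that `BASEIMAGE` has to be a glibc-based image (the Makefile's `BORINGCRYPTO_BASE_IMAGE`) whenever `BUILDTARGET=rollout-operator-boringcrypto` is used would document the coupling between the two args.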
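Review bot: With the `USER rollout-operator:rollout-operator` line removed, whether the container runs as non-root now depends entirely on the value passed for `BASEIMAGE`; any tag other than `:nonroot` supplied through `--build-arg` produces an image that runs as root with no signal at build time. Keeping an explicit `USER 65532:65532` (the uid/gid of the distroless `nonroot` user) after the `COPY --from=build` line preserves that guarantee independently of the build arg, and a numeric value is what Kubernetes needs to verify `runAsNonRoot` without a separate `runAsUser`. The effective uid also changes from 10000 to 65532, which matters for any manifest, PodSecurity setting or volume permission that pinned 10000; that deserves a sentence in the CHANGELOG entry. The same uid change applies to the `integration/mock-service/Dockerfile` hunk later in this commit.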
@@ -15,6 +15,10 @@ GOARCH ?= $(shell go env GOARCH)
 DONT_FIND := -name vendor -prune -o -name .git -prune -o -name .cache -prune -o -name .pkg -prune
 GO_FILES := $(shell find . $(DONT_FIND) -o -type f -name '*.go' -print)
+BASE_IMAGE=gcr.io/distroless/static-debian12:nonroot
+# Boringcrypto has a different base image for glibc
+BORINGCRYPTO_BASE_IMAGE=gcr.io/distroless/base-nossl-debian12:nonroot
+
 .DEFAULT_GOAL := rollout-operator
 # Adapted from https://www.thapaliya.com/en/writings/well-documented-makefiles/
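Review bot: `BASE_IMAGE=…` and `BORINGCRYPTO_BASE_IMAGE=…` both name a mutable tag, so the base layers that go into a release can change between two builds of the same commit without anything in the repository changing. Pinning each to a digest, e.g. `BASE_IMAGE ?= gcr.io/distroless/static-debian12:nonroot@sha256:<digest>`, makes the image reproducible and turns a base-image update into a reviewable diff. Using `?=` instead of the bare `=` also matches the `GOARCH ?=` line in the hunk header and lets CI supply a mirrored or pre-pulled base through the environment. The Makefile spells the variable `BASE_IMAGE` while the Dockerfile's build arg is `BASEIMAGE`; one spelling in both places would make the `--build-arg` lines easier to follow.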
@@ -31,23 +35,23 @@ rollout-operator-boringcrypto: $(GO_FILES) ## Build the rollout-operator binary
 .PHONY: build-image
 build-image: clean ## Build the rollout-operator image
- docker buildx build --load --platform linux/amd64 --build-arg revision=$(GIT_REVISION) -t rollout-operator:latest -t rollout-operator:$(IMAGE_TAG) .
+ docker buildx build --load --platform linux/amd64 --build-arg revision=$(GIT_REVISION) --build-arg BASEIMAGE=$(BASE_IMAGE) -t rollout-operator:latest -t rollout-operator:$(IMAGE_TAG) .
 .PHONY: build-image-boringcrypto
 build-image-boringcrypto: clean ## Build the rollout-operator image with boringcrypto
 # Tags with the regular image repo for integration testing
- docker buildx build --load --platform linux/amd64 --build-arg revision=$(GIT_REVISION) --build-arg BUILDTARGET=rollout-operator-boringcrypto -t rollout-operator:latest -t rollout-operator:$(IMAGE_TAG) .
+ docker buildx build --load --platform linux/amd64 --build-arg revision=$(GIT_REVISION) --build-arg BASEIMAGE=$(BORINGCRYPTO_BASE_IMAGE) --build-arg BUILDTARGET=rollout-operator-boringcrypto -t rollout-operator:latest -t rollout-operator:$(IMAGE_TAG) .
 .PHONY: publish-images
 publish-images: publish-standard-image publish-boringcrypto-image ## Build and publish both the standard and boringcrypto images
 .PHONY: publish-standard-image
 publish-standard-image: clean ## Build and publish only the standard rollout-operator image
- docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg revision=$(GIT_REVISION) --build-arg BUILDTARGET=rollout-operator -t $(IMAGE_PREFIX)/rollout-operator:$(IMAGE_TAG) .
+ docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg revision=$(GIT_REVISION) --build-arg BASEIMAGE=$(BASE_IMAGE) --build-arg BUILDTARGET=rollout-operator -t $(IMAGE_PREFIX)/rollout-operator:$(IMAGE_TAG) .
 .PHONY: publish-boringcrypto-image
 publish-boringcrypto-image: clean ## Build and publish only the boring-crypto rollout-operator image
- docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg revision=$(GIT_REVISION) --build-arg BUILDTARGET=rollout-operator-boringcrypto -t $(IMAGE_PREFIX)/rollout-operator-boringcrypto:$(IMAGE_TAG) .
+ docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg revision=$(GIT_REVISION) --build-arg BASEIMAGE=$(BORINGCRYPTO_BASE_IMAGE) --build-arg BUILDTARGET=rollout-operator-boringcrypto -t $(IMAGE_PREFIX)/rollout-operator-boringcrypto:$(IMAGE_TAG) .
 .PHONY: test
 test: ## Run tests
diff --git a/integration/mock-service/Dockerfile b/integration/mock-service/Dockerfile
index 422d85d60..52d966c9e 100644
--- a/integration/mock-service/Dockerfile
+++ b/integration/mock-service/Dockerfile
@@ -1,13 +1,8 @@
-FROM alpine:3.19
+FROM gcr.io/distroless/static-debian12:nonroot
 COPY mock-service /bin/mock-service
 ENTRYPOINT [ "/bin/mock-service" ]
-# Create mock-service user to run as non-root.
-RUN addgroup -g 10000 -S mock-service && \
- adduser -u 10000 -S mock-service -G mock-service
-USER mock-service:mock-service
-
 ARG revision
 LABEL org.opencontainers.image.title="mock-service" \
 org.opencontainers.image.source="https://github.com/grafana/rollout-operator/integration/mock-service" \
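Review bot: The four `docker buildx build` recipes in this hunk now differ only in `--load`/`--push`, the platform list, the `BASEIMAGE`/`BUILDTARGET` args and the tags, and this change had to be hand-applied to all four, which is how such lines drift apart. A shared prefix such as `DOCKER_BUILD := docker buildx build --build-arg revision=$(GIT_REVISION)` defined next to `BASE_IMAGE`, with each recipe reduced to `$(DOCKER_BUILD) --load --platform linux/amd64 --build-arg BASEIMAGE=$(BASE_IMAGE) -t rollout-operator:latest -t rollout-operator:$(IMAGE_TAG) .` and the push variants likewise, would keep the common flags in one place. The boringcrypto publish target still builds for `linux/arm64`; if that is intentional it is worth a `##` comment on the target, since the base image switched to a glibc variant specifically for that build.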