feat: add distroless images (#1114)

Dockerfile-alpine → .docker/Dockerfile-alpine

@@ -1,6 +1,3 @@
-# To compile this image manually run:
-#
-# $ make docker
 FROM alpine:3.18
 
 RUN addgroup -S ory; \

.docker/Dockerfile-build

@@ -0,0 +1,29 @@
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.20-bullseye AS builder
+
+WORKDIR /go/src/github.com/ory/oathkeeper
+
+RUN apt-get update && apt-get upgrade -y
+
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+ENV CGO_ENABLED 0
+ENV GO111MODULE on
+
+RUN go mod download
+
+COPY . .
+
+RUN go build -o /usr/bin/oathkeeper .
+
+#########################
+
+FROM gcr.io/distroless/static-debian11:nonroot AS runner
+
+COPY --from=builder --chown=nonroot:nonroot /usr/bin/oathkeeper /usr/bin/oathkeeper
+
+EXPOSE 4455 4456
+
+ENTRYPOINT ["oathkeeper"]
+CMD ["serve"]

.docker/Dockerfile-distroless-static

@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY --chown=nonroot:nonroot oathkeeper /usr/bin/oathkeeper
+EXPOSE 4455 4456
+
+ENTRYPOINT ["oathkeeper"]
+CMD ["oathkeeper"]

.github/workflows/cve-scan.yaml

@@ -32,7 +32,7 @@ jobs:
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
           fail-build: true
           severity-cutoff: high
           add-cpes-if-none: true
@@ -52,7 +52,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
+          image-ref: oryd/oathkeeper:${{ env.SHA_SHORT }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
@@ -63,15 +63,15 @@ jobs:
         uses: erzz/[email protected]
         if: ${{ always() }}
         with:
-          image: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
           exit-code: 42
           failure-threshold: high
       - name: Hadolint
         uses: hadolint/[email protected]
         id: hadolint
         if: ${{ always() }}
         with:
-          dockerfile: Dockerfile-alpine
+          dockerfile: .docker/Dockerfile-build
           verbose: true
           format: "json"
           failure-threshold: "error"

.goreleaser.yml

@@ -17,6 +17,7 @@ variables:
   buildinfo_hash: "github.com/ory/oathkeeper/x.Commit"
   buildinfo_tag: "github.com/ory/oathkeeper/x.Version"
   buildinfo_date: "github.com/ory/oathkeeper/x.Date"
-  dockerfile: "./Dockerfile-alpine"
+  dockerfile_alpine: ".docker/Dockerfile-alpine"
+  dockerfile_static: ".docker/Dockerfile-distroless-static"
 
 project_name: oathkeeper

Makefile

@@ -82,10 +82,7 @@ install:
 
 .PHONY: docker
 docker:
-	CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG} --progress=plain .
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG}-alpine --progress=plain -f Dockerfile-alpine .
-	rm oathkeeper
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG} --progress=plain -f .docker/Dockerfile-build . 
 
 docs/cli: .bin/clidoc
 	clidoc .