From 8ac1dac6c34f6e1cdf5a5e7a1a699c5951333d03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?=
Date: Tue, 4 Jul 2023 10:31:22 +0200
Subject: [PATCH] feat: add distroless images (#1114)

---
 .../Dockerfile-alpine                |  3 --
 .docker/Dockerfile-build             | 29 +++++++++++++++++++
 .docker/Dockerfile-distroless-static |  7 +++++
 .github/workflows/cve-scan.yaml      |  8 ++---
 .goreleaser.yml                      |  3 +-
 Dockerfile                           | 20 -------------
 Dockerfile-dc                        | 26 -----------------
 Makefile                             |  5 +---
 8 files changed, 43 insertions(+), 58 deletions(-)
 rename Dockerfile-alpine => .docker/Dockerfile-alpine (83%)
 create mode 100644 .docker/Dockerfile-build
 create mode 100644 .docker/Dockerfile-distroless-static
 delete mode 100644 Dockerfile
 delete mode 100644 Dockerfile-dc

diff --git a/Dockerfile-alpine b/.docker/Dockerfile-alpine
similarity index 83%
rename from Dockerfile-alpine
rename to .docker/Dockerfile-alpine
index ee5e0bfe8c..0470bdf7d7 100644
--- a/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,6 +1,3 @@
-# To compile this image manually run:
-#
-# $ make docker
 FROM alpine:3.18
 
 RUN addgroup -S ory; \
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
new file mode 100644
index 0000000000..25172323fb
--- /dev/null
+++ b/.docker/Dockerfile-build
@@ -0,0 +1,29 @@
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.20-bullseye AS builder
+
+WORKDIR /go/src/github.com/ory/oathkeeper
+
+RUN apt-get update && apt-get upgrade -y
+
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+ENV CGO_ENABLED 0
+ENV GO111MODULE on
+
+RUN go mod download
+
+COPY . .
+
+RUN go build -o /usr/bin/oathkeeper .
+
+#########################
+
+FROM gcr.io/distroless/static-debian11:nonroot AS runner
+
+COPY --from=builder --chown=nonroot:nonroot /usr/bin/oathkeeper /usr/bin/oathkeeper
+
+EXPOSE 4455 4456
+
+ENTRYPOINT ["oathkeeper"]
+CMD ["serve"]
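Review bot: The builder's `ENV CGO_ENABLED 0` and `ENV GO111MODULE on` use the legacy space-separated form that BuildKit's build checks report as LegacyKeyValueFormat; `ENV CGO_ENABLED=0 GO111MODULE=on` is the current syntax and is one layer instead of two. `RUN apt-get update && apt-get upgrade -y` makes the builder stage non-reproducible without changing the runtime image, since only `/usr/bin/oathkeeper` is copied into the distroless stage; bumping or digest-pinning `golang:1.20-bullseye` gives the same effect deterministically, and a digest pin on `gcr.io/distroless/static-debian11:nonroot` would make the runtime base reproducible as well. The binary is produced by a bare `go build`, so build-host paths and debug symbols ship in the image; `RUN go build -trimpath -ldflags="-s -w" -o /usr/bin/oathkeeper .` avoids that. `COPY . .` pulls the whole context into the builder, and I cannot see a `.dockerignore` in this patch, so `.git` and local files may land in the builder layer (not in the final image).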
diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
new file mode 100644
index 0000000000..91020b7c27
--- /dev/null
+++ b/.docker/Dockerfile-distroless-static
@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY --chown=nonroot:nonroot oathkeeper /usr/bin/oathkeeper
+EXPOSE 4455 4456
+
+ENTRYPOINT ["oathkeeper"]
+CMD ["oathkeeper"]
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index e17ea70eda..4d99e53056 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -32,7 +32,7 @@ jobs:
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
           fail-build: true
           severity-cutoff: high
           add-cpes-if-none: true
@@ -52,7 +52,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
+          image-ref: oryd/oathkeeper:${{ env.SHA_SHORT }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
@@ -63,7 +63,7 @@ jobs:
         uses: erzz/dockle-action@v1.3.2
         if: ${{ always() }}
         with:
-          image: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
           exit-code: 42
           failure-threshold: high
       - name: Hadolint
@@ -71,7 +71,7 @@ jobs:
         id: hadolint
         if: ${{ always() }}
         with:
-          dockerfile: Dockerfile-alpine
+          dockerfile: .docker/Dockerfile-build
           verbose: true
           format: "json"
           failure-threshold: "error"
diff --git a/.goreleaser.yml b/.goreleaser.yml
index cbb1798b70..02a2f607fe 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -17,6 +17,7 @@ variables:
   buildinfo_hash: "github.com/ory/oathkeeper/x.Commit"
   buildinfo_tag: "github.com/ory/oathkeeper/x.Version"
   buildinfo_date: "github.com/ory/oathkeeper/x.Date"
-  dockerfile: "./Dockerfile-alpine"
+  dockerfile_alpine: ".docker/Dockerfile-alpine"
+  dockerfile_static: ".docker/Dockerfile-distroless-static"
 
 project_name: oathkeeper
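Review bot: `CMD ["oathkeeper"]` together with `ENTRYPOINT ["oathkeeper"]` makes the default command `oathkeeper oathkeeper`, so a plain `docker run` of this image will not start the proxy; the other Dockerfiles in this patch (`.docker/Dockerfile-build` and the deleted `Dockerfile`) use `CMD ["serve"]`, which is what this one should use. The entrypoint also relies on the distroless image's PATH resolving `oathkeeper` to `/usr/bin/oathkeeper`; `ENTRYPOINT ["/usr/bin/oathkeeper"]`, as the deleted `Dockerfile-dc` did, removes that dependency. Like the builder stage's base, `gcr.io/distroless/static-debian11:nonroot` is pinned by tag only; a digest pin would make this release image reproducible.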
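Review bot: After this change grype scans only `oryd/oathkeeper:${{ env.SHA_SHORT }}`, the distroless image the Makefile now builds from `.docker/Dockerfile-build`, while the alpine runtime image still has a Dockerfile in this patch (`.docker/Dockerfile-alpine`, referenced from `.goreleaser.yml`) but drops out of CVE scanning entirely; the trivy (`@@ -52`) and dockle (`@@ -63`) hunks make the same switch. The alpine variant is the one carrying an OS package set and so the one where scanner findings are most likely, so if it is still released it seems worth keeping a second scan entry for the `-alpine` tag alongside the distroless one. The step that builds and tags the scanned image is outside these hunks, so I cannot confirm whether an alpine image is still produced in this workflow.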
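Review bot: Hadolint now lints only `.docker/Dockerfile-build`; the renamed `.docker/Dockerfile-alpine`, which was linted before this change, and the new `.docker/Dockerfile-distroless-static` are not linted at all. Two further steps with `dockerfile: .docker/Dockerfile-alpine` and `dockerfile: .docker/Dockerfile-distroless-static`, or a matrix over the three files, would keep the release Dockerfiles covered. The step's `uses:` line is outside the hunk, so I cannot tell whether the action can take several files in one invocation.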
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 1c7a0f747a..0000000000
--- a/Dockerfile
+++ /dev/null
@@ -1,20 +0,0 @@
-# To compile this image manually run:
-#
-# $ make docker
-FROM alpine:3.18 as base
-
-RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates
-
-#############
-FROM scratch
-
-COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY oathkeeper /usr/bin/oathkeeper
-
-USER 1000
-
-EXPOSE 4455
-EXPOSE 4456
-
-ENTRYPOINT ["oathkeeper"]
-CMD ["serve"]
diff --git a/Dockerfile-dc b/Dockerfile-dc
deleted file mode 100644
index e3e6e43f8b..0000000000
--- a/Dockerfile-dc
+++ /dev/null
@@ -1,26 +0,0 @@
-FROM golang:1.20-alpine3.18 AS builder
-
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -H -s /bin/nologin
-
-RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates
-
-COPY . /app
-WORKDIR /app
-ENV GO111MODULE on
-RUN go mod download && go mod tidy
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
-
-############
-FROM alpine:3.18 AS runner
-
-RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates
-
-COPY --from=builder /app/oathkeeper /usr/bin/oathkeeper
-USER 1000
-
-EXPOSE 4455
-EXPOSE 4456
-
-ENTRYPOINT ["/usr/bin/oathkeeper"]
-CMD ["serve"]
diff --git a/Makefile b/Makefile
index 82029a7a3c..c4c1b156fd 100644
--- a/Makefile
+++ b/Makefile
@@ -82,10 +82,7 @@ install:
 
 .PHONY: docker
 docker:
-	CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG} --progress=plain .
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG}-alpine --progress=plain -f Dockerfile-alpine .
-	rm oathkeeper
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG} --progress=plain -f .docker/Dockerfile-build .
 
docs/cli: .bin/clidoc
	clidoc .
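Review bot: The rebuilt `docker` target keeps `DOCKER_CONTENT_TRUST=1` on a `DOCKER_BUILDKIT=1` build; as far as I know BuildKit does not enforce content trust on `FROM` images, so the variable does not actually verify `golang:1.20-bullseye` or `gcr.io/distroless/static-debian11:nonroot` from `.docker/Dockerfile-build`, and digest-pinning both base images in that Dockerfile is the reliable way to get the guarantee the variable suggests. The target also no longer builds the alpine variant, so `make docker` and the goreleaser release (which still lists `.docker/Dockerfile-alpine`) now produce different image sets; if that is intended, a one-line comment above `docker:` such as `# builds the distroless image only; the alpine image is built by goreleaser` would save the next reader the search.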