2022-03-31 18:48:52 +00:00
|
|
|
# syntax=docker/dockerfile:1
|
2022-03-29 23:58:41 +00:00
|
|
|
|
2022-03-31 18:48:52 +00:00
|
|
|
# Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
2022-03-29 23:58:41 +00:00
|
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
# this dockerfile is used to produce a binary of Pinniped that uses
|
2022-03-31 18:48:52 +00:00
|
|
|
# only fips-allowable ciphers. Note that this is provided only as
|
|
|
|
# an example. Pinniped has no official support for fips and using
|
|
|
|
# a version built from this dockerfile may have unforseen consquences.
|
|
|
|
# Please do not create issues in regards to problems encountered by
|
|
|
|
# using this dockerfile. Using this dockerfile does not convey
|
|
|
|
# any type of fips certification.
|
2022-03-29 23:58:41 +00:00
|
|
|
|
|
|
|
# use go-boringcrypto rather than main go
|
2023-01-18 03:19:01 +00:00
|
|
|
FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:1.18.10b7 as build-env
|
2022-03-29 23:58:41 +00:00
|
|
|
|
|
|
|
WORKDIR /work
|
|
|
|
COPY . .
|
|
|
|
ARG GOPROXY
|
|
|
|
|
2022-03-31 18:48:52 +00:00
|
|
|
# Build the executable binary (CGO_ENABLED=1 is required for go boring).
|
|
|
|
# Even though we need cgo to call the boring crypto C functions, these
|
|
|
|
# functions are statically linked into the binary. We also want to statically
|
|
|
|
# link any libc bits hence we pass "-linkmode=external -extldflags -static"
|
|
|
|
# to the ldflags directive. We do not pass "-s" to ldflags because we do
|
|
|
|
# not want to strip symbols - those are used to verify if we compiled correctly.
|
|
|
|
# We do not pass in GOCACHE (build cache) and GOMODCACHE (module cache)
|
|
|
|
# because there have been bugs in the Go compiler caching when using cgo
|
|
|
|
# (it will sometimes use cached artifiacts when it should not). Since we
|
|
|
|
# use gcc as the C compiler, the following warning is emitted:
|
|
|
|
# /boring/boringssl/build/../crypto/bio/socket_helper.c:55: warning:
|
|
|
|
# Using 'getaddrinfo' in statically linked applications requires at
|
|
|
|
# runtime the shared libraries from the glibc version used for linking
|
|
|
|
# This is referring to the code in
|
|
|
|
# https://github.com/google/boringssl/blob/af34f6460f0bf99dc267818f02b2936f60a30de7/crypto/bio/socket_helper.c#L55
|
|
|
|
# which calls the getaddrinfo function. This function, even when statically linked,
|
|
|
|
# uses dlopen to dynamically fetch networking config. It is safe for us to ignore
|
|
|
|
# this warning because the go boring cypto code does not create netowrking connections:
|
|
|
|
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/src/crypto/internal/boring/goboringcrypto.h
|
|
|
|
# The osusergo and netgo tags are used to make sure that the Go implementations of these
|
|
|
|
# standard library packages are used instead of the libc based versions.
|
|
|
|
# We want to have no reliance on any C code other than the boring crypto bits.
|
|
|
|
# Setting GOOS=linux GOARCH=amd64 is a hard requirment for boring crypto:
|
|
|
|
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/misc/boring/README.md?plain=1#L95
|
|
|
|
# Thus trying to compile the pinniped CLI with boring crypto is meaningless
|
|
|
|
# since we would not be able to ship windows and macOS binaries.
|
2022-03-29 23:58:41 +00:00
|
|
|
RUN \
|
|
|
|
mkdir out && \
|
|
|
|
export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 && \
|
|
|
|
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
|
|
|
|
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
|
|
|
|
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
|
|
|
|
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
|
|
|
|
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
|
|
|
|
|
|
|
|
# Use a distroless runtime image with CA certificates, timezone data, and not much else.
|
2022-09-23 21:41:54 +00:00
|
|
|
FROM gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e
|
2022-03-29 23:58:41 +00:00
|
|
|
|
|
|
|
# Copy the server binary from the build-env stage.
|
|
|
|
COPY --from=build-env /usr/local/bin /usr/local/bin
|
|
|
|
|
|
|
|
# Document the default server ports for the various server apps
|
|
|
|
EXPOSE 8443 8444 10250
|
|
|
|
|
|
|
|
# Run as non-root for security posture
|
|
|
|
# Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9
|
|
|
|
# This is a workaround for https://github.com/GoogleContainerTools/distroless/issues/718
|
|
|
|
USER 65532:65532
|
|
|
|
|
|
|
|
# Set the entrypoint
|
|
|
|
ENTRYPOINT ["/usr/local/bin/pinniped-server"]
|