djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
jtc/simplify-fips-1373
ContainerImage.Pinniped/hack/Dockerfile_fips
Joshua Casey 5dc454de3d wip
2023-04-07 19:39:41 -05:00

59 lines
2.6 KiB
Docker
Raw Permalink Blame History

# syntax=docker/dockerfile:1
# Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This dockerfile is used to produce a binary of Pinniped that uses
# only FIPS-allowable ciphers. Note that this is provided only as
# an example. Pinniped has no official support for FIPS and using
# a version built from this dockerfile may have unforseen consquences.
# Please do not create issues in regards to problems encountered by
# using this dockerfile. Using this dockerfile does not convey
# any type of FIPS certification.
# Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
# hidden behind a `GOEXPERIMENT=boringcrypto` env var.
# See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
# and https://kupczynski.info/posts/fips-golang/ for details.
FROM golang:1.20.3 as build-env
WORKDIR /work
COPY . .
ARG GOPROXY
# Build the executable binary (CGO_ENABLED=0 means static linking)
# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
# can be re-used between image builds.
RUN \
--mount=type=cache,target=/cache/gocache \
--mount=type=cache,target=/cache/gomodcache \
mkdir out && \
export GOCACHE=/cache/gocache && \
export GOMODCACHE=/cache/gomodcache && \
export CGO_ENABLED=0 && \
export GOOS=linux && \
export GOARCH=amd64 && \
export GOEXPERIMENT=boringcrypto && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
# Use a distroless runtime image with CA certificates, timezone data, and not much else.
FROM gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e
# Copy the server binary from the build-env stage.
COPY --from=build-env /usr/local/bin /usr/local/bin
# Document the default server ports for the various server apps
EXPOSE 8443 8444 10250
# Run as non-root for security posture
# Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9
# This is a workaround for https://github.com/GoogleContainerTools/distroless/issues/718
USER 65532:65532
# Set the entrypoint
ENTRYPOINT ["/usr/local/bin/pinniped-server"]
Reference in New Issue View Git Blame Copy Permalink