84 lines
4.8 KiB
Docker
84 lines
4.8 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
# Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
# this dockerfile is used to produce a binary of Pinniped that uses
|
|
# only fips-allowable ciphers. Note that this is provided only as
|
|
# an example. Pinniped has no official support for fips and using
|
|
# a version built from this dockerfile may have unforseen consquences.
|
|
# Please do not create issues in regards to problems encountered by
|
|
# using this dockerfile. Using this dockerfile does not convey
|
|
# any type of fips certification.
|
|
|
|
# Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
|
|
# hidden behind a `GOEXPERIMENT=boringcrypto` env var.
|
|
# See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
|
|
# and https://kupczynski.info/posts/fips-golang/ for details.
|
|
|
|
# This is not currently using --platform to prepare to cross-compile because we use gcc below to build
|
|
# platform-specific GCO code. This makes multi-arch builds slow due to target platform emulation.
|
|
FROM golang:1.21.3 as build-env
|
|
|
|
WORKDIR /work
|
|
|
|
ARG GOPROXY
|
|
|
|
ARG KUBE_GIT_VERSION
|
|
ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION
|
|
|
|
# These will be set by buildkit automatically, e.g. TARGETOS set to "linux" and TARGETARCH set to "amd64" or "arm64".
|
|
# Useful for building multi-arch container images.
|
|
ARG TARGETOS
|
|
ARG TARGETARCH
|
|
|
|
# Build the executable binary (CGO_ENABLED=1 is required for go boring).
|
|
# Even though we need cgo to call the boring crypto C functions, these
|
|
# functions are statically linked into the binary. We also want to statically
|
|
# link any libc bits hence we pass "-linkmode=external -extldflags -static"
|
|
# to the ldflags directive. We do not pass "-s" to ldflags because we do
|
|
# not want to strip symbols - those are used to verify if we compiled correctly.
|
|
# Since we use gcc as the C compiler, the following warning is emitted:
|
|
# /boring/boringssl/build/../crypto/bio/socket_helper.c:55: warning:
|
|
# Using 'getaddrinfo' in statically linked applications requires at
|
|
# runtime the shared libraries from the glibc version used for linking
|
|
# This is referring to the code in
|
|
# https://github.com/google/boringssl/blob/af34f6460f0bf99dc267818f02b2936f60a30de7/crypto/bio/socket_helper.c#L55
|
|
# which calls the getaddrinfo function. This function, even when statically linked,
|
|
# uses dlopen to dynamically fetch networking config. It is safe for us to ignore
|
|
# this warning because the go boring cypto code does not create netowrking connections:
|
|
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/src/crypto/internal/boring/goboringcrypto.h
|
|
# The osusergo and netgo tags are used to make sure that the Go implementations of these
|
|
# standard library packages are used instead of the libc based versions.
|
|
# We want to have no reliance on any C code other than the boring crypto bits.
|
|
RUN \
|
|
--mount=target=. \
|
|
--mount=type=cache,target=/cache/gocache \
|
|
--mount=type=cache,target=/cache/gomodcache \
|
|
export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=1 GOOS=$TARGETOS GOARCH=$TARGETARCH GOEXPERIMENT=boringcrypto && \
|
|
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
|
|
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
|
|
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
|
|
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
|
|
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
|
|
|
|
# Use a distroless runtime image with CA certificates, timezone data, and not much else.
|
|
# Note that we are not using --platform here, so it will choose the base image for the target platform, not the build platform.
|
|
# By using "distroless/static" instead of "distroless/static-debianXX" we can float on the latest stable version of debian.
|
|
# See https://github.com/GoogleContainerTools/distroless#base-operating-system
|
|
FROM gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e
|
|
|
|
# Copy the server binary from the build-env stage.
|
|
COPY --from=build-env /usr/local/bin /usr/local/bin
|
|
|
|
# Document the default server ports for the various server apps
|
|
EXPOSE 8443 8444 10250
|
|
|
|
# Run as non-root for security posture
|
|
# Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9
|
|
# This is a workaround for https://github.com/GoogleContainerTools/distroless/issues/718
|
|
USER 65532:65532
|
|
|
|
# Set the entrypoint
|
|
ENTRYPOINT ["/usr/local/bin/pinniped-server"]
|