8a41419b94
This optimizes our image in a few different ways: - It adds a bunch of files and directories to the `.dockerignore` file. This lets us have a single `COPY . .` but still be very aggressive about pruning what files end up in the build context. - It adds build-time cache mounts to the `go build` commands using BuildKit's `--mount=type=cache` flag. This requires BuildKit-capable Docker, but means that our Go builds can all be incremental builds. This replaces the previous flow we had where we needed to split out `go mod download`. - Instead of letting the full `apt-get install ca-certificates` layer end up in our final image, we copy just the single file we need. Signed-off-by: Matt Moyer <moyerm@vmware.com>
48 lines
1.4 KiB
Docker
48 lines
1.4 KiB
Docker
# syntax = docker/dockerfile:1.0-experimental
|
|
|
|
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
FROM golang:1.15.7 as build-env
|
|
|
|
WORKDIR /work
|
|
COPY . .
|
|
ARG GOPROXY
|
|
|
|
# Build the executable binary (CGO_ENABLED=0 means static linking)
|
|
# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
|
|
# can be re-used between image builds.
|
|
RUN \
|
|
--mount=type=cache,target=/cache/gocache \
|
|
--mount=type=cache,target=/cache/gomodcache \
|
|
mkdir out && \
|
|
GOCACHE=/cache/gocache \
|
|
GOMODCACHE=/cache/gomodcache \
|
|
CGO_ENABLED=0 \
|
|
GOOS=linux \
|
|
GOARCH=amd64 \
|
|
go build -v -ldflags "$(hack/get-ldflags.sh)" -o out \
|
|
./cmd/pinniped-concierge/... \
|
|
./cmd/pinniped-supervisor/... \
|
|
./cmd/local-user-authenticator/...
|
|
|
|
# Use a Debian slim image to grab a reasonable default CA bundle.
|
|
FROM debian:10.7-slim AS get-ca-bundle-env
|
|
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/* /var/cache/debconf/*
|
|
|
|
# Use a runtime image based on Debian slim.
|
|
FROM debian:10.7-slim
|
|
COPY --from=get-ca-bundle-env /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
|
|
|
|
# Copy the binaries from the build-env stage.
|
|
COPY --from=build-env /work/out/ /usr/local/bin/
|
|
|
|
# Document the ports
|
|
EXPOSE 8080 8443
|
|
|
|
# Run as non-root for security posture
|
|
USER 1001:1001
|
|
|
|
# Set the entrypoint
|
|
ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]
|