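### Standard binary
# Build the manager binary.
# NOTE(review): the base image is referenced by tag only; pinning it by digest
# would make the toolchain reproducible. Also confirm that this Go release
# still receives security fixes.
FROM golang:1.19.1 AS builder

# Target platform arguments; BuildKit/buildx fills these in automatically.
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
# Declared so that the diagnostic output below prints a real value: a build
# argument that is not declared in the stage expands to an empty string.
ARG TARGETVARIANT

# Log the requested target next to what the build container actually reports.
# Values are passed as printf arguments rather than spliced into the format
# string, so a '%' or '\' in a value cannot change the output.
RUN printf 'Building for TARGETPLATFORM=%s' "${TARGETPLATFORM}" \
    && printf ', TARGETARCH=%s' "${TARGETARCH}" \
    && printf ', TARGETOS=%s' "${TARGETOS}" \
    && printf ', TARGETVARIANT=%s \n' "${TARGETVARIANT}" \
    && printf "With 'uname -s': %s and 'uname -m': %s\n" "$(uname -s)" "$(uname -m)"

WORKDIR /workspace
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download

COPY pkg/ pkg/
COPY internal/ internal/

# Build
# Release metadata stamped into the binary through -X. These are declared late
# so that changing them does not invalidate the dependency layers above.
ARG TAG
ARG COMMIT
ARG REPO_INFO
# CGO_ENABLED=0 yields a static binary, which the distroless/static runtime
# stage needs. GOOS is fixed to linux; only GOARCH follows the requested target.
# -s -w drop the symbol table and DWARF data from the release binary.
RUN CGO_ENABLED=0 GOOS=linux GOARCH="${TARGETARCH}" GO111MODULE=on \
    go build -a -o manager \
    -ldflags "-s -w -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Release=$TAG -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Commit=$COMMIT -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Repo=$REPO_INFO" \
    ./internal/cmd/main.go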
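### FIPS 140-2 binary
# Build the manager binary with the Go+BoringCrypto toolchain.
# https://github.com/golang/go/tree/dev.boringcrypto/misc/boring#building-from-docker
# NOTE(review): the toolchain image is referenced by tag only; pinning it by
# digest would make the FIPS build reproducible and auditable.
FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:1.18.6b7 AS builder-fips

# Target platform arguments; BuildKit/buildx fills these in automatically.
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
# Declared so that the diagnostic output below prints a real value: a build
# argument that is not declared in the stage expands to an empty string.
ARG TARGETVARIANT

# Log the requested target next to what the build container actually reports.
# Values are passed as printf arguments rather than spliced into the format
# string, so a '%' or '\' in a value cannot change the output.
RUN printf 'Building for TARGETPLATFORM=%s' "${TARGETPLATFORM}" \
    && printf ', TARGETARCH=%s' "${TARGETARCH}" \
    && printf ', TARGETOS=%s' "${TARGETOS}" \
    && printf ', TARGETVARIANT=%s \n' "${TARGETVARIANT}" \
    && printf "With 'uname -s': %s and 'uname -m': %s\n" "$(uname -s)" "$(uname -m)"

WORKDIR /workspace
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download

COPY pkg/ pkg/
COPY internal/ internal/

# Build
# Release metadata stamped into the binary through -X.
ARG TAG
ARG COMMIT
ARG REPO_INFO
# NOTE(review): Go+BoringCrypto links the BoringCrypto module through cgo. With
# CGO_ENABLED=0 the build is expected to succeed but fall back to the standard
# Go crypto packages, so this binary may not use the validated module at all.
# Confirm by inspecting the built binary's symbols for goboringcrypto
# (go tool nm) before making any FIPS 140-2 claim. Enabling cgo would likely
# also need a runtime base image that provides libc, which distroless/static
# does not. To my knowledge this toolchain's BoringCrypto support is also
# limited to linux/amd64 -- verify for any other TARGETARCH.
RUN CGO_ENABLED=0 GOOS=linux GOARCH="${TARGETARCH}" GO111MODULE=on \
    go build -a -o manager \
    -ldflags "-s -w -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Release=$TAG -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Commit=$COMMIT -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Repo=$REPO_INFO" \
    ./internal/cmd/fips/main.go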
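# Build a manager binary with debug symbols. Delve itself is installed in the
# debug stage, not here.
FROM builder AS builder-delve
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
# Redeclared explicitly: the -X values below are empty unless these arguments
# are in scope, and whether stage-level ARGs carry over from the parent stage
# depends on the builder in use.
ARG TAG
ARG COMMIT
ARG REPO_INFO
# -gcflags=all="-N -l" disables optimisation and inlining so that Delve can map
# instructions back to source lines. -s -w is deliberately absent: the debugger
# needs the symbol table and DWARF data.
RUN CGO_ENABLED=0 GOOS=linux GOARCH="${TARGETARCH}" GO111MODULE=on \
    go build -a -o manager-debug -gcflags=all="-N -l" \
    -ldflags "-X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Release=$TAG -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Commit=$COMMIT -X github.com/kong/kubernetes-ingress-controller/v2/internal/manager/metadata.Repo=$REPO_INFO" \
    ./internal/cmd/main.go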
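### Debug
# Create an image that runs a debug build with a Delve remote server on port 2345.
# The headless Delve API has no authentication: any client that can reach the
# port controls the manager process. Keep this target out of production
# clusters and restrict who can reach 2345 (for example, port-forward only).
FROM golang:1.19.1 AS debug

# Delve release to install. The default keeps the floating "latest" behaviour;
# pass --build-arg DELVE_VERSION=<release tag> to get a reproducible, reviewed
# debugger build. NOTE(review): a floating version can also stop building once
# Delve requires a newer Go than this base image provides -- confirm.
ARG DELVE_VERSION=latest
RUN go install github.com/go-delve/delve/cmd/dlv@${DELVE_VERSION}

# We want all source so Delve file location operations work
COPY --from=builder-delve /workspace/ /workspace/

# Run the debugger as an unprivileged numeric UID:GID.
USER 65532:65532

ENTRYPOINT ["/go/bin/dlv"]
# --listen=:2345 binds on all interfaces; --accept-multiclient lets several
# debugger clients attach, and --continue starts the manager immediately.
CMD ["exec", "--continue", "--accept-multiclient", "--headless", "--api-version=2", "--listen=:2345", "--log", "/workspace/manager-debug"]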
### Distroless/default
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
# NOTE(review): ":nonroot" is a floating tag; pinning the image by digest would
# make the runtime base reproducible.
FROM gcr.io/distroless/static:nonroot AS distroless
# TAG feeds the version label below. The TARGET* arguments are declared but
# not referenced anywhere in this stage.
ARG TAG
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
# Image metadata; version is taken from the TAG build argument.
LABEL name="Kong Ingress Controller" \
vendor="Kong" \
version="$TAG" \
release="1" \
url="https://github.com/Kong/kubernetes-ingress-controller" \
summary="Kong for Kubernetes Ingress" \
description="Use Kong for Kubernetes Ingress. Configure plugins, health checking, load balancing and more in Kong for Kubernetes Services, all using Custom Resource Definitions (CRDs) and Kubernetes-native tooling."
# With WORKDIR set to /, the relative COPY destination resolves to /manager,
# which is the path ENTRYPOINT executes.
WORKDIR /
COPY --from=builder /workspace/manager .
# Run as an unprivileged numeric UID:GID (presumably the base image's nonroot
# user -- confirm). A numeric value lets a runtime verify that it is not root.
USER 65532:65532
ENTRYPOINT ["/manager"]
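### RHEL
# Build UBI image
# NOTE(review): the base image carries no tag, so it resolves to "latest" at
# build time; pin a specific UBI tag or digest for reproducible builds.
FROM registry.access.redhat.com/ubi8/ubi AS redhat

# TAG feeds the version label below. The TARGET* arguments are declared but
# not referenced anywhere in this stage.
ARG TAG
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH

LABEL name="Kong Ingress Controller" \
      vendor="Kong" \
      version="$TAG" \
      release="1" \
      url="https://github.com/Kong/kubernetes-ingress-controller" \
      summary="Kong for Kubernetes Ingress" \
      description="Use Kong for Kubernetes Ingress. Configure plugins, health checking, load balancing and more in Kong for Kubernetes Services, all using Custom Resource Definitions (CRDs) and Kubernetes-native tooling."

# Create the user (ID 1000) and group that will be used in the
# running container to run the process as an unprivileged user.
RUN groupadd --system kic && \
    adduser --system kic -g kic -u 1000

# The destination is spelled out so that the binary lands where ENTRYPOINT
# looks for it, whatever working directory the base image defines.
COPY --from=builder /workspace/manager /manager

COPY LICENSE /licenses/
COPY LICENSES /licenses/

# Perform any further action as an unprivileged user.
USER 1000

# Run the compiled binary.
ENTRYPOINT ["/manager"]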
### distroless FIPS 140-2
# Package the binary from the builder-fips stage on the distroless static base.
# NOTE(review): ":nonroot" is a floating tag; pinning the image by digest would
# make the runtime base reproducible. Unlike the distroless stage, this stage
# sets no LABEL metadata -- confirm that is intended.
FROM gcr.io/distroless/static:nonroot AS distroless-fips
# With WORKDIR set to /, the relative COPY destination resolves to /manager,
# which is the path ENTRYPOINT executes.
WORKDIR /
COPY --from=builder-fips /workspace/manager .
# Run as an unprivileged numeric UID:GID (presumably the base image's nonroot
# user -- confirm).
USER 65532:65532
ENTRYPOINT ["/manager"]
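### RHEL FIPS 140-2
# UBI image that packages the binary from the builder-fips stage.
# NOTE(review): the base image carries no tag, so it resolves to "latest" at
# build time; pin a specific UBI tag or digest for reproducible builds.
FROM registry.access.redhat.com/ubi8/ubi AS redhat-fips

# TAG feeds the version label below.
ARG TAG

LABEL name="Kong Ingress Controller" \
      vendor="Kong" \
      version="$TAG" \
      release="1" \
      url="https://github.com/Kong/kubernetes-ingress-controller" \
      summary="Kong for Kubernetes Ingress" \
      description="Use Kong for Kubernetes Ingress. Configure plugins, health checking, load balancing and more in Kong for Kubernetes Services, all using Custom Resource Definitions (CRDs) and Kubernetes-native tooling."

# Create the user (ID 1000) and group that will be used in the
# running container to run the process as an unprivileged user.
RUN groupadd --system kic && \
    adduser --system kic -g kic -u 1000

# The destination is spelled out so that the binary lands where ENTRYPOINT
# looks for it, whatever working directory the base image defines.
COPY --from=builder-fips /workspace/manager /manager

# NOTE(review): the non-FIPS redhat stage also copies LICENSES into
# /licenses/; confirm that leaving it out here is intentional.
COPY LICENSE /licenses/

# Perform any further action as an unprivileged user.
USER 1000

# Run the compiled binary.
ENTRYPOINT ["/manager"]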