-
Notifications
You must be signed in to change notification settings - Fork 32
/
Dockerfile.dist
89 lines (67 loc) · 3.6 KB
/
Dockerfile.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# Copyright The Enterprise Contract Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
## Build
# Ideally, use the official image from Red Hat, e.g. registry.access.redhat.com/ubi9/go-toolset,
# but a 1.22 release does not yet exist.
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.22.7@sha256:376dd8d1291580a32824c7a072b72e1dce524bb9d300393b656931ba6156b86d AS build
ARG TARGETOS
ARG TARGETARCH
ARG BUILD_SUFFIX="redhat"
ARG BUILD_LIST="darwin_amd64 darwin_arm64 linux_amd64 linux_arm64 linux_ppc64le linux_s390x windows_amd64"
# Avoid safe directory git failures building with default user from go-toolset
USER root
WORKDIR /build
# Copy just the mod file for better layer caching when building locally
COPY go.mod go.sum ./
RUN go mod download
# Copy the tools/kubectl mod file for better layer caching when building locally
COPY tools/kubectl/go.mod tools/kubectl/go.sum ./tools/kubectl/
RUN cd tools/kubectl && go mod download
# Now copy everything including .git
COPY . .
RUN /build/build.sh "${BUILD_LIST}" "${BUILD_SUFFIX}"
## Final image
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:d85040b6e3ed3628a89683f51a38c709185efc3fb552db2ad1b9180f2a6c38be
ARG TARGETOS
ARG TARGETARCH
LABEL \
name="ec-cli" \
description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
io.k8s.description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
summary="Provides the binaries for downloading the EC CLI. Also used as a Tekton task runner image for EC tasks. Red Hat build." \
io.k8s.display-name="Enterprise Contract for Red Hat Trusted Artifact Signer" \
io.openshift.tags="rhtas rhtap trusted-artifact-signer trusted-application-pipeline enterprise-contract ec opa cosign sigstore" \
com.redhat.component="ec-cli"
# Install tools we want to use in the Tekton task
RUN microdnf upgrade --assumeyes --nodocs --setopt=keepcache=0 --refresh && microdnf -y --nodocs --setopt=keepcache=0 install git-core jq
# Copy all the binaries so they're available to extract and download
# (Beware if you're testing this locally it will copy everything from
# your dist directory, not just the freshly built binaries.)
COPY --from=build /build/dist/ec* /usr/local/bin/
# Gzip them because that's what the cli downloader image expects, see
# https://github.com/securesign/cosign/blob/main/Dockerfile.client-server-re.rh
RUN gzip /usr/local/bin/ec_*
# Copy the one ec binary that can run in this container
COPY --from=build "/build/dist/ec_${TARGETOS}_${TARGETARCH}" /usr/local/bin/ec
# Copy the one kubectl binary that can run in this container
COPY --from=build "/build/dist/kubectl_${TARGETOS}_${TARGETARCH}" /usr/local/bin/kubectl
# OpenShift preflight check requires a license
COPY --from=build /build/LICENSE /licenses/LICENSE
# OpenShift preflight check requires a non-root user
USER 1001
# Show some version numbers for troubleshooting purposes
RUN git version && jq --version && ec version && ls -l /usr/local/bin
ENTRYPOINT ["/usr/local/bin/ec"]