-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add dockerfile to build harness image
- Loading branch information
Showing
2 changed files
with
69 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
FROM alpine:3.19 as environment | ||
Check notice Code scanning / Trivy No HEALTHCHECK defined Low
Artifact: hack/harness.Dockerfile
Type: dockerfile Vulnerability DS026 Severity: LOW Message: Add HEALTHCHECK instruction in your Dockerfile Link: DS026 |
||
|
||
RUN mkdir /plural | ||
RUN mkdir /tmp/plural | ||
|
||
FROM golang:1.22-alpine3.19 as builder | ||
|
||
ARG TARGETARCH | ||
ARG TARGETOS | ||
ARG VERSION | ||
|
||
WORKDIR /workspace | ||
|
||
# Retrieve application dependencies. | ||
# This allows the container build to reuse cached dependencies. | ||
# Expecting to copy go.mod and if present go.sum. | ||
COPY go.* ./ | ||
RUN go mod download | ||
|
||
COPY cmd/harness ./cmd/harness | ||
COPY pkg ./pkg | ||
COPY internal ./internal | ||
COPY api ./api | ||
|
||
RUN CGO_ENABLED=0 \ | ||
GOOS=${TARGETOS} \ | ||
GOARCH=${TARGETARCH} \ | ||
go build \ | ||
-trimpath \ | ||
-ldflags="-s -w" \ | ||
-o /plural/harness \ | ||
cmd/harness/main.go | ||
|
||
FROM hashicorp/terraform:1.8.2 as terraform | ||
|
||
FROM busybox:1.35.0-uclibc as busybox | ||
|
||
FROM gcr.io/distroless/base-debian12 as final | ||
Check warning Code scanning / Trivy ':latest' tag used Medium
Artifact: hack/harness.Dockerfile
Type: dockerfile Vulnerability DS001 Severity: MEDIUM Message: Specify a tag in the 'FROM' statement for image 'gcr.io/distroless/base-debian12' Link: DS001 |
||
|
||
# Switch to the nonroot user | ||
USER nonroot:nonroot | ||
|
||
# Set up the environment | ||
# 1. copy plural and tmp directories with proper permissions for the nonroot user | ||
# 2. copy the static shell into base image <- TODO: shell should not be required for prod image | ||
# 3. copy the harness binary | ||
# 4. copy terraform binary | ||
COPY --chown=nonroot --from=environment /plural /plural | ||
COPY --chown=nonroot --from=environment /tmp/plural /tmp | ||
COPY --chown=nonroot --from=busybox /bin/sh /bin/sh | ||
COPY --from=builder /plural/harness /harness | ||
COPY --from=terraform /bin/terraform /bin/terraform | ||
|
||
ENTRYPOINT ["/harness", "--working-dir=plural"] |