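FROM golang:1.13-stretch AS secretless-builder
# MAINTAINER is deprecated (hadolint DL4000); carry the same metadata as labels.
LABEL maintainer="Conjur Inc." \
      builder="secretless-builder"
WORKDIR /secretless

# Build-time only: this stage is never shipped, so these values do not end up
# in the runtime image's environment.
# TODO: Expand this with build args when we support other arches
ENV GOOS=linux \
    GOARCH=amd64 \
    CGO_ENABLED=1

# Dependency manifests first so the `go mod download` layer stays cached while
# application sources change.
COPY go.mod go.sum /secretless/
COPY third_party/ /secretless/third_party
RUN go mod download

# secretless source files
COPY ./cmd /secretless/cmd
COPY ./internal /secretless/internal
COPY ./pkg /secretless/pkg
COPY ./resource-definitions /secretless/resource-definitions

# Declared as late as possible: a new TAG value only invalidates the build
# layer below it, not the dependency download above.
ARG TAG="dev"
# The `Tag` override is there to provide the git commit information in the
# final binary. See `Static long version tags` in the `Building` section
# of `CONTRIBUTING.md` for more information.
RUN go build -ldflags="-X github.com/cyberark/secretless-broker/pkg/secretless.Tag=$TAG" \
        -o dist/$GOOS/$GOARCH/secretless-broker ./cmd/secretless-broker && \
    go build -o dist/$GOOS/$GOARCH/summon2 ./cmd/summon2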
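# =================== MAIN CONTAINER ===================
# Base-image security fixes are picked up by bumping this tag, not by running
# a blanket `apk upgrade` in the image.
FROM alpine:3.12 AS secretless-broker
# MAINTAINER is deprecated (hadolint DL4000); keep the metadata as a label.
LABEL maintainer="CyberArk Software, Inc."

# `--no-cache` fetches the package index transiently instead of leaving it in
# the layer (hadolint DL3019). `shadow` provides groupadd/useradd below;
# `libc6-compat` is presumably needed because the builder stage compiles with
# CGO_ENABLED=1 on a glibc base — confirm before removing it.
RUN apk add --no-cache -u shadow libc6-compat && \
    # Add Limited user (fixed UID/GID 777 so runtimes can verify non-root)
    groupadd -r secretless \
             -g 777 && \
    useradd -c "secretless runner account" \
            -g secretless \
            -u 777 \
            -m \
            -r \
            secretless && \
    # Ensure plugin dir is owned by secretless user
    mkdir -p /usr/local/lib/secretless && \
    # Make and setup a directory for sockets at /sock
    mkdir /sock && \
    # Make and setup a directory for the Conjur client certificate/access token
    mkdir -p /etc/conjur/ssl && \
    mkdir -p /run/conjur && \
    # Use GID of 0 since that is what OpenShift will want to be able to read things
    chown secretless:0 /usr/local/lib/secretless \
                       /sock \
                       /etc/conjur/ssl \
                       /run/conjur && \
    # We need open group permissions in these directories since OpenShift won't
    # match our UID when we try to write files to them
    chmod 770 /sock \
              /etc/conjur/ssl \
              /run/conjur

# Everything above needed root; drop privileges before the entrypoint.
USER secretless
ENTRYPOINT [ "/usr/local/bin/secretless-broker" ]
# COPY without --chown creates files as UID/GID 0 regardless of USER, so the
# binaries stay root-owned: the runtime user can execute but not overwrite them.
COPY --from=secretless-builder /secretless/dist/linux/amd64/secretless-broker \
                               /secretless/dist/linux/amd64/summon2 /usr/local/bin/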
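# =================== MAIN CONTAINER (REDHAT) ===================
# NOTE(review): this base carries no tag, so it resolves to `:latest` and the
# build is not reproducible (hadolint DL3006/DL3007). Pin a tag or digest.
FROM registry.access.redhat.com/rhel AS secretless-broker-redhat
# MAINTAINER is deprecated (hadolint DL4000); keep the metadata as a label.
LABEL maintainer="CyberArk Software, Inc."

# VERSION has no default: when the build does not pass it, the version and
# release labels below are set to the empty string.
ARG VERSION
# Metadata labels expected for Red Hat container images.
LABEL name="Secretless-broker" \
      vendor="CyberArk" \
      version="$VERSION" \
      release="$VERSION" \
      summary="Secure your apps by making them Secretless" \
      description="Secretless Broker is a connection broker which relieves client \
applications of the need to directly handle secrets to target services"

# Add Limited user (fixed UID/GID 777 so runtimes can verify non-root)
RUN groupadd -r secretless \
             -g 777 && \
    useradd -c "secretless runner account" \
            -g secretless \
            -u 777 \
            -m \
            -r \
            secretless && \
    # Ensure plugin dir is owned by secretless user
    mkdir -p /usr/local/lib/secretless && \
    # Make and setup a directory for sockets at /sock
    mkdir /sock && \
    # Make and setup a directory for the Conjur client certificate/access token
    mkdir -p /etc/conjur/ssl && \
    mkdir -p /run/conjur && \
    # Red Hat images ship their license text under /licenses
    mkdir -p /licenses && \
    # Use GID of 0 since that is what OpenShift will want to be able to read things
    chown secretless:0 /usr/local/lib/secretless \
                       /sock \
                       /etc/conjur/ssl \
                       /run/conjur && \
    # We need open group permissions in these directories since OpenShift won't
    # match our UID when we try to write files to them
    chmod 770 /sock \
              /etc/conjur/ssl \
              /run/conjur
COPY LICENSE /licenses

# Everything above needed root; drop privileges before the entrypoint.
USER secretless
ENTRYPOINT [ "/usr/local/bin/secretless-broker" ]
# COPY without --chown creates files as UID/GID 0 regardless of USER, so the
# binaries stay root-owned: the runtime user can execute but not overwrite them.
COPY --from=secretless-builder /secretless/dist/linux/amd64/secretless-broker \
                               /secretless/dist/linux/amd64/summon2 /usr/local/bin/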