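# syntax=docker/dockerfile:1@sha256:fe40cf4e92cd0c467be2cfc30657a680ae2398318afd50b0c80585784c604f28

# Regsync version: a git tag of regclient/regclient, checked out below.
ARG REGSYNC_VERSION=v0.11.1
# Optional expected commit for REGSYNC_VERSION. A tag is a mutable ref, so a
# build that wants a reproducible regsync can pass the revision it expects
# (--build-arg REGSYNC_COMMIT=<full sha>); empty keeps the old behaviour
# (no check).
ARG REGSYNC_COMMIT=

# xx is a helper for cross-compilation
FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707 AS xx

FROM --platform=$BUILDPLATFORM golang:1.26.1-bookworm@sha256:c7a82e9e2df2fea5d8cb62a16aa6f796d2b2ed81ccad4ddd2bc9f0d22936c3f2 AS builder
COPY --link --from=xx / /

ARG TARGETPLATFORM
# The stock Debian image deletes downloaded .deb files after every install
# (/etc/apt/apt.conf.d/docker-clean), which defeats the apt cache mount
# below; keep the downloads so the mount is actually reused between builds.
RUN rm -f /etc/apt/apt.conf.d/docker-clean \
    && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
# Cache is keyed per target platform because xx-apt-get installs the
# target-architecture packages.
RUN --mount=type=cache,id=${TARGETPLATFORM}-apt,target=/var/cache/apt,sharing=locked \
    apt-get update \
    && xx-apt-get install -y --no-install-recommends \
        gcc \
        libc6-dev

WORKDIR /build/reconciler
# Module download in its own layer so it is cached until go.mod/go.sum change.
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,source=.,target=/build,ro \
    xx-go mod download -x

ARG BUILD_OPTS
ARG BUILD_GCFLAGS
ARG BUILD_LDFLAGS
# Static binaries: the final stages below carry no libc the binary could use.
# NOTE(review): with CGO disabled, gcc/libc6-dev installed above appear unused
# by either build — confirm before removing them.
ENV CGO_ENABLED=0
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,source=.,target=/build,ro \
    xx-go build ${BUILD_OPTS} -gcflags="${BUILD_GCFLAGS}" -ldflags="${BUILD_LDFLAGS}" \
    -o /bin/reconciler .
# Fails the build if the binary is not for TARGETPLATFORM (or not static).
RUN xx-verify /bin/reconciler

# Build regsync from source using the same Go version.
# This ensures we have a statically linked binary compatible with distroless
# and avoids security issues with different Go versions in prebuilt binaries.
# Dependencies are pinned by the go.sum inside the regclient checkout.
ARG REGSYNC_VERSION
ARG REGSYNC_COMMIT
RUN git clone --depth 1 --branch ${REGSYNC_VERSION} \
    https://github.com/regclient/regclient.git /tmp/regclient \
    && if [ -n "${REGSYNC_COMMIT}" ]; then \
         actual="$(git -C /tmp/regclient rev-parse HEAD)"; \
         [ "${actual}" = "${REGSYNC_COMMIT}" ] \
         || { echo "regclient ${REGSYNC_VERSION} resolved to ${actual}, expected ${REGSYNC_COMMIT}" >&2; exit 1; }; \
       fi
# No source bind mount here: regsync builds from its own checkout, not from
# the project tree.
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    xx-go -C /tmp/regclient build -o /bin/regsync ./cmd/regsync
RUN xx-verify /bin/regsync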
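# Debug image - includes Delve for remote debugging. For local development only:
# it derives from builder (root, build platform, full toolchain) and the dlv
# API below listens without authentication on all interfaces.
FROM builder AS debug
WORKDIR /
COPY --from=builder /bin/reconciler ./reconciler
COPY --from=builder /bin/regsync /usr/local/bin/regsync
# NOTE(review): xx-go builds for TARGETPLATFORM; when that differs from
# BUILDPLATFORM, `go install` places dlv under /go/bin/<os>_<arch>/ and the
# /go/bin/dlv path in ENTRYPOINT will not exist. This stage assumes the two
# platforms match.
RUN xx-go install github.com/go-delve/delve/cmd/dlv@v1.26.1
# Absolute path to the debuggee so the entrypoint does not depend on the
# container's working directory being /.
ENTRYPOINT ["/go/bin/dlv", "--listen=0.0.0.0:2345", "--headless=true", "--accept-multiclient=true", "--api-version=2", "exec", "--continue", "/reconciler"]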
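# Runtime stage - using Alpine because regsync may need shell/tools
# https://github.com/docker-library/repo-info/blob/master/repos/alpine/tag-details.md
# Named so it can be selected with --target; unnamed and not last in the file,
# it was otherwise not addressable by name.
FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709 AS runtime
# ca-certificates presumably for TLS trust, tzdata for time-zone data.
# TODO(review): pin the apk versions (pkg=<version>) for reproducible rebuilds.
RUN apk add --no-cache ca-certificates tzdata
# Create non-root user matching distroless nonroot (uid/gid 65532)
RUN addgroup -g 65532 -S nonroot && adduser -u 65532 -S nonroot -G nonroot
WORKDIR /
# Binaries stay root-owned, so the runtime user cannot modify them.
COPY --from=builder /bin/reconciler ./reconciler
COPY --from=builder /bin/regsync /usr/local/bin/regsync
# Numeric uid:gid so runtimes that enforce runAsNonRoot can verify it.
USER 65532:65532
# Absolute path: a relative entrypoint breaks when the working directory is
# overridden at run time.
ENTRYPOINT ["/reconciler"]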
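# Coverage image - includes tar for kubectl cp to work
FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709 AS coverage
RUN apk add --no-cache tar
WORKDIR /
COPY --from=builder /bin/reconciler ./reconciler
COPY --from=builder /bin/regsync /usr/local/bin/regsync
# Create the non-root user (same uid/gid as the runtime image) and the
# directory the coverage run writes to, owned by that user. `install -d` does
# mkdir+chown in one step instead of a recursive chown in a second layer.
RUN addgroup -g 65532 -S nonroot && adduser -u 65532 -S nonroot -G nonroot \
    && install -d -m 0755 -o 65532 -g 65532 /tmp/coverage
# NOTE(review): unlike the runtime image this stage carries no ca-certificates;
# confirm coverage runs never need TLS trust, or add the package.
USER 65532:65532
# Absolute path: a relative entrypoint breaks when the working directory is
# overridden at run time.
ENTRYPOINT ["/reconciler"]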