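###############
# BUILD STAGE #
###############
# Compiles the provider binary. The runtime stages in this file copy only
# /conjur-csi-provider out of this stage.
# NOTE(review): the base image is pinned by tag only; also pin it by digest if
# the builder must be fully reproducible.
FROM golang:1.22-alpine AS builder

# this value changes in ./bin/build
ARG TAG_SUFFIX="dev"
ARG VERSION="unreleased"

# On CyberArk dev laptops, golang module dependencies are downloaded with a
# corporate proxy in the middle. For these connections to succeed we need to
# configure the proxy CA certificate in build containers.
#
# To allow this script to also work on non-CyberArk laptops where the CA
# certificate is not available, we copy the (potentially empty) directory
# and update container certificates based on that, rather than rely on the
# CA file itself.
#
# SECURITY: every certificate found in build_ca_certificate/ becomes a trusted
# root for TLS connections made in this stage, including Go module downloads.
# Release/CI builds should therefore run with that directory empty or holding
# reviewed content only.
# COPY (not ADD) is used because these are plain local files and none of ADD's
# archive/URL handling is wanted.
COPY build_ca_certificate /usr/local/share/ca-certificates/
RUN update-ca-certificates

WORKDIR /conjur-k8s-csi-provider

# NOTE(review): this copies the entire build context into the builder layer;
# confirm a .dockerignore keeps credentials, .git and local artifacts out.
COPY . .

# Stamp the version and tag suffix into the binary through linker flags.
RUN go build \
    -ldflags="-X 'github.com/cyberark/conjur-k8s-csi-provider/pkg/provider.ProviderVersion=$VERSION' \
      -X 'github.com/cyberark/conjur-k8s-csi-provider/pkg/provider.TagSuffix=$TAG_SUFFIX'" \
    -o /conjur-csi-provider \
    ./cmd/conjur-k8s-csi-provider/main.go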
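#############
# RUN STAGE #
#############
# Alpine runtime image that carries only the compiled provider binary.
FROM alpine:3.19.1 AS conjur-k8s-csi-provider

LABEL org.opencontainers.image.authors="CyberArk Software Ltd."
LABEL id="conjur-k8s-csi-provider"

COPY --from=builder /conjur-csi-provider /conjur-csi-provider

# NOTE(review): no USER is set in this stage, so the provider runs as root by
# default, whereas the Red Hat stage in this file switches to a dedicated
# account. If root is needed to reach the host-mounted provider socket
# directory, constrain the container at deploy time instead (dropped
# capabilities, read-only root filesystem) - confirm against the helm chart.
ENTRYPOINT [ "/conjur-csi-provider" ]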
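################
# REDHAT IMAGE #
################
# UBI 9 based variant of the runtime image, running as a dedicated non-root
# user.
# NOTE(review): the base image carries neither a tag nor a digest, so each
# build resolves to whatever the registry currently serves as latest. Pin it
# to a reviewed tag or digest to make the image contents auditable.
FROM registry.access.redhat.com/ubi9/ubi AS conjur-k8s-csi-provider-redhat

# ARG values do not carry over from the builder stage. Redeclare VERSION with
# the same default so the version/release labels are never empty when no
# --build-arg is supplied.
ARG VERSION="unreleased"

LABEL org.opencontainers.image.authors="CyberArk Software Ltd."
LABEL id="conjur-k8s-csi-provider"
LABEL vendor="CyberArk"
LABEL version="$VERSION"
LABEL release="$VERSION"
LABEL summary="Inject Conjur secrets into Kubernetes environments via Container Storage Interface volumes."
LABEL description="Conjur's integration for the Kubernetes Secrets Store CSI Driver, which injects secrets into \
Kubernetes environments via Container Storage Interface volumes."

# Bring base packages up to date. The package set therefore depends on build
# time; the yum cache is cleared in the same layer so it is not shipped.
RUN yum -y distro-sync \
    && yum clean all

# Add a non-root user with permissions on the default socket dir.
# NOTE: If deploying this image via the helm chart, the csi-provider
# user will require special permissions on the host to access the
# secrets-store-csi-provider socket directory which is volume mounted.
# The chown below only affects the directory inside the image; once a host
# volume is mounted over it, the host's ownership and mode apply.
RUN useradd -m csi-provider \
    && mkdir -p /var/run/secrets-store-csi-providers /licenses \
    && chown -R csi-provider:0 /var/run/secrets-store-csi-providers

# NOTE(review): USER is given by name and useradd picks the UID. Kubernetes
# runAsNonRoot can only verify a numeric UID, so a fixed UID with a numeric
# USER may be needed - confirm against the helm chart and host permissions.
USER csi-provider

# Files copied without --chown stay owned by root, so the runtime user can
# read and execute them but cannot modify the binary.
COPY LICENSE /licenses/
COPY --from=builder /conjur-csi-provider /conjur-csi-provider

ENTRYPOINT [ "/conjur-csi-provider" ]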