-
Notifications
You must be signed in to change notification settings - Fork 11
/
Dockerfile
165 lines (128 loc) · 5.84 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
# =================== BASE BUILD LAYER ===================
# this layer is used to prepare a common layer for both debug and release builds
FROM golang:1.22 as secrets-provider-builder-base
MAINTAINER CyberArk Software Ltd.
ENV GOOS=linux \
GOARCH=amd64 \
CGO_ENABLED=0
# On CyberArk dev laptops, golang module dependencies are downloaded with a
# corporate proxy in the middle. For these connections to succeed we need to
# configure the proxy CA certificate in build containers.
#
# To allow this script to also work on non-CyberArk laptops where the CA
# certificate is not available, we copy the (potentially empty) directory
# and update container certificates based on that, rather than rely on the
# CA file itself.
ADD build_ca_certificate /usr/local/share/ca-certificates/
RUN update-ca-certificates
RUN go install github.com/jstemmer/go-junit-report/v2@latest
WORKDIR /opt/secrets-provider-for-k8s
EXPOSE 8080
COPY go.mod go.sum ./
# =================== RELEASE BUILD LAYER ===================
# this layer is used to build the release binaries
FROM secrets-provider-builder-base as secrets-provider-builder
COPY . .
# this value is set in ./bin/build
ARG TAG
RUN go build \
-a \
-installsuffix cgo \
-ldflags="-X github.com/cyberark/secrets-provider-for-k8s/pkg/secrets.Tag=$TAG" \
-o secrets-provider \
./cmd/secrets-provider
# =================== DEBUG BUILD LAYER ===================
# this layer is used to build the debug binaries
FROM secrets-provider-builder-base as secrets-provider-builder-debug
# Build Delve - debugging tool for Go
RUN go get github.com/go-delve/delve/cmd/dlv
# Expose port 40000 for debugging
EXPOSE 40000
COPY . .
# Build debug flavor without compilation optimizations using "all=-N -l"
RUN go build -a -installsuffix cgo -gcflags="all=-N -l" -o secrets-provider ./cmd/secrets-provider
# =================== BASE MAIN CONTAINER ===================
# this layer is used to prepare a common layer for both debug and release containers
FROM alpine:latest as secrets-provider-base
MAINTAINER CyberArk Software Ltd.
# Ensure openssl development libraries are always up to date
RUN apk add --no-cache openssl-dev
COPY bin/run-time-scripts /usr/local/bin/
RUN apk add -u shadow libc6-compat && \
# Add limited user
groupadd -r secrets-provider \
-g 777 && \
useradd -c "secrets-provider runner account" \
-g secrets-provider \
-u 777 \
-m \
-r \
secrets-provider && \
# Ensure plugin dir is owned by secrets-provider user
mkdir -p /usr/local/lib/secrets-provider /etc/conjur/ssl /run/conjur /conjur/status && \
# Use GID of 0 since that is what OpenShift will want to be able to read things
chown secrets-provider:0 /usr/local/lib/secrets-provider \
/etc/conjur/ssl \
/run/conjur \
/conjur/status && \
# We need open group permissions in these directories since OpenShift won't
# match our UID when we try to write files to them
chmod 770 /etc/conjur/ssl \
/run/conjur && \
chmod 777 /conjur/status
USER secrets-provider
# =================== RELEASE MAIN CONTAINER ===================
FROM secrets-provider-base as secrets-provider
COPY --from=secrets-provider-builder /opt/secrets-provider-for-k8s/secrets-provider /usr/local/bin/
CMD [ "/usr/local/bin/secrets-provider"]
# =================== DEBUG MAIN CONTAINER ===================
FROM secrets-provider-base as secrets-provider-debug
COPY --from=secrets-provider-builder-debug /go/bin/dlv /usr/local/bin/
COPY --from=secrets-provider-builder-debug /opt/secrets-provider-for-k8s/secrets-provider /usr/local/bin/
# Execute secrets provider wrapped with dlv debugger listening on port 40000 for remote debugger connection.
# Will wait indefinitely until a debugger is connected.
CMD ["/usr/local/bin/dlv", \
"--listen=:40000", \
"--headless=true", \
"--api-version=2", \
"--accept-multiclient",\
"exec", \
"/usr/local/bin/secrets-provider"]
# =================== MAIN CONTAINER (REDHAT) ===================
FROM registry.access.redhat.com/ubi9/ubi as secrets-provider-for-k8s-redhat
MAINTAINER CyberArk Software Ltd.
ARG VERSION
LABEL name="secrets-provider-for-k8s"
LABEL vendor="CyberArk"
LABEL version="$VERSION"
LABEL release="$VERSION"
LABEL summary="Store secrets in Conjur or DAP and consume them in your Kubernetes / Openshift application containers"
LABEL description="To retrieve the secrets from Conjur or DAP, the CyberArk Secrets Provider for Kubernetes runs as an \
init container or separate application container and fetches the secrets that the pods require"
RUN yum -y distro-sync
# Add limited user
RUN groupadd -r secrets-provider \
-g 777 && \
useradd -c "secrets-provider runner account" \
-g secrets-provider \
-u 777 \
-m \
-r \
secrets-provider && \
# Ensure plugin dir is owned by secrets-provider user
mkdir -p /usr/local/lib/secrets-provider /etc/conjur/ssl /run/conjur /conjur/status /licenses && \
# Use GID of 0 since that is what OpenShift will want to be able to read things
chown secrets-provider:0 /usr/local/lib/secrets-provider \
/etc/conjur/ssl \
/run/conjur \
/conjur/status && \
# We need open group permissions in these directories since OpenShift won't
# match our UID when we try to write files to them
chmod 770 /etc/conjur/ssl \
/run/conjur && \
chmod 777 /conjur/status
COPY --from=secrets-provider-builder /opt/secrets-provider-for-k8s/secrets-provider /usr/local/bin/
COPY bin/run-time-scripts /usr/local/bin/
COPY LICENSE.md /licenses
USER secrets-provider
ENTRYPOINT [ "/usr/local/bin/secrets-provider"]