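# Copyright Authors of Cilium
# SPDX-License-Identifier: Apache-2.0

# distroless images are signed by cosign and can be verified using:
# cosign verify $IMAGE_NAME --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@distroless.iam.gserviceaccount.com
ARG BASE_IMAGE=gcr.io/distroless/static-debian11:nonroot@sha256:63ebe035fbdd056ed682e6a87b286d07d3f05f12cb46f26b2b44fc10fc4a59ed
# These SHA256 digests are important for two reasons:
# 1. They 'pin' the container image to a specific version. Unlike a tag that can be changed at any future point, a
#    SHA256 digest cannot be modified. This increases the security of the build by protecting against a class of supply
#    chain attacks where an attacker has write access to our 3rd party dependency image registries.
# 2. These digests must be the *overall* (manifest list / index) digest, not the digest of a single-architecture image.
#    The images are architecture specific, but the overall digest covers all of the architectures, so one pin serves
#    every TARGETARCH this Dockerfile is built for.
ARG GOLANG_IMAGE=docker.io/library/golang:1.22.7@sha256:4594271250150c1a322ed749abfd218e1a8c6eb1ade90872e325a664412e2037
# We don't use ETCD_IMAGE because that's used in Makefile.defs to select an etcd image appropriate for the *host platform*
# to run tests with.
ARG ETCD_SERVER_IMAGE=gcr.io/etcd-development/etcd:v3.5.16@sha256:0d0a9fe2d8344722acfb6f456beb0c64328b58f51dc6dee6291976e62a7b5a3f

# BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
# Represents the platform where the build is happening, do not mix with
# TARGETARCH
FROM --platform=${BUILDPLATFORM} ${GOLANG_IMAGE} AS builder

# TARGETOS is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETOS
# TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETARCH
# BUILDARCH is an automatic platform ARG enabled by Docker BuildKit. Automatic
# platform ARGs are only visible inside a stage once redeclared there; without
# this line the ${BUILDARCH} reference in the licenses-all step below expands
# to an empty string and the Go toolchain silently falls back to its default.
ARG BUILDARCH
# MODIFIERS are extra arguments to be passed to make at build time.
ARG MODIFIERS

WORKDIR /go/src/github.com/cilium/cilium/clustermesh-apiserver
# Stage the etcd config shipped with the image. The source tree is bind-mounted
# (not COPY'd) so it never becomes a layer; /out is the only thing carried over.
RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg,type=cache \
    mkdir -p /out/${TARGETOS}/${TARGETARCH} && cp etcd-config.yaml /out/${TARGETOS}/${TARGETARCH}/etcd-config.yaml
# Cross-compile clustermesh-apiserver for the target architecture on the build
# host (the stage runs on BUILDPLATFORM, GOARCH selects the output arch).
RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg,type=cache \
    make GOARCH=${TARGETARCH} ${MODIFIERS} \
    && mkdir -p /out/${TARGETOS}/${TARGETARCH}/usr/bin && mv clustermesh-apiserver /out/${TARGETOS}/${TARGETARCH}/usr/bin

WORKDIR /go/src/github.com/cilium/cilium
# licenses-all is a "script" that executes "go run" so its ARCH should be set
# to the same ARCH specified in the base image of this Docker stage (BUILDARCH)
RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg,type=cache \
    make GOARCH=${BUILDARCH} licenses-all && mv LICENSE.all /out/${TARGETOS}/${TARGETARCH}

# BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
# Represents the platform where the build is happening, do not mix with
# TARGETARCH
FROM --platform=${BUILDPLATFORM} ${GOLANG_IMAGE} AS gops

# build-gops.sh will build both archs at the same time
WORKDIR /go/src/github.com/cilium/cilium/images/runtime
# Cross binutils are needed by build-gops.sh for both architectures. This stage
# is discarded, so the apt lists are only removed to keep the layer tidy.
RUN apt-get update && apt-get install -y binutils-aarch64-linux-gnu binutils-x86-64-linux-gnu \
    && rm -rf /var/lib/apt/lists/*
RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg,type=cache \
    ./build-gops.sh

# Pull the pinned etcd image for the target architecture; only its etcd binary
# is copied into the release stage below.
# NOTE(review): --platform normally takes a full platform string
# (e.g. ${TARGETPLATFORM}); a bare arch relies on the platform parser
# defaulting the OS to linux — confirm this is intended.
FROM --platform=${TARGETARCH} ${ETCD_SERVER_IMAGE} AS etcd

# Release stage: distroless static base with the `nonroot` variant, so the
# entrypoint runs unprivileged without an explicit USER instruction.
FROM ${BASE_IMAGE} AS release
# TARGETOS is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETOS
# TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETARCH
LABEL maintainer="maintainer@cilium.io"
COPY --from=gops /out/${TARGETOS}/${TARGETARCH}/bin/gops /bin/gops
# While the etcd image uses /usr/local/bin, we're moving it to /usr/bin to keep consistency with the rest of our images.
# We also don't grab the etcdctl or etcdutl binaries, as we don't need them for our application.
COPY --from=etcd /usr/local/bin/etcd /usr/bin/etcd
COPY --from=builder /out/${TARGETOS}/${TARGETARCH}/etcd-config.yaml /var/lib/cilium/etcd-config.yaml
COPY --from=builder /out/${TARGETOS}/${TARGETARCH}/usr/bin/clustermesh-apiserver /usr/bin/clustermesh-apiserver
COPY --from=builder /out/${TARGETOS}/${TARGETARCH}/LICENSE.all /LICENSE.all

# Configure gops to use a temporary directory, to prevent permission
# issues depending on the UID configured to run the entrypoint.
ENV GOPS_CONFIG_DIR=/tmp/gops

ENTRYPOINT ["/usr/bin/clustermesh-apiserver"]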