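# Copyright Authors of Cilium
# SPDX-License-Identifier: Apache-2.0

# distroless images are signed by cosign. You should verify the image with the following public key:
# $ cat cosign.pub
# -----BEGIN PUBLIC KEY-----
# MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q
# OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA==
# -----END PUBLIC KEY-----
# $ cosign verify --key cosign.pub $BASE_IMAGE
# The key may be found at the following address:
# https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
#
# Nothing in this Dockerfile runs that verification: the build relies only on
# the sha256 digest pins below. Run the cosign check whenever a digest is bumped.
#
# Every base image is pinned by digest; the tag before the "@" is informational.
# Overriding one of these with --build-arg replaces the pin, so any override
# should carry its own digest.
ARG BASE_IMAGE=gcr.io/distroless/static-debian11:nonroot@sha256:63ebe035fbdd056ed682e6a87b286d07d3f05f12cb46f26b2b44fc10fc4a59ed
ARG GOLANG_IMAGE=docker.io/library/golang:1.22.7@sha256:4594271250150c1a322ed749abfd218e1a8c6eb1ade90872e325a664412e2037
ARG CILIUM_BUILDER_IMAGE=quay.io/cilium/cilium-builder:40a6366e1459a87c9bc45c6798c241cab66612c1@sha256:41f50fd628282eec0d506345bed3b42f01050f1e99fd3cfb500575ce358c3549

# BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
# Represents the platform where the build is happening, do not mix with
# TARGETARCH
FROM --platform=${BUILDPLATFORM} ${GOLANG_IMAGE} AS builder

# TARGETOS is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETOS
# TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETARCH
# MODIFIERS are extra arguments to be passed to make at build time.
# It is expanded unquoted on purpose so that it can carry several make arguments.
ARG MODIFIERS

WORKDIR /go/src/github.com/cilium/cilium
# The source tree is bind-mounted from the build context. Writes into a
# readwrite bind mount are discarded when the RUN step ends, so the build
# output is installed under /out, which is part of the stage filesystem.
RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium \
    --mount=target=/root/.cache,type=cache \
    --mount=target=/go/pkg,type=cache \
    make GOARCH=${TARGETARCH} DESTDIR=/out/${TARGETOS}/${TARGETARCH} ${MODIFIERS} \
        build-container-hubble-relay install-container-binary-hubble-relay

# BUILDARCH is an automatic platform ARG enabled by Docker BuildKit. Automatic
# platform ARGs are only visible inside a stage after being redeclared, so
# without this line ${BUILDARCH} below would expand to an empty string.
ARG BUILDARCH
# licenses-all is a "script" that executes "go run" so its ARCH should be set
# to the same ARCH specified in the base image of this Docker stage (BUILDARCH)
RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium \
    --mount=target=/root/.cache,type=cache \
    --mount=target=/go/pkg,type=cache \
    make GOARCH=${BUILDARCH} licenses-all && mv LICENSE.all /out/${TARGETOS}/${TARGETARCH}

# BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
# Represents the platform where the build is happening, do not mix with
# TARGETARCH
FROM --platform=${BUILDPLATFORM} ${GOLANG_IMAGE} AS gops

# build-gops.sh will build both archs at the same time
WORKDIR /go/src/github.com/cilium/cilium/images/runtime
# This stage is discarded; only the gops binary is copied into the release
# image. The binutils packages are not version-pinned, so their versions follow
# whatever the pinned golang image's apt sources serve at build time.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        binutils-aarch64-linux-gnu \
        binutils-x86-64-linux-gnu \
    && rm -rf /var/lib/apt/lists/*
RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium \
    --mount=target=/root/.cache,type=cache \
    --mount=target=/go/pkg,type=cache \
    ./build-gops.sh

#
# gRPC health probes
#
FROM --platform=${BUILDPLATFORM} ${CILIUM_BUILDER_IMAGE} AS grpc_health_probe
# Redeclared so that the value is visible to the RUN step below; presumably the
# download script reads it - confirm against the script.
ARG BUILDPLATFORM
COPY images/hubble-relay/download-grpc-health-probe.sh /tmp/download-grpc-health-probe.sh
# NOTE(review): the script is not shown here and its output is shipped in the
# release image. Confirm that it fetches a pinned version and verifies a
# checksum or signature before the binary is installed.
RUN /tmp/download-grpc-health-probe.sh

FROM ${BASE_IMAGE} AS release
# TARGETOS is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETOS
# TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.
ARG TARGETARCH
LABEL maintainer="maintainer@cilium.io"
# Only these four files are added on top of the distroless base.
# NOTE(review): gops looks like a diagnostics tool - confirm that it is meant
# to ship in the release image.
COPY --from=gops /out/${TARGETOS}/${TARGETARCH}/bin/gops /bin/gops
COPY --from=grpc_health_probe /out/${TARGETOS}/${TARGETARCH}/bin/grpc_health_probe /bin/grpc_health_probe
COPY --from=builder /out/${TARGETOS}/${TARGETARCH}/usr/bin/hubble-relay /usr/bin/hubble-relay
COPY --from=builder /out/${TARGETOS}/${TARGETARCH}/LICENSE.all /LICENSE.all
# use uid:gid for the nonroot user for compatibility with runAsNonRoot
USER 65532:65532
ENTRYPOINT ["/usr/bin/hubble-relay"]
CMD ["serve"]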