Dockerfile.fips
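# Build stage: compiles reports-server with Microsoft's FIPS-oriented Go
# toolchain on CBL-Mariner 2.0. Nothing from this stage reaches the final image
# except the files the runtime stage copies out explicitly.
# NOTE(review): the base image is pinned by tag only; pinning by digest as well
# (tag@sha256:<digest>) would keep the compiler used for a compliance build from
# changing underneath the same tag.
FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23.6-fips-cbl-mariner2.0 AS builder

# cgo stays enabled because the systemcrypto backend selected below calls into
# the platform crypto library (OpenSSL on Linux) instead of Go's own
# implementation.
# NOTE(review): FIPS_ENABLED is not a variable the Go toolchain is known to
# read; presumably project tooling consumes it. Confirm, or drop it.
ENV GOPATH=/go \
    PATH=/usr/local/go/bin:/go/bin:/usr/local/bin:/usr/bin:$PATH \
    CGO_ENABLED=1 \
    FIPS_ENABLED=1

# Toolchain prerequisites for a cgo build against OpenSSL, plus shadow-utils for
# groupadd/useradd. The package cache is cleaned in the same layer.
RUN mkdir -p /go && \
    tdnf install -y \
        ca-certificates \
        build-essential \
        openssl-devel \
        gcc \
        shadow-utils && \
    tdnf clean all

WORKDIR /app

# Copies the entire build context into the stage.
# NOTE(review): confirm a .dockerignore keeps .git, local credentials and build
# output out of the context.
COPY . .

# LD_FLAGS: extra linker flags supplied by the caller (e.g. version stamping).
# TARGETARCH: set automatically by BuildKit for the requested platform.
ARG LD_FLAGS
ARG TARGETARCH

# LD_FLAGS was declared but never consumed, so --build-arg LD_FLAGS=... was
# silently ignored. It is now appended to the fixed "-s -w"; with the argument
# unset the flags are exactly what they were before.
# NOTE(review): a caller-supplied flag that forces static linking would likely
# defeat the OpenSSL-backed crypto this build relies on; keep LD_FLAGS to
# stamping-style flags.
# NOTE(review): BUILD_TAGS is only an environment variable here; go build takes
# build tags through -tags, so confirm whether files tagged `fips` are meant to
# be compiled in. Microsoft's toolchain also documents a `requirefips` tag that
# makes the binary refuse to start outside FIPS mode; verify against the
# toolchain docs and consider it if fail-closed behaviour is required.
RUN GOOS=linux GOARCH=$TARGETARCH \
    BUILD_TAGS=fips GOEXPERIMENT=systemcrypto \
    CGO_ENABLED=1 FIPS_ENABLED=1 \
    go build -p 1 -ldflags="-s -w ${LD_FLAGS}" -o /app/reports-server ./

# Dedicated unprivileged account (uid 1001, no home directory, no login shell).
# Its /etc/passwd and /etc/group entries are copied into the runtime image.
RUN groupadd --system appgroup && \
    useradd --system --uid 1001 --gid appgroup --home-dir /nonexistent --shell /usr/sbin/nologin appuser && \
    chown appuser:appgroup /app/reports-server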
# Runtime stage: distroless CBL-Mariner 2.0 base (nonroot variant) holding only
# the binary, the account files and the CA bundle.
# NOTE(review): pinned by tag only; add a digest (tag@sha256:<digest>) for a
# reproducible, auditable base.
# NOTE(review): the binary is built with cgo and GOEXPERIMENT=systemcrypto, so
# it depends on the crypto library present in this image at runtime. Confirm the
# base ships the OpenSSL build (and FIPS provider/configuration) the deployment
# is expected to be validated against.
FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0-nonroot
# These two copies replace the base image's account files with the builder's,
# which carry the appuser/appgroup entries (uid 1001) created in the build stage
# along with every other account defined in the builder image.
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group
# NOTE(review): the builder chowns this file to appuser. If that ownership
# carries over, the service account can rewrite its own executable unless the
# root filesystem is mounted read-only; a root-owned, world-executable binary
# would be the least-privilege choice. Confirm the resulting ownership.
COPY --from=builder /app/reports-server /reports-server
# CA bundle from the builder (ca-certificates is installed there) for outbound
# TLS verification; this overlays whatever the base image ships at that path.
COPY --from=builder /etc/ssl/certs /etc/ssl/certs
# Numeric uid matching appuser in the build stage, so an orchestrator can check
# the non-root requirement without resolving a user name.
USER 1001
# Exec form: the server runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["/reports-server"]