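# We have to emulate directory layout as in the repo so that imports in go files work fine.
ARG roxpath=/workspace/src/github.com/stackrox/rox
ARG TARGET_ARCH=amd64
# Both base images are build arguments so that a build can pin them to an exact tag or digest
# (e.g. `--build-arg BASE_IMAGE=<registry>/ubi9-micro:<tag>@sha256:<digest>`) and produce a
# reproducible, auditable image. The defaults keep the previous behaviour unchanged; note that
# the runtime default still floats on `latest` and should be pinned for release builds.
ARG BUILDER_IMAGE=registry.access.redhat.com/ubi9/go-toolset:1.25
ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest
FROM ${BUILDER_IMAGE} AS builder
# Build the manager binary
ARG TARGET_ARCH
ARG roxpath
WORKDIR ${roxpath}/
ENV GOPATH=/workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# Cache deps before building and copying source so that we don't need to re-download as much and so that source changes
# don't invalidate our downloaded layer.
# We're not using `go mod tidy` here because go mod tidy needs to examine _source code_ in order to find unused modules.
# There's no source code in this docker layer yet and so `go mod tidy` would empty go.mod and go.sum which is not what
# we want. If we're to COPY source before running `go mod tidy`, local docker build times would go up because any code
# change will invalidate docker layers and will cause modules redownload (during `tidy`). Therefore we use
# `go mod download` as a compromise for shorter local build times due to docker layer caching. There are CI checks
# ensuring that there will not be unused modules for the repo overall.
# Note that `go mod download` can download more stuff than `go mod tidy` https://github.com/golang/go/issues/43994
# However it does _not_ seem to resolve packages _incorrectly_ and so should be safe especially given that downloaded
# packages are only used during build and later this docker layer is discarded (only resulting binary goes in the final
# image).
# Retry as the proxy can be unavailable at times.
# The `|` separator falls back to the next proxy on any error. Which proxy serves a module only affects
# availability, not trust: every download is still checked against go.sum (and the checksum database,
# since GOSUMDB is left at its default).
ENV GOPROXY=https://proxy.golang.org|https://goproxy.io|direct
RUN go mod download || go mod download || go mod download
# Copy operator source
COPY operator/ operator/
# Copy common packages from repo root
COPY pkg/ pkg/
COPY image/ image/
# Copy generated files from repo root.
# Not generating them during this docker build because they anyway need to be generated by the orchestrating makefiles.
COPY generated/ generated/
# Copy scripts/go-build.sh and dependencies.
COPY scripts/ scripts/
COPY operator/build/status.sh status.sh
# This creates a git repo in workdir so that `git grep` command in build.sh can succeed and actually find //XDef-s.
RUN git init && git add .
# We've been historically building operator without CGO both upstream and downstream.
ENV CGO_ENABLED=0
# Build the operator binary.
RUN GOOS=linux GOARCH=${TARGET_ARCH} scripts/go-build-file.sh operator/cmd/main.go stackrox-operator
ARG TARGET_ARCH
FROM --platform=linux/${TARGET_ARCH} ${BASE_IMAGE}
ARG roxpath
ARG ROX_IMAGE_FLAVOR
ENV ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR}
# Only the built binary leaves the builder stage; the Go toolchain, module cache and sources
# stay in the discarded stage and never reach the runtime image.
COPY --from=builder ${roxpath}/stackrox-operator /usr/local/bin/
# The following are numeric uid and gid of `nobody` user in UBI.
# We can't use symbolic names because otherwise k8s will fail to start the pod with an error like this:
# Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root (pod: "stackrox-operator-controller-manager-75bc744454-bkbjr_stackrox-operator-system(49874aae-2695-4d3a-afd3-8723914d2af5)", container: manager)
USER 65534:65534
ENTRYPOINT ["/usr/local/bin/stackrox-operator"]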