Have the docker image run as a non-root liftbridge user and publish t…

…he k8s image to dockerhub
liftbridge-io · Oct 2, 2020 · fccd0b8 · fccd0b8
1 parent c6abcf1
commit fccd0b8
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -93,6 +93,33 @@ jobs:
             docker push "liftbridge/liftbridge:${VERSION}"
             docker push 'liftbridge/liftbridge:latest'
 
+  # Build and publish release k8s Docker image
+  build-and-push-release-k8s-image:
+    docker:
+      - image: circleci/buildpack-deps:stretch
+    steps:
+      - setup_remote_docker
+      - checkout
+      - run:
+          name: Set image version
+          command: |
+            if [ -n "$CIRCLE_TAG" ]; then
+                echo "export VERSION='${CIRCLE_TAG}-k8s'" >> $BASH_ENV
+            else
+                echo "export VERSION='${CIRCLE_SHA1}-k8s'" >> $BASH_ENV
+            fi
+      - run:
+          name: Build image
+          command: |
+            docker build -t "liftbridge/liftbridge:${VERSION}" -f k8s/Dockerfile.k8s .
+            docker tag "liftbridge/liftbridge:${VERSION}" 'liftbridge/liftbridge:latest-k8s'
+      - run:
+          name: Publish image
+          command: |
+            echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
+            docker push "liftbridge/liftbridge:${VERSION}"
+            docker push 'liftbridge/liftbridge:latest-k8s'
+
   # Create GitHub release and upload artifacts
   release:
     docker:
@@ -157,6 +184,13 @@ workflows:
               ignore: /.*/
             tags:
               only: /v[0-9]+(\.[0-9]+)*(-.*)*/
+      - build-and-push-release-k8s-image:
+          context: docker-push
+          filters:
+            branches:
+              ignore: /.*/
+            tags:
+              only: /v[0-9]+(\.[0-9]+)*(-.*)*/
       - release:
           context: github-push
           filters:

diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,9 @@ ENV GOOS linux
 RUN go build -mod=readonly -o liftbridge
 
 FROM alpine:latest
-COPY --from=build-base /go/src/github.com/liftbridge-io/liftbridge/liftbridge /usr/local/bin/liftbridge
+RUN addgroup -g 1001 -S liftbridge && adduser -u 1001 -S liftbridge -G liftbridge
+COPY --chown=liftbridge:liftbridge --from=build-base /go/src/github.com/liftbridge-io/liftbridge/liftbridge /usr/local/bin/liftbridge
 EXPOSE 9292
 VOLUME "/tmp/liftbridge/liftbridge-default"
 ENTRYPOINT ["liftbridge"]
+USER liftbridge
diff --git a/k8s/Dockerfile.k8s b/k8s/Dockerfile.k8s
@@ -24,7 +24,9 @@ RUN GRPC_HEALTH_PROBE_VERSION=v0.3.1 && \
 
 FROM alpine:latest
 RUN apk update && apk add --no-cache bash
-COPY --from=build-base /workspace/liftbridge /usr/local/bin/liftbridge
-COPY --from=build-base /bin/grpc_health_probe /bin/grpc_health_probe
+RUN addgroup -g 1001 -S liftbridge && adduser -u 1001 -S liftbridge -G liftbridge
+COPY --chown=liftbridge:liftbridge --from=build-base /workspace/liftbridge /usr/local/bin/liftbridge
+COPY --chown=liftbridge:liftbridge --from=build-base /bin/grpc_health_probe /bin/grpc_health_probe
 COPY k8s/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
+USER liftbridge