feat: add distroless (#1348)

* feat: add distroless * Update Dockerfile-build * Update Dockerfile-distroless-static --------- Co-authored-by: Jakub Błaszczyk <blaszczyk.jakub@protonmail.com>
ory · Jun 29, 2023 · f0839ee · f0839ee
1 parent 5212b59
commit f0839ee
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 21 deletions.
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
@@ -1,9 +1,12 @@
-FROM golang:1.20-alpine3.18 AS builder
-
-RUN apk -U --no-cache add build-base git gcc bash
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.20-bullseye AS builder
 
 WORKDIR /go/src/github.com/ory/keto
 
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
+    mkdir -p ./internal/httpclient
+
 COPY go.mod go.mod
 COPY go.sum go.sum
 
@@ -18,30 +21,16 @@ COPY . .
 
 RUN go build -buildvcs=false -tags sqlite -o /usr/bin/keto .
 
-FROM alpine:3.18
-
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
-    chown -R ory:ory /home/ory
+#########################
 
-RUN apk --no-cache --latest upgrade &&\
-    apk --no-cache --upgrade --latest add ca-certificates
+FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
 
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/keto /usr/bin/keto
 
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite
-RUN chown ory:ory /var/lib/sqlite
 VOLUME /var/lib/sqlite
 
-# Exposing the ory home directory to simplify passing in the configuration.
-VOLUME /home/ory
-
 EXPOSE 4466 4467
 
-USER ory
-
 ENTRYPOINT ["keto"]
-
 CMD ["serve"]
diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY keto /usr/bin/keto
+EXPOSE 4466 4467
+
+ENTRYPOINT ["keto"]
+CMD ["serve"]
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -10,4 +10,5 @@ variables:
   buildinfo_hash: "github.com/ory/keto/internal/driver/config.Commit"
   buildinfo_tag: "github.com/ory/keto/internal/driver/config.Version"
   buildinfo_date: "github.com/ory/keto/internal/driver/config.Date"
-  dockerfile: ".docker/Dockerfile-alpine"
+  dockerfile_alpine: ".docker/Dockerfile-alpine"
+  dockerfile_static: ".docker/Dockerfile-distroless-static"