forked from authzed/spicedb
Dockerfile.fips
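# Shared toolchain stage: UBI 9 minimal plus the Go toolset and the C toolchain
# that CGO builds need. Any later stage written as `FROM base` inherits
# everything installed here, and also inherits USER root.
# NOTE(review): the base image is pinned by tag only; adding the image digest
# to the reference would make this build input immutable.
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1736404155 AS base
ARG TARGETARCH
# Package installation below needs root.
USER root
# Install and clean up in the same layer so the package-manager cache is not
# stored in the image. Packages are listed one per line, sorted, for easy diffs.
RUN microdnf install -y \
        gcc \
        git \
        go-toolset \
        gzip \
        make \
        tar \
        which \
    && microdnf clean all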
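# Builder for spicedb
FROM base AS spicedb-builder
# Redeclared so ${TARGETARCH} is defined in this stage whether or not the
# builder propagates the ARG declared in the parent stage.
ARG TARGETARCH
WORKDIR /go/src/app
ENV CGO_ENABLED=1
# Copy only the module manifests and download dependencies before the source
# tree is copied, so this layer is reused until go.mod or go.sum changes.
# If go.mod ever gains a replace directive pointing at a local path, that path
# must be copied before this step.
# NOTE(review): the module cache mount only helps if GOMODCACHE resolves to
# /go/pkg/mod in this image; confirm with `go env GOMODCACHE`.
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
    go mod download
COPY . .
# NOTE(review): `go mod tidy` can rewrite go.mod and go.sum inside the build, so
# the compiled dependency set may differ from what was committed and reviewed.
# Consider running tidy in CI (failing on a diff) and using `go mod verify` here.
# GOEXPERIMENT and the fips_enabled tag select the FIPS build; GOFLAGS is
# cleared so flags inherited from the environment do not affect it.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    go mod tidy && \
    GOEXPERIMENT=strictfipsruntime,boringcrypto GOOS=linux GOARCH=${TARGETARCH} GOFLAGS="" \
    go build -tags=fips_enabled -gcflags=all=-trimpath=/go -asmflags=all=-trimpath=/go ./cmd/...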
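# Builder for health probe
FROM base AS health-probe-builder
# WORKDIR creates the directory; the repository is cloned straight into it.
WORKDIR /go/src/app/grpc-health-probe
# Clone and check out in one layer. With the clone in its own RUN, a cached
# clone layer could be reused after the pinned commit is bumped and would then
# lack the new commit. Pinning to a full commit hash keeps the fetched source
# fixed regardless of what the remote branch points at.
# Bump this when moving to go 1.23+
RUN git clone https://github.com/authzed/grpc-health-probe.git . && \
    git checkout aefcf1106afeb10e87df1649b21fd20d2ef79d2f
# Build the probe with the same FIPS experiment flags as spicedb and install it
# to /go/bin, where the final stage copies it from.
RUN GOEXPERIMENT=strictfipsruntime,boringcrypto CGO_ENABLED=1 GOBIN=/go/bin go install -a -tags netgo -ldflags=-w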
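# Final stage
# Start from the plain UBI minimal image rather than the `base` stage, so the
# compiler, git and the Go toolset installed there are not shipped in the
# runtime image.
# NOTE(review): assumes the CGO/FIPS binaries need only shared libraries already
# present in ubi-minimal (glibc, OpenSSL); confirm by running the image.
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1736404155
COPY --from=health-probe-builder /go/bin/grpc-health-probe /bin/grpc_health_probe
COPY --from=spicedb-builder /go/src/app/spicedb /usr/local/bin/spicedb
ENV PATH="$PATH:/usr/local/bin"
# Documentation only: the port the image is expected to serve on.
EXPOSE 50051
# Run as an unprivileged numeric UID/GID; 50051 is an unprivileged port and the
# copied binaries are installed under root-owned paths the process only reads.
USER 1001:1001
ENTRYPOINT ["spicedb"]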