# Copyright 2026 CloudBlue LLC
# SPDX-License-Identifier: Apache-2.0
# Chaperone Egress Proxy - Multi-Stage Dockerfile
# See: docs/guides/deployment.md
# =============================================================================
# Stage 1: Builder
# =============================================================================
FROM golang:1.26-alpine AS builder
# Install git for version info (optional) and ca-certificates
RUN apk add --no-cache git ca-certificates
WORKDIR /build
# Cache dependencies first (for better layer caching)
# Copy both modules' dependency files
# Note: go.sum may not exist if no external dependencies
COPY go.mod ./
COPY sdk/go.mod ./sdk/
# Download dependencies (SDK has no external deps currently)
RUN go mod download
# Copy source code
COPY . .
# Build static binary
# CGO_ENABLED=0 ensures static linking (required for distroless)
# -ldflags "-s -w" strips debug info for smaller binary
ARG VERSION=dev
ARG GIT_COMMIT=unknown
ARG BUILD_DATE=unknown
# Security: ALLOW_INSECURE_TARGETS defaults to false (HTTPS-only).
# Only docker-test overrides this to reach the local HTTP echo server.
# Production builds MUST NOT set this to true.
ARG ALLOW_INSECURE_TARGETS=false
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
-ldflags "-s -w \
-X main.Version=${VERSION} \
-X main.GitCommit=${GIT_COMMIT} \
-X main.BuildDate=${BUILD_DATE} \
-X 'github.com/cloudblue/chaperone/internal/proxy.allowInsecureTargets=${ALLOW_INSECURE_TARGETS}'" \
-o chaperone ./cmd/chaperone
# =============================================================================
# Stage 2: Runtime (Distroless)
# =============================================================================
# distroless/static keeps the attack surface small: no shell, no package
# manager, only the binary and CA certificates. The missing shell limits what
# an attacker can do after compromising the process; it is not by itself a
# barrier to container escape.
# For reproducible builds, pin the base by digest, e.g.
#   FROM gcr.io/distroless/static:nonroot@sha256:<digest-placeholder>
FROM gcr.io/distroless/static:nonroot
LABEL org.opencontainers.image.title="Chaperone" \
      org.opencontainers.image.description="Secure egress proxy for credential injection" \
      org.opencontainers.image.source="https://github.com/cloudblue/chaperone" \
      org.opencontainers.image.licenses="Apache-2.0"
WORKDIR /app
# The statically-linked binary from stage 1. COPY without --chown leaves it
# owned by root, so the nonroot process cannot modify its own executable.
COPY --from=builder /build/chaperone ./chaperone
# Default Docker config (TLS disabled, minimal allow_list) — for local use only.
# Mount a real config over /app/config.yaml for production.
COPY configs/docker.yaml ./config.yaml
# The nonroot base already defaults to UID 65532; stating USER explicitly keeps
# the non-root requirement visible to reviewers and image scanners.
USER nonroot:nonroot
# 8443: traffic port (mTLS)
# 9090: admin/metrics port (future)
EXPOSE 8443 9090
# No HEALTHCHECK: distroless ships no shell/curl/wget to run one. Instead:
# - Kubernetes: livenessProbe/readinessProbe with httpGet to /_ops/health
# - Docker Compose: healthcheck with curl from host or sidecar container
# - Manual: curl http://localhost:8443/_ops/health (from host, not container)
# Exec-form ENTRYPOINT so the proxy is PID 1 and receives SIGTERM directly;
# CMD holds only the default arguments so they can be overridden at run time:
#   docker run -v /path/to/config.yaml:/app/config.yaml ...
#   docker run -e CHAPERONE_SERVER_ADDR=:9443 ...
ENTRYPOINT ["/app/chaperone"]
CMD ["-config", "/app/config.yaml"]