VOL-3970 lock down deploy image - use distroless base image for deployment - use nonroot user/group for image Change-Id: Ic79455b86e1b03dee3f8918858ecf9bd82976252

commit: 3d5ac93dd84ecea101cc068977f03c53776499ca [log] [tgz]
author: David K. Bainbridge <dbainbri@ciena.com> Tue Apr 06 18:08:35 2021 +0000
committer: David K. Bainbridge <dbainbri@ciena.com> Tue Apr 06 18:08:35 2021 +0000
tree: b39f2a2cbea5c20318718922da6538221f484e05
parent: 0ee1865976b0e80ab195457916fb7d428303edcc [diff] [blame]
diff --git a/docker/Dockerfile.ofagent-go b/docker/Dockerfile.ofagent-go
index 8de0b9b..663a0ae 100644
--- a/docker/Dockerfile.ofagent-go
+++ b/docker/Dockerfile.ofagent-go

@@ -15,15 +15,12 @@
 # -------------
 # Build stage
 
-ARG GOLANG_IMAGE=golang:1.13.8-alpine3.11
-ARG DEPLOY_IMAGE=gcr.io/distroless/static:nonroot
-ARG IMAGE_OS=linux
-ARG IMAGE_ARCH=amd64
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH  $GOLANG_IMAGE AS build-env
+FROM --platform=linux/amd64  golang:1.13.8-alpine3.11 AS dev
 
-WORKDIR /src/
-COPY . /src/
+WORKDIR /go/src
+COPY . .
+
+ARG EXTRA_GO_BUILD_TAGS=""
 
 ARG org_label_schema_version=unknown
 ARG org_label_schema_vcs_url=unknown
@@ -32,13 +29,10 @@
 ARG org_opencord_vcs_commit_date=unknown
 ARG org_opencord_vcs_dirty=unknown
 
-ARG EXTRA_GO_BUILD_TAGS=""
-
-# Build ofagent-go
+# Build
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 RUN \
-CGO_ENABLED=0 GOOS=$IMAGE_OS GOARCH=$IMAGE_ARCH \
-go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /build/ofagent \
+CGO_ENABLED=0 go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /app/ofagent \
 -ldflags \
 "-X github.com/opencord/voltha-lib-go/v2/pkg/version.version=$org_label_schema_version \
 -X github.com/opencord/voltha-lib-go/v2/pkg/version.vcsRef=$org_label_schema_vcs_ref \
@@ -49,16 +43,17 @@
 -X github.com/opencord/voltha-lib-go/v2/pkg/version.buildTime=$org_label_schema_build_date" \
 ./cmd/ofagent
 
+WORKDIR /app
+
 # -------------
 # Image creation stage
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH $DEPLOY_IMAGE
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot AS prod
 
 # Set the working directory
 WORKDIR /app
 
 # Copy required files
-COPY --from=build-env /build/ofagent /app/ofagent
+COPY --from=dev /app/ofagent /app/ofagent
 
 # Label image
 ARG org_label_schema_version=unknown
@@ -67,8 +62,6 @@
 ARG org_label_schema_build_date=unknown
 ARG org_opencord_vcs_commit_date=unknown
 ARG org_opencord_vcs_dirty=unknown
-ARG IMAGE_USER=nonroot
-ARG IMAGE_GROUP=nonroot
 
 LABEL \
 org.label-schema.schema-version=1.0 \
@@ -80,4 +73,4 @@
 org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
 org.opencord.vcs-dirty=$org_opencord_vcs_dirty
 
-USER $IMAGE_USER:$IMAGE_GROUP
+USER nonroot:nonroot
commit	3d5ac93dd84ecea101cc068977f03c53776499ca	[log] [tgz]
author	David K. Bainbridge <dbainbri@ciena.com>	Tue Apr 06 18:08:35 2021 +0000
committer	David K. Bainbridge <dbainbri@ciena.com>	Tue Apr 06 18:08:35 2021 +0000
tree	b39f2a2cbea5c20318718922da6538221f484e05
parent	0ee1865976b0e80ab195457916fb7d428303edcc [diff] [blame]