VOL-3970 lock down deploy image

- use distroless base image for deployment
- use nonroot user/group for image

Change-Id: Id89752d763748c2ce442ae41068705ae682d646a
diff --git a/Makefile b/Makefile
index 494e691..80b793f 100644
--- a/Makefile
+++ b/Makefile
@@ -28,8 +28,9 @@
 DOCKER_EXTRA_ARGS        ?=
 DOCKER_REGISTRY          ?=
 DOCKER_REPOSITORY        ?=
-DOCKER_TAG               ?= ${VERSION}
+DOCKER_TAG               ?= ${VERSION}$(shell [[ ${DOCKER_LABEL_VCS_DIRTY} == "true" ]] && echo "-dirty" || true)
 ADAPTER_IMAGENAME        := ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}voltha-openolt-adapter:${DOCKER_TAG}
+DOCKER_TARGET            ?= prod
 TYPE                     ?= minimal
 
 ## Docker labels. Only set ref and commit date if committed
@@ -78,9 +79,9 @@
 build: docker-build ## Alias for 'docker build'
 
 docker-build: local-protos local-lib-go ## Build openolt adapter docker image (set BUILD_PROFILED=true to also build the profiled image)
-	docker build $(DOCKER_BUILD_ARGS) -t ${ADAPTER_IMAGENAME} -f docker/Dockerfile.openolt .
+	docker build $(DOCKER_BUILD_ARGS) --target ${DOCKER_TARGET} -t ${ADAPTER_IMAGENAME} -f docker/Dockerfile.openolt .
 ifdef BUILD_PROFILED
-	docker build $(DOCKER_BUILD_ARGS) --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}-profile -f docker/Dockerfile.openolt .
+	docker build $(DOCKER_BUILD_ARGS) --target ${DOCKER_TARGET} --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}-profile -f docker/Dockerfile.openolt .
 endif
 
 docker-push: ## Push the docker images to an external repository
diff --git a/docker/Dockerfile.openolt b/docker/Dockerfile.openolt
index f3a97a6..bc31eb3 100644
--- a/docker/Dockerfile.openolt
+++ b/docker/Dockerfile.openolt
@@ -15,13 +15,13 @@
 # -------------
 # Build stage
 
-FROM golang:1.13.8-alpine3.11 AS build-env
+FROM --platform=linux/amd64 golang:1.13.8-alpine3.11 AS dev
 
 # Install required packages
 RUN apk add --no-cache build-base=0.5-r1
 
-# Prepare directory structure
-WORKDIR /go/src/github.com/opencord/voltha-openolt-adapter
+# Use Standard go build directory structure
+WORKDIR /go/src
 COPY . .
 
 ARG EXTRA_GO_BUILD_TAGS=""
@@ -33,29 +33,32 @@
 ARG org_opencord_vcs_commit_date=unknown
 ARG org_opencord_vcs_dirty=unknown
 
-# Build openolt
+# Build
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
-RUN go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /go/bin/openolt \
-	-ldflags \
-	"-X github.com/opencord/voltha-lib-go/v4/pkg/version.version=$org_label_schema_version \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsRef=$org_label_schema_vcs_ref  \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsDirty=$org_opencord_vcs_dirty \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.goVersion=$(go version 2>&1 | sed -E  's/.*go([0-9]+\.[0-9]+\.[0-9]+).*/\1/g') \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.os=$(go env GOHOSTOS) \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.arch=$(go env GOHOSTARCH) \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.buildTime=$org_label_schema_build_date" \
-	 ./cmd/openolt-adapter/
+RUN \
+CGO_ENABLED=0 go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /app/openolt \
+-ldflags \
+"-X github.com/opencord/voltha-lib-go/v4/pkg/version.version=$org_label_schema_version \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsRef=$org_label_schema_vcs_ref \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsDirty=$org_opencord_vcs_dirty \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.goVersion=$(go version 2>&1 | sed -E  's/.*go([0-9]+\.[0-9]+\.[0-9]+).*/\1/g') \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.os=$(go env GOHOSTOS) \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.arch=$(go env GOHOSTARCH) \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.buildTime=$org_label_schema_build_date" \
+./cmd/openolt-adapter/
+
+WORKDIR /app
 
 # -------------
 # Image creation stage
 
-FROM alpine:3.11.3
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot as prod
 
 # Set the working directory
 WORKDIR /app
 
 # Copy required files
-COPY --from=build-env /go/bin/openolt /app/
+COPY --from=dev /app/openolt /app/openolt
 
 # Label image
 ARG org_label_schema_version=unknown
@@ -65,11 +68,14 @@
 ARG org_opencord_vcs_commit_date=unknown
 ARG org_opencord_vcs_dirty=unknown
 
-LABEL org.label-schema.schema-version=1.0 \
-      org.label-schema.name=voltha-openolt-adapter-go \
-      org.label-schema.version=$org_label_schema_version \
-      org.label-schema.vcs-url=$org_label_schema_vcs_url \
-      org.label-schema.vcs-ref=$org_label_schema_vcs_ref \
-      org.label-schema.build-date=$org_label_schema_build_date \
-      org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
-      org.opencord.vcs-dirty=$org_opencord_vcs_dirty
+LABEL \
+org.label-schema.schema-version=1.0 \
+org.label-schema.name=voltha-openolt-adapter-go \
+org.label-schema.version=$org_label_schema_version \
+org.label-schema.vcs-url=$org_label_schema_vcs_url \
+org.label-schema.vcs-ref=$org_label_schema_vcs_ref \
+org.label-schema.build-date=$org_label_schema_build_date \
+org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
+org.opencord.vcs-dirty=$org_opencord_vcs_dirty
+
+USER nonroot:nonroot