mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
9a6ffcd844
* Make UBI safer from OS vulnerabilities * Add missing files * Use correct packages * Fix CVEs
35 lines
No EOL
1.5 KiB
Text
35 lines
No EOL
1.5 KiB
Text
FROM registry.access.redhat.com/ubi8/ubi as minimal-ubi
|
|
|
|
ARG TARGETOS
|
|
ARG TARGETARCH
|
|
RUN dnf update -y && dnf install -y binutils
|
|
# prep target rootfs for scratch container
|
|
WORKDIR /
|
|
RUN mkdir /image && \
|
|
ln -s usr/bin /image/bin && \
|
|
ln -s usr/sbin /image/sbin && \
|
|
ln -s usr/lib64 /image/lib64 && \
|
|
ln -s usr/lib /image/lib && \
|
|
mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev}
|
|
|
|
COPY ubi-build-files-${TARGETARCH}.txt /tmp
|
|
# Copy all the required files from the base UBI image into the image directory
|
|
# As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
|
|
RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${TARGETARCH}.txt && tar xf /tmp/files.tar -C /image/ \
|
|
&& strip --strip-unneeded /image/usr/lib64/*[0-9].so
|
|
|
|
# Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
|
|
RUN rpm --root /image --initdb \
|
|
&& PACKAGES=$(rpm -qf $(cat /tmp/ubi-build-files-${TARGETARCH}.txt) | grep -v "is not owned by any package" | sort -u) \
|
|
&& echo dnf install -y 'dnf-command(download)' \
|
|
&& dnf download --destdir / ${PACKAGES} \
|
|
&& rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
|
|
|
|
FROM scratch
|
|
# Copy all required files + rpm database so the image is scannable
|
|
COPY --from=minimal-ubi /image/ /
|
|
USER 65534
|
|
ARG TARGETOS
|
|
ARG TARGETARCH
|
|
COPY bin/external-secrets-${TARGETOS}-${TARGETARCH} /bin/external-secrets
|
|
ENTRYPOINT ["/bin/external-secrets"] |