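# Multi-stage Dockerfile for ACS MCP Server build on Konflux
#
# Stages:
#   1. builder           - compiles the Go binary
#   2. ubi-micro-base    - pristine ubi-micro, kept so its rpmdb is preserved
#   3. package_installer - installs ca-certificates/openssl into a copy of (2)
#   4. runtime           - (2) + the package tree from (3) + the binary from (1)

# Stage 1: Builder - Build the Go binary
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:071786da0259b1c8488b05aaa7e8ad3e93d601b578b532bc11f78f5e8926c6d3 AS builder

# Build arguments for application version and branding.
# They are baked into the binary through -ldflags -X below. Build args are
# visible in the image history, so only non-sensitive values belong here.
ARG VERSION=dev
ARG SERVER_NAME="acs-mcp-server"
ARG PRODUCT_DISPLAY_NAME="Red Hat Advanced Cluster Security (ACS)"

# Set working directory
WORKDIR /workspace

# Copy source code (a .dockerignore should keep .git, build output and local
# config files out of the build context)
COPY . .

# Build the binary with optimizations.
# Output to "/tmp" directory, because user can not copy built binary to "/workspace".
# Go build uses "vendor" mode and that fails, that's why explicit "-mod=mod" is set.
# The file mode is set to g=u (0775) here, in the builder, so the runtime stage
# can COPY the binary with its final owner and mode and never has to chown/chmod
# an already-copied layer (which would duplicate the binary in the image).
RUN GOOS=$(go env GOOS) GOARCH=$(go env GOARCH) \
    go build \
        -mod=mod \
        -ldflags="-w -s \
            -X 'github.com/stackrox/stackrox-mcp/internal/config.version=${VERSION}' \
            -X 'github.com/stackrox/stackrox-mcp/internal/config.serverName=${SERVER_NAME}' \
            -X 'github.com/stackrox/stackrox-mcp/internal/config.productDisplayName=${PRODUCT_DISPLAY_NAME}'" \
        -trimpath \
        -o /tmp/stackrox-mcp \
        ./cmd/stackrox-mcp \
    && chmod 0775 /tmp/stackrox-mcp

# Stage 2: Runtime base - used to preserve rpmdb when installing packages
# The digest pins the exact image; the ":latest" tag is informational only.
FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:2173487b3b72b1a7b11edc908e9bbf1726f9df46a4f78fd6d19a2bab0a701f38 AS ubi-micro-base

# Stage 3: Package installer - installs ca-certificates and openssl into /ubi-micro-base-root/
# The full UBI image is used only because it ships dnf; nothing from this stage
# other than /ubi-micro-base-root/ reaches the runtime image.
FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:8805abe5b8a32c826d46926c069f20e6a7f854d59d5bd75c55e68278aea65ccc AS package_installer

# Copy ubi-micro base to /ubi-micro-base-root/ to preserve its rpmdb
COPY --from=ubi-micro-base / /ubi-micro-base-root/

# Install packages directly to /ubi-micro-base-root/ using --installroot
# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
# install_weak_deps=False and --nodocs keep the installed tree minimal; the
# cache is cleaned in the same layer so it never lands in the image.
# hadolint ignore=DL3041 # We are installing ca-certificates and openssl only to include trusted certs.
RUN dnf install -y \
        --installroot=/ubi-micro-base-root/ \
        --releasever=9 \
        --setopt=install_weak_deps=False \
        --setopt=reposdir=/etc/yum.repos.d \
        --nodocs \
        ca-certificates \
        openssl && \
    dnf clean all --installroot=/ubi-micro-base-root/ && \
    rm -rf /ubi-micro-base-root/var/cache/*

# Stage 4: Runtime - Minimal runtime image
FROM ubi-micro-base

# Set default environment variables
ENV LOG_LEVEL=INFO

# Set working directory (created by WORKDIR as root; ownership is fixed below)
WORKDIR /app

# Overlay the ubi-micro tree that had ca-certificates/openssl installed into it,
# so the runtime image carries the trusted CA bundle and an rpmdb that lists it.
COPY --from=package_installer /ubi-micro-base-root/ /

# Copy binary from builder with its final owner (UID 4000, GID 0). The g=u mode
# was already applied in the builder stage and COPY preserves it, so the binary
# is written into the image exactly once.
COPY --from=builder --chown=4000:0 /tmp/stackrox-mcp /app/stackrox-mcp

# Set ownership for OpenShift arbitrary UID support on the /app directory itself.
# Directory owned by 4000, group 0 (root), with group permissions matching user.
# Only the directory inode is touched here; a recursive chown/chmod would copy
# the binary up into a second layer.
RUN chown 4000:0 /app && \
    chmod g=u /app

# Switch to non-root user (can be overridden by OpenShift SCC)
USER 4000

# Expose port for MCP server (documentation only; 8080 is unprivileged, so it
# binds fine as UID 4000)
EXPOSE 8080

# Run the application (exec form: the binary is PID 1 and receives SIGTERM)
ENTRYPOINT ["/app/stackrox-mcp"]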