Merge pull request #1765 from simonbaird/dockerfile-consistency

Increase Dockerfile consistency between upstream and downstream
enterprise-contract · Jul 18, 2024 · 3ba6e2c · 3ba6e2c
2 parents 4fafa08 + f9355b1
commit 3ba6e2c
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -20,6 +20,11 @@ FROM docker.io/library/golang:1.21 AS build
 
 ARG TARGETOS
 ARG TARGETARCH
+ARG BUILD_SUFFIX=""
+ARG BUILD_LIST="${TARGETOS}_${TARGETARCH}"
+
+# Avoid safe directory git failures building with default user from go-toolset
+USER root
 
 WORKDIR /build
 
@@ -30,16 +35,43 @@ RUN go mod download
 # Now copy everything including .git
 COPY . .
 
-RUN /build/build.sh "${TARGETOS}_${TARGETARCH}"
+RUN /build/build.sh "${BUILD_LIST}" "${BUILD_SUFFIX}"
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a
 
 ARG TARGETOS
 ARG TARGETARCH
 
+LABEL \
+  name="ec-cli" \
+  description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
+  io.k8s.description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
+  summary="Provides the binaries for downloading the EC CLI. Also used as a Tekton task runner image for EC tasks. Upstream build." \
+  io.k8s.display-name="Enterprise Contract" \
+  io.openshift.tags="enterprise-contract ec opa cosign sigstore"
+
+# Install tools we want to use in the Tekton task
 RUN microdnf upgrade --assumeyes --nodocs --setopt=keepcache=0 --refresh && microdnf -y --nodocs --setopt=keepcache=0 install git-core jq
 
+# Copy all the binaries so they're available to extract and download
+# (Beware if you're testing this locally it will copy everything from
+# your dist directory, not just the freshly built binaries.)
+COPY --from=build /build/dist/* /usr/local/bin/
+
+# Gzip them because that's what the cli downloader image expects, see
+# https://github.com/securesign/cosign/blob/main/Dockerfile.client-server-re.rh
+RUN gzip /usr/local/bin/ec_*
+
 # Copy the one ec binary that can run in this container
 COPY --from=build "/build/dist/ec_${TARGETOS}_${TARGETARCH}" /usr/local/bin/ec
 
+# OpenShift preflight check requires a license
+COPY --from=build /build/LICENSE /licenses/LICENSE
+
+# OpenShift preflight check requires a non-root user
+USER 1001
+
+# Show some version numbers for troubleshooting purposes
+RUN git version && jq --version && ec version && ls -l /usr/local/bin
+
 ENTRYPOINT ["/usr/local/bin/ec"]
diff --git a/Dockerfile.dist b/Dockerfile.dist
@@ -21,10 +21,10 @@
 
 FROM registry.access.redhat.com/ubi9/go-toolset:1.21@sha256:ae17d73e70a966f39ef4dfca74241e3ca4374cd1198b02c30ea0748b8dcc83a6 AS build
 
-ARG BUILD_SUFFIX="redhat"
-ARG BUILD_LIST="darwin_amd64 darwin_arm64 linux_amd64 linux_arm64 linux_ppc64le linux_s390x windows_amd64"
 ARG TARGETOS
 ARG TARGETARCH
+ARG BUILD_SUFFIX="redhat"
+ARG BUILD_LIST="darwin_amd64 darwin_arm64 linux_amd64 linux_arm64 linux_ppc64le linux_s390x windows_amd64"
 
 # Avoid safe directory git failures building with default user from go-toolset
 USER root
@@ -51,7 +51,7 @@ LABEL \
   name="ec-cli" \
   description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
   io.k8s.description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
-  summary="Provides the binaries for downloading the EC CLI. Also used as a Tekton task runner image for EC tasks." \
+  summary="Provides the binaries for downloading the EC CLI. Also used as a Tekton task runner image for EC tasks. Red Hat build." \
   io.k8s.display-name="Enterprise Contract for Red Hat Trusted Artifact Signer" \
   io.openshift.tags="rhtas rhtap trusted-artifact-signer trusted-application-pipeline enterprise-contract ec opa cosign sigstore" \
   com.redhat.component="ec-cli"
@@ -65,7 +65,7 @@ RUN microdnf upgrade --assumeyes --nodocs --setopt=keepcache=0 --refresh && micr
 COPY --from=build /build/dist/* /usr/local/bin/
 
 # Gzip them because that's what the cli downloader image expects, see
-# https://github.com/securesign/sigstore-ocp/blob/main/images/Dockerfile-clientserver
+# https://github.com/securesign/cosign/blob/main/Dockerfile.client-server-re.rh
 RUN gzip /usr/local/bin/ec_*
 
 # Copy the one ec binary that can run in this container