From c7a2e10fa0dcb780ae5aa103079bc8830449cf03 Mon Sep 17 00:00:00 2001
From: Olivier Bazoud
Date: Fri, 3 Oct 2025 09:44:56 +0200
Subject: [PATCH 1/5] fix(build): include CA certificates in Docker image (#483)
Ensure the image contains trusted CA certificates so the app can establish secure HTTPS connections to AWS services. Without them, TLS handshakes fail with **x509: certificate signed by unknown authority**: `failed to check if infra exists: operation error SQS: GetQueueUrl, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sqs.eu-west-1.amazonaws.com/": tls: failed to verify certificate: x509: certificate signed by unknown authority`
---
 build/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build/Dockerfile b/build/Dockerfile
index 644e5451..1084b43a 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -12,6 +12,7 @@ RUN go build -o ./bin/outpost ./cmd/outpost/main.go && \
 # Stage 1
 # Copy binaries to a new image
 FROM scratch
+COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=0 /app/bin/outpost /bin/outpost
 COPY --from=0 /app/bin/outpost-server /bin/outpost-server
 COPY --from=0 /app/bin/outpost-migrate-redis /bin/outpost-migrate-redis
From 1fdd90e51d74d2a6dd641acaab075ba156186597 Mon Sep 17 00:00:00 2001
From: Olivier Bazoud
Date: Fri, 3 Oct 2025 09:45:34 +0200
Subject: [PATCH 2/5] =?UTF-8?q?chore(build):=20Copy=20go=20mod=20files=20f?= =?UTF-8?q?irst=20to=20leverage=20Docker=20layer=20cachin=E2=80=A6=20(#482?= =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* chore(build): Copy go mod files first to leverage Docker layer caching for dependencies
* chore(build): reorder WORKDIR command
---
 build/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/build/Dockerfile b/build/Dockerfile
index 1084b43a..b025cb5b 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -2,6 +2,8 @@ # Build the binaries FROM golang:1.23-alpine WORKDIR /app +COPY go.mod go.sum ./ +RUN go mod download COPY . . # Build all binaries From 6e89730e441b4dc295467f40955f6d8057424de9 Mon Sep 17 00:00:00 2001 From: Alex Luong Date: Fri, 3 Oct 2025 14:47:14 +0700 Subject: [PATCH 3/5] chore: rename to dockerfile.example --- build/{Dockerfile => Dockerfile.example} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename build/{Dockerfile => Dockerfile.example} (100%) diff --git a/build/Dockerfile b/build/Dockerfile.example similarity index 100% rename from build/Dockerfile rename to build/Dockerfile.example From f737d2df310db8c77506c9c9a7c0ca9a16efc1a9 Mon Sep 17 00:00:00 2001 From: Alex Luong Date: Fri, 3 Oct 2025 14:54:56 +0700 Subject: [PATCH 4/5] chore: update dockerfile.example to include entrypoint.sh --- build/Dockerfile.example | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/build/Dockerfile.example b/build/Dockerfile.example index b025cb5b..837c80bc 100644 --- a/build/Dockerfile.example +++ b/build/Dockerfile.example 
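Review bot: The new `RUN go mod download` in patch 2/5 (build stage of build/Dockerfile) fetches the dependencies but never confirms afterwards that the module cache still matches the hashes recorded at download time; chaining the check into the same layer, `RUN go mod download && go mod verify`, makes the build fail on a mismatch instead of compiling whatever is in the cache. A one-line comment above `COPY go.mod go.sum ./`, such as `# Copy module manifests first so the dependency layer stays cached until go.mod/go.sum change`, would record why the order matters. The build stage continues past the end of this hunk, so the `go build` commands that consume the downloaded modules are not visible here.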
@@ -12,12 +12,23 @@ RUN go build -o ./bin/outpost ./cmd/outpost/main.go && \ go build -o ./bin/outpost-migrate-redis ./cmd/outpost-migrate-redis/main.go # Stage 1 +# Get busybox shell for entrypoint script +FROM busybox:1.36-musl AS busybox + +# Stage 2 # Copy binaries to a new image -FROM scratch -COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -COPY --from=0 /app/bin/outpost /bin/outpost -COPY --from=0 /app/bin/outpost-server /bin/outpost-server -COPY --from=0 /app/bin/outpost-migrate-redis /bin/outpost-migrate-redis +FROM gcr.io/distroless/base-debian12:nonroot + +# Copy statically linked shell from busybox for entrypoint script +COPY --from=busybox /bin/sh /bin/sh + +# Copy all binaries +COPY --from=0 /app/bin/outpost /usr/local/bin/outpost +COPY --from=0 /app/bin/outpost-server /usr/local/bin/outpost-server +COPY --from=0 /app/bin/outpost-migrate-redis /usr/local/bin/outpost-migrate-redis + +# Copy entrypoint script +COPY --from=0 /app/build/entrypoint.sh /usr/local/bin/entrypoint.sh -# Default to running the server -ENTRYPOINT ["/bin/outpost", "serve"] +# Default entrypoint runs migrations and starts server +ENTRYPOINT ["/bin/sh", "/usr/local/bin/entrypoint.sh"] From 0546e9c475cc86831845ab7f27629633907f3899 Mon Sep 17 00:00:00 2001 From: Alex Luong Date: Fri, 3 Oct 2025 14:55:05 +0700 Subject: [PATCH 5/5] chore: comment --- build/Dockerfile.example | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/build/Dockerfile.example b/build/Dockerfile.example index 837c80bc..869529e9 100644 --- a/build/Dockerfile.example +++ b/build/Dockerfile.example 
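Review bot: In patch 4/5, `COPY --from=busybox /bin/sh /bin/sh` puts a shell into `gcr.io/distroless/base-debian12:nonroot`, an image whose hardening value comes largely from shipping no shell, so the final image gives up part of that property just to run `entrypoint.sh`. If the shell has to stay, state the trade-off in the comment above the COPY, for example `# Trade-off: adds a shell to the distroless image; needed only for entrypoint.sh`, and pin both new bases by digest (`FROM busybox:1.36-musl@sha256:<digest> AS busybox`, likewise for the distroless line), since a mutable tag lets the shell binary and the runtime base change between builds. `entrypoint.sh` itself is not part of this hunk; it should finish by `exec`-ing the server so the server replaces the shell and receives SIGTERM directly, which is worth confirming. The hunk also mixes the index reference `--from=0` with the named `--from=busybox`; the build stage's `FROM` line is outside this hunk, but naming that stage would keep these COPY lines correct if stages are ever reordered.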
@@ -1,3 +1,15 @@
+# ⚠️ IMPORTANT: This Dockerfile is for REFERENCE ONLY and is NOT production-ready.
+#
+# We do NOT recommend using this Dockerfile in production. Instead, use the official
+# hookdeck/outpost image from Docker Hub:
+# docker pull hookdeck/outpost:latest
+#
+# The official image is optimized, regularly updated, and fully supported.
+#
+# This example is provided for educational purposes and as a starting point for
+# custom builds. If you need help with custom deployments, please create a
+# discussion at: https://github.com/hookdeck/outpost/discussions
+
 # Stage 0
 # Build the binaries
 FROM golang:1.23-alpine
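Review bot: The header comment added in patch 5/5 steers production users to `docker pull hookdeck/outpost:latest`, a mutable tag, so the image they end up running is not reproducible and can change without any action on their side. Point the example at a release tag or digest instead, e.g. `#   docker pull hookdeck/outpost:<release-tag>`, and say in the same comment that production deployments should pin it. The rest of the hunk is comment text only; the `FROM golang:1.23-alpine` context line opens a build stage that continues outside this hunk.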