Move to Quay; build improvements

.dockerignore

@@ -0,0 +1 @@
+.gitignore

.gitlab-ci.yml

@@ -1,47 +1,39 @@
 variables:
+  CI_REGISTRY: quay.io
   GL_URL: github.com/rb3ckers
   GO_PROJECT_NAMESPACE: trafficmirror
   IMAGE_FAMILY: stackstate/trafficmirror
-  CI_REGISTRY: docker.io
-
-.prep_go: &prep_go
-  before_script:
-    - echo export GO_PROJECT_PATH="$GOPATH/src/$GL_URL/$GO_PROJECT_NAMESPACE"
-    - export GO_PROJECT_PATH="$GOPATH/src/$GL_URL/$GO_PROJECT_NAMESPACE"
-    - rm -rf $GOPATH/src/$GL_URL
-    - mkdir -p $GOPATH/src/$GL_URL
-    - echo ln -s $(pwd) $GO_PROJECT_PATH
-    - ln -s $(pwd) $GO_PROJECT_PATH
-    - cd $GO_PROJECT_PATH
 
 stages:
   - build
   - docker_build
 
 go_build:
-  <<: *prep_go
   stage: build
-  image: golang:1.11
+  image: docker:stable
   script:
-    - go get github.com/golang/dep/cmd/dep
-    - dep ensure
-    - mkdir -p build
-    - env GOOS=linux GOARCH=amd64 go build -o build/trafficmirror
-    - ls -la $GO_PROJECT_PATH/
+    - docker build
+      --tag "${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}"
+      --target builder
+      ${PWD}
+    - docker run
+      --volume ${PWD}/build:/opt/copy
+      --rm
+      --entrypoint cp
+      "${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}"
+      /build/trafficmirror /opt/copy/
   artifacts:
     paths:
       - build
     expire_in: 1 week
 
 docker_build:
   stage: docker_build
-  image: docker:latest
-  dependencies:
-    - go_build
-  services:
-    - docker:dind
+  image: docker:stable
   script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
-    - docker build -t $IMAGE_FAMILY:${CI_BUILD_REF:-dirty} .
-    - echo docker push $IMAGE_FAMILY:${CI_BUILD_REF:-dirty}
-    - docker push $IMAGE_FAMILY:${CI_BUILD_REF:-dirty}
+    - echo "${quay_password}" | docker login --username=${quay_user} --password-stdin ${CI_REGISTRY}
+    - docker build
+      --tag ${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty
+      --target app
+      ${PWD}
+    - docker push "${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}"

Dockerfile

@@ -1,10 +1,49 @@
-FROM debian:stretch
+###########
+# Builder #
+###########
 
-ADD ./init.sh /init.sh
-RUN chmod +x /init.sh && apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+FROM golang:1.11-alpine AS builder
 
-ADD build/trafficmirror /trafficmirror
+RUN apk add --no-cache git
 
-CMD ["/init.sh"]
+COPY . $GOPATH/src/github.com/rb3ckers/trafficmirror
+
+WORKDIR $GOPATH/src/github.com/rb3ckers/trafficmirror
+
+RUN set -ex \
+    && go get -u -v github.com/golang/dep/cmd/dep \
+    && dep ensure -v \
+    && GOOS=linux GOARCH=amd64 go build -o /build/trafficmirror
+
+RUN /build/trafficmirror --help
+
+#######
+# App #
+#######
+
+FROM alpine:latest AS app
+
+ENV PERSISTENT_PACKAGES="ca-certificates tini"
+
+# Copy support files
+COPY rootfs /
+
+# Upgrade OS packages for security
+RUN apk upgrade --no-cache --available \
+    && apk add --no-cache ${PERSISTENT_PACKAGES}
+
+# Copy artifacts from builder container
+COPY --from=builder /build/trafficmirror /trafficmirror
+
+# Create non-root user
+RUN addgroup -S -g 1000 stackstate && \
+    adduser -S -u 1000 -G stackstate -s /bin/sh stackstate
+
+# Switch to non-root user
+USER stackstate
 
 EXPOSE 8080
+
+ENTRYPOINT ["/sbin/tini", "--"]
+
+CMD ["/docker-entrypoint.sh"]

build-linux.sh

@@ -1,2 +1,3 @@
-#! /bin/bash
-env GOOS=linux GOARCH=amd64 go build
+#!/bin/bash
+
+env GOOS=linux GOARCH=amd64 go build

build-mac.sh

@@ -1,2 +1,3 @@
-#! /bin/bash
-env GOOS=darwin GOARCH=386 go build
+#!/bin/bash
+
+env GOOS=darwin GOARCH=386 go build

rootfs/docker-entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Takes these environment variables:
+#
+# LISTEN_PORT: port to listen on (defaults to 8080)
+# MAIN: reverse proxy to this address (defaults to localhost:8888)
+# USERNAME & PASSWORD: if USERNAME is set protect targets endpoint with basic auth (default to empty)
+
+extraParams="${1}"
+listenPort="${LISTEN_PORT:-8080}"
+main="${MAIN:-localhost:8888}"
+
+if [ -n "${USERNAME}" ]; then
+  echo "${USERNAME}:${PASSWORD}" > /password.file
+  extraParams="${extraParams} -password /password.file"
+fi
+
+cmd="/trafficmirror -listen ":${listenPort}" -main=${main} ${extraParams}"
+
+exec "${cmd}"