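# syntax=docker/dockerfile:1
# Build stage: compiles the client binary that the runtime stage copies out.
FROM golang:1.25-alpine AS builder
WORKDIR /app
# Copy the source code (the build context should carry a .dockerignore that
# excludes .git, local build output and any .env / credential files).
COPY . .
# Build a static, trimmed Linux binary so it runs on the minimal runtime image.
# The module and build caches are BuildKit cache mounts: they speed up
# rebuilds but never become part of the image layer.
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 GOOS=linux go build -trimpath -o /app/bin/client ./cmd/client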
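# Use a small alpine image for the final container.
# Pinned to a release line instead of :latest so that rebuilds are
# reproducible; for production builds pin the digest too
# (alpine:3.22@sha256:<digest-placeholder>).
FROM alpine:3.22
# Install basic dependencies: what the client and the installer steps below
# need at runtime. Package versions are not pinned because Alpine's
# repositories only keep the current revision of each package; the pinned
# base tag keeps the set stable enough between rebuilds.
RUN apk --no-cache add \
    bash \
    ca-certificates \
    curl \
    gzip \
    jq \
    tar \
    wget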
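# Install kubectl (multi-arch), pinned; override with
# --build-arg KUBECTL_VERSION=vX.Y.Z when bumping.
ARG KUBECTL_VERSION=v1.31.0
# The binary is verified against the .sha256 file published next to it, and
# curl runs with --fail, so a truncated transfer or an HTML error page can no
# longer be chmod'ed into /usr/local/bin/kubectl. An unsupported CPU
# architecture fails the build instead of requesting a file that does not exist.
RUN case "$(uname -m)" in \
      x86_64)  ARCH=amd64 ;; \
      aarch64) ARCH=arm64 ;; \
      *) echo "unsupported architecture: $(uname -m)" >&2; exit 1 ;; \
    esac && \
    curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
    curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \
    chmod +x kubectl && \
    mv kubectl /usr/local/bin/ && \
    rm kubectl.sha256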
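# Install Cilium CLI (multi-arch).
# CILIUM_CLI_VERSION is empty by default, in which case the current stable
# version is looked up at build time (the original behaviour, but every build
# may then pick up a different release). Pass
# --build-arg CILIUM_CLI_VERSION=vX.Y.Z for a reproducible image.
ARG CILIUM_CLI_VERSION=""
# The .sha256sum file comes from the same release as the tarball, so it guards
# against a corrupt or truncated download, not against a compromised origin;
# pinning the version is what narrows that exposure.
RUN case "$(uname -m)" in \
      x86_64)  ARCH=amd64 ;; \
      aarch64) ARCH=arm64 ;; \
      *) echo "unsupported architecture: $(uname -m)" >&2; exit 1 ;; \
    esac && \
    CILIUM_CLI_VERSION="${CILIUM_CLI_VERSION:-$(curl -fsSL https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)}" && \
    test -n "${CILIUM_CLI_VERSION}" && \
    curl -fsSL --remote-name-all "https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${ARCH}.tar.gz{,.sha256sum}" && \
    sha256sum -c "cilium-linux-${ARCH}.tar.gz.sha256sum" && \
    tar xzfC "cilium-linux-${ARCH}.tar.gz" /usr/local/bin && \
    rm "cilium-linux-${ARCH}.tar.gz" "cilium-linux-${ARCH}.tar.gz.sha256sum"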
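# Install Trivy (multi-arch).
# TRIVY_VERSION is empty by default and is then resolved from the GitHub
# "latest" release at build time (the original behaviour). Pass
# --build-arg TRIVY_VERSION=X.Y.Z (no leading "v") for a reproducible image.
ARG TRIVY_VERSION=""
# The API lookup runs with curl --fail, so an unauthenticated rate-limit
# response (a JSON error body with HTTP 403) fails the build instead of
# producing an empty version and a garbage download URL. The tarball is checked
# against the release's checksums file before it is unpacked, and only the
# trivy binary is extracted so the LICENSE/README/contrib files of the archive
# do not litter the image.
RUN case "$(uname -m)" in \
      x86_64)  TRIVY_ARCH=64bit ;; \
      aarch64) TRIVY_ARCH=ARM64 ;; \
      *) echo "unsupported architecture: $(uname -m)" >&2; exit 1 ;; \
    esac && \
    TRIVY_VERSION="${TRIVY_VERSION:-$(curl -fsSL https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's/^v//')}" && \
    test -n "${TRIVY_VERSION}" && \
    TARBALL="trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" && \
    CHECKSUMS="trivy_${TRIVY_VERSION}_checksums.txt" && \
    curl -fsSLO "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${TARBALL}" && \
    curl -fsSLO "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${CHECKSUMS}" && \
    grep " ${TARBALL}\$" "${CHECKSUMS}" | sha256sum -c - && \
    tar xzf "${TARBALL}" trivy && \
    mv trivy /usr/local/bin/ && \
    rm "${TARBALL}" "${CHECKSUMS}"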
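# Install Helm (multi-arch), pinned; override with
# --build-arg HELM_VERSION=vX.Y.Z when bumping.
ARG HELM_VERSION=v3.16.3
# The tarball is verified against the .sha256 file get.helm.sh publishes next
# to it (the first field is used, so both the bare-hash and the
# "hash  filename" layouts are accepted). Only the helm binary is extracted.
RUN case "$(uname -m)" in \
      x86_64)  ARCH=amd64 ;; \
      aarch64) ARCH=arm64 ;; \
      *) echo "unsupported architecture: $(uname -m)" >&2; exit 1 ;; \
    esac && \
    TARBALL="helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" && \
    curl -fsSLO "https://get.helm.sh/${TARBALL}" && \
    curl -fsSLO "https://get.helm.sh/${TARBALL}.sha256" && \
    echo "$(cut -d' ' -f1 "${TARBALL}.sha256")  ${TARBALL}" | sha256sum -c - && \
    tar xzf "${TARBALL}" "linux-${ARCH}/helm" && \
    mv "linux-${ARCH}/helm" /usr/local/bin/ && \
    rm -rf "${TARBALL}" "${TARBALL}.sha256" "linux-${ARCH}"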
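# Pre-download the Trivy vulnerability database during the build so the
# client does not need internet access at runtime.
# NOTE: the database is a snapshot taken when the image is built; scans that
# run against it with --skip-db-update cannot know about vulnerabilities
# published afterwards, so the image has to be rebuilt regularly to stay useful.
#
# The container runs as a dedicated unprivileged user. The cache is kept under
# that user's home (rather than /root, which is typically mode 0700 on alpine)
# so it stays readable after root is dropped. TRIVY_CACHE_DIR below points at
# the new location, so tooling that reads the variable needs no change.
RUN addgroup -S -g 10001 client && \
    adduser -S -D -u 10001 -G client -h /home/client client && \
    mkdir -p /home/client/.cache/trivy && \
    trivy image --download-db-only --cache-dir /home/client/.cache/trivy && \
    chown -R client:client /home/client
# /app stays root-owned and read-only for the runtime user; if the client has
# to write into its working directory, chown it to client:client here.
WORKDIR /app
# Runtime environment: Trivy in offline mode against the pre-downloaded DB,
# plus an explicit HOME so tools that cache under ~ (kubectl, helm) have a
# writable directory.
ENV HOME=/home/client \
    TRIVY_OFFLINE=true \
    TRIVY_CACHE_DIR=/home/client/.cache/trivy \
    TRIVY_DB_REPOSITORY=""
# Copy the binary from the builder stage, owned by the runtime user.
COPY --from=builder --chown=client:client /app/bin/client .
USER client
# Verify, as the runtime user, that every tool runs. `trivy --version` also
# prints the cached DB metadata when it can read the cache directory, which
# checks the ownership change above. A build-time sample scan is deliberately
# omitted: it would pull an image over the network during the build and its
# outcome was not checked.
RUN kubectl version --client=true && \
    cilium version --client && \
    helm version --short && \
    trivy --version && \
    jq --version && \
    bash --version
# Run the client (exec form: the binary is PID 1 and receives SIGTERM directly)
CMD ["/app/client"]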