Dockerfile.backup
# Backup executor image
#
# This Dockerfile builds a minimal container image for the backup executor
# process used by the OpenBao backup Job. The executor binary is built from
# source in a multi-stage build. The image is configured to run as a non-root
# user, matching the PodSecurityContext used by the backup Job (UID 1000, GID 1000).
#
# Example build (from repo root):
# docker build -f Dockerfile.backup -t openbao-backup:dev .
# Build stage: compiles the bao-backup binary. Nothing from this stage reaches
# the final image except the one file copied out with COPY --from=builder.
# The toolchain image is pinned by tag and by sha256 digest, so the compiler
# cannot change without an edit to this line. --platform=$BUILDPLATFORM runs
# the toolchain on the build host's platform; the target platform is chosen
# through GOOS/GOARCH in the build step below (cross-compilation).
FROM --platform=$BUILDPLATFORM golang:1.26.4@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479 AS builder
# Target platform arguments, declared inside the stage so the build step can
# read them.
# NOTE(review): presumably populated automatically by BuildKit from the
# requested platform; confirm for the builder used in CI.
ARG TARGETOS
ARG TARGETARCH
# Timestamp (seconds since the Unix epoch) stamped onto the built binary.
# Defaults to 0 when no build argument is supplied; it is also exported into
# the stage environment for the build step.
ARG SOURCE_DATE_EPOCH=0
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
WORKDIR /workspace
# Module manifests and the vendored dependency tree are copied ahead of the
# rest of the source so the vendor check below runs before the full copy.
COPY go.mod go.mod
COPY go.sum go.sum
COPY vendor/ vendor/
# Fail early if the vendor tree is missing: the build step uses -mod=vendor,
# so dependencies are resolved from vendor/ rather than fetched from the
# network during the image build.
RUN test -f vendor/modules.txt
# Copies the entire build context into the stage.
# NOTE(review): no .dockerignore is visible from this file; confirm one keeps
# credentials, kubeconfigs and local build output out of the context. This
# stage is not shipped, but its layers can persist in the build cache.
COPY . .
# Static, reproducibility-oriented build:
#   CGO_ENABLED=0     no cgo, matching the "static" distroless runtime base
#   GOOS              falls back to linux when TARGETOS is unset
#   GOARCH            has no fallback; NOTE(review): an empty value presumably
#                     leaves Go on its default architecture, confirm
#   -a                rebuild all packages instead of reusing cached objects
#   -mod=vendor       use only the vendored dependencies
#   -trimpath         strip local filesystem paths from the binary
#   -buildvcs=false   do not embed version-control metadata
#   -ldflags=-buildid= blank the Go build ID
# The touch then sets the binary's modification time to SOURCE_DATE_EPOCH so
# the file timestamp does not vary between builds.
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
go build -a -mod=vendor -trimpath -buildvcs=false -ldflags="-buildid=" -o bao-backup ./cmd/bao-backup && \
touch -h -d "@${SOURCE_DATE_EPOCH}" bao-backup
# Runtime stage: distroless static base, pinned by sha256 digest so the
# runtime filesystem cannot change without an edit to this line. Only the
# compiled binary is added on top of it.
FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240
# The backup executor binary is designed to run as a non-root user. We align the
# container user and group IDs with the IDs used by the operator-managed
# backup Job PodSecurityContext (UID 1000, GID 1000) so that volume ownership
# and security context behave consistently across environments.
# The user is given numerically (UID:GID) rather than by name, which overrides
# the user configured by the ":nonroot" base tag.
USER 1000:1000
WORKDIR /
# No --chown is given, so the binary is copied owned by UID 0 / GID 0 rather
# than by the runtime user (1000): the process can execute it but does not own
# it.
# NOTE(review): confirm the copied file mode is not group- or world-writable.
COPY --from=builder /workspace/bao-backup /backup-executor
# Disable Docker-native healthchecks as this is a short-lived Job container
HEALTHCHECK NONE
# Exec (JSON-array) form: the binary is started directly, with no wrapping
# shell, and receives signals itself.
ENTRYPOINT ["/backup-executor"]