Dockerfile.init

FROM --platform=$BUILDPLATFORM golang:1.26.4@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479 AS builder
ARG TARGETOS
ARG TARGETARCH
ARG SOURCE_DATE_EPOCH=0
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}

WORKDIR /workspace

COPY go.mod go.mod
COPY go.sum go.sum
COPY vendor/ vendor/
RUN test -f vendor/modules.txt

COPY . .

# Build the init config binary
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
  go build -a -mod=vendor -trimpath -buildvcs=false -ldflags="-buildid=" -o bao-init-config ./cmd/bao-config-init && \
  touch -h -d "@${SOURCE_DATE_EPOCH}" bao-init-config

# Build the wrapper binary
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
  go build -a -mod=vendor -trimpath -buildvcs=false -ldflags="-buildid=" -o bao-wrapper ./cmd/bao-wrapper && \
  touch -h -d "@${SOURCE_DATE_EPOCH}" bao-wrapper

# Build the probe binary
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
  go build -a -mod=vendor -trimpath -buildvcs=false -ldflags="-buildid=" -o bao-probe ./cmd/bao-probe && \
  touch -h -d "@${SOURCE_DATE_EPOCH}" bao-probe

FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240

# The config-init binary is designed to run as a non-root user. We align the
# container user and group IDs with the IDs used by the operator-managed
# StatefulSet PodSecurityContext (UID 100, GID 1000) so that volume ownership
# and security context behave consistently across environments.
USER 100:1000
WORKDIR /

COPY --from=builder /workspace/bao-init-config /bao-init-config
# Copy wrapper to the image
COPY --from=builder /workspace/bao-wrapper /bao-wrapper
# Copy probe to the image
COPY --from=builder /workspace/bao-probe /bao-probe

# Disable Docker-native healthchecks as this is a short-lived Init container
HEALTHCHECK NONE

ENTRYPOINT ["/bao-init-config"]