Build multi arch kratos image with patched vulns

ddelnano · ddelnano · commit 75010e00455d · 2025-07-24T21:41:06.000Z
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/k8s/cloud/base/ory_auth/kratos/kratos_deployment.yaml b/k8s/cloud/base/ory_auth/kratos/kratos_deployment.yaml
@@ -49,7 +49,7 @@ spec:
           # yamllint disable-line rule:line-length
           value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
         imagePullPolicy: IfNotPresent
-        image: docker.io/ddelnano/kratos:v1.3.1-go1.23@sha256:66540a7f62864e4555a744ed0db2294331a500ddb634846ec2cde1064ce459da
+        image: ghcr.io/pixie-io/kratos:1.3.1-scratch@sha256:8855cd72b9a5ffa25cc5588b4dc72b40c1b367c7fbe9fd3b1d1a477e731abfdd
         resources: {}
         securityContext:
           allowPrivilegeEscalation: false
@@ -135,7 +135,7 @@ spec:
         - name: SELFSERVICE_FLOWS_ERROR_UI_URL
           value: https://$(PL_WORK_DOMAIN)/auth/password/error
         imagePullPolicy: IfNotPresent
-        image: docker.io/ddelnano/kratos:v1.3.1-go1.23@sha256:66540a7f62864e4555a744ed0db2294331a500ddb634846ec2cde1064ce459da
+        image: ghcr.io/pixie-io/kratos:1.3.1-scratch@sha256:8855cd72b9a5ffa25cc5588b4dc72b40c1b367c7fbe9fd3b1d1a477e731abfdd
         ports:
         - containerPort: 4433
         - containerPort: 4434
diff --git a/tools/docker/Makefile b/tools/docker/Makefile
@@ -119,6 +119,10 @@ LINUX_HEADERS_GS_PATH := gs://pixie-dev-public/linux-headers/$(LINUX_HEADERS_REV
 NATS_IMAGE_VERSION := 2.9.25
 nats_image_tag := "ghcr.io/pixie-io/nats:$(NATS_IMAGE_VERSION)-scratch"
 
+## Ory image parameters.
+KRATOS_IMAGE_VERSION := 1.3.1
+kratos_image_tag := "ghcr.io/pixie-io/kratos:$(KRATOS_IMAGE_VERSION)-scratch"
+
 ## Copybara image parameters.
 COPYBARA_IMAGE_VERSION := 20210420
 copybara_image_tag := "gcr.io/pixie-oss/pixie-dev-public/copybara:$(COPYBARA_IMAGE_VERSION)"
@@ -276,6 +280,15 @@ build_and_upload_nats_image:
 		-t $(nats_image_tag) \
 		--push
 
+.PHONY: build_and_upload_kratos_image
+build_and_upload_kratos_image:
+	$(DOCKER) buildx build kratos_image \
+		--platform linux/amd64,linux/arm64 \
+		--build-arg=KRATOS_VERSION="v$(KRATOS_IMAGE_VERSION)" \
+		--build-arg=BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \
+		-t $(kratos_image_tag) \
+		--push
+
 .PHONY: build_and_upload_copybara_image
 build_and_upload_copybara_image:
 	$(DOCKER) build copybara -t $(copybara_image_tag)
diff --git a/tools/docker/kratos_image/Dockerfile b/tools/docker/kratos_image/Dockerfile
@@ -0,0 +1,42 @@
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine@sha256:9fadeb603e14f1f3e08bdbec6681fa14446053c498a554f3e57260bf892c487e AS build
+
+ARG TARGETOS TARGETARCH
+ARG KRATOS_VERSION
+
+ARG GOOS=$TARGETOS
+ARG GOARCH=$TARGETARCH
+
+WORKDIR /src
+
+RUN apk update
+RUN apk add git
+
+RUN git clone --depth 1 https://github.com/ory/kratos.git
+WORKDIR /src/kratos
+RUN git fetch --tags && git checkout $KRATOS_VERSION
+
+ENV GO111MODULE=on
+# kratos and hydra require CGO if sqlite is used, but we exclusively use postgres
+ENV CGO_ENABLED=0
+
+RUN go mod download
+
+# TODO(ddelnano): Remove once kratos upstream has updated dependencies
+RUN go get github.com/golang-jwt/jwt/v4@v4.5.2
+RUN go get github.com/golang-jwt/jwt/v5@v5.2.2
+RUN go get golang.org/x/crypto@v0.35.0
+RUN go get golang.org/x/oauth2@v0.27.0
+
+ARG BUILD_DATE
+
+RUN go build \
+  -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${KRATOS_VERSION}' -X 'github.com/ory/kratos/driver/config.Date=${BUILD_DATE}' -X 'github.com/ory/kratos/driver/config.Commit=$(git rev-parse HEAD)'" \
+  -o /usr/bin/kratos
+
+FROM gcr.io/distroless/static-debian12:nonroot
+
+COPY --from=build /usr/bin/kratos /usr/bin/kratos
+EXPOSE 4433 4434
+
+ENTRYPOINT ["kratos"]
+CMD ["serve"]
