Build multi arch hydra images with patched vulns

ddelnano · ddelnano · commit 9f221c115fa7 · 2025-07-24T21:41:06.000Z
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/k8s/cloud/base/ory_auth/hydra/hydra_deployment.yaml b/k8s/cloud/base/ory_auth/hydra/hydra_deployment.yaml
@@ -63,7 +63,7 @@ spec:
           # yamllint disable-line rule:line-length
           value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
         imagePullPolicy: IfNotPresent
-        image: docker.io/ddelnano/hydra:v2.3.0-go1.23@sha256:9382a850d54ff48f1f6b3bfa277a2ec430285bcaf500d09ee7ea7a7cca18e246
+        image: ghcr.io/pixie-io/hydra:2.3.0-scratch@sha256:460d7738ec473cd5d74a725221cc629eb03b76f68593194496700c2d43e05b70
         volumeMounts:
         - mountPath: /etc/config/hydra
           name: config
@@ -79,7 +79,7 @@ spec:
       containers:
       - name: server
         imagePullPolicy: IfNotPresent
-        image: docker.io/ddelnano/hydra:v2.3.0-go1.23@sha256:9382a850d54ff48f1f6b3bfa277a2ec430285bcaf500d09ee7ea7a7cca18e246
+        image: ghcr.io/pixie-io/hydra:2.3.0-scratch@sha256:460d7738ec473cd5d74a725221cc629eb03b76f68593194496700c2d43e05b70
         args:
         - serve
         - -c
diff --git a/tools/docker/Makefile b/tools/docker/Makefile
@@ -122,6 +122,8 @@ nats_image_tag := "ghcr.io/pixie-io/nats:$(NATS_IMAGE_VERSION)-scratch"
 ## Ory image parameters.
 KRATOS_IMAGE_VERSION := 1.3.1
 kratos_image_tag := "ghcr.io/pixie-io/kratos:$(KRATOS_IMAGE_VERSION)-scratch"
+HYDRA_IMAGE_VERSION := 2.3.0
+hydra_image_tag := "ghcr.io/pixie-io/hydra:$(HYDRA_IMAGE_VERSION)-scratch"
 
 ## Copybara image parameters.
 COPYBARA_IMAGE_VERSION := 20210420
@@ -289,6 +291,15 @@ build_and_upload_kratos_image:
 		-t $(kratos_image_tag) \
 		--push
 
+.PHONY: build_and_upload_hydra_image
+build_and_upload_hydra_image:
+	$(DOCKER) buildx build hydra_image \
+		--platform linux/amd64,linux/arm64 \
+		--build-arg=HYDRA_VERSION="v$(HYDRA_IMAGE_VERSION)" \
+		--build-arg=BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \
+		-t $(hydra_image_tag) \
+		--push
+
 .PHONY: build_and_upload_copybara_image
 build_and_upload_copybara_image:
 	$(DOCKER) build copybara -t $(copybara_image_tag)
diff --git a/tools/docker/hydra_image/Dockerfile b/tools/docker/hydra_image/Dockerfile
@@ -0,0 +1,37 @@
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine@sha256:9fadeb603e14f1f3e08bdbec6681fa14446053c498a554f3e57260bf892c487e AS build
+
+ARG TARGETOS TARGETARCH
+ARG HYDRA_VERSION
+
+ARG GOOS=$TARGETOS
+ARG GOARCH=$TARGETARCH
+
+WORKDIR /src
+
+RUN apk update
+RUN apk add git
+
+RUN git clone --depth 1 https://github.com/ory/hydra.git
+WORKDIR /src/hydra
+RUN git fetch --tags && git checkout $HYDRA_VERSION
+
+ENV GO111MODULE=on
+# kratos and hydra require CGO if sqlite is used, but we exclusively use postgres
+ENV CGO_ENABLED=0
+
+RUN go mod download
+
+# TODO(ddelnano): Remove once hydra upstream has updated dependencies
+RUN go get github.com/golang-jwt/jwt/v5@v5.2.2
+RUN go get golang.org/x/oauth2@v0.27.0
+
+RUN go build -ldflags="-extldflags=-static" -tags sqlite_omit_load_extension -o /usr/bin/hydra
+
+FROM gcr.io/distroless/static-debian12:nonroot@sha256:627d6c5a23ad24e6bdff827f16c7b60e0289029b0c79e9f7ccd54ae3279fb45f
+
+COPY --from=build /usr/bin/hydra /usr/bin/hydra
+
+EXPOSE 4444 4445
+
+ENTRYPOINT ["hydra"]
+CMD ["serve", "all"]
