# Builder stage: a full UBI 9 image, pinned by digest, used only to assemble a
# minimal root filesystem under /image.
FROM registry.access.redhat.com/ubi9/ubi@sha256:fd3612ebe7968002122fb8c41df2cf9bd3f9916c573f7248113cdec1d6f4c245 AS minimal-ubi

# Add metadata. These labels are attached to this builder stage only; a stage
# that starts FROM scratch does not inherit them.
LABEL maintainer="cncf-externalsecretsop-maintainers@lists.cncf.io" \
      description="External Secrets Operator is a Kubernetes operator that integrates external secret management systems"

# Automatic platform arguments; no instruction in this stage references them.
ARG TARGETOS
ARG TARGETARCH

# Update the builder's own packages. This pulls whatever the repositories
# serve at build time, so the builder contents are not fully determined by
# the digest pinned in FROM.
RUN dnf update -y --allowerasing

# Prep the target rootfs for the scratch container: top-level bin, sbin,
# lib64 and lib are relative symlinks into usr/, followed by the skeleton
# directories. The directory list is spelled out instead of relying on shell
# brace expansion.
WORKDIR /
RUN mkdir /image \
    && ln -s usr/bin /image/bin \
    && ln -s usr/sbin /image/sbin \
    && ln -s usr/lib64 /image/lib64 \
    && ln -s usr/lib /image/lib \
    && mkdir -p \
        /image/usr/bin \
        /image/usr/lib64 \
        /image/usr/lib \
        /image/root \
        /image/home \
        /image/proc \
        /image/etc \
        /image/sys \
        /image/var \
        /image/dev

# Install required packages directly into the /image root - more robust under
# QEMU emulation. Package versions are not pinned, so they are resolved from
# the repositories at build time. Only the dnf cache and logs are removed
# afterwards; the rpm database created by --initdb is left in place.
# NOTE(review): confirm the repo configuration used with --installroot
# enforces package signature checks (gpgcheck) - not visible from this file.
RUN rpm --root /image --initdb \
    && dnf install -y \
        --installroot=/image \
        --releasever=9 \
        --setopt=install_weak_deps=false \
        --nodocs \
        ca-certificates \
        glibc \
        tzdata \
    && dnf clean all --installroot=/image \
    && rm -rf /image/var/cache/dnf /image/var/log/*
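# Final stage: an empty base populated only with the rootfs assembled in the
# minimal-ubi stage plus the operator binary.
FROM scratch

# Image metadata. A FROM scratch stage inherits no labels from earlier stages,
# so they are declared here to be present on the shipped image.
LABEL maintainer="cncf-externalsecretsop-maintainers@lists.cncf.io" \
      description="External Secrets Operator is a Kubernetes operator that integrates external secret management systems"

# Copy all required files + rpm database so the image is scannable
COPY --from=minimal-ubi /image/ /

# Automatic platform arguments select the matching prebuilt binary.
ARG TARGETOS
ARG TARGETARCH

# The binary is built outside this Dockerfile and taken from the build
# context. Without --chown, COPY writes it owned by root regardless of USER.
COPY bin/external-secrets-${TARGETOS}-${TARGETARCH} /bin/external-secrets

# Run as an unprivileged numeric UID with an explicit GID. With only a UID,
# the primary group is looked up in the image's /etc/passwd, and Docker falls
# back to the root group when none is found; naming the GID removes that
# dependency on the copied rootfs.
USER 65534:65534

ENTRYPOINT ["/bin/external-secrets"]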