
Commit 10e3c7d

authored
Merge fd77bf9 into 4877c59
2 parents 4877c59 + fd77bf9 commit 10e3c7d


6 files changed

+46
-38
lines changed


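--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -1,9 +1,10 @@
-FROM golang:1.20-alpine3.17 AS builder
-
-RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash
+FROM golang:1.20 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
-RUN mkdir -p ./internal/httpclient
+
+RUN apt-get update && apt-get upgrade -y &&\
+mkdir -p /var/lib/sqlite &&\
+mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient/
@@ -14,31 +15,19 @@ ENV CGO_ENABLED 1
 RUN go mod download
 
 COPY . .
-
 RUN go build -tags sqlite,json1 -o /usr/bin/hydra
 
-FROM alpine:3.18
+#########################
 
-RUN addgroup -S ory; \
-adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \
-chown -R ory:ory /home/ory
+FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
 
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
 
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
-chown ory:ory /var/lib/sqlite
-
 VOLUME /var/lib/sqlite
 
-# Exposing the ory home directory
-VOLUME /home/ory
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
 
-USER ory
-
 ENTRYPOINT ["hydra"]
-CMD ["serve"]
+CMD ["serve", "all"]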
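Review bot: The runner stage is `base-nossl-debian11`, but the builder is the unsuffixed `golang:1.20`, which does not pin a Debian release; since `ENV CGO_ENABLED 1` links the sqlite build against the builder's glibc, a builder that resolves to a newer Debian than the debian11 runtime can yield a binary that fails at startup with a glibc symbol-version error. Pinning both to the same release, `FROM golang:1.20-bullseye AS builder`, removes that drift. The `RUN apt-get update && apt-get upgrade -y` line in the first hunk (and the identical line in .docker/Dockerfile-hsm) makes the build non-reproducible and is what hadolint DL3005 flags in the cve-scan workflow's Hadolint step; bumping the base-image tag or digest is the usual alternative. The comment explaining why /var/lib/sqlite must be owned by the runtime user (the mounted volume has to be writable for SQLite) was dropped together with the old RUN, so a line such as `# /var/lib/sqlite is created owned by nonroot so the mounted volume is writable for SQLite` above the new `COPY --chown` would keep that intent visible.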
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
FROM gcr.io/distroless/static-debian11:nonroot
2+
3+
COPY hydra /usr/bin/hydra
4+
# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
5+
EXPOSE 4444 4445
6+
7+
ENTRYPOINT ["hydra"]
8+
CMD ["serve", "all"]
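Review bot: `COPY hydra /usr/bin/hydra` drops a pre-built binary into `gcr.io/distroless/static-debian11:nonroot`, which ships no libc, so this image only works when the release build that produces `hydra` is fully static (no cgo, hence no sqlite tag); nothing in this file records that requirement, and a mismatched binary would fail only at container start. A comment above the COPY, `# Requires a statically linked hydra (CGO_ENABLED=0); static-debian11 has no libc`, documents the contract with the release pipeline. The file name of this section is not shown on the page, so which build feeds it is inferred from the `.goreleaser.yml` change below.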

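--- a/.docker/Dockerfile-hsm
+++ b/.docker/Dockerfile-hsm
@@ -1,9 +1,10 @@
-FROM golang:1.20-alpine3.18 AS builder
-
-RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash
+FROM golang:1.20 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
-RUN mkdir -p ./internal/httpclient
+
+RUN apt-get update && apt-get upgrade -y &&\
+mkdir -p /var/lib/sqlite &&\
+mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient
@@ -12,26 +13,36 @@ ENV GO111MODULE on
 ENV CGO_ENABLED 1
 
 RUN go mod download
-
 COPY . .
 
+###############################
+
 FROM builder as build-hydra
 RUN go build -tags sqlite,json1,hsm -o /usr/bin/hydra
 
+###############################
+
 FROM builder as test-hsm
 ENV HSM_ENABLED=true
 ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
 ENV HSM_TOKEN_LABEL=hydra
 ENV HSM_PIN=1234
 
-RUN apk --no-cache --upgrade --latest add softhsm opensc; \
-pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra; \
+RUN apt-get -y install softhsm opensc &&\
+pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL" &&\
 go test -p 1 -v -failfast -short -tags=sqlite,hsm ./...
 
-FROM alpine:3.18
+###############################
+
+FROM gcr.io/distroless/base-nossl-debian11:debug-nonroot AS runner
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
 
-RUN apk --no-cache --upgrade --latest add softhsm opensc; \
-pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra
+RUN apt-get -y install softhsm opensc &&\
+pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
 
 RUN addgroup -S ory; \
 adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \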
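Review bot: `RUN apt-get -y install softhsm opensc` in the new runner stage cannot succeed as written: the stage is based on `gcr.io/distroless/base-nossl-debian11:debug-nonroot`, and distroless images ship no apt or dpkg (the debug tag only adds a busybox shell), on top of running as nonroot. The usual approach is to install softhsm and opensc in a Debian stage and `COPY --from` the library and tool files the runtime needs (with their shared-library dependencies), or to base this test image on a Debian runtime image. The same install in the test-hsm stage has no `apt-get update` in its RUN and therefore relies on whatever package lists the builder's earlier update layer left behind; `RUN apt-get update && apt-get install -y --no-install-recommends softhsm opensc && rm -rf /var/lib/apt/lists/* &&\` keeps the lists fresh and out of the layer. The token PINs now live in the runner's ENV (`ENV HSM_PIN=1234`, SO PIN `0000` on the pkcs11-tool line) and so appear in image metadata; a comment such as `# SoftHSM test token only: these PINs are intentionally public test values` states the intent for anyone scanning the image. The runner stage continues past the end of the hunk (the addgroup/adduser lines).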

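--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -32,7 +32,7 @@ jobs:
 uses: anchore/scan-action@v3
 id: grype-scan
 with:
-image: oryd/hydra:${{ env.SHA_SHORT }}
+image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
 fail-build: true
 severity-cutoff: high
 add-cpes-if-none: true
@@ -52,7 +52,7 @@ jobs:
 uses: aquasecurity/trivy-action@master
 if: ${{ always() }}
 with:
-image-ref: oryd/hydra:${{ env.SHA_SHORT }}
+image-ref: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
 format: "table"
 exit-code: "42"
 ignore-unfixed: true
@@ -63,7 +63,7 @@ jobs:
 uses: erzz/[email protected]
 if: ${{ always() }}
 with:
-image: oryd/hydra:${{ env.SHA_SHORT }}
+image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
 exit-code: 42
 failure-threshold: high
 - name: Hadolint
@@ -80,5 +80,5 @@ jobs:
 shell: bash
 run: |
 echo "::group::Hadolint Scan Details"
-echo "${HADOLINT_RESULTS}" | jq '.'
+echo "${HADOLINT_RESULTS}" | jq '.'
 echo "::endgroup::"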
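Review bot: All three scanners (grype, trivy, and the erzz step) now inspect only `oryd/hydra:${{ env.SHA_SHORT }}-sqlite`, while the `.goreleaser.yml` change in this commit introduces a second image built from `.docker/Dockerfile-distroless-static` next to the alpine one; if those variants are published, they leave this pipeline unscanned. A matrix over the image suffixes, or one scan step per published variant, would keep CVE coverage on every shipped image rather than on the sqlite build alone. Whether the alpine and static images are actually pushed is not visible here, so treat this as something to confirm against the release job.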

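--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -8,6 +8,6 @@ variables:
 buildinfo_hash: "github.com/ory/hydra/v2/driver/config.Commit"
 buildinfo_tag: "github.com/ory/hydra/v2/driver/config.Version"
 buildinfo_date: "github.com/ory/hydra/v2/driver/config.Date"
-dockerfile: ".docker/Dockerfile-alpine"
-
+dockerfile_alpine: ".docker/Dockerfile-alpine"
+dockerfile_static: ".docker/Dockerfile-distroless-static"
 project_name: hydra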

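--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ SHELL=/bin/bash -o pipefail
 export GO111MODULE := on
 export PATH := .bin:${PATH}
 export PWD := $(shell pwd)
-export IMAGE_TAG := $(if $(IMAGE_TAG),$(IMAGE_TAG),latest-sqlite)
+export IMAGE_TAG := $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 
 GOLANGCI_LINT_VERSION = 1.53.2
 
@@ -71,7 +71,7 @@ test-resetdb: node_modules
 # Build local docker images
 .PHONY: docker
 docker:
-DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG} .
+DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG}-sqlite .
 
 .PHONY: e2e
 e2e: node_modules test-resetdb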
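Review bot: The `docker` target now appends `-sqlite` unconditionally, so anyone still passing the previous default explicitly (`IMAGE_TAG=latest-sqlite`) ends up with `oryd/hydra:latest-sqlite-sqlite`. A short comment above the target, `# Builds the sqlite variant; the image is tagged ${IMAGE_TAG}-sqlite, so pass IMAGE_TAG without a suffix`, makes the new convention explicit. This matches the `-sqlite` tag the cve-scan workflow in this commit expects.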
