From c18f7d89ae8375320c2d09a8a77e9bb64f1e5760 Mon Sep 17 00:00:00 2001
From: Bobby DeSimone
Date: Thu, 2 May 2019 19:02:46 -0700
Subject: [PATCH] deployment: use distroless builds (#101)

Replaces the current alpine based Dockerfile with distroless. Improvements include:
- Minimal surface area, ideal for static builds like pomerium.
- Includes `ca-certificates`
- Includes`nsswitch`
Closes #97 .
---
 Dockerfile | 19 +++++++------------
 Makefile | 2 +-
 2 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a87676b02..a2907eb06 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,15 @@
-FROM golang:alpine as build
-RUN apk --update --no-cache add ca-certificates git make
+FROM golang:latest as build
+WORKDIR /go/src/github.com/pomerium/pomerium
 ENV CGO_ENABLED=0
 ENV GO111MODULE=on
-
-WORKDIR /go/src/github.com/pomerium/pomerium
-
-COPY go.mod .
-COPY go.sum .
+# cache depedency downloads
+COPY go.mod go.sum ./
 RUN go mod download
-
 COPY . .
+# build
+RUN make build
 
-RUN make
-
-FROM scratch
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+FROM gcr.io/distroless/static
 WORKDIR /pomerium
 COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
 CMD ["/bin/pomerium"]
diff --git a/Makefile b/Makefile
index f581e9203..b3455f8e7 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ CTIMEVAR=-X $(PKG)/internal/version.GitCommit=$(GITCOMMIT) \
 -X $(PKG)/internal/version.BuildMeta=$(BUILDMETA) \
 -X $(PKG)/internal/version.ProjectName=$(NAME) \
 -X $(PKG)/internal/version.ProjectURL=$(PKG)
-GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)"
+GO_LDFLAGS=-ldflags "-s -w $(CTIMEVAR)"
 GOOSARCHES = linux/amd64 darwin/amd64 windows/amd64
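Review bot: Both `FROM` lines in the new Dockerfile are unpinned: `golang:latest` for the build stage and an untagged `gcr.io/distroless/static` (implicitly `latest`) for the runtime stage, so two builds of the same commit can produce different images and a changed upstream image is pulled in without review. Pin each to a version tag and, for release builds, a digest, e.g. `FROM gcr.io/distroless/static@sha256:<digest>`. The runtime stage also sets no `USER`, so the container presumably starts as root unless the deployment overrides it. Distroless publishes a `nonroot` variant (`FROM gcr.io/distroless/static:nonroot`) that would fit if pomerium does not need to bind privileged ports inside the container.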