3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

deployment: add nonroot release docker images (#2997)

Browse source
This commit is contained in:
Travis Groth 2022-02-03 15:54:39 -05:00 committed by GitHub
parent 3150479f07
commit ec03a9ffcb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 63 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
.github/Dockerfile-release-nonroot vendored Normal file
View file

@ -0,0 +1,18 @@
# build our own root trust store from current stable
FROM debian:stable as casource
RUN apt-get update && apt-get install -y ca-certificates
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
FROM busybox:latest as build
RUN touch /config.yaml
FROM gcr.io/distroless/base-debian10:nonroot-${TARGETARCH:-amd64}
ENV AUTOCERT_DIR /data/autocert
WORKDIR /pomerium
COPY pomerium* /bin/
COPY --from=build /config.yaml /pomerium/config.yaml
COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ENTRYPOINT [ "/bin/pomerium" ]
CMD ["-config","/pomerium/config.yaml"]

36
.github/goreleaser.yaml vendored
View file

@ -77,6 +77,21 @@ dockers:
- "--label=repository=http://github.com/pomerium/pomerium" - "--label=repository=http://github.com/pomerium/pomerium"
- "--label=homepage=http://www.pomerium.io" - "--label=homepage=http://www.pomerium.io"
- image_templates:
- "pomerium/pomerium:nonroot-amd64-{{ .Tag }}"
dockerfile: .github/Dockerfile-release-nonroot
use: buildx
build_flag_templates:
- "--pull"
- "--platform=linux/amd64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.name={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--label=org.opencontainers.image.source={{.GitURL}}"
- "--label=repository=http://github.com/pomerium/pomerium"
- "--label=homepage=http://www.pomerium.io"
- image_templates: - image_templates:
- "gcr.io/pomerium-io/pomerium:{{ .Tag }}-cloudrun" - "gcr.io/pomerium-io/pomerium:{{ .Tag }}-cloudrun"
dockerfile: .github/Dockerfile-cloudrun dockerfile: .github/Dockerfile-cloudrun
@ -107,12 +122,33 @@ dockers:
- "--label=repository=http://github.com/pomerium/pomerium" - "--label=repository=http://github.com/pomerium/pomerium"
- "--label=homepage=http://www.pomerium.io" - "--label=homepage=http://www.pomerium.io"
- goarch: arm64
image_templates:
- "pomerium/pomerium:nonroot-arm64v8-{{ .Tag }}"
dockerfile: .github/Dockerfile-release-nonroot
use: buildx
build_flag_templates:
- "--pull"
- "--platform=linux/arm64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.name={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--label=org.opencontainers.image.source={{.GitURL}}"
- "--label=repository=http://github.com/pomerium/pomerium"
- "--label=homepage=http://www.pomerium.io"
docker_manifests: docker_manifests:
- name_template: "pomerium/pomerium:{{ .Tag }}" - name_template: "pomerium/pomerium:{{ .Tag }}"
image_templates: image_templates:
- pomerium/pomerium:arm64v8-{{ .Tag }} - pomerium/pomerium:arm64v8-{{ .Tag }}
- pomerium/pomerium:amd64-{{ .Tag }} - pomerium/pomerium:amd64-{{ .Tag }}
- name_template: "pomerium/pomerium:nonroot-{{ .Tag }}"
image_templates:
- pomerium/pomerium:nonroot-arm64v8-{{ .Tag }}
- pomerium/pomerium:nonroot-amd64-{{ .Tag }}
brews: brews:
- # Name template of the recipe - # Name template of the recipe
name: pomerium name: pomerium

3
.github/workflows/release.yaml vendored
View file

@ -91,6 +91,9 @@ jobs:
docker tag gcr.io/pomerium-io/pomerium:${{ steps.tagName.outputs.tag }}-cloudrun gcr.io/pomerium-io/pomerium:latest-cloudrun docker tag gcr.io/pomerium-io/pomerium:${{ steps.tagName.outputs.tag }}-cloudrun gcr.io/pomerium-io/pomerium:latest-cloudrun
docker push gcr.io/pomerium-io/pomerium:latest-cloudrun docker push gcr.io/pomerium-io/pomerium:latest-cloudrun
docker manifest create -a pomerium/pomerium:nonroot pomerium/pomerium:nonroot-amd64-${{ steps.tagName.outputs.tag }} pomerium/pomerium:nonroot-arm64v8-${{ steps.tagName.outputs.tag }}
docker manifest push pomerium/pomerium:nonroot
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: goreleaser needs: goreleaser

5
docs/docs/releases.md
View file

@ -86,6 +86,11 @@ Pomerium utilizes a [minimal](https://github.com/GoogleContainerTools/distroless
docker pull pomerium/pomerium:master docker pull pomerium/pomerium:master
``` ```
Rootless images for official releases are also published to provide additional security. In these images, Pomerium runs as the `nonroot` user. Depending on your deployment environment, you may need to grant the container additional [capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/) or change the listening port from `443`.
- `:nonroot-vX.Y.Z`: the rootless image for a specific release
- `:nonroot`: rootless equivalent to the `latest` tag
### Helm ### Helm
Pomerium maintains a [helm](https://helm.sh) chart for easy Kubernetes deployment with best practices <https://helm.pomerium.io/> Pomerium maintains a [helm](https://helm.sh) chart for easy Kubernetes deployment with best practices <https://helm.pomerium.io/>