deployment: add nonroot release docker images (#2997)

2025-04-29 10:26:29 +02:00 · 2022-02-03 15:54:39 -05:00 · 2022-02-03 15:54:39 -05:00 · ec03a9ffcb
commit ec03a9ffcb
parent 3150479f07
4 changed files with 63 additions and 1 deletions
--- a/.github/Dockerfile-release-nonroot
+++ b/.github/Dockerfile-release-nonroot
@ -0,0 +1,18 @@
+# build our own root trust store from current stable
+FROM debian:stable as casource
+RUN apt-get update && apt-get install -y ca-certificates
+# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
+RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
+
+
+FROM busybox:latest as build
+RUN touch /config.yaml
+
+FROM gcr.io/distroless/base-debian10:nonroot-${TARGETARCH:-amd64}
+ENV AUTOCERT_DIR /data/autocert
+WORKDIR /pomerium
+COPY pomerium* /bin/
+COPY --from=build /config.yaml /pomerium/config.yaml
+COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT [ "/bin/pomerium" ]
+CMD ["-config","/pomerium/config.yaml"]
--- a/.github/goreleaser.yaml
+++ b/.github/goreleaser.yaml
@ -77,6 +77,21 @@ dockers:
      - "--label=repository=http://github.com/pomerium/pomerium"
      - "--label=homepage=http://www.pomerium.io"

+  - image_templates:
+      - "pomerium/pomerium:nonroot-amd64-{{ .Tag }}"
+    dockerfile: .github/Dockerfile-release-nonroot
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.name={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source={{.GitURL}}"
+      - "--label=repository=http://github.com/pomerium/pomerium"
+      - "--label=homepage=http://www.pomerium.io"
+
  - image_templates:
      - "gcr.io/pomerium-io/pomerium:{{ .Tag }}-cloudrun"
    dockerfile: .github/Dockerfile-cloudrun
@ -107,12 +122,33 @@ dockers:
      - "--label=repository=http://github.com/pomerium/pomerium"
      - "--label=homepage=http://www.pomerium.io"

+  - goarch: arm64
+    image_templates:
+      - "pomerium/pomerium:nonroot-arm64v8-{{ .Tag }}"
+    dockerfile: .github/Dockerfile-release-nonroot
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.name={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source={{.GitURL}}"
+      - "--label=repository=http://github.com/pomerium/pomerium"
+      - "--label=homepage=http://www.pomerium.io"
+
 docker_manifests:
  - name_template: "pomerium/pomerium:{{ .Tag }}"
    image_templates:
      - pomerium/pomerium:arm64v8-{{ .Tag }}
      - pomerium/pomerium:amd64-{{ .Tag }}

+  - name_template: "pomerium/pomerium:nonroot-{{ .Tag }}"
+    image_templates:
+      - pomerium/pomerium:nonroot-arm64v8-{{ .Tag }}
+      - pomerium/pomerium:nonroot-amd64-{{ .Tag }}
+
 brews:
  - # Name template of the recipe
    name: pomerium
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -91,6 +91,9 @@ jobs:
          docker tag gcr.io/pomerium-io/pomerium:${{ steps.tagName.outputs.tag }}-cloudrun gcr.io/pomerium-io/pomerium:latest-cloudrun
          docker push gcr.io/pomerium-io/pomerium:latest-cloudrun

+          docker manifest create -a pomerium/pomerium:nonroot pomerium/pomerium:nonroot-amd64-${{ steps.tagName.outputs.tag }} pomerium/pomerium:nonroot-arm64v8-${{ steps.tagName.outputs.tag }}
+          docker manifest push pomerium/pomerium:nonroot
+
  deploy:
    runs-on: ubuntu-latest
    needs: goreleaser
--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@ -86,6 +86,11 @@ Pomerium utilizes a [minimal](https://github.com/GoogleContainerTools/distroless
  docker pull pomerium/pomerium:master
  ```

+Rootless images for official releases are also published to provide additional security. In these images, Pomerium runs as the `nonroot` user. Depending on your deployment environment, you may need to grant the container additional [capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/) or change the listening port from `443`.
+
+- `:nonroot-vX.Y.Z`: the rootless image for a specific release
+- `:nonroot`: rootless equivalent to the `latest` tag
+
 ### Helm

 Pomerium maintains a [helm](https://helm.sh) chart for easy Kubernetes deployment with best practices <https://helm.pomerium.io/>