From 1e65662c92b107290466c20de38bbdc0571b596a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?=
Date: Wed, 28 Jun 2023 10:21:13 +0200
Subject: [PATCH] feat: add distroless and static images (#3350)

---
 .docker/Dockerfile-alpine | 2 +-
 .docker/Dockerfile-build | 26 ++++++++------------------
 .docker/Dockerfile-distroless-static | 7 +++++++
 .goreleaser.yml | 3 ++-
 4 files changed, 18 insertions(+), 20 deletions(-)
 create mode 100644 .docker/Dockerfile-distroless-static

diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index deba158a833e..29a9663d2b5a 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.16
+FROM alpine:3.18
 # Because this image supports SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
 # and declare /home/ory/sqlite a volume.
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index 7b4fc93e8b7b..c75aed17db64 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -1,7 +1,9 @@
 # syntax = docker/dockerfile:1-experimental
-FROM golang:1.19-alpine3.18 AS base
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.19-bullseye AS builder
-RUN apk --update upgrade && apk --no-cache --update-cache --upgrade --latest add ca-certificates build-base gcc
+RUN apt-get update && apt-get upgrade -y &&\
+ mkdir -p /var/lib/sqlite
 WORKDIR /go/src/github.com/ory/kratos
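Review bot: The new `RUN apt-get update && apt-get upgrade -y` in the builder stage is an unpinned blanket upgrade, so two builds of the same commit can produce different toolchain layers (hadolint DL3005), and the apt lists are left behind in the layer. The stage is discarded so size matters little, but reproducibility does; prefer bumping the `golang:1.19-bullseye` tag (or pinning it by digest, `golang:1.19-bullseye@sha256:<digest>`) and, if the upgrade is kept, appending `&& rm -rf /var/lib/apt/lists/*`. The `mkdir -p /var/lib/sqlite` also deserves a why-comment, since its only purpose is to give the later `COPY --from=builder --chown` something to copy: `# created here so the distroless runner stage (no shell) can COPY it with --chown`. The builder stage continues past the end of this hunk.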
@@ -26,28 +28,16 @@ RUN --mount=type=cache,target=/root/.cache/go-build go build -tags sqlite \
 -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${VERSION}' -X 'github.com/ory/kratos/driver/config.Date=${BUILD_DATE}' -X 'github.com/ory/kratos/driver/config.Commit=${COMMIT}'" \
 -o /usr/bin/kratos
-FROM alpine:3.18
+#########################
+FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -u 10000 -h /home/ory -s /bin/nologin; \
- chown -R ory:ory /home/ory
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
+COPY --from=builder --chown=nonroot:nonroot /usr/bin/kratos /usr/bin/kratos
-COPY --from=base /usr/bin/kratos /usr/bin/kratos
-
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite
-RUN chown ory:ory /var/lib/sqlite
 VOLUME /var/lib/sqlite
-# Exposing the ory home directory to simplify passing in Kratos configuration (e.g. if the file $HOME/.kratos.yaml
-# exists, it will be automatically used as the configuration file).
-VOLUME /home/ory
-
 # Declare the standard ports used by Kratos (4433 for public service endpoint, 4434 for admin service endpoint)
 EXPOSE 4433 4434
-USER 10000
-
 ENTRYPOINT ["kratos"]
 CMD ["serve"]
diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
new file mode 100644
index 000000000000..48cd03a868cc
--- /dev/null
+++ b/.docker/Dockerfile-distroless-static
@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY kratos /usr/bin/kratos
+EXPOSE 4433 4434
+
+ENTRYPOINT ["kratos"]
+CMD ["serve"]
diff --git a/.goreleaser.yml b/.goreleaser.yml
index cbf5ef33d13c..b45adb94eceb 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
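Review bot: `FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner` uses a floating tag, so the runtime image's contents change whenever upstream republishes `nonroot`; pin it by digest, `FROM gcr.io/distroless/base-nossl-debian11:nonroot@sha256:<digest> AS runner`, and the same applies to `FROM gcr.io/distroless/static-debian11:nonroot` in the new `.docker/Dockerfile-distroless-static`. Dropping `USER 10000` means the process now runs as the base image's `nonroot` user (UID 65532 in distroless, as far as I know) rather than UID 10000, and the `/home/ory` volume and its `$HOME/.kratos.yaml` discovery note are gone; deployments that set `runAsUser: 10000`, chown SQLite volumes to 10000, or mount config into `/home/ory` will break, which should be called out in the release notes. The `COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite` line is non-obvious and deserves a comment such as `# copy the (empty) dir from the builder: distroless has no shell for mkdir/chown, and the volume must be writable by nonroot`.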
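Review bot: The new `.docker/Dockerfile-distroless-static` has no comment explaining where `kratos` comes from or how it differs from `Dockerfile-build`: `COPY kratos /usr/bin/kratos` takes a prebuilt binary from the build context (presumably the goreleaser artifact, given the `dockerfile_static` variable added to `.goreleaser.yml`), and no `VOLUME /var/lib/sqlite` is declared. A header such as `# Runtime-only image: expects a statically linked kratos binary in the build context (goreleaser); no SQLite volume because the static build is assumed not to include the sqlite tag` would make that explicit — confirm the static binary really excludes SQLite before stating it. Consider `COPY --chmod=0755 kratos /usr/bin/kratos` so the executable bit does not depend on the file mode in the build context.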
@@ -8,7 +8,8 @@ variables:
 buildinfo_hash: "github.com/ory/kratos/driver/config.Commit"
 buildinfo_tag: "github.com/ory/kratos/driver/config.Version"
 buildinfo_date: "github.com/ory/kratos/driver/config.Date"
- dockerfile: ".docker/Dockerfile-alpine"
+ dockerfile_alpine: ".docker/Dockerfile-alpine"
+ dockerfile_static: ".docker/Dockerfile-distroless-static"
 project_name: kratos
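Review bot: Renaming `dockerfile` to `dockerfile_alpine` silently breaks any template still reading `{{ .Var.dockerfile }}`, and nothing else in this patch's diffstat touches a `dockers:` stanza, so the consumers must live in this file outside the hunk or in an included config; verify that both `dockerfile_alpine` and `dockerfile_static` are actually referenced, since goreleaser does not, as far as I know, fail on an unused or missing variable. If the `dockers:` entries are in an included file, a one-line comment above the variables, `# consumed by the dockers: stanza in <included config>`, would save the next reader the search.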