-
Notifications
You must be signed in to change notification settings - Fork 123
/
Copy pathDockerfile.ubi
84 lines (68 loc) · 2.6 KB
/
Dockerfile.ubi
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# Ruby builder
FROM cyberark/ubi-ruby-builder:latest as builder
ENV CONJUR_HOME=/opt/conjur-server
WORKDIR ${CONJUR_HOME}
COPY Gemfile Gemfile.lock ./
COPY ./gems/ ./gems/
RUN bundle config set --local without 'test development' && \
bundle config set --local deployment true && \
bundle config set --local path vendor/bundle && \
bundle config --local jobs "$(nproc --all)" && \
bundle install && \
# removing CA bundle of httpclient gem
find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
# remove the private key in the oidc_connect gem spec directory
find / -name 'openid_connect-*' -type d -exec find {} -name '*.pem' -type f -delete \;
# Conjur Base Image (UBI)
FROM cyberark/ubi-ruby-fips:latest
ARG VERSION
LABEL name="conjur-ubi" \
vendor="CyberArk" \
version="$VERSION" \
release="$VERSION" \
summary="Conjur UBI-based image" \
description="Conjur provides secrets management and machine identity for modern infrastructure."
ENV PORT=8080 \
LOG_DIR=${CONJUR_HOME}/log \
TMP_DIR=${CONJUR_HOME}/tmp \
SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl \
RAILS_ENV=production \
CONJUR_HOME=/opt/conjur-server
ENV PATH="${PATH}:${CONJUR_HOME}/bin"
# Create conjur user with one that has known gid / uid.
RUN groupadd -r conjur \
-g 777 && \
useradd -c "conjur runner account" \
-g conjur \
-d "$HOME" \
-r \
-m \
-s /bin/bash \
-u 777 conjur
WORKDIR ${CONJUR_HOME}
# Ensure few required GID0-owned folders to run as a random UID (OpenShift requirement)
RUN mkdir -p "$TMP_DIR" \
"$LOG_DIR" \
"$SSL_CERT_DIRECTORY/ca" \
"$SSL_CERT_DIRECTORY/cert" \
/run/authn-local && \
# Use GID of 0 since that is what OpenShift will want to be able to read things
chown -R conjur:0 "$LOG_DIR" \
"$TMP_DIR" \
"$SSL_CERT_DIRECTORY" \
"$CONJUR_HOME" \
/run/authn-local && \
# We need open group permissions in these directories since OpenShift won't
# match our UID when we try to write files to them
chmod -R 770 "$LOG_DIR" \
"$TMP_DIR" \
"$SSL_CERT_DIRECTORY" \
"$CONJUR_HOME" \
/run/authn-local
COPY --chown=conjur:0 . .
COPY --from=builder --chown=conjur:0 ${CONJUR_HOME} ${CONJUR_HOME}
EXPOSE ${PORT}
COPY LICENSE.md /licenses/
USER conjur
ENTRYPOINT ["conjurctl"]