Build hardened docker image for cloud-service-broker

Related to cloud-gov/product#2943
cloud-gov · Mar 6, 2024 · b7b91fa · b7b91fa
1 parent 91781a6
commit b7b91fa
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/ci/container/external/cloud-service-broker/vars.yml b/ci/container/external/cloud-service-broker/vars.yml
@@ -0,0 +1,8 @@
+base-image: ubuntu-hardened
+base-image-tag: "latest"
+image-repository: cloud-service-broker
+oci-build-params: {}
+src-repo: cloudfoundry/cloud-service-broker
+common-pipelines-trigger: false
+dockerfile-path: ["container/dockerfiles/cloud-service-broker/Dockerfile"]
+dockerfile-trigger: false
diff --git a/ci/container/pipeline.yml b/ci/container/pipeline.yml
@@ -40,6 +40,7 @@ jobs:
       - var: name # repo, pipeline, and image name; all the same.
         values:
           - cf-cli-resource
+          - cloud-service-broker
           - email-resource
           - git-resource
           - registry-image-resource

diff --git a/container/dockerfiles/cloud-service-broker/Dockerfile b/container/dockerfiles/cloud-service-broker/Dockerfile
@@ -0,0 +1,24 @@
+# Adapted from https://github.com/cloudfoundry/cloud-service-broker/blob/main/Dockerfile
+FROM golang:1.22 AS build
+WORKDIR /app
+ADD . /app
+
+ARG CSB_VERSION=0.0.0
+RUN GOOS=linux go build -o ./build/cloud-service-broker -ldflags "-X github.com/cloudfoundry/cloud-service-broker/utils.Version=$CSB_VERSION"
+
+# Dockerfile using our hardened base image
+ARG base_image
+
+FROM ${base_image}
+
+COPY --from=build /app/build/cloud-service-broker /bin/cloud-service-broker
+
+ADD https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
+ENV PORT 8080
+EXPOSE 8080/tcp
+
+WORKDIR /bin
+ENTRYPOINT ["/bin/cloud-service-broker"]
+CMD ["help"]