Merge fd77bf9 into 4877c59

.docker/Dockerfile-build

@@ -1,9 +1,10 @@
-FROM golang:1.20-alpine3.17 AS builder
-
-RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash
+FROM golang:1.20 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
-RUN mkdir -p ./internal/httpclient
+
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
+    mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient/
@@ -14,31 +15,19 @@ ENV CGO_ENABLED 1
 RUN go mod download
 
 COPY . .
-
 RUN go build -tags sqlite,json1 -o /usr/bin/hydra
 
-FROM alpine:3.18
+#########################
 
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
-    chown -R ory:ory /home/ory
+FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
 
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
 
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
-    chown ory:ory /var/lib/sqlite
-
 VOLUME /var/lib/sqlite
 
-# Exposing the ory home directory
-VOLUME /home/ory
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
 
-USER ory
-
 ENTRYPOINT ["hydra"]
-CMD ["serve"]
+CMD ["serve", "all"]

.docker/Dockerfile-distroless-static

@@ -0,0 +1,8 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY hydra /usr/bin/hydra
+# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
+EXPOSE 4444 4445
+
+ENTRYPOINT ["hydra"]
+CMD ["serve", "all"]

.docker/Dockerfile-hsm

@@ -1,9 +1,10 @@
-FROM golang:1.20-alpine3.18 AS builder
-
-RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash
+FROM golang:1.20 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
-RUN mkdir -p ./internal/httpclient
+
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
+    mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient
@@ -12,26 +13,36 @@ ENV GO111MODULE on
 ENV CGO_ENABLED 1
 
 RUN go mod download
-
 COPY . .
 
+###############################
+
 FROM builder as build-hydra
 RUN go build -tags sqlite,json1,hsm -o /usr/bin/hydra
 
+###############################
+
 FROM builder as test-hsm
 ENV HSM_ENABLED=true
 ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
 ENV HSM_TOKEN_LABEL=hydra
 ENV HSM_PIN=1234
 
-RUN apk --no-cache --upgrade --latest add softhsm opensc; \
-    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra; \
+RUN apt-get -y install softhsm opensc &&\
+    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL" &&\
     go test -p 1 -v -failfast -short -tags=sqlite,hsm ./...
 
-FROM alpine:3.18
+###############################
+
+FROM gcr.io/distroless/base-nossl-debian11:debug-nonroot AS runner
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
 
-RUN apk --no-cache --upgrade --latest add softhsm opensc; \
-    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra
+RUN apt-get -y install softhsm opensc &&\
+    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \

.github/workflows/cve-scan.yaml

@@ -32,7 +32,7 @@ jobs:
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/hydra:${{ env.SHA_SHORT }}
+          image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
           fail-build: true
           severity-cutoff: high
           add-cpes-if-none: true
@@ -52,7 +52,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/hydra:${{ env.SHA_SHORT }}
+          image-ref: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
@@ -63,7 +63,7 @@ jobs:
         uses: erzz/dockle-action@v1.3.2
         if: ${{ always() }}
         with:
-          image: oryd/hydra:${{ env.SHA_SHORT }}
+          image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
           exit-code: 42
           failure-threshold: high
       - name: Hadolint
@@ -80,5 +80,5 @@ jobs:
         shell: bash
         run: |
           echo "::group::Hadolint Scan Details"
-          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "${HADOLINT_RESULTS}" | jq '.'
           echo "::endgroup::"

.goreleaser.yml

@@ -8,6 +8,6 @@ variables:
   buildinfo_hash: "github.com/ory/hydra/v2/driver/config.Commit"
   buildinfo_tag: "github.com/ory/hydra/v2/driver/config.Version"
   buildinfo_date: "github.com/ory/hydra/v2/driver/config.Date"
-  dockerfile: ".docker/Dockerfile-alpine"
-
+  dockerfile_alpine: ".docker/Dockerfile-alpine"
+  dockerfile_static: ".docker/Dockerfile-distroless-static"
 project_name: hydra

Makefile

@@ -3,7 +3,7 @@ SHELL=/bin/bash -o pipefail
 export GO111MODULE 		:= on
 export PATH 					:= .bin:${PATH}
 export PWD 						:= $(shell pwd)
-export IMAGE_TAG 			:= $(if $(IMAGE_TAG),$(IMAGE_TAG),latest-sqlite)
+export IMAGE_TAG 			:= $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 
 GOLANGCI_LINT_VERSION = 1.53.2
 
@@ -71,7 +71,7 @@ test-resetdb: node_modules
 # Build local docker images
 .PHONY: docker
 docker:
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG} .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG}-sqlite .
 
 .PHONY: e2e
 e2e: node_modules test-resetdb