Add helm nonroot user

Signed-off-by: Tamal Saha <[email protected]>
appscodelabs · Jan 26, 2024 · 983f455 · 983f455
1 parent 0af4daf
commit 983f455
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -48,4 +48,7 @@ jobs:
           USERNAME: 1gtm
         run: |
           docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN}
+          cd root
+          make release RELEASE=${{ matrix.helm }}
+          cd ../nonroot
           make release RELEASE=${{ matrix.helm }}
diff --git a/nonroot/Dockerfile b/nonroot/Dockerfile
@@ -0,0 +1,33 @@
+FROM alpine
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG VERSION
+
+RUN set -x \
+	&& apk add --update ca-certificates curl zip
+
+RUN set -x \
+	&& curl -LO https://github.com/moparisthebest/static-curl/archive/refs/heads/master.zip \
+	&& unzip master.zip \
+	&& cd static-curl-master \
+	&& ARCH=${TARGETARCH} ./build.sh
+
+RUN set -x \
+	&& curl -fsSL https://get.helm.sh/helm-$VERSION-${TARGETOS}-${TARGETARCH}.tar.gz | tar -zxv
+
+
+
+FROM busybox
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG VERSION
+
+LABEL org.opencontainers.image.source https://github.com/appscodelabs/helm-docker
+
+COPY --from=0 /tmp/release/curl-$TARGETARCH /usr/bin/curl
+COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=0 /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm
+
+USER 65534
diff --git a/nonroot/Makefile b/nonroot/Makefile
@@ -0,0 +1,62 @@
+SHELL=/bin/bash -o pipefail
+
+REGISTRY   ?= ghcr.io/appscode
+BIN        := helm-nonroot
+IMAGE      := $(REGISTRY)/$(BIN)
+RELEASE    ?= 1.20
+VERSION    ?= v$(RELEASE)
+SRC_REG    ?=
+
+DOCKER_PLATFORMS := linux/amd64 linux/386 linux/arm64 # linux/ppc64le linux/s390x
+PLATFORM         ?= $(firstword $(DOCKER_PLATFORMS))
+TAG              = $(VERSION)_$(subst /,_,$(PLATFORM))
+
+container-%:
+	@$(MAKE) container \
+	    --no-print-directory \
+	    PLATFORM=$(subst _,/,$*)
+
+push-%:
+	@$(MAKE) push \
+	    --no-print-directory \
+	    PLATFORM=$(subst _,/,$*)
+
+all-container: $(addprefix container-, $(subst /,_,$(DOCKER_PLATFORMS)))
+
+all-push: $(addprefix push-, $(subst /,_,$(DOCKER_PLATFORMS)))
+
+ifeq (,$(SRC_REG))
+container:
+	@echo "container: $(IMAGE):$(TAG)"
+	@docker buildx build --platform $(PLATFORM) --build-arg VERSION=$(VERSION) --load --pull -t $(IMAGE):$(TAG) -f Dockerfile .
+	@echo
+else
+container:
+	@echo "container: $(IMAGE):$(TAG)"
+	@docker tag $(SRC_REG)/$(BIN):$(TAG) $(IMAGE):$(TAG)
+	@echo
+endif
+
+push: container
+	@docker push $(IMAGE):$(TAG)
+	@echo "pushed: $(IMAGE):$(TAG)"
+	@echo
+
+.PHONY: manifest-version
+manifest-version:
+	docker manifest create -a $(IMAGE):$(VERSION) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION)_$(subst /,_,$(PLATFORM)))
+	docker manifest push $(IMAGE):$(VERSION)
+
+.PHONY: manifest-release
+manifest-release:
+	docker manifest create -a $(IMAGE):v$(RELEASE) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION)_$(subst /,_,$(PLATFORM)))
+	docker manifest push $(IMAGE):v$(RELEASE)
+	docker manifest create -a $(IMAGE):$(RELEASE) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION)_$(subst /,_,$(PLATFORM)))
+	docker manifest push $(IMAGE):$(RELEASE)
+
+.PHONY: docker-manifest
+docker-manifest: manifest-version manifest-release
+
+.PHONY: release
+release:
+	@$(MAKE) all-push docker-manifest --no-print-directory
diff --git a/Dockerfile → root/Dockerfile b/Dockerfile → root/Dockerfile
diff --git a/Makefile → root/Makefile b/Makefile → root/Makefile