-
Notifications
You must be signed in to change notification settings - Fork 4.8k
/
Dockerfile-envoy
109 lines (91 loc) · 3.97 KB
/
Dockerfile-envoy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
ARG BUILD_OS=ubuntu
ARG BUILD_TAG=22.04
ARG BUILD_SHA=0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97
ARG ENVOY_VRP_BASE_IMAGE=envoy-base
FROM scratch AS binary
COPY ci/docker-entrypoint.sh /
ADD configs/envoyproxy_io_proxy.yaml /etc/envoy/envoy.yaml
# See https://github.com/docker/buildx/issues/510 for why this _must_ be this way
ARG TARGETPLATFORM
ENV TARGETPLATFORM="${TARGETPLATFORM:-linux/amd64}"
ADD "${TARGETPLATFORM}/release.tar.zst" /usr/local/bin/
# STAGE: envoy-base
FROM ${BUILD_OS}:${BUILD_TAG}@sha256:${BUILD_SHA} AS envoy-base
ENV DEBIAN_FRONTEND=noninteractive
EXPOSE 10000
CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"]
RUN mkdir -p /etc/envoy \
&& adduser --group --system envoy
ENTRYPOINT ["/docker-entrypoint.sh"]
# NB: Adding this here means that following steps, for example updating the system packages, are run
# when the version file changes. This should mean that a release version will always update.
# In PRs this will just use cached layers unless either this file changes or the version has changed.
ADD VERSION.txt /etc/envoy
RUN --mount=type=tmpfs,target=/var/cache/apt \
--mount=type=tmpfs,target=/var/lib/apt/lists \
apt-get -qq update \
&& apt-get -qq upgrade -y \
&& apt-get -qq install --no-install-recommends -y ca-certificates \
&& apt-get -qq autoremove -y
# STAGE: envoy
FROM envoy-base AS envoy
COPY --from=binary --chown=0:0 --chmod=644 \
/etc/envoy/envoy.yaml /etc/envoy/envoy.yaml
COPY --from=binary --chown=0:0 --chmod=755 \
/docker-entrypoint.sh /
COPY --from=binary --chown=0:0 --chmod=755 \
/usr/local/bin/utils/su-exec /usr/local/bin/
ARG ENVOY_BINARY=envoy
ARG ENVOY_BINARY_PREFIX=
COPY --from=binary --chown=0:0 --chmod=755 \
"/usr/local/bin/${ENVOY_BINARY_PREFIX}${ENVOY_BINARY}" /usr/local/bin/envoy
COPY --from=binary --chown=0:0 --chmod=755 \
/usr/local/bin/${ENVOY_BINARY_PREFIX}${ENVOY_BINARY}\.* /usr/local/bin/
# STAGE: envoy-tools
FROM envoy AS envoy-tools
# See https://github.com/docker/buildx/issues/510 for why this _must_ be this way
ARG TARGETPLATFORM
ENV TARGETPLATFORM="${TARGETPLATFORM:-linux/amd64}"
COPY --chown=0:0 --chmod=755 \
"${TARGETPLATFORM}/schema_validator_tool" "${TARGETPLATFORM}/router_check_tool" /usr/local/bin/
# STAGE: envoy-distroless
FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:2a803cc873dc1a69a33087ee10c75755367dd2c259219893504680480ad563f0 AS envoy-distroless
EXPOSE 10000
ENTRYPOINT ["/usr/local/bin/envoy"]
CMD ["-c", "/etc/envoy/envoy.yaml"]
COPY --from=binary --chown=0:0 --chmod=644 \
/etc/envoy/envoy.yaml /etc/envoy/envoy.yaml
COPY --from=binary --chown=0:0 --chmod=755 \
/usr/local/bin/envoy /usr/local/bin/
# STAGE: envoy-google-vrp-base
FROM ${ENVOY_VRP_BASE_IMAGE} AS envoy-google-vrp-base
EXPOSE 10000
EXPOSE 10001
CMD ["supervisord", "-c", "/etc/supervisor.conf"]
ENTRYPOINT []
ADD --chown=0:0 --chmod=644 \
configs/google-vrp/*.yaml /etc/envoy/
ADD --chown=0:0 --chmod=755 \
configs/google-vrp/launch_envoy.sh /usr/local/bin/launch_envoy.sh
ADD --chown=0:0 --chmod=644 \
test/config/integration/certs/serverkey.pem /etc/envoy/certs/serverkey.pem
ADD --chown=0:0 --chmod=644 \
test/config/integration/certs/servercert.pem /etc/envoy/certs/servercert.pem
RUN --mount=type=tmpfs,target=/var/cache/apt \
--mount=type=tmpfs,target=/var/lib/apt/lists \
apt-get -qq update \
&& apt-get -qq upgrade -y \
&& apt-get -qq install -y libc++1 supervisor gdb strace tshark \
&& apt-get autoremove -y \
&& chmod 777 /var/log/supervisor
ADD --chown=0:0 --chmod=755 configs/google-vrp/supervisor.conf /etc/supervisor.conf
# STAGE: envoy-google-vrp
FROM envoy-google-vrp-base AS envoy-google-vrp
COPY --from=binary --chown=0:0 --chmod=755 \
/usr/local/bin/envoy /usr/local/bin/envoy
# STAGE: envoy-google-vrp-custom
FROM envoy-google-vrp-base AS envoy-google-vrp-custom
ARG ENVOY_CTX_BINARY_PATH
ADD "${ENVOY_CTX_BINARY_PATH}" /usr/local/bin/envoy
# Make envoy image as last stage so it is built by default
FROM envoy