Merge pull request #1141 from cyberark/openshift-image-support

Add openshift registry support for secretless-broker
cyberark · Feb 12, 2020 · 01a013d · 01a013d
2 parents 4efa41f + b7e837a
commit 01a013d
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -68,3 +68,54 @@ ENTRYPOINT [ "/usr/local/bin/secretless-broker" ]
 
 COPY --from=secretless-builder /secretless/dist/linux/amd64/secretless-broker \
                                /secretless/dist/linux/amd64/summon2 /usr/local/bin/
+
+# =================== MAIN CONTAINER (REDHAT) ===================
+FROM registry.access.redhat.com/rhel as secretless-broker-redhat
+MAINTAINER CyberArk Software, Inc.
+
+ARG VERSION
+
+LABEL name="Secretless-broker"
+LABEL vendor="CyberArk"
+LABEL version="$VERSION"
+LABEL release="$VERSION"
+LABEL summary="Secure your apps by making them Secretless"
+LABEL description="Secretless Broker is a connection broker which relieves client \
+applications of the need to directly handle secrets to target services"
+
+    # Add Limited user
+RUN groupadd -r secretless \
+             -g 777 && \
+    useradd -c "secretless runner account" \
+            -g secretless \
+            -u 777 \
+            -m \
+            -r \
+            secretless && \
+    # Ensure plugin dir is owned by secretless user
+    mkdir -p /usr/local/lib/secretless && \
+    # Make and setup a directory for sockets at /sock
+    mkdir /sock && \
+    # Make and setup a directory for the Conjur client certificate/access token
+    mkdir -p /etc/conjur/ssl && \
+    mkdir -p /run/conjur && \
+    mkdir -p /licenses && \
+    # Use GID of 0 since that is what OpenShift will want to be able to read things
+    chown secretless:0 /usr/local/lib/secretless \
+                       /sock \
+                       /etc/conjur/ssl \
+                       /run/conjur && \
+    # We need open group permissions in these directories since OpenShift won't
+    # match our UID when we try to write files to them
+    chmod 770 /sock \
+              /etc/conjur/ssl \
+              /run/conjur
+
+COPY LICENSE /licenses
+
+USER secretless
+
+ENTRYPOINT [ "/usr/local/bin/secretless-broker" ]
+
+COPY --from=secretless-builder /secretless/dist/linux/amd64/secretless-broker \
+                               /secretless/dist/linux/amd64/summon2 /usr/local/bin/
diff --git a/bin/build b/bin/build
@@ -30,6 +30,7 @@ echo "Building secretless-broker:$FULL_VERSION_TAG Docker image"
 # shellcheck disable=SC2086
 docker build --tag "secretless-broker:${FULL_VERSION_TAG}" \
              --tag "secretless-broker:latest" \
+             --target "secretless-broker" \
              $DOCKER_FLAGS \
              --file "$TOPLEVEL_DIR/Dockerfile" \
              "$TOPLEVEL_DIR"
@@ -53,3 +54,13 @@ docker build --tag "secretless-broker-quickstart:${FULL_VERSION_TAG}" \
              $DOCKER_FLAGS \
              --file "$QUICK_START_DIR/Dockerfile" \
              "$QUICK_START_DIR"
+
+echo "Building secretless-broker-redhat:$FULL_VERSION_TAG Docker image"
+# (we want the flags to be word split here)
+# shellcheck disable=SC2086
+docker build --tag "secretless-broker-redhat:${FULL_VERSION_TAG}" \
+             --target "secretless-broker-redhat" \
+             --build-arg VERSION="${FULL_VERSION_TAG}" \
+             $DOCKER_FLAGS \
+              --file "$TOPLEVEL_DIR/Dockerfile" \
+             "$TOPLEVEL_DIR"
diff --git a/bin/publish b/bin/publish
@@ -8,7 +8,7 @@ readonly REGISTRY="cyberark"
 readonly VERSION="$(short_version_tag)"
 readonly FULL_VERSION_TAG="$(full_version_tag)"
 readonly INTERNAL_REGISTRY="registry.tld"
-
+readonly REDHAT_IMAGE="scan.connect.redhat.com/ospid-18d9f51d-9c0c-4031-9f9e-ef08aa2ff409/secretless-broker"
 readonly IMAGES=(
   "secretless-broker"
   "secretless-broker-quickstart"
@@ -44,3 +44,15 @@ for image_name in "${IMAGES[@]}"; do
     done
   fi
 done
+
+if [ "$git_description" = "v${VERSION}" ]; then
+  # Publish only latest to Redhat Registries
+  echo "Tagging and pushing ${REDHAT_IMAGE}"
+
+  docker tag "secretless-broker-redhat:${FULL_VERSION_TAG}" "${REDHAT_IMAGE}:${VERSION}"
+  # you can't push the same tag twice to redhat registry, so ignore errors
+  if ! docker push "${REDHAT_IMAGE}:${VERSION}"; then
+    echo 'RedHat push FAILED! (Maybe the image was pushed already?)'
+    exit 0
+  fi
+fi