# Guildhouse SPIRE Plugins — production image.
#
# This image is a passive binary container: it is not executed directly.
# SPIRE server/agent Deployments mount an emptyDir volume and run an
# initContainer from this image that copies /plugins/ into the shared
# volume. The runtime layer therefore only needs the plugin binaries
# themselves plus a minimal `cp` — distroless static-nonroot ships a
# BusyBox-less runtime, so we use the bookworm slim minimal base here
# which includes coreutils.
#
# Plugin binaries live under /plugins/. SPIRE's HCL plugin_cmd
# directive expects these exact paths.

FROM golang:1.23.6-bookworm AS builder

WORKDIR /src

# Dependency cache layer — go.mod/go.sum copied first so we only redo
# `go mod download` when the module graph changes, not on every source edit.
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# Build each plugin binary into /plugins/. CGO disabled so the binaries
# are statically linked and runnable from any base image.
ENV CGO_ENABLED=0
ENV GOOS=linux
ENV GOARCH=amd64

RUN mkdir -p /plugins && \
    go build -trimpath -ldflags="-s -w" -o /plugins/oidc-attestor ./cmd/oidc-attestor && \
    go build -trimpath -ldflags="-s -w" -o /plugins/ssh-credential-composer ./cmd/ssh-credential-composer && \
    go build -trimpath -ldflags="-s -w" -o /plugins/governance-notifier ./cmd/governance-notifier && \
    go build -trimpath -ldflags="-s -w" -o /plugins/substrate-keymanager ./cmd/substrate-keymanager

FROM debian:bookworm-slim AS runtime

# No shell commands needed at image boot — this image is inert. The
# initContainer that uses it supplies its own `cp -r /plugins/ /opt/spire/plugins/`
# command. We keep the binaries readable by any UID so SPIRE's
# non-root user can read them out of the shared volume.
COPY --from=builder /plugins/ /plugins/
RUN chmod -R a+rx /plugins

LABEL org.opencontainers.image.source="https://git.guildhouse.dev/tking/guildhouse-spire-plugins" \
      org.opencontainers.image.description="Guildhouse SPIRE plugins: oidc-attestor, ssh-credential-composer, governance-notifier, substrate-keymanager" \
      org.opencontainers.image.licenses="Apache-2.0"
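The initContainer pattern the header comments describe, as an added Kubernetes example that is not part of this repository: the plugins image seeds an emptyDir that the SPIRE server container then mounts read-only. The image references and tags, the namespace and the ServiceAccount/ConfigMap names are placeholders, not values from the page.

```yaml
# Added example: SPIRE server Deployment fragment using the plugins image
# as an initContainer. Image refs, tags, namespace and names are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spire-server
  namespace: spire                        # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels: {app: spire-server}
  template:
    metadata:
      labels: {app: spire-server}
    spec:
      serviceAccountName: spire-server    # assumed to exist
      initContainers:
        - name: seed-plugins
          # Placeholder image ref; pin by digest (@sha256:...) in production
          # so the binaries the server executes are the ones you reviewed.
          image: registry.example/guildhouse-spire-plugins:PLUGINS_VERSION
          # The emptyDir is already mounted at the destination, so copy the
          # contents of /plugins/ (trailing "/.") rather than the directory;
          # GNU cp would otherwise nest it as /opt/spire/plugins/plugins/.
          command: ["cp", "-r", "/plugins/.", "/opt/spire/plugins/"]
          volumeMounts:
            - name: plugins
              mountPath: /opt/spire/plugins
      containers:
        - name: spire-server
          image: ghcr.io/spiffe/spire-server:SPIRE_VERSION   # assumed tag
          args: ["-config", "/run/spire/config/server.conf"]
          securityContext:
            runAsNonRoot: true            # chmod a+rx in the image keeps the
            allowPrivilegeEscalation: false   # binaries readable by this user
          volumeMounts:
            - name: plugins
              mountPath: /opt/spire/plugins
              readOnly: true              # server executes, never modifies
            - name: config
              mountPath: /run/spire/config
              readOnly: true
      volumes:
        - name: plugins
          emptyDir: {}
        - name: config
          configMap:
            name: spire-server            # assumed; holds server.conf
```

The plugin blocks in server.conf then set plugin_cmd to /opt/spire/plugins/oidc-attestor and the other three binaries; setting plugin_checksum next to each plugin_cmd makes the server refuse a binary whose hash differs from the build you pinned.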