@eloylp
Created May 2, 2021 09:59
A Go vanity url server deployment based on https://github.com/GoogleCloudPlatform/govanityurls
## You can PULL this image from https://hub.docker.com/r/eloylp/go-vanity-urls-server
FROM golang:1.16.3 AS build
WORKDIR /src
COPY . .
# Don't run your programs as root.
RUN useradd -u 10001 nonprivuser
ARG VERSION
RUN git clone https://github.com/GoogleCloudPlatform/govanityurls.git app \
    && cd app && git checkout $VERSION
# CGO_ENABLED=0    - Disable CGO to drop CGO dependencies and use the pure Go net stack.
# -trimpath        - Strip local filesystem paths from error stack traces; paths start at the root of the repo.
# -ldflags="-s -w" - Omit the symbol table and DWARF debugging tables from the binary (about 25% smaller).
# -tags timetzdata - Embed tzdata so the Docker image is independent of an external time zone database (around 800KB larger).
RUN cd app && CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -tags timetzdata -o vanity-urls-server
FROM scratch
# Copy CA certificates from the build image.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Copy the users table from the build image.
COPY --from=build /etc/passwd /etc/passwd
# Copy the binary from the build image.
COPY --from=build /src/app/vanity-urls-server /app/vanity-urls-server
EXPOSE 8080
USER nonprivuser
WORKDIR /app
ENTRYPOINT ["./vanity-urls-server"]

apiVersion: apps/v1
kind: Deployment
metadata:
  name: go-vanity-url-server
  labels:
    app: go-vanity-url-server
spec:
  replicas: 1
  template:
    metadata:
      name: go-vanity-url-server
      labels:
        app: go-vanity-url-server
    spec:
      containers:
        - name: go-vanity-url-server
          image: eloylp/go-vanity-urls-server:v0.1.0
          imagePullPolicy: Always
          args:
            - /etc/vanity
          volumeMounts:
            - mountPath: /etc/vanity
              readOnly: true
              name: config
              subPath: vanity.yaml
          readinessProbe:
            httpGet:
              port: 8080
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      restartPolicy: Always
      volumes:
        - name: config
          configMap:
            name: go-vanity-url-server-config
  selector:
    matchLabels:
      app: go-vanity-url-server
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: go-vanity-url-server-config
data:
  vanity.yaml: |
    host: example.com
    cache_max_age: 3600
    paths:
      /foo:
        repo: https://github.com/example/foo
        display: "https://github.com/example/foo https://github.com/example/foo/tree/master{/dir} https://github.com/example/foo/blob/master{/dir}/{file}#L{line}"
        vcs: git
---
apiVersion: v1
kind: Service
metadata:
  name: go-vanity-url-server
spec:
  selector:
    app: go-vanity-url-server
  ports:
    - port: 8080
  type: ClusterIP
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: https-example.com
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`example.com`)
      kind: Rule
      services:
        - name: go-vanity-url-server
          port: 8080
  tls:
    secretName: cert-wildcard-example.com
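
An added example (not part of the gist or of govanityurls): a post-deployment check that the page served for a vanity path advertises exactly one `go-import` tag pointing at the repository set in `vanity.yaml`, since that tag decides where the go tool fetches code from. The sample page is constructed rather than captured from the server, and `goImports` and `checkVanity` are hypothetical helper names.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample page for example.com/foo (not captured server output).
const samplePage = `<html><head>
<meta name="go-import" content="example.com/foo git https://github.com/example/foo">
</head><body>Nothing to see here.</body></html>`

// goImports returns the [prefix vcs repo] fields of go-import meta tags found before </head> or <body>.
func goImports(page string) [][]string {
	d := xml.NewDecoder(strings.NewReader(page))
	d.Strict = false // HTML is not well-formed XML
	var out [][]string
	for {
		tok, err := d.RawToken()
		e, isStart := tok.(xml.StartElement)
		end, isEnd := tok.(xml.EndElement)
		if err != nil || (isEnd && strings.EqualFold(end.Name.Local, "head")) ||
			(isStart && strings.EqualFold(e.Name.Local, "body")) {
			return out
		}
		if !isStart || !strings.EqualFold(e.Name.Local, "meta") {
			continue
		}
		attr := map[string]string{}
		for _, a := range e.Attr {
			attr[strings.ToLower(a.Name.Local)] = a.Value
		}
		if f := strings.Fields(attr["content"]); attr["name"] == "go-import" && len(f) == 3 {
			out = append(out, f)
		}
	}
}

// checkVanity fails unless exactly one go-import tag maps importPath to wantRepo over git.
func checkVanity(page, importPath, wantRepo string) error {
	want := []string{importPath, "git", wantRepo}
	if tags := goImports(page); len(tags) != 1 || strings.Join(tags[0], " ") != strings.Join(want, " ") {
		return fmt.Errorf("go-import tags %v, want exactly %v", tags, want)
	}
	return nil
}

func main() { fmt.Println(checkVanity(samplePage, "example.com/foo", "https://github.com/example/foo")) }
```

To run it against a live deployment, feed `checkVanity` the response body of a GET for the vanity path instead of `samplePage`.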