

dockerfile size reduction

+17 -5
+17 -5
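--- a/Dockerfile
+++ b/Dockerfile
@@ -36,7 +36,8 @@
 COPY web/ web/
 
 # Build with CGO enabled for PKCS#11 support
-RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o hsm-operator cmd/hsm-operator/main.go
+# Strip debug symbols to reduce binary size (-s -w)
+RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -ldflags="-s -w" -o hsm-operator cmd/hsm-operator/main.go
 
 # Collect all runtime dependencies using iterative discovery:
 # 1. Start with ldd on binaries → get compile-time linked libraries
@@ -76,18 +77,21 @@
 comm -13 /tmp/deps_previous.txt /tmp/deps_all_sorted.txt > /tmp/deps_new.txt && \
 cp /tmp/deps_all_sorted.txt /tmp/deps_previous.txt; \
 done && \
-# Final deduplication - just remove duplicate paths, keep both /lib and /usr/lib variants
+# Copy all libraries except /lib/* paths (will be symlinked to /usr/lib)
 sort -u /tmp/deps_all.txt > /tmp/deps.txt && \
 echo "Found $(wc -l < /tmp/deps.txt) unique library paths after $ITERATION iterations" && \
 cat /tmp/deps.txt && \
 for lib in $(cat /tmp/deps.txt); do \
-if [ -f "$lib" ]; then \
+# Skip /lib/* paths (but not /lib64/* which is separate)
+if [ -f "$lib" ] && ! echo "$lib" | grep -q "^/lib/"; then \
 dir=$(dirname "$lib"); \
 mkdir -p "/runtime-deps$dir"; \
 cp -L "$lib" "/runtime-deps$lib"; \
 fi; \
 done && \
-echo "Dependencies collected to /runtime-deps" && \
+# Create single directory-level symlink: /lib → /usr/lib
+ln -s /usr/lib /runtime-deps/lib && \
+echo "Dependencies collected to /runtime-deps (/lib symlinked to /usr/lib)" && \
 # Verify all binaries can find their dependencies
 echo "Testing binaries for missing dependencies..." && \
 for binary in $SCAN_BINARIES; do \
@@ -95,6 +99,11 @@
 ldd "$binary" 2>&1 | grep "not found" && echo "ERROR: Missing dependencies for $binary" && exit 1 || true; \
 done && \
 echo "All binaries have satisfied dependencies"
+
+# Create symlinks for opensc-pkcs11.so for both architectures (FROM scratch has no shell)
+RUN mkdir -p /tmp/pkcs11-links/x86_64-linux-gnu /tmp/pkcs11-links/aarch64-linux-gnu && \
+ln -s /usr/lib/pkcs11/opensc-pkcs11.so /tmp/pkcs11-links/x86_64-linux-gnu/opensc-pkcs11.so && \
+ln -s /usr/lib/pkcs11/opensc-pkcs11.so /tmp/pkcs11-links/aarch64-linux-gnu/opensc-pkcs11.so
 
 # Stage 2: Ultra-minimal FROM scratch runtime (no shell, no distro)
 # Maximum security: smallest possible attack surface (~15MB vs ~30MB distroless)
@@ -108,8 +117,11 @@
 # Includes dynamic linker (ld-linux-*.so) for all architectures (x86_64, arm64, etc.)
 COPY --from=builder /runtime-deps /
 
-# Copy PKCS#11 library (loaded via dlopen by Go app at runtime with user-specified path)
+# Copy PKCS#11 library and symlinks for all architectures
+# Main copy: /usr/lib/pkcs11/ - actual file location
 COPY --from=builder /usr/lib/*/opensc-pkcs11.so /usr/lib/pkcs11/
+# Symlinks created in builder stage for pkcs11-tool default paths (works for both amd64 and arm64)
+COPY --from=builder /tmp/pkcs11-links/ /usr/lib/
 
 # Copy essential binaries
 COPY --from=builder /usr/sbin/pcscd /usr/sbin/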
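Review bot: The new `! echo "$lib" | grep -q "^/lib/"` guard silently drops every library whose discovered path is under /lib/, on the assumption that an identical /usr/lib/ twin is also listed in /tmp/deps.txt, but nothing in the hunk establishes that, and on arm64 the ELF interpreter is typically reported as /lib/ld-linux-aarch64.so.1 (only /lib64 is exempted by the comment). The `ldd "$binary"` verification a few lines later runs against the builder's own root filesystem, where /lib still exists, so it cannot detect a library that never reached /runtime-deps; the first sign would be the FROM scratch image failing to exec. Rather than skipping /lib/* entries, I would redirect them so each discovered file lands under /runtime-deps/usr/lib/ and the new `/lib → /usr/lib` symlink resolves for every path, as in the rewrite below; this also replaces the per-library `echo | grep` fork with a `case` pattern. It is also worth adding a comment noting that the ldd check validates the builder, not the assembled /runtime-deps tree, so readers do not take it as proof the scratch image is complete.
```dockerfile
for lib in $(cat /tmp/deps.txt); do \
if [ -f "$lib" ]; then \
# /lib is a symlink to /usr/lib in the runtime image: relocate /lib/* under /usr/lib instead of dropping it
case "$lib" in /lib/*) dest="/usr$lib" ;; *) dest="$lib" ;; esac; \
mkdir -p "/runtime-deps$(dirname "$dest")"; \
cp -L "$lib" "/runtime-deps$dest"; \
fi; \
done && \
# … unchanged: ln -s /usr/lib /runtime-deps/lib, echo, ldd verification loop …
```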