rustsystem/Dockerfile.trustauth at main · fsek/rustsystem · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
ARG API_ENDPOINT_SERVER=https://rosta.fsektionen.se
ARG API_ENDPOINT_TRUSTAUTH_TO_SERVER=https://rustsystem-server:1444
ARG API_ENDPOINT_TRUSTAUTH=https://rosta.trustauth.fsektionen.se

FROM rust:1.91-bullseye AS builder
WORKDIR /app
COPY Cargo.trustauth.toml ./Cargo.toml
COPY Cargo.lock ./
COPY rustsystem-trustauth/ ./rustsystem-trustauth/
COPY rustsystem-core/ ./rustsystem-core/
ARG API_ENDPOINT_SERVER
ARG API_ENDPOINT_TRUSTAUTH_TO_SERVER
ARG API_ENDPOINT_TRUSTAUTH
# Build with empty PEM stubs to cache all dependency compilation.
# include_bytes! compiles fine with empty files; PEM parsing only happens at runtime.
COPY mtls-prod/ca/ ./mtls/ca/
COPY mtls-prod/trustauth/ ./mtls/trustauth/
RUN touch rustsystem-trustauth/src/main.rs
RUN cargo build --release --bin rustsystem-trustauth

FROM debian:bullseye-slim AS runtime
RUN apt-get update && apt-get install -y \
    ca-certificates \
    curl \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

COPY --from=builder /app/target/release/rustsystem-trustauth ./rustsystem-trustauth

RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
USER appuser

EXPOSE 2443
EXPOSE 2444

CMD ["./rustsystem-trustauth"]