UNCLASSIFIED - NO CUI

Skip to content
Snippets Groups Projects
Normal view Permalink
Dockerfile 2.67 KiB
Newer Older
  • Learn to ignore specific revisions
    • sean.melissari's avatar
    bump v2  
    sean.melissari committed
    1 
    ARG BASE_REGISTRY=registry1.dso.mil
    James Casteel's avatar
    ubi9  
    James Casteel committed
    2 
    ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9-minimal
    James Daniel III's avatar
    Update Dockerfile  
    James Daniel III committed
    3 
    ARG BASE_TAG=9.5
    sean.melissari's avatar
    add argocd
    sean.melissari committed
    4
    POPs Trigger's avatar
    Update quay.io/argoproj/argocd Docker tag to v2.14.11  
    POPs Trigger committed
    5 
    FROM quay.io/argoproj/argocd:v2.14.11 as argocd
    sean.melissari's avatar
    add argocd
    sean.melissari committed
    6
    POPs Trigger's avatar
    Update amazon/aws-cli Docker tag to v2.27.0  
    POPs Trigger committed
    7 
    FROM amazon/aws-cli:2.27.0 as awscli
    sean.melissari's avatar
    add argocd
    sean.melissari committed
    8 9 10 11 12 13 
    
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

ENV HOME=/home/argocd \
    USER=argocd
    sean.melissari's avatar
    fix permissions  
    sean.melissari committed
    14 15 16 17 18 
    COPY --from=argocd --chown=root:root /usr/local/bin/argocd /usr/local/bin/
COPY --from=argocd --chown=root:root /usr/local/bin/helm* /usr/local/bin/
COPY --from=argocd --chown=root:root /usr/local/bin/kustomize /usr/local/bin/kustomize
COPY --from=argocd --chown=root:root /usr/bin/tini /usr/bin/tini
COPY --from=awscli --chown=root:root /usr/local/aws-cli /usr/local/aws-cli
    sean.melissari's avatar
    add gpg feature  
    sean.melissari committed
    19 
    COPY scripts/* /usr/local/bin/
    sean.melissari's avatar
    add argocd
    sean.melissari committed
    20
    Offboarding Automation Bot's avatar
    security fixes  
    Offboarding Automation Bot committed
    21 22 23 24 25 26 27 
    RUN groupadd -g 1000 argocd && \
    useradd -r -u 1000 -m -s /sbin/nologin -g argocd argocd && \
    chown argocd:argocd ${HOME} && \
    chmod g=u ${HOME} && \
    microdnf upgrade -y && \
    microdnf install --nodocs -y git git-lfs nss_wrapper && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth && \
    Alexander Indihar's avatar
    Update Dockerfile, hardening_manifest.yaml, renovate.json  
    Alexander Indihar committed
    28 
        mkdir -p /app/config/ssh /app/config/tls /app/config/gpg/{source,keys} && \
    sean.melissari's avatar
    add gpg feature  
    sean.melissari committed
    29 30 
        chown argocd:0 /app/config/gpg/keys && \
    chmod 0700 /app/config/gpg/keys && \
    sean.melissari's avatar
    fix permissions  
    sean.melissari committed
    31 
        chmod 0755 /usr/local/bin/*.sh && \
    sean.melissari's avatar
    add argocd
    sean.melissari committed
    32 33 34 
        touch /app/config/ssh/ssh_known_hosts && \
    ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts && \
    ln -s /usr/local/aws-cli/v2/current/bin/aws /usr/local/bin/aws && \
    sean.melissari's avatar
    remove suid on ssh-keysign  
    sean.melissari committed
    35 
        ln -s /usr/local/aws-cli/v2/current/bin/aws_completer /usr/local/bin/aws_completer && \
    sean.melissari's avatar
    align with upstream  
    sean.melissari committed
    36 37 38 39 
        ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex && \
    Colton Freeman's avatar
    add cmp-server, notifications and applicationset  
    Colton Freeman committed
    40 41 42 
        ln -s /usr/local/bin/argocd /usr/local/bin/argocd-cmp-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-notifications && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller && \
    sean.melissari's avatar
    align with upstream  
    sean.melissari committed
    43 
        ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh && \
    Russell Huonder's avatar
    removing nullok from files to address CCE-83611-4  
    Russell Huonder committed
    44 
        chmod -s /usr/libexec/openssh/ssh-keysign && \
    Offboarding Automation Bot's avatar
    security fixes  
    Offboarding Automation Bot committed
    45 
        for i in /etc/pam.d/system-auth /etc/pam.d/password-auth; do sed -i "s/nullok//g" $i; done && \
    Alexander Indihar's avatar
    security fixes  
    Alexander Indihar committed
    46 47 
        sed -iE '/password\s\+sufficient\s\+pam_unix.so/ s/$/ rounds=5000/' /etc/pam.d/password-auth && \
    sed -iE '/password\s\+sufficient\s\+pam_unix.so/ s/$/ rounds=5000/' /etc/pam.d/system-auth && \
    Patrick Einheber's avatar
    remove vim-filesystem, cmake  
    Patrick Einheber committed
    48 
        microdnf remove -y vim-filesystem cmake-data cmake && \
    Offboarding Automation Bot's avatar
    security fixes  
    Offboarding Automation Bot committed
    49 50 
        microdnf clean all && \
    rm -rf /var/cache/yum /var/log/yum* /usr/local/aws-cli/v2/2.*/dist/awscli/examples/apigateway/*.rst
    sean.melissari's avatar
    add argocd
    sean.melissari committed
    51
    Christopher Knieriem's avatar
    Update Dockerfile  
    Christopher Knieriem committed
    52 53 
    RUN chmod 750 -R /home/argocd
    sean.melissari's avatar
    add gpg feature  
    sean.melissari committed
    54 
    USER 1000
    sean.melissari's avatar
    add argocd
    sean.melissari committed
    55 56 
    WORKDIR ${HOME}
    sean.melissari's avatar
    align with upstream  
    sean.melissari committed
    57 58 
    ENTRYPOINT ["entrypoint.sh"]
CMD ["argocd-server"]

    UNCLASSIFIED - NO CUI