# syntax=docker/dockerfile:1
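# Stage 1: Build web
# Builds the web assets on the build host's native platform (BUILDPLATFORM).
# NOTE(review): this base image is referenced by a mutable tag, while the other
# two stages pin their base by digest. Consider pinning it the same way
# (docker.io/library/node:26@sha256:<digest>) so a re-pushed tag cannot change
# the build toolchain unnoticed.
FROM --platform=${BUILDPLATFORM} docker.io/library/node:26 AS web-builder

ENV NODE_ENV=production
WORKDIR /static

# These files need to be copied and cannot be mounted as `npm ci` will build the client's typescript
COPY ./packages /packages
COPY ./web/packages /static/packages

# Manifests and helper scripts are bind-mounted for this step only: set up
# corepack, then run the runtime lint script against ./web.
RUN --mount=type=bind,target=/static/package.json,src=./package.json \
    --mount=type=bind,target=/static/package-lock.json,src=./package-lock.json \
    --mount=type=bind,target=/static/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/static/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/static/scripts/node/,src=./scripts/node/ \
    --mount=type=bind,target=/static/packages/logger-js/,src=./packages/logger-js/ \
    node ./scripts/node/setup-corepack.mjs --force && \
    node ./scripts/node/lint-runtime.mjs ./web

COPY package.json /

# `npm ci` installs exactly what the bind-mounted package-lock.json records and
# fails if it disagrees with package.json. The repository-root .npmrc is only
# bind-mounted, so this instruction does not write it into a layer.
RUN --mount=type=bind,target=/static/.npmrc,src=./.npmrc \
    --mount=type=bind,target=/static/package.json,src=./web/package.json \
    --mount=type=bind,target=/static/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/static/scripts,src=./web/scripts \
    --mount=type=cache,target=/root/.npm \
    corepack npm ci

COPY web .
RUN npm run build-proxy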
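# Stage 2: Build
# Compiles the authentik binary (proxy feature only) on the digest-pinned base image.
FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:7726387c78b5787d2146868c2ccc8948a3591d0a5a6436f7780c8c28acc76341 AS builder

ARG TARGETARCH
ARG TARGETVARIANT

ENV PATH="/root/.cargo/bin:$PATH"

# With pipefail, a failed download in the `curl | sh` step below fails the RUN
# instead of being masked by the exit status of `sh`.
SHELL ["/bin/sh", "-o", "pipefail", "-c"]

# Keep downloaded .deb files so the /var/cache/apt cache mount below is effective.
RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

# NOTE(review): the rustup installer is fetched at build time and piped into sh
# without a checksum or signature check, so the toolchain bootstrap is trusted
# on TLS alone. The toolchain channel itself comes from rust-toolchain.toml.
# For stricter supply-chain guarantees, download a pinned rustup-init binary and
# verify its SHA-256 before running it.
RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
    apt-get update && \
    # Native toolchain needed to compile the binary and its dependencies
    apt-get install -y --no-install-recommends \
    # Build essentials
    build-essential \
    # aws-lc deps
    cmake clang golang && \
    # Only allow HTTPS (including on redirects) and TLS 1.2+ when fetching the installer
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain none && \
    rustup install && \
    rustup default "$(sed -n 's/channel = "\(.*\)"/\1/p' rust-toolchain.toml)" && \
    rustc --version && \
    cargo --version

# See https://github.com/aws/aws-lc-rs/issues/569
ENV AWS_LC_FIPS_SYS_CC=clang

# Sources are bind-mounted (not copied) and `--locked` makes cargo refuse to
# build if Cargo.lock would need to change, so dependency versions are fixed.
# NOTE(review): the rust-target cache is mounted at /build/target/ while the
# binary is copied from ./target/; these coincide only if the working directory
# is /build. No WORKDIR is set in this stage, so it is presumably inherited from
# the base image. Confirm.
RUN --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
    --mount=type=bind,target=Cargo.toml,src=Cargo.toml \
    --mount=type=bind,target=Cargo.lock,src=Cargo.lock \
    --mount=type=bind,target=.cargo/,src=.cargo/ \
    --mount=type=bind,target=src/,src=src/ \
    --mount=type=bind,target=packages/,src=packages/ \
    --mount=type=bind,target=authentik/lib/default.yml,src=authentik/lib/default.yml \
    # Required otherwise workspace discovery fails
    --mount=type=bind,target=website/scripts/docsmg/,src=website/scripts/docsmg/ \
    --mount=type=cache,id=cargo-git-db-$TARGETARCH$TARGETVARIANT,target=/root/.cargo/git/db/ \
    --mount=type=cache,id=cargo-registry-$TARGETARCH$TARGETVARIANT,target=/root/.cargo/registry/ \
    --mount=type=cache,id=rust-target-$TARGETARCH$TARGETVARIANT,target=/build/target/ \
    cargo build --package authentik --no-default-features --features proxy --locked --release && \
    cp ./target/release/authentik /bin/authentik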
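# Stage 3: Run
# Runtime image: same digest-pinned base as the build stage, plus the compiled
# binary and the static web assets. No compiler or package sources are copied in.
FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:7726387c78b5787d2146868c2ccc8948a3591d0a5a6436f7780c8c28acc76341

# Build metadata only; both values are visible in the image history and labels,
# so they must never carry secrets.
ARG VERSION
ARG GIT_BUILD_HASH
ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

# The two ARG-derived values are quoted so that a value containing whitespace
# cannot split the LABEL instruction into extra key/value tokens.
LABEL org.opencontainers.image.authors="Authentik Security Inc." \
      org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
      org.opencontainers.image.description="goauthentik.io Proxy outpost image, see https://goauthentik.io for more info." \
      org.opencontainers.image.documentation="https://docs.goauthentik.io" \
      org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
      org.opencontainers.image.revision="${GIT_BUILD_HASH}" \
      org.opencontainers.image.title="authentik proxy outpost image" \
      org.opencontainers.image.url="https://goauthentik.io" \
      org.opencontainers.image.vendor="Authentik Security Inc." \
      org.opencontainers.image.version="${VERSION}"

# Pulls in package updates published after the pinned base digest was built.
# This trades bit-for-bit reproducibility for current fixes; the apt lists and
# temp files are removed in the same layer so they do not persist in the image.
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/*

COPY --from=builder /bin/authentik /
COPY --from=web-builder /static/robots.txt /web/robots.txt
COPY --from=web-builder /static/security.txt /web/security.txt
COPY --from=web-builder /static/dist/ /web/dist/
COPY --from=web-builder /static/authentik/ /web/authentik/

# Exec-form check using the binary's own subcommand, so the runtime image needs
# neither a shell nor an HTTP client for health probing.
HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/authentik", "healthcheck" ]

# All three ports are above 1024, so the unprivileged user below can bind them.
EXPOSE 9000 9300 9443

# Drop root only after the apt step above. A numeric UID lets runtimes that
# enforce a non-root policy verify it without consulting /etc/passwd.
USER 1000

# Temporary files go to /dev/shm (presumably so the root filesystem can be
# mounted read-only; confirm against the deployment manifests).
# NOTE(review): GOFIPS looks like a Go-runtime FIPS switch, while the binary in
# this image is built with cargo; confirm something still reads it.
ENV TMPDIR=/dev/shm/ \
    GOFIPS=1

ENTRYPOINT ["/authentik", "proxy"]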