-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathDockerfile
More file actions
34 lines (27 loc) · 1.37 KB
/
Dockerfile
File metadata and controls
34 lines (27 loc) · 1.37 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# ── Build stage ──────────────────────────────────────────────
# Hard-code --platform to prevent exec format error on ARM Macs.
FROM --platform=linux/amd64 rust:1.88-bookworm AS builder
WORKDIR /build
COPY . .
RUN cargo build --release -p sprout-relay \
&& strip target/release/sprout-relay
# ── Runtime stage ────────────────────────────────────────────
FROM --platform=linux/amd64 debian:bookworm-slim
# CAKE: non-root UID 1000 (numeric, not username)
RUN groupadd -g 1000 sprout && useradd -u 1000 -g sprout -m sprout
# CAKE: writable dirs
RUN mkdir -p /cache /tmp && chown sprout:sprout /cache /tmp
# socat for Istio abstract→file socket bridge
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates socat && rm -rf /var/lib/apt/lists/*
COPY --from=builder /build/target/release/sprout-relay /code/sprout-relay
COPY script/start /code/start
RUN chmod +x /code/start
# CAKE: required Envoy env vars (overridden at runtime by CAKE).
ENV ENVOY_ADMIN_SOCKET_PATH="@envoy-admin.sock" \
ENVOY_INGRESS_PORT="20001" \
ENVOY_HTTP_EGRESS_SOCKET_PATH="@egress.sock" \
ENVOY_DATADOG_PORT="3030" \
CASH_FRAMEWORK="rust"
USER 1000
ENTRYPOINT ["/code/start"]