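## Build stage
# The builder image is pinned by digest. When a tag and a digest are both
# given, the digest selects the image, so ":latest" is informational only.
FROM registry.redhat.io/ubi9/go-toolset:latest@sha256:037c7c028e77fb078573f721b63c35c46d7630f3086452bc26e1ae4a6a7f1a63 AS build-env
WORKDIR /opt/app-root/src/
# Root is used only in this discarded build stage (COPY without --chown writes
# root-owned files); the final stage runs as an unprivileged numeric UID.
USER root
# NOTE(review): strictfipsruntime is presumably the reason CGO_ENABLED=1 is set
# on the build below (FIPS crypto provided by a system library) - confirm, and
# confirm the runtime image ships the libraries this binary links against.
ENV GOEXPERIMENT=strictfipsruntime

# Set up build environment
# Lets the git commands in the build step run against the copied checkout.
RUN git config --global --add safe.directory /opt/app-root/src
# The whole build context is copied, including .git, which the version stamping
# below reads. NOTE(review): confirm .dockerignore keeps credentials and local
# env files out of the context.
COPY . .

# Build the webhook binary and stamp version metadata into it.
# - "-buildid=" blanks the Go build ID.
# - gitTreeState is "clean" when `git status --porcelain` prints nothing and
#   "dirty" otherwise. The previous pipeline ended in `head -n 1 || echo clean`;
#   head exits 0 on empty input, so the fallback never ran and a clean tree was
#   stamped with an empty value (a dirty one with a raw status code like "M").
# - NOTE(review): -mod=mod lets the go command update go.mod/go.sum during the
#   build instead of failing on drift; consider -mod=readonly so an unexpected
#   dependency change stops the build.
RUN CGO_ENABLED=1 go build -mod=mod \
    -ldflags "-buildid= \
    -X sigs.k8s.io/release-utils/version.gitVersion=$(git describe --tags --always) \
    -X sigs.k8s.io/release-utils/version.gitCommit=$(git rev-parse HEAD) \
    -X sigs.k8s.io/release-utils/version.gitTreeState=$(test -z "$(git status --porcelain)" && echo clean || echo dirty) \
    -X sigs.k8s.io/release-utils/version.buildDate=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
    -o ./policy-controller ./cmd/webhook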
# Install stage
# Minimal runtime base, pinned by digest (the digest, not ":latest", selects
# the image). Only the compiled binary and the license are carried over.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:7d4e47500f28ac3a2bff06c25eff9127ff21048538ae03ce240d57cf756acd00

COPY --from=build-env /opt/app-root/src/policy-controller /usr/local/bin/policy-controller

# NOTE(review): this directory is created before USER takes effect, so it is
# presumably root-owned; if the controller writes to its working directory,
# confirm UID 65532 can do so.
WORKDIR /opt/app-root/src/home
COPY LICENSE /licenses/LICENSE

# Run as a fixed, non-root numeric UID:GID.
USER 65532:65532

# Image metadata, grouped into a single instruction.
LABEL description="The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign." \
      io.k8s.description="The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign." \
      io.k8s.display-name="policy-controller container image for Red Hat Trusted Signer" \
      io.openshift.tags="policy-controller trusted-signer trusted-artifact-signer" \
      summary="Provides the policy-controller admission controller for enforcing policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign." \
      com.redhat.component="policy-controller" \
      name="rhtas/policy-controller-rhel9"

# Exec form: the controller runs directly, without a shell wrapper. The binary
# is resolved through PATH (it was installed to /usr/local/bin above).
ENTRYPOINT ["policy-controller"]