# k8s-ws-proxy — Catalyst-built Go binary that bridges HMAC-signed
# WebSocket exec sessions onto the local kube-apiserver. Per
# docs/INVIOLABLE-PRINCIPLES.md the image is statically compiled, runs
# as a non-root numeric UID, and ships nothing beyond the binary +
# CA bundle.
#
# Build context: this Containerfile is invoked by the
# .github/workflows/build-k8s-ws-proxy.yaml workflow with the
# repository ROOT as the build context (NOT this directory). The
# COPY paths below assume that.
#
# Two stages:
#   build  — golang:1.23-alpine, vendored stdlib + module cache
#   final  — alpine:3.20 minimal runtime (CA certs + the binary)

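FROM docker.io/library/golang:1.23-alpine AS build
# NOTE(review): tag-pinned only. For a reproducible supply chain also pin
# the digest (golang:1.23-alpine@sha256:<digest-of-chosen-image>) and bump
# it deliberately instead of letting the tag drift on each rebuild.
WORKDIR /workspace

# Step 1 of the build stage: copy the module manifests on their own so the
# download layer stays cached until go.mod/go.sum change. The `go.sum*`
# glob lets the COPY succeed when go.sum is absent — presumably because the
# module has no external dependencies today; once it gains any, go.sum must
# be committed so `go mod download` can verify module checksums against it.
COPY core/cmd/k8s-ws-proxy/go.mod core/cmd/k8s-ws-proxy/go.sum* core/cmd/k8s-ws-proxy/

WORKDIR /workspace/core/cmd/k8s-ws-proxy
RUN go mod download

# Step 2 of the build stage: copy the source and build.
COPY core/cmd/k8s-ws-proxy /workspace/core/cmd/k8s-ws-proxy

# CGO_ENABLED=0 gives the static binary the runtime stage relies on.
# -trimpath removes the /workspace build paths from the binary, so the
# output is reproducible across build hosts and does not embed builder
# layout; -ldflags "-s -w" strips the symbol table and DWARF debug info.
RUN CGO_ENABLED=0 GOOS=linux go build \
    -trimpath \
    -ldflags="-s -w" \
    -o /k8s-ws-proxy .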

# Stage 2 of 2: minimal runtime.
FROM docker.io/library/alpine:3.20
# NOTE(review): tag-pinned only; consider pinning the digest as well
# (alpine:3.20@sha256:<digest-of-chosen-image>) so the runtime base cannot
# change underneath the tag. Alpine also ships busybox and apk next to the
# binary; a scratch / distroless final stage would match the "nothing
# beyond the binary + CA bundle" principle more tightly — confirm whether
# anything here actually needs the shell.

# ca-certificates so the apiserver TLS verifies. tzdata so logs render
# in operator-friendly timezones. (No TZ is set in this file, so the
# zone data is only used when the operator sets TZ at runtime —
# presumably logs default to UTC otherwise; verify against the proxy's
# timestamp formatting.)
RUN apk add --no-cache ca-certificates tzdata

# Copied without --chown, so the binary stays root-owned: UID 65534 can
# execute it but not overwrite it.
COPY --from=build /k8s-ws-proxy /k8s-ws-proxy

# UID 65534 is `nobody`. Reuse rather than create a duplicate `nonroot`
# account. Numeric form satisfies runAsNonRoot=true / runAsUser=65534.
USER 65534:65534

# Documentation only (does not publish the port). 8080 is above 1024, so
# the non-root USER above can bind it without extra capabilities.
EXPOSE 8080

# No HEALTHCHECK: no probe endpoint is visible from this file. Add one if
# the proxy exposes a cheap, side-effect-free health path.
ENTRYPOINT ["/k8s-ws-proxy"]
