This is an automated email from the ASF dual-hosted git repository.
more pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 04c91f5ed KNOX-3264 - Add workflow to push docker image on every
master push and new release & use docker hardened image (#1160)
04c91f5ed is described below
commit 04c91f5ed83df041c85e9fd65ea1898e509c2571
Author: Sandeep Moré <[email protected]>
AuthorDate: Fri Feb 27 06:31:06 2026 -0500
KNOX-3264 - Add workflow to push docker image on every master push and new
release & use docker hardened image (#1160)
---
.github/workflows/docker-publish.yml | 94 ++++++++++++++++++++++
.../src/main/resources/docker/Dockerfile | 24 ++++--
2 files changed, 110 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/docker-publish.yml
b/.github/workflows/docker-publish.yml
new file mode 100644
index 000000000..244a5b067
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,94 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Publish
+
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - 'v*'
+ workflow_dispatch:
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ cache: maven
+
+ - name: Build with Maven
+ run: |
+ mvn -Dforbiddenapis.skip=true -Denforcer.skip
-Dpmd.failOnViolation=false \
+ -Dcheckstyle.skip=true -Dspotbugs.skip=true
-Ddependency-check.skip=true \
+ -Dmaven.test.skip=true -U clean verify install
-Prelease,package,docker
+
+ - name: Extract project version
+ id: project-version
+ run: |
+ echo "version=$(mvn help:evaluate -Dexpression=project.version -q
-DforceStdout)" >> "$GITHUB_OUTPUT"
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Login to Docker Hardened Images
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: apache/knox/knox-gateway
+ tags: |
+ # latest on every master push and on every version tag
+ type=raw,value=latest
+ # semver tags only activate when triggered by a v* tag
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: gateway-docker/target/classes/docker
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ RELEASE_FILE=knox-${{ steps.project-version.outputs.version }}.zip
+ ENTRYPOINT=gateway-entrypoint.sh
+ EXPOSE_PORT=8443
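Review bot: Every `uses:` line in this workflow references a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6` and the others), and the workflow has no `permissions:` block, although the job reads `secrets.DOCKERHUB_TOKEN` and pushes the public image. Pinning each action to a full commit SHA, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`, means a moved tag cannot run new code with the registry credentials. Adding a top-level `permissions:` mapping with `contents: read` keeps GITHUB_TOKEN from inheriting whatever the repository default is. Separately, `workflow_dispatch` can be started from any ref and `type=raw,value=latest` is unconditional, so a manual run on a non-master branch would publish `latest`. A job-level `if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')` would restrict publishing to the intended refs.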
diff --git a/gateway-docker/src/main/resources/docker/Dockerfile
b/gateway-docker/src/main/resources/docker/Dockerfile
index fabb9dd95..c1594452b 100644
--- a/gateway-docker/src/main/resources/docker/Dockerfile
+++ b/gateway-docker/src/main/resources/docker/Dockerfile
@@ -13,22 +13,30 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-FROM openjdk:8-jre-alpine3.8
-MAINTAINER Apache Knox <[email protected]>
+FROM dhi.io/eclipse-temurin:17-jdk-debian13-dev AS build
+LABEL maintainer="Apache Knox <[email protected]>"
+
+ARG TARGETARCH
+RUN echo "Building Apache Knox Gateway for architecture ${TARGETARCH}"
USER root
# Make sure required packages are available
-RUN apk upgrade --no-cache && \
- apk add --no-cache openssl \
+RUN apt-get update && \
+ apt-get upgrade -y && \
+ apt-get install -y \
+ openssl \
procps \
ca-certificates \
unzip \
- nss && \
- apk add --no-cache bash
+ libnss3 \
+ bash \
+ passwd && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
# Create knox user and group
# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
-RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h
/home/knox knox
+RUN groupadd --system -g 8000 knox && useradd --system -u 8000 -g knox -d
/home/knox -m knox
# Dependencies
ARG RELEASE_FILE
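Review bot: The new `FROM` line pulls the `-dev` variant of the hardened image by mutable tag and names the stage `build`, but no later `FROM` is visible in this hunk (the rest of the Dockerfile lies outside it). If this stage is also the image that ships, the runtime keeps the full JDK, apt and the packages added here, and `apt-get upgrade -y` makes the result depend on the mirror state at build time. That would give up much of what the hardened base is meant to provide. Consider pinning the base by digest, `FROM dhi.io/eclipse-temurin:17-jdk-debian13-dev@sha256:<digest> AS build`, and adding `--no-install-recommends` to `apt-get install -y`. If the entrypoint's shell requirement allows it, the unpacked Knox tree could also be copied into a non-dev runtime stage.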
@@ -42,7 +50,7 @@ RUN chmod 644 /home/knox/*.zip && \
RUN mkdir -p /home/knox/knox/data/security/keystores && \
mkdir -p /home/knox/knox/conf && \
chown -R knox:knox /home/knox && \
- chmod -R g+rwX /home/knox \
+ chmod -R g+rwX /home/knox
# Add the entrypoint script
ARG ENTRYPOINT