eventRT/deploy/dockerfile/eventrt.Dockerfile

FROM golang:1.26-alpine AS builder
RUN apk --no-cache upgrade

WORKDIR /app
COPY go.mod go.sum ./
RUN GOPROXY="https://goproxy.cn,direct" go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build \
    -ldflags="-s -w" \
    -trimpath \
    -mod=readonly \
    -o eventrt main.go

# prepare runtime dependencies in a pinned alpine stage so they can be
# copied into scratch without pulling any vulnerable os packages at run time.
FROM alpine:3.21 AS certs
ARG USER_ID=1000
RUN apk --no-cache add ca-certificates tzdata && \
    adduser -D -u ${USER_ID} eventrt

FROM scratch
# CA certificates required for TLS connections (RabbitMQ amqps://)
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# timezone data
COPY --from=certs /usr/share/zoneinfo /usr/share/zoneinfo
# non-root user/group definitions
COPY --from=certs /etc/passwd /etc/passwd
COPY --from=certs /etc/group  /etc/group

WORKDIR /app
COPY --from=builder /app/eventrt ./eventrt

USER eventrt
CMD ["/app/eventrt", "-eventRT_config_dir=/app/configs"]
docs: expand eventRT image deploy guide and bump Go to 1.26 - add three-stage build table (builder/certs/runtime) to section 3.1 - add --build-arg USER_ID option for custom non-root UID - add method 2: load pre-built local image (e.g. eventrt:v1) into Minikube - add smoke test subsection 3.1.1 with size/inspect/run checks - bump base image from golang:1.25-alpine to golang:1.26-alpine - remove bundled config.example.yaml from image (config should be mounted at runtime) 2026-06-02 10:28:31 +08:00			`FROM golang:1.26-alpine AS builder`
feat: add Kubernetes deployment manifests and hardened Dockerfile - add multi-stage scratch-based Dockerfile with non-root user and mTLS cert support - add K8s Deployment, Service, ConfigMap, and Secret manifests with security hardening - bind MONGODB_PASSWORD and SERVICE_SECRET_KEY from environment variables via viper - restructure deploy/ directory and remove unused modelrt.cnf - bump Go version to 1.26.3 and add event-flow-analysis doc 2026-05-29 11:09:03 +08:00			`RUN apk --no-cache upgrade`

			`WORKDIR /app`
			`COPY go.mod go.sum ./`
			`RUN GOPROXY="https://goproxy.cn,direct" go mod download`
			`COPY . .`
			`RUN CGO_ENABLED=0 GOOS=linux go build \`
			`-ldflags="-s -w" \`
			`-trimpath \`
			`-mod=readonly \`
			`-o eventrt main.go`

docs: expand eventRT image deploy guide and bump Go to 1.26 - add three-stage build table (builder/certs/runtime) to section 3.1 - add --build-arg USER_ID option for custom non-root UID - add method 2: load pre-built local image (e.g. eventrt:v1) into Minikube - add smoke test subsection 3.1.1 with size/inspect/run checks - bump base image from golang:1.25-alpine to golang:1.26-alpine - remove bundled config.example.yaml from image (config should be mounted at runtime) 2026-06-02 10:28:31 +08:00			`# prepare runtime dependencies in a pinned alpine stage so they can be`
			`# copied into scratch without pulling any vulnerable os packages at run time.`
feat: add Kubernetes deployment manifests and hardened Dockerfile - add multi-stage scratch-based Dockerfile with non-root user and mTLS cert support - add K8s Deployment, Service, ConfigMap, and Secret manifests with security hardening - bind MONGODB_PASSWORD and SERVICE_SECRET_KEY from environment variables via viper - restructure deploy/ directory and remove unused modelrt.cnf - bump Go version to 1.26.3 and add event-flow-analysis doc 2026-05-29 11:09:03 +08:00			`FROM alpine:3.21 AS certs`
			`ARG USER_ID=1000`
			`RUN apk --no-cache add ca-certificates tzdata && \`
			`adduser -D -u ${USER_ID} eventrt`

			`FROM scratch`
			`# CA certificates required for TLS connections (RabbitMQ amqps://)`
			`COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/`
docs: expand eventRT image deploy guide and bump Go to 1.26 - add three-stage build table (builder/certs/runtime) to section 3.1 - add --build-arg USER_ID option for custom non-root UID - add method 2: load pre-built local image (e.g. eventrt:v1) into Minikube - add smoke test subsection 3.1.1 with size/inspect/run checks - bump base image from golang:1.25-alpine to golang:1.26-alpine - remove bundled config.example.yaml from image (config should be mounted at runtime) 2026-06-02 10:28:31 +08:00			`# timezone data`
feat: add Kubernetes deployment manifests and hardened Dockerfile - add multi-stage scratch-based Dockerfile with non-root user and mTLS cert support - add K8s Deployment, Service, ConfigMap, and Secret manifests with security hardening - bind MONGODB_PASSWORD and SERVICE_SECRET_KEY from environment variables via viper - restructure deploy/ directory and remove unused modelrt.cnf - bump Go version to 1.26.3 and add event-flow-analysis doc 2026-05-29 11:09:03 +08:00			`COPY --from=certs /usr/share/zoneinfo /usr/share/zoneinfo`
docs: expand eventRT image deploy guide and bump Go to 1.26 - add three-stage build table (builder/certs/runtime) to section 3.1 - add --build-arg USER_ID option for custom non-root UID - add method 2: load pre-built local image (e.g. eventrt:v1) into Minikube - add smoke test subsection 3.1.1 with size/inspect/run checks - bump base image from golang:1.25-alpine to golang:1.26-alpine - remove bundled config.example.yaml from image (config should be mounted at runtime) 2026-06-02 10:28:31 +08:00			`# non-root user/group definitions`
feat: add Kubernetes deployment manifests and hardened Dockerfile - add multi-stage scratch-based Dockerfile with non-root user and mTLS cert support - add K8s Deployment, Service, ConfigMap, and Secret manifests with security hardening - bind MONGODB_PASSWORD and SERVICE_SECRET_KEY from environment variables via viper - restructure deploy/ directory and remove unused modelrt.cnf - bump Go version to 1.26.3 and add event-flow-analysis doc 2026-05-29 11:09:03 +08:00			`COPY --from=certs /etc/passwd /etc/passwd`
			`COPY --from=certs /etc/group /etc/group`

			`WORKDIR /app`
			`COPY --from=builder /app/eventrt ./eventrt`

			`USER eventrt`
			`CMD ["/app/eventrt", "-eventRT_config_dir=/app/configs"]`