ory-am/hydra

View on GitHub
.docker/Dockerfile-hsm

Summary

Maintainability
Test Coverage
FROM golang:1.21 AS builder

WORKDIR /go/src/github.com/ory/hydra

RUN apt-get update && apt-get upgrade -y &&\
    mkdir -p /var/lib/sqlite &&\
    mkdir -p ./internal/httpclient

COPY go.mod go.sum ./
COPY internal/httpclient/go.* ./internal/httpclient

ENV GO111MODULE on
ENV CGO_ENABLED 1

RUN go mod download
COPY . .

###############################

FROM builder as build-hydra
RUN go build -tags sqlite,json1,hsm -o /usr/bin/hydra

###############################

FROM builder as test-hsm
ENV HSM_ENABLED=true
ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
ENV HSM_TOKEN_LABEL=hydra
ENV HSM_PIN=1234

RUN apt-get -y install softhsm opensc &&\
    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL" &&\
    go test -p 1 -v -failfast -short -tags=sqlite,hsm ./...

###############################

FROM gcr.io/distroless/base-nossl-debian12:debug-nonroot AS runner

ENV HSM_ENABLED=true
ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
ENV HSM_TOKEN_LABEL=hydra
ENV HSM_PIN=1234

RUN apt-get -y install softhsm opensc &&\
    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"

RUN addgroup -S ory; \
    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
    chown -R ory:ory /home/ory; \
    chown -R ory:ory /var/lib/softhsm/tokens

COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra

# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
# is required for read/write of SQLite.
RUN mkdir -p /var/lib/sqlite && \
    chown ory:ory /var/lib/sqlite

VOLUME /var/lib/sqlite

# Exposing the ory home directory
VOLUME /home/ory

# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
EXPOSE 4444 4445

USER ory

ENTRYPOINT ["hydra"]
CMD ["serve"]