From e9f70c622f5a0c2d1dde462f8ea44ef6e643fecb Mon Sep 17 00:00:00 2001
From: Eno Compton
Date: Wed, 12 Oct 2022 16:34:19 -0600
Subject: [PATCH] feat: add bullseye container (#147)
---
.build/bullseye.yaml | 59 +++++++++++++++++++++++++++++++++++++
.build/release_artifacts.sh | 3 +-
Dockerfile.bullseye | 39 ++++++++++++++++++++++++
README.md | 1 +
4 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 .build/bullseye.yaml
create mode 100644 Dockerfile.bullseye
diff --git a/.build/bullseye.yaml b/.build/bullseye.yaml
new file mode 100644
index 00000000..720ae5af
--- /dev/null
+++ b/.build/bullseye.yaml
@@ -0,0 +1,59 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+steps:
+- name: gcr.io/cloud-builders/docker
+ args:
+ - run
+ - '--privileged'
+ - 'linuxkit/binfmt:v0.7'
+ id: 'initialize-qemu'
+- name: gcr.io/cloud-builders/docker
+ args:
+ - buildx
+ - create
+ - '--name'
+ - multiarch-builder
+ id: 'create-builder'
+- name: gcr.io/cloud-builders/docker
+ args:
+ - buildx
+ - use
+ - multiarch-builder
+ id: 'select-builder'
+- name: gcr.io/cloud-builders/docker
+ args:
+ - buildx
+ - inspect
+ - '--bootstrap'
+ id: 'show-target-build-platforms'
+- name: 'gcr.io/cloud-builders/docker'
+ args:
+ - 'buildx'
+ - 'build'
+ - '--platform'
+ - $_DOCKER_BUILDX_PLATFORMS
+ - '--tag=gcr.io/$PROJECT_ID/gce-proxy:${_VERSION}-bullseye'
+ - '--tag=us.gcr.io/$PROJECT_ID/gce-proxy:${_VERSION}-bullseye'
+ - '--tag=eu.gcr.io/$PROJECT_ID/gce-proxy:${_VERSION}-bullseye'
+ - '--tag=asia.gcr.io/$PROJECT_ID/gce-proxy:${_VERSION}-bullseye'
+ - '-f=Dockerfile.bullseye'
+ - '--push'
+ - '.'
+ id: 'build-multi-architecture-container-image'
+options:
+ env:
+ - DOCKER_CLI_EXPERIMENTAL=enabled
+substitutions:
+ _DOCKER_BUILDX_PLATFORMS: 'linux/amd64,linux/arm64'
diff --git a/.build/release_artifacts.sh b/.build/release_artifacts.sh
index 2aa31827..2e80a876 100755
--- a/.build/release_artifacts.sh
+++ b/.build/release_artifacts.sh
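Review bot: The `initialize-qemu` step runs `linuxkit/binfmt:v0.7` with `--privileged`, and that third-party image is referenced only by a mutable tag, so a retagged image would execute with full privileges on the builder that later pushes the release images. Pin it by digest, e.g. `- 'linuxkit/binfmt:v0.7@sha256:<digest-of-reviewed-image>'` (placeholder; the digest is not in this patch). The `gcr.io/cloud-builders/docker` builder used by every step is also untagged. Separately, the four `--tag` values push to `gce-proxy` while Dockerfile.bullseye builds `alloydb-auth-proxy`; the other build configs are not part of this patch, so confirm that image name is intended.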
@@ -38,8 +38,9 @@ fi # Build and push the container images gcloud builds submit --async --config .build/default.yaml --substitutions _VERSION=$VERSION -gcloud builds submit --async --config .build/buster.yaml --substitutions _VERSION=$VERSION gcloud builds submit --async --config .build/alpine.yaml --substitutions _VERSION=$VERSION +gcloud builds submit --async --config .build/buster.yaml --substitutions _VERSION=$VERSION +gcloud builds submit --async --config .build/bullseye.yaml --substitutions _VERSION=$VERSION # Build the binarys and upload to GCS gcloud builds submit --config .build/gcs_upload.yaml --substitutions _VERSION=$VERSION diff --git a/Dockerfile.bullseye b/Dockerfile.bullseye new file mode 100644 index 00000000..7ed59d3f --- /dev/null +++ b/Dockerfile.bullseye 
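Review bot: The two added `gcloud builds submit` lines pass `_VERSION=$VERSION` unquoted, so a value containing whitespace or glob characters would be split by the shell before gcloud sees it; quoting it, `--substitutions "_VERSION=$VERSION"`, avoids that. Where VERSION is set and validated is outside this hunk. Because these submissions use `--async`, a failed bullseye build will not stop the script, so the `$VERSION-bullseye` tag listed in the README may be missing after a release unless the build result is checked elsewhere.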
@@ -0,0 +1,39 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use the latest stable golang 1.x to compile to a binary
+FROM --platform=$BUILDPLATFORM golang:1 as build
+
+WORKDIR /go/src/alloydb-auth-proxy
+COPY . .
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN go get ./...
+RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+ go build -ldflags "-X main.metadataString=container.bullseye"
+
+# Final stage
+FROM debian:bullseye
+RUN apt-get update && apt-get install -y ca-certificates
+# Install fuse and allow enable non-root users to mount
+RUN apt-get update && apt-get install -y fuse && sed -i 's/^#user_allow_other$/user_allow_other/g' /etc/fuse.conf
+# Add a non-root user matching the nonroot user from the main container
+RUN groupadd -g 65532 -r nonroot && useradd -u 65532 -g 65532 -r nonroot
+# Set the uid as an integer for compatibility with runAsNonRoot in Kubernetes
+USER 65532
+
+COPY --from=build --chown=nonroot /go/src/alloydb-auth-proxy/alloydb-auth-proxy /alloydb-auth-proxy
+ENTRYPOINT ["/alloydb-auth-proxy"]
diff --git a/README.md b/README.md
index bdd99720..5eeae546 100644
--- a/README.md
+++ b/README.md
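Review bot: The final `COPY --from=build --chown=nonroot` makes the proxy binary owned by the same account the container runs as (`USER 65532`), so the running process may be able to rewrite its own executable. Dropping `--chown` leaves the file root-owned and presumably still executable by the nonroot user: `COPY --from=build /go/src/alloydb-auth-proxy/alloydb-auth-proxy /alloydb-auth-proxy`. The two `apt-get install -y` lines also pull in recommended packages and leave the apt lists in the image; `--no-install-recommends` plus `rm -rf /var/lib/apt/lists/*` in the same `RUN` would keep the runtime image smaller. Both `FROM` lines use floating tags (`golang:1`, `debian:bullseye`), which the comment suggests is deliberate, but a digest pin would make release builds reproducible.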
@@ -138,6 +138,7 @@ currently supported: * `$VERSION-alpine` - uses [`alpine:3`](https://hub.docker.com/_/alpine) as a base image * `$VERSION-buster` - uses [`debian:buster`](https://hub.docker.com/_/debian) as +* `$VERSION-bullseye` - uses [`debian:bullseye`](https://hub.docker.com/_/debian) as a base image We recommend using the latest version of the proxy and updating the version