fix(): critical vuln fixes, optimise multi arch build (#457)

* fix(): Optimise multi arch builds

Signed-off-by: gourishkb <gourish@aveshasystems.com>

* fix(): critical vuln issues

Signed-off-by: gourishkb <gourish@aveshasystems.com>

---------

Signed-off-by: gourishkb <gourish@aveshasystems.com>

Author: gourishkb

Dockerfile

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 ##########################################################
 #Dockerfile
 #Copyright (c) 2022 Avesha, Inc. All rights reserved.
@@ -16,31 +17,32 @@
 #See the License for the specific language governing permissions and
 #limitations under the License.
 ##########################################################
-
-# Build the manager binary
-FROM golang:1.24 AS builder
-
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-ADD vendor vendor
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-#RUN echo "[url \"git@bitbucket.org:\"]\n\tinsteadOf = https://bitbucket.org/" >> /root/.gitconfig
-
+FROM --platform=$BUILDPLATFORM golang:1.24 AS builder
+LABEL maintainer="Avesha Systems"
 ARG TARGETOS
-ARG TARGETPLATFORM
 ARG TARGETARCH
+ARG BUILDPLATFORM
+WORKDIR /workspace
+
+# Copy the Go Modules manifests first for better layer caching
+COPY go.mod go.sum ./
+# Copy vendor directory (required for -mod=vendor build)
+COPY vendor vendor/
 
 # Copy the go source
-COPY main.go main.go
+COPY main.go ./
 COPY api/ api/
 COPY controllers/ controllers/
 COPY pkg/ pkg/
 COPY events/ events/
-# Build
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on go build -mod=vendor -a -o manager main.go
+
+# Cross-compile with optimizations and caching
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    CGO_ENABLED=0 \
+    GOOS=${TARGETOS:-linux} \
+    GOARCH=${TARGETARCH} \
+    go build -mod=vendor -ldflags="-w -s" -trimpath -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details

Makefile

@@ -114,14 +114,15 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
 .PHONY: docker-build
-docker-build: ## Build docker image with the manager.
-	docker buildx create --name container --driver=docker-container || true
-	docker build --builder container --platform linux/amd64,linux/arm64 -t ${IMG} .
+docker-build: ## Build docker image with the manager (multi-arch, requires --push to create manifest list).
+	docker buildx create --name container --driver=docker-container --use || docker buildx use container || true
+	docker buildx build --builder container --platform linux/amd64,linux/arm64 -t ${IMG} .
 
 .PHONY: docker-push
-docker-push: ## Push docker image with the manager.
-	docker buildx create --name container --driver=docker-container || true
-	docker build --push --builder container --platform linux/amd64,linux/arm64 -t ${IMG} .
+docker-push: ## Build and push docker image with the manager (multi-arch manifest list).
+	@echo "Note: BuildKit requires network access to verify image manifests. If offline, images must be pre-pulled."
+	docker buildx create --name container --driver=docker-container --use || docker buildx use container || true
+	docker buildx build --push --builder container --platform linux/amd64,linux/arm64 -t ${IMG} .
 
 ##@ Deployment
 

go.mod

@@ -2,6 +2,8 @@ module github.com/kubeslice/worker-operator
 
 go 1.24.0
 
+toolchain go1.24.11
+
 // replace github.com/kubeslice/apis => ../../misc/apis
 
 require (