Dockerfile

# Copyright Sunbeam Studios 2026
# SPDX-License-Identifier: Apache-2.0

# ── Stage 1: build ──────────────────────────────────────────────
FROM rust:slim AS builder

ARG TARGETARCH

RUN apt-get update && apt-get install -y musl-tools curl cmake && rm -rf /var/lib/apt/lists/*

RUN case "${TARGETARCH}" in \
      "amd64") RUST_TARGET="x86_64-unknown-linux-musl" ;; \
      "arm64") RUST_TARGET="aarch64-unknown-linux-musl" ;; \
      *) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; \
    esac && \
    echo "${RUST_TARGET}" > /rust-target && \
    rustup target add "${RUST_TARGET}" && \
    mkdir -p /root/.cargo && \
    printf '[target.%s]\nlinker = "musl-gcc"\n' "${RUST_TARGET}" \
      >> /root/.cargo/config.toml

ENV RUSTFLAGS="-C target-feature=+crt-static"
WORKDIR /build

COPY Cargo.toml Cargo.lock ./
RUN mkdir -p src benches && \
    echo 'fn main() {}' > src/main.rs && \
    echo 'fn main() {}' > benches/scanner_bench.rs && \
    echo 'fn main() {}' > benches/ddos_bench.rs && \
    cargo build --release --target "$(cat /rust-target)" ; \
    rm -rf src benches

COPY src/ ./src/
COPY benches/ ./benches/
RUN touch src/main.rs && \
    cargo build --release --target "$(cat /rust-target)" && \
    cp "target/$(cat /rust-target)/release/sunbeam-proxy" /sunbeam-proxy

RUN case "${TARGETARCH}" in \
      "amd64") TINI_ARCH="amd64" ;; \
      "arm64") TINI_ARCH="arm64" ;; \
      *) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; \
    esac && \
    curl -fsSL -o /tini \
      "https://github.com/krallin/tini/releases/download/v0.19.0/tini-static-${TINI_ARCH}" && \
    chmod +x /tini

# ── Stage 2: distroless final ────────────────────────────────────
FROM cgr.dev/chainguard/static:latest

COPY --from=builder /tini                       /tini
COPY --from=builder /sunbeam-proxy              /usr/local/bin/sunbeam-proxy

EXPOSE 80 443

ENTRYPOINT ["/tini", "--", "/usr/local/bin/sunbeam-proxy"]
chore: add SPDX copyright headers and update license year Add `// Copyright Sunbeam Studios 2026` and `// SPDX-License-Identifier: Apache-2.0` headers to all source files missing them. Update LICENSE copyright year, Dockerfile copyright header, and .dockerignore for new project structure (lean4/, docs/, training artifacts). Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:21 +00:00			`# Copyright Sunbeam Studios 2026`
			`# SPDX-License-Identifier: Apache-2.0`

feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`# ── Stage 1: build ──────────────────────────────────────────────`
			`FROM rust:slim AS builder`

			`ARG TARGETARCH`

			`RUN apt-get update && apt-get install -y musl-tools curl cmake && rm -rf /var/lib/apt/lists/*`

			`RUN case "${TARGETARCH}" in \`
			`"amd64") RUST_TARGET="x86_64-unknown-linux-musl" ;; \`
			`"arm64") RUST_TARGET="aarch64-unknown-linux-musl" ;; \`
			`*) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; \`
			`esac && \`
			`echo "${RUST_TARGET}" > /rust-target && \`
			`rustup target add "${RUST_TARGET}" && \`
			`mkdir -p /root/.cargo && \`
			`printf '[target.%s]\nlinker = "musl-gcc"\n' "${RUST_TARGET}" \`
			`>> /root/.cargo/config.toml`

			`ENV RUSTFLAGS="-C target-feature=+crt-static"`
			`WORKDIR /build`

			`COPY Cargo.toml Cargo.lock ./`
fix(docker): copy benches/ directory for Cargo.toml manifest parsing Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:20 +00:00			`RUN mkdir -p src benches && \`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`echo 'fn main() {}' > src/main.rs && \`
fix(docker): copy benches/ directory for Cargo.toml manifest parsing Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:20 +00:00			`echo 'fn main() {}' > benches/scanner_bench.rs && \`
chore: add SPDX copyright headers and update license year Add `// Copyright Sunbeam Studios 2026` and `// SPDX-License-Identifier: Apache-2.0` headers to all source files missing them. Update LICENSE copyright year, Dockerfile copyright header, and .dockerignore for new project structure (lean4/, docs/, training artifacts). Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:21 +00:00			`echo 'fn main() {}' > benches/ddos_bench.rs && \`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`cargo build --release --target "$(cat /rust-target)" ; \`
fix(docker): copy benches/ directory for Cargo.toml manifest parsing Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:20 +00:00			`rm -rf src benches`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00
			`COPY src/ ./src/`
fix(docker): copy benches/ directory for Cargo.toml manifest parsing Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:20 +00:00			`COPY benches/ ./benches/`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`RUN touch src/main.rs && \`
			`cargo build --release --target "$(cat /rust-target)" && \`
			`cp "target/$(cat /rust-target)/release/sunbeam-proxy" /sunbeam-proxy`

			`RUN case "${TARGETARCH}" in \`
			`"amd64") TINI_ARCH="amd64" ;; \`
			`"arm64") TINI_ARCH="arm64" ;; \`
			`*) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; \`
			`esac && \`
			`curl -fsSL -o /tini \`
			`"https://github.com/krallin/tini/releases/download/v0.19.0/tini-static-${TINI_ARCH}" && \`
			`chmod +x /tini`

			`# ── Stage 2: distroless final ────────────────────────────────────`
			`FROM cgr.dev/chainguard/static:latest`

			`COPY --from=builder /tini /tini`
			`COPY --from=builder /sunbeam-proxy /usr/local/bin/sunbeam-proxy`

			`EXPOSE 80 443`

			`ENTRYPOINT ["/tini", "--", "/usr/local/bin/sunbeam-proxy"]`