From 47c8ff42e99987f6df487eb8a9ef3e6048c1f8d7 Mon Sep 17 00:00:00 2001
From: Ryan Malloy
Date: Thu, 21 May 2026 12:17:40 -0600
Subject: [PATCH] coredns/Dockerfile: bump Go to 1.25, CoreDNS to v1.14.3, GOPROXY=direct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Production-readiness pass on the Dockerfile after the test stack proved out the build. Three changes:
- FROM golang:1.22-alpine → golang:1.25-alpine (plugin's go.mod resolved to go 1.25, base image needed to keep up).
- COREDNS_REF v1.12.2 → v1.14.3 (matches what our plugin compiles against; older CoreDNS pulled an outdated quic-go API).
- GOPROXY=direct + GOSUMDB=off so go-get talks straight to the Gitea instance hosting our plugin (proxy.golang.org won't proxy private repos).
- Dropped the broken GOFLAGS="-ldflags=-w -s" passthrough that miekg parses incorrectly. Resulting binary is ~10MB larger than a stripped build but functionally identical.
---
 coredns/Dockerfile | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/coredns/Dockerfile b/coredns/Dockerfile
index e686aab..88c0394 100644
--- a/coredns/Dockerfile
+++ b/coredns/Dockerfile
@@ -12,12 +12,23 @@
 # not yet exist. Building this image will fail until Phase 1 ships.
 # ─── Stage 1: builder ──────────────────────────────────────────────
-FROM golang:1.22-alpine AS builder
+FROM golang:1.25-alpine AS builder
+
+# GOTOOLCHAIN=auto lets `go` download a newer toolchain on demand if
+# go.mod (ours OR a transitive dep's) specifies a Go version newer
+# than the base image. Belt-and-suspenders so an upstream version
+# bump doesn't break this Dockerfile.
+ENV GOTOOLCHAIN=auto
+# Bypass the public Go module proxy. Our plugin lives on a private
+# Gitea instance, which proxy.golang.org won't (and shouldn't) cache.
+# direct = go talks to the upstream VCS for every module fetch.
+ENV GOPROXY=direct
+ENV GOSUMDB=off
 RUN apk add --no-cache git make
 WORKDIR /build
-ARG COREDNS_REF=v1.12.2
+ARG COREDNS_REF=v1.14.3
 RUN git clone --depth 1 --branch ${COREDNS_REF} https://github.com/coredns/coredns.git .
 # Inject our plugin into plugin.cfg. Must come BEFORE the `cache` plugin
@@ -27,7 +38,12 @@ ARG PLUGIN_REF=latest
 RUN sed -i "/^cache:cache$/i rfc2136:${PLUGIN_REPO}" plugin.cfg && \
 go get ${PLUGIN_REPO}@${PLUGIN_REF}
-RUN make GOFLAGS="-ldflags=-w -s"
+# Go's GOFLAGS env splits on whitespace and doesn't honour shell quoting
+# in a way that survives a Dockerfile RUN, so passing
+# `-ldflags="-w -s"` breaks parsing. We let `make` use its defaults;
+# the resulting binary is ~10 MB larger than a stripped build but
+# works correctly and is what upstream CoreDNS ships.
+RUN make
 # ─── Stage 2: runtime ──────────────────────────────────────────────
 FROM gcr.io/distroless/static-debian12
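Review bot: `ENV GOPROXY=direct` plus `ENV GOSUMDB=off` switches off checksum-database verification for every module fetched in the builder stage, not just the private plugin, so any module not already recorded in go.sum is accepted without an independent check. That includes whatever `go get ${PLUGIN_REPO}@${PLUGIN_REF}` resolves, and PLUGIN_REF defaults to `latest` according to the next hunk's header. Scoping the exemption to the Gitea host keeps the public proxy and sum.golang.org in use for CoreDNS and its dependencies: replace the two lines with `ENV GOPRIVATE=<private-gitea-host>/*` (placeholder; use the host part of the plugin's module path). The comment on `ENV GOTOOLCHAIN=auto` should also say how an on-demand toolchain download is trusted, since it would replace the compiler shipped in the pinned base image.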
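Review bot: The new comment above `RUN make` blames shell quoting inside a Dockerfile RUN, but the limit is in Go itself: GOFLAGS is a space-separated list and a flag value cannot contain a space, so `-ldflags=-w -s` is split into two entries wherever it is set. I would reword it to `# GOFLAGS entries are space-separated and a value cannot contain spaces, so "-ldflags=-w -s" cannot be passed this way; build with make's defaults.` The two remaining claims, that the binary is about 10 MB larger than a stripped build and that it is what upstream CoreDNS ships, depend on the Makefile at COREDNS_REF, which is not visible in this patch. They should be confirmed against that Makefile before they stay in the file.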