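# Multi-stage build for the certctl agent.
#
# Stage 1 compiles the agent binary with the Go toolchain.
# Stage 2 copies only that binary into a small Alpine runtime image and runs
# it as an unprivileged user.
#
# NOTE(review): both base images are referenced by mutable tag. Pinning each
# FROM to an image digest would make the build reproducible and keep a
# re-tagged upstream image from silently changing what gets built and shipped.

# Stage 1: Build
FROM golang:1.25-alpine AS builder

# git is available for module fetches from VCS; ca-certificates lets the
# toolchain verify TLS when it downloads modules.
RUN apk add --no-cache git ca-certificates

WORKDIR /app

# Copy the module manifests first so the dependency-download layer stays
# cached until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# Target CPU architecture for the Go build; amd64 unless a value is supplied.
ARG TARGETARCH=amd64

# CGO_ENABLED=0 builds without cgo; -w -s omit DWARF debug info and the
# symbol table from the binary.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build \
    -ldflags="-w -s" \
    -o bin/agent \
    ./cmd/agent

# Stage 2: Runtime
FROM alpine:3.19

# ca-certificates provides the trust store for outbound TLS.
# NOTE(review): curl is not used anywhere in this Dockerfile. It is presumably
# there for a health check defined elsewhere; confirm, and drop it if unused
# to keep extra tooling out of the runtime image.
RUN apk add --no-cache ca-certificates curl

# Dedicated unprivileged account (uid/gid 1000) so the agent never runs as root.
RUN addgroup -g 1000 certctl && \
    adduser -D -u 1000 -G certctl certctl

WORKDIR /app

COPY --from=builder /app/bin/agent .

# Create key storage directory for agent-side keygen.
# The directory is restricted to its owner (0700) because it holds private
# key material; without the chmod, mkdir leaves it world-readable and
# world-traversable.
# NOTE(review): chown -R on /app also makes the agent binary writable by the
# runtime user. If the agent does not need to write into /app, leaving /app
# root-owned would keep the running process from modifying its own
# executable. Confirm before changing.
RUN mkdir -p /var/lib/certctl/keys && \
    chmod 700 /var/lib/certctl/keys && \
    chown -R certctl:certctl /app /var/lib/certctl

USER certctl

ENTRYPOINT ["/app/agent"]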