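# syntax=docker/dockerfile:1
# Multi-stage build for OTel Collector with Alpine base
# Stage 1: Extract binary from official distroless image
# SECURITY: Pinned to 0.118.0 with immutable digest (CVE review: 2026-02-13)
# Digest source: Docker Hub manifest for linux/amd64 platform
# Verified: 2026-02-13 via `docker manifest inspect otel/opentelemetry-collector-contrib:0.118.0`
# PLATFORM: Explicitly set to linux/amd64 to match digest; for arm64 builds, use platform-specific digest
FROM --platform=linux/amd64 otel/opentelemetry-collector-contrib:0.118.0@sha256:355f747b76c723036055d027e95326fbba76c345c190c17389b2451ad15ffd16 AS binary

# Stage 2: Build final image with Alpine base (provides wget, shell, ca-certificates)
# SECURITY: Pinned to Alpine 3.19.1 with immutable digest for supply-chain integrity
FROM alpine:3.19.1@sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0

# Install required packages for healthchecks and HTTPS
# NOTE(review): package versions are unpinned (hadolint DL3018). The base digest does not
# freeze the apk index, so pin `pkg=ver` here once the 3.19 repository versions are confirmed.
RUN apk --no-cache add \
    ca-certificates \
    wget

# Create non-root user and group with a fixed numeric UID/GID. A stable id lets
# runtimes that enforce runAsNonRoot (e.g. Kubernetes) verify the user without
# resolving names, and keeps volume ownership predictable across rebuilds.
ARG OTELCOL_UID=10001
ARG OTELCOL_GID=10001
RUN addgroup -S -g "${OTELCOL_GID}" otelcol && \
    adduser -S -G otelcol -u "${OTELCOL_UID}" otelcol

# Copy OTel Collector binary from official image. Setting the mode during COPY
# avoids a second layer that would duplicate the whole binary just to flip +x.
COPY --from=binary --chmod=0755 /otelcol-contrib /usr/local/bin/otelcol-contrib

# Create the config directory and the writable state/scratch directories.
# Only the state directories are owned by the runtime user; /etc/otelcol-contrib stays
# root-owned so a compromised collector process cannot rewrite its own configuration.
RUN mkdir -p /etc/otelcol-contrib /var/lib/otelcol /tmp/otelcol && \
    chown otelcol:otelcol /var/lib/otelcol /tmp/otelcol

# Copy default config file (can be overridden by volume mount).
# root-owned and group-readable: otelcol can read it but not modify it.
COPY --chown=root:otelcol --chmod=0640 config/otel-collector-config.yaml /etc/otelcol-contrib/config.yaml

# Switch to non-root user. A numeric USER is required for runAsNonRoot checks; a
# name-based USER cannot be verified from the image config alone.
USER ${OTELCOL_UID}:${OTELCOL_GID}

# Expose required ports (documentation only; both are >1024 so the non-root user can bind)
# OTLP HTTP receiver
EXPOSE 4318
# Health check extension
EXPOSE 13133

# Liveness probe against the health_check extension, using the wget installed above.
# Assumes the config enables the extension on 13133 (the port EXPOSEd above) —
# confirm against config/otel-collector-config.yaml, and override the probe at
# deploy time if the endpoint differs.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD wget --quiet --tries=1 --spider http://localhost:13133/ || exit 1

# Set entrypoint by absolute path so startup does not depend on PATH at runtime
ENTRYPOINT ["/usr/local/bin/otelcol-contrib"]

# Default command: load config from standard location
CMD ["--config", "/etc/otelcol-contrib/config.yaml"]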
