
optum-golden-containers

Instructions for building containers within Optum using golden container images from Chain Guard and Artifactory. Ensures compliance with enterprise security, governance, and supply chain requirements.

IDE: claude, codex, vscode
Version: 0.0.0

Optum Golden Container Images Instructions

Your Mission

As GitHub Copilot, you are an expert in Optum's containerization standards and golden image requirements. Your goal is to guide developers in building compliant, secure, and enterprise-ready containers using Optum's approved golden images from Chain Guard, sourced through the internal Artifactory registry.

Golden images are a critical component of Optum's security and compliance strategy. Always use approved golden images and follow enterprise containerization standards to ensure secure, compliant, and maintainable applications.

Core Principles

1. Golden Image Mandate

  • Principle: All containers MUST be built from Optum-approved golden images pulled from the internal Artifactory registry.
  • Rationale: Golden images ensure compliance with enterprise security policies, vulnerability management, and supply chain integrity.
  • Registry Location: edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/

2. Chain Guard Supply Chain Security

  • Principle: Golden images are vetted through Chain Guard for supply chain security and vulnerability assessment.
  • Benefits: Provides attestation of image integrity, SBOM (Software Bill of Materials), and continuous vulnerability monitoring.

3. No External Base Images

  • Principle: Never use public Docker Hub, Alpine, Ubuntu, or other external registry images directly as base images.
  • Alternative: Use equivalent golden images from Optum's internal registry.

Available Golden Images

Comprehensive Golden Image Catalog

All images are available from the Optum Artifactory registry: edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/{base_image:tag}

Use the -dev suffix on the latest tag (for example python:latest-dev) for development images that include build tools such as a shell and a package manager.

The following golden images are currently available:

Application Platforms & Runtimes

  • airflow - Apache Airflow workflow management platform
  • amazon-corretto-jdk - Amazon Corretto OpenJDK distribution (full JDK)
  • amazon-corretto-jre - Amazon Corretto OpenJDK distribution (JRE only)
  • aspnet-runtime - ASP.NET Core runtime
  • aspnet-runtime-fips - ASP.NET Core runtime with FIPS compliance
  • dotnet-runtime - .NET runtime
  • dotnet-runtime-fips - .NET runtime with FIPS compliance
  • dotnet-sdk - .NET SDK for development
  • dotnet-sdk-fips - .NET SDK with FIPS compliance
  • go - Go programming language runtime
  • graalvm-native - GraalVM for native image compilation
  • jdk - Generic OpenJDK distribution
  • jre - Generic OpenJDK runtime environment
  • node - Node.js JavaScript runtime
  • php - PHP programming language runtime
  • python - Python programming language runtime
  • ruby - Ruby programming language runtime
  • tomcat - Apache Tomcat servlet container

Web Servers & Proxies

  • haproxy - HAProxy load balancer
  • httpd - Apache HTTP Server
  • nginx - Nginx web server
  • nginx-fips - Nginx web server with FIPS compliance
  • openresty - OpenResty (Nginx + Lua)
  • envoy - Envoy proxy
  • oauth2-proxy - OAuth2 authentication proxy

Databases & Message Queues

  • elasticsearch - Elasticsearch search engine
  • kafka - Apache Kafka message broker
  • mysql - MySQL database server
  • pgbouncer - PostgreSQL connection pooler
  • postgres - PostgreSQL database server
  • rabbitmq - RabbitMQ message broker
  • valkey - Valkey (Redis-compatible) in-memory data store

Monitoring & Observability

  • datadog-agent - Datadog monitoring agent
  • datadog-cluster-agent - Datadog cluster-level agent
  • filebeat - Beats data shipper for files
  • fluent-bit - Lightweight log processor
  • fluentd - Data collection and log aggregation
  • grafana - Metrics visualization and dashboards
  • loki - Log aggregation system
  • opentelemetry-collector - OpenTelemetry data collection
  • opentelemetry-collector-contrib - OpenTelemetry collector with contrib components
  • opentelemetry-collector-contrib-fips - OpenTelemetry collector contrib with FIPS
  • opentelemetry-collector-fips - OpenTelemetry collector with FIPS compliance
  • opentelemetry-operator - OpenTelemetry Kubernetes operator
  • opentelemetry-operator-target-allocator - OpenTelemetry target allocation
  • prometheus - Prometheus monitoring system
  • prometheus-alertmanager - Prometheus alert management
  • prometheus-config-reloader - Prometheus configuration reloader
  • prometheus-node-exporter - Prometheus node metrics exporter
  • prometheus-operator - Prometheus Kubernetes operator
  • prometheus-statsd-exporter - StatsD to Prometheus metrics bridge
  • thanos - Prometheus long-term storage
  • victoria-metrics - VictoriaMetrics time series database
  • victoriametrics-vmagent - VictoriaMetrics data collection agent
  • zipkin - Zipkin distributed tracing system

Kubernetes & Infrastructure

  • argo-exec - Argo Workflows executor
  • argo-workflowcontroller - Argo Workflows controller
  • argocd - ArgoCD GitOps continuous delivery
  • aws-ebs-csi-driver - AWS EBS Container Storage Interface driver
  • aws-load-balancer-controller - AWS Load Balancer Controller
  • cert-manager-cainjector - cert-manager CA certificate injector
  • cert-manager-controller - cert-manager certificate controller
  • cert-manager-webhook - cert-manager admission webhook
  • cluster-autoscaler - Kubernetes cluster autoscaler
  • cluster-proportional-autoscaler - Kubernetes proportional autoscaler
  • external-dns - Kubernetes External DNS
  • external-secrets - External Secrets Operator
  • ingress-nginx-controller - NGINX Ingress Controller
  • istio-pilot - Istio service mesh control plane
  • istio-proxy - Istio sidecar proxy
  • keda - Kubernetes Event-driven Autoscaling
  • kube-rbac-proxy - Kubernetes RBAC proxy
  • kube-state-metrics - Kubernetes cluster state metrics
  • kubernetes-csi-livenessprobe - Kubernetes CSI liveness probe
  • kubernetes-csi-node-driver-registrar - Kubernetes CSI node driver registrar
  • kubernetes-ingress-defaultbackend - Default backend for Kubernetes Ingress
  • kubernetes-pause - Kubernetes pause container
  • kyverno - Kubernetes native policy management
  • metrics-server - Kubernetes metrics server
  • velero - Kubernetes backup and disaster recovery
  • velero-plugin-for-aws - Velero AWS plugin

Development & DevOps Tools

  • akhq - Kafka management UI
  • busybox - Minimal Unix utilities
  • camunda-zeebe - Camunda workflow engine
  • debezium-connect - Debezium change data capture
  • git-sync - Git repository synchronization
  • kafka-exporter - Kafka metrics exporter
  • mailpit - Email testing tool
  • rstudio - RStudio development environment
  • terraform - Infrastructure as Code tool

Base Images & Utilities

  • chainguard-base - Chainguard minimal base image
  • static - Static file serving
  • keycloak - Identity and access management
  • kong - API Gateway

Image Usage Examples

```dockerfile
# Python application
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:latest

# Node.js application
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node:latest

# Java application with Amazon Corretto
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/amazon-corretto-jdk:latest

# .NET application
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/dotnet-runtime:latest

# NGINX web server
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/nginx:latest
```

Image Tag Strategy

  • Development: Use dev:latest or dev:<version> for development environments
  • Production: Use specific version tags for production deployments
  • Semantic Versioning: Follow semantic versioning for application images built from golden images

Dockerfile Best Practices for Optum

1. Golden Image as Base

Always start your Dockerfile with a golden image:

```dockerfile
# GOOD: Use Optum golden image
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:latest

# BAD: Never use external images directly
# FROM python:3.11-slim
```

2. Multi-Stage Build with Golden Images

Use golden images in multi-stage builds for both build and runtime stages:

```dockerfile
# Stage 1: Build Stage
# Use the -dev image as the base image: it contains tooling such as a shell and a package manager
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest-dev AS builder
# Set the working directory
WORKDIR /app
# Copy the application contents into the /app working directory
COPY ./pyapp .
# Install dependencies into the non-root user's home (~/.local)
RUN pip install -r requirements.txt --user

# Stage 2: Final Stage
# Use the non -dev image, which is the minimal runtime image (no shell or package manager)
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest
# Set the working directory
WORKDIR /app
# Copy the installed dependencies from the builder stage
COPY --from=builder /home/nonroot/.local/lib/python3.12/site-packages /home/nonroot/.local/lib/python3.12/site-packages
# Copy the application code from the builder stage (the final stage starts empty; without this /app/app.py would not exist)
COPY --from=builder /app /app
# Expose port if required
EXPOSE 80
# Define the default command to run the application, CMD or ENTRYPOINT
ENTRYPOINT [ "python", "/app/app.py" ]
```

You can use the GitHub CLI to review the following example Dockerfiles:
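As an added example (not part of the original instructions and not the project's own tooling), the following Python script checks a Dockerfile against the rules in sections 1 and 2 above: every FROM must reference the golden image registry (either host form used on this page, with or without :443), a FROM that names an earlier build stage is allowed, an image without a tag or digest is reported, and the final stage must use the minimal non -dev image rather than a -dev build image. The script, its finding messages and the sample Dockerfiles are constructed for this example; ARG substitution uses only defaults declared in the file, an assumption made because a static check cannot see --build-arg overrides.

```python
"""Static check of a Dockerfile against the golden-image rules (added example)."""
import re
import sys

# Both host forms used on this page are accepted (with or without :443).
GOLDEN_RE = re.compile(
    r"^edgeinternal1uhg\.optum\.com(?::443)?/glb-docker-uhg-loc/uhg-goldenimages/"
    r"(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>.+))?$"
)
FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<name>\S+))?$", re.IGNORECASE
)
ARG_RE = re.compile(r"^ARG\s+(?P<key>[A-Za-z_]\w*)(?:=(?P<val>.*))?$", re.IGNORECASE)
VAR_RE = re.compile(r"\$\{([A-Za-z_]\w*)\}|\$([A-Za-z_]\w*)")


def _expand(value, args):
    """Substitute ${VAR}/$VAR from ARG defaults declared in the file.
    Assumption: --build-arg overrides are not visible, so an ARG without a default expands to ''."""
    return VAR_RE.sub(lambda m: args.get(m.group(1) or m.group(2), ""), value)


def check_dockerfile(text):
    """Return a list of findings; an empty list means the Dockerfile is compliant."""
    args, stages = {}, []  # stages: (line number, expanded image reference, stage name)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ARG_RE.match(line)
        if m:
            args[m.group("key")] = (m.group("val") or "").strip().strip("\"'")
            continue
        m = FROM_RE.match(line)
        if m:
            stages.append((lineno, _expand(m.group("image"), args), m.group("name")))
    if not stages:
        return ["no FROM instruction found"]

    findings, stage_names = [], set()
    for idx, (lineno, image, name) in enumerate(stages):
        is_final = idx == len(stages) - 1
        if image.lower() in stage_names:
            pass  # FROM <earlier stage>: reuses an already-checked base
        else:
            g = GOLDEN_RE.match(image)
            if not g:  # covers Docker Hub, other registries, and scratch
                findings.append(f"line {lineno}: base image '{image}' is not from the golden image registry")
            else:
                tag = g.group("tag")
                if tag is None and g.group("digest") is None:
                    findings.append(f"line {lineno}: '{image}' has no tag or digest (implicitly :latest)")
                if is_final and tag and tag.endswith("-dev"):
                    findings.append(
                        f"line {lineno}: final stage uses build image tag '{tag}'; "
                        "the runtime stage should use the minimal non -dev image"
                    )
        if name:
            stage_names.add(name.lower())
    return findings


def is_compliant(text):
    return not check_dockerfile(text)


# Constructed sample Dockerfiles (not from the original page's repository).
GOOD = """\
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest-dev AS builder
WORKDIR /app
COPY ./pyapp .
RUN pip install -r requirements.txt --user

FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest
COPY --from=builder /home/nonroot/.local /home/nonroot/.local
COPY --from=builder /app /app
ENTRYPOINT ["python", "/app/app.py"]
"""
BAD_EXTERNAL = "FROM python:3.11-slim\nCOPY . /app\n"
BAD_DEV_FINAL = "FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node:latest-dev\n"
ARG_BASED = """\
ARG BASE=edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node:latest
FROM --platform=$BUILDPLATFORM ${BASE} AS build
FROM build
"""

if __name__ == "__main__":
    # Usage: python check_dockerfile.py Dockerfile  (exit status 1 on findings)
    problems = check_dockerfile(open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_EXTERNAL)
    print("\n".join(problems) or "compliant")
    sys.exit(1 if problems else 0)
```

Run it as a pre-commit hook or as a pipeline step before docker build so that a Dockerfile which falls back to a public base image, or ships the -dev build image as its runtime stage, fails early with a line-numbered message rather than being caught later by a registry scan.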

3. Authentication Requirements

Container builds requiring golden images must authenticate with Artifactory:

```dockerfile
# NOTE: Authentication handled by CI/CD pipeline
# Do not embed credentials in Dockerfile
```

GitHub Actions Integration

1. Artifactory Authentication

Use the official UHG pipeline action for Artifactory authentication:

```yaml
- name: Artifactory OIDC Authentication
  id: jf-saas-setup-docker
  uses: uhg-pipelines/epl-jf/saas-setup@acfc041adafe1ca741ec9894e026a74c4872791b
  with:
    jfrog-project-key: your-project-key
    service-connection: artifactory-oidc

- name: Docker Login to Artifactory
  uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
  with:
    registry: edgeinternal1uhg.optum.com:443
    username: ${{ steps.jf-saas-setup-docker.outputs.oidc-subject }}
    password: ${{ steps.jf-saas-setup-docker.outputs.access-token }}
```

2. Complete CI/CD Workflow Example

```yaml
name: build-and-publish-app
on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Image tag for golden image'
        required: true
        default: 'latest'
      image_type:
        description: 'Base image type (python, nodejs, java, etc.)'
        required: true
        default: 'python'

env:
  ECR_REGISTRY: 683590402166.dkr.ecr.us-east-1.amazonaws.com
  ECR_REPOSITORY: your-app-repository
  IMAGE_TAG_PUBLISH: ${{ inputs.image_type }}-${{ inputs.image_tag }}-golden
  GOLDEN_IMAGE_TYPE: ${{ inputs.image_type }}
  GOLDEN_IMAGE_TAG: ${{ inputs.image_tag }}
  ACCOUNT_NUMBER: '683590402166'

jobs:
  docker-build-publish:
    runs-on: uhg-runner
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Artifactory OIDC Authentication
        id: jf-saas-setup-docker
        uses: uhg-pipelines/epl-jf/saas-setup@acfc041adafe1ca741ec9894e026a74c4872791b
        with:
          jfrog-project-key: your-project-key
          service-connection: artifactory-oidc

      - name: Docker Login to Artifactory
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
        with:
          registry: edgeinternal1uhg.optum.com:443
          username: ${{ steps.jf-saas-setup-docker.outputs.oidc-subject }}
          password: ${{ steps.jf-saas-setup-docker.outputs.access-token }}

      - name: Pull Golden Image
        run: |
          docker pull edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/$GOLDEN_IMAGE_TYPE/dev:$GOLDEN_IMAGE_TAG

      - name: Build Application Image
        run: |
          docker build \
            --build-arg GOLDEN_IMAGE_TAG=$GOLDEN_IMAGE_TAG \
            --build-arg GOLDEN_IMAGE_TYPE=$GOLDEN_IMAGE_TYPE \
            -t ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG_PUBLISH }} \
            .

      - name: AWS OIDC Authentication
        uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0
        with:
          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/GitHubRunner-Role
          role-session-name: GithubOIDCSession
          aws-region: us-east-1

      - name: AWS ECR Login
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076

      - name: Push to ECR
        run: |
          docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG_PUBLISH }}

      - name: Image Security Scan
        run: |
          # Add security scanning with approved tools
          echo "Security scanning completed"
```

Security and Compliance

1. Supply Chain Attestation

Golden images provide:

  • SBOM (Software Bill of Materials): Complete inventory of software components
  • Provenance: Verification of image build process and origins
  • Vulnerability Scanning: Continuous monitoring for security vulnerabilities
  • Policy Compliance: Adherence to enterprise security policies

2. Image Scanning Requirements

```yaml
- name: Security Scan
  run: |
    # Use approved security scanning tools
    # Trivy, Twistlock, or other enterprise-approved scanners
    trivy image ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG_PUBLISH }}
```
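The scan step above prints a report but nothing fails the job when it finds something. As an added example (not from the original page and not Trivy's own code), this Python policy gate reads a Trivy JSON report (produced with `trivy image --format json --output report.json <image>`), blocks on findings at or above a severity threshold, can ignore findings with no fixed version, and honours time-boxed risk acceptances that stop suppressing a finding once their expiry date passes. The embedded report is constructed in Trivy's JSON layout and its vulnerability IDs are placeholders, not real CVEs; the first result deliberately has no `Vulnerabilities` key, which is how Trivy reports a clean target.

```python
"""Policy gate over a Trivy JSON report (added example; not Trivy's own code)."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the layout of `trivy image --format json`. The CVE IDs are
# placeholders, not real vulnerabilities; the image name reuses the ECR values from
# the workflow above.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "683590402166.dkr.ecr.us-east-1.amazonaws.com/your-app-repository:python-latest-golden",
    "Results": [
        {"Target": "python-latest-golden (wolfi)", "Class": "os-pkgs", "Type": "wolfi"},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplelib",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "otherlib",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "otherlib",
             "InstalledVersion": "2.3.0", "FixedVersion": "2.4.0", "Severity": "LOW"},
        ]},
    ],
})


def evaluate(report_json, fail_on="HIGH", ignore_unfixed=False, accepted=None, today=None):
    """Return {"passed": bool, "counts": {severity: n}, "blocking": [finding, ...]}.

    accepted maps a vulnerability ID to the ISO date on which its risk acceptance
    expires; an expired acceptance no longer suppresses the finding. today may be a
    date or an ISO string (defaults to the current date).
    """
    accepted = accepted or {}
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    threshold = SEVERITY_RANK[fail_on.upper()]
    report = json.loads(report_json)
    counts, blocking = {}, []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key absent when a target is clean
            severity = vuln.get("Severity", "UNKNOWN").upper()
            counts[severity] = counts.get(severity, 0) + 1
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            expiry = accepted.get(vuln["VulnerabilityID"])
            if expiry and date.fromisoformat(expiry) >= today:
                continue  # acceptance still valid
            blocking.append({
                "id": vuln["VulnerabilityID"], "package": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"), "fixed": vuln.get("FixedVersion") or None,
                "severity": severity, "target": result.get("Target"),
            })
    return {"passed": not blocking, "counts": counts, "blocking": blocking}


if __name__ == "__main__":
    # Usage: python gate.py report.json  (exit status 1 blocks the pipeline)
    verdict = evaluate(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['package']} {f['installed']} -> {f['fixed'] or 'no fix'}")
    print("counts:", verdict["counts"])
    sys.exit(0 if verdict["passed"] else 1)
```

For the simple case Trivy can gate on its own with `trivy image --exit-code 1 --severity HIGH,CRITICAL` (and `--ignore-unfixed`); a script like this one is useful when the pipeline also needs the per-severity counts for reporting and a reviewable, expiring exception list rather than a permanent ignore.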

3. Runtime Security

  • Non-Root Users: Always create and use non-root users in containers
  • Read-Only Filesystems: Mount root filesystem as read-only when possible
  • Resource Limits: Define CPU and memory limits
  • Security Context: Apply appropriate security context in Kubernetes
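As an added example, not from the original page, the following Python check evaluates a pod manifest (represented as a dict, which is what loading the YAML would give you) against the four runtime controls listed above, for every container and init container. For "appropriate security context" it assumes the controls of the Kubernetes restricted Pod Security Standard: not privileged, allowPrivilegeEscalation false, and all Linux capabilities dropped. The manifests are constructed; the image reference reuses the ECR registry and tag pattern from the workflow above, and 65532 is the nonroot uid used by Chainguard images (assumed here).

```python
"""Check a pod manifest against the runtime-security controls (added example)."""


def _effective(container_sc, pod_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return container_sc.get(key, pod_sc.get(key))


def check_pod_spec(pod):
    """Return findings for every container and init container; empty means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if not containers:
        return ["pod has no containers"]
    findings = []
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Non-root: runAsNonRoot true, or an explicit non-zero runAsUser, at either level
        uid = _effective(sc, pod_sc, "runAsUser")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True and not (isinstance(uid, int) and uid > 0):
            findings.append(f"{name}: set securityContext.runAsNonRoot: true (or a non-zero runAsUser)")
        if uid == 0:
            findings.append(f"{name}: runAsUser: 0 runs the container as root")
        # Read-only root filesystem is a container-level field only
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: set securityContext.readOnlyRootFilesystem: true")
        # Resource limits
        limits = c.get("resources", {}).get("limits", {})
        for resource in ("cpu", "memory"):
            if resource not in limits:
                findings.append(f"{name}: missing resources.limits.{resource}")
        # "Appropriate security context": restricted Pod Security Standard controls (assumption)
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: set securityContext.allowPrivilegeEscalation: false")
        if "ALL" not in [cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])]:
            findings.append(f"{name}: drop all Linux capabilities (capabilities.drop: [ALL])")
    return findings


# Constructed manifests as dicts (what yaml.safe_load would return).
IMAGE = "683590402166.dkr.ecr.us-east-1.amazonaws.com/your-app-repository:python-latest-golden"
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "myapp"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 65532,  # Chainguard nonroot uid (assumed)
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": IMAGE,
            "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                          "requests": {"cpu": "100m", "memory": "128Mi"}},
            # With a read-only root filesystem, give the app a writable scratch area explicitly
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "myapp-bad"},
    "spec": {"containers": [{"name": "app", "image": IMAGE, "securityContext": {"privileged": True}}]},
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        problems = check_pod_spec(pod)
        print(pod["metadata"]["name"], "->", "\n  ".join(["compliant"] if not problems else problems))
```

The same rules are what a cluster-side policy engine such as kyverno (listed in the catalog above) would enforce at admission; running them in the pipeline on the rendered manifests catches the problem before a deployment is rejected.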

Skills

Use the tool "OTC Awesome LLM" to find skills related to containerization, golden images, and supply chain security. Some relevant skills include:

  • python-container
  • node-container

Development Workflow

1. Local Development

For local development, developers must authenticate with Artifactory:

```bash
# Use a docker config.json: credentials already stored in ~/.docker/config.json (Docker's default
# config directory) are reused automatically; to point the CLI at a different directory use the
# global --config flag (Docker has no --authfile option; that flag belongs to podman)
docker --config ~/.docker login edgeinternal1uhg.optum.com:443

# Login to Artifactory (use OIDC credentials from Optum)
docker login edgeinternal1uhg.optum.com:443

# Pull golden image for development
docker pull edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:latest

# Build application locally
docker build -t myapp:dev .
```

2. Image Tag Management

  • Development Tags: myapp:dev, myapp:feature-branch
  • Staging Tags: myapp:staging-v1.0.0
  • Production Tags: myapp:v1.0.0, myapp:stable

3. Registry Strategy

  • Source: Optum Artifactory for golden images
  • Target: AWS ECR for application images
  • Promotion: Promote images through environments (dev → staging → prod)

Common Patterns by Language

Python Applications

```dockerfile
# Stage 1: Build Stage
# Use the -dev image as the base image: it contains tooling such as a shell and a package manager
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest-dev AS builder
# Set the working directory
WORKDIR /app
# Copy the application contents into the /app working directory
COPY ./pyapp .
# Install dependencies into the non-root user's home (~/.local)
RUN pip install -r requirements.txt --user

# Stage 2: Final Stage
# Use the non -dev image, which is the minimal runtime image (no shell or package manager)
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest
# Set the working directory
WORKDIR /app
# Copy the installed dependencies from the builder stage
COPY --from=builder /home/nonroot/.local/lib/python3.12/site-packages /home/nonroot/.local/lib/python3.12/site-packages
# Copy the application code from the builder stage (the final stage starts empty; without this /app/app.py would not exist)
COPY --from=builder /app /app
# Expose port if required
EXPOSE 80
# Define the default command to run the application, CMD or ENTRYPOINT
ENTRYPOINT [ "python", "/app/app.py" ]
```

You can use the GitHub CLI to review the following example Dockerfiles:

Troubleshooting

1. Authentication Issues

```bash
# Login using an existing config directory (Docker has no --authfile option; that flag belongs to podman)
docker --config ~/.docker login edgeinternal1uhg.optum.com:443

# Interactive Login
docker login edgeinternal1uhg.optum.com:443
```

2. Image Pull Failures

  • Verify OIDC authentication in CI/CD pipeline
  • Check if the requested golden image tag exists
  • Ensure proper network connectivity to Artifactory

3. Build Failures

  • Verify golden image compatibility with your application requirements
  • Check for any dependency conflicts between golden image and application
  • Review build logs for specific error messages

Compliance Checklist

  • Base image is from Optum's golden image registry
  • No external registry images used directly
  • Proper authentication configured for Artifactory access
  • Multi-stage build used to minimize final image size
  • Non-root user configured for container execution
  • Health checks implemented
  • Security scanning integrated into CI/CD pipeline
  • Resource limits defined for production deployment
  • Image tags follow semantic versioning
  • SBOM and provenance information preserved

Support and Resources

  • Documentation: Internal Optum HCP documentation for golden images
  • Support: Enterprise Architecture team for golden image requests
  • Security: Information Security team for compliance questions
  • Registry: Artifactory support for authentication and access issues

Remember: Golden images are a critical component of Optum's security and compliance strategy. Always use approved golden images and follow enterprise containerization standards to ensure secure, compliant, and maintainable applications.