feat: migrate to scratch-based Docker image

- Replace alpine base with scratch for minimal 16MB image
- Remove docker_start.sh (no shell in scratch)
- Use ENTRYPOINT + CMD for direct binary execution
- Add CA certificates for HTTPS connections to LAPI
- Add docker/README.md with comprehensive usage documentation

Author: LaurenceJJones

Dockerfile

@@ -4,43 +4,30 @@ FROM golang:${GOVERSION}-alpine AS build
 
 WORKDIR /go/src/cs-spoa-bouncer
 
-RUN apk add --update --no-cache make git
+RUN apk add --update --no-cache make git ca-certificates
 COPY . .
 
 RUN make build DOCKER_BUILD=1
 
-FROM alpine:latest
-COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /usr/local/bin/crowdsec-spoa-bouncer
-COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
-COPY --from=build /go/src/cs-spoa-bouncer/docker/docker_start.sh /docker_start.sh
-
-# Set permissions for config file and binary
-RUN chmod 644 /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml && \
-    chmod 755 /usr/local/bin/crowdsec-spoa-bouncer
-
-## Add the same haproxy user as the official haproxy image
-RUN addgroup -g 99 -S haproxy && adduser -S -D -H -u 99 -h /var/lib/haproxy -s /sbin/nologin -G haproxy -g haproxy haproxy
-## Add worker user
-RUN addgroup -S crowdsec-spoa && adduser -S -D -H -s /sbin/nologin -g crowdsec-spoa crowdsec-spoa
+# Final minimal image
+FROM scratch
 
-## Create a socket for the spoa to inherit crowdsec-spoa:haproxy user from official haproxy image
-RUN mkdir -p /run/crowdsec-spoa/ && chown crowdsec-spoa:haproxy /run/crowdsec-spoa/ && chmod 770 /run/crowdsec-spoa/
+# Copy CA certificates for HTTPS connections to LAPI
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-## Copy Lua files (matching Debian/RPM paths)
-RUN mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua
-COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
+# Copy the static binary
+COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /crowdsec-spoa-bouncer
 
-## Copy templates (matching Debian/RPM paths)
-RUN mkdir -p /var/lib/crowdsec-haproxy-spoa-bouncer/html
-COPY --from=build /go/src/cs-spoa-bouncer/templates/* /var/lib/crowdsec-haproxy-spoa-bouncer/html/
-
-RUN chown -R root:haproxy /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+# Copy default config file
+COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
 
-VOLUME [ "/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/", "/var/lib/crowdsec-haproxy-spoa-bouncer/html/" ]
+# Copy Lua files for HAProxy integration
+COPY --from=build /go/src/cs-spoa-bouncer/lua/ /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
 
-RUN chmod +x /docker_start.sh
+# Copy HTML templates for ban/captcha pages
+COPY --from=build /go/src/cs-spoa-bouncer/templates/ /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-# Run as user
-USER crowdsec-spoa
+EXPOSE 9000
 
-ENTRYPOINT ["/docker_start.sh"]
+ENTRYPOINT ["/crowdsec-spoa-bouncer"]
+CMD ["-c", "/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml"]

docker/README.md

@@ -0,0 +1,175 @@
+# CrowdSec HAProxy SPOA Bouncer Docker Image
+
+This is a minimal scratch-based Docker image containing only the statically-linked bouncer binary and essential files.
+
+## Image Contents
+
+```
+/crowdsec-spoa-bouncer                              # The bouncer binary
+/etc/ssl/certs/ca-certificates.crt                  # CA certs for HTTPS to LAPI
+/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml   # Default config
+/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/         # Lua files for HAProxy
+/var/lib/crowdsec-haproxy-spoa-bouncer/html/        # Ban/captcha templates
+```
+
+## Quick Start
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -e API_KEY=your-api-key \
+  -p 9000:9000 \
+  crowdsec/haproxy-spoa-bouncer
+```
+
+## Configuration
+
+### Environment Variables
+
+The default config supports environment variable substitution for `API_KEY`. For other settings, mount a custom config file.
+
+### Custom Configuration
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -v /path/to/your/config.yaml:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml:ro \
+  -p 9000:9000 \
+  crowdsec/haproxy-spoa-bouncer
+```
+
+Or specify a different config path:
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -v /path/to/config.yaml:/config.yaml:ro \
+  -p 9000:9000 \
+  crowdsec/haproxy-spoa-bouncer -c /config.yaml
+```
+
+### Unix Socket (Recommended for Same-Host HAProxy)
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  -v /path/to/config.yaml:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml:ro \
+  -v /run/crowdsec-spoa:/run/crowdsec-spoa \
+  crowdsec/haproxy-spoa-bouncer
+```
+
+Ensure the socket directory exists and has appropriate permissions for HAProxy to connect.
+
+## Docker Compose Example
+
+```yaml
+services:
+  crowdsec-spoa-bouncer:
+    image: crowdsec/haproxy-spoa-bouncer
+    restart: unless-stopped
+    environment:
+      - API_KEY=${CROWDSEC_API_KEY}
+    volumes:
+      - ./config/crowdsec-spoa-bouncer.yaml:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml:ro
+      - spoa-socket:/run/crowdsec-spoa
+    # Optional: resource limits
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+    # Optional: set GOMEMLIMIT for better memory management
+    # environment:
+    #   - GOMEMLIMIT=200MiB
+
+  haproxy:
+    image: haproxy:latest
+    volumes:
+      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+      - spoa-socket:/run/crowdsec-spoa
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - crowdsec-spoa-bouncer
+
+volumes:
+  spoa-socket:
+```
+
+## Running as Non-Root
+
+The scratch image runs as root by default. To run as a specific user:
+
+```bash
+docker run -d \
+  --user 1000:1000 \
+  --name crowdsec-spoa-bouncer \
+  -p 9000:9000 \
+  crowdsec/haproxy-spoa-bouncer
+```
+
+Note: Ensure mounted volumes have appropriate permissions for the specified user.
+
+## Health Checks
+
+The bouncer exposes Prometheus metrics when enabled in config:
+
+```yaml
+prometheus:
+  enabled: true
+  listen_addr: 0.0.0.0
+  listen_port: 60601
+```
+
+Then use for health checks:
+
+```bash
+docker run -d \
+  --name crowdsec-spoa-bouncer \
+  --health-cmd="wget -q --spider http://localhost:60601/metrics || exit 1" \
+  --health-interval=30s \
+  -p 9000:9000 \
+  -p 60601:60601 \
+  crowdsec/haproxy-spoa-bouncer
+```
+
+Note: Since this is a scratch image, `wget` is not available. Use an external health check or a sidecar container for HTTP health probes.
+
+## Ports
+
+| Port | Description |
+|------|-------------|
+| 9000 | SPOA TCP listener (default) |
+| 60601 | Prometheus metrics (when enabled) |
+| 6060 | pprof debug endpoint (when enabled) |
+
+## Troubleshooting
+
+### View Logs
+
+```bash
+docker logs -f crowdsec-spoa-bouncer
+```
+
+### Debug Mode
+
+Set `log_level: debug` in your config file for verbose logging.
+
+### Connection Issues
+
+1. Verify LAPI is reachable from the container
+2. Check API key is correct
+3. Ensure HAProxy can reach the SPOA listener (TCP port or Unix socket)
+
+## Building the Image
+
+```bash
+docker build -t crowdsec/haproxy-spoa-bouncer .
+```
+
+### Build Arguments
+
+| Argument | Default | Description |
+|----------|---------|-------------|
+| GOVERSION | 1.25 | Go version for build stage |
+