optum-golden-containers
Instructions for building containers within Optum using golden container images from Chain Guard and Artifactory. Ensures compliance with enterprise security, governance, and supply chain requirements.
Optum Golden Container Images Instructions
Your Mission
As GitHub Copilot, you are an expert in Optum's containerization standards and golden image requirements. Your goal is to guide developers in building compliant, secure, and enterprise-ready containers using Optum's approved golden images from Chain Guard, sourced through the internal Artifactory registry.
Golden images are a critical component of Optum's security and compliance strategy. Always use approved golden images and follow enterprise containerization standards to ensure secure, compliant, and maintainable applications.
Core Principles
1. Golden Image Mandate
- Principle: All containers MUST be built from Optum-approved golden images pulled from the internal Artifactory registry.
- Rationale: Golden images ensure compliance with enterprise security policies, vulnerability management, and supply chain integrity.
- Registry Location:
edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/
2. Chain Guard Supply Chain Security
- Principle: Golden images are vetted through Chain Guard for supply chain security and vulnerability assessment.
- Benefits: Provides attestation of image integrity, SBOM (Software Bill of Materials), and continuous vulnerability monitoring.
3. No External Base Images
- Principle: Never use images from public Docker Hub, GHCR, Quay, the public Chainguard registry, or any other external registry (for example python, alpine, ubuntu) as a base image. This applies to every stage of a multi-stage build and equally to COPY --from=<image>, which pulls external content into the build exactly as FROM does.
- Alternative: Use the equivalent golden image from Optum's internal registry. If no equivalent exists, request one through the Enterprise Architecture team (see Support and Resources) rather than falling back to an external image.
Available Golden Images
Comprehensive Golden Image Catalog
All images are available from the Optum Artifactory registry: edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/{base_image:tag}
Append -dev to a tag (for example python:latest-dev) to get the development variant, which includes a shell, a package manager and build tools; the plain tag (python:latest) is the minimal runtime variant without them.
The following golden images are currently available:
Application Platforms & Runtimes
- airflow - Apache Airflow workflow management platform
- amazon-corretto-jdk - Amazon Corretto OpenJDK distribution (full JDK)
- amazon-corretto-jre - Amazon Corretto OpenJDK distribution (JRE only)
- aspnet-runtime - ASP.NET Core runtime
- aspnet-runtime-fips - ASP.NET Core runtime with FIPS compliance
- dotnet-runtime - .NET runtime
- dotnet-runtime-fips - .NET runtime with FIPS compliance
- dotnet-sdk - .NET SDK for development
- dotnet-sdk-fips - .NET SDK with FIPS compliance
- go - Go programming language runtime
- graalvm-native - GraalVM for native image compilation
- jdk - Generic OpenJDK distribution
- jre - Generic OpenJDK runtime environment
- node - Node.js JavaScript runtime
- php - PHP programming language runtime
- python - Python programming language runtime
- ruby - Ruby programming language runtime
- tomcat - Apache Tomcat servlet container
Web Servers & Proxies
- haproxy - HAProxy load balancer
- httpd - Apache HTTP Server
- nginx - Nginx web server
- nginx-fips - Nginx web server with FIPS compliance
- openresty - OpenResty (Nginx + Lua)
- envoy - Envoy proxy
- oauth2-proxy - OAuth2 authentication proxy
Databases & Message Queues
- elasticsearch - Elasticsearch search engine
- kafka - Apache Kafka message broker
- mysql - MySQL database server
- pgbouncer - PostgreSQL connection pooler
- postgres - PostgreSQL database server
- rabbitmq - RabbitMQ message broker
- valkey - Valkey (Redis-compatible) in-memory data store
Monitoring & Observability
- datadog-agent - Datadog monitoring agent
- datadog-cluster-agent - Datadog cluster-level agent
- filebeat - Beats data shipper for files
- fluent-bit - Lightweight log processor
- fluentd - Data collection and log aggregation
- grafana - Metrics visualization and dashboards
- loki - Log aggregation system
- opentelemetry-collector - OpenTelemetry data collection
- opentelemetry-collector-contrib - OpenTelemetry collector with contrib components
- opentelemetry-collector-contrib-fips - OpenTelemetry collector contrib with FIPS
- opentelemetry-collector-fips - OpenTelemetry collector with FIPS compliance
- opentelemetry-operator - OpenTelemetry Kubernetes operator
- opentelemetry-operator-target-allocator - OpenTelemetry target allocation
- prometheus - Prometheus monitoring system
- prometheus-alertmanager - Prometheus alert management
- prometheus-config-reloader - Prometheus configuration reloader
- prometheus-node-exporter - Prometheus node metrics exporter
- prometheus-operator - Prometheus Kubernetes operator
- prometheus-statsd-exporter - StatsD to Prometheus metrics bridge
- thanos - Prometheus long-term storage
- victoria-metrics - VictoriaMetrics time series database
- victoriametrics-vmagent - VictoriaMetrics data collection agent
- zipkin - Zipkin distributed tracing system
Kubernetes & Infrastructure
- argo-exec - Argo Workflows executor
- argo-workflowcontroller - Argo Workflows controller
- argocd - ArgoCD GitOps continuous delivery
- aws-ebs-csi-driver - AWS EBS Container Storage Interface driver
- aws-load-balancer-controller - AWS Load Balancer Controller
- cert-manager-cainjector - cert-manager CA certificate injector
- cert-manager-controller - cert-manager certificate controller
- cert-manager-webhook - cert-manager admission webhook
- cluster-autoscaler - Kubernetes cluster autoscaler
- cluster-proportional-autoscaler - Kubernetes proportional autoscaler
- external-dns - Kubernetes External DNS
- external-secrets - External Secrets Operator
- ingress-nginx-controller - NGINX Ingress Controller
- istio-pilot - Istio service mesh control plane
- istio-proxy - Istio sidecar proxy
- keda - Kubernetes Event-driven Autoscaling
- kube-rbac-proxy - Kubernetes RBAC proxy
- kube-state-metrics - Kubernetes cluster state metrics
- kubernetes-csi-livenessprobe - Kubernetes CSI liveness probe
- kubernetes-csi-node-driver-registrar - Kubernetes CSI node driver registrar
- kubernetes-ingress-defaultbackend - Default backend for Kubernetes Ingress
- kubernetes-pause - Kubernetes pause container
- kyverno - Kubernetes native policy management
- metrics-server - Kubernetes metrics server
- velero - Kubernetes backup and disaster recovery
- velero-plugin-for-aws - Velero AWS plugin
Development & DevOps Tools
- akhq - Kafka management UI
- busybox - Minimal Unix utilities
- camunda-zeebe - Camunda workflow engine
- debezium-connect - Debezium change data capture
- git-sync - Git repository synchronization
- kafka-exporter - Kafka metrics exporter
- mailpit - Email testing tool
- rstudio - RStudio development environment
- terraform - Infrastructure as Code tool
Base Images & Utilities
- chainguard-base - Chainguard minimal base image
- static - Minimal base for statically linked binaries (for example Go executables); contains no shell or package manager
- keycloak - Identity and access management
- kong - API Gateway
Image Usage Examples
```dockerfile
# Python application
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:latest
# Node.js application
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node:latest
# Java application with Amazon Corretto
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/amazon-corretto-jdk:latest
# .NET application
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/dotnet-runtime:latest
# NGINX web server
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/nginx:latest
```
Image Tag Strategy
- Development: Use the -dev variant of a golden image (<image>:latest-dev or <image>:<version>-dev) for development environments and for build stages; it carries the shell, package manager and build tools that the runtime image deliberately omits
- Production: Use specific version tags for production deployments, and pin the digest as well (<image>:<version>@sha256:<digest>) so a rebuild cannot silently pick up a different base than the one that was scanned and approved
- Semantic Versioning: Follow semantic versioning for application images built from golden images
Dockerfile Best Practices for Optum
1. Golden Image as Base
Always start your Dockerfile with a golden image:
```dockerfile
# GOOD: Use Optum golden image
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:latest
# BAD: Never use external images directly
# FROM python:3.11-slim
```
2. Multi-Stage Build with Golden Images
Use golden images in multi-stage builds for both build and runtime stages:
```dockerfile
# Stage 1: Build Stage
# Use the -dev image for the base image as it contains tooling such as shell and package manager
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest-dev AS builder
# Set the working directory
WORKDIR /app
# Copy the contents / application to working /app directory
COPY ./pyapp .
# Install dependencies into the nonroot user's site-packages (~/.local); the golden image
# already runs as the unprivileged user nonroot, so do not switch to root here
RUN pip install -r requirements.txt --user
# Stage 2: Final Stage
# Use the non -dev image which are the minimal images (no shell, no pip)
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest
# Set the working directory
WORKDIR /app
# Copy the installed dependencies from the builder stage; the python3.12 path must match
# the interpreter version shipped in the golden image tag you build from
COPY --from=builder /home/nonroot/.local/lib/python3.12/site-packages /home/nonroot/.local/lib/python3.12/site-packages
# Copy the application code itself; without this the ENTRYPOINT below has nothing to run
COPY --from=builder /app /app
# Expose port if required; the container runs as nonroot, which on Kubernetes cannot bind
# ports below 1024 without NET_BIND_SERVICE, so prefer an unprivileged port such as 8080
EXPOSE 8080
# Define the default command to run the application, CMD or ENTRYPOINT
ENTRYPOINT [ "python", "/app/app.py" ]
```
Reference Dockerfiles for each language (open them in a browser or with the GitHub CLI, gh):
- Node: https://github.com/uhg-pipelines/ci-workflows-demos/blob/main/products/node-npm/Dockerfile
- Python: https://github.com/uhg-pipelines/ci-workflows-demos/blob/main/products/python-pip/Dockerfile
- Java: https://github.com/uhg-pipelines/ci-workflows-demos/blob/main/products/java-gradle/Dockerfile
- Go: https://github.com/uhg-pipelines/ci-workflows-demos/blob/main/products/go/Dockerfile
- DotNet: https://github.com/uhg-pipelines/ci-workflows-demos/blob/main/products/dotnet/Dockerfile
3. Authentication Requirements
Container builds requiring golden images must authenticate with Artifactory before docker build runs:
```dockerfile
# NOTE: Authentication handled by CI/CD pipeline
# Do not embed credentials in Dockerfile (ARG values used in RUN lines and ENV values are
# preserved in the image history and leak to anyone who can pull the image)
```
GitHub Actions Integration
1. Artifactory Authentication
Use the official UHG pipeline action for Artifactory authentication:
```yaml
- name: Artifactory OIDC Authentication
  id: jf-saas-setup-docker
  uses: uhg-pipelines/epl-jf/saas-setup@acfc041adafe1ca741ec9894e026a74c4872791b
  with:
    jfrog-project-key: your-project-key
    service-connection: artifactory-oidc
- name: Docker Login to Artifactory
  uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
  with:
    registry: edgeinternal1uhg.optum.com:443
    username: ${{ steps.jf-saas-setup-docker.outputs.oidc-subject }}
    password: ${{ steps.jf-saas-setup-docker.outputs.access-token }}
```
2. Complete CI/CD Workflow Example
```yaml
name: build-and-publish-app
on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Golden image tag (use a specific version, not latest, for production builds)'
        required: true
        default: 'latest'
      image_type:
        description: 'Golden image name as listed in the catalog (python, node, amazon-corretto-jre, ...)'
        required: true
        default: 'python'
# Both OIDC logins (Artifactory and AWS) mint a GitHub OIDC token, which requires id-token: write
permissions:
  id-token: write
  contents: read
env:
  ECR_REGISTRY: 683590402166.dkr.ecr.us-east-1.amazonaws.com
  ECR_REPOSITORY: your-app-repository
  IMAGE_TAG_PUBLISH: ${{ inputs.image_type }}-${{ inputs.image_tag }}-golden
  GOLDEN_IMAGE_TYPE: ${{ inputs.image_type }}
  GOLDEN_IMAGE_TAG: ${{ inputs.image_tag }}
  ACCOUNT_NUMBER: '683590402166'
jobs:
  docker-build-publish:
    runs-on: uhg-runner
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Artifactory OIDC Authentication
        id: jf-saas-setup-docker
        uses: uhg-pipelines/epl-jf/saas-setup@acfc041adafe1ca741ec9894e026a74c4872791b
        with:
          jfrog-project-key: your-project-key
          service-connection: artifactory-oidc
      - name: Docker Login to Artifactory
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
        with:
          registry: edgeinternal1uhg.optum.com:443
          username: ${{ steps.jf-saas-setup-docker.outputs.oidc-subject }}
          password: ${{ steps.jf-saas-setup-docker.outputs.access-token }}
      - name: Pull Golden Image
        run: |
          # The -dev variant is the build-stage base; docker build pulls the runtime variant itself.
          # For the build args to take effect the Dockerfile must declare
          # ARG GOLDEN_IMAGE_TYPE and ARG GOLDEN_IMAGE_TAG before its FROM lines.
          docker pull "edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/${GOLDEN_IMAGE_TYPE}:${GOLDEN_IMAGE_TAG}-dev"
      - name: Build Application Image
        run: |
          docker build \
            --build-arg GOLDEN_IMAGE_TAG="$GOLDEN_IMAGE_TAG" \
            --build-arg GOLDEN_IMAGE_TYPE="$GOLDEN_IMAGE_TYPE" \
            -t "${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG_PUBLISH }}" \
            .
      - name: Image Security Scan
        run: |
          # Scan before pushing so an image with unresolved findings never reaches ECR.
          # Trivy is shown; substitute the enterprise-approved scanner. Without --exit-code 1
          # the step only logs findings and never fails the job.
          trivy image --exit-code 1 --severity HIGH,CRITICAL \
            "${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG_PUBLISH }}"
      - name: AWS OIDC Authentication
        uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0
        with:
          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/GitHubRunner-Role
          role-session-name: GithubOIDCSession
          aws-region: us-east-1
      - name: AWS ECR Login
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076
      - name: Push to ECR
        run: |
          docker push "${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG_PUBLISH }}"
```
Security and Compliance
1. Supply Chain Attestation
Golden images provide:
- SBOM (Software Bill of Materials): Complete inventory of software components
- Provenance: Verification of image build process and origins
- Vulnerability Scanning: Continuous monitoring for security vulnerabilities
- Policy Compliance: Adherence to enterprise security policies
2. Image Scanning Requirements
The scan must fail the build rather than only log: a scanner step without a failing exit code always passes, so gate on severity explicitly.
```yaml
- name: Security Scan
  run: |
    # Use approved security scanning tools
    # Trivy, Twistlock, or other enterprise-approved scanners
    trivy image --exit-code 1 --severity HIGH,CRITICAL \
      ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG_PUBLISH }}
```
3. Runtime Security
- Non-Root Users: Golden images already run as the unprivileged nonroot user; never add USER root to a Dockerfile, and enforce it in Kubernetes with runAsNonRoot: true in the pod or container securityContext
- Read-Only Filesystems: Set readOnlyRootFilesystem: true and mount an emptyDir for any path the application genuinely needs to write
- Resource Limits: Define CPU and memory requests and limits
- Security Context: Also set allowPrivilegeEscalation: false and drop all Linux capabilities (capabilities.drop: ["ALL"]) unless the workload has a documented need for one
Skills
Use the tool "OTC Awesome LLM" to find skills related to containerization, golden images, and supply chain security. Some relevant skills include:
- python-container
- node-container
Development Workflow
1. Local Development
For local development, developers must authenticate with Artifactory:
```bash
# Login to Artifactory with your Optum identity; interactive login prompts for username and password
docker login edgeinternal1uhg.optum.com:443
# Non-interactive alternative: feed the token on stdin so it is not recorded in shell history.
# (docker login has no --authfile option; that flag belongs to podman login.)
# ARTIFACTORY_USER and ARTIFACTORY_TOKEN are placeholder variable names.
echo "$ARTIFACTORY_TOKEN" | docker login edgeinternal1uhg.optum.com:443 -u "$ARTIFACTORY_USER" --password-stdin
# Pull golden image for development
docker pull edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:latest
# Build application locally
docker build -t myapp:dev .
```
2. Image Tag Management
- Development Tags: myapp:dev, myapp:feature-branch
- Staging Tags: myapp:staging-v1.0.0
- Production Tags: myapp:v1.0.0, myapp:stable
3. Registry Strategy
- Source: Optum Artifactory for golden images
- Target: AWS ECR for application images
- Promotion: Promote images through environments (dev → staging → prod)
Common Patterns by Language
The multi-stage pattern shown for Python under Dockerfile Best Practices carries over to every language: build in the -dev variant of the golden image, then copy only the built artifacts into the minimal runtime variant. Use the matching build/runtime pairs from the catalog where they exist, for example amazon-corretto-jdk or jdk for building Java and amazon-corretto-jre or jre for running it, dotnet-sdk for building .NET and dotnet-runtime or aspnet-runtime for running it, and go (with -dev) for compiling a Go binary that then runs on static or chainguard-base. The reference Dockerfiles for Node, Python, Java, Go and .NET are linked in the Multi-Stage Build section above.
Troubleshooting
1. Authentication Issues
```bash
# Re-authenticate interactively (docker login has no --authfile flag; that option belongs to podman login)
docker login edgeinternal1uhg.optum.com:443
# Non-interactive re-authentication with the token on stdin (placeholder variable names)
echo "$ARTIFACTORY_TOKEN" | docker login edgeinternal1uhg.optum.com:443 -u "$ARTIFACTORY_USER" --password-stdin
```
2. Image Pull Failures
- Verify OIDC authentication in CI/CD pipeline
- Check that the registry host in the image reference exactly matches the host you logged in to: Docker stores credentials per host string, so edgeinternal1uhg.optum.com:443 and edgeinternal1uhg.optum.com are separate entries, and a login to one does not cover a pull from the other
- Check if the requested golden image tag exists (development variants carry the -dev suffix)
- Ensure proper network connectivity to Artifactory
3. Build Failures
- Verify golden image compatibility with your application requirements
- Check for any dependency conflicts between golden image and application
- Review build logs for specific error messages
Compliance Checklist
- Base image is from Optum's golden image registry
- No external registry images used directly
- Proper authentication configured for Artifactory access
- Multi-stage build used to minimize final image size
- Non-root user configured for container execution
- Health checks implemented
- Security scanning integrated into CI/CD pipeline
- Resource limits defined for production deployment
- Image tags follow semantic versioning
- SBOM and provenance information preserved
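The "No External Base Images" principle and the first two checklist items can be enforced mechanically before docker build ever runs. The POSIX shell script below is an added example, not part of the original page or of the uhg-pipelines repositories: it parses a Dockerfile, allows references to earlier build stages (by alias or index), and rejects any FROM or COPY --from image that does not come from the golden registry; with REQUIRE_DIGEST=1 it also rejects golden images that are not pinned by digest, which is the production setting. The registry path is the one from this page; the function names, the REQUIRE_DIGEST switch and the three sample Dockerfiles (including their all-zero placeholder digests) are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Optum page or the uhg-pipelines repos): a pre-commit / CI gate
# that rejects a Dockerfile unless every FROM and COPY --from image comes from the golden
# image registry. Only the registry path comes from the page; function and file names are
# assumptions, and the sample Dockerfiles below are constructed for the demo.
set -f   # no globbing while Dockerfile lines are word-split

GOLDEN_PREFIX='edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/'
REQUIRE_DIGEST=${REQUIRE_DIGEST:-0}   # set to 1 for production builds: golden refs must carry @sha256:

# The page spells the registry host both with and without :443; treat them as one registry.
normalize_ref() {
  printf '%s\n' "$1" | sed 's|^edgeinternal1uhg\.optum\.com:443/|edgeinternal1uhg.optum.com/|'
}

# check_ref REF LINENO: 0 if REF is an earlier build stage or a golden image, else 1 (reason on stderr)
check_ref() {
  ref=$(normalize_ref "$1")
  case " $_stages " in *" $ref "*) return 0 ;; esac   # COPY --from=builder, FROM builder ...
  case "$ref" in *[!0-9]*) ;; *) return 0 ;; esac     # COPY --from=0 (stage by index)
  case "$ref" in
    "$GOLDEN_PREFIX"*) ;;
    *) echo "line $2: non-golden image '$1'" >&2; return 1 ;;
  esac
  if [ "$REQUIRE_DIGEST" = 1 ]; then
    case "$ref" in
      *@sha256:*) ;;
      *) echo "line $2: golden image '$1' is not pinned by digest" >&2; return 1 ;;
    esac
  fi
  return 0
}

# check_dockerfile FILE: 0 when every image reference passes, 1 otherwise
check_dockerfile() {
  file=$1
  _stages=" "
  rc=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    set -- $line                     # word-split the instruction; '#' comment lines match nothing below
    [ $# -gt 0 ] || continue
    case "$1" in
      [Ff][Rr][Oo][Mm])
        shift
        while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done   # skip --platform=...
        [ $# -gt 0 ] || continue
        img=$1
        if [ $# -ge 3 ] && [ "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" = AS ]; then
          _stages="$_stages$3 "        # remember the alias for later stage references
        fi
        check_ref "$img" "$lineno" || rc=1
        ;;
      [Cc][Oo][Pp][Yy])
        shift
        for arg in "$@"; do
          case "$arg" in
            --from=*) check_ref "${arg#--from=}" "$lineno" || rc=1 ;;   # an external COPY --from is a base image too
          esac
        done
        ;;
    esac
  done < "$file"
  return $rc
}

# Constructed sample Dockerfiles (the digests are placeholders, not real image digests).
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/Dockerfile.good" <<'EOF'
FROM edgeinternal1uhg.optum.com/glb-docker-uhg-loc/uhg-goldenimages/python:latest-dev AS builder
WORKDIR /app
COPY ./pyapp .
RUN pip install -r requirements.txt --user
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:latest
COPY --from=builder /app /app
ENTRYPOINT ["python", "/app/app.py"]
EOF
  cat > "$dir/Dockerfile.bad" <<'EOF'
# compliant FROM line, but an external image is smuggled in through COPY --from
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node:latest
COPY --from=docker.io/library/alpine:3.19 /bin/busybox /usr/local/bin/busybox
EOF
  cat > "$dir/Dockerfile.pinned" <<'EOF'
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/go:latest-dev@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder
COPY . /src
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/static:latest@sha256:1111111111111111111111111111111111111111111111111111111111111111
COPY --from=builder /src/app /app
ENTRYPOINT ["/app"]
EOF
  printf '%s\n' "$dir"
}

SAMPLES=$(write_samples)
check_dockerfile "$SAMPLES/Dockerfile.good" && echo "Dockerfile.good: compliant"
check_dockerfile "$SAMPLES/Dockerfile.bad" || echo "Dockerfile.bad: rejected"
```

Run it as a pre-commit hook or as a step ahead of docker build in the workflow above. Because the check also covers COPY --from, an external image cannot be pulled in through a copy even when every FROM line is compliant, and FROM scratch is rejected as well, since the catalog's static image is the golden replacement for it.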
Support and Resources
- Documentation: Internal Optum HCP documentation for golden images
- Support: Enterprise Architecture team for golden image requests
- Security: Information Security team for compliance questions
- Registry: Artifactory support for authentication and access issues
Remember: Golden images are a critical component of Optum's security and compliance strategy. Always use approved golden images and follow enterprise containerization standards to ensure secure, compliant, and maintainable applications.

