feat: add chainguard dockerfile

Use chainguard images for base image and building image.
Remove shell script entrypoint and run apm-server directly. We lose the ability
to run other binaries as the entrypoint but that's fine since there are no other
binaries in the image.
Update apm-server config in the builder image since we do not have posix tools in the
static image.
Drop tini since it is now included in docker.

packaging/docker/Dockerfile.chainguard

@@ -1,2 +1,87 @@
-FROM docker.elastic.co/wolfi/chainguard-base:20230214
-RUN echo 'TBC'
+ARG GOLANG_IMAGE=docker.elastic.co/wolfi/go@sha256:fd5abcb518d757e393ab9a0a9836132aee1a9064cbf6e79639113269f68fc8f4
+
+################################################################################
+# Build stage 0
+# Build the apm-server binary. The golang image version is kept
+# up to date with go.mod by Makefile.
+################################################################################
+FROM ${GOLANG_IMAGE} as builder
+WORKDIR /src
+COPY go.mod go.sum .go-version /src/
+COPY internal/glog/go.mod /src/internal/glog/go.mod
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
+COPY Makefile *.mk /src/
+COPY cmd /src/cmd
+COPY internal /src/internal
+COPY x-pack /src/x-pack
+COPY .git /src/.git
+COPY script /src/script
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    make apm-server
+
+COPY apm-server.yml ./apm-server.yml
+COPY --chmod=0644 apm-server.yml ./apm-server.yml
+RUN sed -i 's/127.0.0.1:8200/0.0.0.0:8200/' apm-server.yml
+RUN sed -i 's/localhost:9200/elasticsearch:9200/' apm-server.yml
+
+################################################################################
+# Build stage 1
+# Copy prepared files from the previous stage and complete the image.
+################################################################################
+FROM cgr.dev/chainguard/static@sha256:288b818c1b3dd89776d176f07f5f671b118fe836c4d80ec2cc3299b596fe71b7
+ARG TARGETARCH
+ARG BUILD_DATE
+ARG VERSION
+ARG VCS_REF
+
+# Statically defined labels.
+LABEL \
+  org.label-schema.schema-version="1.0" \
+  org.label-schema.vendor="Elastic" \
+  org.label-schema.license="Elastic License" \
+  org.label-schema.name="apm-server" \
+  org.label-schema.url="https://www.elastic.co/apm" \
+  org.label-schema.vcs-url="github.com/elastic/apm-server" \
+  io.k8s.description="Elastic APM Server" \
+  io.k8s.display-name="Apm-Server image" \
+  org.opencontainers.image.licenses="Elastic License" \
+  org.opencontainers.image.title="Apm-Server" \
+  org.opencontainers.image.vendor="Elastic" \
+  name="apm-server" \
+  maintainer="[email protected]" \
+  vendor="Elastic" \
+  release="1" \
+  url="https://www.elastic.co/apm" \
+  summary="apm-server" \
+  license="Elastic License" \
+  description="Elastic APM Server"
+
+# Dynamic labels, only set in published images.
+LABEL \
+  org.label-schema.build-date=${BUILD_DATE} \
+  org.label-schema.version=${VERSION} \
+  org.label-schema.vcs-ref=${VCS_REF} \
+  org.opencontainers.image.created=${BUILD_DATE} \
+  version=${VERSION}
+
+ENV ELASTIC_CONTAINER "true"
+
+# When running under Docker, we must ensure libbeat monitoring pulls cgroup
+# metrics from /sys/fs/cgroup/<subsystem>/, ignoring any paths found in
+# /proc/self/cgroup.
+ENV LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE=/
+
+# Disable libbeat's strict permissions checking, which is not relevant when
+# running in Docker.
+ENV BEAT_STRICT_PERMS=false
+
+COPY --chmod=0644 --chown=nonroot:nonroot licenses/ELASTIC-LICENSE-2.0.txt NOTICE.txt /licenses/
+
+WORKDIR /usr/share/apm-server
+COPY --chmod=0755 --chown=nonroot:nonroot --from=builder /src/apm-server ./apm-server
+COPY --chmod=0644 --chown=nonroot:nonroot --from=builder /src/apm-server.yml ./apm-server.yml
+
+EXPOSE 8200
+ENTRYPOINT ["/usr/share/apm-server/apm-server", "--environment=container"]