diff --git a/.containerignore b/.containerignore
new file mode 100644
index 0000000000000000000000000000000000000000..8aad965be478e68348867d3181faa919195320bd
--- /dev/null
+++ b/.containerignore
@@ -0,0 +1,28 @@
+cert-manager-webhook-rwth
+*.config
+
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+.git
+.gitlab-ci.yml
+.gitignore
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c10ee44998aed205e02aae20991bd095c30fde40..ab35a2f124fcb8984ca88f50b65df4e4a738feda 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -28,3 +28,15 @@ lint:
     reports:
       junit: golangci-output.xml
     expire_in: 7 days
+
+build-image:
+  image: quay.io/containers/buildah:v1
+  before_script:
+    - >-
+      buildah login
+      --username "$CI_REGISTRY_USER"
+      --password "$CI_REGISTRY_PASSWORD"
+      "$CI_REGISTRY"
+  script:
+    - buildah build --tag $CI_REGISTRY_IMAGE:exp-$CI_COMMIT_SHA
+    - buildah push $CI_REGISTRY_IMAGE:exp-$CI_COMMIT_SHA
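Review bot: The registry password is passed as a `--password` argument in `before_script`, which places it on the process command line inside the job container; buildah can read it from stdin instead, e.g. `echo "$CI_REGISTRY_PASSWORD" | buildah login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The builder image `quay.io/containers/buildah:v1` is a floating tag, so the tool that handles the registry credential and produces the pushed image can change between runs; pinning a full version or a digest would make updates deliberate. In `script`, `$CI_REGISTRY_IMAGE:exp-$CI_COMMIT_SHA` is unquoted in both commands, unlike the login arguments, and quoting it would be consistent.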
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000000000000000000000000000000000000..d822377a0b8156accb6913f37f1477da43ea8499
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,21 @@
+FROM docker.io/library/golang:1-alpine AS build
+
+ARG GOARCH="amd64"
+ARG GOARM=""
+
+WORKDIR /workspace
+
+ENV GOPATH="/workspace/.go"
+
+COPY . .
+
+RUN go mod download
+
+RUN CGO_ENABLED=0 GOARCH=$GOARCH GOARM=$GOARM go build -v -o webhook -ldflags '-w -s -extldflags "-static"' .
+
+FROM scratch
+
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /workspace/webhook /webhook
+
+ENTRYPOINT ["/webhook"]
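Review bot: The final `scratch` stage sets no `USER`, so `/webhook` runs as UID 0 unless the pod spec overrides it; adding `USER 65534:65534` before `ENTRYPOINT` (numeric, because scratch has no `/etc/passwd`) would make non-root the image default. Whether the webhook binds a port below 1024 is not visible here and should be checked against the deployment before switching. `FROM docker.io/library/golang:1-alpine` floats across Go and Alpine releases, and the CA bundle copied into the final image comes from that same stage, so pinning a specific tag or digest would make both the toolchain and the trust store reproducible. Copying `go.mod` and `go.sum` and running `go mod download` before `COPY . .` would also keep the module layer cached across source-only changes.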