Parameterise runtime image #1478

Merged
merged 7 commits into from Apr 14, 2022
1 change: 1 addition & 0 deletions .dockerignore
@@ -1,4 +1,5 @@
Dockerfile.dev
Dockerfile
docs
vendor
.git
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -9,10 +9,14 @@

## Important Notes

- [#1478](https://github.com/oauth2-proxy/oauth2-proxy/pull/1478) Changes the UID and GID of the runtime user to `65532`.
Which also is known as `nonroot` user in [distroless images](https://github.com/GoogleContainerTools/distroless).

## Breaking Changes

## Changes since v7.2.1

- [#1478](https://github.com/oauth2-proxy/oauth2-proxy/pull/1478) Parameterise the runtime image (@omBratteng)
- [#1583](https://github.com/oauth2-proxy/oauth2-proxy/pull/1583) Add groups to session too when creating session from bearer token (@adriananeci)
- [#1418](https://github.com/oauth2-proxy/oauth2-proxy/pull/1418) Support for passing arbitrary query parameters through from `/oauth2/start` to the identity provider's login URL. Configuration settings control which parameters are passed by default and precisely which values can be overridden per-request (@ianroberts)
- [#1559](https://github.com/oauth2-proxy/oauth2-proxy/pull/1559) Introduce ProviderVerifier to clean up OIDC discovery code (@JoelSpeed)
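Review bot: the Important Notes entry should state the previous value as well as the new one (this PR's Dockerfile changes `USER 2000:2000` to `USER 65532:65532`), because an operator auditing bind-mounted volume ownership or a UID-based security policy needs both numbers to know what to adjust; suggest "Changes the UID and GID of the runtime user from `2000` to `65532`, which is also known as the `nonroot` user in distroless images." as a single sentence, since "Which also is known as" is awkward on its own line.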
9 changes: 6 additions & 3 deletions Dockerfile
@@ -1,3 +1,6 @@
# This ARG has to be at the top, otherwise the docker daemon does not known what to do with FROM ${RUNTIME_IMAGE}
ARG RUNTIME_IMAGE=alpine:3.15

# All builds should be done using the platform native to the build node to allow
# cache sharing of the go mod download step.
# Go cross compilation is also faster than emulation the go compilation across
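Review bot: the default `ARG RUNTIME_IMAGE=alpine:3.15` is a mutable tag, so the runtime base can silently change between two rebuilds of the same commit; consider documenting that the ARG accepts a digest-pinned reference (the `alpine:3.15@sha256:<digest>` form) for reproducible, auditable builds, since parameterising the image is exactly what makes that easy now. Also worth a line in the comment: an ARG declared before the first `FROM` is only in scope for `FROM` lines, so any stage that later needs the value has to redeclare `ARG RUNTIME_IMAGE`. Minor: "does not known" should read "does not know".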
@@ -38,12 +41,12 @@ RUN case ${TARGETPLATFORM} in \
GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem

# Copy binary to alpine
FROM alpine:3.15
FROM ${RUNTIME_IMAGE}
COPY nsswitch.conf /etc/nsswitch.conf
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem

USER 2000:2000
# UID/GID 65532 is also known as nonroot user in distroless image
USER 65532:65532
Comment on lines +49 to +50
Member
Do we expect users will be relying on the existing user number? We probably won't consider this a breaking change, but we should definitely add an important note to the changelog for this.

Contributor Author
I really doubt it would break for anyone. Only if they've added some restrictions to what UIDs can start processes on the host machine.

But a note in the changelog about the change sounds good.

Contributor Author
I've added an entry under Important Notes:

  • #1478 Changes the UID and GID of the runtime user to 65532.
    Which also is known as nonroot user in distroless images.

ENTRYPOINT ["/bin/oauth2-proxy"]
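Review bot: `USER 65532:65532` replaces `USER 2000:2000`, while the four `COPY` lines above it carry no `--chown`, so `nsswitch.conf`, the CA bundle, the binary and `jwt_signing_key.pem` stay root-owned in the final image; that is the right outcome (the non-root process cannot modify its own binary or trust store) as long as their modes are world-readable, which the builder's default umask gives them, so it deserves a short comment rather than a change. The remaining reviewer point is the one raised in the thread above: a reader of the hunk sees only the new value, so the changelog note should name the old UID 2000 too, so that operators with host-level UID restrictions or volumes owned by 2000 can adjust before upgrading. Since the default runtime image is still Alpine, note that UID 65532 has no passwd entry there, which is harmless for the proxy but means the process shows up under a numeric user in `ps`; on distroless it resolves to `nonroot`, as the comment says.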
3 changes: 2 additions & 1 deletion Makefile
@@ -40,7 +40,8 @@ $(BINARY):
CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X main.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7

DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6
DOCKER_BUILDX_ARGS ?=
DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.15
DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}
DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM}
DOCKER_BUILDX_PUSH := docker buildx build --push ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
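Review bot: `DOCKER_BUILDX_ARGS` is assigned with `?=`, so anyone who sets it on the command line or in the environment (for example to add `--cache-from`/`--cache-to` or `--load`) silently drops `--build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}` and the image is built on whatever default the Dockerfile carries, with no error to flag the mismatch; safer to keep `DOCKER_BUILDX_ARGS ?=` as the user-extensible hook and append the runtime-image build-arg in `DOCKER_BUILDX` and `DOCKER_BUILDX_PUSH` next to `--build-arg VERSION=${VERSION}`, which also keeps both targets in step. The default `alpine:3.15` now lives in both the Makefile (`DOCKER_BUILD_RUNTIME_IMAGE`) and the Dockerfile (`ARG RUNTIME_IMAGE`); keep the two in sync, because a caller overriding one variable gets the Makefile's value and a caller overriding the other gets the Dockerfile's.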
Member
The new build args will need to be added here as well, else the push won't recognise the cached builds/won't have the correct RUNTIME_IMAGE.

Contributor Author
I moved it to DOCKER_BUILDX_ARGS, as it's used in both DOCKER_BUILDX and DOCKER_BUILDX_PUSH.
