public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

enhancement: Change base image from alpine to distroless (#2295) 

* Changed base image from alpine to distroless

* chore: updated Makefile

* fix: removed arm/v6 and ppc64le for distroless variant

* Update Dockerfile

* Update Makefile

* docs: Add README-section, CHANGELOG-entry and --pull to prevent caching

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Koen van Zuijlen 2024-01-20 19:48:04 +01:00 committed by GitHub
parent c7185e7005
commit be84906fbc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 43 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -22,6 +22,7 @@
- [#2299](https://github.com/oauth2-proxy/oauth2-proxy/pull/2299) bugfix: OIDCConfig based providers are not respecting flags and configs (@tuunit)
- [#2248](https://github.com/oauth2-proxy/oauth2-proxy/pull/2248) Added support for semicolons in query strings. (@timwsuqld)
- [#2196](https://github.com/oauth2-proxy/oauth2-proxy/pull/2196) Add GitHub groups (orgs/teams) support. Including `X-Forwarded-Groups` header (@tuunit)
- [#2295](https://github.com/oauth2-proxy/oauth2-proxy/pull/2295) Change base-image to [GoogleContainerTools/distroless](https://github.com/GoogleContainerTools/distroless) (@kvanzuijlen)
- [#2356](https://github.com/oauth2-proxy/oauth2-proxy/pull/2356) Update go-jose dependency (@dasvh)
- [#2357](https://github.com/oauth2-proxy/oauth2-proxy/pull/2357) Update ojg to latest release (@bitfehler)

7
Dockerfile
View File

@ -1,5 +1,5 @@
# This ARG has to be at the top, otherwise the docker daemon does not known what to do with FROM ${RUNTIME_IMAGE}
ARG RUNTIME_IMAGE=docker.io/library/alpine:3.18
ARG RUNTIME_IMAGE=gcr.io/distroless/static:nonroot
# All builds should be done using the platform native to the build node to allow
# cache sharing of the go mod download step.
@ -43,13 +43,10 @@ RUN case ${TARGETPLATFORM} in \
printf "Building OAuth2 Proxy for arch ${GOARCH}\n" && \
GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem
# Copy binary to alpine
# Copy binary to runtime image
FROM ${RUNTIME_IMAGE}
COPY nsswitch.conf /etc/nsswitch.conf
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
# UID/GID 65532 is also known as nonroot user in distroless image
USER 65532:65532
ENTRYPOINT ["/bin/oauth2-proxy"]

48
Makefile
View File

@ -5,6 +5,8 @@ BINARY := oauth2-proxy
VERSION ?= $(shell git describe --always --dirty --tags 2>/dev/null || echo "undefined")
# Allow to override image registry.
REGISTRY ?= quay.io/oauth2-proxy
REPOSITORY ?= oauth2-proxy
DATE := $(shell date +"%Y%m%d")
.NOTPARALLEL:
@ -40,45 +42,55 @@ build: validate-go-version clean $(BINARY)
$(BINARY):
CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X main.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7
DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7
DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.18
DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}
DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v7
DOCKER_BUILD_RUNTIME_IMAGE ?= gcr.io/distroless/static:nonroot
DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE} --build-arg VERSION=${VERSION}
DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --pull
DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM}
DOCKER_BUILDX_PUSH := $(DOCKER_BUILDX) --push
DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM}
DOCKER_BUILD_PLATFORM_ALPINE ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7
DOCKER_BUILD_RUNTIME_IMAGE_ALPINE ?= alpine:3.18.4
DOCKER_BUILDX_ARGS_ALPINE ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE_ALPINE} --build-arg VERSION=${VERSION}
DOCKER_BUILDX_X_PLATFORM_ALPINE := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --platform ${DOCKER_BUILD_PLATFORM_ALPINE}
DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE := $(DOCKER_BUILDX_X_PLATFORM_ALPINE) --push
.PHONY: docker
docker:
$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} .
$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY):latest -t $(REGISTRY)/$(REPOSITORY):${VERSION} .
$(DOCKER_BUILDX_X_PLATFORM_ALPINE) -t $(REGISTRY)/$(REPOSITORY):latest-alpine -t $(REGISTRY)/$(REPOSITORY):${VERSION}-alpine .
.PHONY: docker-push
docker-push:
$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} .
$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY):latest -t $(REGISTRY)/$(REPOSITORY):${VERSION} .
$(DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE) -t $(REGISTRY)/$(REPOSITORY):latest-alpine -t $(REGISTRY)/$(REPOSITORY):${VERSION}-alpine .
.PHONY: docker-all
docker-all: docker
$(DOCKER_BUILDX) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:latest-amd64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-amd64 .
$(DOCKER_BUILDX) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:latest-arm64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-arm64 .
$(DOCKER_BUILDX) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:latest-ppc64le -t $(REGISTRY)/oauth2-proxy:${VERSION}-ppc64le .
$(DOCKER_BUILDX) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:latest-armv6 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv6 .
$(DOCKER_BUILDX) --platform linux/arm/v7 -t $(REGISTRY)/oauth2-proxy:latest-armv7 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv7 .
$(DOCKER_BUILDX) --platform linux/amd64 -t $(REGISTRY)/$(REPOSITORY):latest-amd64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-amd64 .
$(DOCKER_BUILDX) --platform linux/arm64 -t $(REGISTRY)/$(REPOSITORY):latest-arm64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-arm64 .
$(DOCKER_BUILDX) --platform linux/ppc64le -t $(REGISTRY)/$(REPOSITORY):latest-ppc64le -t $(REGISTRY)/$(REPOSITORY):${VERSION}-ppc64le .
$(DOCKER_BUILDX) --platform linux/arm/v6 -t $(REGISTRY)/$(REPOSITORY):latest-armv6 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv6 .
$(DOCKER_BUILDX) --platform linux/arm/v7 -t $(REGISTRY)/$(REPOSITORY):latest-armv7 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv7 .
.PHONY: docker-push-all
docker-push-all: docker-push
$(DOCKER_BUILDX_PUSH) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:latest-amd64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-amd64 .
$(DOCKER_BUILDX_PUSH) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:latest-arm64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-arm64 .
$(DOCKER_BUILDX_PUSH) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:latest-ppc64le -t $(REGISTRY)/oauth2-proxy:${VERSION}-ppc64le .
$(DOCKER_BUILDX_PUSH) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:latest-armv6 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv6 .
$(DOCKER_BUILDX_PUSH) --platform linux/arm/v7 -t $(REGISTRY)/oauth2-proxy:latest-armv7 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv7 .
$(DOCKER_BUILDX_PUSH) --platform linux/amd64 -t $(REGISTRY)/$(REPOSITORY):latest-amd64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-amd64 .
$(DOCKER_BUILDX_PUSH) --platform linux/arm64 -t $(REGISTRY)/$(REPOSITORY):latest-arm64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-arm64 .
$(DOCKER_BUILDX_PUSH) --platform linux/ppc64le -t $(REGISTRY)/$(REPOSITORY):latest-ppc64le -t $(REGISTRY)/$(REPOSITORY):${VERSION}-ppc64le .
$(DOCKER_BUILDX_PUSH) --platform linux/arm/v6 -t $(REGISTRY)/$(REPOSITORY):latest-armv6 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv6 .
$(DOCKER_BUILDX_PUSH) --platform linux/arm/v7 -t $(REGISTRY)/$(REPOSITORY):latest-armv7 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv7 .
.PHONY: docker-nightly-build
docker-nightly-build:
$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy-nightly:latest -t $(REGISTRY)/oauth2-proxy-nightly:${DATE} .
$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY)-nightly:latest -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE} .
$(DOCKER_BUILDX_X_PLATFORM_ALPINE) -t ${REGISTRY}/$(REPOSITORY)-nightly:latest-alpine -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE}-alpine .
.PHONY: docker-nightly-push
docker-nightly-push:
$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy-nightly:latest -t $(REGISTRY)/oauth2-proxy-nightly:${DATE} .
$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY)-nightly:latest -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE} .
$(DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE) -t ${REGISTRY}/$(REPOSITORY)-nightly:latest-alpine -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE}-alpine .
.PHONY: generate
generate:

9
README.md
View File

@ -59,6 +59,15 @@ Read the docs on our [Docs site](https://oauth2-proxy.github.io/oauth2-proxy/doc
![OAuth2 Proxy Architecture](docs/static/img/architecture.svg)
## Images
From `v7.6.0` and up the base image has been changed from Alpine to [GoogleContainerTools/distroless](https://github.com/GoogleContainerTools/distroless).
This image comes with even fewer installed dependencies and thus should improve security. The image therefore is also slightly smaller than Alpine.
For debugging purposes (and those who really need it (i.e. `armv6`)) we still provide images based on Alpine. The tags of these images are suffixed with `-alpine`.
Since 2023-11-18 we provide nightly images. These images are build and pushed nightly to `quay.io/oauth2-proxy/oauth2-proxy-nightly` from `master`.
These images should be considered alpha and therefore *should not* be used for production purposes unless you know what you're doing.
## Getting Involved
If you would like to reach out to the maintainers, come talk to us in the `#oauth2-proxy` channel in the [Gophers slack](http://gophers.slack.com/).