oauth2-proxy/Dockerfile

# The image ARGs have to be at the top, otherwise the docker daemon cannot validate
# the FROM statements and overall Dockerfile
#
# Argument for setting the build image
ARG BUILD_IMAGE=placeholder
# Argument for setting the runtime image
ARG RUNTIME_IMAGE=placeholder
# Argument for setting the oauth2-proxy build version
ARG VERSION

# All builds should be done using the platform native to the build node to allow
#  cache sharing of the go mod download step.
# Go cross compilation is also faster than emulation the go compilation across
#  multiple platforms.
FROM --platform=${BUILDPLATFORM} ${BUILD_IMAGE} AS builder

# Copy sources
WORKDIR $GOPATH/src/github.com/oauth2-proxy/oauth2-proxy

# Fetch dependencies
COPY go.mod go.sum ./
RUN go mod download

# Now pull in our code
COPY . .

# Arguments go here so that the previous steps can be cached if no external sources
# have changed. These arguments are automatically set by the docker engine.
ARG TARGETPLATFORM
ARG BUILDPLATFORM

# Reload version argument
ARG VERSION

# Build binary and make sure there is at least an empty key file.
#  This is useful for GCP App Engine custom runtime builds, because
#  you cannot use multiline variables in their app.yaml, so you have to
#  build the key into the container and then tell it where it is
#  by setting OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem
#  in app.yaml instead.
# Set the cross compilation arguments based on the TARGETPLATFORM which is
#  automatically set by the docker engine.
RUN case ${TARGETPLATFORM} in \
         "linux/amd64")  GOARCH=amd64  ;; \
         # arm64 and arm64v8 are equivalent in go and do not require a goarm
         # https://github.com/golang/go/wiki/GoArm
         "linux/arm64" | "linux/arm/v8")  GOARCH=arm64  ;; \
         "linux/ppc64le")  GOARCH=ppc64le  ;; \
         "linux/s390x")  GOARCH=s390x  ;; \
         "linux/arm/v6") GOARCH=arm GOARM=6  ;; \
         "linux/arm/v7") GOARCH=arm GOARM=7 ;; \
    esac && \
    printf "Building OAuth2 Proxy for arch ${GOARCH}\n" && \
    GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem

# Reload runtime image
ARG RUNTIME_IMAGE
# Copy binary to runtime image
FROM ${RUNTIME_IMAGE}
# Reload version
ARG VERSION

COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem

LABEL org.opencontainers.image.licenses=MIT \
      org.opencontainers.image.description="A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers." \
      org.opencontainers.image.documentation=https://oauth2-proxy.github.io/oauth2-proxy/ \
      org.opencontainers.image.source=https://github.com/oauth2-proxy/oauth2-proxy \
      org.opencontainers.image.url=https://quay.io/oauth2-proxy/oauth2-proxy \
      org.opencontainers.image.title=oauth2-proxy \
      org.opencontainers.image.version=${VERSION}

ENTRYPOINT ["/bin/oauth2-proxy"]
chore(build): retrieve go version from go.mod as single point of truth 2025-01-17 17:56:28 +01:00			`# The image ARGs have to be at the top, otherwise the docker daemon cannot validate`
			`# the FROM statements and overall Dockerfile`
			`#`
			`# Argument for setting the build image`
			`ARG BUILD_IMAGE=placeholder`
			`# Argument for setting the runtime image`
			`ARG RUNTIME_IMAGE=placeholder`
			`# Argument for setting the oauth2-proxy build version`
doc: add standard opencontainer docker labels (#2800) 2024-10-09 06:01:36 -07:00			`ARG VERSION`
Parameterise runtime image (#1478) * Use distroless debian11 docker image * Add `Dockerfile` to `.dockerignore` * Replace `nonroot` with the matching UID/GID Alpine does not have that user, and it cause issues when trying to start the container * Use a build arg for setting the runtime image * Explain why `ARG RUNTIME_IMAGE` is at the top * Add entry to CHANGELOG * Move build-arg to `DOCKER_BUILDX_ARGS` 2022-04-14 15:10:59 +02:00
Improve build times by sharing cache and allowing platform selection 2021-10-05 16:58:54 +01:00			`# All builds should be done using the platform native to the build node to allow`
			`# cache sharing of the go mod download step.`
			`# Go cross compilation is also faster than emulation the go compilation across`
			`# multiple platforms.`
chore(build): retrieve go version from go.mod as single point of truth 2025-01-17 17:56:28 +01:00			`FROM --platform=${BUILDPLATFORM} ${BUILD_IMAGE} AS builder`
Docker build optimization Update Dockefile to get a much smaller footprint with alpine image. Optimize ordering of build steps to avoid needless downloads. Include CA certificates needed for practical use. 2019-01-22 02:50:50 +09:00
			`# Copy sources`
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 14:54:36 +01:00			`WORKDIR $GOPATH/src/github.com/oauth2-proxy/oauth2-proxy`
Add Dockerfile 2018-12-20 11:06:26 +00:00
			`# Fetch dependencies`
Merge branch 'master' into go-mod * master: Move docker dep commands to earlier in the build 2019-07-15 21:38:55 +01:00			`COPY go.mod go.sum ./`
Improve build times by sharing cache and allowing platform selection 2021-10-05 16:58:54 +01:00			`RUN go mod download`
Add Dockerfile 2018-12-20 11:06:26 +00:00
Move docker dep commands to earlier in the build This will let Docker cache the results of the vendor dependencies. Making re-builds during testing faster. Also clean-up spurious test & rm in ./configure 2019-07-11 17:18:07 -05:00			`# Now pull in our code`
			`COPY . .`

chore(build): retrieve go version from go.mod as single point of truth 2025-01-17 17:56:28 +01:00			`# Arguments go here so that the previous steps can be cached if no external sources`
			`# have changed. These arguments are automatically set by the docker engine.`
Improve build times by sharing cache and allowing platform selection 2021-10-05 16:58:54 +01:00			`ARG TARGETPLATFORM`
			`ARG BUILDPLATFORM`
chore(build): retrieve go version from go.mod as single point of truth 2025-01-17 17:56:28 +01:00
			`# Reload version argument`
fix: setting missing version during docker built 2025-01-14 16:29:26 +01:00			`ARG VERSION`
Minor change to the Dockerfile to improve build speed (#1139) "go mod download" does not depend on the VERSION env var, so moving the ARG directive after the RUN will allow better use of the Docker build cache - subsequent builds on the same machine need only re-run the "go mod download" if go.mod or go.sum has changed, rather than re-running it any time the VERSION value passed from the Makefile has changed Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2021-03-29 19:08:40 +01:00
added jwt-key-file option, update docs 2019-03-20 15:15:47 -07:00			`# Build binary and make sure there is at least an empty key file.`
			`# This is useful for GCP App Engine custom runtime builds, because`
			`# you cannot use multiline variables in their app.yaml, so you have to`
			`# build the key into the container and then tell it where it is`
			`# by setting OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem`
			`# in app.yaml instead.`
Improve build times by sharing cache and allowing platform selection 2021-10-05 16:58:54 +01:00			`# Set the cross compilation arguments based on the TARGETPLATFORM which is`
			`# automatically set by the docker engine.`
			`RUN case ${TARGETPLATFORM} in \`
			`"linux/amd64") GOARCH=amd64 ;; \`
doc: add standard opencontainer docker labels (#2800) 2024-10-09 06:01:36 -07:00			`# arm64 and arm64v8 are equivalent in go and do not require a goarm`
Build ARMv8 Docker Images (#1594) * Build ARMv8 Docker Images Fixes #1593 * Change platform to arm64/v8 * Drop separate tags for different architectures * Mark the architecture image tags for deprecation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2022-04-14 10:52:43 -04:00			`# https://github.com/golang/go/wiki/GoArm`
Set correct platform type for arm v8 docker images - A previous attempt used the wrong platform value which resulted in a build without the v8 variant being created. - Platform formatting is defined in the containerd source code as referenced by the docker documentation: https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63 Fixes #1593 - again 2022-11-03 21:24:52 -04:00			`"linux/arm64" \| "linux/arm/v8") GOARCH=arm64 ;; \`
Update Dockerfile Add ppc64le support 2022-02-17 22:55:57 +01:00			`"linux/ppc64le") GOARCH=ppc64le ;; \`
feature/s390x architecture support (#2734) * Add s390x architecture support * Update CHANGELOG 2024-08-23 02:02:02 -05:00			`"linux/s390x") GOARCH=s390x ;; \`
Improve build times by sharing cache and allowing platform selection 2021-10-05 16:58:54 +01:00			`"linux/arm/v6") GOARCH=arm GOARM=6 ;; \`
Added arch types to Docker and binary releases (#2220) * Added several arm builds to dist.sh * Added platforms to Dockerfile and updated docs * Reverted changes made for testing * Fix docker platform images * Fix docker platform images * Update Makefile Co-authored-by: Jan Larwig <jan@larwig.com> * Update Makefile Co-authored-by: Jan Larwig <jan@larwig.com> * Update Makefile Co-authored-by: Jan Larwig <jan@larwig.com> * Formatting improvements --------- Co-authored-by: Jan Larwig <jan@larwig.com> 2023-09-08 18:18:20 +02:00			`"linux/arm/v7") GOARCH=arm GOARM=7 ;; \`
Improve build times by sharing cache and allowing platform selection 2021-10-05 16:58:54 +01:00			`esac && \`
			`printf "Building OAuth2 Proxy for arch ${GOARCH}\n" && \`
Fix docker container multi arch build issue by passing GOARCH details to make build (#1445) * pass GOARCH details to make process Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com> * update changelog Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com> 2021-11-13 03:12:46 +05:30			`GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem`
Add Dockerfile 2018-12-20 11:06:26 +00:00
chore(build): retrieve go version from go.mod as single point of truth 2025-01-17 17:56:28 +01:00			`# Reload runtime image`
			`ARG RUNTIME_IMAGE`
enhancement: Change base image from alpine to distroless (#2295) * Changed base image from alpine to distroless * chore: updated Makefile * fix: removed arm/v6 and ppc64le for distroless variant * Update Dockerfile * Update Makefile * docs: Add README-section, CHANGELOG-entry and --pull to prevent caching --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2024-01-20 19:48:04 +01:00			`# Copy binary to runtime image`
Parameterise runtime image (#1478) * Use distroless debian11 docker image * Add `Dockerfile` to `.dockerignore` * Replace `nonroot` with the matching UID/GID Alpine does not have that user, and it cause issues when trying to start the container * Use a build arg for setting the runtime image * Explain why `ARG RUNTIME_IMAGE` is at the top * Add entry to CHANGELOG * Move build-arg to `DOCKER_BUILDX_ARGS` 2022-04-14 15:10:59 +02:00			`FROM ${RUNTIME_IMAGE}`
chore(build): retrieve go version from go.mod as single point of truth 2025-01-17 17:56:28 +01:00			`# Reload version`
doc: add standard opencontainer docker labels (#2800) 2024-10-09 06:01:36 -07:00			`ARG VERSION`

Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 14:54:36 +01:00			`COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy`
			`COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem`
Add Dockerfile 2018-12-20 11:06:26 +00:00
doc: add standard opencontainer docker labels (#2800) 2024-10-09 06:01:36 -07:00			`LABEL org.opencontainers.image.licenses=MIT \`
			`org.opencontainers.image.description="A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers." \`
			`org.opencontainers.image.documentation=https://oauth2-proxy.github.io/oauth2-proxy/ \`
			`org.opencontainers.image.source=https://github.com/oauth2-proxy/oauth2-proxy \`
			`org.opencontainers.image.url=https://quay.io/oauth2-proxy/oauth2-proxy \`
			`org.opencontainers.image.title=oauth2-proxy \`
			`org.opencontainers.image.version=${VERSION}`

Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 14:54:36 +01:00			`ENTRYPOINT ["/bin/oauth2-proxy"]`