go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-01-24 05:26:55 +02:00
Code Issues Releases Activity
oauth2-proxy/Dockerfile.arm64

32 lines
1.1 KiB
Docker
Raw Normal View History

Update go version to 1.16 This includes a fix for our samesite cookie parsing. The behaviour changed in 1.16 so that the default value now leaves it empty, so it's equivalent to not setting it (as per spec)
2021-02-17 20:59:46 +00:00
FROM golang:1.16-buster AS builder
Reduce docker context to improve build times
2020-07-07 09:53:32 +01:00
ARG VERSION
feat(arm): Cross build arm and arm64 docker images - Requires `qemu-user-static`, added to travis - maybe incorrect? - Add build guide - `.gitignore` `release/` directory
2019-02-02 12:08:19 +13:00
# Copy sources
Migrate to oauth2-proxy/oauth2-proxy
2020-03-29 14:54:36 +01:00
WORKDIR $GOPATH/src/github.com/oauth2-proxy/oauth2-proxy
feat(arm): Cross build arm and arm64 docker images - Requires `qemu-user-static`, added to travis - maybe incorrect? - Add build guide - `.gitignore` `release/` directory
2019-02-02 12:08:19 +13:00
# Fetch dependencies
Merge branch 'master' into go-mod * master: Move docker dep commands to earlier in the build
2019-07-15 21:38:55 +01:00
COPY go.mod go.sum ./
Ensure gomodules are used when downloading
2019-07-15 21:49:38 +01:00
RUN GO111MODULE=on go mod download
feat(arm): Cross build arm and arm64 docker images - Requires `qemu-user-static`, added to travis - maybe incorrect? - Add build guide - `.gitignore` `release/` directory
2019-02-02 12:08:19 +13:00
Move docker dep commands to earlier in the build This will let Docker cache the results of the vendor dependencies. Making re-builds during testing faster. Also clean-up spurious test & rm in ./configure
2019-07-11 17:18:07 -05:00
# Now pull in our code
COPY . .
added jwt-key-file option, update docs
2019-03-20 15:15:47 -07:00
# Build binary and make sure there is at least an empty key file.
# This is useful for GCP App Engine custom runtime builds, because
# you cannot use multiline variables in their app.yaml, so you have to
# build the key into the container and then tell it where it is
# by setting OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem
# in app.yaml instead.
Reduce docker context to improve build times
2020-07-07 09:53:32 +01:00
RUN VERSION=${VERSION} GOARCH=arm64 make build && touch jwt_signing_key.pem
feat(arm): Cross build arm and arm64 docker images - Requires `qemu-user-static`, added to travis - maybe incorrect? - Add build guide - `.gitignore` `release/` directory
2019-02-02 12:08:19 +13:00
# Copy binary to alpine
Update alpine version to 3.13 (#1013) * Update alpine version to 3.13 alpine 3.12 has a CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928 which got fixed in recent version * address review comments
2021-01-30 07:33:28 -08:00
FROM arm64v8/alpine:3.13
Add nsswitch.conf to Docker image (#400) * Add nsswitch.conf to Docker image Created nsswitch.conf to use locally defined translations before DNS. Copied to /etc/nsswitch.conf in the image. * Add new line * Updated Changelog Co-authored-by: Dan Bond <danbond@protonmail.com>
2020-02-23 18:16:18 +00:00
COPY nsswitch.conf /etc/nsswitch.conf
fix(docker): simplify build by copying ca-certificates.crt
2019-02-02 14:20:20 +13:00
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
Migrate to oauth2-proxy/oauth2-proxy
2020-03-29 14:54:36 +01:00
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
feat(arm): Cross build arm and arm64 docker images - Requires `qemu-user-static`, added to travis - maybe incorrect? - Add build guide - `.gitignore` `release/` directory
2019-02-02 12:08:19 +13:00
fix Docker user on arm Use simple USER directive. Using `addgroup` in final `arm` image when building on amd64 doesn't work. I must have made a mistake during cross build verification. Alternative is to use qemu-static but it's not worth it for this.
2019-05-03 18:38:03 +12:00
USER 2000:2000
Potentially breaking change: docker user & group Run as non-root user and group In the unlikely event that you are currently persisting data to disk then this change may break file read/write access due to a change in the UID/GID that the oauth2_proxy process runs as. Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users. An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required. Least access privileges. Close: https://github.com/pusher/oauth2_proxy/issues/78 Locally with Docker (`-version`): ``` $ ps aux | grep oauth2 2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy] ``` Running in Kubernetes 1.13 with the following also specified: ``` securityContext: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 10001 ``` ``` $ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh /opt $ whoami whoami: unknown uid 10001 /opt $ ps aux PID USER TIME COMMAND 1 10001 0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180 11 10001 0:00 sh 17 10001 0:00 ps aux ``` <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] My change requires a change to the documentation or CHANGELOG. - [x] I have updated the documentation/CHANGELOG accordingly. - [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:26:49 +13:00
Migrate to oauth2-proxy/oauth2-proxy
2020-03-29 14:54:36 +01:00
ENTRYPOINT ["/bin/oauth2-proxy"]
Reference in New Issue Copy Permalink