Parameterise runtime image (#1478)

* Use distroless debian11 docker image * Add `Dockerfile` to `.dockerignore` * Replace `nonroot` with the matching UID/GID Alpine does not have that user, and it cause issues when trying to start the container * Use a build arg for setting the runtime image * Explain why `ARG RUNTIME_IMAGE` is at the top * Add entry to CHANGELOG * Move build-arg to `DOCKER_BUILDX_ARGS`
2024-11-21 17:57:04 +02:00 · 2022-04-14 15:10:59 +02:00 · 2022-04-14 15:10:59 +02:00 · 2e9c30ac12
commit 2e9c30ac12
parent f820deb96d
4 changed files with 13 additions and 4 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,4 +1,5 @@
 Dockerfile.dev
+Dockerfile
 docs
 vendor
 .git
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,10 +9,14 @@

 ## Important Notes

+- [#1478](https://github.com/oauth2-proxy/oauth2-proxy/pull/1478) Changes the UID and GID of the runtime user to `65532`.
+  Which also is known as `nonroot` user in [distroless images](https://github.com/GoogleContainerTools/distroless).
+
 ## Breaking Changes

 ## Changes since v7.2.1

+- [#1478](https://github.com/oauth2-proxy/oauth2-proxy/pull/1478) Parameterise the runtime image (@omBratteng)
 - [#1583](https://github.com/oauth2-proxy/oauth2-proxy/pull/1583) Add groups to session too when creating session from bearer token (@adriananeci)
 - [#1418](https://github.com/oauth2-proxy/oauth2-proxy/pull/1418) Support for passing arbitrary query parameters through from `/oauth2/start` to the identity provider's login URL. Configuration settings control which parameters are passed by default and precisely which values can be overridden per-request (@ianroberts)
 - [#1559](https://github.com/oauth2-proxy/oauth2-proxy/pull/1559) Introduce ProviderVerifier to clean up OIDC discovery code (@JoelSpeed)
--- a/9
+++ b/9
@ -1,3 +1,6 @@
+# This ARG has to be at the top, otherwise the docker daemon does not known what to do with FROM ${RUNTIME_IMAGE}
+ARG RUNTIME_IMAGE=alpine:3.15
+
 # All builds should be done using the platform native to the build node to allow
 #  cache sharing of the go mod download step.
 # Go cross compilation is also faster than emulation the go compilation across
@ -38,12 +41,12 @@ RUN case ${TARGETPLATFORM} in \
    GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem

 # Copy binary to alpine
-FROM alpine:3.15
+FROM ${RUNTIME_IMAGE}
 COPY nsswitch.conf /etc/nsswitch.conf
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem

-USER 2000:2000
+# UID/GID 65532 is also known as nonroot user in distroless image
+USER 65532:65532

 ENTRYPOINT ["/bin/oauth2-proxy"]
--- a/3
+++ b/3
@ -40,7 +40,8 @@ $(BINARY):
 	CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X main.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7

 DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6
-DOCKER_BUILDX_ARGS ?=
+DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.15
+DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}
 DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
 DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM}
 DOCKER_BUILDX_PUSH := docker buildx build --push ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}