From 2e9c30ac12a2202e65212456f6ddba7f623456f2 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng <1681525+omBratteng@users.noreply.github.com> Date: Thu, 14 Apr 2022 15:10:59 +0200 Subject: [PATCH] Parameterise runtime image (#1478) * Use distroless debian11 docker image * Add `Dockerfile` to `.dockerignore` * Replace `nonroot` with the matching UID/GID Alpine does not have that user, and it causes issues when trying to start the container * Use a build arg for setting the runtime image * Explain why `ARG RUNTIME_IMAGE` is at the top * Add entry to CHANGELOG * Move build-arg to `DOCKER_BUILDX_ARGS` --- .dockerignore | 1 + CHANGELOG.md | 4 ++++ Dockerfile | 9 ++++++--- Makefile | 3 ++- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.dockerignore b/.dockerignore index 1bc5bbc6..dc32300f 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,4 +1,5 @@ Dockerfile.dev +Dockerfile docs vendor .git diff --git a/CHANGELOG.md b/CHANGELOG.md index 9270443a..1971965e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,10 +9,14 @@ ## Important Notes +- [#1478](https://github.com/oauth2-proxy/oauth2-proxy/pull/1478) Changes the UID and GID of the runtime user to `65532`. + Which also is known as `nonroot` user in [distroless images](https://github.com/GoogleContainerTools/distroless). + ## Breaking Changes ## Changes since v7.2.1 +- [#1478](https://github.com/oauth2-proxy/oauth2-proxy/pull/1478) Parameterise the runtime image (@omBratteng) - [#1583](https://github.com/oauth2-proxy/oauth2-proxy/pull/1583) Add groups to session too when creating session from bearer token (@adriananeci) - [#1418](https://github.com/oauth2-proxy/oauth2-proxy/pull/1418) Support for passing arbitrary query parameters through from `/oauth2/start` to the identity provider's login URL. Configuration settings control which parameters are passed by default and precisely which values can be overridden per-request (@ianroberts) - [#1559](https://github.com/oauth2-proxy/oauth2-proxy/pull/1559) Introduce ProviderVerifier to clean up OIDC discovery code (@JoelSpeed) diff --git a/Dockerfile b/Dockerfile index e6963e32..1615b9a8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,6 @@ +# This ARG has to be at the top, otherwise the docker daemon does not known what to do with FROM ${RUNTIME_IMAGE} +ARG RUNTIME_IMAGE=alpine:3.15 + # All builds should be done using the platform native to the build node to allow # cache sharing of the go mod download step. # Go cross compilation is also faster than emulation the go compilation across 
@@ -38,12 +41,12 @@ RUN case ${TARGETPLATFORM} in \ GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem # Copy binary to alpine -FROM alpine:3.15 +FROM ${RUNTIME_IMAGE} COPY nsswitch.conf /etc/nsswitch.conf -COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem -USER 2000:2000 +# UID/GID 65532 is also known as nonroot user in distroless image +USER 65532:65532 ENTRYPOINT ["/bin/oauth2-proxy"] diff --git a/Makefile b/Makefile index a0ff29d9..965d00a2 100644 --- a/Makefile +++ b/Makefile @@ -40,7 +40,8 @@ $(BINARY): CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X main.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7 DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6 -DOCKER_BUILDX_ARGS ?= +DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.15 +DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE} DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION} DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM} DOCKER_BUILDX_PUSH := docker buildx build --push ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
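Review bot: in the CHANGELOG hunk, the runtime UID/GID change (the Dockerfile hunk goes from `USER 2000:2000` to `USER 65532:65532`) is filed under `## Important Notes` while `## Breaking Changes` stays empty, yet any deployment that mounts volumes, secrets or a cookie-secret file owned by UID 2000, or pins `runAsUser: 2000` in a pod securityContext, will fail to read those files after the upgrade. Either move the entry under Breaking Changes or extend it to say that existing volumes must be re-owned to 65532 and securityContext values updated. The second line `Which also is known as ...` is also a sentence fragment; fold it into the previous one, e.g. "... to `65532`, which is also known as the `nonroot` user in distroless images."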
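Review bot: the new comment above `ARG RUNTIME_IMAGE=alpine:3.15` in the first Dockerfile hunk has a typo (`does not known what to do` should read `does not know what to do`) and would be more useful if it stated the actual rule rather than the symptom: an `ARG` declared before the first `FROM` is in scope only for `FROM` instructions, so if any stage later needs `${RUNTIME_IMAGE}` it must re-declare `ARG RUNTIME_IMAGE` inside that stage. Suggest something like `# Declared before the first FROM so it can be used in FROM ${RUNTIME_IMAGE}; it is not visible inside build stages unless re-declared there.`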
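Review bot: in the second Dockerfile hunk, removing `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt` turns the CA bundle into an undocumented requirement on whatever `RUNTIME_IMAGE` is passed in. `alpine:3.15` and the distroless images both ship one, but anyone passing a slimmer image (or `scratch`) gets a proxy that starts cleanly and then fails every TLS connection to the identity provider with an unknown-authority error. Either keep the COPY so the build does not depend on the base image, or state the requirement (a bundle at `/etc/ssl/certs/ca-certificates.crt`, plus an `/etc` the `nsswitch.conf` copy can land in) in the comment next to the `ARG`. The comment on `USER 65532:65532` should also note that the numeric form is deliberate: Alpine has no passwd entry for that UID (as the commit message says), so a name would not resolve, whereas a numeric `USER` is exactly what Kubernetes `runAsNonRoot` needs to verify the container is non-root without an `/etc/passwd` lookup.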
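Review bot: in the Makefile hunk, folding `--build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}` into `DOCKER_BUILDX_ARGS ?=` means a caller who already overrides `DOCKER_BUILDX_ARGS` (previously an empty hook for extra flags) silently drops the runtime-image argument, and `DOCKER_BUILD_RUNTIME_IMAGE` is then ignored without any warning. Keep `DOCKER_BUILDX_ARGS ?=` empty and append the build-arg in the command definitions instead, e.g. `DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE} --build-arg VERSION=${VERSION}` and the same for `DOCKER_BUILDX_PUSH`. The default `alpine:3.15` is now also duplicated between `DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.15` here and the `ARG` default in the Dockerfile; leaving the Makefile variable unset by default and only passing the build-arg when it is set (an `ifdef DOCKER_BUILD_RUNTIME_IMAGE` block) keeps the Dockerfile as the single place the default lives, so the two cannot drift apart on the next bump.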