From be84906fbc137bf84aa0127bfc8c77920113abce Mon Sep 17 00:00:00 2001
From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Date: Sat, 20 Jan 2024 19:48:04 +0100
Subject: [PATCH] enhancement: Change base image from alpine to distroless (#2295)

* Changed base image from alpine to distroless
* chore: updated Makefile
* fix: removed arm/v6 and ppc64le for distroless variant
* Update Dockerfile
* Update Makefile
* docs: Add README-section, CHANGELOG-entry and --pull to prevent caching
---------
Co-authored-by: Joel Speed
---
 CHANGELOG.md | 1 +
 Dockerfile | 7 ++-----
 Makefile | 50 +++++++++++++++++++++++++++++++-------------------
 README.md | 9 +++++++++
 4 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bee904e6..6fbc9775 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@
 - [#2299](https://github.com/oauth2-proxy/oauth2-proxy/pull/2299) bugfix: OIDCConfig based providers are not respecting flags and configs (@tuunit)
 - [#2248](https://github.com/oauth2-proxy/oauth2-proxy/pull/2248) Added support for semicolons in query strings. (@timwsuqld)
 - [#2196](https://github.com/oauth2-proxy/oauth2-proxy/pull/2196) Add GitHub groups (orgs/teams) support. Including `X-Forwarded-Groups` header (@tuunit)
+- [#2295](https://github.com/oauth2-proxy/oauth2-proxy/pull/2295) Change base-image to [GoogleContainerTools/distroless](https://github.com/GoogleContainerTools/distroless) (@kvanzuijlen)
 - [#2356](https://github.com/oauth2-proxy/oauth2-proxy/pull/2356) Update go-jose dependency (@dasvh)
 - [#2357](https://github.com/oauth2-proxy/oauth2-proxy/pull/2357) Update ojg to latest release (@bitfehler)
 
diff --git a/Dockerfile b/Dockerfile
index e2726965..a997d295 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # This ARG has to be at the top, otherwise the docker daemon does not known what to do with FROM ${RUNTIME_IMAGE}
-ARG RUNTIME_IMAGE=docker.io/library/alpine:3.18
+ARG RUNTIME_IMAGE=gcr.io/distroless/static:nonroot
 
 # All builds should be done using the platform native to the build node to allow
 # cache sharing of the go mod download step.
@@ -43,13 +43,10 @@ RUN case ${TARGETPLATFORM} in \
 printf "Building OAuth2 Proxy for arch ${GOARCH}\n" && \
 GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem
 
-# Copy binary to alpine
+# Copy binary to runtime image
 FROM ${RUNTIME_IMAGE}
 COPY nsswitch.conf /etc/nsswitch.conf
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
 
-# UID/GID 65532 is also known as nonroot user in distroless image
-USER 65532:65532
-
 ENTRYPOINT ["/bin/oauth2-proxy"]
diff --git a/Makefile b/Makefile
index 37d7ab71..bd55cfb2 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,9 @@ GOLANGCILINT ?= golangci-lint
 BINARY := oauth2-proxy
 VERSION ?= $(shell git describe --always --dirty --tags 2>/dev/null || echo "undefined")
 # Allow to override image registry.
-REGISTRY ?= quay.io/oauth2-proxy
+REGISTRY ?= quay.io/oauth2-proxy
+REPOSITORY ?= oauth2-proxy
+
 DATE := $(shell date +"%Y%m%d")
 .NOTPARALLEL:
 
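Review bot: Dropping `USER 65532:65532` in the second Dockerfile hunk makes the unprivileged user depend entirely on the base image, but `RUNTIME_IMAGE` is a build arg and the Makefile in this same commit builds an `-alpine` variant from `alpine:3.18.4`, which sets no USER, so those images (and any custom `RUNTIME_IMAGE`) now start the proxy as root. `gcr.io/distroless/static:nonroot` already uses that same numeric UID/GID, so restoring the two removed lines after the `COPY` lines costs nothing there and keeps every variant non-root: `# UID/GID 65532 is also known as nonroot user in distroless image` / `USER 65532:65532`. A numeric USER presumably needs no passwd entry, so this should work on alpine without adding a user there. The `ARG RUNTIME_IMAGE` default in the first hunk is a floating tag; if reproducible builds matter, pin it by digest (`gcr.io/distroless/static:nonroot@sha256:<digest>`).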
@@ -40,45 +42,55 @@ build: validate-go-version clean $(BINARY)
 $(BINARY):
 	CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X main.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7
 
-DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7
-DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.18
-DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}
-DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
+DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v7
+DOCKER_BUILD_RUNTIME_IMAGE ?= gcr.io/distroless/static:nonroot
+DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE} --build-arg VERSION=${VERSION}
+DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --pull
 DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM}
 DOCKER_BUILDX_PUSH := $(DOCKER_BUILDX) --push
 DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM}
 
+DOCKER_BUILD_PLATFORM_ALPINE ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7
+DOCKER_BUILD_RUNTIME_IMAGE_ALPINE ?= alpine:3.18.4
+DOCKER_BUILDX_ARGS_ALPINE ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE_ALPINE} --build-arg VERSION=${VERSION}
+DOCKER_BUILDX_X_PLATFORM_ALPINE := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --platform ${DOCKER_BUILD_PLATFORM_ALPINE}
+DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE := $(DOCKER_BUILDX_X_PLATFORM_ALPINE) --push
+
 .PHONY: docker
 docker:
-	$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} .
+	$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY):latest -t $(REGISTRY)/$(REPOSITORY):${VERSION} .
+	$(DOCKER_BUILDX_X_PLATFORM_ALPINE) -t $(REGISTRY)/$(REPOSITORY):latest-alpine -t $(REGISTRY)/$(REPOSITORY):${VERSION}-alpine .
 
 .PHONY: docker-push
 docker-push:
-	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} .
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY):latest -t $(REGISTRY)/$(REPOSITORY):${VERSION} .
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE) -t $(REGISTRY)/$(REPOSITORY):latest-alpine -t $(REGISTRY)/$(REPOSITORY):${VERSION}-alpine .
 
 .PHONY: docker-all
 docker-all: docker
-	$(DOCKER_BUILDX) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:latest-amd64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-amd64 .
-	$(DOCKER_BUILDX) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:latest-arm64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-arm64 .
-	$(DOCKER_BUILDX) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:latest-ppc64le -t $(REGISTRY)/oauth2-proxy:${VERSION}-ppc64le .
-	$(DOCKER_BUILDX) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:latest-armv6 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv6 .
-	$(DOCKER_BUILDX) --platform linux/arm/v7 -t $(REGISTRY)/oauth2-proxy:latest-armv7 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv7 .
+	$(DOCKER_BUILDX) --platform linux/amd64 -t $(REGISTRY)/$(REPOSITORY):latest-amd64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-amd64 .
+	$(DOCKER_BUILDX) --platform linux/arm64 -t $(REGISTRY)/$(REPOSITORY):latest-arm64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-arm64 .
+	$(DOCKER_BUILDX) --platform linux/ppc64le -t $(REGISTRY)/$(REPOSITORY):latest-ppc64le -t $(REGISTRY)/$(REPOSITORY):${VERSION}-ppc64le .
+	$(DOCKER_BUILDX) --platform linux/arm/v6 -t $(REGISTRY)/$(REPOSITORY):latest-armv6 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv6 .
+	$(DOCKER_BUILDX) --platform linux/arm/v7 -t $(REGISTRY)/$(REPOSITORY):latest-armv7 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv7 .
 
 .PHONY: docker-push-all
 docker-push-all: docker-push
-	$(DOCKER_BUILDX_PUSH) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:latest-amd64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-amd64 .
-	$(DOCKER_BUILDX_PUSH) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:latest-arm64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-arm64 .
-	$(DOCKER_BUILDX_PUSH) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:latest-ppc64le -t $(REGISTRY)/oauth2-proxy:${VERSION}-ppc64le .
-	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:latest-armv6 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv6 .
-	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v7 -t $(REGISTRY)/oauth2-proxy:latest-armv7 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv7 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/amd64 -t $(REGISTRY)/$(REPOSITORY):latest-amd64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-amd64 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/arm64 -t $(REGISTRY)/$(REPOSITORY):latest-arm64 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-arm64 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/ppc64le -t $(REGISTRY)/$(REPOSITORY):latest-ppc64le -t $(REGISTRY)/$(REPOSITORY):${VERSION}-ppc64le .
+	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v6 -t $(REGISTRY)/$(REPOSITORY):latest-armv6 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv6 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v7 -t $(REGISTRY)/$(REPOSITORY):latest-armv7 -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv7 .
 
 .PHONY: docker-nightly-build
 docker-nightly-build:
-	$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy-nightly:latest -t $(REGISTRY)/oauth2-proxy-nightly:${DATE} .
+	$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY)-nightly:latest -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE} .
+	$(DOCKER_BUILDX_X_PLATFORM_ALPINE) -t ${REGISTRY}/$(REPOSITORY)-nightly:latest-alpine -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE}-alpine .
 
 .PHONY: docker-nightly-push
 docker-nightly-push:
-	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy-nightly:latest -t $(REGISTRY)/oauth2-proxy-nightly:${DATE} .
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY)-nightly:latest -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE} .
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE) -t ${REGISTRY}/$(REPOSITORY)-nightly:latest-alpine -t $(REGISTRY)/$(REPOSITORY)-nightly:${DATE}-alpine .
 
 .PHONY: generate
 generate:
diff --git a/README.md b/README.md
index e4e6be68..324d0d89 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,15 @@ Read the docs on our [Docs site](https://oauth2-proxy.github.io/oauth2-proxy/doc
 
 ![OAuth2 Proxy Architecture](docs/static/img/architecture.svg)
 
+## Images
+
+From `v7.6.0` and up the base image has been changed from Alpine to [GoogleContainerTools/distroless](https://github.com/GoogleContainerTools/distroless).
+This image comes with even fewer installed dependencies and thus should improve security. The image therefore is also slightly smaller than Alpine.
+For debugging purposes (and those who really need it (i.e. `armv6`)) we still provide images based on Alpine. The tags of these images are suffixed with `-alpine`.
+
+Since 2023-11-18 we provide nightly images. These images are build and pushed nightly to `quay.io/oauth2-proxy/oauth2-proxy-nightly` from `master`.
+These images should be considered alpha and therefore *should not* be used for production purposes unless you know what you're doing.
+
 ## Getting Involved
 
 If you would like to reach out to the maintainers, come talk to us in the `#oauth2-proxy` channel in the [Gophers slack](http://gophers.slack.com/).
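Review bot: The per-architecture `linux/arm/v6` recipe lines in `docker-all` and `docker-push-all` still use `$(DOCKER_BUILDX)`, whose `RUNTIME_IMAGE` default is now `gcr.io/distroless/static:nonroot`, while this same hunk drops `linux/arm/v6` from `DOCKER_BUILD_PLATFORM` because the distroless variant does not cover it; those `-armv6` tag builds will presumably fail, so either remove the two lines or build that tag with `${DOCKER_BUILDX_ARGS_ALPINE}`. `DOCKER_BUILDX_X_PLATFORM_ALPINE` also omits the `--pull` that `DOCKER_BUILDX` gained, so the alpine variant can still be built from a stale locally cached `alpine:3.18.4`: `DOCKER_BUILDX_X_PLATFORM_ALPINE := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --pull --platform ${DOCKER_BUILD_PLATFORM_ALPINE}`. Minor: the two nightly alpine recipes write `${REGISTRY}` where every other line uses `$(REGISTRY)`, and `--build-arg VERSION=${VERSION}` is now duplicated between `DOCKER_BUILDX_ARGS` and `DOCKER_BUILDX_ARGS_ALPINE`. Both runtime-image defaults are mutable tags; pinning by digest (`alpine:3.18.4@sha256:<digest>`) would make the published images reproducible from the Makefile alone.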