Adding official Docker image #372
It would be better to actually build from local source with local go. If this is done by the maintainers as they make a release, it will be equivalent to the release built by dist.sh. (The download link will break often because the latest-go-version-at-release is also in it.) It would be better to not maintain a set of root CA certificates in this repo, particularly since it's not obvious where exactly they came from. A better option may be to download them (from e.g. a trusted Mozilla URL) in the build step of the Makefile.
I agree with you. The problem is there is really no place I know online to get the .crt file (I pulled the one here from the latest Ubuntu). Mozilla only publishes a file which must be "processed" first. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ Does anyone know a good source? Or, I could use this approach: https://github.com/broady/cacerts
I think debian ca-certificates is fine. Getting it from a docker image that contains just the ca-certificates is a bit odd (but would work). Another option is to download directly from https://raw.githubusercontent.com/certifi/python-certifi/master/certifi/cacert.pem
I could use the dist.sh script to build the binary exactly as if it was built otherwise, however it always builds the latest version. This also grabs the suggested cert file although I would prefer some way of getting it from Mozilla - I just can't figure that out. Thoughts about an approach like this?

```makefile
build:
	# build the binary (each recipe line without a trailing backslash runs in its own shell)
	cd .. && \
	./dist.sh
	# get binary
	# cd docker
	cp ../dist/*linux*.* binary.tar.gz && \
	tar xfz binary.tar.gz --strip-components 1 && \
	rm -rf binary.tar.gz
	# get the ca certificates. We get them from Certifi, which is a carefully curated
	# collection of Root Certificates for validating the trustworthiness of
	# SSL certificates while verifying the identity of TLS hosts.
	# https://github.com/certifi/python-certifi
	wget https://raw.githubusercontent.com/certifi/python-certifi/master/certifi/cacert.pem -O ca-certificates.crt
	# build the docker image
	docker build -t $(DOCKER_NAME)/$(IMAGE_NAME):latest .
```
That is roughly what I had in mind, thanks. As another example,
re ca-certificates, we use alpine and our dockerfile looks like this for pre-built binary which I think is pretty simple and lightweight:
or, we used this one before we started using custom prebuilt binary:
You could also use https://curl.haxx.se/ca/cacert.pem or https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt (though, seems the latter is deprecated in favor of the former). https://curl.haxx.se/docs/caextract.html has more information on this.
Curl's website does look like a good source for such a CA bundle. It's probably equivalent to what is currently being fetched from the Certifi project. Interestingly, that page says:
... which makes me wonder how many such constrained domain-signing CAs are present, if they are similarly present in the Certifi bundle (probably?), if it would be practical to omit them ... but I think those are questions for another time, no need to answer them here.
Bump! Is there anything blocking for this PR or way I could contribute? Would love an official image at Docker Hub or Quay (as I mentioned in the duplicate #416) so I could
Bump, https://hub.docker.com/r/a5huynh/oauth2_proxy/ seems to be the only up to date one, but it's a 250MB image |
Docker 17.05 and up supports multistage builds. This would allow you to use It would be good to add a user in the container so it doesn't run as root. Should there be an I have done this with another golang project. Feel free to grab what you find useful from it.
It's written to generate a small image - around 16 MB. Fixes bitly#372
I published a pull request to create a Docker image using multi-stage build (PR #460) It's recommended to build it at Docker Cloud - automated on every push and every tag. You will need to set this up yourself using your account, so that it's really official. I can help out if you want step-by-step instructions. (Yes, I realized now that I'm adding a "Fix" for a PR, not an issue. I thought this was an issue.)
Any update on this?
The official PR is a ghost town, so... bitly/oauth2_proxy#372
Fyi: there is an active discussion about forking this (obviously unmaintained) project here: #628 |
I know there is another pull request for this already. This addresses the idea that the docker container could be/should be tied to the version I check out and it creates a TINY container - literally the smallest possible.
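A multi-stage Dockerfile that puts together the points raised in this thread: build from the local checkout rather than a download, take the CA bundle from the distro's ca-certificates package instead of keeping one in the repo or fetching an unpinned file at build time, run as a non-root user, and stamp the image with the version that was actually checked out. This is an added example, not the project's own or any commenter's Dockerfile; it assumes a GOPATH-style checkout of github.com/bitly/oauth2_proxy with vendored dependencies (a module-based checkout would drop GO111MODULE=off and the GOPATH path), and golang:alpine stands in for a pinned builder tag.

```dockerfile
# Added example (not the oauth2_proxy project's Dockerfile).
# Assumptions: build context is the repository root; GOPATH-style layout with
# vendored deps; "golang:alpine" is a placeholder for an exact, pinned tag.
FROM golang:alpine AS builder

# Distro-maintained root CA bundle; lands in /etc/ssl/certs/ca-certificates.crt,
# which Go's crypto/x509 reads by default on Linux. No bundle lives in the repo
# and nothing is downloaded from an unpinned URL during the build.
RUN apk add --no-cache ca-certificates

# Build the source that is actually checked out, not "latest".
WORKDIR /go/src/github.com/bitly/oauth2_proxy
COPY . .
ENV GO111MODULE=off CGO_ENABLED=0 GOOS=linux
RUN go build -a -ldflags '-s -w' -o /oauth2_proxy .

# Final stage: only the static binary and the CA bundle, nothing else to patch.
FROM scratch

# Version comes from the checkout (see usage below), so the image is tied to a
# specific tag or commit rather than whatever the build host fetched.
ARG VERSION=unknown
LABEL org.opencontainers.image.version="$VERSION"

COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=builder /oauth2_proxy /oauth2_proxy

# Unprivileged numeric uid:gid ("nobody"); numeric form works on scratch,
# which has no /etc/passwd to resolve a user name against.
USER 65534:65534

# 4180 is oauth2_proxy's default listen port; inside a container it must bind
# to 0.0.0.0 rather than the default 127.0.0.1 to be reachable.
EXPOSE 4180
ENTRYPOINT ["/oauth2_proxy"]
CMD ["--http-address=0.0.0.0:4180"]
```

Build it from the checkout with `docker build --build-arg VERSION="$(git describe --tags --always)" -t oauth2_proxy:local .` so the label records the tag or commit being built; `docker inspect` then shows which source the running image came from.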