This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Adding official Docker image #372

wants to merge 1 commit into base: master

Conversation

dstroot

@dstroot dstroot commented Apr 10, 2017

I know there is another pull request for this already. This addresses the idea that the docker container could be/should be tied to the version I check out and it creates a TINY container - literally the smallest possible.

@dstroot dstroot mentioned this pull request Apr 10, 2017
@ploxiln
Contributor

ploxiln commented Apr 10, 2017

It would be better to actually build from local source with local go. If this is done by the maintainers as they make a release, it will be equivalent to the release built by dist.sh. (The download link will break often because the latest-go-version-at-release is also in it.)

It would be better to not maintain a set of root CA certificates in this repo, particularly since it's not obvious where exactly they came from. A better option may be to download them (from e.g. a trusted Mozilla URL) in the build step of the Makefile.

@dstroot
Author

dstroot commented Apr 10, 2017

I agree with you. The problem is there is really no place I know online to get the .crt file (I pulled the one here from the latest Ubuntu). Mozilla only publishes a file which must be "processed" first.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/

Does anyone know a good source? Or, I could use this approach: https://github.com/broady/cacerts

@ploxiln
Contributor

ploxiln commented Apr 11, 2017

I think debian ca-certificates is fine. Getting it from a docker image that contains just the ca-certificates is a bit odd (but would work). Another option is to download directly from https://raw.githubusercontent.com/certifi/python-certifi/master/certifi/cacert.pem

@dstroot
Author

dstroot commented Apr 13, 2017

I could use the dist.sh script to build the binary exactly as if it was built otherwise, however it always builds the latest version.

This also grabs the suggested cert file although I would prefer some way of getting it from Mozilla - I just can't figure that out.

Thoughts about an approach like this?

build:
	# build the binary exactly as the release script does
	cd .. && \
	./dist.sh
	
	# unpack the linux build into this directory; each step must be
	# chained with && so a failed extract does not silently continue
	cp ../dist/*linux*.* binary.tar.gz && \
	tar xfz binary.tar.gz --strip-components 1 && \
	rm -f binary.tar.gz
	
	# get the ca certificates from Certifi, a carefully curated
	# collection of root certificates for validating the trustworthiness of
	# SSL certificates while verifying the identity of TLS hosts.
	# https://github.com/certifi/python-certifi
	wget https://raw.githubusercontent.com/certifi/python-certifi/master/certifi/cacert.pem -O ca-certificates.crt
	
	# build the docker image
	docker build -t $(DOCKER_NAME)/$(IMAGE_NAME):latest .

@ploxiln
Contributor

ploxiln commented Apr 13, 2017

That is roughly what I had in mind, thanks. As another example, dist.sh for nsq runs "docker build" itself: https://github.com/nsqio/nsq/blob/master/dist.sh

@idntfy
Contributor

idntfy commented Apr 17, 2017

re ca-certificates, we use alpine and our dockerfile looks like this for pre-built binary which I think is pretty simple and lightweight:

FROM alpine
RUN apk add --no-cache --virtual=build-dependencies ca-certificates
COPY oauth2_proxy /run
CMD /run/oauth2_proxy

or, we used this one before we started using custom prebuilt binary:

FROM alpine

RUN apk add --no-cache --virtual=build-dependencies wget ca-certificates && \
    wget -P /tmp https://github.com/bitly/oauth2_proxy/releases/download/v2.1/oauth2_proxy-2.1.linux-amd64.go1.6.tar.gz && \
    tar -C /tmp -zxvf /tmp/oauth2_proxy-2.1.linux-amd64.go1.6.tar.gz && \
    mv /tmp/oauth2_proxy-2.1.linux-amd64.go1.6/oauth2_proxy /run/oauth2_proxy

CMD /run/oauth2_proxy

@reedloden
Contributor

You could also use https://curl.haxx.se/ca/cacert.pem or https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt (though, seems the latter is deprecated in favor of the former).

https://curl.haxx.se/docs/caextract.html has more information on this.

@ploxiln
Contributor

ploxiln commented Apr 19, 2017

Curl's website does look like a good source for such a CA bundle. It's probably equivalent to what is currently being fetched from the Certifi project.

Interestingly, that page says:

The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!

... which makes me wonder how many such constrained domain-signing CAs are present, if they are similarly present in the Certifi bundle (probably?), if it would be practical to omit them ... but I think those are questions for another time, no need to answer them here.

@ploxiln ploxiln mentioned this pull request Jul 5, 2017
@julianvmodesto

Bump! Is there anything blocking for this PR or way I could contribute?

Would love an official image at Docker Hub or Quay (as I mentioned in the duplicate #416) so I could docker pull bitly/oauth2-proxy:2.2 && docker run ..., and further set up an oauth2-proxy sidecar in a Kubernetes Pod.

@buckhx

buckhx commented Jul 11, 2017

Bump, https://hub.docker.com/r/a5huynh/oauth2_proxy/ seems to be the only up to date one, but it's a 250MB image

@skwashd

skwashd commented Aug 20, 2017

Docker 17.05 and up supports multistage builds. This would allow you to use dist.sh to build the oauth2_proxy binary in the first stage and then copy it and anything else you need into a clean FROM scratch image in the second stage.

It would be good to add a user in the container so it doesn't run as root. Should there be an EXPOSE directive to make the service available on port 4180?

I have done this with another golang project. Feel free to grab what you find useful from it.
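A multi-stage Dockerfile along the lines skwashd describes above, as an added example that is not code from this PR or from the oauth2_proxy project. It assumes the source builds with plain `go build` from its GOPATH location with vendored dependencies, uses a placeholder Go image tag, and takes the CA bundle from the builder image's ca-certificates package instead of checking one into the repo.

```dockerfile
# Stage 1: build a static binary. The Go image tag is a placeholder;
# pin it to the release's Go version. Building with CGO disabled yields
# a binary that needs no libc, so it can run in a scratch image.
FROM golang:1.9 AS builder
ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
# Assumption: the source builds from its GOPATH path with vendored deps.
COPY . /go/src/github.com/bitly/oauth2_proxy
WORKDIR /go/src/github.com/bitly/oauth2_proxy
RUN go build -ldflags='-s -w' -o /out/oauth2_proxy .

# Stage 2: nothing but the binary and the CA bundle it needs to verify
# the upstream OAuth provider's TLS certificate. The bundle comes from
# the builder image's Debian ca-certificates package, not from this repo.
FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /out/oauth2_proxy /oauth2_proxy
# Do not run as root: scratch has no /etc/passwd, so use a numeric uid:gid.
USER 65534:65534
# oauth2_proxy listens on port 4180 by default.
EXPOSE 4180
ENTRYPOINT ["/oauth2_proxy"]
```

Because the default `--http-address` binds to 127.0.0.1, pass `--http-address=0.0.0.0:4180` at run time so the listener is reachable from outside the container.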

boivie added a commit to boivie/oauth2_proxy that referenced this pull request Sep 30, 2017
It's written to generate a small image - around 16 MB.

Fixes bitly#372
@boivie boivie mentioned this pull request Sep 30, 2017
@boivie

boivie commented Sep 30, 2017

I published a pull request to create a Docker image using multi-stage build (PR #460)

It's recommended to build it at Docker Cloud - automated on every push and every tag. You will need to set this up yourself using your account, so that it's really official. I can help out if you want step-by-step instructions.

(Yes, I realized now that I'm adding a "Fix" for a PR, not an issue. I thought this was an issue.)

tanner-bruce pushed a commit to tanner-bruce/oauth2_proxy that referenced this pull request Oct 16, 2017
It's written to generate a small image - around 16 MB.

Fixes bitly#372
madmod pushed a commit to daffinity/oauth2_proxy that referenced this pull request Dec 1, 2017
It's written to generate a small image - around 16 MB.

Fixes bitly#372
@ploxiln ploxiln mentioned this pull request May 29, 2018
@adamdecaf

Any update on this?

adamdecaf added a commit to adamdecaf/infra that referenced this pull request Sep 19, 2018
@martin-loetzsch

Fyi: there is an active discussion about forking this (obviously unmaintained) project here: #628

10 participants