Commit Graph

13 Commits

Author SHA1 Message Date
Daniel Kimsey
816c2a6da9 Move docker dep commands to earlier in the build
This will let Docker cache the results of the vendor dependencies.
Making re-builds during testing faster.

Also clean-up spurious test & rm in ./configure
2019-07-15 10:00:34 -05:00
Henry Jenkins
27bdb194b1 Update to Alpine 3.10 2019-07-13 22:14:05 +01:00
Henry Jenkins
411adf6f21 Switch linter to golangci-lint 2019-06-23 20:44:16 +01:00
Karl Skewes
d3f0cb43ca Update Alpine to 3.9 2019-05-31 18:54:20 +12:00
Karl Skewes
308bcc06a4 fix Docker user on arm
Use simple USER directive.
Using `addgroup` in final `arm` image when building on amd64 doesn't work.
I must have made a mistake during cross build verification.

Alternative is to use qemu-static but it's not worth it for this.
2019-05-03 20:54:21 +12:00
timothy-spencer
1ae62a3343
added jwt-key-file option, update docs 2019-04-15 09:49:05 -07:00
Dan Bond
bf9fedb3cf
build: use go 1.12 (#124)
* build: use go 1.12

* Update CHANGELOG.md
2019-04-12 11:15:29 +01:00
Karl Skewes
80b5873a26 Potentially breaking change: docker user & group
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:37:04 +13:00
Karl Skewes
f289543dc6 fix(docker): simplify build by copying ca-certificates.crt 2019-02-02 20:01:27 +13:00
YAEGASHI Takeshi
cb41a91a65 Docker build optimization
Update Dockefile to get a much smaller footprint with alpine image.

Optimize ordering of build steps to avoid needless downloads.

Include CA certificates needed for practical use.
2019-01-22 02:55:39 +09:00
Dan Bond
f35efd1e9c build: use go 1.11 2019-01-15 15:57:53 +00:00
Joel Speed
372ecd0cf8
Introduce Makefile 2019-01-04 10:58:30 +00:00
Joel Speed
7fa913e51c
Add Dockerfile 2018-12-20 11:06:26 +00:00