feat: Add gomplate to the docker image #1893
Conversation
nabokihms
force-pushed
the
add-dockerize
branch
from
53d2fce to
c56c38c
Compare
There was a problem hiding this comment.
I feel like there is more we can do here:
- I'd get rid of the entrypoint entirely
serveshould be the default command IMHOserverequires a config, so we need some sort of default
I'm not sure I'm a fan of reading config from stdin. I guess it's there so we don't write the resulting config to ephemeral storage, but it feels like a complication without benefits: anyone with access to the storage has already access to the container itself.
At least for now, I'd just write the configuration to /etc/dex/config.yaml.
WDYT?
|
Everything sounds reasonable to me. The only thing that remains is implementation. I will work on it. |
Dockerfile
Outdated
|
|
||
| CMD ["version"] | ||
| ENTRYPOINT ["dockerize", "-no-overwrite", "-template", "/etc/dex/config.tmpl:/etc/dex/config.yaml"] | ||
| CMD ["dex", "serve", "/etc/dex/config.yaml"] |
There was a problem hiding this comment.
What about moving "dex" to the end of ENTRYPOINT, to avoid a breaking change for current users of the Docker image?
ENTRYPOINT ["dockerize", "-no-overwrite", "-template", "/etc/dex/config.tmpl:/etc/dex/config.yaml", "dex"]
CMD ["serve", "/etc/dex/config.yaml"]
It may look less clean in the Dockerfile, but in my opinion it's better to avoid the breaking change.
If you still decide for the breaking change, at least it should be mentioned in the release notes ("Does this PR introduce a user-facing change?")
There was a problem hiding this comment.
Seems reasonable. Thanks!
There was a problem hiding this comment.
Personally, I never like when an application is the entrypoint. It just ties the user's hands. Although it is a breaking change, but I don't think it'll affect most users. We could think of some sort of deprecation for this change to warn users in advance, but I'm not sure how effective it would be.
There was a problem hiding this comment.
I hardly believe that adding a deprecation warning will help. Mentioning such a change in the RM should be enough. However, for me, it looks better to leave dex at the entry point just because changing behavior is not required by this PR.
|
Once my PR #1902 is merged, most Dockerize users will probably want to set |
examples/config.tmpl
Outdated
| passwordConnector: {{ .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }} | ||
| {{- end }} | ||
|
|
||
| enablePasswordDB: {{ default .Env.DEX_ENABLE_PASSWORD_DB "true" }} |
There was a problem hiding this comment.
Question: What is the best way to pass an env variable that may contain YAML special characters like '"?
Is there a better solution than manually escaping single quotes?
bindPW: '{{ replace .Env.DEX_LDAP_BINDPW "'" "''" }}'
Since Dockerize uses text/template, I guess it's not aware of YAML syntax.
Of course the env variables could by convention already contain pre-escaped strings, but that would be rather strange.
There was a problem hiding this comment.
Good question. I think it should be raised in the dockerize project. Helm has a quote filter that does exactly that.
Also, I see open issues in the project asking to add the sprig template library.
Dockerfile
Outdated
| # Install dockerize to provide the way of config parametrization | ||
| ENV DOCKERIZE_VERSION v0.6.1 | ||
| RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ | ||
| && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ |
There was a problem hiding this comment.
amd64 is going to be a problem form arm builds. And sadly it looks like arm builds are not available yet: jwilder/dockerize#154
There was a problem hiding this comment.
The kind of a problem we can't solve on our own. Looks like we need to search for a better solution.
There was a problem hiding this comment.
The templating code of Dockerize is only 200 lines, since it's basically Go's text/template with some helper functions added.
On first sight, the only other feature from Dockerize that could be helpful for Dex is waiting for other dependencies (-wait , -timeout & co). And that can usually be solved with a crash loop.
Would it be an option to glue together ourselves Go templating with helpers from a well-maintained library like https://github.com/Masterminds/sprig in Dex?
Could work like this for the user:
$ dex serve config.yaml
$ dex serve --template config.tmpl
Sprig already includes env and default functions, similar to Dockerize.
There was a problem hiding this comment.
FYI, if you want to use dockerize, I recommend using its fork https://github.com/powerman/dockerize
This fork was created by an active contributor who was not satisfied with Jwilder's project management, communication, and so on.
Since then, a lot of improvements were done in Powerman's fork, incl. arm builds, for example.
The original dockerize seems to be an abandoned project.
There was a problem hiding this comment.
I'm familiar with that fork, but I'm not sure I'm quite happy with the democratized maintenance model to implements:
Everyone who has contributed to the project may become a collaborator - just ask for it in PR comments after your PR has being merged.
Also, we really don't need all that functionality, so I'm happy with a simple templating solution. My only concern with gotemplate is its size.
nabokihms
force-pushed
the
add-dockerize
branch
from
8c798cf to
b0d2a1c
Compare
|
@sagikazarmark, I replaced dockerize with gomplate in this PR. Some concerns, problems, tasks to do:
Please take a look if you have time 🙏 |
nabokihms
force-pushed
the
add-dockerize
branch
2 times, most recently
from
1cb0da1 to
8afe5f0
Compare
sagikazarmark
changed the title
There was a problem hiding this comment.
Thanks @nabokihms !
This looks like a good approach.
I had a few comments, can you please take a look at them?
nabokihms
force-pushed
the
add-dockerize
branch
2 times, most recently
from
e62e270 to
394d7e5
Compare
nabokihms
force-pushed
the
add-dockerize
branch
4 times, most recently
from
46cc8d5 to
0c1feba
Compare
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com> Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
nabokihms
force-pushed
the
add-dockerize
branch
from
0c1feba to
3241fd4
Compare
| exec dex $@ | ||
| ;; | ||
| *) | ||
| exec $@ |
There was a problem hiding this comment.
I like this option, allowing it to bypass the templating by adding dex in front of the arguments. 👍
Maybe mention it in the "Usage" comment, so it's more obvious.
There was a problem hiding this comment.
You should also adapt the section "Does this PR introduce a user-facing change?":
- By default, Gomplate is now applied on the config file for
docker run quay.io/dexidp/dex serve .... - To opt out, one can either adapt the command:
docker run quay.io/dexidp/dex dex serve ...
or change the entrypoint:docker run --entrypoint dex quay.io/dexidp/dex serve ...
There was a problem hiding this comment.
Yes, you are right! Whole description has to be rewritten.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
| @@ -0,0 +1,46 @@ | |||
| issuer: {{ getenv "DEX_ISSUER" "http://127.0.0.1:5556/dex" }} | |||
|
|
|||
There was a problem hiding this comment.
Maybe add a comment that this config file is only an example / for development purposes?
And maybe mention in another comment that for escaping "unfriendly" input like passwords, this function could be used for escaping, to get valid YAML? https://docs.gomplate.ca/functions/strings/#strings-squote
(Sorry haven't tested it yet, but I'm assuming that such escaping is not done automatically by Gomplate)
There was a problem hiding this comment.
I think that makes sense. Let's add a comment
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com> Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
nabokihms
force-pushed
the
add-dockerize
branch
from
b599b16 to
dd4a62e
Compare
sagikazarmark
changed the title
There was a problem hiding this comment.
I think this is good overall, thanks for working on this @nabokihms
There are two comments left, can you please take a look at those? Thanks!
|
|
||
| ENV GOMPLATE_VERSION=v3.9.0 | ||
|
|
||
| RUN wget -O /usr/local/bin/gomplate \ |
There was a problem hiding this comment.
Maybe use the slim version instead for a smaller binary: https://github.com/hairyhenderson/gomplate/releases
There was a problem hiding this comment.
Actually, does this work with every arm version? arm64, armv7? (The first one is GOARCH, the latter is variant AFAIK)
There was a problem hiding this comment.
Yes, it does! I have tested with linux/arm/v7 and linux/arm64.
| @@ -0,0 +1,46 @@ | |||
| issuer: {{ getenv "DEX_ISSUER" "http://127.0.0.1:5556/dex" }} | |||
|
|
|||
There was a problem hiding this comment.
I think that makes sense. Let's add a comment
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com> Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
|
I have no time to change the description yet. Hope that I will be able to do it tonight. |
|
No worries, I've updated the PR description. |
The official docker release for this release can be pulled from ``` ghcr.io/dexidp/dex:v2.28.0 ``` **Features:** - Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA) - Allow configuration of returned auth proxy header (dexidp#1839, @seuf) - Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro) - Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer) - Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms) - Add gomplate to the docker image (dexidp#1893, @nabokihms) - Graceful shutdown (dexidp#1963, @nabokihms) - Allow public clients created with API to have no client_secret (dexidp#1871, @spohner) **Bugfixes:** - Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0) - Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms) - Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms) - Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms) - Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms) **Minor changes:** - Change default themes to light/dark (dexidp#1858, @nabokihms) - Various developer experience improvements - Dependency upgrades - Tons of small fixes and changes
Overview
entrypoint.shscript that renders the config file as a templateWhat this PR does / why we need it
Closes #1838
This PR solves a long time issue in Dex, name injecting secrets into the config file (especially on Kubernetes) without actually saving those secrets in less/non-secure storage layers. By using templating (and environment variables) we can create a config file runtime (when the container starts, in the entrypoint).
Obviously, the rendered config file is still saved to ephemeral storage, so it's not all the way secure, but anyone with access to the storage layer would have other means to get the secrets anyway.
A better long-term solution for secrets would be using environment variables directly and/or secret storage solutions (like Vault) or even KMS integration.
Special notes for your reviewer
Does this PR introduce a user-facing change?