enhancement: Change base image from alpine to distroless #2295
Conversation
|
Ongoing testing:
|
|
With a distroless base image, you don't have any system roots of trust for certs. This cause issues for users before because it meant that they either had to mount them into the container, or build from our base onto their own image. Have we tested that the project is working correctly without having to provide additional CA certs with this distroless base? |
That was exactly my concern but maybe we can copy the alpine trust store from the build container into the distroless container 🤔 This change definitely cannot be done lightly and needs proper testing. |
|
@JoelSpeed not sure what you mean. The base image comes with ca-certificates, is that what you're looking for? I only have been able to test it with Google Cloud auth and that worked perfectly fine. Decided to open it as a draft so that @tuunit can do some testing as well and so that I can do some testing in the future as well. @tuunit Imo you can leave the Github environment for me to test as I also have ready access to it as well (as well as with orgs/teams testing) |
|
It's quite possible when we tried this before it was scratch rather than distroless, which would possibly explain the difference. But he's, the system ca certificates is what I want to make sure we continue to provide |
100%, also since some people maybe rely on some commands to be available for i.e. healthcheck probes.
Those are part of distroless base: see https://github.com/GoogleContainerTools/distroless/tree/main/base |
There is also some documentation / examples on how to for example include the java trust stores CAs in the distroless images: https://github.com/GoogleContainerTools/distroless/blob/main/cacerts/jksutil/BUILD |
|
The documentation mentions the follow image should be used for statically linked binaries like go:
https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md That is why it was working for you with your Goolge test because the static image you used has the most common ca-certificates included. I missed that you already shared the same url in your last comment. |
I'm not sure if we need libssl though. If that's not necessary then probably distroless/static will work as well. |
As we use the GitHub feature branch in one of my projects at work, I'll test it anyway. |
Everything seems to be working fine with the distroless image. I'll do some more testing in the upcoming does. I would suggest when all tests are successful, that we switch to the distroless base image for the default tags and additionally offer alpine as a custom tag |
|
Where are we at with testing this one? |
|
I only need to test that the custom CAs work. Other than that everything looks good to go. |
Full testing done. I even created a custom trust authority to be able to create rootCA file and test #2237. Fully working within alpine and distroless. No breaking changes as far as I can tell. Last question: Are we going to provide an official alpine image as well for debugging purposes? |
|
I'm going to open another PR for a complete overhaul of the local environment setup files soon. As I had to update a lot of them anyway. |
|
I'm open to providing a |
kvanzuijlen
changed the title
|
@kvanzuijlen @tuunit Any update on getting this merged? |
|
@kvanzuijlen testing on my part is done. ToDos:
|
|
Maybe we should mention both image versions in the readme and docs 🤔 To clarify that we use distroless as the default base image and that we offer the alpine tag for debugging purposes. |
|
Hi @tuunit, Thx for the todo, makes it easier for me to track what has to happen!
I see no merge conflict, just an outdated branch. Will resolve that while writing the changelog entry and updating the README.
Right now it has both images for the nightly build. Any reason why we shouldn't provide both images? I think it's easier to understand if we keep it the same as the regular images.
I'll write a changelog entry and add a section to the README |
| .PHONY: docker | ||
| docker: | ||
| $(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} . | ||
| $(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/$(REPOSITORY):latest -t $(REGISTRY)/$(REPOSITORY):${VERSION} . | ||
| $(DOCKER_BUILDX_X_PLATFORM_ALPINE) -t $(REGISTRY)/$(REPOSITORY):latest-alpine -t $(REGISTRY)/$(REPOSITORY):${VERSION}-alpine . |
There was a problem hiding this comment.
I was thinking maybe instead of -alpine we should call it -debug. That's how fluenbit does it: https://docs.fluentbit.io/manual/installation/docker
| $(DOCKER_BUILDX_X_PLATFORM_ALPINE) -t $(REGISTRY)/$(REPOSITORY):latest-alpine -t $(REGISTRY)/$(REPOSITORY):${VERSION}-alpine . | |
| $(DOCKER_BUILDX_X_PLATFORM_ALPINE) -t $(REGISTRY)/$(REPOSITORY):latest-debug-t $(REGISTRY)/$(REPOSITORY):${VERSION}-debug . |
There was a problem hiding this comment.
I"m personally more a fan of -alpine, because it could also just be a conscious decision to work exclusively with alpine. It's also not an image that includes any extra debug tooling.
Since (imo) this is still a perfectly fine image for use in (regular) production, I think the -alpine is a better fit.
There was a problem hiding this comment.
I'm a plus one for keeping it as alpine, I agree that calling it debug implies something more, does a debug build mean we didn't strip the symbols when compiling the binary for example?
* enhancement: Change base image from alpine to distroless (oauth2-proxy#2295) * Changed base image from alpine to distroless * chore: updated Makefile * fix: removed arm/v6 and ppc64le for distroless variant * Update Dockerfile * Update Makefile * docs: Add README-section, CHANGELOG-entry and --pull to prevent caching --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Add possibility to encode the state param as UrlEncodedBase64 (oauth2-proxy#2312) * Add possibility to encode the state param as UrlEncodedBase64 * Update CHANGELOG.md * Update oauthproxy.go Co-authored-by: Jan Larwig <jan@larwig.com> --------- Co-authored-by: Jan Larwig <jan@larwig.com> * NGINX return 403 for sign_in (oauth2-proxy#2322) (oauth2-proxy#2323) Co-authored-by: Sven Ertel <sven.ertel@bayernwerk.de> * chore: Create sha256sum for tar instead of binary (oauth2-proxy#2343) * Create sha256sum for tar instead of binary * chore: Add checksum for binary * chore: Updated changelog --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Log error details when failed loading CSRF cookie (oauth2-proxy#2345) * Log error details when failed loading CSRF cookie * Add a record about this PR to CHANGELOG.md --------- Co-authored-by: Ondrej Charvat <ondrej.charvat@yunextraffic.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Feature - Add env variable support for alpha struct (oauth2-proxy#2375) * added envsubstring package and added simple test cases.imple tests. * added documentation * added changelog entry * added documentation to wrong file . * changed tests to ginkgo format * update project to use better maintained library * use defer to clear test variable after tests finished * updated docs for the new package documentation and fixed bad english * refactored function to "reduce" complexity. * updated changelog for new version updated readme * minor formatting --------- Co-authored-by: Haydn Evans <h.evans@douglas.de> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * remove nsswitch workaround (oauth2-proxy#2371) Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * feat: Added renovate configuration (oauth2-proxy#2377) * Feature/add option to skip loading claims from profile url (oauth2-proxy#2329) * add new flag skip-claims-from-profile-url * skip passing profile URL if SkipClaimsFromProfileURL * docs for --skip-claims-from-profile-url flag * update flag comment * update docs * update CHANGELOG.md * Update providers/provider_data.go Co-authored-by: Jan Larwig <jan@larwig.com> * Add tests for SkipClaimsFromProfileURL * simplify tests for SkipClaimsFromProfileURL * generate alpha_config.md --------- Co-authored-by: Jan Larwig <jan@larwig.com> * Add ability to configure username for Redis cluster connections (oauth2-proxy#2381) * Initial attempt. * Add CHANGELOG entry. * Drop commented-out Sentinel test. --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * chore(deps): update module golang.org/x/crypto to v0.17.0 [security] (oauth2-proxy#2400) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update github.com/ghodss/yaml digest to d8423dc (oauth2-proxy#2401) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Improved dev environment (oauth2-proxy#2211) * Improved dev env setup * Cleanup duplicate checks * Applied PR feedback * Updated go.mod/go.sum * go mod tidy * Update .devcontainer/devcontainer.json * Update pkg/http/server_test.go Co-authored-by: Jan Larwig <jan@larwig.com> * Create launch.json * Update .devcontainer/Dockerfile * Apply suggestions from code review --------- Co-authored-by: Jan Larwig <jan@larwig.com> * feature: add release automation workflows (oauth2-proxy#2224) * feature: add release automation workflows * deactivate provenancee because of behaviour change with buildx v0.10.0 * add changelog section extraction for github release notes * fix registry path; fix EOF * use correct version of golangci-lint; add additional workflow step for fetching all dependencies * chore(deps): update module github.com/bsm/redislock to v0.9.4 (oauth2-proxy#2406) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * initial commit for docusaurus 3 upgrade * fix mdx errors * fix mdx issues * fix routing issues * update docs generation workflow * fix version * fix permissions * move slack to header * remove background color and minify * Update docs/docs/configuration/providers/openid_connect.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/openid_connect.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/openid_connect.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/gitlab.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/gitlab.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/github.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/github.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/github.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * Update docs/docs/configuration/providers/github.md Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> --------- Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Jan Brezina <brezinajn@users.noreply.github.com> Co-authored-by: WhiteRabbit-Code <sven@ertel-net.de> Co-authored-by: Sven Ertel <sven.ertel@bayernwerk.de> Co-authored-by: charvadzo <120425386+charvadzo@users.noreply.github.com> Co-authored-by: Ondrej Charvat <ondrej.charvat@yunextraffic.com> Co-authored-by: Haydn Evans <h.evans@douglas.de> Co-authored-by: Nils Gustav Stråbø <65334626+nilsgstrabo@users.noreply.github.com> Co-authored-by: Ross Golder <ross@golder.org> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Description
Motivation and Context
How Has This Been Tested?
Checklist: