From 7784a4727c2aaba712d8be5e0b1ee89635301b7a Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Tue, 22 Dec 2020 00:15:55 +0400 Subject: [PATCH 01/10] feat: Add dockerize to the Dex docker image Signed-off-by: m.nabokikh --- entrypoint.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100755 entrypoint.sh diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 00000000..65e074a8 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,11 @@ +#!/bin/sh -e + +### Usage: /entrypoint.sh +command=$1 + +if [ "$command" == "serve" ]; then + file="$2" + dockerize -template "$file" | dex serve - +else + dex $@ +fi From 891fa1785f02b2d957a16ac65b8c77b9c0bff8a6 Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Wed, 23 Dec 2020 01:14:25 +0400 Subject: [PATCH 02/10] Remove entrypoint.sh, add config template example Signed-off-by: m.nabokikh --- entrypoint.sh | 11 ----------- examples/config.tmpl | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 11 deletions(-) delete mode 100755 entrypoint.sh create mode 100644 examples/config.tmpl diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755 index 65e074a8..00000000 --- a/entrypoint.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -e - -### Usage: /entrypoint.sh -command=$1 - -if [ "$command" == "serve" ]; then - file="$2" - dockerize -template "$file" | dex serve - -else - dex $@ -fi diff --git a/examples/config.tmpl b/examples/config.tmpl new file mode 100644 index 00000000..43d12dbc --- /dev/null +++ b/examples/config.tmpl 
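Review bot: `dex $@` on the `else` branch is unquoted, so an argument containing whitespace or a glob character is split or expanded before it reaches dex; it should be `exec dex "$@"`. `[ "$command" == "serve" ]` is also a bashism under `#!/bin/sh` — the portable test is `=`. On the `serve` branch the pipeline runs under `-e` but without `pipefail`, so a dockerize failure is masked and `dex serve -` is handed an empty or truncated config; rendering to a file first and checking dockerize's exit status avoids that.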
@@ -0,0 +1,44 @@ +issuer: {{ default .Env.DEX_ISSUER "http://127.0.0.1:5556/dex" }} + +storage: + type: sqlite3 + config: + file: {{ default .Env.DEX_STORAGE_SQLITE3_CONFIG_FILE "/etc/dex/dex.db" }} + +web: +{{- if .Env.DEX_WEB_HTTPS }} + https: {{ .Env.DEX_WEB_HTTPS }} +{{- else }} + http: {{ default .Env.DEX_WEB_HTTP "0.0.0.0:5556" }} +{{- end }} +{{- if .Env.DEX_WEB_TLS_KEY }} + tlsKey: {{ .Env.DEX_WEB_TLS_KEY }} +{{- end }} +{{- if .Env.DEX_WEB_TLS_CERT }} + tlsCert: {{ .Env.DEX_WEB_TLS_CERT }} +{{- end }} + +{{- if .Env.DEX_TELEMETRY_HTTP }} +telemetry: + http: {{ .Env.DEX_TELEMETRY_HTTP }} +{{- end }} + +expiry: + deviceRequests: {{ default .Env.DEX_EXPIRY_DEVICE_REQUESTS "5m" }} + signingKeys: {{ default .Env.DEX_EXPIRY_SIGNING_KEYS "6h" }} + idTokens: {{ default .Env.DEX_EXPIRY_ID_TOKENS "24h" }} + authRequests: {{ default .Env.DEX_EXPIRY_AUTH_REQUESTS "24h" }} + +logger: + level: {{ default .Env.DEX_LOGGER_LEVEL "info" }} + format: {{ default .Env.DEX_LOGGER_FORMAT "text" }} + +oauth2: + responseTypes: {{ default .Env.DEX_OAUTH2_RESPONSE_TYPES "[code]" }} + skipApprovalScreen: {{ default .Env.DEX_OAUTH2_SKIP_APPROVAL_SCREEN "false" }} + alwaysShowLoginScreen: {{ default .Env.DEX_OAUTH2_ALWAYS_SHOW_LOGIN_SCREEN "false" }} +{{- if .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }} + passwordConnector: {{ .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }} +{{- end }} + +enablePasswordDB: {{ default .Env.DEX_ENABLE_PASSWORD_DB "true" }} From e13aac496361f2df4cd2261db65a5f3e9868683d Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Thu, 28 Jan 2021 15:25:55 +0400 Subject: [PATCH 03/10] Switch to gomplate Signed-off-by: m.nabokikh --- Dockerfile | 16 +++++++++-- entrypoint.sh | 13 +++++++++ examples/config-example.tmpl | 54 ++++++++++++++++++++++++++++++++++++ examples/config.tmpl | 44 ----------------------------- 4 files changed, 81 insertions(+), 46 deletions(-) create mode 100755 entrypoint.sh create mode 100644 examples/config-example.tmpl delete mode 100644 examples/config.tmpl 
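Review bot: `tlsKey`/`tlsCert` are emitted independently of `DEX_WEB_HTTPS`, so setting only `DEX_WEB_HTTPS` renders a `web.https` listener with no key or cert and the problem is only discovered when dex starts rather than at render time; moving the two `if` blocks inside the `https` branch and failing the render when either variable is empty makes the contract explicit. The defaults — plaintext `http` on `0.0.0.0:5556`, an `http://127.0.0.1:5556/dex` issuer and `enablePasswordDB: true` — are development settings, and a one-line comment at the top saying so would keep the example from being copied into a deployment verbatim.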
diff --git a/Dockerfile b/Dockerfile index cb410dab..41c0d6f8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,11 +27,22 @@ FROM alpine:3.13.1 # experience when this doesn't work out of the box. # # OpenSSL is required so wget can query HTTPS endpoints for health checking. +ARG TARGETARCH +ARG TARGETVARIANT="" +ARG GOMPLATE_VERSION=v3.9.0 + RUN apk add --no-cache --update ca-certificates openssl +RUN wget -O /usr/local/bin/gomplate \ + "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_linux-${TARGETARCH:-amd64}${TARGETVARIANT}" \ + && chmod +x /usr/local/bin/gomplate RUN mkdir -p /var/dex RUN chown -R 1001:1001 /var/dex +RUN mkdir -p /etc/dex +COPY examples/config-example.tmpl /etc/dex/config.tmpl +RUN chown -R 1001:1001 /etc/dex + # Copy module files for CVE scanning / dependency analysis. COPY --from=builder /usr/local/src/dex/go.mod /usr/local/src/dex/go.sum /usr/local/src/dex/ COPY --from=builder /usr/local/src/dex/api/v2/go.mod /usr/local/src/dex/api/v2/go.sum /usr/local/src/dex/api/v2/ @@ -46,6 +57,7 @@ COPY --from=builder /usr/local/src/dex/web /web USER 1001:1001 -ENTRYPOINT ["dex"] +COPY entrypoint.sh / -CMD ["version"] +ENTRYPOINT ["/entrypoint.sh"] +CMD ["serve", "/etc/dex/config.tmpl"] diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 00000000..3e6a8e27 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,13 @@ +#!/bin/sh -e + +### Usage: /entrypoint.sh +set -e +command=$1 + +if [ "$command" == "serve" ]; then + file="$2" + gomplate -f "$file" -o "/etc/dex/config.yaml"; + exec dex serve "/etc/dex/config.yaml" +else + exec dex $@ +fi diff --git a/examples/config-example.tmpl b/examples/config-example.tmpl new file mode 100644 index 00000000..acbe90e2 --- /dev/null +++ b/examples/config-example.tmpl 
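Review bot: The `RUN wget -O /usr/local/bin/gomplate …` step installs a binary fetched from GitHub into the runtime image without verifying it, so the build trusts whatever the release asset (behind a mutable tag) happens to be rather than a known artifact. Pinning the expected SHA-256 and checking it in the same layer, e.g. `&& echo "${GOMPLATE_SHA256}  /usr/local/bin/gomplate" | sha256sum -c -`, closes that gap; the checksums file published with the release can supply the value. Because `TARGETARCH`/`TARGETVARIANT` select the asset, the expected digest has to be chosen per platform as well.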
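Review bot: `exec dex $@` is unquoted (word splitting and globbing on every argument) and should be `exec dex "$@"`; `==` inside `[ ]` is not POSIX and should be `=`. The rendered config is written to the fixed path `/etc/dex/config.yaml` rather than a private temp file, so anything interpolated from the environment (the example template already pulls TLS paths and connector settings from env) lands in a predictable, persistent location in the container filesystem; rendering into an `mktemp` file, as later patches in this series do, is the safer shape. The `set -e` on line 4 duplicates the `-e` already in the shebang and can go.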
@@ -0,0 +1,54 @@ +issuer: {{ getenv "DEX_ISSUER" "http://127.0.0.1:5556/dex" }} + +storage: + type: sqlite3 + config: + file: {{ getenv "DEX_STORAGE_SQLITE3_CONFIG_FILE" "/etc/dex/dex.db" }} + +web: +{{- if getenv "DEX_WEB_HTTPS" "" }} + https: {{ .Env.DEX_WEB_HTTPS }} + {{- if getenv "DEX_WEB_TLS_KEY" }} + tlsKey: {{ .Env.DEX_WEB_TLS_KEY }} + {{- else }} +{{- fail "$DEX_WEB_TLS_KEY is required" }} + {{- end }} + {{- if getenv "DEX_WEB_TLS_CERT" "" }} + tlsCert: {{ .Env.DEX_WEB_TLS_CERT }} + {{- else }} +{{- fail "$DEX_WEB_TLS_CERT is required" }} + {{- end }} +{{- end }} + http: {{ getenv "DEX_WEB_HTTP" "0.0.0.0:5556" }} + +{{- if getenv "DEX_TELEMETRY_HTTP" "" }} +telemetry: + http: {{ .Env.DEX_TELEMETRY_HTTP }} +{{- end }} + +expiry: + deviceRequests: {{ getenv "DEX_EXPIRY_DEVICE_REQUESTS" "5m" }} + signingKeys: {{ getenv "DEX_EXPIRY_SIGNING_KEYS" "6h" }} + idTokens: {{ getenv "DEX_EXPIRY_ID_TOKENS" "24h" }} + authRequests: {{ getenv "DEX_EXPIRY_AUTH_REQUESTS" "24h" }} + +logger: + level: {{ getenv "DEX_LOGGER_LEVEL" "info" }} + format: {{ getenv "DEX_LOGGER_FORMAT" "text" }} + +oauth2: + responseTypes: {{ getenv "DEX_OAUTH2_RESPONSE_TYPES" "[code]" }} + skipApprovalScreen: {{ getenv "DEX_OAUTH2_SKIP_APPROVAL_SCREEN" "false" }} + alwaysShowLoginScreen: {{ getenv "DEX_OAUTH2_ALWAYS_SHOW_LOGIN_SCREEN" "false" }} +{{- if getenv "DEX_OAUTH2_PASSWORD_CONNECTOR" "" }} + passwordConnector: {{ .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }} +{{- end }} + +enablePasswordDB: {{ getenv "DEX_ENABLE_PASSWORD_DB" "true" }} + +connectors: +{{- if getenv "DEX_CONNECTORS_ENABLE_MOCK" "" }} +- type: mockCallback + id: mock + name: Example +{{- end }} diff --git a/examples/config.tmpl b/examples/config.tmpl deleted file mode 100644 index 43d12dbc..00000000 --- a/examples/config.tmpl +++ /dev/null 
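Review bot: The `http:` listener is now emitted unconditionally, so when `DEX_WEB_HTTPS` is set the rendered config serves both TLS and plaintext on `0.0.0.0:5556`, and because `getenv "DEX_WEB_HTTP" "0.0.0.0:5556"` substitutes the default for an empty value there is no way to switch the plaintext listener off. Guarding it, e.g. `{{- if or (not (getenv "DEX_WEB_HTTPS")) (getenv "DEX_WEB_HTTP") }}` around the `http:` line with a closing `{{- end }}`, keeps the default behaviour while letting an HTTPS deployment opt out. Separately, `{{- if getenv "DEX_WEB_TLS_KEY" }}` is missing the `""` default the sibling checks pass; gomplate accepts the single-argument form, so this is only a consistency nit.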
@@ -1,44 +0,0 @@ -issuer: {{ default .Env.DEX_ISSUER "http://127.0.0.1:5556/dex" }} - -storage: - type: sqlite3 - config: - file: {{ default .Env.DEX_STORAGE_SQLITE3_CONFIG_FILE "/etc/dex/dex.db" }} - -web: -{{- if .Env.DEX_WEB_HTTPS }} - https: {{ .Env.DEX_WEB_HTTPS }} -{{- else }} - http: {{ default .Env.DEX_WEB_HTTP "0.0.0.0:5556" }} -{{- end }} -{{- if .Env.DEX_WEB_TLS_KEY }} - tlsKey: {{ .Env.DEX_WEB_TLS_KEY }} -{{- end }} -{{- if .Env.DEX_WEB_TLS_CERT }} - tlsCert: {{ .Env.DEX_WEB_TLS_CERT }} -{{- end }} - -{{- if .Env.DEX_TELEMETRY_HTTP }} -telemetry: - http: {{ .Env.DEX_TELEMETRY_HTTP }} -{{- end }} - -expiry: - deviceRequests: {{ default .Env.DEX_EXPIRY_DEVICE_REQUESTS "5m" }} - signingKeys: {{ default .Env.DEX_EXPIRY_SIGNING_KEYS "6h" }} - idTokens: {{ default .Env.DEX_EXPIRY_ID_TOKENS "24h" }} - authRequests: {{ default .Env.DEX_EXPIRY_AUTH_REQUESTS "24h" }} - -logger: - level: {{ default .Env.DEX_LOGGER_LEVEL "info" }} - format: {{ default .Env.DEX_LOGGER_FORMAT "text" }} - -oauth2: - responseTypes: {{ default .Env.DEX_OAUTH2_RESPONSE_TYPES "[code]" }} - skipApprovalScreen: {{ default .Env.DEX_OAUTH2_SKIP_APPROVAL_SCREEN "false" }} - alwaysShowLoginScreen: {{ default .Env.DEX_OAUTH2_ALWAYS_SHOW_LOGIN_SCREEN "false" }} -{{- if .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }} - passwordConnector: {{ .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }} -{{- end }} - -enablePasswordDB: {{ default .Env.DEX_ENABLE_PASSWORD_DB "true" }} From d43053e11c016ca1869746a8e3b6c935c7979812 Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Thu, 28 Jan 2021 17:40:11 +0400 Subject: [PATCH 04/10] Download gomplate during building phase Signed-off-by: m.nabokikh --- Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 41c0d6f8..836b81fe 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -7,11 +7,16 @@ RUN apk add --no-cache --update alpine-sdk ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT="" +ARG GOMPLATE_VERSION=v3.9.0 ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT} ARG GOPROXY +RUN wget -O /usr/local/bin/gomplate \ + "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${GOOS:-linux}-${GOARCH:-amd64}${GOARM}" \ + && chmod +x /usr/local/bin/gomplate + COPY go.mod go.sum ./ COPY api/v2/go.mod api/v2/go.sum ./api/v2/ RUN go mod download @@ -27,14 +32,8 @@ FROM alpine:3.13.1 # experience when this doesn't work out of the box. # # OpenSSL is required so wget can query HTTPS endpoints for health checking. -ARG TARGETARCH -ARG TARGETVARIANT="" -ARG GOMPLATE_VERSION=v3.9.0 RUN apk add --no-cache --update ca-certificates openssl -RUN wget -O /usr/local/bin/gomplate \ - "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_linux-${TARGETARCH:-amd64}${TARGETVARIANT}" \ - && chmod +x /usr/local/bin/gomplate RUN mkdir -p /var/dex RUN chown -R 1001:1001 /var/dex @@ -47,6 +46,7 @@ RUN chown -R 1001:1001 /etc/dex COPY --from=builder /usr/local/src/dex/go.mod /usr/local/src/dex/go.sum /usr/local/src/dex/ COPY --from=builder /usr/local/src/dex/api/v2/go.mod /usr/local/src/dex/api/v2/go.sum /usr/local/src/dex/api/v2/ +COPY --from=builder /usr/local/bin/gomplate /usr/local/bin/gomplate COPY --from=builder /go/bin/dex /usr/local/bin/dex USER 1001:1001 From 226c91df064e01f65bad871427c06f72d888168f Mon Sep 17 00:00:00 2001 From: Maksim Nabokikh <32434187+nabokihms@users.noreply.github.com> Date: Fri, 29 Jan 2021 01:48:30 +0400 Subject: [PATCH 05/10] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Márk Sági-Kazár 
Signed-off-by: m.nabokikh --- Dockerfile | 22 +++++++-------- .../config-example.tmpl => config.docker.yaml | 22 +++++---------- docker-entrypoint.sh | 27 +++++++++++++++++++ entrypoint.sh | 13 --------- 4 files changed, 45 insertions(+), 39 deletions(-) rename examples/config-example.tmpl => config.docker.yaml (66%) create mode 100755 docker-entrypoint.sh delete mode 100755 entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 836b81fe..495f6404 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,16 +7,11 @@ RUN apk add --no-cache --update alpine-sdk ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT="" -ARG GOMPLATE_VERSION=v3.9.0 ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT} ARG GOPROXY -RUN wget -O /usr/local/bin/gomplate \ - "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${GOOS:-linux}-${GOARCH:-amd64}${GOARM}" \ - && chmod +x /usr/local/bin/gomplate - COPY go.mod go.sum ./ COPY api/v2/go.mod api/v2/go.sum ./api/v2/ RUN go mod download 
@@ -27,26 +22,31 @@ RUN make release-binary FROM alpine:3.13.1 +ARG TARGETOS="linux" +ARG TARGETARCH="amd64" +ARG TARGETVARIANT="" +ARG GOMPLATE_VERSION=v3.9.0 # Dex connectors, such as GitHub and Google logins require root certificates. # Proper installations should manage those certificates, but it's a bad user # experience when this doesn't work out of the box. # # OpenSSL is required so wget can query HTTPS endpoints for health checking. - RUN apk add --no-cache --update ca-certificates openssl +RUN wget -O /usr/local/bin/gomplate \ + "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS}-${TARGETARCH}${TARGETVARIANT}" \ + && chmod +x /usr/local/bin/gomplate RUN mkdir -p /var/dex RUN chown -R 1001:1001 /var/dex RUN mkdir -p /etc/dex -COPY examples/config-example.tmpl /etc/dex/config.tmpl +COPY config.docker.yaml /etc/dex/config.docker.yaml RUN chown -R 1001:1001 /etc/dex # Copy module files for CVE scanning / dependency analysis. COPY --from=builder /usr/local/src/dex/go.mod /usr/local/src/dex/go.sum /usr/local/src/dex/ COPY --from=builder /usr/local/src/dex/api/v2/go.mod /usr/local/src/dex/api/v2/go.sum /usr/local/src/dex/api/v2/ -COPY --from=builder /usr/local/bin/gomplate /usr/local/bin/gomplate COPY --from=builder /go/bin/dex /usr/local/bin/dex USER 1001:1001 @@ -57,7 +57,7 @@ COPY --from=builder /usr/local/src/dex/web /web USER 1001:1001 -COPY entrypoint.sh / +COPY docker-entrypoint.sh / -ENTRYPOINT ["/entrypoint.sh"] -CMD ["serve", "/etc/dex/config.tmpl"] +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["serve", "/etc/dex/config.docker.yaml"] diff --git a/examples/config-example.tmpl b/config.docker.yaml similarity index 66% rename from examples/config-example.tmpl rename to config.docker.yaml index acbe90e2..341544e6 100644 --- a/examples/config-example.tmpl +++ b/config.docker.yaml 
@@ -3,25 +3,17 @@ issuer: {{ getenv "DEX_ISSUER" "http://127.0.0.1:5556/dex" }} storage: type: sqlite3 config: - file: {{ getenv "DEX_STORAGE_SQLITE3_CONFIG_FILE" "/etc/dex/dex.db" }} + file: {{ getenv "DEX_STORAGE_SQLITE3_CONFIG_FILE" "/var/dex/dex.db" }} web: {{- if getenv "DEX_WEB_HTTPS" "" }} https: {{ .Env.DEX_WEB_HTTPS }} - {{- if getenv "DEX_WEB_TLS_KEY" }} - tlsKey: {{ .Env.DEX_WEB_TLS_KEY }} - {{- else }} -{{- fail "$DEX_WEB_TLS_KEY is required" }} - {{- end }} - {{- if getenv "DEX_WEB_TLS_CERT" "" }} - tlsCert: {{ .Env.DEX_WEB_TLS_CERT }} - {{- else }} -{{- fail "$DEX_WEB_TLS_CERT is required" }} - {{- end }} + tlsKey: {{ getenv "DEX_WEB_TLS_KEY" | required "$DEX_WEB_TLS_KEY in case of web.https is enabled" }} + tlsCert: {{ getenv "DEX_WEB_TLS_CERT" | required "$DEX_WEB_TLS_CERT in case of web.https is enabled" }} {{- end }} http: {{ getenv "DEX_WEB_HTTP" "0.0.0.0:5556" }} -{{- if getenv "DEX_TELEMETRY_HTTP" "" }} +{{- if getenv "DEX_TELEMETRY_HTTP" }} telemetry: http: {{ .Env.DEX_TELEMETRY_HTTP }} {{- end }} @@ -33,8 +25,8 @@ expiry: authRequests: {{ getenv "DEX_EXPIRY_AUTH_REQUESTS" "24h" }} logger: - level: {{ getenv "DEX_LOGGER_LEVEL" "info" }} - format: {{ getenv "DEX_LOGGER_FORMAT" "text" }} + level: {{ getenv "DEX_LOG_LEVEL" "info" }} + format: {{ getenv "DEX_LOG_FORMAT" "text" }} oauth2: responseTypes: {{ getenv "DEX_OAUTH2_RESPONSE_TYPES" "[code]" }} @@ -47,7 +39,7 @@ oauth2: enablePasswordDB: {{ getenv "DEX_ENABLE_PASSWORD_DB" "true" }} connectors: -{{- if getenv "DEX_CONNECTORS_ENABLE_MOCK" "" }} +{{- if getenv "DEX_CONNECTORS_ENABLE_MOCK" }} - type: mockCallback id: mock name: Example diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh new file mode 100755 index 00000000..59bb34c6 --- /dev/null +++ b/docker-entrypoint.sh 
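Review bot: Every environment value is spliced into the YAML unquoted (`file: {{ getenv "DEX_STORAGE_SQLITE3_CONFIG_FILE" … }}`, `tlsKey: {{ … | required … }}`), so a value containing `: `, ` #` or a newline changes the structure of the rendered document instead of being treated as a string. For the string-valued keys (issuer, storage file, TLS paths, listen addresses) piping through gomplate's `quote`, e.g. `tlsKey: {{ getenv "DEX_WEB_TLS_KEY" | required "…" | quote }}`, makes them literal; the boolean and list keys (`skipApprovalScreen`, `responseTypes`) should be left as they are, since quoting would presumably turn them into strings for the decoder. The `required` messages read as fragments ("$DEX_WEB_TLS_KEY in case of web.https is enabled"); a full sentence such as `"DEX_WEB_TLS_KEY must be set when DEX_WEB_HTTPS is enabled"` is clearer in the failure output.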
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+### Usage: /docker-entrypoint.sh
+command=$1
+
+case "$command" in
+ serve)
+ for file_candidate in $@ ; do
+ if test -f "$file_candidate"; then
+ tmpfile=$(mktemp /tmp/dex.config.yaml-XXXXXX)
+ gomplate -f "$file_candidate" -o "$tmpfile"
+ echo "config rendered successfully into the tmp file ${tmpfile}"
+
+ args="${args} ${tmpfile}"
+ else
+ args="${args} ${file_candidate}"
+ fi
+ done
+ exec dex $args
+ ;;
+ --help|-h|version)
+ exec dex $@
+ ;;
+ *)
+ exec $@
+ ;;
+esac
diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755
index 3e6a8e27..00000000
--- a/entrypoint.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh -e
-
-### Usage: /entrypoint.sh
-set -e
-command=$1
-
-if [ "$command" == "serve" ]; then
- file="$2"
- gomplate -f "$file" -o "/etc/dex/config.yaml";
- exec dex serve "/etc/dex/config.yaml"
-else
- exec dex $@
-fi
From a6cb62776320bf37d0e5a66d34f45e100d1345c0 Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Fri, 29 Jan 2021 08:34:38 +0400 Subject: [PATCH 06/10] Add docker build args Signed-off-by: m.nabokikh --- Dockerfile | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 495f6404..edc2b9d5 100644
--- a/Dockerfile
+++ b/Dockerfile
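Review bot: `for file_candidate in $@`, `exec dex $args` and `exec $@` are all unquoted, so any argument or rendered path containing whitespace or glob characters is split or expanded before it reaches dex; `"$@"` fixes the two `exec` lines, and the whitespace-joined `args` string needs to become a `set -- "$@" …`/`shift` rebuild of the positional parameters to preserve quoting. The loop also includes the literal `serve` word in the candidate list, so a file named `serve` in the working directory would be rendered as a template; skipping `$1` (or matching on extension, as the last patch in this series does) avoids that. Rendering through `mktemp` is the right call: it keeps whatever the environment injects out of a predictable path and, with `mktemp`'s default file mode, readable only by the dex user.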
@@ -22,18 +22,20 @@ RUN make release-binary FROM alpine:3.13.1 -ARG TARGETOS="linux" -ARG TARGETARCH="amd64" -ARG TARGETVARIANT="" -ARG GOMPLATE_VERSION=v3.9.0 # Dex connectors, such as GitHub and Google logins require root certificates. # Proper installations should manage those certificates, but it's a bad user # experience when this doesn't work out of the box. # # OpenSSL is required so wget can query HTTPS endpoints for health checking. RUN apk add --no-cache --update ca-certificates openssl + +ARG TARGETOS +ARG TARGETARCH +ARG TARGETVARIANT +ARG GOMPLATE_VERSION=v3.9.0 + RUN wget -O /usr/local/bin/gomplate \ - "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS}-${TARGETARCH}${TARGETVARIANT}" \ + "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \ && chmod +x /usr/local/bin/gomplate RUN mkdir -p /var/dex From 3241fd4ae28c6c595a5fd9d2f58c9e131487ccca Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Fri, 29 Jan 2021 13:46:47 +0400 Subject: [PATCH 07/10] Move downloading gomplate to separate stage Signed-off-by: m.nabokikh --- Dockerfile | 20 ++++++++++++-------- docker-entrypoint.sh | 1 - 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index edc2b9d5..c4db8435 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,14 +20,7 @@ COPY . . RUN make release-binary -FROM alpine:3.13.1 - -# Dex connectors, such as GitHub and Google logins require root certificates. -# Proper installations should manage those certificates, but it's a bad user -# experience when this doesn't work out of the box. -# -# OpenSSL is required so wget can query HTTPS endpoints for health checking. -RUN apk add --no-cache --update ca-certificates openssl +FROM alpine:3.13.1 AS gomplate ARG TARGETOS ARG TARGETARCH 
@@ -38,6 +31,16 @@ RUN wget -O /usr/local/bin/gomplate \ "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \ && chmod +x /usr/local/bin/gomplate + +FROM alpine:3.13.1 + +# Dex connectors, such as GitHub and Google logins require root certificates. +# Proper installations should manage those certificates, but it's a bad user +# experience when this doesn't work out of the box. +# +# OpenSSL is required so wget can query HTTPS endpoints for health checking. +RUN apk add --no-cache --update ca-certificates openssl + RUN mkdir -p /var/dex RUN chown -R 1001:1001 /var/dex @@ -50,6 +53,7 @@ COPY --from=builder /usr/local/src/dex/go.mod /usr/local/src/dex/go.sum /usr/loc COPY --from=builder /usr/local/src/dex/api/v2/go.mod /usr/local/src/dex/api/v2/go.sum /usr/local/src/dex/api/v2/ COPY --from=builder /go/bin/dex /usr/local/bin/dex +COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate USER 1001:1001 diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 59bb34c6..739af9a3 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -9,7 +9,6 @@ case "$command" in if test -f "$file_candidate"; then tmpfile=$(mktemp /tmp/dex.config.yaml-XXXXXX) gomplate -f "$file_candidate" -o "$tmpfile" - echo "config rendered successfully into the tmp file ${tmpfile}" args="${args} ${tmpfile}" else From 7f744598f5232ba4c5f1c458d7911785ca67311d Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Sat, 30 Jan 2021 14:54:17 +0400 Subject: [PATCH 08/10] Add detailed description to docker-entrypoint.sh Signed-off-by: m.nabokikh --- docker-entrypoint.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 739af9a3..def2baa4 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -1,6 +1,11 @@ #!/bin/sh -e ### Usage: /docker-entrypoint.sh +### * If command equals to "serve", config file for serving will be preprocessed using gomplate and saved to tmp dir. +### Example: docker-entrypoint.sh serve config.yaml = dex serve /tmp/dex-config.yaml-ABCDEFG +### * If command is not in the list of known dex commands, it will be executed bypassing entrypoint. +### Example: docker-entrypoint.sh echo "Hello!" = echo "Hello!" + command=$1 case "$command" in From dd4a62e64562ef82c2eb0c4aee34680a6fa50b8c Mon Sep 17 00:00:00 2001 From: Maksim Nabokikh <32434187+nabokihms@users.noreply.github.com> Date: Thu, 4 Feb 2021 19:43:00 +0400 Subject: [PATCH 09/10] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Márk Sági-Kazár Signed-off-by: m.nabokikh --- Dockerfile | 11 ++++----- docker-entrypoint.sh | 53 ++++++++++++++++++++++---------------------- 2 files changed, 33 insertions(+), 31 deletions(-) diff --git a/Dockerfile b/Dockerfile index c4db8435..9f3418c8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,8 @@ FROM alpine:3.13.1 AS gomplate ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT -ARG GOMPLATE_VERSION=v3.9.0 + +ENV GOMPLATE_VERSION=v3.9.0 RUN wget -O /usr/local/bin/gomplate \ "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \ @@ -45,7 +46,7 @@ RUN mkdir -p /var/dex RUN chown -R 1001:1001 /var/dex RUN mkdir -p /etc/dex -COPY config.docker.yaml /etc/dex/config.docker.yaml +COPY config.docker.yaml /etc/dex/ RUN chown -R 1001:1001 /etc/dex # Copy module files for CVE scanning / dependency analysis. 
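Review bot: `COPY config.docker.yaml /etc/dex/` is followed by the existing `RUN chown -R 1001:1001 /etc/dex`, which hands the runtime UID write access to its own configuration directory; since patch 05 the rendered config goes to `mktemp` under `/tmp`, and as far as this series shows nothing writes to `/etc/dex` at run time, so the directory can stay root-owned with the template world-readable (the `chown` line can be dropped). Keeping the config immutable to the service account limits what a compromised dex process can change about its own trust settings. `ENV GOMPLATE_VERSION` in the `gomplate` stage is harmless because that stage is discarded, but `ARG` was the more accurate declaration for a build-time-only value.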
@@ -63,7 +64,7 @@ COPY --from=builder /usr/local/src/dex/web /web
 USER 1001:1001
-COPY docker-entrypoint.sh /
+COPY docker-entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["serve", "/etc/dex/config.docker.yaml"]
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["dex", "serve", "/etc/dex/config.docker.yaml"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index def2baa4..bb12d313 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,31 +1,32 @@
 #!/bin/sh -e
 ### Usage: /docker-entrypoint.sh
-### * If command equals to "serve", config file for serving will be preprocessed using gomplate and saved to tmp dir.
-### Example: docker-entrypoint.sh serve config.yaml = dex serve /tmp/dex-config.yaml-ABCDEFG
-### * If command is not in the list of known dex commands, it will be executed bypassing entrypoint.
-### Example: docker-entrypoint.sh echo "Hello!" = echo "Hello!"
+function main() {
+ executable=$1
+ command=$2
-command=$1
-
-case "$command" in
- serve)
- for file_candidate in $@ ; do
- if test -f "$file_candidate"; then
- tmpfile=$(mktemp /tmp/dex.config.yaml-XXXXXX)
- gomplate -f "$file_candidate" -o "$tmpfile"
-
- args="${args} ${tmpfile}"
- else
- args="${args} ${file_candidate}"
- fi
- done
- exec dex $args
- ;;
- --help|-h|version)
+ if [[ "$executable" != "dex" ]] && [[ "$executable" != "$(which dex)" ]]; then
 exec $@
- ;;
- *)
+ fi
+
+ if [[ "$command" != "serve" ]]; then
 exec $@
+ fi
+
+ for tpl_candidate in $@ ; do
+ case "$tpl_candidate" in
+ *.tpl|*.tmpl|*.yaml)
+ tmp_file=$(mktemp /tmp/dex.config.yaml-XXXXXX)
+ gomplate -f "$tpl_candidate" -o "$tmp_file"
+
+ args="${args} ${tmp_file}"
+ ;;
+ *)
+ args="${args} ${tpl_candidate}"
+ ;;
+ esac
+ done
+ exec $args
+}
+
+main $@
From 715fee7a013237d52950f69e811b6f7e0619a38b Mon Sep 17 00:00:00 2001
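Review bot: The rewritten script still passes arguments unquoted — `main $@`, `exec $@`, `for tpl_candidate in $@`, `exec $args` — so paths with spaces or glob characters (and any argument that happens to match a file name in the working directory) are mangled before dex sees them, and `-e` cannot catch that. The fix is to quote `"$@"` everywhere and rebuild the positional parameters with `set --`/`shift` instead of accumulating a whitespace-joined `args` string; sketch below. Two smaller points: `function main()` and `[[ … ]]` are bash syntax under a `#!/bin/sh` shebang — Alpine's busybox ash appears to accept them in its bash-compat mode, but `main() {` and `[ … ]` are portable and cost nothing; and the `*.yaml` pattern means any plain YAML config handed to `dex serve` is run through gomplate, so a literal `{{` in it is evaluated rather than preserved, which deserves a line in the usage header.
```shell
main() {
  executable=$1
  command=$2

  if [ "$executable" != "dex" ] && [ "$executable" != "$(which dex)" ]; then
    exec "$@"
  fi

  if [ "$command" != "serve" ]; then
    exec "$@"
  fi

  # Rotate through the positional parameters, replacing template files with
  # their rendered copies; quoting survives because the list is never joined.
  for tpl_candidate in "$@"; do
    case "$tpl_candidate" in
      *.tpl|*.tmpl|*.yaml)
        tmp_file=$(mktemp /tmp/dex.config.yaml-XXXXXX)
        gomplate -f "$tpl_candidate" -o "$tmp_file"
        set -- "$@" "$tmp_file"
        ;;
      *)
        set -- "$@" "$tpl_candidate"
        ;;
    esac
    shift
  done
  exec "$@"
}

main "$@"
```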
From: "m.nabokikh" Date: Wed, 10 Feb 2021 19:44:05 +0400 Subject: [PATCH 10/10] Switch to slim version of a gomplate and add a comment to docker config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Márk Sági-Kazár Signed-off-by: m.nabokikh --- Dockerfile | 2 +- config.docker.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 9f3418c8..6d6cbfe3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,7 +29,7 @@ ARG TARGETVARIANT
 ENV GOMPLATE_VERSION=v3.9.0
 RUN wget -O /usr/local/bin/gomplate \
- "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
+ "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}-slim" \
 && chmod +x /usr/local/bin/gomplate
diff --git a/config.docker.yaml b/config.docker.yaml
index 341544e6..c5d2a47b 100644
--- a/config.docker.yaml
+++ b/config.docker.yaml
@@ -1,3 +1,5 @@
+{{- /* NOTE: This configuration file is an example and exists only for development purposes. */ -}}
+{{- /* To find more about gomplate formatting, please visit its documentation site - https://docs.gomplate.ca/ */ -}}
 issuer: {{ getenv "DEX_ISSUER" "http://127.0.0.1:5556/dex" }}
 storage:
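Review bot: The new header comment says the file "exists only for development purposes", yet the image's `CMD ["dex", "serve", "/etc/dex/config.docker.yaml"]` from patch 09 boots exactly this file by default, so an operator who runs the image unchanged gets the development settings — plaintext `http` on `0.0.0.0:5556`, an `http://127.0.0.1` issuer, sqlite storage and `enablePasswordDB: true` — without being told to override them. The comment should say so explicitly, e.g. `{{- /* NOTE: Development-only defaults (plaintext HTTP, sqlite, local password DB). Production deployments must mount their own config and override CMD. */ -}}`. On the Dockerfile side the `-slim` asset change keeps the download unverified; a per-platform SHA-256 check in the same `RUN` would pin it.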