diff --git a/Dockerfile b/Dockerfile
index 22198e65369bdadfa63e01edf3d6b29a840d6fe9..11d672f7331b3a3ebf7899a8d6754a87941be4fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,10 @@
+ARG BASEIMAGE=alpine:3.15.0
+
FROM golang:1.17.6-alpine3.14 AS builder
WORKDIR /usr/local/src/dex
-RUN apk add --no-cache --update alpine-sdk
+RUN apk add --no-cache --update alpine-sdk ca-certificates openssl
ARG TARGETOS
ARG TARGETARCH
@@ -20,6 +22,12 @@ COPY . .
RUN make release-binary
+FROM alpine:3.15.0 AS stager
+
+RUN mkdir -p /var/dex
+RUN mkdir -p /etc/dex
+COPY config.docker.yaml /etc/dex/
+
FROM alpine:3.15.0 AS gomplate
ARG TARGETOS
@@ -33,34 +41,29 @@ RUN wget -O /usr/local/bin/gomplate \
&& chmod +x /usr/local/bin/gomplate
-FROM alpine:3.15.0
+FROM $BASEIMAGE
# Dex connectors, such as GitHub and Google logins require root certificates.
# Proper installations should manage those certificates, but it's a bad user
# experience when this doesn't work out of the box.
#
-# OpenSSL is required so wget can query HTTPS endpoints for health checking.
-RUN apk add --no-cache --update ca-certificates openssl
+# See https://go.dev/src/crypto/x509/root_linux.go for Go root CA bundle locations.
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-RUN mkdir -p /var/dex
-RUN chown -R 1001:1001 /var/dex
-
-RUN mkdir -p /etc/dex
-COPY config.docker.yaml /etc/dex/
-RUN chown -R 1001:1001 /etc/dex
+COPY --from=stager --chown=1001:1001 /var/dex /var/dex
+COPY --from=stager --chown=1001:1001 /etc/dex /etc/dex
# Copy module files for CVE scanning / dependency analysis.
COPY --from=builder /usr/local/src/dex/go.mod /usr/local/src/dex/go.sum /usr/local/src/dex/
COPY --from=builder /usr/local/src/dex/api/v2/go.mod /usr/local/src/dex/api/v2/go.sum /usr/local/src/dex/api/v2/
COPY --from=builder /go/bin/dex /usr/local/bin/dex
+COPY --from=builder /go/bin/docker-entrypoint /usr/local/bin/docker-entrypoint
COPY --from=builder /usr/local/src/dex/web /srv/dex/web
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
USER 1001:1001
-COPY docker-entrypoint.sh /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
CMD ["dex", "serve", "/etc/dex/config.docker.yaml"]
diff --git a/Makefile b/Makefile
index 3d68348477fc6683c5be0472a5eecb879c5e7324..b4f9ed12a2c3112de34338e0fc81aa9ca39f87e6 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@ group=$(shell id -g -n)
export GOBIN=$(PWD)/bin
-LD_FLAGS="-w -X main.version=$(VERSION)"
+LD_FLAGS="-w -X main.version=$(VERSION) -extldflags \"-static\""
# Dependency versions
@@ -48,6 +48,7 @@ bin/example-app:
.PHONY: release-binary
release-binary: generate
@go build -o /go/bin/dex -v -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/dex
+ @go build -o /go/bin/docker-entrypoint -v -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/docker-entrypoint
docker-compose.override.yaml:
cp docker-compose.override.yaml.dist docker-compose.override.yaml
diff --git a/cmd/docker-entrypoint/main.go b/cmd/docker-entrypoint/main.go
new file mode 100644
index 0000000000000000000000000000000000000000..0c507d17121f00137ffcbc78bdcecf2a0534ba75
--- /dev/null
+++ b/cmd/docker-entrypoint/main.go
@@ -0,0 +1,92 @@
+// Package main provides a utility program to launch the Dex container process with an optional
+// templating step (provided by gomplate).
+//
+// This was originally written as a shell script, but we rewrote it as a Go program so that it could
+// run as a raw binary in a distroless container.
+package main
+
+import (
+ "fmt"
+ "os"
+ "os/exec"
+ "strings"
+ "syscall"
+)
+
+func main() {
+ // Note that this docker-entrypoint program is args[0], and it is provided with the true process
+ // args.
+ args := os.Args[1:]
+
+ if err := run(args, realExec, realWhich); err != nil {
+ fmt.Println("error:", err.Error())
+ os.Exit(1)
+ }
+}
+
+func realExec(fork bool, args ...string) error {
+ if fork {
+ if output, err := exec.Command(args[0], args[1:]...).CombinedOutput(); err != nil {
+ return fmt.Errorf("cannot fork/exec command %s: %w (output: %q)", args, err, string(output))
+ }
+ return nil
+ }
+
+ argv0, err := exec.LookPath(args[0])
+ if err != nil {
+ return fmt.Errorf("cannot lookup path for command %s: %w", args[0], err)
+ }
+
+ if err := syscall.Exec(argv0, args, os.Environ()); err != nil {
+ return fmt.Errorf("cannot exec command %s (%q): %w", args, argv0, err)
+ }
+
+ return nil
+}
+
+func realWhich(path string) string {
+ fullPath, err := exec.LookPath(path)
+ if err != nil {
+ return ""
+ }
+ return fullPath
+}
+
+func run(args []string, execFunc func(bool, ...string) error, whichFunc func(string) string) error {
+ if args[0] != "dex" && args[0] != whichFunc("dex") {
+ return execFunc(false, args...)
+ }
+
+ if args[1] != "serve" {
+ return execFunc(false, args...)
+ }
+
+ newArgs := []string{}
+ for _, tplCandidate := range args {
+ if hasSuffixes(tplCandidate, ".tpl", ".tmpl", ".yaml") {
+ tmpFile, err := os.CreateTemp("/tmp", "dex.config.yaml-*")
+ if err != nil {
+ return fmt.Errorf("cannot create temp file: %w", err)
+ }
+
+ if err := execFunc(true, "gomplate", "-f", tplCandidate, "-o", tmpFile.Name()); err != nil {
+ return err
+ }
+
+ newArgs = append(newArgs, tmpFile.Name())
+ } else {
+ newArgs = append(newArgs, tplCandidate)
+ }
+ }
+
+ return execFunc(false, newArgs...)
+}
+
+func hasSuffixes(s string, suffixes ...string) bool {
+ for _, suffix := range suffixes {
+ if strings.HasSuffix(s, suffix) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/cmd/docker-entrypoint/main_test.go b/cmd/docker-entrypoint/main_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..c8aef16979c6ae3fb776a08890303e93ba8dd99b
--- /dev/null
+++ b/cmd/docker-entrypoint/main_test.go
@@ -0,0 +1,113 @@
+package main
+
+import (
+ "strings"
+ "testing"
+)
+
+type execArgs struct {
+ fork bool
+ argPrefixes []string
+}
+
+func TestRun(t *testing.T) {
+ tests := []struct {
+ name string
+ args []string
+ execReturns error
+ whichReturns string
+ wantExecArgs []execArgs
+ wantErr error
+ }{
+ {
+ name: "executable not dex",
+ args: []string{"tuna", "fish"},
+ wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"tuna", "fish"}}},
+ },
+ {
+ name: "executable is full path to dex",
+ args: []string{"/usr/local/bin/dex", "marshmallow", "zelda"},
+ whichReturns: "/usr/local/bin/dex",
+ wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"/usr/local/bin/dex", "marshmallow", "zelda"}}},
+ },
+ {
+ name: "command is not serve",
+ args: []string{"dex", "marshmallow", "zelda"},
+ wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "marshmallow", "zelda"}}},
+ },
+ {
+ name: "no templates",
+ args: []string{"dex", "serve", "config.yaml.not-a-template"},
+ wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}},
+ },
+ {
+ name: "no templates",
+ args: []string{"dex", "serve", "config.yaml.not-a-template"},
+ wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}},
+ },
+ {
+ name: ".tpl template",
+ args: []string{"dex", "serve", "config.tpl"},
+ wantExecArgs: []execArgs{
+ {fork: true, argPrefixes: []string{"gomplate", "-f", "config.tpl", "-o", "/tmp/dex.config.yaml-"}},
+ {fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}},
+ },
+ },
+ {
+ name: ".tmpl template",
+ args: []string{"dex", "serve", "config.tmpl"},
+ wantExecArgs: []execArgs{
+ {fork: true, argPrefixes: []string{"gomplate", "-f", "config.tmpl", "-o", "/tmp/dex.config.yaml-"}},
+ {fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}},
+ },
+ },
+ {
+ name: ".yaml template",
+ args: []string{"dex", "serve", "some/path/config.yaml"},
+ wantExecArgs: []execArgs{
+ {fork: true, argPrefixes: []string{"gomplate", "-f", "some/path/config.yaml", "-o", "/tmp/dex.config.yaml-"}},
+ {fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}},
+ },
+ },
+ }
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ var gotExecForks []bool
+ var gotExecArgs [][]string
+ fakeExec := func(fork bool, args ...string) error {
+ gotExecForks = append(gotExecForks, fork)
+ gotExecArgs = append(gotExecArgs, args)
+ return test.execReturns
+ }
+
+ fakeWhich := func(_ string) string { return test.whichReturns }
+
+ gotErr := run(test.args, fakeExec, fakeWhich)
+ if (test.wantErr == nil) != (gotErr == nil) {
+ t.Errorf("wanted error %s, got %s", test.wantErr, gotErr)
+ }
+ if !execArgsMatch(test.wantExecArgs, gotExecForks, gotExecArgs) {
+ t.Errorf("wanted exec args %+v, got %+v %+v", test.wantExecArgs, gotExecForks, gotExecArgs)
+ }
+ })
+ }
+}
+
+func execArgsMatch(wantExecArgs []execArgs, gotForks []bool, gotExecArgs [][]string) bool {
+ if len(wantExecArgs) != len(gotForks) {
+ return false
+ }
+
+ for i := range wantExecArgs {
+ if wantExecArgs[i].fork != gotForks[i] {
+ return false
+ }
+ for j := range wantExecArgs[i].argPrefixes {
+ if !strings.HasPrefix(gotExecArgs[i][j], wantExecArgs[i].argPrefixes[j]) {
+ return false
+ }
+ }
+ }
+
+ return true
+}
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
deleted file mode 100755
index bb12d313b38dc04e026aad79c751c9aab1b7cfb1..0000000000000000000000000000000000000000
--- a/docker-entrypoint.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -e
-
-### Usage: /docker-entrypoint.sh <command> <args>
-function main() {
- executable=$1
- command=$2
-
- if [[ "$executable" != "dex" ]] && [[ "$executable" != "$(which dex)" ]]; then
- exec $@
- fi
-
- if [[ "$command" != "serve" ]]; then
- exec $@
- fi
-
- for tpl_candidate in $@ ; do
- case "$tpl_candidate" in
- *.tpl|*.tmpl|*.yaml)
- tmp_file=$(mktemp /tmp/dex.config.yaml-XXXXXX)
- gomplate -f "$tpl_candidate" -o "$tmp_file"
-
- args="${args} ${tmp_file}"
- ;;
- *)
- args="${args} ${tpl_candidate}"
- ;;
- esac
- done
- exec $args
-}
-
-main $@