Merging 7.4.0

.dockerignore

@@ -1,4 +1,5 @@
 Dockerfile.dev
+Dockerfile
 docs
 vendor
 .git

.github/workflows/docs.yaml

@@ -16,9 +16,11 @@ jobs:
       - uses: actions/checkout@v1
       - uses: actions/setup-node@v1
         with:
-          node-version: '12.x'
+          node-version: '17.x'
       - name: Test Build
         working-directory: ./docs
+        env:
+          NODE_OPTIONS: --openssl-legacy-provider
         run: |
           if [ -e yarn.lock ]; then
           yarn install --frozen-lockfile
@@ -35,10 +37,11 @@ jobs:
       - uses: actions/checkout@v1
       - uses: actions/setup-node@v1
         with:
-          node-version: '12.x'
+          node-version: '17.x'
       - name: Add key to allow access to repository
         env:
           SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+          NODE_OPTIONS: --openssl-legacy-provider
         run: |
           mkdir -p ~/.ssh
           ssh-keyscan github.com >> ~/.ssh/known_hosts
@@ -54,6 +57,7 @@ jobs:
         env:
           USE_SSH: true
           GIT_USER: git
+          NODE_OPTIONS: --openssl-legacy-provider
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "gh-actions"

.gitignore

@@ -18,6 +18,7 @@ c.out
 _obj
 _test
 .idea/
+.vscode/
 
 # Architecture specific extensions/prefixes
 *.[568vq]

AutomationTest/obj/Debug/netcoreapp3.1/Philips.EDI.Foundation.APIGateway.AutomationTest.AssemblyInfo.cs

@@ -1,22 +1,22 @@
-//------------------------------------------------------------------------------
-// <auto-generated>
-//     This code was generated by a tool.
-//
-//     Changes to this file may cause incorrect behavior and will be lost if
-//     the code is regenerated.
-// </auto-generated>
-//------------------------------------------------------------------------------
-
-using System;
-using System.Reflection;
-
-[assembly: System.Reflection.AssemblyCompanyAttribute("Philips")]
-[assembly: System.Reflection.AssemblyConfigurationAttribute("Debug")]
-[assembly: System.Reflection.AssemblyFileVersionAttribute("1.0.2.0")]
-[assembly: System.Reflection.AssemblyInformationalVersionAttribute("1.0.2")]
-[assembly: System.Reflection.AssemblyProductAttribute("Philips.EDI.Foundation.APIGateway.AutomationTest")]
-[assembly: System.Reflection.AssemblyTitleAttribute("Philips.EDI.Foundation.APIGateway.AutomationTest")]
-[assembly: System.Reflection.AssemblyVersionAttribute("1.0.2.0")]
-
-// Generated by the MSBuild WriteCodeFragment class.
-
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by a tool.
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+using System;
+using System.Reflection;
+
+[assembly: System.Reflection.AssemblyCompanyAttribute("Philips")]
+[assembly: System.Reflection.AssemblyConfigurationAttribute("Debug")]
+[assembly: System.Reflection.AssemblyFileVersionAttribute("1.0.2.0")]
+[assembly: System.Reflection.AssemblyInformationalVersionAttribute("1.0.2")]
+[assembly: System.Reflection.AssemblyProductAttribute("Philips.EDI.Foundation.APIGateway.AutomationTest")]
+[assembly: System.Reflection.AssemblyTitleAttribute("Philips.EDI.Foundation.APIGateway.AutomationTest")]
+[assembly: System.Reflection.AssemblyVersionAttribute("1.0.2.0")]
+
+// Generated by the MSBuild WriteCodeFragment class.
+

AutomationTest/obj/Debug/netcoreapp3.1/Philips.EDI.Foundation.APIGateway.AutomationTest.AssemblyInfoInputs.cache

@@ -1 +1 @@
-7d70c0bc511987c3ae105cb98159f5949d6dabfa
+7d70c0bc511987c3ae105cb98159f5949d6dabfa

AutomationTest/obj/Debug/netcoreapp3.1/Philips.EDI.Foundation.APIGateway.AutomationTest.GeneratedMSBuildEditorConfig.editorconfig

@@ -1,3 +1,3 @@
-is_global = true
-build_property.RootNamespace = Philips.EDI.Foundation.APIGateway.AutomationTest
-build_property.ProjectDir = c:\oauth2-proxy\AutomationTest\
+is_global = true
+build_property.RootNamespace = Philips.EDI.Foundation.APIGateway.AutomationTest
+build_property.ProjectDir = c:\git\philips-forks\oauth2-proxy\AutomationTest\

Dockerfile

@@ -1,32 +1,54 @@
-FROM golang:1.16-buster AS builder
+# This ARG has to be at the top, otherwise the docker daemon does not known what to do with FROM ${RUNTIME_IMAGE}
+ARG RUNTIME_IMAGE=alpine:3.17.2
+
+# All builds should be done using the platform native to the build node to allow
+#  cache sharing of the go mod download step.
+# Go cross compilation is also faster than emulation the go compilation across
+#  multiple platforms.
+FROM --platform=${BUILDPLATFORM} golang:1.19-buster AS builder
 
 # Copy sources
 WORKDIR $GOPATH/src/github.com/oauth2-proxy/oauth2-proxy
 
 # Fetch dependencies
 COPY go.mod go.sum ./
-RUN GO111MODULE=on go mod download
+RUN go mod download
 
 # Now pull in our code
 COPY . .
 
+# Arguments go here so that the previous steps can be cached if no external
+#  sources have changed.
 ARG VERSION
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
 
 # Build binary and make sure there is at least an empty key file.
 #  This is useful for GCP App Engine custom runtime builds, because
 #  you cannot use multiline variables in their app.yaml, so you have to
 #  build the key into the container and then tell it where it is
 #  by setting OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem
 #  in app.yaml instead.
-RUN VERSION=${VERSION} make build && touch jwt_signing_key.pem
+# Set the cross compilation arguments based on the TARGETPLATFORM which is
+#  automatically set by the docker engine.
+RUN case ${TARGETPLATFORM} in \
+    "linux/amd64")  GOARCH=amd64  ;; \
+    # arm64 and arm64v8 are equivilant in go and do not require a goarm
+    # https://github.com/golang/go/wiki/GoArm
+    "linux/arm64" | "linux/arm64/v8")  GOARCH=arm64  ;; \
+    "linux/ppc64le")  GOARCH=ppc64le  ;; \
+    "linux/arm/v6") GOARCH=arm GOARM=6  ;; \
+    esac && \
+    printf "Building OAuth2 Proxy for arch ${GOARCH}\n" && \
+    GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem
 
 # Copy binary to alpine
-FROM alpine:3.17.2
+FROM ${RUNTIME_IMAGE}
 COPY nsswitch.conf /etc/nsswitch.conf
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
 
-USER 2000:2000
+# UID/GID 65532 is also known as nonroot user in distroless image
+USER 65532:65532
 
 ENTRYPOINT ["/bin/oauth2-proxy"]

Makefile

@@ -10,11 +10,9 @@ REGISTRY ?= docker.na1.hsdp.io/edi
 GO_MAJOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f1)
 GO_MINOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f2)
 MINIMUM_SUPPORTED_GO_MAJOR_VERSION = 1
-MINIMUM_SUPPORTED_GO_MINOR_VERSION = 15
+MINIMUM_SUPPORTED_GO_MINOR_VERSION = 18
 GO_VERSION_VALIDATION_ERR_MSG = Golang version is not supported, please update to at least $(MINIMUM_SUPPORTED_GO_MAJOR_VERSION).$(MINIMUM_SUPPORTED_GO_MINOR_VERSION)
 
-DOCKER_BUILD := docker build --build-arg VERSION=${VERSION}
-
 ifeq ($(COVER),true)
 TESTCOVER ?= -coverprofile c.out
 endif
@@ -24,8 +22,8 @@ all: lint $(BINARY)
 
 .PHONY: clean
 clean:
-	rm -rf release
-	rm -f $(BINARY)
+	-rm -rf release
+	-rm -f $(BINARY)
 
 .PHONY: distclean
 distclean: clean
@@ -39,35 +37,47 @@ lint: validate-go-version
 build: validate-go-version clean $(BINARY)
 
 $(BINARY):
-	GO111MODULE=on CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X main.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7
+	CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X main.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7
+
+DOCKER_BUILD_PLATFORM ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm64/v8
+DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.15
+DOCKER_BUILDX_ARGS ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}
+DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
+DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM}
+DOCKER_BUILDX_PUSH := docker buildx build --push ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION}
+DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM}
 
 .PHONY: docker
 docker:
-	$(DOCKER_BUILD) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:latest .
+	$(DOCKER_BUILDX_X_PLATFORM) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:latest .
 
 .PHONY: docker-all
 docker-all: docker
-	$(DOCKER_BUILD) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:latest-amd64 .
-	$(DOCKER_BUILD) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:${VERSION} .
-	$(DOCKER_BUILD) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:${VERSION}-amd64 .
-	$(DOCKER_BUILD) -f Dockerfile.arm64 -t $(REGISTRY)/oauth2-proxy:latest-arm64 .
-	$(DOCKER_BUILD) -f Dockerfile.arm64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-arm64 .
-	$(DOCKER_BUILD) -f Dockerfile.armv6 -t $(REGISTRY)/oauth2-proxy:latest-armv6 .
-	$(DOCKER_BUILD) -f Dockerfile.armv6 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv6 .
+	$(DOCKER_BUILDX) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:latest-amd64 .
+	$(DOCKER_BUILDX_X_PLATFORM) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:${VERSION} .
+	$(DOCKER_BUILDX) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-amd64 .
+	$(DOCKER_BUILDX) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:latest-arm64 .
+	$(DOCKER_BUILDX) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-arm64 .
+	$(DOCKER_BUILDX) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:latest-ppc64le .
+	$(DOCKER_BUILDX) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:${VERSION}-ppc64le .
+	$(DOCKER_BUILDX) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:latest-armv6 .
+	$(DOCKER_BUILDX) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv6 .
 
 .PHONY: docker-push
 docker-push:
-	docker push $(REGISTRY)/oauth2-proxy:latest
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest .
 
 .PHONY: docker-push-all
 docker-push-all: docker-push
-	docker push $(REGISTRY)/oauth2-proxy:latest-amd64
-	docker push $(REGISTRY)/oauth2-proxy:${VERSION}
-	docker push $(REGISTRY)/oauth2-proxy:${VERSION}-amd64
-	docker push $(REGISTRY)/oauth2-proxy:latest-arm64
-	docker push $(REGISTRY)/oauth2-proxy:${VERSION}-arm64
-	docker push $(REGISTRY)/oauth2-proxy:latest-armv6
-	docker push $(REGISTRY)/oauth2-proxy:${VERSION}-armv6
+	$(DOCKER_BUILDX_PUSH) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:latest-amd64 .
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:${VERSION} .
+	$(DOCKER_BUILDX_PUSH) --platform linux/amd64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-amd64 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:latest-arm64 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/arm64 -t $(REGISTRY)/oauth2-proxy:${VERSION}-arm64 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:latest-ppc64le .
+	$(DOCKER_BUILDX_PUSH) --platform linux/ppc64le -t $(REGISTRY)/oauth2-proxy:${VERSION}-ppc64le .
+	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:latest-armv6 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v6 -t $(REGISTRY)/oauth2-proxy:${VERSION}-armv6 .
 
 .PHONY: generate
 generate:

README.md

@@ -23,18 +23,18 @@ Going forward, all images shall be available at `quay.io/oauth2-proxy/oauth2-pro
 
 1.  Choose how to deploy:
 
-    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.1.0`)
+    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.4.0`)
 
-    b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy` which will put the binary in `$GOROOT/bin`
+    b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy/v7` which will put the binary in `$GOROOT/bin`
 
-    c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, ARMv6 and ARM64 tags available)
+    c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, PPC64LE, ARMv6, ARMv8 and ARM64 available)
 
-Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`.
+    Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`.
 
-```
-sha256sum -c sha256sum.txt 2>&1 | grep OK
-oauth2-proxy-x.y.z.linux-amd64: OK
-```
+    ```
+    sha256sum -c sha256sum.txt 2>&1 | grep OK
+    oauth2-proxy-x.y.z.linux-amd64: OK
+    ```
 
 2.  [Select a Provider and Register an OAuth Application with a Provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider)
 3.  [Configure OAuth2 Proxy using config file, command line options, or environment variables](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview)
@@ -44,7 +44,7 @@ oauth2-proxy-x.y.z.linux-amd64: OK
 ## Security
 
 If you are running a version older than v6.0.0 we **strongly recommend you please update** to a current version.
-See [open redirect vulnverability](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv) for details.
+See [open redirect vulnerability](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv) for details.
 
 ## Docs
 

contrib/local-environment/Makefile

@@ -12,7 +12,7 @@ alpha-config-up:
 
 .PHONY: alpha-config-%
 alpha-config-%:
-	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*
+	docker-compose -f docker-compose.yaml -f docker-compose-alpha-config.yaml $*
 
 .PHONY: nginx-up
 nginx-up:

contrib/local-environment/docker-compose-keycloak.yaml

@@ -15,7 +15,7 @@ services:
 
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.2
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     volumes: