Prepare usage of build secrets (#303)

* sort .gitignore and add apt_auth.conf to it
* add helper to setup.sh to create apt_auth.conf (user still needs to enter their own credentials)
   * only create apt_auth.conf in make if it doesn't already exist
* add tooling to core dockerfile and makefile to use build secrets
* add ignore for hadolint as mounting syntax is currently not supported so far
* update to latest docker on travis for buildkit support
* documentation
* sort gitignore
* add dockerfile syntax definition for build args

.ci/travis-buildkit.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+# update to latest docker for buildkit support
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
+
+# get base images to pull, as it will otherwise fail in travis
+# git ls-files | xargs awk -F' ' '/^FROM/ { print $2 }' | sort -n | uniq | xargs --max-lines=1 docker pull
+
+docker pull docker/dockerfile:1.0-experimental
+docker pull docker.io/docker/dockerfile-copy:v0.1.9

.gitignore

@@ -1,14 +1,14 @@
-.vscode/settings.json
-**/.vscode
 !.travis.yml
-.travis/config.yml
-data/*
-dive.log
 .env
+.travis/config.yml
+.vagrant
+.vscode/settings.json
 *.env
-docker-compose.override.yml
+*.pem
+**/.vscode
+apt_auth.conf
 build.tags
 calendar/kopano-calendar-*/
-*.pem
+data/*
-apt_auth.conf
+dive.log
-.vagrant
+docker-compose.override.yml

.markdownlint.json

@@ -0,0 +1,5 @@
+{
+    "MD013": false,
+    "MD026": false,
+    "MD034": false
+}

.travis.yml

@@ -9,6 +9,7 @@ services:
 before_install:
   - sudo rm /usr/local/bin/docker-compose # remove pre-installed docker-compose (too old)
   - bash .ci/setup-tools.sh
+  - .ci/travis-buildkit.sh # upgrade docker for buildkit support
 install:
   - "./version.sh"
   - make lint

Makefile

@@ -56,7 +56,10 @@ ifdef TRAVIS
 	@echo "fetching previous build to warm up build cache (only on travis)"
 	docker pull  $(docker_repo)/kopano_$(component):builder || true
 endif
-	docker build --rm \
+ifeq (,$(wildcard ./apt_auth.conf))
+	touch apt_auth.conf
+endif
+	DOCKER_BUILDKIT=1 docker build --rm \
 		--build-arg VCS_REF=$(vcs_ref) \
 		--build-arg docker_repo=${docker_repo} \
 		--build-arg KOPANO_CORE_VERSION=${core_download_version} \
@@ -76,6 +79,7 @@ endif
 		--build-arg KOPANO_GID=$(KOPANO_GID) \
 		--cache-from $(docker_repo)/kopano_$(component):builder \
 		--cache-from $(docker_repo)/kopano_$(component):latest \
+		--secret id=repocred,src=apt_auth.conf --progress=plain \
 		-t $(docker_repo)/kopano_$(component) $(component)/
 
 .PHONY: build-simple
@@ -94,7 +98,7 @@ ifdef TRAVIS
 	@echo "fetching previous build to warm up build cache (only on travis)"
 	docker pull  $(docker_repo)/kopano_$(component):builder || true
 endif
-	docker build --rm \
+	DOCKER_BUILDKIT=1 docker build --rm \
 		--target builder \
 		--build-arg VCS_REF=$(vcf_ref) \
 		--build-arg docker_repo=${docker_repo} \
@@ -159,7 +163,7 @@ build-kdav:
 	component=kdav make build
 
 build-scheduler:
-	docker pull docker:18.09
+	docker pull docker:19.03
 	component=scheduler make build-simple
 
 build-ssl:

README.md

@@ -1,4 +1,5 @@
 # (unofficial) Kopano Docker Images
+
 [![Build Status](https://travis-ci.com/zokradonh/kopano-docker.svg?branch=master)](https://travis-ci.com/zokradonh/kopano-docker)
 
 This repository contains an easy to replicate recipe to spin up a [Kopano](https://kopano.com/) demo environment, which can (through modification of `.env` and possibly `docker-compose.yml`/`docker-compose.override.yml`) also be used for production environments.
@@ -7,18 +8,21 @@ This repository contains an easy to replicate recipe to spin up a [Kopano](https
 
 - make sure that you are running at least Docker 17.06.0 and [Docker Compose](https://docs.docker.com/compose/install/) 1.19.0.
 - clone this repository to your local disk
-- run `setup.sh`
+- run `setup.sh`:
-  - this script will ask you a few questions about your environment.
+  - this script will ask you a few questions about your environment
   - If you are just interested in the demo environment you can accept the default values by pressing `Enter` on each question
 - now run `docker-compose up` and you will see how the remaining Docker images are pulled and then everything is started
 - after startup has succeeded you can access the Kopano WebApp by going to `https://kopano.demo/webapp`
-- there are already some users created in the demo LDAP. These users all have a password that is identical to the username, e.g. the password for `user1` user `user1`.
+- there are already some users created in the demo LDAP
+  - these users all have a password that is identical to the username, e.g. the password for `user1` user `user1`
+- to build own containers at least Docker 19.03 is required
+  - this is due to the usage of build-time secrets
 
 If you want to get an impression how the containers interact/relate with each other have a look at the [architecture](ARCHITECTURE.md) description.
 
 **Note:** There have been reports about the LDAP demo not starting up on MacOS. It is recommended to use a Linux OS if you want to use the bundled LDAP image.
 
-The `docker-compose.yml` file by default pulls Docker containers from https://hub.docker.com/r/zokradonh/kopano_core/ and https://hub.docker.com/r/zokradonh/kopano_webapp/. These images are based on the [Kopano nightly builds](https://download.kopano.io/community/) and will contain the latest version available from the time the image was built.
+The `docker-compose.yml` file by default pulls Docker containers from for example https://hub.docker.com/r/zokradonh/kopano_core/ and https://hub.docker.com/r/zokradonh/kopano_webapp/. These images are based on the [Kopano nightly builds](https://download.kopano.io/community/) and will contain the latest version available from the time the image was built.
 
 ## Troubleshooting
 
@@ -91,25 +95,30 @@ This project also makes it possible to build Docker images based on the official
 # Docker Repository to push to/pull from
 docker_repo=zokradonh
 COMPOSE_PROJECT_NAME=kopano
+COMPOSE_FILE=docker-compose.yml:docker-compose.ports.yml:docker-compose.db.yml:docker-compose.ldap.yml:docker-compose.mail.yml
 
-# Modify below to build a different version, than the kopano nightly release
+# Modify below to build a different version, than the Kopano nightly release
-#KOPANO_CORE_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/core:/final/Debian_9.0/
+# credentials for repositories are handled through a file called apt_auth.conf (which will be created through setup.sh or Makefile)
-#KOPANO_WEBAPP_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/webapp:/final/Debian_9.0/
+#KOPANO_CORE_REPOSITORY_URL=https://download.kopano.io/supported/core:/9.x/Debian_10/
-#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/files:/final/Debian_9.0/
+#KOPANO_MEET_REPOSITORY_URL=https://download.kopano.io/supported/meet:/final/Debian_10/
-#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/mdm:/final/Debian_9.0/
+#KOPANO_WEBAPP_REPOSITORY_URL=https://download.kopano.io/supported/webapp:/final/Debian_10/
-#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/smime:/final/Debian_9.0/
+#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://download.kopano.io/supported/files:/final/Debian_10/
-#KOPANO_ZPUSH_REPOSITORY_URL=http://repo.z-hub.io/z-push:/final/Debian_9.0/
+#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://download.kopano.io/supported/mdm:/final/Debian_10/
+#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://download.kopano.io/supported/smime:/final/Debian_10/
+#KOPANO_ZPUSH_REPOSITORY_URL=http://repo.z-hub.io/z-push:/final/Debian_10/
 #RELEASE_KEY_DOWNLOAD=1
 #DOWNLOAD_COMMUNITY_PACKAGES=0
 ```
 
-Just uncomment the last four lines and insert your Kopano subscription key where it currently says `REPLACE-ME`. Once this is done a `make build-all` will rebuild the images based on the latest available Kopano release (don't forget to `make tag-core` and `make tag-webapp` your images after building them).
+The credentials for the Kopano package repositories can either be defined through the url itself, e.g. like `https://serial:REPLACE-ME@download.kopano.io/supported/core:/final/Debian_10/` or through an `apt_auth.conf` file. Using `apt_auth.conf` is preferred, since it does not "leak" credentials into the final image.
 
-If you are running a private Docker Registry then you may also change `docker_repo` to reference your internal registry.
+With the above lines uncommented and credentials in place running `make build-all` will rebuild the images based on the latest available Kopano release (don't forget to `make tag-core` and `make tag-webapp` your images after building them).
+
+If you are running a private Docker Registry then you have to change `docker_repo` to reference your internal registry. Afterward you can run for example `make publish-core` to push the image to your registry.
 
 ***WARNING***
 
-The built image includes your subscription key! Do not push this image to any public registry like e.g. https://hub.docker.com!
+When storing the credentials in the url the built image will include your subscription key! Do not push this image to any public registry like e.g. https://hub.docker.com!
 
 ### When building my own containers, how can I make sure my build works as expected?
 

core/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base
 
@@ -39,9 +40,10 @@ LABEL maintainer=az@zok.xyz \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # install Kopano Core and refresh ca-certificates
-# hadolint ignore=DL3015
+# hadolint currently does not understand the extended buildkit syntax https://github.com/hadolint/hadolint/issues/347
-RUN \
+# hadolint ignore=SC2215,DL3015
-    # apt key has already been installed in base
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
     echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
     # install
     apt-get update && \

kdav/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM composer:1.9 as builder
 
@@ -31,7 +32,9 @@ LABEL maintainer=az@zok.xyz \
     org.label-schema.schema-version="1.0"
 
 # install Kopano kDAV
-RUN \
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
     echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
     set -x && \
     apt-get update && apt-get install -y --no-install-recommends \

meet/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base:latest
 
@@ -30,8 +31,9 @@ LABEL maintainer=az@zok.xyz \
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# install Kopano Core and refresh ca-certificates
+# hadolint ignore=SC2215
-RUN \
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
     # community download and package as apt source repository
     . /kopano/helper/create-kopano-repo.sh && \
     if [ ${DOWNLOAD_COMMUNITY_PACKAGES} -eq 1 ]; then \

php/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base
 
@@ -28,8 +29,9 @@ LABEL maintainer=az@zok.xyz \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # add install common php dependencies
-# hadolint ignore=SC2129
+# hadolint ignore=SC2215
-RUN \
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
     echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
     # install
     set -x && \

playground/Dockerfile

@@ -10,7 +10,7 @@ RUN mv kapi/examples/* /web/kapi-playground
 WORKDIR /web/kapi-playground
 RUN rm Makefile && ln -s oidc-client-example.html index.html
 
-FROM halverneus/static-file-server:v1.7.0
+FROM halverneus/static-file-server:v1.8.0
 
 ARG CODE_VERSION
 

python/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base
 
@@ -27,8 +28,8 @@ LABEL maintainer=az@zok.xyz \
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# hadolint ignore=SC2129
+# hadolint ignore=SC2215
-RUN \
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
     echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
     # install
     set -x && \

scheduler/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker:18.09
+FROM docker:19.03
 
 ENV \
     DOCKERIZE_VERSION=v0.6.1 \

setup.sh

@@ -45,6 +45,11 @@ for dockerenv in ldap password-self-service mail db kopano_ssl kopano_server kop
 	touch ./"$dockerenv".env
 done
 
+if ! grep -q download.kopano.com ./apt_auth.conf 2&> /dev/null; then
+	echo "Adding example entry to local apt_auth.conf"
+	echo "machine download.kopano.com login serial REPLACE-ME" >> ./apt_auth.conf
+fi
+
 if [ ! -e ./.env ]; then
 	PRINT_SETUP_SUCCESS=""
 
@@ -334,13 +339,14 @@ docker_repo=zokradonh
 COMPOSE_PROJECT_NAME=kopano
 COMPOSE_FILE=docker-compose.yml:docker-compose.ports.yml:docker-compose.db.yml:docker-compose.ldap.yml:docker-compose.mail.yml
 
-# Modify below to build a different version, than the kopano nightly release
+# Modify below to build a different version, than the Kopano nightly release
-#KOPANO_CORE_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/core:/9.x/Debian_10/
+# credentials for repositories are handled through a file called apt_auth.conf (which will be created through setup.sh or Makefile)
-#KOPANO_MEET_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/meet:/final/Debian_10/
+#KOPANO_CORE_REPOSITORY_URL=https://download.kopano.io/supported/core:/9.x/Debian_10/
-#KOPANO_WEBAPP_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/webapp:/final/Debian_10/
+#KOPANO_MEET_REPOSITORY_URL=https://download.kopano.io/supported/meet:/final/Debian_10/
-#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/files:/final/Debian_10/
+#KOPANO_WEBAPP_REPOSITORY_URL=https://download.kopano.io/supported/webapp:/final/Debian_10/
-#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/mdm:/final/Debian_10/
+#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://download.kopano.io/supported/files:/final/Debian_10/
-#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/smime:/final/Debian_10/
+#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://download.kopano.io/supported/mdm:/final/Debian_10/
+#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://download.kopano.io/supported/smime:/final/Debian_10/
 #KOPANO_ZPUSH_REPOSITORY_URL=http://repo.z-hub.io/z-push:/final/Debian_10/
 #RELEASE_KEY_DOWNLOAD=1
 #DOWNLOAD_COMMUNITY_PACKAGES=0
@@ -354,7 +360,6 @@ ADDITIONAL_KOPANO_WEBAPP_PLUGINS="$ADDITIONAL_KOPANO_WEBAPP_PLUGINS"
 
 EOF
 else
-
 	if ! grep -q COMPOSE_FILE ./.env; then
 		echo "Adding COMPOSE_FILE setting to .env (for docker-compose.ports.yml)"
 		echo "COMPOSE_FILE=docker-compose.yml:docker-compose.ports.yml" >> ./.env

utils/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_core
 
@@ -9,7 +10,9 @@ LABEL maintainer=az@zok.xyz \
     org.label-schema.version=$KOPANO_CORE_VERSION \
     org.label-schema.schema-version="1.0"
 
-RUN apt-get update && apt-get install --no-install-recommends -y \
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    apt-get update && apt-get install --no-install-recommends -y \
     git \
     iputils-ping \
     kopano-backup \

webapp/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_php
 
@@ -22,12 +23,13 @@ ENV \
     KOPANO_CORE_REPOSITORY_URL=$KOPANO_CORE_REPOSITORY_URL \
     KOPANO_CORE_VERSION=$KOPANO_CORE_VERSION \
     KOPANO_REPOSITORY_FLAGS=$KOPANO_REPOSITORY_FLAGS \
-    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD \
+    KOPANO_WEBAPP_FILES_REPOSITORY_URL=$KOPANO_WEBAPP_FILES_REPOSITORY_URL \
+    KOPANO_WEBAPP_MDM_REPOSITORY_URL=$KOPANO_WEBAPP_MDM_REPOSITORY_URL \
     KOPANO_WEBAPP_REPOSITORY_URL=$KOPANO_WEBAPP_REPOSITORY_URL \
     KOPANO_WEBAPP_SMIME_REPOSITORY_URL=$KOPANO_WEBAPP_SMIME_REPOSITORY_URL \
-    KOPANO_WEBAPP_MDM_REPOSITORY_URL=$KOPANO_WEBAPP_MDM_REPOSITORY_URL \
+    KOPANO_WEBAPP_VERSION=$KOPANO_WEBAPP_VERSION \
-    KOPANO_WEBAPP_FILES_REPOSITORY_URL=$KOPANO_WEBAPP_FILES_REPOSITORY_URL \
+    LANG=en_US.UTF-8 \
-    KOPANO_WEBAPP_VERSION=$KOPANO_WEBAPP_VERSION
+    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD
 
 LABEL maintainer=az@zok.xyz \
     org.label-schema.name="Kopano WebApp container" \
@@ -39,10 +41,11 @@ LABEL maintainer=az@zok.xyz \
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# install Kopano WebApp and refresh ca-certificates
+# install Kopano WebApp
-# hadolint ignore=SC2129
+# hadolint ignore=SC2129,SC2215
-RUN \
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
     # community download and package as apt source repository
+    # TODO is it neccesary to source this file here? was already sourced before
     . /kopano/helper/create-kopano-repo.sh && \
     if [ ${DOWNLOAD_COMMUNITY_PACKAGES} -eq 1 ]; then \
         dl_and_package_community "webapp" "Debian_10"; \
@@ -73,8 +76,6 @@ COPY kweb.cfg /etc/kweb.cfg
 COPY start.sh /kopano/start.sh
 COPY goss* /goss/
 
-ENV LANG en_US.UTF-8
-
 WORKDIR /kopano/path
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]

zpush/Dockerfile

@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base
 
@@ -17,9 +18,10 @@ ENV \
     KOPANO_CORE_REPOSITORY_URL=$KOPANO_CORE_REPOSITORY_URL \
     KOPANO_CORE_VERSION=$KOPANO_CORE_VERSION \
     KOPANO_REPOSITORY_FLAGS=$KOPANO_REPOSITORY_FLAGS \
-    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD \
     KOPANO_ZPUSH_REPOSITORY_URL=$KOPANO_ZPUSH_REPOSITORY_URL \
-    KOPANO_ZPUSH_VERSION=$KOPANO_ZPUSH_VERSION
+    KOPANO_ZPUSH_VERSION=$KOPANO_ZPUSH_VERSION \
+    LANG=en_US.UTF-8 \
+    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD
 
 LABEL maintainer=az@zok.xyz \
     org.label-schema.name="Kopano Z-Push container" \
@@ -32,7 +34,9 @@ LABEL maintainer=az@zok.xyz \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # install Z-Push
-RUN \
+# TODO secret handling could go away when kopano_php is used as a base image
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
     echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
     # prepare z-push installation
     echo "deb ${KOPANO_ZPUSH_REPOSITORY_URL} /" > /etc/apt/sources.list.d/zpush.list && \
@@ -96,8 +100,6 @@ EXPOSE 80/tcp
 
 COPY start.sh /kopano/start.sh
 
-ENV LANG en_US.UTF-8
-
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD [ "/kopano/start.sh" ]