fix Docker user on arm

[karlskewes]

Description

Use simple USER directive.
Using addgroup in final arm image when building on amd64 doesn't work.
I must have made a mistake during cross build verification in #85 .

Alternative is to use qemu-static but it's not worth it for this.

Motivation and Context

Currently make docker-all fails on arm image build:

 ---> c3d3a165fb2f                                                                                                              
Step 12/14 : RUN addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy                                                                  
 ---> Running in 9fa5a83bce05                                                                                                                                           
standard_init_linux.go:207: exec user process caused "no such file or directory"                                                                                        
The command '/bin/sh -c addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy' returned a non-zero code: 1                                   
Makefile:54: recipe for target 'docker-all' failed                                                                                                                      
make: *** [docker-all] Error 1     

How Has This Been Tested?

make docker-all succeeds.

Verifying --version on arm64.

karl@k8s-w-01:~$ docker run --rm -it oauth2_proxy:latest-arm64 --version                                
oauth2_proxy v3.2.0-22-g93b7d31-dirty (built with go1.11.9)  

Verifying user on arm64.

karl@k8s-w-01:~$ docker run --rm -it --entrypoint ash oauth2_proxy:latest-arm64      
/ $ ls                                           
bin    dev    etc    home   lib    media  mnt    proc   root   run    sbin   srv    sys    tmp    usr    var
/ $ whoami                                                                                                
whoami: unknown uid 2000

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[wonderhoss]

I was surprised that this should be a problem only on arm64, given that we're using the same Alpine base image for all architectures.

For what it's worth, the original (master) docker build works for me and I'm wondering whether your issue was just a fluke.

That said, I don't mind using a generic UID, however see my inline comments about the group.

[karlskewes]

Were you able to build all the docker images using make docker-all?
How are the current images being built and pushed to Quay? I can't see anything in Travis or (public) Quay.
Somehow they are getting built correctly though.

karl@k8s-w-01:~$ docker run --rm -it --entrypoint ash quay.io/pusher/oauth2_proxy:latest-arm64                                  
/ $ id                                         
uid=2000(oauth2proxy) gid=2000(oauth2proxy) groups=2000(oauth2proxy)                                                            
/ $ exit                                                                                         
karl@k8s-w-01:~$ docker run --rm -it quay.io/pusher/oauth2_proxy:latest-arm64 --version
oauth2_proxy v3.2.0 (built with go1.11.4)                                                           

When I run make docker-all on my amd64 laptop:

1. The builder image (golang-stretch) will build for all arches as expected.
2. For amd64 the final alpine image will also build.
3. However for arm the docker build fails at the addgroup command for me because it is attempting to run an arm process (per FROM arm64v8/alpine) addgroup on my amd64 laptop.

Note building arm on arm requires switching to arm go dep binary in builder image wget step.

[wonderhoss]

Thanks for the clarification. I understand the issue better now.
I missed the fact that you are building on arm64.

The images on quay are currently built and pushed manually by us while we work on revamping CI. This is a temporary state of affairs but for testing it may still be valuable to do it locally and your PR should allow that to succeed.

[karlskewes]

Thank you! Saw the other issue about Prow.

Sorry, I'm not building on arm.
I am cross building, using amd64 to build all docker images with make docker-all.
A better changelog entry would have been fix cross build of ARM Docker images.

Regardless, this PR does allow me to build all 3 arches (amd64, arm64, armv6) on my amd64 laptop.
Thank you for merging.