
Remove elasticsearch from default capture proxy base image #1061

Merged: 11 commits, merged Oct 17, 2024

Conversation

@AndreKurait (Member) commented Oct 10, 2024

Description

Currently, the capture proxy container image builds on the es base image. This is not needed for running the capture proxy independently. This change modifies this base image to use AL2023.

This change uses a multi-staged build to generate the certs with openssl without including it in the final image.

Other Changes:

  • Cleaned up how cdk references docker images (uses local tag instead of rebuilding from final build directory)
  • Cleaned up how the migration console is built: made it more robust by using a dedicated build directory instead of the source directory, and fixed it erroneously being built
  • Fixed TrafficCaptureProxyServerTest dockerImageBuild by explicitly declaring dependencies

  • Category: Enhancement
  • Why these changes are required? Increased security
  • What is the old behavior before changes and new behavior after changes?

Issues Resolved

https://opensearch.atlassian.net/browse/MIGRATIONS-2078

Is this a backport? If so, please add backport PR # and/or commits #

Testing

Local docker/gradle testing, cdk deploy in aws

akurait@80a9970d0850 opensearch-migrations % curl https://localhost:9200 --insecure -u admin:admin -v 
* Host localhost:9200 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9200...
* Connected to localhost (::1) port 9200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=localhost
*  start date: Oct 10 21:34:18 2024 GMT
*  expire date: Oct 10 21:34:18 2025 GMT
*  issuer: CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'admin'
> GET / HTTP/1.1
> Host: localhost:9200
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 538
< 
{
  "name" : "10b92fdc2ca3",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "0MZAhMQlQzejHWzug61-rA",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "docker",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact

Check List

  • New functionality includes testing
    • All tests pass, including unit test, integration test and doctest
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
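As an added illustration of the multi-stage pattern described above (not the project's own Dockerfile): the first stage installs openssl on AL2023 solely to mint the self-signed CN=localhost certificate the curl output shows, and the runtime stage copies only the resulting PEM files and the TLS config into /usr/share/captureProxy/config, the path the compose file points --sslConfigFile at, so openssl never ships in the final image. The build/ staging directory, the config/proxy_tls.yml file, the /app layout and the Corretto package are assumptions.

```dockerfile
# Illustrative multi-stage build (added example, not the project's Dockerfile).
# Stage 1 exists only to mint a self-signed cert; openssl never reaches the
# runtime image.
FROM amazonlinux:2023 AS certgen
RUN dnf install -y openssl && dnf clean all
WORKDIR /certs
# CN=localhost, one-year validity: matches the certificate the curl output
# in the PR description reports. Suitable for local/test use only.
RUN openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=localhost" \
        -keyout proxy_key.pem -out proxy_cert.pem \
    && chmod 0600 proxy_key.pem

# Stage 2: runtime image on plain AL2023, no elasticsearch, no openssl.
FROM amazonlinux:2023
# Assumed: the proxy jars and runJavaWithClasspath.sh are staged under
# build/ in the docker context by the gradle build, and proxy_tls.yml lives
# in config/ (its contents are project-specific and not shown here).
ARG PROXY_BUILD_DIR=build
RUN dnf install -y java-17-amazon-corretto-headless shadow-utils \
    && dnf clean all \
    && useradd --system --no-create-home --uid 10001 proxy \
    && mkdir -p /usr/share/captureProxy/config /app
COPY --from=certgen --chown=proxy:proxy \
     /certs/proxy_cert.pem /certs/proxy_key.pem /usr/share/captureProxy/config/
COPY --chown=proxy:proxy config/proxy_tls.yml /usr/share/captureProxy/config/
COPY --chown=proxy:proxy ${PROXY_BUILD_DIR}/ /app/
# Build-time check that the cert-generation tooling did not leak into this
# stage: the build fails if an openssl binary is present.
RUN ! command -v openssl
USER proxy
EXPOSE 9200
ENTRYPOINT ["/app/runJavaWithClasspath.sh", \
            "org.opensearch.migrations.trafficcapture.proxyserver.CaptureProxy"]
CMD ["--listenPort", "9200", \
     "--sslConfigFile", "/usr/share/captureProxy/config/proxy_tls.yml"]
```

A `docker history` of the resulting image shows only the runtime stage's layers, which is the quick way to confirm nothing from the certgen stage was carried over.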

codecov bot commented Oct 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.19%. Comparing base (0b08287) to head (2bd40b8).
Report is 40 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #1061      +/-   ##
============================================
+ Coverage     80.16%   80.19%   +0.02%     
- Complexity     2744     2863     +119     
============================================
  Files           367      383      +16     
  Lines         13743    14333     +590     
  Branches        949      988      +39     
============================================
+ Hits          11017    11494     +477     
- Misses         2149     2245      +96     
- Partials        577      594      +17     
Flag Coverage Δ
gradle-test 78.21% <ø> (+0.13%) ⬆️
python-test 90.24% <ø> (ø)


@AndreKurait AndreKurait force-pushed the CaptureProxyBaseImage branch 6 times, most recently from adf072e to 704f424 Compare October 11, 2024 21:32
@AndreKurait AndreKurait force-pushed the CaptureProxyBaseImage branch from 81abe7e to 4777117 Compare October 11, 2024 21:41
@AndreKurait AndreKurait marked this pull request as ready for review October 11, 2024 21:41
Signed-off-by: Andre Kurait <[email protected]>
@AndreKurait AndreKurait force-pushed the CaptureProxyBaseImage branch from 08cb381 to 0a4c8c9 Compare October 14, 2024 16:49
@lewijacn (Collaborator) left a comment

Thanks for refactoring some of this, left some comments

* @param {string} imageName - The name of the Docker image to use as the base image.
* @returns {ContainerImage} - A `ContainerImage` object representing the Docker image asset.
*/
export function makeDockerImageAsset(scope: Construct, serviceName: string, imageName: string): ContainerImage {
Collaborator:

Is this much better than what existed previously? I guess it has the added benefit of not potentially rebuilding intermediary layers in our image, but does seem to subtly introduce a new wrapper layer that we are pushing to ECR. This is probably a good trade but curious if you had other thoughts

Member Author (AndreKurait):

The other benefit here is that we're not depending on the build output directory anymore. I don't know of any functional difference with the wrapper layer being here

Collaborator:

This is just an alias, right? Please rename the function & explain why we need an alias.

Member Author (AndreKurait):

Updated, this is an alias, but it also pulls the image locally. This will add it to a private ECR instead of pulling on container start potentially from an outside source (which can add costly nat gateway bills)

Signed-off-by: Andre Kurait <[email protected]>
@AndreKurait AndreKurait force-pushed the CaptureProxyBaseImage branch from b76a164 to 5c3d165 Compare October 15, 2024 03:53
Comment on lines 59 to 61
def javaContainerServices = [
":TrafficCapture:trafficCaptureProxyServerTest": "jmeter"
"jmeter": ":TrafficCapture:trafficCaptureProxyServerTest"
]
Collaborator:

We should really just kill this thing or figure out how to rig a valuable test with it (I'm fine yanking it until we do).

Collaborator:

Call this something other than jmeter since it's pulling one of our packages in too?
Thanks for noticing that they were flipped.

Member Author (AndreKurait):

This is published under migrations/jmeter; can we keep this in this PR, since it is an existing feature, and make a separate one to review regarding removing it? I'd like to get more maintainers' input on that.


@@ -313,7 +313,7 @@ export class MigrationConsoleStack extends MigrationServiceCore {

this.createService({
serviceName: "migration-console",
dockerDirectoryPath: join(__dirname, "../../../../../", "TrafficCapture/dockerSolution/src/main/docker/migrationConsole"),
dockerImageRegistryName: "migrations/migration_console:latest",
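Review bot: `dockerImageRegistryName: "migrations/migration_console:latest"` replaces the build from `dockerDirectoryPath`, so the stack now depends on whatever image carries the mutable `latest` tag in the local daemon at synth time. Consider having the gradle build also tag the image with its own version or commit id and referencing that tag (or a digest) here, so a deploy is reproducible and a stale local `latest` cannot be pushed to ECR unnoticed.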
Collaborator:

awesome! This saves a big headache in an upcoming refactor!

@AndreKurait AndreKurait force-pushed the CaptureProxyBaseImage branch from 29968f2 to 715b17e Compare October 15, 2024 21:00
Comment on lines +205 to +207
image=$(docker images --format '{{.Repository}}:{{.Tag}}' | head -n 1)
echo "Using image for mocked tags: $image"
docker tag $image migrations/capture_proxy:latest
Collaborator:

I don't like the idea of using a mock image tag that resolves to a valid version of the image for potentially one image and for all others it resolves to some other equally valid image. If you need mock values, can you just hard code them? What are you trying to test here?

Member Author (AndreKurait):

"resolves to a valid version of the image for potentially one image"

This is not the case; this GitHub step doesn't have any built images, so this is using the default node docker image for all the tags.

This is verifying the cdk maps to these images and properly synthesizes with docker.

@@ -144,6 +144,6 @@ tasks.named('composeUp') {
}

tasks.named('slowTest') {
dependsOn(':TrafficCapture:dockerSolution:buildDockerImage_elasticsearchTestConsole')
dependsOn(':TrafficCapture:dockerSolution:buildDockerImage_elasticsearch_client_test_console')
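Review bot: the `dependsOn` string now has to match the generated task name `buildDockerImage_elasticsearch_client_test_console`, and a typo here only surfaces when `slowTest` is configured, not at build-script load. A one-line comment next to the `dependsOn` pointing at where that name is derived (the service map in dockerSolution's build.gradle) would make the next rename safer.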
Collaborator:

nit because it's style, but I miss the camel casing. The '_' that was previously used was for effect to separate the auto-generated part from the task name. Other than that underscore, none of the other tasks in the tree use it (AFAIK).
Take a look at the gradle CLI on task names - w/ camel case (or kebab-case), you can do abbreviations like gradle :TC:DS:BDI_M - you can still put snake-case as that example shows, but it's a bit clunkier. I'd also be happy if we swapped the "buildDockerImage_" prefix for an "Image" suffix or just a "build" prefix.

@@ -25,7 +25,7 @@ services:
- migrations
ports:
- "9200:9200"
command: /runJavaWithClasspath.sh org.opensearch.migrations.trafficcapture.proxyserver.CaptureProxy --kafkaConnection kafka:9092 --destinationUri https://elasticsearch:9200 --insecureDestination --listenPort 9200 --sslConfigFile /usr/share/elasticsearch/config/proxy_tls.yml --otelCollectorEndpoint http://otel-collector:4317
command: /runJavaWithClasspath.sh org.opensearch.migrations.trafficcapture.proxyserver.CaptureProxy --kafkaConnection kafka:9092 --destinationUri https://elasticsearch:9200 --insecureDestination --listenPort 9200 --sslConfigFile /usr/share/captureProxy/config/proxy_tls.yml --otelCollectorEndpoint http://otel-collector:4317
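Review bot: the only change is the `--sslConfigFile` path moving to `/usr/share/captureProxy/config/proxy_tls.yml`, while `--insecureDestination` and `--destinationUri https://elasticsearch:9200` are carried over unchanged. Since the image no longer derives from the elasticsearch base, confirm the new Dockerfile places proxy_tls.yml and the certificates it references at that path (the description says the certs now come from a multi-stage openssl build); a missing file fails at proxy startup, not at compose validation. Since this compose file is the reference configuration people copy, it would also be worth a follow-up to see whether `--insecureDestination` is still needed for the TLS-enabled target.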
Collaborator:

How does this line work? I'm not sure that it does since the capture_proxy_es builds off of elasticsearch + searchguard & I don't see any changes to that dockerfile.

Collaborator:

Do we have tests for both proxy containers w/ & w/out TLS enabled?

Member Author (AndreKurait):

This line is without elastic

  capture-proxy:
    image: 'migrations/capture_proxy:latest'
    networks:

Member Author (AndreKurait):

All of our current testing has TLS

Collaborator:

shoot - sorry, there was a collapse bar between this & the previous snippet!

@AndreKurait AndreKurait merged commit d8b4d6c into opensearch-project:main Oct 17, 2024
14 checks passed
@AndreKurait AndreKurait deleted the CaptureProxyBaseImage branch October 17, 2024 04:15