From ad59e07689ea1aec0fdfd1f245d8f3179d296a98 Mon Sep 17 00:00:00 2001
From: Stacky McStackface <95074132+stackable-bot@users.noreply.github.com>
Date: Wed, 18 Sep 2024 16:02:18 +0200
Subject: [PATCH] chore: Generated commit to update templated files since the
 last template run up to
 stackabletech/operator-templating@932368c8bb74fd94234e8e5cfd6506df879cc131
 (#584)

Reference-to: stackabletech/operator-templating@932368c (Update docker user and various dockerfile improvements)
---
 .github/actionlint.yaml              |   5 +
 .github/workflows/build.yml          |  21 ++--
 .github/workflows/pr_pre-commit.yaml |   2 +
 .pre-commit-config.yaml              |   4 +-
 docker/Dockerfile                    | 177 +++++++++++++++++++++++----
 5 files changed, 174 insertions(+), 35 deletions(-)
 create mode 100644 .github/actionlint.yaml

diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 00000000..8337548a
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,5 @@
+---
+self-hosted-runner:
+  # Ubicloud machines we are using
+  labels:
+    - ubicloud-standard-8-arm
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 203c2083..45f49b3c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -88,18 +88,18 @@ jobs:
           TRIGGER: ${{ github.event_name }}
           GITHUB_REF: ${{ github.ref }}
         run: |
-          if [[ $TRIGGER == "pull_request" ]]; then
+          if [[ "$TRIGGER" == "pull_request" ]]; then
             echo "exporting test as target helm repo: ${{ env.TEST_REPO_HELM_URL }}"
-            echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
-          elif [[ ( $TRIGGER == "push" || $TRIGGER == "schedule" || $TRIGGER == "workflow_dispatch" ) && $GITHUB_REF == "refs/heads/main" ]]; then
+            echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
+          elif [[ ( "$TRIGGER" == "push" || "$TRIGGER" == "schedule" || "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then
             echo "exporting dev as target helm repo: ${{ env.DEV_REPO_HELM_URL }}"
-            echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
-          elif [[ $TRIGGER == "push" && $GITHUB_REF == refs/tags/* ]]; then
+            echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
+          elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then
             echo "exporting stable as target helm repo: ${{ env.STABLE_REPO_HELM_URL }}"
-            echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
+            echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
           else
             echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF"
-            echo "helm_repo=skip" >> $GITHUB_OUTPUT
+            echo "helm_repo=skip" >> "$GITHUB_OUTPUT"
           fi
 
   run_cargodeny:
@@ -265,7 +265,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
-          version: v3.13.3
+          version: v3.16.1
       - name: Set up cargo
         uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
         with:
@@ -310,6 +310,7 @@ jobs:
       matrix:
         runner: ["ubuntu-latest", "ubicloud-standard-8-arm"]
     runs-on: ${{ matrix.runner }}
+    timeout-minutes: 120
     permissions:
       id-token: write
     env:
@@ -379,7 +380,7 @@ jobs:
       - id: printtag
         name: Output image name and tag
         if: ${{ !github.event.pull_request.head.repo.fork }}
-        run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> $GITHUB_OUTPUT
+        run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> "$GITHUB_OUTPUT"
 
   create_manifest_list:
     name: Build and publish manifest list
@@ -437,4 +438,4 @@ jobs:
           ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
           ./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out
       - name: "Passed?"
-        run: '[ "$(cat preflight.out | jq -r .passed)" == true ]'
+        run: '[ "$(jq -r .passed < preflight.out)" == true ]'
diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml
index c7df5b40..5050dc05 100644
--- a/.github/workflows/pr_pre-commit.yaml
+++ b/.github/workflows/pr_pre-commit.yaml
@@ -16,6 +16,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
+          submodules: recursive
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.12'
@@ -39,6 +40,7 @@ jobs:
           chmod 700 "${LOCATION_BIN}"
 
           echo "$LOCATION_DIR" >> "$GITHUB_PATH"
+      - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
         with:
           extra_args: "--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4b1c512f..f30ef3ab 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -66,13 +66,13 @@ repos:
       - id: regenerate-charts
         name: regenerate-charts
         language: system
-        entry: make regenerate-charts
+        entry: nix-shell --run 'make regenerate-charts'
         stages: [commit, merge-commit, manual]
         pass_filenames: false
 
       - id: cargo-test
         name: cargo-test
         language: system
-        entry: cargo test
+        entry: nix-shell --run 'cargo test'
         stages: [commit, merge-commit, manual]
         pass_filenames: false
diff --git a/docker/Dockerfile b/docker/Dockerfile
index fa61f4b2..74c67ca3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,40 +1,171 @@
+# syntax=docker/dockerfile:1.10.0@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5
+# NOTE: The syntax directive needs to be the first line in a Dockerfile
+
 # =============
 # This file is automatically generated from the templates in stackabletech/operator-templating
 # DON'T MANUALLY EDIT THIS FILE
 # =============
-FROM oci.stackable.tech/sdp/ubi9-rust-builder AS builder
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal AS operator
+# https://docs.docker.com/build/checks/#fail-build-on-check-violations
+# check=error=true
+
+# We want to automatically use the latest. We also don't tag our images with a version.
+# hadolint ignore=DL3007
+FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder
+
+
+# We want to automatically use the latest.
+# hadolint ignore=DL3007
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator
 
 ARG VERSION
 ARG RELEASE="1"
 
-LABEL name="Stackable Operator for Apache HDFS" \
-  maintainer="info@stackable.tech" \
-  vendor="Stackable GmbH" \
-  version="${VERSION}" \
-  release="${RELEASE}" \
-  summary="Deploy and manage Apache HDFS clusters." \
-  description="Deploy and manage Apache HDFS clusters."
-
-# Update image and install kerberos client libraries
-# install_weak_deps in microdnf does not support the literal "False" as dnf does
-# https://github.com/rpm-software-management/microdnf/blob/a600c62f29262d71a6259b70dc220df65a2ab9b5/dnf/dnf-main.c#L176-L189
-RUN microdnf update -y --setopt=install_weak_deps=0 \
-    && microdnf install -y --setopt=install_weak_deps=0 \
-      krb5-libs \
-      libkadm5 \
-    && microdnf clean all \
-    && rm -rf /var/cache/yum
+# These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system
+ARG STACKABLE_USER_GID="574654813"
+ARG STACKABLE_USER_UID="782252253"
+
+# These labels have mostly been superceded by the OpenContainer spec annotations below but it doesn't hurt to include them
+# http://label-schema.org/rc1/
+LABEL name="Stackable Operator for Apache HDFS"
+LABEL maintainer="info@stackable.tech"
+LABEL vendor="Stackable GmbH"
+LABEL version="${VERSION}"
+LABEL release="${RELEASE}"
+LABEL summary="Deploy and manage Apache HDFS clusters."
+LABEL description="Deploy and manage Apache HDFS clusters."
+
+# Overwriting/Pinning UBI labels
+# https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL vcs-ref=""
+LABEL distribution-scope="public"
+LABEL url="https://stackable.tech"
+ARG TARGETARCH
+LABEL architecture="${TARGETARCH}"
+LABEL com.redhat.component=""
+# It complains about it being an invalid label but RedHat uses it and we want to override it and it works....
+# hadolint ignore=DL3048
+LABEL com.redhat.license_terms=""
+LABEL io.buildah.version=""
+LABEL io.openshift.expose-services=""
+
+# https://github.com/opencontainers/image-spec/blob/036563a4a268d7c08b51a08f05a02a0fe74c7268/annotations.md#annotations
+LABEL org.opencontainers.image.authors="info@stackable.tech"
+LABEL org.opencontainers.image.url="https://stackable.tech"
+LABEL org.opencontainers.image.vendor="Stackable GmbH"
+LABEL org.opencontainers.image.licenses="OSL-3.0"
+LABEL org.opencontainers.image.documentation="https://docs.stackable.tech/home/stable/hdfs/"
+LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.revision="${RELEASE}"
+LABEL org.opencontainers.image.title="Stackable Operator for Apache HDFS"
+LABEL org.opencontainers.image.description="Deploy and manage Apache HDFS clusters."
+
+# https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#defining-image-metadata
+# https://github.com/projectatomic/ContainerApplicationGenericLabels/blob/master/vendor/redhat/labels.md
+LABEL io.openshift.tags="ubi9,stackable,sdp,hdfs"
+LABEL io.k8s.description="Deploy and manage Apache HDFS clusters."
+LABEL io.k8s.display-name="Stackable Operator for Apache HDFS"
+
+COPY <<EOF /etc/dnf/dnf.conf
+[main]
+install_weak_deps=0
+assumeyes=True
+tsflags=nodocs
+EOF
+
+RUN <<EOF
+# Update image and install kerberos client libraries as well as some other utilities
+microdnf update
+
+# **iputils**
+# To make debugging easier, includes things like ping
+# Added 2024-03: We cannot find any vulnerabilities in the past years
+# https://github.com/iputils/iputils
+#
+# **less**
+# To make debugging easier
+# Added 2024-03: less has seen three vulnerabilities between 2004 and 2022 which is a risk we're willing to accept for the added convenience
+# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Agnu&cpe_product=cpe%3A%2F%3A%3Aless
+# cpe:2.3:a:gnu:less:*:*:*:*:*:*:*:*
+#
+# **nano**
+# To make debugging and changing things easier
+# Added 2024-03: We checked and it has not seen any vulnerabilities since 2010 (as of 2024-03) we decided to accept it into our base image
+# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=cpe%3A2.3%3Aa%3Agnu%3Anano&search_type=all&isCpeNameSearch=false
+# cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*:*
+#
+# **tar**
+# To enable kubectl cp
+# Added 2024-03: We checked and it has seen eight vulnerabilities since 2001, mostly minor and it's not in executable path so we decided to accept the risk
+# https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agnu%3Atar%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*
+# cpe:2.3:a:gnu:tar:-:*:*:*:*:*:*:*
+# NOTE (@NickLarsenNZ): Maybe we should consider pinning package versions?
+# hadolint ignore=DL3041
+microdnf install \
+  iputils \
+  krb5-libs \
+  less \
+  libkadm5 \
+  nano \
+  shadow-utils \
+  tar
+
+groupadd --gid ${STACKABLE_USER_GID} --system stackable
+# The --no-log-init is required to work around a bug/problem in Go/Docker when very large UIDs are used
+# See https://github.com/moby/moby/issues/5419#issuecomment-41478290 for more context
+# Making this a system user prevents a mail dir from being created, expiry of passwords etc. but it will warn:
+#   useradd warning: stackable's uid 782252253 is greater than SYS_UID_MAX 999
+# We can safely ignore this warning, to get rid of the warning we could change /etc/login.defs but that does not seem worth it
+# We'll leave the home directory hardcoded to /stackable because I don't want to deal with which chars might be valid and which might not in user name vs. directory
+useradd \
+  --no-log-init \
+  --gid ${STACKABLE_USER_GID} \
+  --uid ${STACKABLE_USER_UID} \
+  --system \
+  --create-home \
+  --home-dir /stackable \
+   stackable
+microdnf remove shadow-utils
+microdnf clean all
+rm -rf /var/cache/yum
+
+###
+### Make shell usage in our containers "nicer"
+###
+{
+  echo "alias ll='ls -alF --color=auto'"
+  echo "alias ls='ls --color=auto'"
+  echo "alias ..='cd ..'"
+  echo "export PS1='\u@\[\e[36m\]\H\[\e[m\] \[\e[32m\]\$(pwd)\[\e[m\] \\$ '"
+} >> /stackable/.bashrc
+
+echo -e "if [ -f ~/.bashrc ]; then\n\tsource ~/.bashrc\nfi" >> /stackable/.profile
+
+chown ${STACKABLE_USER_UID}:0 /stackable/.bashrc
+chown ${STACKABLE_USER_UID}:0 /stackable/.profile
+
+# All files and folders owned by root to support running as arbitrary users
+# This is best practice as all container users will belong to the root group (0)
+# This is not very relevant for the operator images but this makes it consistent with `docker-images`
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+COPY <<EOF /README.md
+# Stackable Operator for Apache HDFS
+
+* This image contains version ${VERSION} of the operator.
+* The operator binary can be found in `/usr/local/bin`
+* It is licensed under the OSL-3.0 - the full text can be found in `/licenses/LICENSE`
+EOF
 
 COPY LICENSE /licenses/LICENSE
 
-COPY --from=builder /app/* /usr/local/bin/
-COPY deploy/config-spec/properties.yaml /etc/stackable/hdfs-operator/config-spec/properties.yaml
+COPY --from=builder --chown=${STACKABLE_USER_UID}:0 /app/* /usr/local/bin/
 
-RUN groupadd -g 1000 stackable && adduser -u 1000 -g stackable -c 'Stackable Operator' stackable
+COPY deploy/config-spec/properties.yaml /etc/stackable/hdfs-operator/config-spec/properties.yaml
 
-USER stackable:stackable
+USER ${STACKABLE_USER_UID}
 
 ENTRYPOINT ["stackable-hdfs-operator"]
 CMD ["run"]