Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Update templated files (932368c) #584

Merged
merged 1 commit into from
Sep 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/actionlint.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
self-hosted-runner:
# Ubicloud machines we are using
labels:
- ubicloud-standard-8-arm
21 changes: 11 additions & 10 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -88,18 +88,18 @@ jobs:
TRIGGER: ${{ github.event_name }}
GITHUB_REF: ${{ github.ref }}
run: |
if [[ $TRIGGER == "pull_request" ]]; then
if [[ "$TRIGGER" == "pull_request" ]]; then
echo "exporting test as target helm repo: ${{ env.TEST_REPO_HELM_URL }}"
echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
elif [[ ( $TRIGGER == "push" || $TRIGGER == "schedule" || $TRIGGER == "workflow_dispatch" ) && $GITHUB_REF == "refs/heads/main" ]]; then
echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
elif [[ ( "$TRIGGER" == "push" || "$TRIGGER" == "schedule" || "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then
echo "exporting dev as target helm repo: ${{ env.DEV_REPO_HELM_URL }}"
echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
elif [[ $TRIGGER == "push" && $GITHUB_REF == refs/tags/* ]]; then
echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then
echo "exporting stable as target helm repo: ${{ env.STABLE_REPO_HELM_URL }}"
echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
else
echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF"
echo "helm_repo=skip" >> $GITHUB_OUTPUT
echo "helm_repo=skip" >> "$GITHUB_OUTPUT"
fi

run_cargodeny:
Expand Down Expand Up @@ -265,7 +265,7 @@ jobs:
- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.13.3
version: v3.16.1
- name: Set up cargo
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
with:
Expand Down Expand Up @@ -310,6 +310,7 @@ jobs:
matrix:
runner: ["ubuntu-latest", "ubicloud-standard-8-arm"]
runs-on: ${{ matrix.runner }}
timeout-minutes: 120
permissions:
id-token: write
env:
Expand Down Expand Up @@ -379,7 +380,7 @@ jobs:
- id: printtag
name: Output image name and tag
if: ${{ !github.event.pull_request.head.repo.fork }}
run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> $GITHUB_OUTPUT
run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> "$GITHUB_OUTPUT"

create_manifest_list:
name: Build and publish manifest list
Expand Down Expand Up @@ -437,4 +438,4 @@ jobs:
ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out
- name: "Passed?"
run: '[ "$(cat preflight.out | jq -r .passed)" == true ]'
run: '[ "$(jq -r .passed < preflight.out)" == true ]'
2 changes: 2 additions & 0 deletions .github/workflows/pr_pre-commit.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
submodules: recursive
- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: '3.12'
Expand All @@ -39,6 +40,7 @@ jobs:
chmod 700 "${LOCATION_BIN}"

echo "$LOCATION_DIR" >> "$GITHUB_PATH"
- uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
with:
extra_args: "--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}"
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -66,13 +66,13 @@ repos:
- id: regenerate-charts
name: regenerate-charts
language: system
entry: make regenerate-charts
entry: nix-shell --run 'make regenerate-charts'
stages: [commit, merge-commit, manual]
pass_filenames: false

- id: cargo-test
name: cargo-test
language: system
entry: cargo test
entry: nix-shell --run 'cargo test'
stages: [commit, merge-commit, manual]
pass_filenames: false
177 changes: 154 additions & 23 deletions docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,40 +1,171 @@
# syntax=docker/dockerfile:1.10.0@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5
# NOTE: The syntax directive needs to be the first line in a Dockerfile

# =============
# This file is automatically generated from the templates in stackabletech/operator-templating
# DON'T MANUALLY EDIT THIS FILE
# =============
FROM oci.stackable.tech/sdp/ubi9-rust-builder AS builder

FROM registry.access.redhat.com/ubi9/ubi-minimal AS operator
# https://docs.docker.com/build/checks/#fail-build-on-check-violations
# check=error=true

# We want to automatically use the latest. We also don't tag our images with a version.
# hadolint ignore=DL3007
FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder


# We want to automatically use the latest.
# hadolint ignore=DL3007
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator

ARG VERSION
ARG RELEASE="1"

LABEL name="Stackable Operator for Apache HDFS" \
maintainer="[email protected]" \
vendor="Stackable GmbH" \
version="${VERSION}" \
release="${RELEASE}" \
summary="Deploy and manage Apache HDFS clusters." \
description="Deploy and manage Apache HDFS clusters."

# Update image and install kerberos client libraries
# install_weak_deps in microdnf does not support the literal "False" as dnf does
# https://github.com/rpm-software-management/microdnf/blob/a600c62f29262d71a6259b70dc220df65a2ab9b5/dnf/dnf-main.c#L176-L189
RUN microdnf update -y --setopt=install_weak_deps=0 \
&& microdnf install -y --setopt=install_weak_deps=0 \
krb5-libs \
libkadm5 \
&& microdnf clean all \
&& rm -rf /var/cache/yum
# These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system
ARG STACKABLE_USER_GID="574654813"
ARG STACKABLE_USER_UID="782252253"

# These labels have mostly been superceded by the OpenContainer spec annotations below but it doesn't hurt to include them
# http://label-schema.org/rc1/
LABEL name="Stackable Operator for Apache HDFS"
LABEL maintainer="[email protected]"
LABEL vendor="Stackable GmbH"
LABEL version="${VERSION}"
LABEL release="${RELEASE}"
LABEL summary="Deploy and manage Apache HDFS clusters."
LABEL description="Deploy and manage Apache HDFS clusters."

# Overwriting/Pinning UBI labels
# https://github.com/projectatomic/ContainerApplicationGenericLabels
LABEL vcs-ref=""
LABEL distribution-scope="public"
LABEL url="https://stackable.tech"
ARG TARGETARCH
LABEL architecture="${TARGETARCH}"
LABEL com.redhat.component=""
# It complains about it being an invalid label but RedHat uses it and we want to override it and it works....
# hadolint ignore=DL3048
LABEL com.redhat.license_terms=""
LABEL io.buildah.version=""
LABEL io.openshift.expose-services=""

# https://github.com/opencontainers/image-spec/blob/036563a4a268d7c08b51a08f05a02a0fe74c7268/annotations.md#annotations
LABEL org.opencontainers.image.authors="[email protected]"
LABEL org.opencontainers.image.url="https://stackable.tech"
LABEL org.opencontainers.image.vendor="Stackable GmbH"
LABEL org.opencontainers.image.licenses="OSL-3.0"
LABEL org.opencontainers.image.documentation="https://docs.stackable.tech/home/stable/hdfs/"
LABEL org.opencontainers.image.version="${VERSION}"
LABEL org.opencontainers.image.revision="${RELEASE}"
LABEL org.opencontainers.image.title="Stackable Operator for Apache HDFS"
LABEL org.opencontainers.image.description="Deploy and manage Apache HDFS clusters."

# https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#defining-image-metadata
# https://github.com/projectatomic/ContainerApplicationGenericLabels/blob/master/vendor/redhat/labels.md
LABEL io.openshift.tags="ubi9,stackable,sdp,hdfs"
LABEL io.k8s.description="Deploy and manage Apache HDFS clusters."
LABEL io.k8s.display-name="Stackable Operator for Apache HDFS"

COPY <<EOF /etc/dnf/dnf.conf
[main]
install_weak_deps=0
assumeyes=True
tsflags=nodocs
EOF

RUN <<EOF

Check warning on line 76 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / hadolint

[hadolint] docker/Dockerfile#L76 <DL3038>(https://github.com/hadolint/hadolint/wiki/DL3038)

Use the -y switch to avoid manual input `dnf install -y <package`
Raw output
message:"Use the -y switch to avoid manual input `dnf install -y <package`" location:{path:"docker/Dockerfile" range:{start:{line:76 column:1}}} severity:WARNING source:{name:"hadolint" url:"https://github.com/hadolint/hadolint"} code:{value:"DL3038" url:"https://github.com/hadolint/hadolint/wiki/DL3038"}

Check warning on line 76 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / hadolint

[hadolint] docker/Dockerfile#L76 <DL3041>(https://github.com/hadolint/hadolint/wiki/DL3041)

Specify version with `dnf install -y <package>-<version>`.
Raw output
message:"Specify version with `dnf install -y <package>-<version>`." location:{path:"docker/Dockerfile" range:{start:{line:76 column:1}}} severity:WARNING source:{name:"hadolint" url:"https://github.com/hadolint/hadolint"} code:{value:"DL3041" url:"https://github.com/hadolint/hadolint/wiki/DL3041"}

Check warning on line 76 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / hadolint

[hadolint] docker/Dockerfile#L76 <SC3037>(https://github.com/koalaman/shellcheck/wiki/SC3037)

In POSIX sh, echo flags are undefined.
Raw output
message:"In POSIX sh, echo flags are undefined." location:{path:"docker/Dockerfile" range:{start:{line:76 column:1}}} severity:WARNING source:{name:"hadolint" url:"https://github.com/hadolint/hadolint"} code:{value:"SC3037" url:"https://github.com/koalaman/shellcheck/wiki/SC3037"}
# Update image and install kerberos client libraries as well as some other utilities
microdnf update

# **iputils**
# To make debugging easier, includes things like ping
# Added 2024-03: We cannot find any vulnerabilities in the past years
# https://github.com/iputils/iputils
#
# **less**
# To make debugging easier
# Added 2024-03: less has seen three vulnerabilities between 2004 and 2022 which is a risk we're willing to accept for the added convenience
# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Agnu&cpe_product=cpe%3A%2F%3A%3Aless
# cpe:2.3:a:gnu:less:*:*:*:*:*:*:*:*
#
# **nano**
# To make debugging and changing things easier
# Added 2024-03: We checked and it has not seen any vulnerabilities since 2010 (as of 2024-03) we decided to accept it into our base image
# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=cpe%3A2.3%3Aa%3Agnu%3Anano&search_type=all&isCpeNameSearch=false
# cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*:*
#
# **tar**
# To enable kubectl cp
# Added 2024-03: We checked and it has seen eight vulnerabilities since 2001, mostly minor and it's not in executable path so we decided to accept the risk
# https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agnu%3Atar%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*
# cpe:2.3:a:gnu:tar:-:*:*:*:*:*:*:*
# NOTE (@NickLarsenNZ): Maybe we should consider pinning package versions?
# hadolint ignore=DL3041
microdnf install \
iputils \
krb5-libs \
less \
libkadm5 \
nano \
shadow-utils \
tar

groupadd --gid ${STACKABLE_USER_GID} --system stackable
# The --no-log-init is required to work around a bug/problem in Go/Docker when very large UIDs are used
# See https://github.com/moby/moby/issues/5419#issuecomment-41478290 for more context
# Making this a system user prevents a mail dir from being created, expiry of passwords etc. but it will warn:
# useradd warning: stackable's uid 782252253 is greater than SYS_UID_MAX 999
# We can safely ignore this warning, to get rid of the warning we could change /etc/login.defs but that does not seem worth it
# We'll leave the home directory hardcoded to /stackable because I don't want to deal with which chars might be valid and which might not in user name vs. directory
useradd \
--no-log-init \
--gid ${STACKABLE_USER_GID} \
--uid ${STACKABLE_USER_UID} \
--system \
--create-home \
--home-dir /stackable \
stackable
microdnf remove shadow-utils
microdnf clean all
rm -rf /var/cache/yum

###
### Make shell usage in our containers "nicer"
###
{
echo "alias ll='ls -alF --color=auto'"
echo "alias ls='ls --color=auto'"
echo "alias ..='cd ..'"
echo "export PS1='\u@\[\e[36m\]\H\[\e[m\] \[\e[32m\]\$(pwd)\[\e[m\] \\$ '"
} >> /stackable/.bashrc

echo -e "if [ -f ~/.bashrc ]; then\n\tsource ~/.bashrc\nfi" >> /stackable/.profile

chown ${STACKABLE_USER_UID}:0 /stackable/.bashrc
chown ${STACKABLE_USER_UID}:0 /stackable/.profile

# All files and folders owned by root to support running as arbitrary users
# This is best practice as all container users will belong to the root group (0)
# This is not very relevant for the operator images but this makes it consistent with `docker-images`
chown -R ${STACKABLE_USER_UID}:0 /stackable
chmod -R g=u /stackable
EOF

COPY <<EOF /README.md
# Stackable Operator for Apache HDFS

* This image contains version ${VERSION} of the operator.
* The operator binary can be found in `/usr/local/bin`
* It is licensed under the OSL-3.0 - the full text can be found in `/licenses/LICENSE`
EOF

COPY LICENSE /licenses/LICENSE

COPY --from=builder /app/* /usr/local/bin/
COPY deploy/config-spec/properties.yaml /etc/stackable/hdfs-operator/config-spec/properties.yaml
COPY --from=builder --chown=${STACKABLE_USER_UID}:0 /app/* /usr/local/bin/

RUN groupadd -g 1000 stackable && adduser -u 1000 -g stackable -c 'Stackable Operator' stackable
COPY deploy/config-spec/properties.yaml /etc/stackable/hdfs-operator/config-spec/properties.yaml

USER stackable:stackable
USER ${STACKABLE_USER_UID}

ENTRYPOINT ["stackable-hdfs-operator"]
CMD ["run"]
Loading