Merge branch 'hardening_manifest' into '5.5.2'

Migrate to hardening_manifest.yaml

See merge request !2

.gitignore

+*.rpm
+*.rpm.dependencies
+*.rpm.sha256sum
+*.whl*
+*.gz*
+pip-20.2.2-py2.py3-none-any.whl
+Python-3.6.12.tgz
+archive.key
+build-container.sh
+python-libs_filelist.txt
+.env

Dockerfile

@@ -6,33 +6,17 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
 USER root
 
-ARG IMAGE_VERSION='5.5.2'
-ENV IMAGE_VERSION=${IMAGE_VERSION}
-ARG DOCKER_UPSTREAM_TAG
-ENV CONFLUENT_VERSION=${DOCKER_UPSTREAM_TAG}
-
 ENV CONTROL_CENTER_DATA_DIR=/mnt/data
 ENV CONTROL_CENTER_CONFIG_DIR=/mnt/config
 ENV CONTROL_CENTER_SECRETS_DIR=/mnt/secrets
 ENV DOCKER_SCRIPT_DIR=/opt/caas/bin
 ENV COMPONENT_SCRIPT_DIR=/opt/confluent/etc
 
-LABEL io.k8s.display-name="Confluent Enterprise ControlCenter (C3)" \
-      io.k8s.description="Confluent ControlCenter Image for Confluent Operator" \
-      io.openshift.tags="confluent operator,confluent platform,event-streaming,controlcenter, c3" \
-      name="ControlCenter" \
-      maintainer="Confluent Platform <operator@confluent.io>" \
-      vendor="Confluent, Inc" \
-      version="$IMAGE_VERSION" \
-      release="$IMAGE_VERSION" \
-      summary="Confluent ControlCenter Image for Confluent Operator" \
-      description="Confluent Control Center is a web-based tool for managing and monitoring Apache Kafka®. Control Center provides the functionality for building and monitoring production data pipelines and streaming applications"
-
 WORKDIR /opt
 
-COPY opt/caas/lib/ /opt/caas/lib/
-COPY opt/plugins/ /usr/share/java/cc-base/
-COPY include/opt/caas /opt/caas
+ADD operator-5.5.2-caas_lib.tar.gz /opt/caas/lib/
+ADD operator-5.5.2-plugins.tar.gz /usr/share/java/cc-base/
+ADD cp-enterprise-control-center-operator-5.5.2_caas.tar.gz /opt/caas/
 
 RUN yum install -y openssl findutils && yum clean all && mkdir -p "${CONTROL_CENTER_DATA_DIR}" "${CONTROL_CENTER_CONFIG_DIR}" "${COMPONENT_SCRIPT_DIR}/${COMPONENT}" \
    	&& chmod -R ag+w "${CONTROL_CENTER_DATA_DIR}" "${CONTROL_CENTER_CONFIG_DIR}" "/opt"	   

Jenkinsfile

-@Library('DCCSCR@master') _
-dccscrPipeline( version: "5.5.2" )
-

hardening_manifest.yaml

+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "confluent/confluent-component-operator/cp-enterprise-control-center-operator-5.5.x"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "5.5.2"
+- "5.5.x"
+- "5.5"
+  
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/openjdk/openjdk11"
+  BASE_TAG: "1.11"
+
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "cp-enterprise-control-center-operator-5.5.x"
+  org.opencontainers.image.description: "Confluent Operator image for enterprise control center."
+  org.opencontainers.image.licenses: "CONFLUENT ENTERPRISE LICENSE"
+  org.opencontainers.image.url: "https://docs.confluent.io/5.5.2/installation/operator/index.html"
+  org.opencontainers.image.vendor: "Confluent"
+  org.opencontainers.image.version: "5.5.2"
+  mil.dso.ironbank.image.keywords: "confluent,kafka,zookeeper,operator"
+  mil.dso.ironbank.image.type: "commercial"
+  mil.dso.ironbank.product.name: "Confluent Platform"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: operator-5.5.2-plugins.tar.gz
+  url: https://ironbank-files.s3.amazonaws.com/operator-5.5.2-plugins.tar.gz
+  validation:
+    type: sha256
+    value: 37adbede99aeaf765a9cc16ecdf0b0616f564ddd2cd7364540b186f222edc54d
+- filename: operator-5.5.2-caas_lib.tar.gz
+  url: https://ironbank-files.s3.amazonaws.com/operator-5.5.2-caas_lib.tar.gz
+  validation:
+    type: sha256
+    value: 11112ceb5f4ad55956b4cd631be598acaec7fe754baec52d454ab4bd6222769e  
+- filename: cp-enterprise-control-center-operator-5.5.2_caas.tar.gz
+  url: https://ironbank-files.s3.amazonaws.com/cp-enterprise-control-center-operator-5.5.2_caas.tar.gz
+  validation:
+    type: sha256
+    value: 0153d080fd48c851aef386f625530313666d3ee4e599950d67a4043ee187448c    
+    
+# List of project maintainers
+maintainers:
+- name: "Scott Stroud"
+  username: "scottstroud"
+  email: "confluent-fed@confluent.io"
+  cht_member: false  
+- name: "Preston McGowan"
+  username: "preston.mcgowan"
+  email: "confluent-fed@confluent.io"
+  cht_member: false  

include/opt/caas/bin/configure

-#!/usr/bin/env bash
-#
-# Copyright 2018 Confluent Inc.
-#
-set -o nounset \
-    -o errexit
-
-dub ensure CONTROL_CENTER_DATA_DIR
-dub ensure CONTROL_CENTER_CONFIG_DIR
-dub ensure CONTROL_CENTER_SECRETS_DIR
-dub ensure CAAS_POD_ID
-
-echo "===> Check if ${CONTROL_CENTER_CONFIG_DIR} is writable ..."
-dub path "${CONTROL_CENTER_CONFIG_DIR}" writable
-
-echo "===> Check if ${CONTROL_CENTER_DATA_DIR} is writable ..."
-dub path "${CONTROL_CENTER_DATA_DIR}" writable
-
-if [ -e /mnt/secrets/jksPassword.txt ]; then
-	export KEYSTOREPASSWORD=$(echo $(cat /mnt/secrets/jksPassword.txt | cut -d '='  -f2-) | sed 's/ *$//g')
-else
-	export KEYSTOREPASSWORD=mystorepassword
-fi
-
-## C3 SSL configuration
-##
-create_keystore() {
-	keystore_path=$1
-	extra_certfile=${2:-""}
-	if [ -e /mnt/sslcerts/fullchain.pem ] && [ -e /mnt/sslcerts/privkey.pem ]; then
-		args="-export
-			-in /mnt/sslcerts/fullchain.pem
-			-inkey /mnt/sslcerts/privkey.pem
-			-out /tmp/pkcs.p12
-			-name ${COMPONENT}
-			-passout pass:mykeypassword"
-
-		if [ ! -z ${extra_certfile} ] && [ -e ${extra_certfile} ]; then
-			args="${args} -certfile ${extra_certfile}"
-		fi
-		openssl pkcs12 ${args}
-
-		keytool -importkeystore \
-			-deststorepass ${KEYSTOREPASSWORD} \
-			-destkeypass ${KEYSTOREPASSWORD} \
-			-destkeystore ${keystore_path} \
-			-deststoretype pkcs12 \
-			-srckeystore /tmp/pkcs.p12 \
-			-srcstoretype PKCS12 \
-			-srcstorepass mykeypassword
-	fi
-}
-create_keystore /tmp/keystore.jks
-
-##
-## Put all CAs provided as part of caCerts.pem file to truststore
-##
-if [ -e /mnt/sslcerts/cacerts.pem ]; then
-mkdir -p /tmp/trustCAs
-cat /mnt/sslcerts/cacerts.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("/tmp/trustCAs/ca" n ".pem")}'
-for file in /tmp/trustCAs/*; do
-  fileName="${file##*/}"
-  keytool -import \
-          -trustcacerts \
-          -alias "$fileName" \
-          -file "$file" \
-          -keystore /tmp/truststore.jks \
-          -deststorepass ${KEYSTOREPASSWORD} \
-          -noprompt
-done
-fi
-
-##
-## Control-center configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/${COMPONENT}.properties > ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Pod specific configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/${COMPONENT}.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-##
-## Internal Topic configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/internal-topic.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Stream Monitoring Topic configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/monitoring-interceptor-topic.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-##
-## Metrics Topic configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/metrics-topic.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Components configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/components.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## kafka_security configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/streams.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## UI https configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/https.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Command topic configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/command-topic.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Producer/Consumer topic configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/producer-consumer.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Connect configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/connect.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Email configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/email.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Alert configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/alert.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-##
-## Log4J configuration
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/log4j.properties >  ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/log4j.properties
-cat ${CONTROL_CENTER_CONFIG_DIR}/log4j.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/log4j.properties
-##
-## UI Authentication configuration
-##
-if [ -e ${CONTROL_CENTER_CONFIG_DIR}/shared/ui-authentication.properties ] \
-    && [ -e ${CONTROL_CENTER_CONFIG_DIR}/shared/login.properties ] \
-	&& [ -e ${CONTROL_CENTER_CONFIG_DIR}/shared/propertyfile.jaas ] ; then
-
-	cat ${CONTROL_CENTER_CONFIG_DIR}/shared/ui-authentication.properties >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
-	cat ${CONTROL_CENTER_CONFIG_DIR}/shared/login.properties > ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/login.properties
-	cat ${CONTROL_CENTER_CONFIG_DIR}/shared/propertyfile.jaas > ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/propertyfile.jaas
-fi 
-##
-## Control-Center's managed Kafka JAAS file
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/c3-kafka-client-jaas.conf > ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/c3-kafka-client-jaas.conf
-##
-## JVM configurations
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/jvm.config > ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/jvm.config
-cat ${CONTROL_CENTER_CONFIG_DIR}/jvm.config >> ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/jvm.config
-##
-## JOLOKIA Configurations
-##
-if [ -e ${CONTROL_CENTER_CONFIG_DIR}/shared/jolokia.config ]; then
-	create_keystore /tmp/jolokia-keystore.jks /mnt/sslcerts/cacerts.pem
-	cat ${CONTROL_CENTER_CONFIG_DIR}/shared/jolokia.config > ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/jolokia.config
-fi
-##
-## JMX Prometheus Configurations
-##
-cp /opt/caas/templates/jmx-exporter.yaml.j2 ${COMPONENT_SCRIPT_DIR}/jmx-exporter.yaml
-##
-## Disk Usage agent that pushes information to mbeans which can be access through JMX
-##
-cat ${CONTROL_CENTER_CONFIG_DIR}/shared/disk-usage-agent.properties >  ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/disk-usage-agent.properties
-find ${COMPONENT_SCRIPT_DIR} -type f | xargs sed -i  "s/<<keystorepassword>>/${KEYSTOREPASSWORD}/g"

include/opt/caas/bin/ensure

-#!/usr/bin/env bash
-#
-# Copyright 2018 Confluent Inc.
-#
-set -o errexit
-
-echo "===> Check if Kafka is healthy ..."
-
-export CONTROL_CENTER_BOOTSTRAP_SERVERS=$(grep '^bootstrap.servers' ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties | cut -d '=' -f 2)
-export CONTROL_CENTER_REPLICATION_FACTOR=$(grep -w 'confluent.controlcenter.internal.topics.replication' ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties | cut -d '=' -f 2)
-
-cub kafka-ready "${CONTROL_CENTER_REPLICATION_FACTOR}" \
-  "${CONTROL_CENTER_CUB_KAFKA_TIMEOUT:-40}" \
-  -b "${CONTROL_CENTER_BOOTSTRAP_SERVERS}" \
-  --config "${COMPONENT_SCRIPT_DIR}/${COMPONENT}/c3-kafka-client-jaas.conf"

include/opt/caas/bin/launch

-#!/usr/bin/env bash
-#
-# Copyright 2018 Confluent Inc.
-#
-set -o errexit
-
-if [[ -e ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/propertyfile.jaas ]] ; then
-    export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=${COMPONENT_SCRIPT_DIR}/${COMPONENT}/propertyfile.jaas"
-fi
-
-echo "===> Adding disk usage agent to the java command ... " 
-export CONTROL_CENTER_OPTS="${CONTROL_CENTER_OPTS} -javaagent:/usr/share/java/cc-base/disk-usage-agent-${CONFLUENT_VERSION}.jar=${COMPONENT_SCRIPT_DIR}/${COMPONENT}/disk-usage-agent.properties"
-
-echo "===> Adding jolokia agent to the java command ... " 
-export JOLOKIA_AGENT_PORT=${JOLOKIA_AGENT_PORT:-7777}
-export JOLOKIA_AGENT_HOST=${JOLOKIA_AGENT_HOST:-"0.0.0.0"}
-if [ -e "${COMPONENT_SCRIPT_DIR}/${COMPONENT}/jolokia.config" ]; then
-export JOLOKIA_EXTRA_ARGS=",$(cat ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/jolokia.config | xargs)"
-fi
-export CONTROL_CENTER_OPTS="${CONTROL_CENTER_OPTS} -javaagent:/opt/caas/lib/jolokia/jolokia-jvm-1.6.2-agent.jar=port=${JOLOKIA_AGENT_PORT},host=${JOLOKIA_AGENT_HOST}${JOLOKIA_EXTRA_ARGS}"
-
-echo "===> Adding jmx exporter to the java command ... " 
-export JMX_EXPORTER_AGENT_PORT=${JMX_EXPORTER_AGENT_PORT:-7778}
-export JMX_EXPORTER_AGENT_HOST=${JMX_EXPORTER_AGENT_HOST:-"0.0.0.0"}
-
-export CONTROL_CENTER_OPTS="${CONTROL_CENTER_OPTS} -javaagent:/opt/caas/lib/jmx_prometheus_javaagent-0.14.0.jar=${JMX_EXPORTER_AGENT_PORT}:${COMPONENT_SCRIPT_DIR}/jmx-exporter.yaml"
-
-echo "===> Adding JVM config to the java command ... "
-export CONTROL_CENTER_OPTS="$(cat ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/jvm.config | xargs) ${CONTROL_CENTER_OPTS}"
-
-echo "===> Launching ${COMPONENT} ... "
-export CONTROL_CENTER_LOG4J_OPTS="-Dlog4j.configuration=file:${COMPONENT_SCRIPT_DIR}/${COMPONENT}/log4j.properties"
-export CONTROL_CENTER_HEAP_OPTS=' '
-export CONTROL_CENTER_JVM_PERFORMANCE_OPTS=' '
-export CONTROL_CENTER_JMX_OPTS=' '
-export JMX_PORT=' '
-exec ${COMPONENT}-start ${COMPONENT_SCRIPT_DIR}/${COMPONENT}/${COMPONENT}.properties
\ No newline at end of file

include/opt/caas/bin/run

-#!/usr/bin/env bash
-#
-# Copyright 2018 Confluent Inc.
-#
-set -o nounset \
-    -o errexit
-
-echo "===> User"
-id
-
-echo "===> Configuring ..."
-${DOCKER_SCRIPT_DIR}/configure
-
-echo "===> Running preflight checks ... "
-${DOCKER_SCRIPT_DIR}/ensure
-
-echo "===> Launching ... "
-exec ${DOCKER_SCRIPT_DIR}/launch
\ No newline at end of file

include/opt/caas/templates/jmx-exporter.yaml.j2

-lowercaseOutputLabelNames: false
-lowercaseOutputName: true

licenses/licenses/confluent.txt

-Copyright 2020 Confluent, Inc.