rpm key stuff

Dockerfile

@@ -48,6 +48,7 @@ RUN chown appuser:appuser -R /usr/logs
 
 # Copy required RPMs
 COPY *.rpm /tmp/
+COPY archive.key /tmp/
 
 ########################################
 # confluentinc/kafka-images/server
@@ -67,7 +68,8 @@ ENV DOCKER_SCRIPT_DIR=/opt/caas/bin
 EXPOSE 8088
 
 RUN echo "===> Installing ${COMPONENT}" \
-    && dnf install --nogpgcheck -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
+    && rpm --import /tmp/archive.key \
+    && dnf install -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
         /tmp/confluent-security-${RPM_VERSION}.noarch.rpm \
         /tmp/confluent-telemetry-${RPM_VERSION}.noarch.rpm \
         /tmp/confluent-hub-client-${RPM_VERSION}.noarch.rpm \        

build-image.sh

-#!/bin/bash
-start=`date +%s`
-
-##
-# Docker Dependencies: 
-#   https://docs.confluent.io/current/installation/docker/image-reference.html#image-reference
-
-##
-# Settings for the build process
-
-if [[ -f .env ]]; then
-    echo "Loading in '.env' for values ..."
-    export $(grep -v '^#' .env | xargs)
-    echo " "
-elif [[ -f ../.env ]]; then
-    echo "Loading in PARENT '.env' for values ..."
-    export $(grep -v '^#' ../.env | xargs)
-    echo " "
-fi
-
-# The BASE_ is used by PlatformOne to change the base image, we will make use of RedHat
-BASE_REGISTRY=${BASE_REGISTRY:-'registry1.dso.mil'}
-MANI='hardening_manifest.yaml'
-
-cd ../
-
-## parse manifest with yq (https://github.com/mikefarah/yq)
-name=$(yq e '.name' $MANI)
-tags=( $(yq e '.tags.[]' $MANI) )
-baseImage=$(yq e '.args.BASE_IMAGE' $MANI)
-baseTag=$(yq e '.args.BASE_TAG' $MANI)
-
-echo "Starting $name build ..."
-
-echo "$name docker build ..."
-
-if [[ "$1" == "--squash" ]]; then
-  echo "Squashing like a cockroach ..."
-  DOCKER_BUILDKIT=1 docker build \
-    --squash \
-    --tag $BASE_REGISTRY/$name:latest \
-    --build-arg BASE_REGISTRY=$BASE_REGISTRY \
-    --build-arg BASE_IMAGE=$baseImage \
-    --build-arg BASE_TAG=$baseTag \
-    . 
-else
-  DOCKER_BUILDKIT=1 docker build \
-    --tag $BASE_REGISTRY/$name:latest \
-    --build-arg BASE_REGISTRY=$BASE_REGISTRY \
-    --build-arg BASE_IMAGE=$baseImage \
-    --build-arg BASE_TAG=$baseTag \
-    .  
-fi
-
-for tag in "${tags[@]}";do
-  docker tag $BASE_REGISTRY/$name:latest $BASE_REGISTRY/$name:$tag
-  echo "🏷 Tagged build with $BASE_REGISTRY/$name:$tag" 
-done
-
-cd scripts
-
-end=`date +%s`
-duration=$((end-start))
-echo "🏁 Finished $CONTAINER build (${duration} seconds)"
\ No newline at end of file

hardening_manifest.yaml

@@ -217,6 +217,11 @@ resources:
   validation:
     type: sha256
     value: 7e2622a934f04a2e5b23a355f920473ccf0144e946b433bc619a9802c1e3785c
+- filename: archive.key
+  url: https://packages.confluent.io/rpm/6.1/archive.key
+  validation:
+    type: sha256
+    value: b569e9d80bc08b65d342491f8b94e47eb7032701ce17b091f212e1072672a4d5  
 - filename: confluent-common-6.1.1-1.noarch.rpm
   url: https://packages.confluent.io/rpm/6.1/confluent-common-6.1.1-1.noarch.rpm
   validation:

scripts/importArtifacts.sh

@@ -24,9 +24,6 @@ importArtifacts() {
     echo -e "\nImporting ${httpdomain} artifacts ..."
 
     maniDir=$(dirname "$manifestPath")
-    if [[ ! -f "$maniDir/build-image.sh" ]]; then
-        cp build-image.sh $maniDir/
-    fi
 
     # (re)set the filelist.txt
     mkdir -p $resourceDir