meh

.gitignore

+archive.key
+*.whl
+*.jar
+*.tar.gz
+*.rpm
\ No newline at end of file

Dockerfile

@@ -48,6 +48,7 @@ RUN chown appuser:appuser -R /usr/logs
 
 # Copy required RPMs
 COPY *.rpm /tmp/
+COPY archive.key /tmp/
 
 ########################################
 # confluentinc/kafka-images/server
@@ -67,7 +68,8 @@ ENV DOCKER_SCRIPT_DIR=/opt/caas/bin
 EXPOSE 8088
 
 RUN echo "===> Installing ${COMPONENT}" \
-    && dnf install --nogpgcheck -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
+    && rpm --import /tmp/archive.key \
+    && dnf install -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
         /tmp/confluent-security-${RPM_VERSION}.noarch.rpm \
         /tmp/confluent-telemetry-${RPM_VERSION}.noarch.rpm \
         /tmp/confluent-hub-client-${RPM_VERSION}.noarch.rpm \        
@@ -87,6 +89,7 @@ COPY cp-${COMPONENT}-operator-*_UsrBin.tar.gz /usr/bin/
 ## For auditing & debugging
 COPY Dockerfile /etc/confluent/ironbank/
 COPY hardening_manifest.yaml /etc/confluent/ironbank/
+COPY maven-artifact-3.8.1.jar /tmp/
 
 RUN echo "===> Installing operator stuff" \
     && cd /usr/share && tar -xvf *_UsrShareJava.tar.gz && rm *_UsrShareJava.tar.gz \
@@ -95,6 +98,8 @@ RUN echo "===> Installing operator stuff" \
     && cd /etc && tar -xvf *_EtcKsqldb.tar.gz && rm *_EtcKsqldb.tar.gz \
     && cd /opt/confluent/ksql && tar -xvf *_OptConfluentKsqlLibs.tar.gz && rm *_OptConfluentKsqlLibs.tar.gz \
     && cd /usr/bin && tar -xvf *_UsrBin.tar.gz && rm *_UsrBin.tar.gz \
+    && find /usr/share/java  /opt/confluent/ksql -name "maven-artifact-3.6.3.jar" -execdir cp /tmp/maven-artifact-3.8.1.jar . \; -exec rm {} \; \ 
+    && chown appuser:appuser /opt/confluent/ksql/libs/maven-artifact-3.8.1.jar && chmod 755 /opt/confluent/ksql/libs/maven-artifact-3.8.1.jar \
     && chown -R appuser:appuser /etc/confluent /etc/${COMPONENT} /usr/logs /usr/bin/ksql /usr/share/java \
     && mkdir -p "${KSQL_LOG4J_DIR}" "${KSQL_SECRETS_DIR}" "${KSQL_CONFIG_DIR}" "${KSQL_DATA_DIR}" "${COMPONENT_SCRIPT_DIR}/${COMPONENT}" \
    	&& chmod -R ag+w "${KSQL_LOG4J_DIR}" "${KSQL_SECRETS_DIR}" "${KSQL_CONFIG_DIR}" "${KSQL_DATA_DIR}" "/opt" \

hardening_manifest.yaml

@@ -217,6 +217,11 @@ resources:
   validation:
     type: sha256
     value: 7e2622a934f04a2e5b23a355f920473ccf0144e946b433bc619a9802c1e3785c
+- filename: archive.key
+  url: https://packages.confluent.io/rpm/6.1/archive.key
+  validation:
+    type: sha256
+    value: b569e9d80bc08b65d342491f8b94e47eb7032701ce17b091f212e1072672a4d5
 - filename: confluent-common-6.1.1-1.noarch.rpm
   url: https://packages.confluent.io/rpm/6.1/confluent-common-6.1.1-1.noarch.rpm
   validation:
@@ -271,7 +276,12 @@ resources:
   url: https://ironbank-files.s3.amazonaws.com/cp-ksqldb-server-operator-6.1.1.0_UsrBin.tar.gz
   validation:
     type: sha256
-    value: d76da0002ea5b36cf3ea788aaeacc55eafc5f8ab4e5807e9d6e3ecc4794066b4     
+    value: d76da0002ea5b36cf3ea788aaeacc55eafc5f8ab4e5807e9d6e3ecc4794066b4
+- filename: maven-artifact-3.8.1.jar
+  url: https://repo1.maven.org/maven2/org/apache/maven/maven-artifact/3.8.1/maven-artifact-3.8.1.jar
+  validation:
+    type: sha256
+    value: 9dbd3db15ac4816471e72981cb06ef90f3ffa8be6628dddf7135f7bd69bee0c0       
     
 # List of project maintainers
 maintainers:

scripts/build-image.sh

@@ -22,6 +22,8 @@ fi
 BASE_REGISTRY=${BASE_REGISTRY:-'registry1.dso.mil'}
 MANI='hardening_manifest.yaml'
 
+cd ../
+
 ## parse manifest with yq (https://github.com/mikefarah/yq)
 name=$(yq e '.name' $MANI)
 tags=( $(yq e '.tags.[]' $MANI) )
@@ -55,6 +57,8 @@ for tag in "${tags[@]}";do
   echo "🏷 Tagged build with $BASE_REGISTRY/$name:$tag" 
 done
 
+cd scripts
+
 end=`date +%s`
 duration=$((end-start))
 echo "🏁 Finished $CONTAINER build (${duration} seconds)"
\ No newline at end of file

scripts/importArtifacts.sh

+
+#!/bin/bash
+
+start=`date +%s`
+
+if [[ -f .env ]]; then
+    echo "Loading in '.env' for values ..."
+    export $(grep -v '^#' .env | xargs)
+    echo " "
+fi
+
+SCRIPTS_HOME="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PROJECT_HOME=${PROJECT_HOME:-'../'}
+PROJECT_HOME=$(realpath $PROJECT_HOME)
+RESOURCE_HOME=${RESOURCE_HOME:-'../../resources'}
+RESOURCE_HOME=$(realpath $RESOURCE_HOME)
+
+importArtifacts() {
+    
+    manifestPath=$1
+    httpdomain=$2
+    resourceDir=$3
+
+    echo -e "\nImporting ${httpdomain} artifacts ..."
+
+    maniDir=$(dirname "$manifestPath")
+
+    # (re)set the filelist.txt
+    mkdir -p $resourceDir    
+    prefix="url: "
+    pushd $resourceDir
+        grep $httpdomain $manifestPath | while read -r line ; do
+            url=${line##*$prefix}
+            filename=$(basename "$url")
+            
+            if [[ ! -f "$filename" ]]; then
+                echo "downloading ${url} ..."
+                wget $url            
+            else
+                echo "Using existing $filename. Run ./clean.sh if thats not desired."
+            fi
+
+            if [[ ! -f "$maniDir/$filename" ]]; then
+                echo "copying ${filename} into ${maniDir} ..."
+                cp $filename $maniDir/
+            fi
+        done
+    popd
+}
+    
+mani=$(realpath "../hardening_manifest.yaml")
+
+importArtifacts $mani 'ironbank-files.s3.amazonaws.com' "$RESOURCE_HOME/ironbank-files"
+importArtifacts $mani 'packages.confluent.io' "$RESOURCE_HOME/confluent"
+importArtifacts $mani 'files.pythonhosted.org' "$RESOURCE_HOME/pythonhosted"
+importArtifacts $mani 'repo1.maven.org' "$RESOURCE_HOME/maven"
+
+echo "Generating hardening_manifest_template.yaml ..."
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/ironbank-files"
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/confluent"
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/pythonhosted"
+
+end=`date +%s`
+duration=$((end-start))
+echo "#########################"
+echo "All done (${duration} seconds)"
+echo "#########################"
+