Dockerfile

ARG CP_BASE_NEW_IMAGE=confluentinc/cp-base-new
ARG CP_BASE_NEW_TAG=7.8.2-1-ubi8

ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=redhat/openjdk/openjdk17
ARG BASE_TAG=1.17

FROM ${CP_BASE_NEW_IMAGE}:${CP_BASE_NEW_TAG} AS base
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

# This affects how strings in Java class files are interpreted.  
# We want UTF-8 and this is the only locale in the base image that supports it
ENV LANG="C.UTF-8"

# openjdk11 (base image) does not expose all the fips ciphers, like HmacSHA256, when fips enabled
# This causes issues with keytool & connect, so disable it for ONLY those java processes (not other processes, the OS, or K8S host)
ARG JAVA_OPTS="-Dsecurity.useSystemPropertiesFile=false -Dcom.redhat.fips=false"
ENV JDK_JAVA_OPTIONS=$JAVA_OPTS
ENV JAVA_TOOL_OPTIONS=$JAVA_OPTS

# Set the classpath for JARs required by `cub`
ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"'

USER root

COPY archive.key /tmp

## For auditing & debugging
COPY LICENSE /licenses/cp-base-new_LICENSE
COPY Dockerfile /etc/confluent/ironbank/cp-base-new_Dockerfile
COPY hardening_manifest.yaml /etc/confluent/ironbank/cp-base-new_Dockerfile
COPY --chmod=755 scripts/dnfupdate /usr/bin/
COPY --chmod=755 scripts/replacejar /usr/bin/

## copy from dockerhub image
COPY --from=base /etc/confluent /etc/confluent
COPY --from=base /etc/cp-base-new /etc/cp-base-new
COPY --from=base /licenses /licenses
COPY --from=base /usr/share/java/cp-base-new /usr/share/java/cp-base-new 
COPY --from=base /usr/share/doc /usr/share/doc
COPY --from=base /usr/local/lib /usr/local/lib
COPY --from=base /usr/local/lib64 /usr/local/lib64
COPY --from=base /usr/local/bin /usr/local/bin

RUN echo "===> dnf installs" \
        && dnf install -y --nodocs python39 openssl tar procps iputils hostname \
        && dnf install -y --nodocs glibc glibc-common glibc-minimal-langpack \
        && dnf install -y --nodocs tzdata libgcc libstdc++ cyrus-sasl-lib libsolv \
        && rpm --import /tmp/archive.key \
    && echo "===> python aliasing" \
        && ln -s /usr/bin/python3.9 /usr/bin/python \
        && ln -s /usr/bin/pip3 /usr/bin/pip \
        && alias python=python3.9 \
        && alias pip=pip3 \
        && alternatives --set python /usr/bin/python3.9 \
    && echo "===> manual hardening" \
        && python3 -m pip install --upgrade setuptools \
        && pip3 install urllib3 --upgrade \
        && dnf erase -y procps-ng gdb-gdbserver \
        && rm -Rf /usr/local/bin/openssl \
    && echo "===> appuser setup" \
        && mkdir -p /usr/logs /licenses \
        && useradd --no-log-init --create-home --shell /bin/bash appuser \
        && chown appuser:appuser -R /usr/logs \
    && dnfupdate 
    
# Disable setuid/setgid bits
RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
RUN find / -perm /6000 -type f -exec chmod g-s {} \; || true

USER appuser
WORKDIR /home/appuser

## healthcheck not applicable since this is ONLY used as a base image
HEALTHCHECK NONE