Merge branch 'Q2_2024_jdk17' into 'development'

Q2 2024 jdk17

See merge request dsop/confluent/confluentinc/cp-base-new-7.4.x!23

.gitignore

+ibscripts/build-image.sh
+ibscripts
+scripts/build-image.sh
+archive.key

Dockerfile

+ARG CP_BASE_NEW_IMAGE=confluentinc/cp-base-new
+ARG CP_BASE_NEW_TAG=7.7.0
+
 ARG BASE_REGISTRY=registry1.dso.mil
-ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
-ARG BASE_TAG=8.7
+ARG BASE_IMAGE=redhat/openjdk/openjdk17
+ARG BASE_TAG=1.17
 
+FROM ${CP_BASE_NEW_IMAGE}:${CP_BASE_NEW_TAG} AS base
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
-RUN dnf update -y --nodocs && \
-    dnf clean all && \
-    rm -rf /var/cache/dnf
+# This affects how strings in Java class files are interpreted.  
+# We want UTF-8 and this is the only locale in the base image that supports it
+ENV LANG="C.UTF-8"
+
+# openjdk11 (base image) does not expose all the fips ciphers, like HmacSHA256, when fips enabled
+# This causes issues with keytool & connect, so disable it for ONLY those java processes (not other processes, the OS, or K8S host)
+ARG JAVA_OPTS="-Dsecurity.useSystemPropertiesFile=false -Dcom.redhat.fips=false"
+ENV JDK_JAVA_OPTIONS=$JAVA_OPTS
+ENV JAVA_TOOL_OPTIONS=$JAVA_OPTS
+
+ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"'
+
+USER root
+
+## Add the Confluent Docker Utility Belt which helps with starting the proper applications
+## https://github.com/confluentinc/common-docker/tree/master/utility-belt
+
+COPY archive.key /tmp
+
+## For auditing & debugging
+COPY LICENSE /licenses/cp-base-new_LICENSE
+COPY Dockerfile /etc/confluent/ironbank/cp-base-new_Dockerfile
+COPY hardening_manifest.yaml /etc/confluent/ironbank/cp-base-new_Dockerfile
+COPY --chmod=755 scripts/dnfupdate /usr/bin/
+COPY --chmod=755 scripts/replacejar /usr/bin/
+
+## copy from dockerhub image
+COPY --from=base /etc/confluent /etc/confluent
+COPY --from=base /etc/cp-base-new /etc/cp-base-new
+COPY --from=base /licenses /licenses
+COPY --from=base /usr/share/java/cp-base-new /usr/share/java/cp-base-new 
+COPY --from=base /usr/share/doc /usr/share/doc
+COPY --from=base /usr/local/lib /usr/local/lib
+COPY --from=base /usr/local/lib64 /usr/local/lib64
+COPY --from=base /usr/local/bin /usr/local/bin
+
+RUN echo "===> dnf installs" \
+        && dnf install -y --nodocs python39 openssl tar procps iputils hostname \
+        && dnf install -y --nodocs glibc glibc-common glibc-minimal-langpack \
+        && dnf install -y --nodocs tzdata libgcc libstdc++ cyrus-sasl-lib libsolv \
+        && rpm --import /tmp/archive.key \
+    && echo "===> python aliasing" \
+        && ln -s /usr/bin/python3.9 /usr/bin/python \
+        && ln -s /usr/bin/pip3 /usr/bin/pip \
+        && alias python=python3.9 \
+        && alias pip=pip3 \
+        && alternatives --set python /usr/bin/python3.9 \
+    && echo "===> manual hardening" \
+        && python3 -m pip install --upgrade setuptools \
+        && pip3 install urllib3 --upgrade \
+        && dnf erase -y procps-ng gdb-gdbserver \
+    && echo "===> appuser setup" \
+        && mkdir -p /usr/logs /licenses \
+        && useradd --no-log-init --create-home --shell /bin/bash appuser \
+        && chown appuser:appuser -R /usr/logs \
+    && dnfupdate
+
+USER appuser
 
+## healthcheck not applicable since this is ONLY used as a base image
 HEALTHCHECK NONE
 
-USER nobody

LICENSE

+CONFLUENT LICENSE AGREEMENT
+This Confluent License Agreement (“Agreement”) is a legal agreement between you (either an individual or an entity) (“Customer”) and Confluent, Inc. a Delaware corporation with offices at 101 University Avenue, Suite 111, Palo Alto, CA 94301 (“Confluent”), regarding proprietary software made available by Confluent for download in object code format (“Confluent Software”). BY CLICKING ON THE CHECKBOX THAT DEMONSTRATES ACCEPTANCE OF THIS AGREEMENT, OR BY USING THE CONFLUENT SOFTWARE, CUSTOMER EXPRESSLY ACCEPTS AND AGREES TO THE TERMS OF THIS AGREEMENT. IF YOU ARE AN INDIVIDUAL AGREEING TO THE TERMS OF THIS AGREEMENT ON BEHALF OF AN ENTITY, SUCH AS YOUR EMPLOYER, YOU REPRESENT THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ENTITY AND “CUSTOMER” SHALL REFER HEREIN TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THE TERMS OF THIS AGREEMENT, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SOFTWARE.
+
+1. LICENSE
+
+1.1 Evaluation License. Subject to the terms of this Agreement, Confluent grants to Customer a limited, non-exclusive, non-transferable license solely during the Evaluation Term (as defined below) to use the Confluent Software solely for evaluation use in development and testing environments, and not for production use. As used herein, “Evaluation Term” means thirty (30) days from the date of download by Customer or such other period specified in writing by Confluent.
+
+1.2 Developer License. In addition to the license granted in Section 1.1, and subject to the terms of this Agreement, Confluent grants to Customer a limited, non-exclusive, non-transferable license to use the Confluent Software on one or more clusters with a single broker per cluster, solely for evaluation use in development and testing environments, and not for production use.
+
+1.3 Confluent Connectors. If Customer has an active subscription to the Confluent Platform, then, except for any Confluent Connectors that are designated as “preview” releases, any Confluent Connectors that Customer downloads from Confluent’s website or otherwise receives from Confluent will be subject to the terms of Customer’s Confluent subscription agreement applicable to Confluent’s proprietary software, not the terms of this Agreement.
+
+1.4 Additional Restrictions and Limitations. The licenses granted herein do not include a right to sublicense. Customer shall not, and shall not permit or encourage any third party to: (a) use the Confluent Software other than as expressly permitted by this Agreement, or use the Confluent Software for third-party training, software-as-a-service, time-sharing or service bureau use or (b) disassemble, decompile or reverse engineer any portions of the Confluent Software, or otherwise attempt to gain access to the source code to such Confluent Software (or the underlying ideas, algorithms, structure or organization of the object code in the Confluent Software). The foregoing restriction is inapplicable to the extent prohibited by applicable law; provided that, in the event that Customer intends to disassemble, decompile or reverse engineer such Confluent Software, Customer shall first provide Confluent with written notice thereof.
+
+1.5 Reservation of Rights. Confluent reserves all rights not expressly granted in this section. No rights are granted by implication.
+
+1.6 Delivery of Materials. The Confluent Software, and any versions, updates or maintenance releases of any component thereof, will be delivered only through an electronic transfer.
+
+1.7 Support and Maintenance. Confluent is not obligated to provide maintenance and support services for the Confluent Software licensed under this Agreement. In the event that Confluent, in its sole discretion, elects to make available to Customer any updates or maintenance releases of the Confluent Software, such updates or maintenance releases shall be deemed Confluent Software under this Agreement.
+
+1.8 Preview Releases. Confluent may make available for download a preview release or beta version of Confluent Software, and Customer may elect to use such preview release at its sole discretion. Preview releases are intended for evaluation use in development and testing environments only, and not for production use. Confluent may discontinue providing preview releases of the Confluent Software at any time in Confluent’s sole discretion. Confluent is undertaking no obligation to release a generally available version of a preview release or any specific feature thereof. If Customer provides Confluent any suggestions, enhancement requests, recommendations, or other feedback regarding preview releases (“Feedback”), Confluent may freely use and incorporate into Confluent’s products and services any such Feedback. Feedback shall be considered Confidential Information, regardless of whether marked as such.
+
+2. USER AND PERFORMANCE DATA. Confluent may from time to time use and process data about Customer’s use of the Confluent Software and Third Party Software for the purposes of creating statistics and analytics data. Confluent may use such data for its own business purposes, including to maintain and improve the Confluent Software, Third Party Software and other services and to monitor and analyse its activities in connection with the performance of such services. Customer acknowledges that certain features of the Confluent Software and Third Party Software are configured to collect and report telemetry data to Confluent as more particularly described in More Information Regarding Confluent Data Collection at https://www.confluent.io/moreinformation/. Customer may choose to disable transmission of this data to Confluent at any time. Confluent will use user data in accordance with Confluent’s Privacy Policy located at https://www.confluent.io/privacy/ subject, as applicable, to the Standard Contractual Clauses for Controllers as approved by the European Commission and available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915 (as amended, superseded or updated from time to time), which are incorporated by reference in, and form an integral part of, this Agreement.
+
+3. OWNERSHIP. Customer acknowledges that Confluent or its licensors retain all proprietary rights, title and interest, including all intellectual property rights, in and to the Confluent Software and any changes, corrections, bug fixes, enhancements, updates and other modifications thereto (collectively, “Modifications”), and as between the parties all such rights shall vest in Confluent. Customer acknowledges that the licenses granted in Section 1 do not include the right to prepare any Modifications of the Confluent Software.
+
+4. CONFIDENTIALITY
+
+4.1 Nondisclosure and Limited Use. Each party shall retain in confidence the non-public information and know-how disclosed or made available by the other party pursuant to this Agreement which is either designated in writing as proprietary and/or confidential, if disclosed in writing, or if disclosed orally, is designated in writing (which may be via email) as confidential within thirty (30) days of the oral disclosure or should reasonably be understood to be confidential by the recipient (the “Confidential Information”). The Confluent Software, Modifications, and the terms and conditions of this Agreement shall be Confluent’s Confidential Information. Each party agrees to: (a) maintain the confidentiality of the other party’s Confidential Information; (b) refrain from using the other party’s Confidential Information except for the purpose of performing its obligations under this Agreement; and (c) not disclose such Confidential Information to any third party except to employees and subcontractors as is reasonably required in connection with the exercise of its rights and obligations under this Agreement (and only subject to binding written use and disclosure restrictions at least as protective as those set forth herein). Each party shall immediately notify the other party of any unauthorized disclosure or use of any Confidential Information and assist the other party in remedying such unauthorized use or disclosure by taking such steps as are reasonably requested by such other party. The foregoing obligations will not apply to Confidential Information of the other party which is: (i) already publicly known without breach of this Agreement; (ii) discovered or created by the receiving party without use of, or reference to, the Confidential Information of the disclosing party, as shown in records of the receiving party; (iii) otherwise known to the receiving party through no wrongful conduct of the receiving party, or (iv) required to be disclosed by law or court order; provided that the receiving party shall provide prompt notice thereof and reasonable assistance to the disclosing party to enable the disclosing party to seek a protective order or otherwise prevent or restrict such disclosure. Moreover, either party hereto may disclose any Confidential Information hereunder to such party’s agents, attorneys and other representatives (and only subject to confidentiality obligations at least as protective as those set forth herein) or any court of competent jurisdiction as reasonably required to resolve any dispute between the parties hereto.
+
+4.2 Remedies. Any breach or threatened breach of this Section may cause irreparable injury to the disclosing party and, in addition to any other remedies that may be available, in law, in equity or otherwise, the disclosing party shall be entitled to seek injunctive relief against the threatened breach of this Agreement or the continuation of any such breach by the receiving party, without the necessity of proving actual damages or posting any bond, in addition to any other rights or remedies provided by law.
+
+5. DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY
+
+5.1 Disclaimer of Any Warranties. CONFLUENT MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, WITH RESPECT TO THE CONFLUENT SOFTWARE OR ANY OTHER MATERIALS PROVIDED HEREUNDER. CONFLUENT SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT AND THOSE ARISING FROM A COURSE OF DEALING OR USAGE OR TRADE, AND ALL SUCH WARRANTIES ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW. THE CONFLUENT SOFTWARE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS.
+
+5.2 Limitation of Liability. IN NO EVENT SHALL CONFLUENT’S LIABILITY ARISING UNDER THIS AGREEMENT EXCEED $500. CONFLUENT WILL NOT BE LIABLE TO CUSTOMER FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, INDIRECT, PUNITIVE OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, BUSINESS, CONTRACTS, REVENUE, GOODWILL, PRODUCTION, ANTICIPATED SAVINGS, LOSS OF DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY CLAIM OR DEMAND BY ANY OTHER PARTY, HOWEVER CAUSED AND (TO THE FULLEST EXTENT PERMITTED BY LAW) UNDER ANY THEORY OF LIABILITY (INCLUDING NEGLIGENCE) EVEN IF CONFLUENT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CUSTOMER ACKNOWLEDGES THAT THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
+
+6. TERM AND TERMINATION
+
+6.2 Term. Unless earlier terminated as provided in this Section, this Agreement and the license granted hereunder will be effective as of the Effective Date and will immediately terminate if Customer breaches Section 1 of this Agreement, regardless of whether Confluent notifies Customer of such termination.
+
+6.2 Termination. Either party shall have the right to terminate this Agreement and the license granted herein upon written notice in the event the other party fails to perform or observe any material term or condition of this Agreement and such default has not been cured no later than ten (10) days after written notice of such default to the other party. Confluent may also terminate this Agreement immediately if the Customer: (a) terminates or suspends its business; (b) becomes subject to any bankruptcy or insolvency proceeding under Federal or state statute; (c) becomes insolvent or subject to direct control by a trustee, receiver or similar authority; or (d) has wound up or liquidated, voluntarily or otherwise.
+
+6.3 Effect of Termination. The provisions of this Agreement that by their nature extend beyond the termination of this Agreement will survive termination. All of Customer’s rights in the Confluent Software will terminate immediately upon termination of this Agreement. No later than five (5) days after termination of this Agreement, Customer shall return to Confluent or, upon Confluent’s request, destroy or render inaccessible, at Customer’s sole expense, all Confidential Information of Confluent and materials containing any Confidential Information of Confluent, and discontinue use of and uninstall the Confluent Software, including all copies thereof. Nothing contained herein shall limit any other remedies that Confluent may have for the default of Customer under this Agreement nor relieve Customer of any of its obligations incurred prior to such termination.
+
+7. MISCELLANEOUS
+
+7.1 Assignment. Customer shall not assign or otherwise transfer this Agreement or any rights or obligations hereunder, in whole or in part, whether by operation of law or otherwise, to any third party without Confluent’s prior written consent. Any purported transfer, assignment or delegation without such prior written consent will be null and void and of no force or effect. Confluent shall have the right to assign this Agreement to any successor to its business or assets to which this Agreement relates, whether by merger, sale of assets, sale of stock, reorganization or otherwise. Subject to this Section, this Agreement shall be binding upon and inure to the benefit of the parties hereto, and their respective successors and permitted assigns.
+
+7.2 Entire Agreement; Modification; Waiver. This Agreement represents the entire agreement between the parties, and supersedes all prior agreements and understandings, written or oral, with respect to the matters covered by this Agreement, and is not intended to confer upon any third party any rights or remedies hereunder. Customer acknowledges that it has not entered in this Agreement based on any representations other than those contained herein. No modification of or amendment to this Agreement, nor any waiver of any rights under this Agreement, shall be effective unless in writing and signed by both parties. The waiver of one breach or default or any delay in exercising any rights shall not constitute a waiver of any subsequent breach or default.
+
+7.3 Third Party Software. Confluent also makes available certain third party open source software as identified at http://www.confluent.io/third_party_software (“Third Party Software”). The Third Party Software shall be subject to the applicable open source license(s) and not this Agreement, and is provided by Confluent at no charge. To the extent the terms of open source licenses applicable to Third Party Software prohibit any of the restrictions in this Agreement, such restrictions will not apply to such Third Party Software. To the extent the terms of open source licenses applicable to Third Party Software require Confluent to make an offer to provide source code or related information in connection with the Third Party Software, such offer is made.
+
+7.4 Governing Law. This Agreement shall in all respects be governed by the laws of the State of California without reference to its principles of conflicts of laws. The parties hereby agree that all disputes arising out of this Agreement shall be subject to the exclusive jurisdiction of and venue in the federal and state courts within Santa Clara County, California. Customer hereby consents to the personal and exclusive jurisdiction and venue of these courts. The parties hereby disclaim and exclude the application hereto of the United Nations Convention on Contracts for the International Sale of Goods.
+
+7.5 Severability. If any provision of this Agreement is held invalid or unenforceable under applicable law by a court of competent jurisdiction, it shall be replaced with the valid provision that most closely reflects the intent of the parties and the remaining provisions of the Agreement will remain in full force and effect.
+
+7.7 Relationship of the Parties. Nothing in this Agreement is to be construed as creating an agency, partnership, or joint venture relationship between the parties hereto. Neither party shall have any right or authority to assume or create any obligations or to make any representations or warranties on behalf of any other party, whether express or implied, or to bind the other party in any respect whatsoever.
+
+7.7 Notices. All notices permitted or required under this Agreement shall be in writing and shall be deemed to have been given when delivered in person (including by overnight courier), or three (3) business days after being mailed by first class, registered or certified mail, postage prepaid, to the address of the party specified in this Agreement or such other address as either party may specify in writing.
+
+7.8 U.S. Government Restricted Rights. If Confluent Software is being licensed by the U.S. Government, the Confluent Software is deemed to be “commercial computer software” and “commercial computer documentation” developed exclusively at private expense, and (a) if acquired by or on behalf of a civilian agency, shall be subject solely to the terms of this computer software license as specified in 48 C.F.R. 12.212 of the Federal Acquisition Regulations and its successors; and (b) if acquired by or on behalf of units of the Department of Defense (“DOD”) shall be subject to the terms of this commercial computer software license as specified in 48 C.F.R. 227.7202-2, DOD FAR Supplement and its successors.
+
+7.9 Export Law Assurances. Customer understands that the Confluent Software is subject to export control laws and regulations. Customer may not download or otherwise export or re-export the Confluent Software or any underlying information or technology except in full compliance with all applicable laws and regulations, in particular, but without limitation, United States export control laws. None of the Confluent Software or any underlying information or technology may be downloaded or otherwise exported or re- exported: (a) into (or to a national or resident of) any country to which the United States has embargoed goods; or (b) to anyone on the U.S. Treasury Department’s list of specially designated nationals or the U.S. Commerce Department’s list of prohibited countries or debarred or denied persons or entities. Customer hereby agrees to the foregoing and represents and warrants that customer is not located in, under control of, or a national or resident of any such country or on any such list.
+
+7.10 Construction. The titles and section headings used in this Agreement are for ease of reference only and shall not be used in the interpretation or construction of this Agreement. No rule of construction resolving any ambiguity in favor of the non-drafting party shall be applied hereto. The word “including”, when used herein, is illustrative rather than exclusive and means “including, without limitation.”
+
+(v. March 2019)
+
+Link: https://www.confluent.io/confluent-software-evaluation-license/

README.md

-# <application name>
+# cp-base-new-jdk17
+
+This is the base image used to support the Confluent Platform images.  
+
+Architecture: https://www.confluent.io/resources/apache-kafka-confluent-enterprise-reference-architecture/
+
+Operator Deployment: https://docs.confluent.io/operator/current/co-deployment.html
+
+For questions on this container please contact: confluent-fed@confluent.io
 
-Project template for all Iron Bank container repositories.
\ No newline at end of file

hardening_manifest.yaml

 ---
 apiVersion: v1
+# The repository name in registry1, excluding /ironbank/
+name: "confluentinc/cp-base-new"
 
-name: "opensource/foo/bar"
-
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
 tags:
-- "0.0.0"
-- "latest"
+  - "Q2_2024_jdk17"
+  - "2024-07-29"
+  - "7.7.0"
+  - "latest-ubi8.amd64"
+  - "latest.amd64"
+  - "latest_jdk17"
+  - "latest"
 
+# Build args passed to Dockerfile ARGs
 args:
-  BASE_IMAGE: "redhat/ubi/ubi8"
-  BASE_TAG: "8.7"
+  CP_BASE_NEW_IMAGE: "confluentinc/cp-base-new"
+  CP_BASE_NEW_TAG: "7.7.0"
+  BASE_IMAGE: "redhat/openjdk/openjdk17"
+  BASE_TAG: "1.17"
 
+# Docker image labels
 labels:
-  org.opencontainers.image.title: "title"
-  org.opencontainers.image.description: "description"
-  org.opencontainers.image.licenses: "Apache-2.0"
-  org.opencontainers.image.url: "https://url"
-  org.opencontainers.image.vendor: "vendor"
-  org.opencontainers.image.version: "0.0.0"
-  mil.dso.ironbank.image.keywords: "tag1,tag2,tag3"
-  mil.dso.ironbank.image.type: "opensource"
-  mil.dso.ironbank.product.name: "name"
-
+  org.opencontainers.image.title: "cp-base-new"
+  org.opencontainers.image.description: "Official Confluent Docker base image for other Confluent Platform images"
+  org.opencontainers.image.licenses: "CONFLUENT ENTERPRISE LICENSE"
+  org.opencontainers.image.url: "https://docs.confluent.io/platform/current/overview.html"
+  org.opencontainers.image.vendor: "Confluent"
+  org.opencontainers.image.version: "Q2_2024_jdk17"
+  mil.dso.ironbank.image.keywords: "confluent,cflt,kafka,operator,cfk"
+  mil.dso.ironbank.image.type: "commercial"
+  mil.dso.ironbank.product.name: "Confluent Platform"
+# List of resources to make available to the offline build context
 resources:
-- filename: 
-  url: 
-  validation:
-    type: sha256
-    value: 
-
+  - url: "docker://docker.io/confluentinc/cp-base-new@sha256:470903bc7130ae4a7fb366f5e48ccd0aeb7065a3873704beab2cfc25449d2f88"
+    tag: "confluentinc/cp-base-new:7.7.0"
+  - filename: archive.key
+    url: https://packages.confluent.io/rpm/7.0/archive.key
+    validation:
+      type: sha256
+      value: b569e9d80bc08b65d342491f8b94e47eb7032701ce17b091f212e1072672a4d5
+      
+# List of project maintainers
 maintainers:
-- email: "username@example.com"
-  name: "FirstName LastName"
-  username: "UserName"
-  cht_member: true/false
+  - name: "Scott Stroud"
+    username: "scottstroud"
+    email: "confluent-fed@confluent.io"
+    cht_member: false
+  - name: "Preston McGowan"
+    username: "preston.mcgowan"
+    email: "confluent-fed@confluent.io"
+    cht_member: false
+  - name: "Gary Hott"
+    username: "garyhott86"
+    email: "confluent-fed@confluent.io"
+    cht_member: false

renovate.json

+{
+    "assignees": [
+        "@scottstroud"
+    ],
+    "baseBranches": [
+        "development"
+    ],
+    "automerge": false,
+    "gitLabAutomerge": false,
+    "regexManagers": [
+        {
+            "fileMatch": [
+                "^hardening_manifest.yaml$"
+            ],
+            "matchStrings": [
+                "org\\.opencontainers\\.image\\.version:\\s+(\\s|\"|')?(?<currentValue>.+?)(\\s|\"|'|$)",
+                "tags:\\s+-(\\s|\"|')+(?<currentValue>.+?)(\\s|\"|'|$)+"
+            ],
+            "depNameTemplate": "confluentinc/cp-base-new",
+            "datasourceTemplate": "docker"
+        }
+    ]
+}
\ No newline at end of file

scripts/dnfupdate

+#!/bin/bash
+
+echo "===> Dependency update" \
+    && dnf update -y --nodocs \
+&& echo "===> Clean up, Clean up" \
+    && dnf clean all \
+    && yum clean all \
+    && rm -rf /tmp/* /var/cache/dnf \
+&& chmod gu-s /usr/bin/write

scripts/importArtifacts.sh

+
+#!/bin/bash
+
+start=`date +%s`
+
+if [[ -f .env ]]; then
+    echo "Loading in '.env' for values ..."
+    export $(grep -v '^#' .env | xargs)
+    echo " "
+fi
+
+SCRIPTS_HOME="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PROJECT_HOME=${PROJECT_HOME:-'../'}
+PROJECT_HOME=$(realpath $PROJECT_HOME)
+RESOURCE_HOME=${RESOURCE_HOME:-'../../resources'}
+RESOURCE_HOME=$(realpath $RESOURCE_HOME)
+
+importArtifacts() {
+    
+    manifestPath=$1
+    httpdomain=$2
+    resourceDir=$3
+
+    echo -e "\nImporting ${httpdomain} artifacts ..."
+
+    maniDir=$(dirname "$manifestPath")
+
+    # (re)set the filelist.txt
+    mkdir -p $resourceDir    
+    prefix="url: "
+    pushd $resourceDir
+        grep $httpdomain $manifestPath | while read -r line ; do
+            url=${line##*$prefix}
+            filename=$(basename "$url")
+            
+            local=$(find $RESOURCE_HOME -name $filename)
+            echo "local $local"
+
+            if [[ -f "$filename" ]]; then
+                echo "AA"
+                echo "Using existing $filename. Run ./clean.sh if thats not desired."
+            elif [[ ! -z "$local" ]]; then
+                echo "BB"
+                echo "Using existing $local. Run ./clean.sh if thats not desired."
+                cp $local $maniDir/
+            else
+                echo "downloading ${url} ..."
+                wget $url            
+            fi
+
+            if [[ ! -f "$maniDir/$filename" ]]; then
+                echo "copying ${filename} into ${maniDir} ..."
+                cp $filename $maniDir/
+            fi
+        done
+    popd
+}
+    
+mani=$(realpath "../hardening_manifest.yaml")
+
+importArtifacts $mani 'ironbank-files.s3.amazonaws.com' "$RESOURCE_HOME/ironbank-files"
+importArtifacts $mani 'packages.confluent.io' "$RESOURCE_HOME/confluent"
+importArtifacts $mani 's3.us-west-2.amazonaws.com/staging-confluent-packages' "$RESOURCE_HOME/confluent"
+importArtifacts $mani 'files.pythonhosted.org' "$RESOURCE_HOME/pythonhosted"
+importArtifacts $mani 'repo1.maven.org' "$RESOURCE_HOME/maven"
+
+# echo "Generating hardening_manifest_template.yaml ..."
+# $SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/ironbank-files"
+# $SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/confluent"
+# $SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/pythonhosted"
+
+end=`date +%s`
+duration=$((end-start))
+echo "#########################"
+echo "All done (${duration} seconds)"
+echo "#########################"
+

scripts/include/etc/confluent/docker/bash-config

+#
+# Copyright 2018 Confluent Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o nounset \
+    -o errexit
+
+# Trace may expose passwords/credentials by printing them to stdout, so turn on with care.
+if [ "${TRACE:-}" == "true" ]; then
+  set -o verbose \
+      -o xtrace
+fi

scripts/include/etc/confluent/docker/configure

+#!/usr/bin/env bash
+#
+# Copyright 2019 Confluent Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+. /etc/confluent/docker/bash-config
+
+dub ensure KAFKA_ZOOKEEPER_CONNECT
+dub ensure KAFKA_ADVERTISED_LISTENERS
+
+# By default, LISTENERS is derived from ADVERTISED_LISTENERS by replacing
+# hosts with 0.0.0.0. This is good default as it ensures that the broker
+# process listens on all ports.
+if [[ -z "${KAFKA_LISTENERS-}" ]]
+then
+  export KAFKA_LISTENERS
+  KAFKA_LISTENERS=$(cub listeners "$KAFKA_ADVERTISED_LISTENERS")
+fi
+
+dub path /etc/kafka/ writable
+
+if [[ -z "${KAFKA_LOG_DIRS-}" ]]
+then
+  export KAFKA_LOG_DIRS
+  KAFKA_LOG_DIRS="/var/lib/kafka/data"
+fi
+
+# advertised.host, advertised.port, host and port are deprecated. Exit if these properties are set.
+if [[ -n "${KAFKA_ADVERTISED_PORT-}" ]]
+then
+  echo "advertised.port is deprecated. Please use KAFKA_ADVERTISED_LISTENERS instead."
+  exit 1
+fi
+
+if [[ -n "${KAFKA_ADVERTISED_HOST-}" ]]
+then
+  echo "advertised.host is deprecated. Please use KAFKA_ADVERTISED_LISTENERS instead."
+  exit 1
+fi
+
+if [[ -n "${KAFKA_HOST-}" ]]
+then
+  echo "host is deprecated. Please use KAFKA_ADVERTISED_LISTENERS instead."
+  exit 1
+fi
+
+if [[ -n "${KAFKA_PORT-}" ]]
+then
+  echo "port is deprecated. Please use KAFKA_ADVERTISED_LISTENERS instead."
+  exit 1
+fi
+
+# Set if ADVERTISED_LISTENERS has SSL:// or SASL_SSL:// endpoints.
+if [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
+then
+  echo "SSL is enabled."
+
+  dub ensure KAFKA_SSL_KEYSTORE_FILENAME
+  export KAFKA_SSL_KEYSTORE_LOCATION="/etc/kafka/secrets/$KAFKA_SSL_KEYSTORE_FILENAME"
+  dub path "$KAFKA_SSL_KEYSTORE_LOCATION" exists
+
+  dub ensure KAFKA_SSL_KEY_CREDENTIALS
+  KAFKA_SSL_KEY_CREDENTIALS_LOCATION="/etc/kafka/secrets/$KAFKA_SSL_KEY_CREDENTIALS"
+  dub path "$KAFKA_SSL_KEY_CREDENTIALS_LOCATION" exists
+  export KAFKA_SSL_KEY_PASSWORD
+  KAFKA_SSL_KEY_PASSWORD=$(cat "$KAFKA_SSL_KEY_CREDENTIALS_LOCATION")
+
+  dub ensure KAFKA_SSL_KEYSTORE_CREDENTIALS
+  KAFKA_SSL_KEYSTORE_CREDENTIALS_LOCATION="/etc/kafka/secrets/$KAFKA_SSL_KEYSTORE_CREDENTIALS"
+  dub path "$KAFKA_SSL_KEYSTORE_CREDENTIALS_LOCATION" exists
+  export KAFKA_SSL_KEYSTORE_PASSWORD
+  KAFKA_SSL_KEYSTORE_PASSWORD=$(cat "$KAFKA_SSL_KEYSTORE_CREDENTIALS_LOCATION")
+
+  if [[ -n "${KAFKA_SSL_CLIENT_AUTH-}" ]] && ( [[ $KAFKA_SSL_CLIENT_AUTH == *"required"* ]] || [[ $KAFKA_SSL_CLIENT_AUTH == *"requested"* ]] )
+  then
+      dub ensure KAFKA_SSL_TRUSTSTORE_FILENAME
+      export KAFKA_SSL_TRUSTSTORE_LOCATION="/etc/kafka/secrets/$KAFKA_SSL_TRUSTSTORE_FILENAME"
+      dub path "$KAFKA_SSL_TRUSTSTORE_LOCATION" exists
+
+      dub ensure KAFKA_SSL_TRUSTSTORE_CREDENTIALS
+      KAFKA_SSL_TRUSTSTORE_CREDENTIALS_LOCATION="/etc/kafka/secrets/$KAFKA_SSL_TRUSTSTORE_CREDENTIALS"
+      dub path "$KAFKA_SSL_TRUSTSTORE_CREDENTIALS_LOCATION" exists
+      export KAFKA_SSL_TRUSTSTORE_PASSWORD
+      KAFKA_SSL_TRUSTSTORE_PASSWORD=$(cat "$KAFKA_SSL_TRUSTSTORE_CREDENTIALS_LOCATION")
+  fi
+  
+fi
+
+# Set if KAFKA_ADVERTISED_LISTENERS has SASL_PLAINTEXT:// or SASL_SSL:// endpoints.
+if [[ $KAFKA_ADVERTISED_LISTENERS =~ .*SASL_.*://.* ]]
+then
+  echo "SASL" is enabled.
+
+  dub ensure KAFKA_OPTS
+
+  if [[ ! $KAFKA_OPTS == *"java.security.auth.login.config"*  ]]
+  then
+    echo "KAFKA_OPTS should contain 'java.security.auth.login.config' property."
+  fi
+fi
+
+if [[ -n "${KAFKA_JMX_OPTS-}" ]]
+then
+  if [[ ! $KAFKA_JMX_OPTS == *"com.sun.management.jmxremote.rmi.port"*  ]]
+  then
+    echo "KAFKA_OPTS should contain 'com.sun.management.jmxremote.rmi.port' property. It is required for accessing the JMX metrics externally."
+  fi
+fi
+
+if [[ -z "${KAFKA_CONFLUENT_BALANCER_ENABLE-}" ]]
+then
+  export KAFKA_CONFLUENT_BALANCER_ENABLE
+  KAFKA_CONFLUENT_BALANCER_ENABLE="true"
+fi
+
+dub template "/etc/confluent/docker/${COMPONENT}.properties.template" "/etc/${COMPONENT}/${COMPONENT}.properties"
+dub template "/etc/confluent/docker/log4j.properties.template" "/etc/${COMPONENT}/log4j.properties"
+dub template "/etc/confluent/docker/tools-log4j.properties.template" "/etc/${COMPONENT}/tools-log4j.properties"

scripts/include/etc/confluent/docker/ensure

+#!/usr/bin/env bash
+#
+# Copyright 2020 Confluent Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+. /etc/confluent/docker/bash-config
+
+export KAFKA_DATA_DIRS=${KAFKA_DATA_DIRS:-"/var/lib/kafka/data"}
+echo "===> Check if $KAFKA_DATA_DIRS is writable ..."
+dub path "$KAFKA_DATA_DIRS" writable
+
+if [[ -n "${KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE-}" ]] && [[ $KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE == "true" ]]
+then
+    echo "===> Skipping Zookeeper health check for SSL connections..."
+else
+    echo "===> Check if Zookeeper is healthy ..."
+    cub zk-ready "$KAFKA_ZOOKEEPER_CONNECT" "${KAFKA_CUB_ZK_TIMEOUT:-40}"
+fi

scripts/include/etc/confluent/docker/kafka.properties.template

+{% set excluded_props = ['KAFKA_VERSION',
+                         'KAFKA_HEAP_OPTS'
+                         'KAFKA_LOG4J_OPTS',
+                         'KAFKA_OPTS',
+                         'KAFKA_JMX_OPTS',
+                         'KAFKA_JVM_PERFORMANCE_OPTS',
+                         'KAFKA_GC_LOG_OPTS',
+                         'KAFKA_LOG4J_ROOT_LOGLEVEL',
+                         'KAFKA_LOG4J_LOGGERS',
+                         'KAFKA_TOOLS_LOG4J_LOGLEVEL',
+                         'KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET']
+-%}
+
+{# properties that don't fit the standard format #}
+{% set other_props = {
+  'KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET' : 'zookeeper.clientCnxnSocket'
+ } -%}
+
+{% set kafka_props = env_to_props('KAFKA_', '', exclude=excluded_props) -%}
+{% for name, value in kafka_props.items() -%}
+{{name}}={{value}}
+{% endfor -%}
+
+{% for k, property in other_props.items() -%}
+{% if env.get(k) != None -%}
+{{property}}={{env[k]}}
+{% endif -%}
+{% endfor -%}
+
+{% set confluent_support_props = env_to_props('CONFLUENT_SUPPORT_', 'confluent.support.') -%}
+{% for name, value in confluent_support_props.items() -%}
+{{name}}={{value}}
+{% endfor -%}
+
+{% set confluent_metric_props = env_to_props('CONFLUENT_METRICS_', 'confluent.metrics.') -%}
+{% for name, value in confluent_metric_props.items() -%}
+{{name}}={{value}}
+{% endfor -%}

scripts/include/etc/confluent/docker/launch

+#!/usr/bin/env bash
+#
+# Copyright 2019 Confluent Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Override this section from the script to include the com.sun.management.jmxremote.rmi.port property.
+if [ -z "$KAFKA_JMX_OPTS" ]; then
+  export KAFKA_JMX_OPTS="-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.authenticate=false  -Dcom.sun.management.jmxremote.ssl=false "
+fi
+
+# The JMX client needs to be able to connect to java.rmi.server.hostname.
+# The default for bridged n/w is the bridged IP so you will only be able to connect from another docker container.
+# For host n/w, this is the IP that the hostname on the host resolves to.
+
+# If you have more that one n/w configured, hostname -i gives you all the IPs,
+# the default is to pick the first IP (or network).
+export KAFKA_JMX_HOSTNAME=${KAFKA_JMX_HOSTNAME:-$(hostname -i | cut -d" " -f1)}
+
+if [ "$KAFKA_JMX_PORT" ]; then
+  # This ensures that the "if" section for JMX_PORT in kafka launch script does not trigger.
+  export JMX_PORT=$KAFKA_JMX_PORT
+  export KAFKA_JMX_OPTS="$KAFKA_JMX_OPTS -Djava.rmi.server.hostname=$KAFKA_JMX_HOSTNAME -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT -Dcom.sun.management.jmxremote.port=$JMX_PORT"
+fi
+
+echo "===> Launching ${COMPONENT} ... "
+exec "${COMPONENT}"-server-start /etc/"${COMPONENT}"/"${COMPONENT}".properties

scripts/include/etc/confluent/docker/log4j.properties.template

+
+log4j.rootLogger={{ env["KAFKA_LOG4J_ROOT_LOGLEVEL"] | default('INFO') }}, stdout
+
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+{% set loggers = {
+  'kafka': 'INFO',
+  'kafka.network.RequestChannel$': 'WARN',
+  'kafka.producer.async.DefaultEventHandler': 'DEBUG',
+  'kafka.request.logger': 'WARN',
+  'kafka.controller': 'TRACE',
+  'kafka.log.LogCleaner': 'INFO',
+  'state.change.logger': 'TRACE',
+  'kafka.authorizer.logger': 'WARN'
+  } -%}
+
+
+{% if env['KAFKA_LOG4J_LOGGERS'] %}
+{% set loggers = parse_log4j_loggers(env['KAFKA_LOG4J_LOGGERS'], loggers) %}
+{% endif %}
+
+{% for logger,loglevel in loggers.items() %}
+log4j.logger.{{logger}}={{loglevel}}
+{% endfor %}

scripts/include/etc/confluent/docker/mesos-setup.sh

+#!/usr/bin/env bash
+
+set +o nounset
+
+if [ -z $SKIP_MESOS_AUTO_SETUP ]; then
+    if [ -n $MESOS_SANDBOX ] && [ -e $MESOS_SANDBOX/.ssl/scheduler.crt ] && [ -e $MESOS_SANDBOX/.ssl/scheduler.key ]; then
+        echo "Entering Mesos auto setup for Java SSL truststore. You should not see this if you are not on mesos ..."
+
+        openssl pkcs12 -export -in $MESOS_SANDBOX/.ssl/scheduler.crt -inkey $MESOS_SANDBOX/.ssl/scheduler.key \
+                       -out /tmp/keypair.p12 -name keypair \
+                       -CAfile $MESOS_SANDBOX/.ssl/ca-bundle.crt -caname root -passout pass:export
+
+        keytool -importkeystore \
+                -deststorepass changeit -destkeypass changeit -destkeystore /tmp/kafka-keystore.jks \
+                -srckeystore /tmp/keypair.p12 -srcstoretype PKCS12 -srcstorepass export \
+                -alias keypair
+
+        keytool -import \
+                -trustcacerts \
+                -alias root \
+                -file $MESOS_SANDBOX/.ssl/ca-bundle.crt \
+                -storepass changeit \
+                -keystore /tmp/kafka-truststore.jks -noprompt
+    fi
+fi
+
+set -o nounset

scripts/include/etc/confluent/docker/run

+#!/usr/bin/env bash
+#
+# Copyright 2019 Confluent Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+. /etc/confluent/docker/bash-config
+
+# Set environment values if they exist as arguments
+if [ $# -ne 0 ]; then
+  echo "===> Overriding env params with args ..."
+  for var in "$@"
+  do
+    export "$var"
+  done
+fi
+
+echo "===> User"
+id
+
+echo "===> Configuring ..."
+/etc/confluent/docker/configure
+
+echo "===> Running preflight checks ... "
+/etc/confluent/docker/ensure
+
+echo "===> Launching ... "
+exec /etc/confluent/docker/launch

scripts/include/etc/confluent/docker/tools-log4j.properties.template

+
+log4j.rootLogger={{ env["KAFKA_TOOLS_LOG4J_LOGLEVEL"] | default('WARN') }}, stderr
+
+log4j.appender.stderr=org.apache.log4j.ConsoleAppender
+log4j.appender.stderr.layout=org.apache.log4j.PatternLayout
+log4j.appender.stderr.layout.ConversionPattern=[%d] %p %m (%c)%n
+log4j.appender.stderr.Target=System.err

scripts/log4j.properties

+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+log4j.rootLogger=OFF
+
+# Only log errors from Kafka and ZKClient
+log4j.logger.org.apache.kafka=ERROR
+log4j.logger.org.I0Itec.zkclient.ZkClient=ERROR
+
+# Log informational messages from the CLI and Zookeeper
+log4j.logger.io.confluent.admin.utils=INFO, stderr
+log4j.logger.org.apache.zookeeper=INFO, stderr
+# STDERR Appender
+log4j.appender.stderr=org.apache.log4j.ConsoleAppender
+log4j.appender.stderr.layout=org.apache.log4j.PatternLayout
+log4j.appender.stderr.Target=System.err
+log4j.appender.stderr.layout.ConversionPattern=%m%n
\ No newline at end of file

scripts/replacejar

+#!/bin/bash
+
+shopt -s globstar
+
+SRC_DIR=/tmp
+DEST_DIR=/usr/share/java
+
+echo "===> Replacing instances for $1 jars under ${DEST_DIR}"
+
+chown appuser:appuser $SRC_DIR/$1*.jar
+for i in $DEST_DIR/**/$1*.jar; do # Whitespace-safe and recursive
+    rm -f "$i"
+    cp $SRC_DIR/$1*.jar $(dirname "$i")/
+done