init

847672dd · Scott Stroud · 13fb1771 · 847672dd · 847672dd
Commit 847672dd authored 2 years ago by Scott Stroud
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,8 @@ ARG BASE_TAG=latest

 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

-ENV CONFLUENT_VERSION=7.2.1
+ENV COMPONENT=kafka-connect
+ENV CONFLUENT_VERSION=7.2.2

 # This affects how strings in Java class files are interpreted.  
 # We want UTF-8 and this is the only locale in the base image that supports it
@@ -12,33 +13,31 @@ ENV LANG="C.UTF-8"

 USER root

-# Copy required RPMs
-COPY *.rpm /tmp/
-COPY archive.key /tmp/
-COPY LICENSE /licenses
-
-ENV COMPONENT=kafka-connect
 # allow arg override of required env params
 ARG KAFKA_ZOOKEEPER_CONNECT
 ENV KAFKA_ZOOKEEPER_CONNECT=${KAFKA_ZOOKEEPER_CONNECT}
 ARG KAFKA_ADVERTISED_LISTENERS
 ENV KAFKA_ADVERTISED_LISTENERS=${KAFKA_ADVERTISED_LISTENERS}

+ENV CONNECT_PLUGIN_PATH=/usr/share/java/,/usr/share/confluent-hub-components/
+
+COPY *.rpm /tmp/
+COPY LICENSE /licenses
+COPY Dockerfile /etc/confluent/ironbank/
+COPY hardening_manifest.yaml /etc/confluent/ironbank/
+
+COPY --chown=appuser:appuser scripts/include/etc/confluent/docker /etc/confluent/docker
+
 # primary
 EXPOSE 9092

 # rest
 EXPOSE 8083

-## For auditing & debugging
-COPY Dockerfile /etc/confluent/ironbank/
-COPY hardening_manifest.yaml /etc/confluent/ironbank/
-
 RUN echo "===> Dependency update" \
-    && dnf update -y --nodocs \
+        && dnf update -y --nodocs \
    && echo "===> Installing ${COMPONENT}" \
-    && rpm --import /tmp/archive.key \
-    && rpm -ivh --nodigest /tmp/confluent-common-*.noarch.rpm \
+        && dnf install -y /tmp/confluent-common-*.noarch.rpm \
        /tmp/confluent-rest-utils-*.noarch.rpm \
        /tmp/confluent-metadata-service-*.noarch.rpm \
        /tmp/confluent-server-*.noarch.rpm \
@@ -53,22 +52,18 @@ RUN echo "===> Dependency update" \
        /tmp/confluent-control-center-fe-*.noarch.rpm \
        /tmp/confluent-hub-client-*.noarch.rpm \
        /tmp/confluent-kafka-connect-replicator-*.noarch.rpm \
-    && echo "===> Clean up, Clean up" \
-    && dnf clean all \
-    && yum clean all \
-    && rm -rf /tmp/* \
-    && rm -rf /var/cache/dnf \
    && echo "===> Setting up ${COMPONENT} dirs ..." \
-    && mkdir -p /usr/share/confluent-hub-components /var/lib/kafka/data /etc/kafka/secrets /etc/${COMPONENT} /etc/${COMPONENT}/secrets /etc/${COMPONENT}/jars /usr/logs \
-    && chown appuser:root -R /etc/${COMPONENT} /usr/logs /etc/schema-registry /usr/share/confluent-hub-components /var/log/kafka /var/log/confluent /var/lib/kafka /var/lib/zookeeper /etc/kafka/secrets \
-    && chmod -R ug+w /etc/kafka /var/lib/kafka/data /etc/kafka/secrets /etc/${COMPONENT} /etc/${COMPONENT}/secrets /etc/${COMPONENT}/jars /etc/schema-registry
-
-ENV CONNECT_PLUGIN_PATH=/usr/share/java/,/usr/share/confluent-hub-components/
+        && mkdir -p /usr/share/confluent-hub-components /var/lib/kafka/data /etc/kafka/secrets /etc/${COMPONENT} /etc/${COMPONENT}/secrets /etc/${COMPONENT}/jars /usr/logs \
+        && chown appuser:root -R /etc/${COMPONENT} /usr/logs /etc/schema-registry /usr/share/confluent-hub-components /var/log/kafka /var/log/confluent /var/lib/kafka /var/lib/zookeeper /etc/kafka/secrets \
+        && chmod -R ug+w /etc/kafka /var/lib/kafka/data /etc/kafka/secrets /etc/${COMPONENT} /etc/${COMPONENT}/secrets /etc/${COMPONENT}/jars /etc/schema-registry \
+        && chown -R appuser:appuser /etc/confluent \
+    && echo "===> Clean up, Clean up" \
+        && dnf clean all \
+        && yum clean all \
+        && rm -rf /tmp/* /var/cache/dnf

 VOLUME ["/var/lib/kafka/data", "/etc/kafka/secrets", "/etc/${COMPONENT}/jars", "/etc/${COMPONENT}/secrets"]

-COPY --chown=appuser:appuser scripts/include/etc/confluent/docker /etc/confluent/docker
-
 USER appuser

 CMD ["/etc/confluent/docker/run"]
@@ -79,4 +74,4 @@ CMD ["/etc/confluent/docker/run"]
 # Retry period    : 8 minutes (after which container is deemed unhealthy)
 # All settings can be overriden at run-time in Docker/Docker Compose. 
 HEALTHCHECK --start-period=120s --interval=5s --timeout=10s --retries=96 \ 
-    CMD /usr/bin/kafka-topics --version
+    CMD /usr/bin/kafka-topics --version
\ No newline at end of file
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -6,14 +6,14 @@ name: "confluentinc/cp-enterprise-replicator"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dso.mil
 tags:
-  - "7.2.1-1-ubi8"
-  - "7.2.1"
+  - "7.2.2-1-ubi8"
+  - "7.2.2"
  - "7.2.x"
  - "7.2"
 # Build args passed to Dockerfile ARGs
 args:
  BASE_IMAGE: "confluentinc/cp-base-new"
-  BASE_TAG: "Q2_2022"
+  BASE_TAG: "Q3_2022"
 # Docker image labels
 labels:
  org.opencontainers.image.title: "cp-enterprise-replicator"
@@ -21,91 +21,86 @@ labels:
  org.opencontainers.image.licenses: "CONFLUENT ENTERPRISE LICENSE"
  org.opencontainers.image.url: "https://docs.confluent.io/platform/current/overview.html"
  org.opencontainers.image.vendor: "Confluent"
-  org.opencontainers.image.version: "7.2.1"
+  org.opencontainers.image.version: "7.2.2"
  mil.dso.ironbank.image.keywords: "confluent,cflt,kafka,replicator,operator,cfk"
  mil.dso.ironbank.image.type: "commercial"
  mil.dso.ironbank.product.name: "Confluent Platform"
 resources:
-  - filename: archive.key
-    url: https://packages.confluent.io/rpm/7.2/archive.key
+  - filename: confluent-common-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-common-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 6753aba4eab80062784a903af0314877d36fa4f998333adffecb0fcba81113cd
-  - filename: confluent-common-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-common-7.2.1-1.noarch.rpm
+      value: 04a4496b5b258c1395afc07ea5021e20395e8eb4958a0cc25a793fd1d661ab86
+  - filename: confluent-rebalancer-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-rebalancer-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 88cb32f4db2b78ddfd8abddcc7f34a6d4ca2bb1dd807becfd4e93c9448790daa
-  - filename: confluent-rebalancer-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-rebalancer-7.2.1-1.noarch.rpm
+      value: 9db74b754c24b224793b1c0c11350c15aece745d0a8204fea2659b86523ecad4
+  - filename: confluent-rest-utils-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-rest-utils-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 9d207c10c8d6f6ce49a1f481f47610f35b4ab43067063b393c7213de7e20ce67
-  - filename: confluent-rest-utils-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-rest-utils-7.2.1-1.noarch.rpm
+      value: 2723c538f362706f2bff8903ffd9b199da5d4e203ebc8945c7494934082ec6f0
+  - filename: confluent-security-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-security-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: bf7fb81b49fe03d36f8ac9523dfff5f2f19951586a99b9d00de6199b37ccde9c
-  - filename: confluent-security-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-security-7.2.1-1.noarch.rpm
+      value: 9ab0616e65106c2ac8b8609818fadc2ab443e26935fb995f9d6df6f98eb794bc
+  - filename: confluent-metadata-service-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-metadata-service-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 3ea78af130b8254c6791a7cc901a7896a534d5aef855f207add248e09b2798ba
-  - filename: confluent-metadata-service-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-metadata-service-7.2.1-1.noarch.rpm
+      value: 64b59d07552795c58a38d71f93a2f211fee32ee68b36f5e08dece42ca096d299
+  - filename: confluent-server-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-server-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: b239f893749474bafbd99cf61a3e12878df5c6246ec109cc1be8e17df3e01e0c
-  - filename: confluent-server-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-server-7.2.1-1.noarch.rpm
+      value: 8ea7a535d7f4ae4366d85730e50c2ec061d3bb24523914cf7071757d076b3145
+  - filename: confluent-ce-kafka-http-server-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-ce-kafka-http-server-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: a655eec4576c8586720306f9abda728a859c3fb10727e96fe356c9441cb71edf
-  - filename: confluent-ce-kafka-http-server-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-ce-kafka-http-server-7.2.1-1.noarch.rpm
+      value: 452ea9a8a648b24c93d8503cfc4ce3ce9d9cf2582eda460aafcda6f1ed964cf1
+  - filename: confluent-server-rest-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-server-rest-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 3bffad1b3d10ecad9bc0cf7dc016f0621236dedcd14a8cb1964f570f5d597915
-  - filename: confluent-server-rest-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-server-rest-7.2.1-1.noarch.rpm
+      value: 792c41c7792d3d39c1247d0b6491ca6b26cf92a45294348f4d7f23b07ce8823d
+  - filename: confluent-telemetry-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-telemetry-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 78ece747a7d76f0a8bd84e70b470dce9e5f6114233a897802ae689c6381c9829
-  - filename: confluent-telemetry-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-telemetry-7.2.1-1.noarch.rpm
+      value: 75f42c016062a10f415dc4401971ca57d3e6185af193f549d3b3ae7b92c85587
+  - filename: confluent-kafka-rest-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-kafka-rest-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 5d24ab57555e884acdf01e01b6bccce24e1caead8a0331afc8c0b9f31e8738c7
-  - filename: confluent-kafka-rest-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-kafka-rest-7.2.1-1.noarch.rpm
+      value: dd96a4629bd3eccfc0a2303cfa20d1e4c154de07b7a41b8d3ea82252c2548823
+  - filename: confluent-hub-client-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-hub-client-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 0701c97adcaf9f3dd77714e75df349298160c183a200343b802ccc6075687c32
-  - filename: confluent-hub-client-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-hub-client-7.2.1-1.noarch.rpm
+      value: 33b08e8d3b4730d9dd8597e5659e33c85b547a7701325bc4c415b91d24aa6f20
+  - filename: confluent-control-center-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-control-center-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 0d2489cb248bcd483f9c808ed152641a06f35da74a317e082a76fc839f6f8a92
-  - filename: confluent-control-center-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-control-center-7.2.1-1.noarch.rpm
+      value: 181006b4ec8025e9d6f8a7270e048e476e2feb59bb11ef8f18089ea7243dddb1
+  - filename: confluent-control-center-fe-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-control-center-fe-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: b1962ac73d3a538004f32e816765abe99b21e73f03805c5e4246fd43228b2aa5
-  - filename: confluent-control-center-fe-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-control-center-fe-7.2.1-1.noarch.rpm
+      value: 48e2eda7aa887ba39b435ec3b2afaa0759e32d858974f9a3985fc8aca20478b3
+  - filename: confluent-schema-registry-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-schema-registry-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 595984382d5ab9c2a4ed44fce9a5fcad2768fcf4d4f787d60799d831fa6e9b81
-  - filename: confluent-schema-registry-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-schema-registry-7.2.1-1.noarch.rpm
+      value: c652963a0cac13a28308d68c632a810d85f2ce71d6606b64b958b2c003aa9eb1
+  - filename: confluent-kafka-connect-replicator-7.2.2-1.noarch.rpm
+    url: https://packages.confluent.io/rpm/7.2/confluent-kafka-connect-replicator-7.2.2-1.noarch.rpm
    validation:
      type: sha256
-      value: 4268ccfcb251e8e136276c38f2b44cb6782e1125c241d1df756a3493a1815816
-  - filename: confluent-kafka-connect-replicator-7.2.1-1.noarch.rpm
-    url: https://packages.confluent.io/rpm/7.2/confluent-kafka-connect-replicator-7.2.1-1.noarch.rpm
-    validation:
-      type: sha256
-      value: 290c4d3a827dc96cbf90d4fd4382609a5bb1862aa1055cdec425890e9ade6dd6
+      value: 2bb052377dfcf6d7ab2fb738379fe88d9f85f9c46e05d3de2c89378683963e7c
 # List of project maintainers
 maintainers:
  - name: "Scott Stroud"