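# Final-stage base image, assembled from three build arguments. Each default
# can be overridden with --build-arg, so the image that actually ships depends
# on how the build is invoked; CI should pass or assert the expected values.
ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9-minimal
ARG BASE_TAG=9.5

# Donor stages: nothing is built here, they only supply prebuilt binaries to
# the COPY --from instructions in the final stage. Those binaries are trusted
# as-is. Both references are pinned by tag only, and tags are mutable; append
# @sha256:<digest> (placeholder: use the digest you have verified) to make
# the inputs immutable.
FROM quay.io/argoproj/argocd:v2.14.10 AS argocd

# No registry host is given, so Docker resolves this name against Docker Hub;
# builders with configurable short-name resolution may resolve it differently.
FROM amazon/aws-cli:2.26.2 AS awscli

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}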

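# HOME and USER persist into the running container. HOME is also visible to
# the root-run build steps that follow, and is reused by WORKDIR.
ENV HOME=/home/argocd \
    USER=argocd

# Prebuilt tools taken from the donor stages. Everything is copied as
# root:root; the container later runs as UID 1000, so the runtime user cannot
# replace these files as long as their modes are not group- or world-writable
# (modes are inherited from the source images and are not checked here).
COPY --from=argocd --chown=root:root /usr/local/bin/argocd /usr/local/bin/
COPY --from=argocd --chown=root:root /usr/local/bin/helm* /usr/local/bin/
COPY --from=argocd --chown=root:root /usr/local/bin/kustomize /usr/local/bin/kustomize
COPY --from=argocd --chown=root:root /usr/bin/tini /usr/bin/tini
COPY --from=awscli --chown=root:root /usr/local/aws-cli /usr/local/aws-cli

# The glob puts every file found in the build context's scripts/ directory on
# PATH, so keep that directory limited to files meant to ship. Ownership is
# spelled out to match the COPY lines above (root:root is also the default).
COPY --chown=root:root scripts/* /usr/local/bin/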

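# Single root-run setup layer: create the runtime account, install OS
# packages, lay out /app/config, create the argocd-* command aliases, tighten
# PAM/SSH defaults, then clean up. The recursive chmod on the home directory
# that used to be a separate RUN is folded in as the final step, so it still
# runs last and the home tree is not duplicated into an extra layer.
RUN groupadd -g 1000 argocd && \
    useradd -r -u 1000 -m -s /sbin/nologin -g argocd argocd && \
    chown argocd:argocd "${HOME}" && \
    # NOTE(review): the chmod -R 750 at the end of this RUN resets the group
    # bits, so g=u does not survive into the image, and the directory is
    # group-owned by argocd (GID 1000), not GID 0. If running under an
    # arbitrary UID is intended, confirm the final modes are what you want.
    chmod g=u "${HOME}" && \
    # Pulls whatever updates are current at build time, so two builds of the
    # same Dockerfile can differ; the base tag only fixes the starting point.
    microdnf upgrade -y && \
    microdnf install --nodocs -y \
        git \
        git-lfs \
        nss_wrapper && \
    # Paths are listed explicitly instead of using {source,keys}: brace
    # expansion is a bash feature and RUN uses /bin/sh.
    mkdir -p \
        /app/config/ssh \
        /app/config/tls \
        /app/config/gpg/source \
        /app/config/gpg/keys && \
    # The GPG keys directory is restricted to the runtime user (0700).
    chown argocd:0 /app/config/gpg/keys && \
    chmod 0700 /app/config/gpg/keys && \
    chmod 0755 /usr/local/bin/*.sh && \
    touch /app/config/ssh/ssh_known_hosts && \
    ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts && \
    ln -s /usr/local/aws-cli/v2/current/bin/aws /usr/local/bin/aws && \
    ln -s /usr/local/aws-cli/v2/current/bin/aws_completer /usr/local/bin/aws_completer && \
    # One argocd binary, exposed under each component name via symlinks.
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-cmp-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-notifications && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller && \
    ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh && \
    # Clear the setuid/setgid bits on ssh-keysign.
    chmod -s /usr/libexec/openssh/ssh-keysign && \
    # PAM hardening: remove every "nullok" token and append rounds=5000 to the
    # "password sufficient pam_unix.so" line. Plain `sed -i` is used because
    # GNU sed reads `-iE` as "edit in place, keep a backup with suffix E",
    # which left system-authE / password-authE copies in /etc/pam.d and never
    # enabled extended regexes. `|| exit 1` aborts the build if either file
    # fails, instead of only the last loop iteration deciding the result.
    for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do \
        sed -i \
            -e 's/nullok//g' \
            -e '/password\s\+sufficient\s\+pam_unix.so/ s/$/ rounds=5000/' \
            "${pam_file}" || exit 1; \
    done && \
    microdnf remove -y vim-filesystem cmake-data cmake && \
    microdnf clean all && \
    # Files that arrived in an earlier layer (the aws-cli COPY, base-image
    # packages) are only hidden by deleting them here; they stay retrievable
    # from that layer. If the .rst examples are removed to satisfy a scanner,
    # verify the scanner inspects the final filesystem and not every layer.
    rm -rf \
        /var/cache/yum \
        /var/log/yum* \
        /usr/local/aws-cli/v2/2.*/dist/awscli/examples/apigateway/*.rst && \
    # Final modes for the home tree: owner rwx, group r-x, others nothing.
    chmod -R 750 "${HOME}"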

# Drop root for everything that follows and at runtime. UID 1000 is the argocd
# account created by the useradd step above; the numeric form lets an
# orchestrator check for non-root without resolving a user name.
USER 1000
WORKDIR ${HOME}

# Exec form, so no shell wraps the process. "entrypoint.sh" has no directory
# component and is therefore looked up through PATH.
# NOTE(review): presumably this is the script copied from scripts/ into
# /usr/local/bin; an absolute path would remove the PATH dependency. Confirm.
# NOTE(review): tini is copied into the image but not invoked here; presumably
# entrypoint.sh execs it. Confirm against the script.
ENTRYPOINT ["entrypoint.sh"]
# Default argument passed to the entrypoint; replaceable at `docker run`.
CMD ["argocd-server"]