redo of keycloak: copied binaries from jboss/keycloak as a builder image

6.0.1/Dockerfile

-FROM registry.access.redhat.com/ubi8-minimal
-
-ENV KEYCLOAK_VERSION 7.0.1
-ENV JDBC_POSTGRES_VERSION 42.2.5
-ENV JDBC_MYSQL_VERSION 5.1.46
-ENV JDBC_MARIADB_VERSION 2.2.3
-ENV JDBC_MSSQL_VERSION 7.4.1.jre8
-
-ENV LAUNCH_JBOSS_IN_BACKGROUND 1
-ENV PROXY_ADDRESS_FORWARDING false
-ENV JBOSS_HOME /opt/jboss/keycloak
-ENV LANG en_US.UTF-8
+ARG BASE_REGISTRY=registry.access.redhat.com
+ARG BASE_IMAGE=ubi7/ubi
+ARG BASE_TAG=7.7
+
+FROM nexus-docker.52.61.140.4.nip.io/builder-opensource/keycloak:6.0.1 as builder
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ENV KEYCLOAK_VERSION=6.0.1 \
+    JDBC_POSTGRES_VERSION=42.2.5 \
+    JDBC_MYSQL_VERSION=5.1.46 \
+    JDBC_MARIADB_VERSION=2.2.3 \
+    LAUNCH_JBOSS_IN_BACKGROUND=1 \
+    PROXY_ADDRESS_FORWARDING=false \
+    JBOSS_HOME=/opt/jboss/keycloak \
+    LANG=en_US.UTF-8 \
+    KEYCLOAK_USER_NAME=jboss \
+    KEYCLOAK_USER_ID=1001 \
+    KEYCLOAK_HOME=/opt/jboss
 
 ARG GIT_REPO
 ARG GIT_BRANCH
 ARG KEYCLOAK_DIST=https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz
 
-USER root
+# Copy binaries
+COPY --from=builder /opt/jboss /opt/jboss
+
+#ADD tools /opt/jboss/tools
+#RUN /opt/jboss/tools/build-keycloak.sh
 
-RUN microdnf update -y && microdnf install -y gzip hostname java-11-openjdk-headless openssl tar which && microdnf clean all
+# Create the user, fix file system ownership
+RUN useradd -M -s /usr/sbin/nologin --uid ${KEYCLOAK_USER_ID} --user-group ${KEYCLOAK_USER_NAME} && \
+    chown -R ${KEYCLOAK_USER_NAME}:${KEYCLOAK_USER_NAME} ${KEYCLOAK_HOME} && \
+    chmod -R o-w /opt/jboss/keycloak
 
-ADD tools /opt/jboss/tools
-RUN /opt/jboss/tools/build-keycloak.sh
+# Install dependencies
+RUN yum install -y --disableplugin=subsciption-manager --nogpgcheck java-1.8.0-openjdk && \
+    yum clean all
 
-USER 1000
+USER ${KEYCLOAK_USER_ID}
 
 EXPOSE 8080
 EXPOSE 8443
 
 ENTRYPOINT [ "/opt/jboss/tools/docker-entrypoint.sh" ]
 
-CMD ["-b", "0.0.0.0"]
\ No newline at end of file
+CMD ["-b", "0.0.0.0"]

6.0.1/Dockerfile-deprecated

-FROM nexus-docker.52.61.140.4.nip.io/dsop/keycloak:latest
-
-MAINTAINER maintainer@dsop.io

6.0.1/Jenkinsfile

-@Library('DSOP@devel')_
-
-pipeline {
-  agent { label 'master' }
-
-  environment {
-    NEXUS_SERVER = credentials('NexusServerAddress')
-    OSCAP_NODE = credentials('OpenSCAPNode')
-    DOCKER_TAG = "${PROJECT}-${VERSION}"
-    NEXUS_URL = "nexus-docker.52.61.140.4.nip.io"
-    REPO_NAME = "${NAMESPACE}/${DOCKER_TAG}"
-  } //environment
-
-    parameters {
-    choice(choices : ['All','OpenSCAP','Twistlock','Anchore'],
-          description: "Which tools to run?",
-          name: 'toolsToRun')
-
-    choice(choices : ['Test','Production'],
-          description: "Is this a test run or for actual production?",
-          name: 'testOrProduction')
-
-    string(defaultValue: "latest",
-            name: 'IMAGE_TAG',
-            description: "Image tag to be used by Docker, Nexus and all Scanning tools")
-    
-    string(defaultValue: "keycloak",
-            name: 'PROJECT',
-            description: "Project name to use under Vendor")
-
-    string(defaultValue: "v6.0.1",
-            name: 'VERSION',
-            description: "Image tag to be used by Docker, Nexus and all Scanning tools")
-  
-    string(defaultValue: "ubi7",
-            name: 'BASE',
-            description: "Base image upon which to build container")
-    
-    string(defaultValue: "keycloak",
-            name: 'BRANCH',
-            description: "DCCSCR branch to clone and build")
-            
-    string(defaultValue: "dsop",
-           name: 'NAMESPACE',
-           description: "Which nexus namespace to push to")
-
-    choice(name: 'VENDOR_PRODUCT',
-           choices: ['opensource', 'cyberfactory', 'dsop',
-                     'gitlab', 'anchore', 'redhat',
-                     'twistlock'],
-           description: 'What vendor is being scanned')
-  } // parameters
-
-  stages {
-    stage('Build') {
-      steps {
-        script {
-          log.info('Building Container from Source')
-	      try {
-	  	    buildPlugin vendor: "${VENDOR_PRODUCT}", project: "${PROJECT}", version: "${VERSION}", branch: "${BRANCH}"
-	      } catch (Exception e) {
-	      	  log.error("${e}")
-          } // try/catch
-        } // script
-      } // steps
-    } // stage
-
-    stage('Functional Test - ToDo') {
-      steps {
-        script {
-          log.info('ToDo')
-        } // script
-      } // steps
-    } // stage
-
-
-    stage('Push to Registry') { 
-      steps {
-        script {
-	  log.info('Pushing container to registry')
-	    try {
-                pushPlugin()
-	    } catch (Exception e) {
-	        log.error("${e}")
-	  } // try/catch
-        } // script
-      } // steps
-    } // stage
-
-    stage('Call Image Scanning Pipeline') {
-      steps {
-        script {
-          log.info('Calling scanning pipeline')
-          scanningIntegrationPlugin()
-        }
-      } // steps
-    } // stage
-  } //stages
-} //pipeline

6.0.1/scripts/prebuild.sh

+#!/bin/bash
+
+VERSION=6.0.1
+IMAGE_NAME=opensource/keycloak
+IMAGE_DIGEST=sha256:3a6718ca4ee02c3a9e9f4a4982d40f04f3bbc2f4ee9b936459519ea125ab87a9
+IMAGE_ID=3a6718ca4ee02c3a9e9f4a4982d40f04f3bbc2f4ee9b936459519ea125ab87a9
+NEXUS_REGISTRY=nexus-docker.52.61.140.4.nip.io
+NEXUS_TAG=${NEXUS_REGISTRY}/builder-${IMAGE_NAME}:${VERSION}
+
+set -e
+
+# pull builder image; no GPG/sha checks are necessary because an explicit content hash (i.e. image digest) is used
+sudo podman pull docker.bintray.io/${IMAGE_NAME}@${IMAGE_DIGEST}
+
+# re-tag image for Nexus Registry
+sudo podman tag ${IMAGE_ID} ${NEXUS_TAG}
+
+# push newly tagged image
+sudo podman push ${NEXUS_TAG}
+
+# clean up, including all tags for image
+sudo podman rmi --force ${IMAGE_ID}
+
+# Image digest and ID can be retrieved by doing a `podman inspect` once you have pulled the Docker image by its tag on your local machine