feat: refactor tools dockerfile

.dockerignore

@@ -6,4 +6,3 @@
 /adr
 /docs
 /env
-/tools

package.json

@@ -150,7 +150,7 @@
     "tasks:copy-certs": "binzx/otomi task -n copyCerts",
     "test": "run-s test:ts lint validate-values validate-templates check-policies",
     "test:opa": "NODE_ENV=test binzx/otomi x opa test policies -v",
-    "test:ts": "NODE_ENV=test jest --detectOpenHandles",
+    "test:ts": "NODE_ENV=test jest",
     "test:ts-cov": "jest --coverage",
     "validate-templates": "NODE_ENV=test binzx/otomi validate-templates",
     "validate-templates:all": "set -e; i=25; while [ $i -le 28 ]; do NODE_ENV=test binzx/otomi validate-templates -k 1.$i; i=$(($i+1)); done",

tools/Dockerfile

@@ -1,78 +1,40 @@
 # syntax=docker/dockerfile:1.6
-# The above is needed for the "--checksum" argument to work in the ADD instruction
-FROM ubuntu:20.04
+FROM ubuntu:20.04 as builder
 
 ARG DEBIAN_FRONTEND=noninteractive
-
-ARG TARGETPLATFORM
 ARG TARGETARCH
-ARG BUILDPLATFORM
-
-RUN apt-get update && apt-get install -y curl
-
-ARG ARCH=${TARGETARCH}
-
-# https://github.com/kubernetes/kubernetes/releases
-ARG KUBECTL_VERSION=1.26.9
-# https://github.com/helm/helm/tags
-ARG HELM_VERSION=3.12.3
-# https://github.com/databus23/helm-diff/releases
-ARG HELM_DIFF_VERSION=3.8.0
-# https://github.com/jkroepke/helm-secrets/releases
-ARG HELM_SECRETS_VERSION=3.15.0
-# https://github.com/mozilla/sops/releases
-ARG SOPS_VERSION=3.7.3
-# https://github.com/noqcks/gucci/releases
-ARG GUCCI_VERSION=1.6.6
-# https://github.com/helmfile/helmfile/releases
-ARG HELMFILE_VERSION=0.156.0
-# https://github.com/open-policy-agent/opa/releases
-ARG OPA_VERSION=0.50.1
-# https://github.com/yannh/kubeconform/releases
-ARG KUBECONFORM_VERSION="v0.6.4"
-# https://github.com/open-policy-agent/conftest/releases
-ARG CONFTEST_VERSION=0.39.2
-# https://github.com/plexsystems/konstraint/releases
-ARG KONSTRAINT_VERSION=0.26.0
 # https://nodejs.org/en/download/
 ARG NODE_VERSION=16
 
-ARG HELM_FILE_NAME=helm-v${HELM_VERSION}-linux-${TARGETARCH}.tar.gz
-
 WORKDIR /
 
-RUN apt-get update -qq \
-  && apt install --reinstall coreutils \
-  && apt install -qqy --no-install-recommends \
-  apache2-utils \
-  apt-transport-https \
-  awscli \
-  ca-certificates \
-  curl \
-  gettext \
-  git \
-  gnupg \
-  gnupg2 \
-  groff \
-  locales \
-  nano \
-  netcat \
-  openssh-server \
-  python3 \
-  python3-pip \
-  python3-setuptools \
-  rlwrap \
-  vim \
-  nano \
-  groff \
-  rsync \
-  && rm -rf /var/lib/apt/lists/*
-
-# set locale
-RUN locale-gen en_US.UTF-8
+# Install all required packages in one layer
+RUN apt-get update && apt-get install -y \
+    curl \
+    coreutils \
+    apache2-utils \
+    apt-transport-https \
+    awscli \
+    ca-certificates \
+    gettext \
+    git \
+    gnupg \
+    gnupg2 \
+    groff \
+    locales \
+    nano \
+    netcat \
+    openssh-server \
+    python3 \
+    python3-pip \
+    python3-setuptools \
+    rlwrap \
+    vim \
+    rsync && \
+    rm -rf /var/lib/apt/lists/* && \
+    locale-gen en_US.UTF-8
 
 # jq
-#TODO check this one
 RUN jq_download_url="https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${TARGETARCH}" && \
     if [ "${TARGETARCH}" = "amd64" ]; then \
         jq_expected_checksum="5942c9b0934e510ee61eb3e30273f1b3fe2590df93933a93d7c58b81d19c8ff5"; \
@@ -97,57 +59,7 @@ RUN mkdir $APP_HOME
 WORKDIR $APP_HOME
 ENV PATH $PATH:$APP_HOME
 
-# kubectl
-RUN curl -LO "https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/$TARGETARCH/kubectl" && \
-    curl -LO "https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/$TARGETARCH/kubectl.sha256" && \
-    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
-    chmod +x kubectl
-
-# sops
-ADD https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux sops
-RUN chmod +x sops
-
-# helm
-ADD https://get.helm.sh/${HELM_FILE_NAME} /tmp
-RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp && mv /tmp/linux-${TARGETARCH}/helm helm && rm -rf /tmp/*
-RUN helm plugin install https://github.com/databus23/helm-diff --version ${HELM_DIFF_VERSION}
-RUN echo "exec \$*" > /usr/bin/sudo && chmod +x /usr/bin/sudo
-RUN helm plugin install https://github.com/jkroepke/helm-secrets --version ${HELM_SECRETS_VERSION}
-
-# helmfile
-ADD https://github.com/helmfile/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_${HELMFILE_VERSION}_linux_${TARGETARCH}.tar.gz /tmp
-RUN tar -zxvf /tmp/helmfile_${HELMFILE_VERSION}_linux_${TARGETARCH}.tar.gz -C /tmp && mv /tmp/helmfile helmfile
-
-# gucci
-ADD https://github.com/noqcks/gucci/releases/download/${GUCCI_VERSION}/gucci-v${GUCCI_VERSION}-linux-${TARGETARCH} gucci
-RUN chmod +x gucci
-
-# aws
-RUN pip3 install --upgrade --no-cache-dir awscli
-
-# aws-iam-authenticator
-ADD https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.2/2021-07-05/bin/linux/${TARGETARCH}/aws-iam-authenticator aws-iam-authenticator
-RUN chmod +x aws-iam-authenticator
-
-# opa
-#ADD https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION}/opa_linux_${TARGETARCH} opa
-#RUN chmod +x opa
-
-# kubeconform
-ADD https://github.com/yannh/kubeconform/releases/download/v0.6.4/kubeconform-linux-${TARGETARCH}.tar.gz /tmp
-RUN tar -zxvf /tmp/kubeconform-linux-${TARGETARCH}.tar.gz -C /tmp && mv /tmp/kubeconform kubeconform
-
-# conftest
-#TODO check this one
-#ADD https://github.com/open-policy-agent/conftest/releases/download/v$CONFTEST_VERSION/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz /tmp
-#RUN tar -zxvf /tmp/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz -C /tmp && mv /tmp/conftest conftest
-
-# konstraint
-#ADD https://github.com/plexsystems/konstraint/releases/download/v${KONSTRAINT_VERSION}/konstraint-linux-${TARGETARCH} /tmp
-#RUN mv /tmp/konstraint-linux-${TARGETARCH} konstraint && chmod +x konstraint
-
-# node
-# https://github.com/nodesource/distributions
+# Node.js installation
 RUN set -uex && \
   mkdir -p /etc/apt/keyrings && \
   curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
@@ -157,7 +69,26 @@ RUN set -uex && \
   apt-get install nodejs -y && \
   npm install -g ajv-cli@v3.3.0 json-dereference-cli@0.1.2 zx
 
+# Copy binaries and scripts
+COPY tools/download-binaries.sh .
+RUN chmod +x tools/download-binaries.sh && ./tools/download-binaries.sh $TARGETARCH
+
+FROM ubuntu:20.04 as final
+
+RUN mkdir -p /home/app
+RUN groupadd -r app &&\
+  useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app
+ENV HOME=/home/app
+ENV APP_HOME=/home/app/tools
+RUN mkdir $APP_HOME
+WORKDIR $APP_HOME
+ENV PATH $PATH:$APP_HOME
+
+COPY --from=builder /usr/bin /usr/bin
+COPY --from=builder /home/app/tools /home/app/tools
+
 RUN chown -R app:app /home/app
 USER app
 
-CMD "/bin/bash"
+
+CMD ["/bin/bash"]

tools/Dockerfile-2

@@ -0,0 +1,150 @@
+# syntax=docker/dockerfile:1.6
+# The above is needed for the "--checksum" argument to work in the ADD instruction
+FROM ubuntu:20.04
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+ARG TARGETPLATFORM
+ARG TARGETARCH
+ARG BUILDPLATFORM
+
+RUN apt-get update && apt-get install -y curl
+
+ARG ARCH=${TARGETARCH}
+
+# https://github.com/kubernetes/kubernetes/releases
+ARG KUBECTL_VERSION=1.26.9
+# https://github.com/helm/helm/tags
+ARG HELM_VERSION=3.12.3
+# https://github.com/databus23/helm-diff/releases
+ARG HELM_DIFF_VERSION=3.8.0
+# https://github.com/jkroepke/helm-secrets/releases
+ARG HELM_SECRETS_VERSION=3.15.0
+# https://github.com/mozilla/sops/releases
+ARG SOPS_VERSION=3.7.3
+# https://github.com/noqcks/gucci/releases
+ARG GUCCI_VERSION=1.6.6
+# https://github.com/helmfile/helmfile/releases
+ARG HELMFILE_VERSION=0.156.0
+# https://github.com/open-policy-agent/opa/releases
+ARG OPA_VERSION=0.50.1
+# https://github.com/yannh/kubeconform/releases
+ARG KUBECONFORM_VERSION="v0.6.4"
+# https://github.com/open-policy-agent/conftest/releases
+ARG CONFTEST_VERSION=0.39.2
+# https://github.com/plexsystems/konstraint/releases
+ARG KONSTRAINT_VERSION=0.26.0
+# https://nodejs.org/en/download/
+ARG NODE_VERSION=16
+
+ARG HELM_FILE_NAME=helm-v${HELM_VERSION}-linux-${TARGETARCH}.tar.gz
+
+WORKDIR /
+
+RUN apt-get update -qq \
+  && apt install --reinstall coreutils \
+  && apt install -qqy --no-install-recommends \
+  apache2-utils \
+  apt-transport-https \
+  awscli \
+  ca-certificates \
+  curl \
+  gettext \
+  git \
+  gnupg \
+  gnupg2 \
+  groff \
+  locales \
+  nano \
+  netcat \
+  openssh-server \
+  python3 \
+  python3-pip \
+  python3-setuptools \
+  rlwrap \
+  vim \
+  nano \
+  groff \
+  rsync \
+  && rm -rf /var/lib/apt/lists/*
+
+# set locale
+RUN locale-gen en_US.UTF-8
+
+# jq
+#TODO check this one
+RUN jq_download_url="https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${TARGETARCH}" && \
+    if [ "${TARGETARCH}" = "amd64" ]; then \
+        jq_expected_checksum="5942c9b0934e510ee61eb3e30273f1b3fe2590df93933a93d7c58b81d19c8ff5"; \
+    elif [ "${TARGETARCH}" = "arm64" ]; then \
+        jq_expected_checksum="4dd2d8a0661df0b22f1bb9a1f9830f06b6f3b8f7d91211a1ef5d7c4f06a8b4a5"; \
+    else \
+        echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1; \
+    fi && \
+    curl -L "${jq_download_url}" --output /usr/bin/jq && \
+    echo "${jq_expected_checksum}  /usr/bin/jq" | sha256sum -c - && \
+    chmod +x /usr/bin/jq
+
+# yq
+COPY --from=mikefarah/yq:4 /usr/bin/yq /usr/bin/yq
+
+RUN mkdir -p /home/app
+RUN groupadd -r app &&\
+  useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app
+ENV HOME=/home/app
+ENV APP_HOME=/home/app/tools
+RUN mkdir $APP_HOME
+WORKDIR $APP_HOME
+ENV PATH $PATH:$APP_HOME
+
+# kubectl
+RUN curl -LO "https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/$TARGETARCH/kubectl" && \
+    curl -LO "https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/$TARGETARCH/kubectl.sha256" && \
+    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
+    chmod +x kubectl
+
+# sops
+ADD https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux sops
+RUN chmod +x sops
+
+# helm
+ADD https://get.helm.sh/${HELM_FILE_NAME} /tmp
+RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp && mv /tmp/linux-${TARGETARCH}/helm helm && rm -rf /tmp/*
+RUN helm plugin install https://github.com/databus23/helm-diff --version ${HELM_DIFF_VERSION}
+RUN echo "exec \$*" > /usr/bin/sudo && chmod +x /usr/bin/sudo
+RUN helm plugin install https://github.com/jkroepke/helm-secrets --version ${HELM_SECRETS_VERSION}
+
+# helmfile
+ADD https://github.com/helmfile/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_${HELMFILE_VERSION}_linux_${TARGETARCH}.tar.gz /tmp
+RUN tar -zxvf /tmp/helmfile_${HELMFILE_VERSION}_linux_${TARGETARCH}.tar.gz -C /tmp && mv /tmp/helmfile helmfile
+
+# gucci
+ADD https://github.com/noqcks/gucci/releases/download/${GUCCI_VERSION}/gucci-v${GUCCI_VERSION}-linux-${TARGETARCH} gucci
+RUN chmod +x gucci
+
+# aws
+RUN pip3 install --upgrade --no-cache-dir awscli
+
+# aws-iam-authenticator
+ADD https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.2/2021-07-05/bin/linux/${TARGETARCH}/aws-iam-authenticator aws-iam-authenticator
+RUN chmod +x aws-iam-authenticator
+
+# kubeconform
+ADD https://github.com/yannh/kubeconform/releases/download/v0.6.4/kubeconform-linux-${TARGETARCH}.tar.gz /tmp
+RUN tar -zxvf /tmp/kubeconform-linux-${TARGETARCH}.tar.gz -C /tmp && mv /tmp/kubeconform kubeconform
+
+# node
+# https://github.com/nodesource/distributions
+RUN set -uex && \
+  mkdir -p /etc/apt/keyrings && \
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+  NODE_MAJOR=${NODE_VERSION} && \
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" > /etc/apt/sources.list.d/nodesource.list && \
+  apt-get update && \
+  apt-get install nodejs -y && \
+  npm install -g ajv-cli@v3.3.0 json-dereference-cli@0.1.2 zx
+
+RUN chown -R app:app /home/app
+USER app
+
+CMD "/bin/bash"