(scorecard): Add new images for default untar and storage options (operator-framework#6335)

* add images for scorecard untar and storage

Signed-off-by: Bryce Palmer <[email protected]>

* Add new images for scorecard

and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>

* update images & docs;add changelog

Signed-off-by: Bryce Palmer <[email protected]>

* add missing newline

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>

Author: everettraven

.github/workflows/deploy-manual.yml

@@ -17,6 +17,13 @@ jobs:
     environment: deploy
     steps:
 
+    # https://github.com/orgs/community/discussions/47863
+    - name: update packages
+      run: |
+        # sudo apt-mark hold grub-efi-amd64-signed
+        sudo apt-get update --fix-missing
+        sudo apt upgrade -y
+
     - name: set up qemu
       uses: docker/setup-qemu-action@v2
 
@@ -48,7 +55,7 @@ jobs:
         fi
         echo "tag=${IMG}:${TAG}" >> $GITHUB_OUTPUT
         echo "git_commit=${GIT_COMMIT}" >> $GITHUB_OUTPUT
-    
+
     - name: create 2.11-base tag
       id: base_tag_211
       run: |
@@ -67,65 +74,65 @@ jobs:
       with:
         file: ./images/ansible-operator/base.Dockerfile
         context: ./images/ansible-operator
-        platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
+        platforms: linux/s390x
         push: true
         tags: ${{ steps.base_tag_29.outputs.tag }}
         build-args: |
           GIT_COMMIT=${{ steps.base_tag_29.outputs.git_commit }}
 
-    - name: build and push ansible 2.11 dep image
-      uses: docker/build-push-action@v3
-      with:
-        file: ./images/ansible-operator-2.11-preview/base.Dockerfile
-        context: ./images/ansible-operator-2.11-preview
-        platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
-        push: true
-        tags: ${{ steps.base_tag_211.outputs.tag }}
-        build-args: |
-          GIT_COMMIT=${{ steps.base_tag_211.outputs.git_commit }}
+    # - name: build and push ansible 2.11 dep image
+    #   uses: docker/build-push-action@v3
+    #   with:
+    #     file: ./images/ansible-operator-2.11-preview/base.Dockerfile
+    #     context: ./images/ansible-operator-2.11-preview
+    #     platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
+    #     push: true
+    #     tags: ${{ steps.base_tag_211.outputs.tag }}
+    #     build-args: |
+    #       GIT_COMMIT=${{ steps.base_tag_211.outputs.git_commit }}
 
-    # This change will be staged and committed in the PR pushed below.
-    # The script below will fail if no change was made.
-    - name: update base of ansible-operator 2.9
-      id: update_29
-      run: |
-        set -ex
-        sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-base:.+|FROM ${{ steps.base_tag_29.outputs.tag }}|g' images/ansible-operator/Dockerfile
-        git diff --exit-code --quiet && echo "Failed to update images/ansible-operator/Dockerfile" && exit 1
-        REF="${{ github.event.ref }}"
-        echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
-
-    - name: create PR for ansible-operator 2.9 Dockerfile
-      uses: peter-evans/create-pull-request@v3
-      with:
-        title: "[${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}"
-        commit-message: |
-          [${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}
-
-          Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-        body: "New ansible-operator-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-        delete-branch: true
-        branch-suffix: short-commit-hash
-
-    # This change will be staged and committed in the PR pushed below.
-    # The script below will fail if no change was made.
-    - name: update base of ansible-operator-2.11-preview
-      id: update_211
-      run: |
-        set -ex
-        sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-2.11-preview-base:.+|FROM ${{ steps.base_tag_211.outputs.tag }}|g' images/ansible-operator-2.11-preview/Dockerfile
-        git diff --exit-code --quiet && echo "Failed to update images/ansible-operator-11-preview-base/Dockerfile" && exit 1
-        REF="${{ github.event.ref }}"
-        echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
-
-    - name: create PR for ansible-operator-2.11-preview Dockerfile
-      uses: peter-evans/create-pull-request@v3
-      with:
-        title: "[${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}"
-        commit-message: |
-          [${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}
-
-          Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-        body: "New ansible-operator-2.11-preview-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-        delete-branch: true
-        branch-suffix: short-commit-hash
+    # # This change will be staged and committed in the PR pushed below.
+    # # The script below will fail if no change was made.
+    # - name: update base of ansible-operator 2.9
+    #   id: update_29
+    #   run: |
+    #     set -ex
+    #     sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-base:.+|FROM ${{ steps.base_tag_29.outputs.tag }}|g' images/ansible-operator/Dockerfile
+    #     git diff --exit-code --quiet && echo "Failed to update images/ansible-operator/Dockerfile" && exit 1
+    #     REF="${{ github.event.ref }}"
+    #     echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
+
+    # - name: create PR for ansible-operator 2.9 Dockerfile
+    #   uses: peter-evans/create-pull-request@v3
+    #   with:
+    #     title: "[${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}"
+    #     commit-message: |
+    #       [${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}
+
+    #       Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+    #     body: "New ansible-operator-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+    #     delete-branch: true
+    #     branch-suffix: short-commit-hash
+
+    # # This change will be staged and committed in the PR pushed below.
+    # # The script below will fail if no change was made.
+    # - name: update base of ansible-operator-2.11-preview
+    #   id: update_211
+    #   run: |
+    #     set -ex
+    #     sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-2.11-preview-base:.+|FROM ${{ steps.base_tag_211.outputs.tag }}|g' images/ansible-operator-2.11-preview/Dockerfile
+    #     git diff --exit-code --quiet && echo "Failed to update images/ansible-operator-11-preview-base/Dockerfile" && exit 1
+    #     REF="${{ github.event.ref }}"
+    #     echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
+
+    # - name: create PR for ansible-operator-2.11-preview Dockerfile
+    #   uses: peter-evans/create-pull-request@v3
+    #   with:
+    #     title: "[${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}"
+    #     commit-message: |
+    #       [${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}
+
+    #       Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+    #     body: "New ansible-operator-2.11-preview-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+    #     delete-branch: true
+    #     branch-suffix: short-commit-hash

.github/workflows/deploy.yml

@@ -72,7 +72,7 @@ jobs:
     environment: deploy
     strategy:
       matrix:
-        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview"]
+        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview", "scorecard-storage", "scorecard-untar"]
     steps:
 
     - name: set up qemu

Makefile

@@ -92,7 +92,7 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl scorecard-untar scorecard-storage
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 
 # Convenience wrapper for building dependency base images.

changelog/fragments/03-scorecard-image-psa.yaml

@@ -0,0 +1,18 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      (scorecard): update default storage and untar images to images
+      that run as non-root users by default. This ensures full compliance
+      with restricted PSA guidelines when using `--pod-security=restricted`.
+
+    # kind is one of:
+    # - addition
+    # - change
+    # - deprecation
+    # - removal
+    # - bugfix
+    kind: "bugfix"
+
+    # Is this a breaking change?
+    breaking: false

images/ansible-operator/base.Dockerfile

@@ -10,7 +10,7 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 RUN rustc --version
 
 # Copy python dependencies (including ansible) to be installed using Pipenv
-COPY Pipfile* ./
+COPY requirements.txt ./
 # Instruct pip(env) not to keep a cache of installed packages,
 # to install into the global site-packages and
 # to clear the pipenv cache as well
@@ -22,14 +22,9 @@ ENV PIP_NO_CACHE_DIR=1 \
 # pip3~=21.1 fixes a vulnerability described in https://github.com/pypa/pip/pull/9827.
 RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
   && yum update -y \
-  && yum install -y libffi-devel openssl-devel python38-devel gcc python38-pip python38-setuptools \
-  && pip3 install --upgrade pip~=23.0.1 \
-  && pip3 install pipenv==2023.2.18 \
-  && pipenv install --deploy \
-  && pipenv check  -i 42926 -i 42923 -i 45114 \
-  && yum remove -y gcc libffi-devel openssl-devel python38-devel \
-  && yum clean all \
-  && rm -rf /var/cache/yum
+  && yum install -y libffi-devel openssl-devel python38-devel gcc python38-pip \
+  && pip3 install --upgrade --force-reinstall pip setuptools \
+  && pip3 install -r requirements.txt
 
 FROM registry.access.redhat.com/ubi8/ubi:8.7
 ARG TARGETARCH
@@ -46,9 +41,8 @@ RUN mkdir -p /etc/ansible \
 
 RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
   && yum update -y \
-  && yum install -y python38-pip python38-setuptools \
-  && pip3 install --upgrade pip~=23.0.1 \
-  && pip3 install pipenv==2023.2.18 \
+  && yum install -y python38-pip \
+  && pip3 install --upgrade --force-reinstall pip setuptools \
   && yum clean all \
   && rm -rf /var/cache/yum
 

images/ansible-operator/requirements.txt

@@ -0,0 +1 @@
+cryptography

images/scorecard-storage/Dockerfile

@@ -0,0 +1,12 @@
+FROM docker.io/busybox:1.36
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}

images/scorecard-untar/Dockerfile

@@ -0,0 +1,12 @@
+FROM registry.access.redhat.com/ubi8:8.7
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}

internal/cmd/operator-sdk/scorecard/cmd.go

@@ -91,10 +91,10 @@ If the argument holds an image tag, it must be present remotely.`,
 	scorecardCmd.Flags().DurationVarP(&c.waitTime, "wait-time", "w", 30*time.Second,
 		"seconds to wait for tests to complete. Example: 35s")
 	scorecardCmd.Flags().StringVarP(&c.storageImage, "storage-image", "b",
-		"docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af",
+		"quay.io/operator-framework/scorecard-storage:latest",
 		"Storage image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
-		"registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7",
+		"quay.io/operator-framework/scorecard-untar:latest",
 		"Untar image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output",
 		"Test output directory.")

internal/cmd/operator-sdk/scorecard/cmd_test.go

@@ -69,12 +69,12 @@ var _ = Describe("Running the scorecard command", func() {
 			flag = cmd.Flags().Lookup("storage-image")
 			Expect(flag).NotTo(BeNil())
 			Expect(flag.Shorthand).To(Equal("b"))
-			Expect(flag.DefValue).To(Equal("docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af"))
+			Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-storage:latest"))
 
 			flag = cmd.Flags().Lookup("untar-image")
 			Expect(flag).NotTo(BeNil())
 			Expect(flag.Shorthand).To(Equal("u"))
-			Expect(flag.DefValue).To(Equal("registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7"))
+			Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-untar:latest"))
 		})
 	})