CSPL-3434: Update dockerfile to work with al2023 base image (#1441)

rlieberman-splunk · web-flow · commit ae982a4c1adc · 2025-02-11T11:31:40.000-06:00
* update dockerfile to work with al2023 base image

* clean up
diff --git a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
@@ -104,60 +104,8 @@ jobs:
       env:
         COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
         COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-  vulnerability-scan:
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    runs-on: ubuntu-latest
-    needs: build-operator-image-arm-al2023
-    env:
-      SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
-      SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
-      ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
-      S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
-      IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}
-    steps:
-    - name: Set up cosign
-      uses: sigstore/cosign-installer@main
-    - uses: actions/checkout@v2
-    - name: Dotenv Action
-      id: dotenv
-      uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2.5.0
-    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v1
-      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
-
-    - name: Login to Amazon ECR
-      uses: aws-actions/amazon-ecr-login@v1
-    - name: Pull Splunk Operator Image Locally
-      run: |
-        docker pull ${{ env.IMAGE_NAME }}
-    - name: Verify Signed Splunk Operator image 
-      run: |
-        cosign verify --key env://COSIGN_PUBLIC_KEY  ${{ env.IMAGE_NAME }}
-      env:
-        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-    - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
-      with:
-        image-ref: '${{ env.IMAGE_NAME }}'
-        format: sarif
-        #exit-code: 1
-        severity: 'CRITICAL'
-        ignore-unfixed: true
-        output: 'trivy-results.sarif'
-    - name: Upload Trivy scan results to GitHub Security tab
-      uses: github/codeql-action/upload-sarif@v3
-      with:
-        sarif_file: 'trivy-results.sarif'
   smoke-tests-arm-al2023:
-    needs: vulnerability-scan
+    needs: build-operator-image-arm-al2023
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml
@@ -104,60 +104,8 @@ jobs:
       env:
         COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
         COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-  vulnerability-scan:
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    runs-on: ubuntu-latest
-    needs: build-operator-image-arm-ubuntu
-    env:
-      SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
-      SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
-      ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
-      S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
-      IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}
-    steps:
-    - name: Set up cosign
-      uses: sigstore/cosign-installer@main
-    - uses: actions/checkout@v2
-    - name: Dotenv Action
-      id: dotenv
-      uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2.5.0
-    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v1
-      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
-
-    - name: Login to Amazon ECR
-      uses: aws-actions/amazon-ecr-login@v1
-    - name: Pull Splunk Operator Image Locally
-      run: |
-        docker pull ${{ env.IMAGE_NAME }}
-    - name: Verify Signed Splunk Operator image 
-      run: |
-        cosign verify --key env://COSIGN_PUBLIC_KEY  ${{ env.IMAGE_NAME }}
-      env:
-        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-    - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
-      with:
-        image-ref: '${{ env.IMAGE_NAME }}'
-        format: sarif
-        #exit-code: 1
-        severity: 'CRITICAL'
-        ignore-unfixed: true
-        output: 'trivy-results.sarif'
-    - name: Upload Trivy scan results to GitHub Security tab
-      uses: github/codeql-action/upload-sarif@v3
-      with:
-        sarif_file: 'trivy-results.sarif'
   smoke-tests-arm-ubuntu:
-    needs: vulnerability-scan
+    needs: build-operator-image-arm-ubuntu
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml
@@ -1,5 +1,10 @@
 name: Build and Test
-on: push
+on:
+  pull_request: {}
+  push:
+    branches:
+    - main
+    - develop
 jobs:
   check-formating:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml
@@ -1,5 +1,10 @@
 name: Build and Test Distroless
-on: push
+on:
+  pull_request: {}
+  push:
+    branches:
+    - main
+    - develop
 jobs:
   check-formating:
     runs-on: ubuntu-latest
@@ -149,6 +154,7 @@ jobs:
 #        with:
 #          sarif_file: 'trivy-results.sarif'
   smoke-tests:
+    needs: build-operator-image
     strategy:
       fail-fast: false
       matrix:
diff --git a/Dockerfile b/Dockerfile
@@ -48,6 +48,15 @@ RUN if grep -q 'Ubuntu' /etc/os-release; then \
         update-ca-certificates && \
         unattended-upgrades -v && \
         apt-get clean && rm -rf /var/lib/apt/lists/*; \
+    elif grep -q 'Amazon Linux' /etc/os-release; then \
+        yum -y install shadow-utils && \
+        useradd -ms /bin/bash nonroot -u 1001 && \
+        yum install -y ca-certificates && \
+        update-ca-trust &&  \
+        yum update -y krb5-libs && yum clean all && \
+        yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical && \
+        yum -y update-minimal --security --sec-severity=Moderate && \
+        yum -y update-minimal --security --sec-severity=Low; \
     else \
         microdnf -y install shadow-utils && \
         useradd -ms /bin/bash nonroot -u 1001 && \
