[build] Generate ironbank docker context (#89933)

* [build] Generate ironbank docker context

* replace download.json with hardening_manifest.yml

* update dockerfile

* rm jenkinsfile

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

src/dev/build/tasks/os_packages/create_os_package_tasks.ts

@@ -54,15 +54,13 @@ export const CreateDockerCentOS: Task = {
 
   async run(config, log, build) {
     await runDockerGenerator(config, log, build, {
-      ubi: false,
-      context: false,
       architecture: 'x64',
+      context: false,
       image: true,
     });
     await runDockerGenerator(config, log, build, {
-      ubi: false,
-      context: false,
       architecture: 'aarch64',
+      context: false,
       image: true,
     });
   },
@@ -74,9 +72,9 @@ export const CreateDockerUBI: Task = {
   async run(config, log, build) {
     if (!build.isOss()) {
       await runDockerGenerator(config, log, build, {
-        ubi: true,
-        context: false,
         architecture: 'x64',
+        context: false,
+        ubi: true,
         image: true,
       });
     }
@@ -88,7 +86,6 @@ export const CreateDockerContexts: Task = {
 
   async run(config, log, build) {
     await runDockerGenerator(config, log, build, {
-      ubi: false,
       context: true,
       image: false,
     });
@@ -99,6 +96,11 @@ export const CreateDockerContexts: Task = {
         context: true,
         image: false,
       });
+      await runDockerGenerator(config, log, build, {
+        ironbank: true,
+        context: true,
+        image: false,
+      });
     }
   },
 };

src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts

@@ -7,18 +7,18 @@
  */
 
 import { resolve } from 'path';
+import { readFileSync } from 'fs';
 
 import { ToolingLog } from '@kbn/dev-utils';
+import Mustache from 'mustache';
 
 import { compressTar, copyAll, mkdirp, write, Config } from '../../../lib';
 import { dockerfileTemplate } from './templates';
 import { TemplateContext } from './template_context';
 
 export async function bundleDockerFiles(config: Config, log: ToolingLog, scope: TemplateContext) {
-  log.info(
-    `Generating kibana${scope.imageFlavor}${scope.ubiImageFlavor} docker build context bundle`
-  );
-  const dockerFilesDirName = `kibana${scope.imageFlavor}${scope.ubiImageFlavor}-${scope.version}-docker-build-context`;
+  log.info(`Generating kibana${scope.imageFlavor} docker build context bundle`);
+  const dockerFilesDirName = `kibana${scope.imageFlavor}-${scope.version}-docker-build-context`;
   const dockerFilesBuildDir = resolve(scope.dockerBuildDir, dockerFilesDirName);
   const dockerFilesOutputDir = config.resolveFromTarget(`${dockerFilesDirName}.tar.gz`);
 
@@ -38,6 +38,17 @@ export async function bundleDockerFiles(config: Config, log: ToolingLog, scope:
   // dockerfiles folder
   await copyAll(resolve(scope.dockerBuildDir, 'bin'), resolve(dockerFilesBuildDir, 'bin'));
   await copyAll(resolve(scope.dockerBuildDir, 'config'), resolve(dockerFilesBuildDir, 'config'));
+  if (scope.ironbank) {
+    await copyAll(resolve(scope.dockerBuildDir), resolve(dockerFilesBuildDir), {
+      select: ['LICENSE'],
+    });
+    const templates = ['hardening_manifest.yml', 'README.md'];
+    for (const template of templates) {
+      const file = readFileSync(resolve(__dirname, 'templates/ironbank', template));
+      const output = Mustache.render(file.toString(), scope);
+      await write(resolve(dockerFilesBuildDir, template), output);
+    }
+  }
 
   // Compress dockerfiles dir created inside
   // docker build dir as output it as a target

src/dev/build/tasks/os_packages/docker_generator/run.ts

@@ -12,6 +12,7 @@ import { promisify } from 'util';
 
 import { ToolingLog } from '@kbn/dev-utils';
 
+import { branch } from '../../../../../../package.json';
 import { write, copyAll, mkdirp, exec, Config, Build } from '../../../lib';
 import * as dockerTemplates from './templates';
 import { TemplateContext } from './template_context';
@@ -30,48 +31,54 @@ export async function runDockerGenerator(
     architecture?: string;
     context: boolean;
     image: boolean;
-    ubi: boolean;
+    ubi?: boolean;
+    ironbank?: boolean;
   }
 ) {
   // UBI var config
   const baseOSImage = flags.ubi ? 'docker.elastic.co/ubi8/ubi-minimal:latest' : 'centos:8';
   const ubiVersionTag = 'ubi8';
-  const ubiImageFlavor = flags.ubi ? `-${ubiVersionTag}` : '';
+
+  let imageFlavor = '';
+  if (flags.ubi) imageFlavor += `-${ubiVersionTag}`;
+  if (flags.ironbank) imageFlavor += '-ironbank';
+  if (build.isOss()) imageFlavor += '-oss';
 
   // General docker var config
   const license = build.isOss() ? 'ASL 2.0' : 'Elastic License';
-  const imageFlavor = build.isOss() ? '-oss' : '';
   const imageTag = 'docker.elastic.co/kibana/kibana';
   const version = config.getBuildVersion();
   const artifactArchitecture = flags.architecture === 'aarch64' ? 'aarch64' : 'x86_64';
-  const artifactPrefix = `kibana${imageFlavor}-${version}-linux`;
+  const artifactFlavor = build.isOss() ? '-oss' : '';
+  const artifactPrefix = `kibana${artifactFlavor}-${version}-linux`;
   const artifactTarball = `${artifactPrefix}-${artifactArchitecture}.tar.gz`;
   const artifactsDir = config.resolveFromTarget('.');
   const dockerBuildDate = new Date().toISOString();
   // That would produce oss, default and default-ubi7
   const dockerBuildDir = config.resolveFromRepo(
     'build',
     'kibana-docker',
-    build.isOss() ? `oss` : `default${ubiImageFlavor}`
+    build.isOss() ? `oss` : `default${imageFlavor}`
   );
   const imageArchitecture = flags.architecture === 'aarch64' ? '-aarch64' : '';
   const dockerTargetFilename = config.resolveFromTarget(
-    `kibana${imageFlavor}${ubiImageFlavor}-${version}-docker-image${imageArchitecture}.tar.gz`
+    `kibana${imageFlavor}-${version}-docker-image${imageArchitecture}.tar.gz`
   );
   const scope: TemplateContext = {
     artifactPrefix,
     artifactTarball,
     imageFlavor,
     version,
+    branch,
     license,
     artifactsDir,
     imageTag,
     dockerBuildDir,
     dockerTargetFilename,
     baseOSImage,
-    ubiImageFlavor,
     dockerBuildDate,
     ubi: flags.ubi,
+    ironbank: flags.ironbank,
     architecture: flags.architecture,
     revision: config.getBuildSha(),
   };
@@ -107,10 +114,17 @@ export async function runDockerGenerator(
   // in order to build the docker image accordingly the dockerfile defined
   // under templates/kibana_yml.template/js
   await copyAll(
-    config.resolveFromRepo('src/dev/build/tasks/os_packages/docker_generator/resources'),
+    config.resolveFromRepo('src/dev/build/tasks/os_packages/docker_generator/resources/base'),
     dockerBuildDir
   );
 
+  if (flags.ironbank) {
+    await copyAll(
+      config.resolveFromRepo('src/dev/build/tasks/os_packages/docker_generator/resources/ironbank'),
+      dockerBuildDir
+    );
+  }
+
   // Build docker image into the target folder
   // In order to do this we just call the file we
   // created from the templates/build_docker_sh.template.js

src/dev/build/tasks/os_packages/docker_generator/template_context.ts

@@ -9,6 +9,7 @@
 export interface TemplateContext {
   artifactPrefix: string;
   artifactTarball: string;
+  branch: string;
   imageFlavor: string;
   version: string;
   license: string;
@@ -17,10 +18,10 @@ export interface TemplateContext {
   dockerBuildDir: string;
   dockerTargetFilename: string;
   baseOSImage: string;
-  ubiImageFlavor: string;
   dockerBuildDate: string;
   usePublicArtifact?: boolean;
-  ubi: boolean;
+  ubi?: boolean;
+  ironbank?: boolean;
   revision: string;
   architecture?: string;
 }

src/dev/build/tasks/os_packages/docker_generator/templates/build_docker_sh.template.ts

@@ -16,7 +16,6 @@ function generator({
   version,
   dockerTargetFilename,
   baseOSImage,
-  ubiImageFlavor,
   architecture,
 }: TemplateContext) {
   return dedent(`
@@ -54,10 +53,10 @@ function generator({
 
   retry_docker_pull ${baseOSImage}
 
-  echo "Building: kibana${imageFlavor}${ubiImageFlavor}-docker"; \\
-  docker build -t ${imageTag}${imageFlavor}${ubiImageFlavor}:${version} -f Dockerfile . || exit 1;
+  echo "Building: kibana${imageFlavor}-docker"; \\
+  docker build -t ${imageTag}${imageFlavor}:${version} -f Dockerfile . || exit 1;
 
-  docker save ${imageTag}${imageFlavor}${ubiImageFlavor}:${version} | gzip -c > ${dockerTargetFilename}
+  docker save ${imageTag}${imageFlavor}:${version} | gzip -c > ${dockerTargetFilename}
 
   exit 0
   `);

src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts

@@ -13,10 +13,10 @@ import Mustache from 'mustache';
 import { TemplateContext } from '../template_context';
 
 function generator(options: TemplateContext) {
-  const template = readFileSync(resolve(__dirname, './Dockerfile'));
+  const dir = options.ironbank ? 'ironbank' : 'base';
+  const template = readFileSync(resolve(__dirname, dir, './Dockerfile'));
   return Mustache.render(template.toString(), {
-    packageManager: options.ubiImageFlavor ? 'microdnf' : 'yum',
-    tiniBin: options.architecture === 'aarch64' ? 'tini-arm64' : 'tini-amd64',
+    packageManager: options.ubi ? 'microdnf' : 'yum',
     ...options,
   });
 }

src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile

@@ -0,0 +1,77 @@
+################################################################################
+# Build stage 0
+# Extract Kibana and make various file manipulations.
+################################################################################
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=redhat/ubi/ubi8
+ARG BASE_TAG=8.3
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as prep_files
+
+RUN yum update --setopt=tsflags=nodocs -y && \
+      yum install -y tar gzip && \
+      yum clean all
+
+RUN mkdir /usr/share/kibana
+WORKDIR /usr/share/kibana
+COPY --chown=1000:0 {{artifactTarball}} .
+RUN tar --strip-components=1 -zxf {{artifactTarball}}
+
+# Ensure that group permissions are the same as user permissions.
+# This will help when relying on GID-0 to run Kibana, rather than UID-1000.
+# OpenShift does this, for example.
+# REF: https://docs.openshift.org/latest/creating_images/guidelines.html
+RUN chmod -R g=u /usr/share/kibana
+
+
+################################################################################
+# Build stage 1
+# Copy prepared files from the previous stage and complete the image.
+################################################################################
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+EXPOSE 5601
+
+RUN yum update --setopt=tsflags=nodocs -y && \
+      yum install -y fontconfig freetype shadow-utils nss && \
+      yum clean all
+
+COPY LICENSE /licenses/elastic-kibana
+
+# Add a dumb init process
+COPY tini /bin/tini
+RUN chmod +x /bin/tini
+
+# Noto Fonts
+RUN mkdir /usr/share/fonts/local
+COPY NotoSansCJK-Regular.ttc /usr/share/fonts/local/NotoSansCJK-Regular.ttc
+RUN fc-cache -v
+
+# Bring in Kibana from the initial stage.
+COPY --from=prep_files --chown=1000:0 /usr/share/kibana /usr/share/kibana
+WORKDIR /usr/share/kibana
+RUN ln -s /usr/share/kibana /opt/kibana
+
+ENV ELASTIC_CONTAINER true
+ENV PATH=/usr/share/kibana/bin:$PATH
+
+# Set some Kibana configuration defaults.
+COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml
+
+# Add the launcher/wrapper script. It knows how to interpret environment
+# variables and translate them to Kibana CLI options.
+COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/
+
+# Remove the suid bit everywhere to mitigate "Stack Clash"
+RUN find / -xdev -perm -4000 -exec chmod u-s {} +
+
+# Provide a non-root user to run the process.
+RUN groupadd --gid 1000 kibana && \
+    useradd --uid 1000 --gid 1000 -G 0 \
+      --home-dir /usr/share/kibana --no-create-home \
+      kibana
+
+ENTRYPOINT ["/bin/tini", "--"]
+
+CMD ["/usr/local/bin/kibana-docker"]
+
+HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 http://localhost:5601 || exit 1

src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/README.md

@@ -0,0 +1,39 @@
+# Kibana
+
+**Kibana** lets you visualize your Elasticsearch data and navigate the Elastic Stack,
+so you can do anything from learning why you're getting paged at 2:00 a.m. to
+understanding the impact rain might have on your quarterly numbers.
+
+For more information about Kibana, please visit
+https://www.elastic.co/products/kibana.
+
+### Installation instructions
+
+Please follow the documentation on [running Kibana on Docker](https://www.elastic.co/guide/en/kibana/{{branch}}/docker.html).
+
+### Where to file issues and PRs
+
+- [Issues](https://github.com/elastic/kibana/issues)
+- [PRs](https://github.com/elastic/kibana/pulls)
+
+### DoD Restrictions
+
+Due to the [NODE-SECURITY-1184](https://www.npmjs.com/advisories/1184) issue, Kibana users should not use the `ALL_PROXY` environment variable to specify a proxy when installing Kibana plugins with the kibana-plugin command line application.
+
+### Where to get help
+
+- [Kibana Discuss Forums](https://discuss.elastic.co/c/kibana)
+- [Kibana Documentation](https://www.elastic.co/guide/en/kibana/current/index.html)
+
+### Still need help?
+
+You can learn more about the Elastic Community and also understand how to get more help
+visiting [Elastic Community](https://www.elastic.co/community).
+
+This software is governed by the [Elastic
+License](https://github.com/elastic/elasticsearch/blob/{{branch}}/licenses/ELASTIC-LICENSE.txt),
+and includes the full set of [free
+features](https://www.elastic.co/subscriptions).
+
+View the detailed release notes
+[here](https://www.elastic.co/guide/en/elasticsearch/reference/{{branch}}/es-release-notes.html).