fix: Re-apply rootless containers and fix ESP configs (#11731)

airbytehq · Mar 20, 2024 · 4836e3b · 4836e3b
1 parent 404ac8f
commit 4836e3b
Show file tree

Hide file tree

Showing 36 changed files with 305 additions and 110 deletions.
diff --git a/.env b/.env
@@ -65,14 +65,14 @@ CONFIGS_DATABASE_MINIMUM_FLYWAY_MIGRATION_VERSION=0.40.23.002
 TEMPORAL_HOST=airbyte-temporal:7233
 INTERNAL_API_HOST=airbyte-server:8001
 INTERNAL_API_URL=http://airbyte-server:8001
-CONNECTOR_BUILDER_API_HOST=airbyte-connector-builder-server:80
+CONNECTOR_BUILDER_API_HOST=airbyte-connector-builder-server:8080
 WEBAPP_URL=http://localhost:8000/
 WORKLOAD_API_HOST=workload-api-server:8007
 WORKLOAD_API_URL=http://workload-api-server:8007
 # Although not present as an env var, required for webapp configuration.
 CONNECTOR_BUILDER_API_URL=/connector-builder-api
 AIRBYTE_API_HOST=airbyte-api-server:8006
-CONNECTOR_BUILDER_SERVER_API_HOST=http://airbyte-connector-builder-server:80
+CONNECTOR_BUILDER_SERVER_API_HOST=http://airbyte-connector-builder-server:8080
 # Replace with the commented-out line below to use a locally-run connector-builder-server
 # image, e.g. when developing the CDK's builder server command runner.
 # CONNECTOR_BUILDER_SERVER_API_HOST=http://host.docker.internal:80

diff --git a/airbyte-api-server/Dockerfile b/airbyte-api-server/Dockerfile
@@ -1,12 +1,16 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE} AS server
 EXPOSE 8006 5005
 ENV APPLICATION airbyte-api-server
 ENV VERSION ${VERSION}
+
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/${APPLICATION}"]
diff --git a/airbyte-base-java-python-image/Dockerfile b/airbyte-base-java-python-image/Dockerfile
diff --git a/airbyte-bootloader/Dockerfile b/airbyte-bootloader/Dockerfile
@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE}
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-bootloader"]
diff --git a/airbyte-config/init/Dockerfile b/airbyte-config/init/Dockerfile
@@ -1,4 +1,4 @@
-ARG ALPINE_IMAGE=alpine:3.13
+ARG ALPINE_IMAGE=alpine:3.18
 FROM ${ALPINE_IMAGE} AS seed
 
 WORKDIR /app

diff --git a/airbyte-connector-builder-server/Dockerfile b/airbyte-connector-builder-server/Dockerfile
@@ -1,5 +1,5 @@
-ARG BASE_IMAGE=airbyte/airbyte-base-java-python-image:1.1.0
-FROM ${BASE_IMAGE} AS connector-builder-server
+ARG JAVA_PYTHON_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-python-image:${JAVA_PYTHON_BASE_IMAGE_VERSION} AS connector-builder-server
 
 # Set up CDK requirements
 ARG CDK_VERSION=0.65.0
@@ -18,7 +18,10 @@ ENV VERSION ${VERSION}
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/${APPLICATION}"]

diff --git a/airbyte-connector-builder-server/src/main/resources/application.yml b/airbyte-connector-builder-server/src/main/resources/application.yml
@@ -25,7 +25,7 @@ micronaut:
     authentication-provider-strategy: ALL
     enabled: ${API_AUTHORIZATION_ENABLED:false}
   server:
-    port: 80
+    port: 8080
     cors:
       enabled: true
     netty:

diff --git a/airbyte-connector-sidecar/Dockerfile b/airbyte-connector-sidecar/Dockerfile
@@ -1,4 +1,5 @@
-FROM amazoncorretto:21 AS connector-sidecar
+ARG JAVA_WORKER_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-worker-image:${JAVA_WORKER_BASE_IMAGE_VERSION}
 
 ARG DOCKER_BUILD_ARCH=amd64
 
@@ -8,12 +9,13 @@ ARG VERSION=dev
 ENV APPLICATION airbyte-connector-sidecar
 ENV VERSION=${VERSION}
 
-WORKDIR /app
-
+USER root
 COPY WellKnownTypes.json /app
 
 # Move connector-sidecar app
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "/app/airbyte-app/bin/${APPLICATION}"]
diff --git a/airbyte-container-orchestrator/Dockerfile b/airbyte-container-orchestrator/Dockerfile
@@ -1,4 +1,5 @@
-FROM airbyte/airbyte-base-java-worker-image:2.0.1
+ARG JAVA_WORKER_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-worker-image:${JAVA_WORKER_BASE_IMAGE_VERSION}
 
 # Don't change this manually.  Bump version expects to make moves based on this string
 ARG VERSION=dev
@@ -8,10 +9,13 @@ ENV VERSION=${VERSION}
 
 WORKDIR /app
 
+USER root
 COPY WellKnownTypes.json /app
 
 # Move orchestrator app
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "/app/airbyte-app/bin/${APPLICATION}"]
diff --git a/airbyte-cron/Dockerfile b/airbyte-cron/Dockerfile
@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE}
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-cron"]
diff --git a/airbyte-keycloak-setup/Dockerfile b/airbyte-keycloak-setup/Dockerfile
@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE} AS keycloak-setup
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-keycloak-setup"]
diff --git a/airbyte-metrics/reporter/Dockerfile b/airbyte-metrics/reporter/Dockerfile
@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE}
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-metrics-reporter"]
diff --git a/airbyte-proxy/Dockerfile b/airbyte-proxy/Dockerfile
@@ -10,9 +10,9 @@ ENV VERSION ${VERSION}
 RUN apt-get update -y && apt-get install -y apache2-utils && rm -rf /var/lib/apt/lists/*
 
 # This variable can be used to update the destination containers that Nginx proxies to.
-ENV PROXY_PASS_WEB "http://airbyte-webapp:80"
+ENV PROXY_PASS_WEB "http://airbyte-webapp:8080"
 ENV PROXY_PASS_API "http://airbyte-server:8001"
-ENV CONNECTOR_BUILDER_SERVER_API "http://airbyte-connector-builder-server:80"
+ENV CONNECTOR_BUILDER_SERVER_API "http://airbyte-connector-builder-server:8080"
 ENV PROXY_PASS_AIRBYTE_API_SERVER "http://airbyte-api-server:8006"
 
 # Nginx config file

diff --git a/airbyte-server/Dockerfile b/airbyte-server/Dockerfile
@@ -1,4 +1,4 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE} AS server
 
 EXPOSE 8000 5005
@@ -11,7 +11,10 @@ ENV VERSION ${VERSION}
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/${APPLICATION}"]
diff --git a/airbyte-webapp/Dockerfile b/airbyte-webapp/Dockerfile
@@ -1,8 +1,14 @@
-ARG NGINX_IMAGE=nginx:alpine
+ARG NGINX_IMAGE=nginxinc/nginx-unprivileged:alpine3.18
 FROM ${NGINX_IMAGE}
 
-EXPOSE 80
+EXPOSE 8080
+
+USER root
 
 COPY bin/build /usr/share/nginx/html
 RUN find /usr/share/nginx/html -type d -exec chmod 755 '{}' \; -o -type f -exec chmod 644 '{}' \;
 COPY bin/nginx/default.conf.template /etc/nginx/templates/default.conf.template
+
+RUN chown -R nginx:nginx /usr/share/nginx/html
+
+USER nginx:nginx
diff --git a/airbyte-webapp/Dockerfile.cloud b/airbyte-webapp/Dockerfile.cloud
@@ -1,4 +1,4 @@
-ARG NGINX_IMAGE=nginx:alpine
+ARG NGINX_IMAGE=nginxinc/nginx-unprivileged:alpine3.18
 FROM ${NGINX_IMAGE}
 
 COPY build/app /usr/share/nginx/html

diff --git a/airbyte-webapp/nginx/cloud.conf.template b/airbyte-webapp/nginx/cloud.conf.template
@@ -1,6 +1,6 @@
 server {
-    listen       80;
-    listen  [::]:80;
+    listen       8080;
+    listen  [::]:8080;
     server_name  localhost;
 
     gzip on;

diff --git a/airbyte-webapp/nginx/default.conf.template b/airbyte-webapp/nginx/default.conf.template
@@ -11,8 +11,8 @@ upstream keycloak {
 }
 
 server {
-    listen       80;
-    listen  [::]:80;
+    listen       8080;
+    listen  [::]:8080;
     server_name  localhost;
 
     add_header Content-Security-Policy "script-src * 'unsafe-inline'; worker-src 'self' blob:;";

diff --git a/airbyte-webapp/release.dockerfile b/airbyte-webapp/release.dockerfile
@@ -1,8 +1,9 @@
 ARG BUILD_IMAGE
-FROM ${BUILD_IMAGE} AS builder
+ARG NGINX_IMAGE=nginxinc/nginx-unprivileged:alpine3.18
 
+FROM ${BUILD_IMAGE} AS builder
 
-FROM nginx:alpine AS release 
+FROM ${NGINX_IMAGE}
 
 EXPOSE 80
 

diff --git a/airbyte-workers/Dockerfile b/airbyte-workers/Dockerfile
@@ -1,14 +1,18 @@
-FROM airbyte/airbyte-base-java-worker-image:2.0.1
+ARG JAVA_WORKER_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-worker-image:${JAVA_WORKER_BASE_IMAGE_VERSION}
 
 ENV APPLICATION airbyte-workers
 ENV VERSION ${VERSION}
 
 WORKDIR /app
 
+USER root
 COPY WellKnownTypes.json /app
 
 # Move worker app
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 EXPOSE 5005
 

diff --git a/airbyte-workload-api-server/Dockerfile b/airbyte-workload-api-server/Dockerfile
@@ -1,12 +1,15 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE} AS server
 EXPOSE 8007 5005
 ENV APPLICATION airbyte-workload-api-server
 ENV VERSION ${VERSION}
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/${APPLICATION}"]
diff --git a/airbyte-workload-launcher/Dockerfile b/airbyte-workload-launcher/Dockerfile
@@ -1,12 +1,16 @@
-FROM airbyte/airbyte-base-java-worker-image:2.0.1
+ARG JAVA_WORKER_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-worker-image:${JAVA_WORKER_BASE_IMAGE_VERSION}
 
 ENV APPLICATION airbyte-workload-launcher
 ENV VERSION ${VERSION}
 
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # 8016 is the port micronaut listens on
 # 5005 is the remote debug port

diff --git a/build.gradle b/build.gradle
@@ -25,11 +25,11 @@ buildscript {
 plugins {
     id "base"
     id "com.dorongold.task-tree" version "2.1.1"
-    id "io.airbyte.gradle.jvm" version "0.28.0" apply false
-    id "io.airbyte.gradle.jvm.app" version "0.28.0" apply false
-    id "io.airbyte.gradle.jvm.lib" version "0.28.0" apply false
-    id "io.airbyte.gradle.docker" version "0.28.0" apply false
-    id "io.airbyte.gradle.publish" version "0.28.0" apply false
+    id "io.airbyte.gradle.jvm" version "0.31.0" apply false
+    id "io.airbyte.gradle.jvm.app" version "0.31.0" apply false
+    id "io.airbyte.gradle.jvm.lib" version "0.31.0" apply false
+    id "io.airbyte.gradle.docker" version "0.31.0" apply false
+    id "io.airbyte.gradle.publish" version "0.31.0" apply false
     // uncomment for testing plugin locally
     // id "io.airbyte.gradle.jvm" version "local-test" apply false
     // id "io.airbyte.gradle.jvm.app" version "local-test" apply false
@@ -158,17 +158,15 @@ subprojects { sp ->
         def buildArch = System.getenv('DOCKER_BUILD_ARCH') ?: isArm64 ? 'arm64' : 'amd64'
         def buildPlatform = System.getenv('DOCKER_BUILD_PLATFORM') ?: isArm64 ? 'linux/arm64' : 'linux/amd64'
         def alpineImage = System.getenv('ALPINE_IMAGE') ?: isArm64 ? 'arm64v8/alpine:3.14' : 'amd64/alpine:3.14'
-        def nginxImage = System.getenv('NGINX_IMAGE') ?: isArm64 ? 'arm64v8/nginx:alpine' : 'amd64/nginx:alpine'
 
         // Used by the platform -- Must be an Amazon Corretto-based image for build to work without modification to Dockerfile instructions
-        def openjdkImage = System.getenv('JDK_IMAGE') ?: 'airbyte/airbyte-base-java-image:3.0.1'
+        def openjdkImage = System.getenv('JDK_IMAGE') ?: 'airbyte/airbyte-base-java-image:3.1.0'
 
         platform = buildPlatform
         images.add("airbyte/$sp.dockerImageName:$rootProject.ext.image_tag")
         buildArgs.put('JDK_VERSION', jdkVersion)
         buildArgs.put('DOCKER_BUILD_ARCH', buildArch)
         buildArgs.put('ALPINE_IMAGE', alpineImage)
-        buildArgs.put('NGINX_IMAGE', nginxImage)
         buildArgs.put('JDK_IMAGE', openjdkImage)
         buildArgs.put('VERSION', rootProject.ext.version)
 

diff --git a/charts/airbyte-connector-builder-server/templates/deployment.yaml b/charts/airbyte-connector-builder-server/templates/deployment.yaml
@@ -146,7 +146,7 @@ spec:
 
         ports:
         - name: http
-          containerPort: 80
+          containerPort: 8080
           protocol: TCP
         {{- if .Values.debug.enabled }}
         - name: debug 

diff --git a/charts/airbyte-webapp/templates/deployment.yaml b/charts/airbyte-webapp/templates/deployment.yaml
@@ -141,7 +141,7 @@ spec:
         {{- end }}
         ports:
         - name: http
-          containerPort: 80
+          containerPort: 8080
           protocol: TCP
         {{- if .Values.resources }}
         resources: {{- toYaml .Values.resources | nindent 10 }}