RHOAIENG-72: Update Dockerfile for odh-notebook-controller component

This commit modifies the Dockerfile for the {odh-}notebook-controller component in the Kubeflow project. The changes include updating the base image, specifying the Golang version to 1.20, and configuring a non-root user for execution. More robust and secure build processes are now used including different steps for package installation, code copying, and building the notebook-controller.

The Dockerfile closely corresponds to what is used in OpenShift AI build. This way we will have closer match between what we release upstream and downstream.

components/notebook-controller/Dockerfile

@@ -3,32 +3,62 @@
 # The Docker context is expected to be:
 #
 # ${PATH_TO_KUBEFLOW/KUBEFLOW repo}/components
-#
-# This is necessary because the Jupyter controller now depends on
-# components/common
+
+
+# Build arguments
+ARG SOURCE_CODE=.
 ARG GOLANG_VERSION=1.20
-FROM golang:${GOLANG_VERSION} as builder
 
+# Use ubi8/go-toolset as base image
+FROM registry.redhat.io/ubi8/go-toolset:${GOLANG_VERSION} as builder
+
+## Build args to be used at this step
+ARG SOURCE_CODE
+
+# Set building workdir
 WORKDIR /workspace
 
 # Copy the Go Modules manifests
-COPY notebook-controller /workspace/notebook-controller
-COPY common /workspace/common
-
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN cd /workspace/notebook-controller && go mod download all
+COPY ${SOURCE_CODE}/notebook-controller ./notebook-controller
+# This is necessary because the Jupyter controller now depends on
+# components/common
+COPY ${SOURCE_CODE}/common ./common
 
+# Update building workdir
 WORKDIR /workspace/notebook-controller
 
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -mod=mod -o manager main.go
+## Build the kf-notebook-controller
+USER root
+
+RUN if [ -z ${CACHITO_ENV_FILE} ]; then \
+       go mod download all; \
+    else \
+       source ${CACHITO_ENV_FILE}; \
+    fi
+
+RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -mod=mod \
+        -o ./bin/manager main.go
+
+# Use ubi8/ubi-minimal as base image
+FROM registry.redhat.io/ubi8/ubi-minimal:latest
+
+## Install additional packages
+RUN microdnf install -y shadow-utils &&\
+    microdnf clean all
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/base:debug
-WORKDIR /
-COPY --from=builder /workspace/notebook-controller/manager .
+## Create a non-root user with UID 1001
+RUN useradd --uid 1001 --create-home --user-group --system rhods
+
+## Set workdir directory to user home
+WORKDIR /home/rhods
+
+## Copy kf-notebook-controller-manager binary from builder stage
+COPY --from=builder /workspace/notebook-controller/bin/manager /manager
 COPY --from=builder /workspace/notebook-controller/third_party/license.txt third_party/license.txt
-COPY --from=builder /go/pkg/mod/github.com/hashicorp third_party/hashicorp
-ENTRYPOINT ["/manager"]
+# in builder image, `go env GOPATH` outputs `/opt/app-root/src/go`
+COPY --from=builder /opt/app-root/src/go/pkg/mod/github.com/hashicorp third_party/hashicorp
+
+## Switch to a non-root user
+USER rhods
+
+ENTRYPOINT [ "/manager" ]

components/odh-notebook-controller/Dockerfile

@@ -4,33 +4,60 @@
 #
 # ${PATH_TO_KUBEFLOW/KUBEFLOW repo}/components
 #
+
+# Build arguments
+ARG SOURCE_CODE=.
 ARG GOLANG_VERSION=1.20
-FROM golang:${GOLANG_VERSION} as builder
 
+# Use ubi8/go-toolset as base image
+FROM registry.redhat.io/ubi8/go-toolset:${GOLANG_VERSION} as builder
+
+## Build args to be used at this step
+ARG SOURCE_CODE
+
+# Set building workdir
 WORKDIR /workspace
 
 # Copy the Go Modules manifests
-COPY notebook-controller /workspace/notebook-controller
-COPY odh-notebook-controller /workspace/odh-notebook-controller
-
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN cd /workspace/odh-notebook-controller && go mod download all
+COPY ${SOURCE_CODE}/notebook-controller ./notebook-controller
+COPY ${SOURCE_CODE}/odh-notebook-controller ./odh-notebook-controller
 
+# Update building workdir
 WORKDIR /workspace/odh-notebook-controller
 
-# Build
-RUN if [ "$(uname -m)" = "aarch64" ]; then \
-        CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GO111MODULE=on go build -a -mod=mod -o manager main.go; \
+## Build the kf-notebook-controller
+USER root
+
+RUN if [ -z ${CACHITO_ENV_FILE} ]; then \
+       go mod download all; \
     else \
-        CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -mod=mod -o manager main.go; \
+       source ${CACHITO_ENV_FILE}; \
     fi
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/base:debug
-WORKDIR /
-COPY --from=builder /workspace/odh-notebook-controller/manager .
+RUN go build \
+        -o ./bin/manager main.go
+
+# Use ubi8/ubi-minimal as base image
+FROM registry.redhat.io/ubi8/ubi-minimal:latest
+
+## Install additional packages
+RUN microdnf install -y shadow-utils &&\
+    microdnf clean all
+
+## Create a non-root user with UID 1001
+RUN useradd --uid 1001 --create-home --user-group --system rhods
+
+## Set workdir directory to user home
+WORKDIR /home/rhods
+
+## Copy kf-notebook-controller-manager binary from builder stage
+COPY --from=builder /workspace/odh-notebook-controller/bin/manager /manager
 COPY --from=builder /workspace/odh-notebook-controller/third_party/license.txt third_party/license.txt
-COPY --from=builder /go/pkg/mod/github.com/hashicorp third_party/hashicorp
-ENTRYPOINT ["/manager"]
+# in builder image, `go env GOPATH` outputs `/opt/app-root/src/go`
+COPY --from=builder //opt/app-root/src/go/pkg/mod/github.com/hashicorp third_party/hashicorp
+
+
+## Switch to a non-root user
+USER rhods
+
+ENTRYPOINT [ "/manager" ]