NETOBSERV-2150: add license to downstream container (#768)

* NETOBSERV-2150: add license to downstream container

* Fix license and other issues in dockerfile

* fix front build

* fix go build

* Run as non root

Author: jotak

.tekton/network-observability-console-plugin-pull-request.yaml

@@ -26,26 +26,11 @@ spec:
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/network-observability-console-plugin:on-pr-{{revision}}
   - name: image-expires-after
     value: 5d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
   - name: build-platforms
     value: ["linux/x86_64"]
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-      status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}

.tekton/network-observability-console-plugin-push.yaml

@@ -24,24 +24,11 @@ spec:
     value: '{{revision}}'
   - name: output-image
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/network-observability-console-plugin:{{revision}}
+  - name: image-expires-after
+    value: 14d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-      status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}

.tekton/pipeline-ref.yaml

@@ -21,10 +21,6 @@ spec:
   - description: Source Repository URL
     name: git-url
     type: string
-  - description: Version to build
-    name: build-version
-    type: string
-    default: "main"
   - default: ""
     description: Revision of the Source Repository
     name: revision
@@ -197,9 +193,6 @@ spec:
     - name: BUILD_ARGS
       value:
       - $(params.build-args[*])
-      - "COMMIT=$(tasks.clone-repository.results.commit)"
-      - "BUILDVERSION=$(params.build-version)"
-      - "DATE=$(tasks.clone-repository.results.commit-timestamp)"
     - name: BUILD_ARGS_FILE
       value: $(params.build-args-file)
     - name: SOURCE_ARTIFACT
@@ -248,9 +241,6 @@ spec:
     - name: BUILD_ARGS
       value:
       - $(params.build-args[*])
-      - "COMMIT=$(tasks.clone-repository.results.commit)"
-      - "BUILDVERSION=$(params.build-version)"
-      - "DATE=$(tasks.clone-repository.results.commit-timestamp)"
       - "FRONTBUILD=$(params.output-image)-front"
     - name: BUILD_ARGS_FILE
       value: $(params.build-args-file)
@@ -332,20 +322,20 @@ spec:
       operator: in
       values:
       - "true"
-  - name: rpms-signature-scan
+  - name: deprecated-base-image-check
     params:
-    - name: image-url
+    - name: IMAGE_URL
       value: $(tasks.build-image-index.results.IMAGE_URL)
-    - name: image-digest
+    - name: IMAGE_DIGEST
       value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: rpms-signature-scan
+        value: deprecated-image-check
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:e603b3df510aeefeaa12e8778c4642b21743cb0ae68704359dc7ffd2814249d2
+        value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:ced089bd8d86f95ee70f6ee1a6941d677f1c66c3b8f02fa60f9309c6c32e1929
       - name: kind
         value: task
       resolver: bundles
@@ -354,20 +344,20 @@ spec:
       operator: in
       values:
       - "false"
-  - name: deprecated-base-image-check
+  - name: rpms-signature-scan
     params:
-    - name: IMAGE_URL
+    - name: image-url
       value: $(tasks.build-image-index.results.IMAGE_URL)
-    - name: IMAGE_DIGEST
+    - name: image-digest
       value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: deprecated-image-check
+        value: rpms-signature-scan
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:ced089bd8d86f95ee70f6ee1a6941d677f1c66c3b8f02fa60f9309c6c32e1929
+        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:e603b3df510aeefeaa12e8778c4642b21743cb0ae68704359dc7ffd2814249d2
       - name: kind
         value: task
       resolver: bundles

Dockerfile-args.downstream

@@ -0,0 +1 @@
+BUILDVERSION=1.9.0

Dockerfile.downstream

@@ -1,29 +1,31 @@
-ARG COMMIT
+ARG BUILDVERSION
 ARG FRONTBUILD
 
 FROM $FRONTBUILD as web-builder
 
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23 as go-builder
 
 ARG BUILDVERSION
-ARG DATE
 
 WORKDIR /opt/app-root
 
 COPY go.mod go.mod
 COPY go.sum go.sum
 COPY vendor/ vendor/
-COPY .mk/ .mk/
 COPY cmd/ cmd/
 COPY pkg/ pkg/
 
 ENV GOEXPERIMENT strictfipsruntime
-RUN go build -tags strictfipsruntime -ldflags "-X main.buildVersion=$BUILDVERSION -X main.buildDate=$DATE" -mod vendor -o plugin-backend cmd/plugin-backend.go
+RUN go build -tags strictfipsruntime -ldflags "-X 'main.buildVersion=$BUILDVERSION' -X 'main.buildDate=`date +%Y-%m-%d\ %H:%M`'" -mod vendor -o plugin-backend cmd/plugin-backend.go
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1739420147
+ARG BUILDVERSION
 
 COPY --from=web-builder /opt/app-root/web/dist ./web/dist
 COPY --from=go-builder /opt/app-root/plugin-backend ./
+COPY LICENSE /licenses/
+
+USER 65532:65532
 
 ENTRYPOINT ["./plugin-backend"]
 
@@ -34,7 +36,5 @@ LABEL io.k8s.description="Network Observability Console Plugin"
 LABEL summary="Network Observability Console Plugin"
 LABEL maintainer="[email protected]"
 LABEL io.openshift.tags="network-observability-console-plugin"
-LABEL upstream-vcs-ref="$COMMIT"
-LABEL upstream-vcs-type="git"
-LABEL description="Based on Openshift Console dynamic plugin, this plugin implement the console elements for Network Observability."
-LABEL version="1.9.0"
+LABEL description="Network Observability visualization tool for the OpenShift Console."
+LABEL version=$BUILDVERSION