address feedback in PR

Author: labrenbe

.github/ISSUE_TEMPLATE/early-pre-release.md

@@ -45,6 +45,7 @@ Part of stackabletech/issues#xxx.
 - [ ] [Create issue from template: update-product-kafka.md](https://github.com/stackabletech/docker-images/issues/new?template=update-product-kafka.md)
 - [ ] [Create issue from template: update-product-nifi.md](https://github.com/stackabletech/docker-images/issues/new?template=update-product-nifi.md)
 - [ ] [Create issue from template: update-product-opa.md](https://github.com/stackabletech/docker-images/issues/new?template=update-product-opa.md)
+- [ ] [Create issue from template: update-product-opensearch.md](https://github.com/stackabletech/docker-images/issues/new?template=update-product-opensearch.md)
 - [ ] [Create issue from template: update-product-spark.md](https://github.com/stackabletech/docker-images/issues/new?template=update-product-spark.md)
 - [ ] [Create issue from template: update-product-superset.md](https://github.com/stackabletech/docker-images/issues/new?template=update-product-superset.md)
 - [ ] [Create issue from template: update-product-trino.md](https://github.com/stackabletech/docker-images/issues/new?template=update-product-trino.md)

.github/ISSUE_TEMPLATE/update-product-opensearch.md

@@ -0,0 +1,79 @@
+---
+name: Update OpenSearch
+about: >-
+  This template contains instructions specific to updating this product and/or
+  container image(s).
+title: >-
+  chore(opensearch): Update container images ahead of Stackable Release YY.M.X
+labels: []
+# Currently, projects cannot be assigned via front-matter.
+projects: ['stackabletech/10']
+assignees: ''
+---
+
+Part of #xxx.
+
+<!--
+This gives hints to the person doing the work.
+Add/Change/Remove anything that isn't applicable anymore
+-->
+- Add: `x.x.x`
+- Remove: `y.y.y`
+
+> [!TIP]
+> Please add the `scheduled-for/20XX-XX` label, and add to the [Stackable Engineering][1] project.
+>
+> [1]: https://github.com/orgs/stackabletech/projects/10
+
+## Update tasks
+
+- [ ] Update `versions.py` to reflect the agreed upon versions in the spreadsheet (including the removal of old versions).
+- [ ] Update `versions.py` to the latest supported version of JVM (base and devel).
+- [ ] Update other dependencies if applicable (eg: security-plugin, etc).
+- [ ] Check other operators (getting_started / kuttl / supported-versions) for usage of the versions. Add the PR(s) to the list below.
+- [ ] Update the version in demos. Add the PR(s) to the list below.
+
+## Related Pull Requests
+
+> [!TIP]
+> Delete any items that do not apply so that all applicable items can be checked.
+> For example, if you add release notes to the documentation repository, you do not need the latter two criteria.
+
+- _Link to the docker-images PR (product update)_
+- _Link to the operator PR (getting_started / kuttl / supported-versions)_
+- _Link to any other operator PRs (getting_started / kuttl)_
+- _Link to demo PR (raise against the `main` branch)_
+- _Link to the Release Notes PR in the documentation repo (if not a comment below)_
+
+## Acceptance
+
+> [!TIP]
+> This list should be completed by the assignee(s), once respective PRs have been merged. Once all items have been
+> checked, the issue can be moved into _Development: Done_.
+
+- [ ] Can build image (either locally, or in CI)
+- [ ] Kuttl smoke tests passes (either locally, or in CI)
+- [ ] Release notes added to documentation and linked as a PR above
+- [ ] Release notes written in a comment below
+- [ ] Applicable `release-note` label added to this issue
+
+<details>
+<summary>Testing instructions</summary>
+
+```shell
+# See the latest version at https://pypi.org/project/image-tools-stackabletech/
+pip install image-tools-stackabletech==0.0.16
+
+bake --product opensearch=x.y.z # where x.y.z is the new version added in this PR
+
+kind load docker-image oci.stackable.tech/sdp/opensearch:x.y.z-stackable0.0.0-dev
+
+# Change directory into the opa-operator repository and update the
+# product version in tests/test-definition.yaml
+./scripts/run-tests --test-suite smoke-latest # or similar
+```
+
+</details>
+
+_Please consider updating this template if these instructions are wrong, or
+could be made clearer._

.github/workflows/build_opensearch.yaml

@@ -0,0 +1,35 @@
+---
+name: Build OpenSearch
+run-name: |
+  Build OpenSearch (attempt #${{ github.run_attempt }})
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 2/2 * *' # https://crontab.guru/#0_0_2/2_*_*
+  push:
+    branches: [main]
+    tags: ['*']
+    paths:
+      # To check dependencies, run this ( you will need to consider transitive dependencies)
+      # bake --product PRODUCT -d | grep -v 'docker buildx bake' | jq '.target | keys[]'
+      - opensearch/**
+      - vector/**
+      - stackable-base/**
+      - java-base/**
+      - java-devel/**
+      - .github/actions/**
+      - .github/workflows/build_opensearch.yaml
+      - .github/workflows/reusable_build_image.yaml
+
+jobs:
+  build_image:
+    name: Reusable Workflow
+    uses: ./.github/workflows/reusable_build_image.yaml
+    secrets:
+      harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+      slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    with:
+      product-name: kafka
+      sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}
+      registry-namespace: sdp

.github/workflows/preflight.yaml

@@ -66,6 +66,7 @@ jobs:
           - nifi
           - omid
           - opa
+          - opensearch
           - spark-k8s
           - superset
           - trino

.scripts/enumerate-product-versions.py

@@ -18,6 +18,7 @@
     "krb5",
     "nifi",
     "opa",
+    "opensearch",
     "omid",
     "spark-k8s",
     "superset",

.scripts/update_feature_tracker_db.sh

@@ -33,6 +33,7 @@ PRODUCT_CODE_NAMES=(
   hive
   kafka
   nifi
+  opensearch
   spark-k8s
   superset
   trino

README.md

@@ -8,9 +8,9 @@ This repository contains Dockerfiles and scripts to build base images for use wi
 | [![Build Airflow]][build_airflow.yaml] | [![Build Druid]][build_druid.yaml] | [![Build Hadoop]][build_hadoop.yaml] | [![Build HBase]][build_hbase.yaml] |
 | [![Build Hive]][build_hive.yaml] | [![Build Java Base]][build_java-base.yaml] | [![Build Java Development]][build_java-devel.yaml] | [![Build Kafka Testing Tools]][build_kafka-testing-tools.yaml] |
 | [![Build Kafka]][build_kafka.yaml] | [![Build Krb5]][build_krb5.yaml] | [![Build NiFi]][build_nifi.yaml] | [![Build Omid]][build_omid.yaml] |
-| [![Build OPA]][build_opa.yaml] | [![Build Spark Connect Client]][build_spark-connect-client.yaml] | [![Build Spark K8s]][build_spark-k8s.yaml] | [![Build Stackable Base]][build_stackable-base.yaml] |
-| [![Build Superset]][build_superset.yaml] | [![Build Testing Tools]][build_testing-tools.yaml] | [![Build Tools]][build_tools.yaml] | [![Build Trino CLI]][build_trino-cli.yaml] |
-| [![Build Trino]][build_trino.yaml] | [![Build Vector]][build_vector.yaml] | [![Build ZooKeeper]][build_zookeeper.yaml] | |
+| [![Build OPA]][build_opa.yaml] | [![Build OpenSearch]][build_opensearch.yaml] | [![Build Spark Connect Client]][build_spark-connect-client.yaml] | [![Build Spark K8s]][build_spark-k8s.yaml] |
+| [![Build Stackable Base]][build_stackable-base.yaml] | [![Build Superset]][build_superset.yaml] | [![Build Testing Tools]][build_testing-tools.yaml] | [![Build Tools]][build_tools.yaml] |
+| [![Build Trino CLI]][build_trino-cli.yaml] | [![Build Trino]][build_trino.yaml] | [![Build Vector]][build_vector.yaml] | [![Build ZooKeeper]][build_zookeeper.yaml] |
 <!-- end:badges -->
 
 ## Prerequisites
@@ -239,6 +239,8 @@ ENTRYPOINT ["/stackable-zookeeper-operator"]
 [build_omid.yaml]: https://github.com/stackabletech/docker-images/actions/workflows/build_omid.yaml
 [Build OPA]: https://github.com/stackabletech/docker-images/actions/workflows/build_opa.yaml/badge.svg
 [build_opa.yaml]: https://github.com/stackabletech/docker-images/actions/workflows/build_opa.yaml
+[Build OpenSearch]: https://github.com/stackabletech/docker-images/actions/workflows/build_opensearch.yaml/badge.svg
+[build_opensearch.yaml]: https://github.com/stackabletech/docker-images/actions/workflows/build_opensearch.yaml
 [Build Spark Connect Client]: https://github.com/stackabletech/docker-images/actions/workflows/build_spark-connect-client.yaml/badge.svg
 [build_spark-connect-client.yaml]: https://github.com/stackabletech/docker-images/actions/workflows/build_spark-connect-client.yaml
 [Build Spark K8s]: https://github.com/stackabletech/docker-images/actions/workflows/build_spark-k8s.yaml/badge.svg

opensearch/Dockerfile

@@ -32,7 +32,7 @@ NEW_VERSION="${PRODUCT}-stackable${RELEASE}"
 # Create snapshot of the source code including custom patches
 tar -czf /stackable/opensearch-${NEW_VERSION}-src.tar.gz .
 ./scripts/build.sh -v "${PRODUCT}" -s false -a "${ARCH}"
-tar -xzf artifacts/dist/opensearch-min-${PRODUCT}-linux-${ARCH}.tar.gz -C /stackable
+tar -xzf "artifacts/dist/opensearch-min-${PRODUCT}-linux-${ARCH}.tar.gz" -C /stackable
 unzip artifacts/core-plugins/repository-s3-${PRODUCT}.zip -d /stackable/opensearch-${PRODUCT}/plugins/repository-s3/
 mv /stackable/opensearch-${PRODUCT}/plugins/repository-s3/config /stackable/opensearch-${PRODUCT}/config/repository-s3
 unzip artifacts/core-plugins/telemetry-otel-${PRODUCT}.zip -d /stackable/opensearch-${PRODUCT}/plugins/telemetry-otel/
@@ -65,14 +65,14 @@ rm -r jdk
 # Change the group permissions already in the builder image to reduce
 # the size of the final image.
 # see https://github.com/stackabletech/docker-images/issues/961
-chmod -R g=u "${HOME}"
 chmod +x /stackable/opensearch-${PRODUCT}/opensearch-docker-entrypoint.sh
+chmod -R g=u /stackable
 EOF
 
 # The OpenSearch Performance Analyzer needs a JDK, not just a JRE.
 # With a JRE, the following exception is thrown:
 # java.lang.ClassNotFoundException: com.sun.tools.attach.VirtualMachine
-FROM stackable/image/jdk-base
+FROM stackable/image/jdk-base AS final
 
 ARG PRODUCT
 ARG RELEASE
@@ -129,18 +129,22 @@ COPY \
     --from=opensearch-security-plugin \
     /stackable/src/opensearch/security-plugin/patchable-work/worktree/${OPENSEARCH_SECURITY_PLUGIN}/build/reports/bom.json \
     /stackable/opensearch-security-${OPENSEARCH_SECURITY_PLUGIN}-stackable${RELEASE}.cdx.json
+
 RUN <<EOF
 microdnf update
 microdnf clean all
 rm -rf /var/cache/yum
 
 # All files and folders owned by root group to support running as arbitrary users.
 # This is best practice as all container users will belong to the root group (0).
-chown -R ${STACKABLE_USER_UID}:0 ${HOME}
-chmod -R g=u ${HOME}
+chown ${STACKABLE_USER_UID}:0 ${HOME}
+chmod g=u /stackable/opensearch-${PRODUCT}-stackable${RELEASE}
+chmod g=u /stackable/opensearch-${PRODUCT}-stackable${RELEASE}/plugins/opensearch-security
+chmod g=u /stackable/*-src.tar.gz
+chmod g=u /stackable/*.cdx.json
 ln -s /stackable/opensearch-${PRODUCT}-stackable${RELEASE} ${OPENSEARCH_HOME}
 chown -h ${STACKABLE_USER_UID}:0 ${OPENSEARCH_HOME}
-EOF
+
 
 # ----------------------------------------
 # Checks
@@ -151,7 +155,7 @@ EOF
 
 # Check that permissions and ownership in /stackable are set correctly
 # This will fail and stop the build if any mismatches are found.
-RUN <<EOF
+
 /bin/check-permissions-ownership.sh /stackable ${STACKABLE_USER_UID} 0
 EOF
 

opensearch/README.md

@@ -0,0 +1,12 @@
+# OpenSearch
+
+This is the Stackable Data Platform (SDP) OCI image for [OpenSearch](https://github.com/opensearch-project/opensearch).
+
+The image includes:
+
+- OpenSearch
+- `security` plugin
+- `telemetry-otel` plugin
+- `repository-s3` plugin
+- Source code as tarball
+- SBOMs in CycloneDX format

opensearch/security-plugin/Dockerfile

@@ -25,5 +25,5 @@ EOF
 RUN <<EOF
 # Change the group permissions already in the builder image to reduce the size of the final image.
 # see https://github.com/stackabletech/docker-images/issues/961
-chmod -R g=u "${HOME}"
+chmod -R g=u /stackable
 EOF