Adds more global hadolint ignores with reasoning (#782)

* Adds more global hadolint ignores with reasoning

* Move all hadolint ignores to a config file

* Soothe yamllint

* Test if hadolint still works

* Anoter test

* More testing

* More testing

* Revert test

Author: lfrancke

.hadolint.yaml

@@ -0,0 +1,31 @@
+---
+ignored:
+  # Warning: Use WORKDIR to switch to a directory.
+  # https://github.com/hadolint/hadolint/wiki/DL3003
+  # Reason: We use WORKDIR where appropriate and `cd` otherwise to condense RUN blocks, this warning is annoying
+  - DL3003
+
+  # Warning: Always tag the version of an image explicitly.
+  # https://github.com/hadolint/hadolint/wiki/DL3006
+  # Reason: We use buildx which handles the build graph, no explicit image tags necessary
+  - DL3006
+
+  # Warning: Use the -y switch to avoid manual input dnf install -y <package>
+  # https://github.com/hadolint/hadolint/wiki/DL3038
+  # Reason: We set `assumeyes=True` in dnf.conf in our base image
+  - DL3038
+
+  # Warning: Specify version with dnf install -y <package>-<version>
+  # https://github.com/hadolint/hadolint/wiki/DL3041
+  # Reason: It's good advice, but we're not set up to pin versions just yet
+  - DL3041
+
+  # Warning: Set the SHELL option -o pipefail before RUN with a pipe in it
+  # https://github.com/hadolint/hadolint/wiki/DL4006
+  # Reason: We inherit the SHELL from our base image and that sets it
+  - DL4006
+
+  # Use cd ... || exit in case cd fails.
+  # https://github.com/koalaman/shellcheck/wiki/SC2164
+  # Reason: Ignoring because we inherit SHELL from the base image which contains "-e" for bash
+  - SC2164

airflow/Dockerfile

@@ -1,17 +1,11 @@
 # syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
 
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# hadolint global ignore=DL3038,DL4006
-
 ARG GIT_SYNC
 
 # For updated versions check https://github.com/kubernetes/git-sync/releases
 # which should contain a image location (e.g. registry.k8s.io/git-sync/git-sync:v3.6.8)
 FROM oci.stackable.tech/sdp/git-sync:${GIT_SYNC} as gitsync-image
 
-# Not tagging base image because it is built as part of the same process
-# hadolint ignore=DL3006
 FROM stackable/image/statsd_exporter AS statsd_exporter-builder
 
 FROM stackable/image/vector AS airflow-build-image

druid/Dockerfile

@@ -1,11 +1,5 @@
 # syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
 
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# Ignoring SC2164 globally because we inherit SHELL from the base image which contains "-e" for bash
-# hadolint global ignore=DL3038,DL4006,SC2164
-
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS druid-builder
 
 ARG PRODUCT
@@ -50,9 +44,6 @@ COPY --chown=stackable:stackable druid/stackable/patches/${PRODUCT} /stackable/a
 # with a "directory not empty" error on the first builder to finish, as other builders
 # are still working in the cache directory.
 
-# Ignoring this lint because we need to use `cd` in order to keep everything in one command
-# (and therefore layer)
-# hadolint ignore=DL3003
 RUN --mount=type=cache,id=maven-${PRODUCT},uid=1000,target=/stackable/.m2/repository \
     --mount=type=cache,id=npm-${PRODUCT},uid=1000,target=/stackable/.npm \
     --mount=type=cache,id=cache-${PRODUCT},uid=1000,target=/stackable/.cache \
@@ -82,7 +73,6 @@ fi
 curl --fail -L "https://repo.stackable.tech/repository/packages/druid/druid-opa-authorizer-${AUTHORIZER}.tar.gz" | tar -xzC /stackable/apache-druid-${PRODUCT}/extensions
 EOF
 
-# hadolint ignore=DL3006
 FROM stackable/image/java-base AS final
 
 ARG PRODUCT

hadoop/Dockerfile

@@ -1,10 +1,5 @@
 # syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
 
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# hadolint global ignore=DL3038,DL4006
-
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS builder
 
 ARG PRODUCT

hbase/Dockerfile

@@ -1,13 +1,7 @@
 # syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
 
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# Ignoring SC2164 globally because we inherit SHELL from the base image which contains "-e" for bash
-# hadolint global ignore=DL3038,DL4006,SC2164
-
 FROM stackable/image/hadoop AS hadoop-builder
 
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS hbase-builder
 
 ARG PRODUCT
@@ -44,11 +38,6 @@ COPY --chown=stackable:stackable hbase/stackable/jmx/config${JMX_EXPORTER} /stac
 # builder containers will share the same cache and the `rm -rf` commands will fail
 # with a "directory not empty" error on the first builder to finish, as other builders
 # are still working in the cache directory.
-
-# Ignoring this because we set the shell to bash in our base image and hadolint/shellcheck doesn't know about it
-# DL3003 Ignoring the lint about using workdir instead of cd because we need to use `cd` in order
-# to keep everything in one command (and therefore layer)
-# hadolint ignore=SC3060,SC3010,DL3003
 RUN --mount=type=cache,id=maven-hbase-${PRODUCT},uid=1000,target=/stackable/.m2/repository <<EOF
 ###
 ### HBase
@@ -97,7 +86,6 @@ if [ "${DELETE_CACHES}" = "true" ] ; then
 fi
 EOF
 
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS opa-authorizer-builder
 
 ARG OPA_AUTHORIZER
@@ -106,8 +94,6 @@ ARG DELETE_CACHES
 USER stackable
 WORKDIR /stackable
 
-# Ignoring this because we set the shell to bash in our base image and hadolint/shellcheck doesn't know about it
-# hadolint ignore=SC3060,SC3010
 RUN --mount=type=cache,id=maven-opa,uid=1000,target=/stackable/.m2/repository <<EOF
 
 ###
@@ -133,7 +119,6 @@ if [ "${DELETE_CACHES}" = "true" ] ; then
 fi
 EOF
 
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS hbase-operator-tools-builder
 
 ARG HBASE_OPERATOR_TOOLS
@@ -195,7 +180,6 @@ EOF
 
 # Splitting this out into its own builder so that Hadoop & HBase can be built in parallel
 # envsubst is only available in java-devel which is why we don't just do this in the final image
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS hadoop-s3-builder
 
 ARG PRODUCT
@@ -223,8 +207,6 @@ chmod +x /stackable/bin/export-snapshot-to-s3
 rm /stackable/bin/export-snapshot-to-s3.env
 EOF
 
-
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS phoenix-builder
 
 ARG PRODUCT

hello-world/Dockerfile

@@ -1,9 +1,5 @@
 # syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
 
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# hadolint global ignore=DL3038,DL4006
-
 FROM stackable/image/java-base
 
 ARG PRODUCT

hive/Dockerfile

@@ -1,13 +1,7 @@
 # syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
 
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# hadolint global ignore=DL3038,DL4006
-
 FROM stackable/image/hadoop AS hadoop-builder
 
-# This layer has Java 8 installed.
-# hadolint ignore=DL3006
 FROM stackable/image/java-devel AS builder
 
 # Apache Hive up t0 4.x(!) officially requires Java 8 (there is no distincion between building and running). As of

java-base/Dockerfile

@@ -2,10 +2,6 @@
 #
 # Provides the common Java Runtime for SDP products
 #
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# hadolint global ignore=DL3038,DL4006
-
 FROM stackable/image/vector
 
 ARG PRODUCT

java-devel/Dockerfile

@@ -4,15 +4,13 @@
 # Base imaege for builder stages
 #
 
-# hadolint ignore=DL3006
 FROM stackable/image/stackable-base
 
 ARG PRODUCT
 
 # We need to use EPEL, as openjdk 22 is not shipped with UBI9
 RUN rpm --install --replacepkgs https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
 
-# hadolint ignore=DL3041
 RUN microdnf update && \
     microdnf install -y \
     cmake \

kafka-testing-tools/Dockerfile

@@ -1,15 +1,7 @@
 # syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
 
-# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
-# Ignoring DL4006 globally because we inherit the SHELL from our base image
-# hadolint global ignore=DL3038,DL4006
-
-# Not tagging base image because it is built as part of the same process
-# hadolint ignore=DL3006
 FROM stackable/image/kcat AS kcat
 
-# Not tagging base image because it is built as part of the same process
-# hadolint ignore=DL3006
 FROM stackable/image/stackable-base AS final
 
 ARG PRODUCT