# Base-image knobs. Declared ahead of the first FROM so that every stage can
# interpolate them; an ARG in this position is not visible inside a stage
# unless it is redeclared there.
ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi8/ubi
ARG BASE_TAG=8.5

# Throw-away stage whose only job is to unpack the release bundle. The
# runtime stage copies selected directories out of /bundle; the archive
# itself is never copied forward, so it does not end up in the final image.
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

COPY bundle.tar.gz /bundle.tar.gz
WORKDIR /bundle
RUN tar --extract --gzip --file=/bundle.tar.gz

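# Runtime stage, built on the same base as the extraction stage.
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

LABEL name="main" \
      vendor="StackRox" \
      maintainer="support@stackrox.com" \
      summary="The StackRox Kubernetes Security Platform" \
      description="This image contains components required to operate the StackRox Kubernetes Security Platform."

# Build-time flavor selector. It is copied into the runtime environment just
# below, so its value is visible in `docker inspect` and `docker history`;
# only non-sensitive values belong here.
ARG ROX_IMAGE_FLAVOR

ENV PATH="/stackrox:$PATH" \
    ROX_ROXCTL_IN_MAIN_IMAGE="true" \
    ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR}

# Public signing key, imported and then deleted in the RUN step below. Because
# it lands in its own COPY layer it stays in the layer history; that is
# harmless for a public key.
COPY signatures/RPM-GPG-KEY-CentOS-Official /
COPY scripts /stackrox/
COPY --from=extracted_bundle /bundle/assets/ /assets/
COPY --from=extracted_bundle /bundle/stackrox/ /stackrox/
COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
COPY --from=extracted_bundle /bundle/ui/ /ui/
COPY --from=extracted_bundle /bundle/usr/local/bin/ldb /usr/local/bin/
COPY --from=extracted_bundle /bundle/snappy.rpm /tmp/
COPY --from=extracted_bundle /bundle/go/ /go/

# One layer: symlinks, package install, package-manager removal and
# permission setup. Everything created here as a side effect (dnf cache,
# the local RPM, the key file) is removed in the same layer so it does not
# persist in the image.
RUN ln -s entrypoint-wrapper.sh /stackrox/admission-control && \
    ln -s entrypoint-wrapper.sh /stackrox/compliance && \
    ln -s entrypoint-wrapper.sh /stackrox/kubernetes-sensor && \
    ln -s entrypoint-wrapper.sh /stackrox/sensor-upgrader && \
    ln -s /assets/downloads/cli/roxctl-linux /stackrox/roxctl && \
    rpm --import RPM-GPG-KEY-CentOS-Official && \
    # NOTE(review): `dnf upgrade` installs whatever the UBI repos serve at
    # build time, so two builds of the same BASE_TAG can differ; pinning the
    # base by digest would make the result reproducible.
    dnf upgrade -y && \
    # NOTE(review): dnf does not GPG-check local package files by default
    # (localpkg_gpgcheck is off), so the key import above does not by itself
    # verify /tmp/snappy.rpm. Adding `--setopt=localpkg_gpgcheck=1` would
    # enforce it — confirm the RPM is signed with this key before doing so.
    dnf install -y lz4 bzip2 /tmp/snappy.rpm && \
    dnf clean all && \
    rm /tmp/snappy.rpm RPM-GPG-KEY-CentOS-Official && \
    # (Optional) Remove line below to keep package management utilities
    # Dropping rpm/dnf/yum and curl shrinks the tooling available to anyone
    # who obtains a shell in the container; --nodeps skips the dependency
    # check that would otherwise refuse to remove these packages.
    rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
    rm -rf /var/cache/dnf && \
    # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
    # by the script `save-dir-contents` during the image build. The directory
    # contents are then restored by the script `restore-all-dir-contents`
    # during the container start.
    # Handing /etc/pki and /etc/ssl to UID 4000 makes the trust store
    # writable by the service user; that is the price of restoring it into
    # an emptyDir at start-up, and it means a compromised process could alter
    # trust anchors for its own container.
    chown -R 4000:4000 /etc/pki /etc/ssl && save-dir-contents /etc/pki/ca-trust /etc/ssl && \
    mkdir -p /var/lib/stackrox && chown -R 4000:4000 /var/lib/stackrox && \
    mkdir -p /var/log/stackrox && chown -R 4000:4000 /var/log/stackrox && \
    mkdir -p /var/cache/stackrox && chown -R 4000:4000 /var/cache/stackrox && \
    chown -R 4000:4000 /tmp

# 8443 is above 1024, so the unprivileged user below can bind it without
# extra capabilities.
EXPOSE 8443

# Numeric UID:GID matches the chown calls above and lets runtimes verify
# non-root execution without resolving a user name.
USER 4000:4000

ENTRYPOINT ["/assets/downloads/cli/roxctl-linux"]

# The health check formerly here ran `curl --insecure --fail` against
# https://127.0.0.1:8443/v1/ping, but `curl` is removed by the `rpm -e` step
# above, so the probe could never succeed and any runtime honoring
# HEALTHCHECK would report the container unhealthy. Kubernetes does not use
# HEALTHCHECK (probes come from the pod spec), so the check is disabled
# explicitly rather than keeping curl in the image.
HEALTHCHECK NONE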
