@sw-tsdk/connector 3.23.0-alpha.24827b5 → 3.23.0-alpha.5b3d9ec

package/lib/templates/python_310_definition_fips/Dockerfile

@@ -1,23 +1,16 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.10-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.10-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.10-latest
 ARG RUNTIME_IMAGE=runtime-image
 
-# Stage 1: reference-only — pull the published compile-fips base to copy pre-installed swimlane libs
-FROM ${COMPILE_BASE} AS compile-base-libs
-LABEL stage=compile-base-libs
-# Stage 2: builder — dev image has shell, apk, and pip for all build-time operations.
+# Stage 1: builder — dev image has shell, apk, and pip for all build-time operations.
 # The final FIPS image is distroless (no shell), so ALL RUN commands must happen here.
 FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.10-latest /usr/local/lib /usr/local/lib
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.10-latest /usr/local/bin /usr/local/bin
-
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.10-latest /usr/lib/python3.10/site-packages /usr/lib/python3.10/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -25,10 +18,17 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -39,19 +39,30 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.10/site-packages /usr/lib/python3.10/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.10/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.10/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/lib/templates/python_311_definition_fips/Dockerfile

@@ -1,22 +1,16 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.11-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.11-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.11-latest
 ARG RUNTIME_IMAGE=runtime-image
 
-# Stage 1: reference-only — pull the published compile-fips base to copy pre-installed swimlane libs
-FROM ${COMPILE_BASE} AS compile-base-libs
-LABEL stage=compile-base-libs
-# Stage 2: builder — dev image has shell, apk, and pip for all build-time operations.
+# Stage 1: builder — dev image has shell, apk, and pip for all build-time operations.
 # The final FIPS image is distroless (no shell), so ALL RUN commands must happen here.
 FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.11-latest /usr/local/lib /usr/local/lib
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.11-latest /usr/local/bin /usr/local/bin
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.11-latest /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -24,10 +18,23 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs/etc/apk/keys && \
+    cp /etc/apk/repositories /runner-os-pkgs/etc/apk/repositories && \
+    cp /etc/apk/keys/* /runner-os-pkgs/etc/apk/keys/ && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi && \
+    rm -rf /runner-os-pkgs/etc/passwd \
+           /runner-os-pkgs/etc/group \
+           /runner-os-pkgs/etc/shadow \
+           /runner-os-pkgs/etc/apk
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -38,19 +45,30 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.11/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.11/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/lib/templates/python_312_definition_fips/Dockerfile

@@ -1,23 +1,16 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.12-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.12-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.12-latest
 ARG RUNTIME_IMAGE=runtime-image
 
-# Stage 1: reference-only — pull the published compile-fips base to copy pre-installed swimlane libs
-FROM ${COMPILE_BASE} AS compile-base-libs
-LABEL stage=compile-base-libs
-# Stage 2: builder — dev image has shell, apk, and pip for all build-time operations.
+# Stage 1: builder — dev image has shell, apk, and pip for all build-time operations.
 # The final FIPS image is distroless (no shell), so ALL RUN commands must happen here.
 FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.12-latest /usr/local/lib /usr/local/lib
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.12-latest /usr/local/bin /usr/local/bin
-
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.12-latest /usr/lib/python3.12/site-packages /usr/lib/python3.12/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -25,10 +18,17 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -39,19 +39,30 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.12/site-packages /usr/lib/python3.12/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.12/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.12/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/lib/templates/python_39_definition_fips/Dockerfile

@@ -1,24 +1,16 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.9-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.9-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.9-latest
 ARG RUNTIME_IMAGE=runtime-image
 
-# Stage 1: reference-only — pull the published compile-fips base to copy pre-installed swimlane libs
-FROM ${COMPILE_BASE} AS compile-base-libs
-LABEL stage=compile-base-libs
-# Stage 2: builder — dev image has shell, apk, and pip for all build-time operations.
+# Stage 1: builder — dev image has shell, apk, and pip for all build-time operations.
 # The final FIPS image is distroless (no shell), so ALL RUN commands must happen here.
 FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.9-latest /usr/local/lib /usr/local/lib
-COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.9-latest /usr/local/bin /usr/local/bin
-
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.9-latest /usr/lib/python3.9/site-packages /usr/lib/python3.9/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -26,10 +18,23 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs/etc/apk/keys && \
+    cp /etc/apk/repositories /runner-os-pkgs/etc/apk/repositories && \
+    cp /etc/apk/keys/* /runner-os-pkgs/etc/apk/keys/ && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi && \
+    rm -rf /runner-os-pkgs/etc/passwd \
+           /runner-os-pkgs/etc/group \
+           /runner-os-pkgs/etc/shadow \
+           /runner-os-pkgs/etc/apk
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -40,19 +45,30 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.9/site-packages /usr/lib/python3.9/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.9/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.9/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/package.json

@@ -9,9 +9,9 @@
     "@oclif/core": "2.8.5",
     "@oclif/plugin-help": "5.2.9",
     "@oclif/plugin-plugins": "3.1.2",
-    "@sw-tsdk/common": "3.23.0-alpha.24827b5",
-    "@sw-tsdk/core": "3.23.0-alpha.24827b5",
-    "@sw-tsdk/docker": "3.23.0-alpha.24827b5",
+    "@sw-tsdk/common": "3.23.0-alpha.5b3d9ec",
+    "@sw-tsdk/core": "3.23.0-alpha.5b3d9ec",
+    "@sw-tsdk/docker": "3.23.0-alpha.5b3d9ec",
     "@swimlane/connector-interfaces": "1.11.0",
     "@swimlane/cosign": "1.4.1",
     "archiver": "5.3.1",
@@ -66,6 +66,6 @@
     "test": "jest --passWithNoTests"
   },
   "types": "lib/index.d.ts",
-  "version": "3.23.0-alpha.24827b5",
-  "gitHead": "24827b5a6055cf3592906d105357ae5589c04efc"
+  "version": "3.23.0-alpha.5b3d9ec",
+  "gitHead": "5b3d9ec2021ddce7964b0cd920030fee2876557a"
 }