Merge pull request #6032 from gchq/6031-docker-images

Issue 6031 - Disable provenance in Docker images for lambdas

Author: patchwork01

java/clients/src/main/java/sleeper/clients/deploy/container/UploadDockerImages.java

@@ -100,7 +100,13 @@ private void buildAndPushImage(String tag, StackDockerImage image) throws IOExce
         if (image.isMultiplatform()) {
             commandRunner.runOrThrow("docker", "buildx", "build", "--platform", "linux/amd64,linux/arm64", "-t", tag, "--push", dockerfileDirectory.toString());
         } else {
-            commandRunner.runOrThrow("docker", "build", "-t", tag, dockerfileDirectory.toString());
+            if (image.getLambdaJar().isPresent()) {
+                // At time of writing AWS Lambda does not support images with provenance enabled.
+                // See https://docs.aws.amazon.com/lambda/latest/dg/java-image.html
+                commandRunner.runOrThrow("docker", "build", "--provenance=false", "-t", tag, dockerfileDirectory.toString());
+            } else {
+                commandRunner.runOrThrow("docker", "build", "-t", tag, dockerfileDirectory.toString());
+            }
             commandRunner.runOrThrow("docker", "push", tag);
         }
     }

java/clients/src/test/java/sleeper/clients/deploy/container/DockerImagesTestBase.java

@@ -104,10 +104,8 @@ protected CommandPipeline buildImageCommand(String tag, String dockerDirectory)
         return pipeline(command("docker", "build", "-t", tag, dockerDirectory));
     }
 
-    protected CommandPipeline buildImageCommandWithArgs(String... args) {
-        List<String> fullArgs = new ArrayList<>(List.of("docker", "build"));
-        fullArgs.addAll(List.of(args));
-        return pipeline(command(fullArgs.toArray(String[]::new)));
+    protected CommandPipeline buildLambdaImageCommand(String tag, String dockerDirectory) {
+        return pipeline(command("docker", "build", "--provenance=false", "-t", tag, dockerDirectory));
     }
 
     protected CommandPipeline pullImageCommand(String tag) {

java/clients/src/test/java/sleeper/clients/deploy/container/UploadDockerImagesToEcrFileIT.java

@@ -68,9 +68,9 @@ void shouldUploadTwoLambdaImagesOverwritingJarEachTime() throws Exception {
         String expectedTag2 = "123.dkr.ecr.test-region.amazonaws.com/test-instance/ingest-task-creator-lambda:1.0.0";
         assertThat(commandsThatRan).containsExactly(
                 dockerLoginToEcrCommand(),
-                buildImageCommandWithArgs("-t", expectedTag1, lambdaImageDir.toString()),
+                buildLambdaImageCommand(expectedTag1, lambdaImageDir.toString()),
                 pushImageCommand(expectedTag1),
-                buildImageCommandWithArgs("-t", expectedTag2, lambdaImageDir.toString()),
+                buildLambdaImageCommand(expectedTag2, lambdaImageDir.toString()),
                 pushImageCommand(expectedTag2));
 
         assertThat(fileToContentUnder(dir)).isEqualTo(Map.of(

java/clients/src/test/java/sleeper/clients/deploy/container/UploadDockerImagesToEcrTest.java

@@ -120,7 +120,7 @@ void shouldPushCoreImage() throws Exception {
             String expectedTag = "123.dkr.ecr.test-region.amazonaws.com/test-instance/statestore-lambda:1.0.0";
             assertThat(commandsThatRan).containsExactly(
                     dockerLoginToEcrCommand(),
-                    buildImageCommandWithArgs("-t", expectedTag, "./docker/lambda"),
+                    buildLambdaImageCommand(expectedTag, "./docker/lambda"),
                     pushImageCommand(expectedTag));
             assertThat(files).isEqualTo(Map.of(
                     Path.of("./jars/statestore.jar"), "statestore-jar-content",
@@ -143,9 +143,9 @@ void shouldPushImageForCoreAndOptionalLambdaInNewInstance() throws Exception {
             String expectedTag2 = "123.dkr.ecr.test-region.amazonaws.com/test-instance/ingest-task-creator-lambda:1.0.0";
             assertThat(commandsThatRan).containsExactly(
                     dockerLoginToEcrCommand(),
-                    buildImageCommandWithArgs("-t", expectedTag1, "./docker/lambda"),
+                    buildLambdaImageCommand(expectedTag1, "./docker/lambda"),
                     pushImageCommand(expectedTag1),
-                    buildImageCommandWithArgs("-t", expectedTag2, "./docker/lambda"),
+                    buildLambdaImageCommand(expectedTag2, "./docker/lambda"),
                     pushImageCommand(expectedTag2));
             assertThat(files).isEqualTo(Map.of(
                     Path.of("./jars/statestore.jar"), "statestore-jar-content",
@@ -169,7 +169,7 @@ void shouldPushImageForOptionalLambdaWhenAdded() throws Exception {
             String expectedTag = "123.dkr.ecr.test-region.amazonaws.com/test-instance/ingest-task-creator-lambda:1.0.0";
             assertThat(commandsThatRan).containsExactly(
                     dockerLoginToEcrCommand(),
-                    buildImageCommandWithArgs("-t", expectedTag, "./docker/lambda"),
+                    buildLambdaImageCommand(expectedTag, "./docker/lambda"),
                     pushImageCommand(expectedTag));
             assertThat(files).isEqualTo(Map.of(
                     Path.of("./jars/ingest.jar"), "ingest-jar-content",
@@ -192,7 +192,7 @@ void shouldPushImageForOptionalLambdaWhenOneOfItsStacksIsAdded() throws Exceptio
             String expectedTag = "123.dkr.ecr.test-region.amazonaws.com/test-instance/bulk-import-starter-lambda:1.0.0";
             assertThat(commandsThatRan).containsExactly(
                     dockerLoginToEcrCommand(),
-                    buildImageCommandWithArgs("-t", expectedTag, "./docker/lambda"),
+                    buildLambdaImageCommand(expectedTag, "./docker/lambda"),
                     pushImageCommand(expectedTag));
             assertThat(files).isEqualTo(Map.of(
                     Path.of("./jars/bulk-import-starter.jar"), "bulk-import-starter-jar-content",
@@ -215,7 +215,7 @@ void shouldPushImageForOptionalLambdaWhenSeveralOfItsStacksAreAdded() throws Exc
             String expectedTag = "123.dkr.ecr.test-region.amazonaws.com/test-instance/bulk-import-starter-lambda:1.0.0";
             assertThat(commandsThatRan).containsExactly(
                     dockerLoginToEcrCommand(),
-                    buildImageCommandWithArgs("-t", expectedTag, "./docker/lambda"),
+                    buildLambdaImageCommand(expectedTag, "./docker/lambda"),
                     pushImageCommand(expectedTag));
             assertThat(files).isEqualTo(Map.of(
                     Path.of("./jars/bulk-import-starter.jar"), "bulk-import-starter-jar-content",
@@ -249,7 +249,7 @@ void shouldDeployLambdaByDockerWhenConfiguredToAlwaysDeployByDocker() throws Exc
             String expectedTag = "123.dkr.ecr.test-region.amazonaws.com/test-instance/athena-lambda:1.0.0";
             assertThat(commandsThatRan).containsExactly(
                     dockerLoginToEcrCommand(),
-                    buildImageCommandWithArgs("-t", expectedTag, "./docker/lambda"),
+                    buildLambdaImageCommand(expectedTag, "./docker/lambda"),
                     pushImageCommand(expectedTag));
             assertThat(files).isEqualTo(Map.of(
                     Path.of("./jars/athena.jar"), "athena-jar-content",

java/clients/src/test/java/sleeper/clients/deploy/container/UploadDockerImagesToRepositoryTest.java

@@ -104,13 +104,13 @@ void shouldBuildAndPushLambdaImages() throws Exception {
         String expectedBulkImportTag = "www.somedocker.com/prefix/bulk-import-starter-lambda:1.0.0";
         String expectedAthenaTag = "www.somedocker.com/prefix/athena-lambda:1.0.0";
         assertThat(commandsThatRan).containsExactly(
-                buildImageCommandWithArgs("-t", expectedStatestoreTag, "./docker/lambda"),
+                buildLambdaImageCommand(expectedStatestoreTag, "./docker/lambda"),
                 pushImageCommand(expectedStatestoreTag),
-                buildImageCommandWithArgs("-t", expectedIngestTaskTag, "./docker/lambda"),
+                buildLambdaImageCommand(expectedIngestTaskTag, "./docker/lambda"),
                 pushImageCommand(expectedIngestTaskTag),
-                buildImageCommandWithArgs("-t", expectedBulkImportTag, "./docker/lambda"),
+                buildLambdaImageCommand(expectedBulkImportTag, "./docker/lambda"),
                 pushImageCommand(expectedBulkImportTag),
-                buildImageCommandWithArgs("-t", expectedAthenaTag, "./docker/lambda"),
+                buildLambdaImageCommand(expectedAthenaTag, "./docker/lambda"),
                 pushImageCommand(expectedAthenaTag));
 
         assertThat(files).isEqualTo(Map.of(