working around INFRA-24621

Author: ndimiduk

dev-support/jenkins/Jenkinsfile

@@ -49,6 +49,34 @@ pipeline {
         YETUS_DRIVER = "${WORKDIR}/${YETUS_DRIVER_REL}"
         YETUSDIR = "${WORKDIR}/${YETUS_REL}"
         PLUGINS = 'all'
+        // workaround for INFRA-24621
+        NON_ROOT_AS_JENKINS = 'true'
+        NON_ROOT_USER = """${sh(
+                returnStdout: true,
+                script: '''#!/usr/bin/env bash
+set -e
+
+if [ "${DEBUG}" = 'true' ] ; then
+  set -x
+fi
+
+whoami
+'''
+        )}
+""".trim()
+        NON_ROOT_UID = """${sh(
+                returnStdout: true,
+                script: '''#!/usr/bin/env bash
+set -e
+
+if [ "${DEBUG}" = 'true' ] ; then
+  set -x
+fi
+
+echo "${UID}"
+'''
+        )}
+""".trim()
     }
 
     parameters {
@@ -78,6 +106,7 @@ pipeline {
                         usernameVariable: 'GITHUB_USER'
                       )]) {
                         sh label: 'test-patch', script: '''#!/bin/bash -e
+                            docker container run --rm --user=0 --mount type=bind,source=${SOURCEDIR},target=/sourcedir --workdir /sourcedir alpine:latest rm -rfv hbase-kubernetes-deployment/hbase-kubernetes-kustomize/target
                             printenv 2>&1 | sort
                             echo "[INFO] Launching Yetus via ${YETUS_DRIVER}"
                             "${YETUS_DRIVER}"
@@ -138,4 +167,4 @@ pipeline {
             }
         }
     }
-}
+}

hbase-kubernetes-deployment/hbase-kubernetes-testing-image/pom.xml

@@ -62,7 +62,7 @@
                 <argument>-c</argument>
                 <argument>
                   2>&amp;1 \
-                  docker buildx bake \
+                  src/build/shell/exec_docker_buildx_bake.sh \
                     --print \
                     --file src/main/docker/docker-bake.hcl \
                     --file src/main/docker/docker-bake.override.hcl
@@ -83,7 +83,7 @@
                 <argument>-c</argument>
                 <argument>
                   2>&amp;1 \
-                  docker buildx bake \
+                  src/build/shell/exec_docker_buildx_bake.sh \
                     --progress plain \
                     --pull \
                     --load \

hbase-kubernetes-deployment/hbase-kubernetes-testing-image/src/build/shell/exec_docker_buildx_bake.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# A work-around for INFRA-24621 establishing container user name and id in the jenkins environment.
+# When `NON_ROOT_AS_JENKINS=true`, injects the values of `NON_ROOT_USER` and `NON_ROOT_UID` into
+# the bake environment.
+
+set -e
+set -o pipefail
+set -x
+
+declare NON_ROOT_AS_JENKINS
+declare NON_ROOT_USER
+declare NON_ROOT_UID
+declare -a bake_args=( "$@" )
+
+NON_ROOT_AS_JENKINS="${NON_ROOT_AS_JENKINS:-false}"
+
+if [ "${NON_ROOT_AS_JENKINS}" = 'true' ] ; then
+    bake_args+=( "--set=*.args.NON_ROOT_USER=${NON_ROOT_USER}" )
+    bake_args+=( "--set=*.args.NON_ROOT_USER_ID=${NON_ROOT_UID}" )
+fi
+
+docker buildx bake "${bake_args[@]}"

hbase-kubernetes-deployment/hbase-kubernetes-testing-image/src/main/docker/Dockerfile

@@ -129,6 +129,9 @@ RUN tar xzf "/tmp/${KUSTOMIZE_BIN_TGZ}" \
 FROM ${IMG_BASE}:${IMG_BASE_TAG} as final
 ARG IMG_BASE
 ARG IMG_BASE_TAG
+ARG NON_ROOT_USER
+ARG NON_ROOT_USER_ID
+ARG NON_ROOT_USER_HOME
 
 COPY --from=yq /usr/bin/yq /usr/bin/yq
 COPY --from=kubectl /tmp/kubectl /usr/local/bin/
@@ -137,9 +140,9 @@ COPY --from=kustomize /tmp/kustomize /usr/local/bin/
 COPY src/main/docker/entrypoint.sh /bin/
 
 # nonroot user as defined in https://github.com/GoogleContainerTools/distroless
-ENV NON_ROOT_USER=nonroot
-ENV NON_ROOT_USER_ID=65532
-ENV NON_ROOT_USER_HOME=/home/nonroot
+ENV NON_ROOT_USER="${NON_ROOT_USER}"
+ENV NON_ROOT_USER_ID="${NON_ROOT_USER_ID}"
+ENV NON_ROOT_USER_HOME="${NON_ROOT_USER_HOME}"
 
 # hadolint ignore=DL3018
 RUN apk add --update --no-cache \

hbase-kubernetes-deployment/hbase-kubernetes-testing-image/src/main/docker/docker-bake.hcl

@@ -41,6 +41,15 @@ variable KUSTOMIZE_BIN_ARM64_TGZ_URL {}
 variable KUSTOMIZE_BIN_ARM64_TGZ {}
 
 # output variables
+variable NON_ROOT_USER {
+  default = "nonroot"
+}
+variable NON_ROOT_USER_ID {
+  default = "65532"
+}
+variable NON_ROOT_USER_HOME {
+  default = "/home/${NON_ROOT_USER}"
+}
 variable USER {
   default = "apache"
 }
@@ -78,6 +87,9 @@ target kuttl {
     KUSTOMIZE_BIN_AMD64_TGZ = KUSTOMIZE_BIN_AMD64_TGZ
     KUSTOMIZE_BIN_ARM64_TGZ_URL = KUSTOMIZE_BIN_ARM64_TGZ_URL
     KUSTOMIZE_BIN_ARM64_TGZ = KUSTOMIZE_BIN_ARM64_TGZ
+    NON_ROOT_USER = NON_ROOT_USER
+    NON_ROOT_USER_ID = NON_ROOT_USER_ID
+    NON_ROOT_USER_HOME = NON_ROOT_USER_HOME
   }
   target = "final"
   platforms = [