Fix Dockerfile to have the proper permissions in directories

[amartinezfayo]

In the Dockerfile, proper permissions in directories were intended to be set in the install commands that are run when setting up the directories. But those directories are then copied using the COPY instruction.
With the COPY instruction, all files and directories copied from the build context are created with a UID and GID of 0 unless the --chown flag specifies a given username, groupname, or UID/GID combination to request specific ownership of the copied content.

This PR fixes the Dockerfile to use --chown and --chmod flags in the COPY instructions to set the permissions.

Fixes #4903.
Supersedes #4871.

[maxlambrecht]

I've seen that several test suites currently create workload entries using the selector "unix:uid:0":

• ghostunnel-federation
• join-token
• envoy-sds-v3-spiffe-auth

Should we also update these to use a "unix:uid:1000"?

[amartinezfayo]

Should we also update these to use a "unix:uid:1000"?

Thank you for the observation, @maxlambrecht. Yes, I've already added a commit to have that fixed.
Unfortunately, there are still errors caused by "permission denied" issues that I'm looking into.

[maxlambrecht]

Could we use separate stages for creating the directories and then apply the permissions when they are copied to the final images? Something like this:

# Setting up SPIRE Server directories
FROM alpine as prep-server
RUN mkdir -p /opt/spire/bin \
    /etc/spire/server \
    /run/spire/server/private \
    /tmp/spire-server/private \
    /var/lib/spire/server

# Setting up SPIRE Agent directories
FROM alpine as prep-agent
RUN mkdir -p /opt/spire/bin \
    /etc/spire/agent \
    /run/spire/agent/public \
    /tmp/spire-agent/public \
    /var/lib/spire/agent

# SPIRE Server
FROM spire-base AS spire-server
ARG spireuid=1000
ARG spiregid=1000
USER ${spireuid}:${spiregid}
COPY --link --from=prep-server --chown=${spireuid}:${spiregid} --chmod=755 / /
COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/
ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]

# Similar configuration for SPIRE Agent

[maxlambrecht]

Also spire-base could be just:

FROM --platform=${BUILDPLATFORM} scratch AS spire-base
COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
WORKDIR /opt/spire

[amartinezfayo]

Thank you @maxlambrecht for the suggestions, I think that they make sense.
I've updated the Dockerfile accordingly.

[maxlambrecht]

I noticed that my earlier suggestion would include the entire alpine filesystem in our final image, which isn't ideal. Here's an optimized approach:

FROM alpine as prep-server
RUN mkdir -p /spire/opt/spire/bin \
             /spire/etc/spire/server \
             /spire/run/spire/server/private \
             /spire/tmp/spire-server/private \
             /spire/var/lib/spire/server

We should only copy the /spire directory:

COPY --link --from=prep-server --chown=${spireuid}:${spiregid} --chmod=755 /spire /

[amartinezfayo]

Oh right. Yeah, I thought about that at some point and then didn't check it properly.
Thanks again for the suggestions!

[maxlambrecht]

LGTM!

[rturner3]

Why does only this one test need to run as root to create the socket directory? Could this be avoided with a config change in the test?

[amartinezfayo]

This is needed because we use a hostPath volume to share the socket for the Workload API. I've moved the securityContext field to affect the spire-agent container only.

[azdagron]

Closing this for now. We can re-open and merge after 1.9.3 ships.