From a1520093dbea0f77b89548db91c4fd3a92aff563 Mon Sep 17 00:00:00 2001
From: Phil Bracikowski
Date: Fri, 22 Dec 2023 14:21:56 -0800
Subject: [PATCH 1/4] fix(container image): update to dedian 12 bookworm

Sinker got ssl security updates that requires libssl.so.3 which debian bullseye doesn't have. Update to bookworm image.
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 16cc2bf..2658894 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,7 @@ COPY . .
 RUN cargo build --release --bin sinker
 # We do not need the Rust toolchain to run the binary!
-FROM debian:bullseye-slim@sha256:77f46c1cf862290e750e913defffb2828c889d291a93bdd10a7a0597720948fc AS runtime
+FROM debian:bookworm-slim@sha256:45287d89d96414e57c7705aa30cb8f9836ef30ae8897440dd8f06c4cff801eec AS runtime
 WORKDIR app
 COPY --from=builder /app/target/release/sinker /usr/local/bin
-ENTRYPOINT ["/usr/local/bin/sinker"]
\ No newline at end of file
+ENTRYPOINT ["/usr/local/bin/sinker"]
From 2dbe8785b4dbed2495ea04bc04669241eb13cf3b Mon Sep 17 00:00:00 2001
From: Phil Bracikowski
Date: Tue, 26 Dec 2023 16:01:47 +0000
Subject: [PATCH 2/4] chore: install libssl3, create sinker user

Updates the sinker dockerfile following what iox does for a runtime image with libssl3 libraries, also create sinker user and group on the container.
---
 Dockerfile | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2658894..836e6b0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Leveraging the pre-built Docker images with
 # cargo-chef and the Rust toolchain
-FROM lukemathwalker/cargo-chef:latest-rust-1.73.0@sha256:09ec7a922dc592d980f3fcfa97b873e1a678ad2fb252671569a65187f1cd4a75 AS chef
+FROM lukemathwalker/cargo-chef:latest-rust-1.74-bookworm@sha256:f2f6e652c5aa759f9ff6b1f97062da912babc9c92641156c0c1723690448d384 AS chef
 WORKDIR app
 FROM chef AS planner
@@ -16,7 +16,16 @@ COPY . .
 RUN cargo build --release --bin sinker
 # We do not need the Rust toolchain to run the binary!
-FROM debian:bookworm-slim@sha256:45287d89d96414e57c7705aa30cb8f9836ef30ae8897440dd8f06c4cff801eec AS runtime
+FROM debian:bookworm-slim@sha256:45287d89d96414e57c7705aa30cb8f9836ef30ae8897440dd8f06c4cff801eec
+
+RUN apt update \
+ && apt install --yes ca-certificates libssl3 --no-install-recommends \
+ && rm -rf /var/lib/{apt,dpkg,cache,log} \
+ && groupadd --gid 1500 sinker \
+ && useradd --uid 1500 --gid sinker --shell /bin/bash --create-home sinker
+
+USER sinker
+
 WORKDIR app
 COPY --from=builder /app/target/release/sinker /usr/local/bin
 ENTRYPOINT ["/usr/local/bin/sinker"]
From 7acf1acdbaab630813efc8203deb2683beb6c79f Mon Sep 17 00:00:00 2001
From: Phil Bracikowski
Date: Tue, 26 Dec 2023 08:31:56 -0800
Subject: [PATCH 3/4] chore: remove image shas for multiplatform build

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 836e6b0..010dcbe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Leveraging the pre-built Docker images with
 # cargo-chef and the Rust toolchain
-FROM lukemathwalker/cargo-chef:latest-rust-1.74-bookworm@sha256:f2f6e652c5aa759f9ff6b1f97062da912babc9c92641156c0c1723690448d384 AS chef
+FROM lukemathwalker/cargo-chef:latest-rust-1.74-bookworm AS chef
 WORKDIR app
 FROM chef AS planner
@@ -16,7 +16,7 @@ COPY . .
 RUN cargo build --release --bin sinker
 # We do not need the Rust toolchain to run the binary!
-FROM debian:bookworm-slim@sha256:45287d89d96414e57c7705aa30cb8f9836ef30ae8897440dd8f06c4cff801eec
+FROM debian:bookworm-slim
 RUN apt update \
 && apt install --yes ca-certificates libssl3 --no-install-recommends \
From 3eb4bb1f007b3319047c5315cfd6ddf03f933958 Mon Sep 17 00:00:00 2001
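Review bot: The cleanup `rm -rf /var/lib/{apt,dpkg,cache,log}` in the new RUN line is a no-op under the Dockerfile default `/bin/sh` (dash on Debian), which does no brace expansion, so `rm -rf` quietly removes a non-existent literal path and the package lists fetched by `apt update` stay in the image layer; had a shell expanded it, removing `/var/lib/dpkg` would also break any later `apt-get` in images derived from this one, so if that is the intent (the description points at the iox image) it deserves a comment. The conventional form is `RUN apt-get update \` / `&& apt-get install --yes --no-install-recommends ca-certificates libssl3 \` / `&& rm -rf /var/lib/apt/lists/*`, which also avoids the `apt` CLI's own warning that it has no stable interface for scripts. The `AS runtime` name is dropped from the replaced FROM line; keeping it costs nothing and preserves `--target runtime`. `USER sinker` is switched before `WORKDIR app` and the COPY, which the builder still performs as root, so the binary lands fine, but the working directory may end up root-owned and unwritable for the service user depending on the builder — worth confirming sinker never writes to its cwd, or creating the directory with the right ownership before `USER`. A service account rarely needs a login shell; `--shell /usr/sbin/nologin` is the usual least-privilege choice over `/bin/bash`.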
From: Phil Bracikowski
Date: Tue, 26 Dec 2023 08:45:33 -0800
Subject: [PATCH 4/4] chore: use multiplatform shas for images

docker buildx imagetools inspect will show the overall manifest sha unlike docker hub which only shows shas for specific platforms.
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 010dcbe..304b258 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Leveraging the pre-built Docker images with
 # cargo-chef and the Rust toolchain
-FROM lukemathwalker/cargo-chef:latest-rust-1.74-bookworm AS chef
+FROM lukemathwalker/cargo-chef:latest-rust-1.74-bookworm@sha256:f2be0d7e17e30166653ccc67498e82759d8124ed8770b48f06395caa8e95c97f AS chef
 WORKDIR app
 FROM chef AS planner
@@ -16,7 +16,7 @@ COPY . .
 RUN cargo build --release --bin sinker
 # We do not need the Rust toolchain to run the binary!
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 RUN apt update \
 && apt install --yes ca-certificates libssl3 --no-install-recommends \
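Review bot: The digests pinned on both FROM lines (this hunk and the chef one above) are manifest-list digests, as the commit message explains, but nothing in the Dockerfile records that, so the next person bumping a version from Docker Hub will likely paste a single-platform digest and apparently repeat the breakage that PATCH 3 backed out. A comment above the first FROM such as `# Image digests are manifest-list digests, taken from: docker buildx imagetools inspect <image>:<tag>` keeps that knowledge with the file. Once a digest is present the `latest-rust-1.74-bookworm` tag is informational only, so a tag/digest mismatch after a future bump would go unnoticed; the comment should say the tag is to be updated alongside the digest.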