feat: replace openjdk with amazoncorretto:17.0.4 on platform for security compliance (#16919)

airbyte-bootloader/Dockerfile

@@ -1,5 +1,5 @@
-ARG JDK_VERSION=19-slim-bullseye
-ARG JDK_IMAGE=openjdk:${JDK_VERSION}
+ARG JDK_VERSION=17.0.4
+ARG JDK_IMAGE=amazoncorretto:${JDK_VERSION}
 FROM ${JDK_IMAGE}
 
 ARG VERSION=0.40.7

airbyte-container-orchestrator/Dockerfile

@@ -1,31 +1,14 @@
-ARG JDK_VERSION=19-slim-bullseye
-ARG JDK_IMAGE=openjdk:${JDK_VERSION}
+ARG JDK_VERSION=17.0.4
+ARG JDK_IMAGE=amazoncorretto:${JDK_VERSION}
 FROM ${JDK_IMAGE} AS orchestrator
 
 ARG DOCKER_BUILD_ARCH=amd64
 
-# Install Docker to launch worker images. Eventually should be replaced with Docker-java.
-# See https://gitter.im/docker-java/docker-java?at=5f3eb87ba8c1780176603f4e for more information on why we are not currently using Docker-java
-# See https://docs.docker.com/engine/install/debian/ to understand what the following commands are
-# doing.
-RUN apt-get update && apt-get install -y \
-                          ca-certificates \
-                          wget \
-                          gnupg \
-                          lsb-release
-RUN mkdir -p /etc/apt/keyrings && \
-        wget -O - https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
-        echo \
-          "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
-          $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-RUN apt-get update && apt-get install -y docker-ce-cli jq
+RUN amazon-linux-extras install -y docker
+RUN yum install -y jq tar && yum clean all
 
-# Install kubectl for copying files to kube pods. Eventually should be replaced with a kube java client.
-# See https://github.com/airbytehq/airbyte/issues/8643 for more information on why we are using kubectl for copying.
-# The following commands were taken from https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-using-native-package-management
-RUN wget -O /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg && \
-        echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list
-RUN apt-get update && apt-get install -y kubectl
+RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${DOCKER_BUILD_ARCH}/kubectl" \
+        && chmod +x kubectl && mv kubectl /usr/local/bin/
 
 # Don't change this manually.  Bump version expects to make moves based on this string
 ARG VERSION=0.40.7

airbyte-cron/Dockerfile

@@ -1,5 +1,5 @@
-ARG JDK_VERSION=19-slim-bullseye
-ARG JDK_IMAGE=openjdk:${JDK_VERSION}
+ARG JDK_VERSION=17.0.4
+ARG JDK_IMAGE=amazoncorretto:${JDK_VERSION}
 FROM ${JDK_IMAGE} AS cron
 
 ARG VERSION=0.40.7

airbyte-metrics/reporter/Dockerfile

@@ -1,5 +1,5 @@
-ARG JDK_VERSION=19-slim-bullseye
-ARG JDK_IMAGE=openjdk:${JDK_VERSION}
+ARG JDK_VERSION=17.0.4
+ARG JDK_IMAGE=amazoncorretto:${JDK_VERSION}
 FROM ${JDK_IMAGE} AS metrics-reporter
 
 ARG VERSION=0.40.7

airbyte-server/Dockerfile

@@ -1,5 +1,5 @@
-ARG JDK_VERSION=19-slim-bullseye
-ARG JDK_IMAGE=openjdk:${JDK_VERSION}
+ARG JDK_VERSION=17.0.4
+ARG JDK_IMAGE=amazoncorretto:${JDK_VERSION}
 FROM ${JDK_IMAGE} AS server
 
 EXPOSE 8000

airbyte-workers/Dockerfile

@@ -1,31 +1,14 @@
-ARG JDK_VERSION=19-slim-bullseye
-ARG JDK_IMAGE=openjdk:${JDK_VERSION}
+ARG JDK_VERSION=17.0.4
+ARG JDK_IMAGE=amazoncorretto:${JDK_VERSION}
 FROM ${JDK_IMAGE} AS worker
 
 ARG DOCKER_BUILD_ARCH=amd64
 
-# Install Docker to launch worker images. Eventually should be replaced with Docker-java.
-# See https://gitter.im/docker-java/docker-java?at=5f3eb87ba8c1780176603f4e for more information on why we are not currently using Docker-java
-# See https://docs.docker.com/engine/install/debian/ to understand what the following commands are
-# doing.
-RUN apt-get update && apt-get install -y \
-                          ca-certificates \
-                          wget \
-                          gnupg \
-                          lsb-release
-RUN mkdir -p /etc/apt/keyrings && \
-        wget -O - https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
-        echo \
-          "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
-          $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-RUN apt-get update && apt-get install -y docker-ce-cli jq
+RUN amazon-linux-extras install -y docker
+RUN yum install -y jq tar && yum clean all
 
-# Install kubectl for copying files to kube pods. Eventually should be replaced with a kube java client.
-# See https://github.com/airbytehq/airbyte/issues/8643 for more information on why we are using kubectl for copying.
-# The following commands were taken from https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-using-native-package-management
-RUN wget -O /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg && \
-        echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list
-RUN apt-get update && apt-get install -y kubectl
+RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${DOCKER_BUILD_ARCH}/kubectl" \
+        && chmod +x kubectl && mv kubectl /usr/local/bin/
 
 # Don't change this manually.  Bump version expects to make moves based on this string
 ARG VERSION=0.40.7

build.gradle

@@ -231,7 +231,7 @@ subprojects { subproj ->
 
         tasks.register("buildDockerImage", DockerBuildImage) {
             // This is currently only used for connectors.
-            def jdkVersion = System.getenv('JDK_VERSION') ?: '17.0.1'
+            def jdkVersion = System.getenv('JDK_VERSION') ?: '17.0.4'
 
             def arch = System.getenv('BUILD_ARCH') ?: System.getProperty("os.arch").toLowerCase()
             def isArm64 = arch == "aarch64" || arch == "arm64"
@@ -239,7 +239,7 @@ subprojects { subproj ->
             def buildPlatform = System.getenv('DOCKER_BUILD_PLATFORM') ?: isArm64 ? 'linux/arm64' : 'linux/amd64'
             def alpineImage = System.getenv('ALPINE_IMAGE') ?: isArm64 ? 'arm64v8/alpine:3.14' : 'amd64/alpine:3.14'
             def nginxImage = System.getenv('NGINX_IMAGE') ?: isArm64 ? 'arm64v8/nginx:alpine' : 'amd64/nginx:alpine'
-            def openjdkImage = System.getenv('JDK_IMAGE') ?: isArm64 ? "arm64v8/openjdk:19-slim-bullseye" : "amd64/openjdk:19-slim-bullseye"
+            def openjdkImage = System.getenv('JDK_IMAGE') ?: isArm64 ? "arm64v8/amazoncorretto:17.0.4" : "amd64/amazoncorretto:17.0.4"
             def buildArch = System.getenv('DOCKER_BUILD_ARCH') ?: isArm64 ? 'arm64' : 'amd64'
 
             platform = buildPlatform

buildSrc/src/main/groovy/airbyte-docker.gradle

@@ -117,8 +117,8 @@ class AirbyteDockerPlugin implements Plugin<Project> {
         return "$stdout".toString().trim()
     }
 
-    // Some image tags rely on environment variables (e.g. "FROM openjdk:${JDK_VERSION}-slim").
-    // dump those into a "sh -c 'echo ...'" command to resolve them (e.g. "openjdk:17-slim")
+    // Some image tags rely on environment variables (e.g. "FROM amazoncorretto:${JDK_VERSION}").
+    // dump those into a "sh -c 'echo ...'" command to resolve them (e.g. "amazoncorretto:17.0.4")
     static String resolveEnvironmentVariables(Project project, String str) {
         def stdout = new ByteArrayOutputStream()
 

tools/bin/publish_docker.sh

@@ -18,7 +18,7 @@ projectDir=(
 
 # Set default values to required vars. If set in env, values will be taken from there.
 # Primarily for testing.
-JDK_VERSION=${JDK_VERSION:-19-slim-bullseye}
+JDK_VERSION=${JDK_VERSION:-17.0.4}
 ALPINE_IMAGE=${ALPINE_IMAGE:-alpine:3.14}
 POSTGRES_IMAGE=${POSTGRES_IMAGE:-postgres:13-alpine}