
Update platform containers to use non-root users #7872

Conversation

@Dracyr (Contributor) commented Nov 11, 2021

What

Currently all of the Airbyte containers run as root users. This is not really needed, and it is also an issue in locked-down Kubernetes clusters (such as ours) where there is a restrictive PodSecurityPolicy with runAsNonRoot set.

While it is possible to create our own wrapper images that create and use their own non-root users, it would be nice to have this upstream as well. I only added this change now for the core platform containers. It would be nice to have it for all sources/destinations as well, but that would be a bigger change, and I wanted to see first if this is something you want.

How

For scheduler/worker/server, create a new user and switch to it in the Dockerfiles.

For the webapp, change base image to nginxinc/nginx-unprivileged, and use port 8080 instead of 80.
There's a little bit of confusing config here: port 8080 is used throughout the Helm chart for the webapp, but it's served through 8000 in the docker-compose file. I kept the user-facing behaviour the same for now.

Recommended reading order

  1. Dockerfiles

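The How section above makes the pods satisfy a runAsNonRoot PodSecurityPolicy by adding a USER to the platform Dockerfiles and moving the webapp to nginxinc/nginx-unprivileged. The Python check below is an added example, not Airbyte's code: it audits the final stage of a Dockerfile for that property and also flags a caveat that bites such migrations, namely that the kubelet can only verify runAsNonRoot against a numeric UID, so an image whose USER is a name needs runAsUser in the pod spec as well. The sample Dockerfiles are constructed and the unprivileged-base set is an assumption.

```python
# Base image the PR moves the webapp to; assumed here (not verified) to set
# a non-root USER in its own image config.
UNPRIVILEGED_BASES = {"nginxinc/nginx-unprivileged"}

def effective_user(dockerfile: str) -> str:
    """Track FROM/USER across stages; only the last stage becomes the image."""
    user = "root"
    for raw in dockerfile.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        instr = tokens[0].upper()
        if instr == "FROM":
            # skip flags such as --platform=..., then drop tag/digest
            image = next(t for t in tokens[1:] if not t.startswith("--"))
            image = image.split("@")[0].split(":")[0]
            user = "<base>" if image in UNPRIVILEGED_BASES else "root"
        elif instr == "USER":
            user = tokens[1].split(":")[0]  # USER <user>[:<group>]
    return user

def audit(dockerfile: str) -> str:
    """Classify the image for a pod policy that sets runAsNonRoot.

    root:            final stage runs as root, rejected by runAsNonRoot
    nonroot-numeric: numeric UID, kubelet can verify it is non-zero
    nonroot-named:   named user, kubelet cannot prove it is non-root from
                     the image config alone, so the pod also needs runAsUser
    nonroot-base:    inherited from an unprivileged base image
    """
    user = effective_user(dockerfile)
    if user in ("root", "0"):
        return "root"
    if user == "<base>":
        return "nonroot-base"
    return "nonroot-numeric" if user.isdigit() else "nonroot-named"

# Constructed sample Dockerfiles, not the project's real ones.
BEFORE = 'FROM debian:bullseye-slim\nCOPY build/ /app\nENTRYPOINT ["/app/bin/server"]\n'
AFTER = ("FROM debian:bullseye-slim\n"
         "RUN groupadd -r app && useradd -r -g app -u 1000 app\n"
         "COPY --chown=app:app build/ /app\nUSER 1000:1000\n"
         'ENTRYPOINT ["/app/bin/server"]\n')
WEBAPP = "FROM nginxinc/nginx-unprivileged:alpine\nCOPY dist/ /usr/share/nginx/html/\nEXPOSE 8080\n"
MULTISTAGE = ("FROM node:16 AS builder\nUSER node\nRUN npm run build\n"
              "FROM nginx:alpine\nCOPY --from=builder /app/dist /usr/share/nginx/html\n")

if __name__ == "__main__":
    for name, df in [("before", BEFORE), ("after", AFTER), ("webapp", WEBAPP), ("multistage", MULTISTAGE)]:
        print(f"{name:10} -> {audit(df)}")
```

The multistage sample shows the common regression: a USER set in a builder stage does not carry over to the final stage, so that image still runs as root.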

@jrhizor (Contributor) left a comment

Can you also change the port in kube/resources/webapp.yaml?

Otherwise looks good.

@Dracyr (Contributor, Author) commented Nov 15, 2021

@jrhizor Of course, looks like I missed that. Should be updated now in the latest commit 115e3e4

EDIT: I see that the helm ci run failed. Trying to reproduce locally now
EDIT 2: It's failing because the CI run is using the tag 0.32.0-alpha as configured, in which this has not been merged yet, so still running on port 80.

What is the intention of the helm chart PR check? To have it be green in this pipeline, we'd need to update it to use images built for this PR.

@github-actions github-actions bot added the area/documentation Improvements or additions to documentation label Dec 1, 2021
@alafanechere (Contributor) commented Dec 1, 2021

Hi @Dracyr and @jrhizor, I think I spotted some missing port changes from 80 to 8080 for the webapp; I committed some changes. @jrhizor do you think we're ready for approve / merge?

@jrhizor (Contributor) left a comment

Thanks!

@jrhizor jrhizor merged commit ebcaf2b into airbytehq:master Dec 8, 2021
jrhizor added a commit that referenced this pull request Dec 8, 2021
@jrhizor (Contributor) commented Dec 8, 2021

We need to fix the acceptance tests in #8612 to get this in all of the way.

schlattk pushed a commit to schlattk/airbyte that referenced this pull request Jan 4, 2022
* Update platform containers to use non-root users

* Update kube template for the webapp container to use port 8080

After having updated the webapp nginx image to expose port 8080 instead of 80

* missing 80 -> 8080 changes

Co-authored-by: alafanechere <augustin.lafanechere@gmail.com>
Labels: area/documentation (Improvements or additions to documentation), area/platform (issues related to the platform), area/scheduler, area/server, area/worker (Related to worker), community, kubernetes