control-service: run data job as non-root user (#710)

Currently data job docker container is run as root user . This is not
considered best practice
(https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)

And in environment where root is forbidden it won't work. For example
the job would fail if data job kubernetes pod is set to run as specific
user e.g using:

```
securityContext:
  fsGroup: 1000
  runAsGroup: 1000
  runAsUser: 1000
```

We are making sure that when building the data job we are  setting up
permissions and users and starting the docker container with new user.

The UID and GID can be passed as argument during docker build but that
is not currently exposed to operators when deploying jobs. So the
UID/GID is currently required to be 1000

Testing Done: deployed locally job with runAsUser securityContext (as
above) and the job succeeded. The integration test would verify end to
end as well.

Signed-off-by: Antoni Ivanov <aivanov@vmware.com>

projects/control-service/CHANGELOG.md

@@ -11,6 +11,10 @@ MAJOR.MINOR - dd.MM.yyyy
 
 * **Breaking Changes**
 
+1.3 - 18.02.2022
+----
+* **Improvement**
+  * Support rootless data job deployment container images and builder jobs
 
 1.3 - 27.01.2022
 ----

projects/control-service/projects/helm_charts/pipelines-control-service/values.yaml

@@ -25,7 +25,7 @@ image:
 deploymentBuilderImage:
   registry: registry.hub.docker.com/versatiledatakit
   repository: job-builder
-  tag: "1.2.2"
+  tag: "1.2.3"
 
 
 ## String to partially override pipelines-control-service.fullname template (will maintain the release name)

projects/control-service/projects/job-builder-rootless/Dockerfile.python.vdk

@@ -4,15 +4,21 @@ ARG base_image=python:3.9-slim
 
 FROM $base_image
 
+ARG UID=1000
+ARG GID=1000
+
 # Set the working directory
 WORKDIR /job
 
-# Make sure base image is python based
+# Validate base image is python based
 RUN python -V
+# Create necessary users and set home directory to /job
+RUN groupadd -r -g $GID vdkgroup && useradd -u $UID -g $GID -r vdkuser && chown -R $UID:$GID /job
+ENV HOME=/job
 
 # Copy the actual job that has to be executed
 ARG job_name
-COPY $job_name $job_name/
+COPY --chown=$UID:$GID $job_name $job_name/
 
 # TODO: this would trigger for any change in job even if requirements.txt does not change
 # but there's no COPY_IF_EXISTS command in docker to try copy it.
@@ -22,3 +28,5 @@ RUN if [ -f "$job_name/$requirements_file" ]; then pip3 install --disable-pip-ve
 ARG job_githash
 ENV JOB_NAME $job_name
 ENV VDK_JOB_GITHASH $job_githash
+
+USER $UID

projects/control-service/projects/job-builder-rootless/version.txt

@@ -1 +1 @@
-1.3.0dev2
+1.3.1dev2

projects/control-service/projects/job-builder/Dockerfile.python.vdk

@@ -4,15 +4,21 @@ ARG base_image=python:3.9-slim
 
 FROM $base_image
 
+ARG UID=1000
+ARG GID=1000
+
 # Set the working directory
 WORKDIR /job
 
-# Make sure base image is python based
+# Validate base image is python based
 RUN python -V
+# Create necessary users and set home directory to /job
+RUN groupadd -r -g $GID group && useradd -u $UID -g $GID -r user && chown -R $UID:$GID /job
+ENV HOME=/job
 
 # Copy the actual job that has to be executed
 ARG job_name
-COPY $job_name $job_name/
+COPY --chown=$UID:$GID $job_name $job_name/
 
 # TODO: this would trigger for any change in job even if requirements.txt does not change
 # but there's no COPY_IF_EXISTS command in docker to try copy it.
@@ -22,3 +28,5 @@ RUN if [ -f "$job_name/$requirements_file" ]; then pip3 install --disable-pip-ve
 ARG job_githash
 ENV JOB_NAME $job_name
 ENV VDK_JOB_GITHASH $job_githash
+
+USER $UID

projects/control-service/projects/job-builder/version.txt

@@ -1 +1 @@
-1.2.2
+1.2.3