  1. OpenShift Logging
  2. LOG-4271

[release-5.7] Fix kibana packaging in order for it to be properly scanned by prod sec


    • Task
    • Resolution: Done
    • Critical
    • Logging 5.7.3
    • Log Storage
    • Log Storage - Sprint 238

      Summary

      The Kibana image needs to be properly scanned using prodsec tooling at build time. This comes from a higher company directive. The current image is missed in scanning because it is missing a dependency lock file. Additionally, it packages a number of dependencies that may only be required by development.

      Acceptance Criteria

      This task would resolve that by:

      • Adding a yarn.lock file to the repo
      • Updating container.yaml to identify the dependency manager to be yarn

      Challenges

      • Kibana only builds and runs using node 10.x
      • The build targets only work locally with 10.15.x
      • The only node version available to us is 10.40.0 which is incompatible with the build targets
      • The Dockerfile must install node 10 directly and will also need yarn, which may require a "2 stage" setup

      Notes

      One approach is to try to build from the actual Kibana src by:

      • Updating the package.json to explicitly use the versions in the rh-manifest.txt
      • If the above succeeds, we may need to establish a kibana GH repo and abandon origin-aggregated-logging

      Sample of projects using "2 stage" approach to make yarn available:

            ptsiraki@redhat.com Periklis Tsirakidis
            jcantril@redhat.com Jeffrey Cantrill
            Giriyamma Karagere Ramaswamy (Inactive)