From 8c22bbe816cd14eb05c2ce8a06d1084571b778e7 Mon Sep 17 00:00:00 2001 From: Victor Engmark Date: Thu, 7 Jan 2021 15:58:35 +1300 Subject: [PATCH] feat: Lint Dockerfiles Ignore rule to force setting specific package versions since - Ubuntu should only be receiving non-breaking patches, - we don't want the overhead of having to follow up on every package upgrade manually (see https://github.com/dependabot/dependabot-core/issues/2129), and - locking only the top level packages means we'd still get arbitrary versions of their dependencies. --- .hadolint.yaml | 3 +++ .pre-commit-config.yaml | 6 ++++++ .../processing/check_files_checksums/Dockerfile | 4 +++- .../check_flat_directory_structure/Dockerfile | 4 +++- .../processing/check_stac_metadata/Dockerfile | 15 +++++++++++---- ignored: - DL3000 - SC1010 | 0 6 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 .hadolint.yaml create mode 100644 ignored: - DL3000 - SC1010 diff --git a/.hadolint.yaml b/.hadolint.yaml new file mode 100644 index 000000000..85539d16c --- /dev/null +++ b/.hadolint.yaml @@ -0,0 +1,3 @@ +--- +ignored: + - DL3008 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a15021255..01e357142 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -19,6 +19,12 @@ repos: language: system stages: [commit-msg] + - id: hadolint + name: hadolint + language: docker_image + entry: hadolint/hadolint hadolint + files: Dockerfile + - id: isort name: isort entry: isort diff --git a/datalake/backend/processing/check_files_checksums/Dockerfile b/datalake/backend/processing/check_files_checksums/Dockerfile index 656aa09ef..eca3b12db 100644 --- a/datalake/backend/processing/check_files_checksums/Dockerfile +++ b/datalake/backend/processing/check_files_checksums/Dockerfile 
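Review bot: The `ignored:` list in `.hadolint.yaml` carries no comment saying why DL3008 is switched off; the rationale exists only in the commit message, which the next person editing the file will not see. A short comment above the entry would cover it, e.g. `# DL3008 (pin apt package versions): Ubuntu LTS ships only non-breaking patches, and pinning top-level packages leaves their dependencies floating anyway`. Separately, the diffstat and the last file header show that this commit also creates an empty file literally named `ignored: - DL3000 - SC1010`. That looks like an accidental leftover from drafting this config and should probably be dropped before merging.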
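Review bot: The new hook's `entry: hadolint/hadolint hadolint` names the image without a tag or digest, so each developer machine and CI run uses whatever `latest` resolves to at pull time. Lint results can then differ between contributors, and an image nobody reviewed is run against the working tree on every commit. Pin it to a release, `entry: hadolint/hadolint:<pinned-tag> hadolint`, or to a digest, `hadolint/hadolint@sha256:<digest>`, and bump it deliberately.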
@@ -1,6 +1,8 @@
 FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
-RUN apt update && apt install -y python3 && rm -rf /var/lib/apt/lists/*
+RUN apt-get update \
+ && apt-get install --assume-yes --no-install-recommends python3 \
+ && rm -rf /var/lib/apt/lists/*
 COPY datalake/backend/processing/check_files_checksums/task.py /opt/task.py
 RUN chmod +x /opt/task.py
 ENTRYPOINT ["/opt/task.py"]
diff --git a/datalake/backend/processing/check_flat_directory_structure/Dockerfile b/datalake/backend/processing/check_flat_directory_structure/Dockerfile
index 268776b9c..86547f778 100644
--- a/datalake/backend/processing/check_flat_directory_structure/Dockerfile
+++ b/datalake/backend/processing/check_flat_directory_structure/Dockerfile
@@ -1,6 +1,8 @@
 FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
-RUN apt update && apt install -y python3 && rm -rf /var/lib/apt/lists/*
+RUN apt-get update \
+ && apt-get install --assume-yes --no-install-recommends python3 \
+ && rm -rf /var/lib/apt/lists/*
 COPY datalake/backend/processing/check_flat_directory_structure/task.py /opt/task.py
 RUN chmod +x /opt/task.py
 ENTRYPOINT ["/opt/task.py"]
diff --git a/datalake/backend/processing/check_stac_metadata/Dockerfile b/datalake/backend/processing/check_stac_metadata/Dockerfile
index 6bf9f7290..774f80835 100644
--- a/datalake/backend/processing/check_stac_metadata/Dockerfile
+++ b/datalake/backend/processing/check_stac_metadata/Dockerfile
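Review bot: In `check_files_checksums/Dockerfile` no `USER` instruction is visible between `FROM` and `ENTRYPOINT ["/opt/task.py"]`, so as far as the hunk shows `task.py` runs as root. As far as I know hadolint only complains about an explicit `USER root`, so the linter added by this commit will not catch the omission. Since these lines are being touched anyway, consider adding `RUN useradd --system --no-create-home task` followed by `USER task` just before `ENTRYPOINT`. The same applies to the `check_flat_directory_structure` hunk and to the final stage of `check_stac_metadata`. The file may continue past the last context line, so confirm there is no `USER` further down.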
@@ -1,11 +1,16 @@ FROM ubuntu:20.04 as build RUN apt-get update \ - && apt-get install -y curl python3-pip \ + && apt-get install --assume-yes --no-install-recommends curl python3-pip \ && rm -rf /var/lib/apt/lists/* -RUN curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python3 - +RUN curl --location --show-error --silent --output get-poetry.py https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py \ + && echo 'bfc42cff9cb49bb74f6a1fe12c37fb08bcf7a49245a441c272dfd25254d8ae39 get-poetry.py' > get-poetry.py.sha256 \ + && sha256sum --check get-poetry.py.sha256 \ + && python3 get-poetry.py \ + && rm get-poetry.py get-poetry.py.sha256 COPY poetry.lock poetry.toml pyproject.toml /opt/ -RUN cd /opt && ~/.poetry/bin/poetry install --extras=check-stac-metadata-job --no-dev +WORKDIR /opt +RUN ~/.poetry/bin/poetry install --extras=check-stac-metadata-job --no-dev FROM ubuntu:20.04 @@ -13,7 +18,9 @@ FROM ubuntu:20.04 ENTRYPOINT ["/opt/.venv/bin/python", "/opt/task.py"] ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update && apt-get install -y python3 && rm -rf /var/lib/apt/lists/* +RUN apt-get update \ + && apt-get install --assume-yes --no-install-recommends python3 \ + && rm -rf /var/lib/apt/lists/* COPY --from=build /opt/.venv /opt/.venv diff --git a/ignored: - DL3000 - SC1010 b/ignored: - DL3000 - SC1010 new file mode 100644 index 000000000..e69de29bb
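Review bot: The URL in the new `RUN curl --location ...` line of the `check_stac_metadata` build stage still tracks `master`, while the checksum pins the installer's exact bytes. The first upstream edit to `get-poetry.py` will therefore fail `sha256sum --check` and break the build until someone re-hashes. Point the URL at an immutable ref instead, `https://raw.githubusercontent.com/python-poetry/poetry/<tag-or-commit>/get-poetry.py`, so the hash and the source move together. The installer also appears to download a Poetry release itself, which the hash does not cover; passing an explicit version, `python3 get-poetry.py --version <pinned-version>`, would make the build-stage toolchain reproducible. Adding `--fail` to the curl flags would report an HTTP error as such rather than as a checksum mismatch.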