Improve database testing for security compliance

[KyleAure]

User Story:
As a developer of Open Liberty, I need to test against various databases to ensure that Open Liberty features that depend on persisted data are work against the production databases used by our customers while also maintaining a secure build platform and reducing the security risk of running our tests for external contributors.

Current status:

• We pull and run databases images from DockerHub (via Artifactory mirror) at test runtime.
• This includes verified images, community images, and custom images (built in-house)

Main goals:

• Only pull verified images from an alternative source to DockerHub
• Remove dependencies on custom images
  • These are risky because they are pulled without a known and trusted source
  • Instead, pull a verified image, and build the custom image at runtime
  • Internal and external users can see exactly how the image was created from source code
• Internally, cache built custom images so that runtime performance is minimally impacted (is this possible?)
• Collaborate with build team to setup an Artifactory mirror that can pull from alternative sources
  • icr.io, mcr.microsoft.com, ghcr.io, public.ecr.aws
• Figure out how to get the community image ghcr.io/gvenzl/oracle-free approved for use

Scope:

Images we currently use:

• [Verified] icr.io/db2_community/db2:11.5.9.0
• [Verified] mcr.microsoft.com/mssql/server:2019-CU28-ubuntu-20.04
• [Community] gvenzl/oracle-free:23.3-full-faststart
• [Community] gvenzl/oracle-free:23.3-slim-faststart
• [Verified] mongo:6.0.6
• [Verified] postgres:17.0-alpine
• [Custom] kyleaure/cloudant-developer:1.0
• [Custom] kyleaure/couchdb-ssl:1.0
• [Custom] kyleaure/db2-krb5:2.0
• [Custom] kyleaure/db2-ssl:3.0
• [Custom] kyleaure/krb5-server:1.0
• [Custom] kyleaure/oracle-21.3.0-faststart:1.0.full.krb5
• [Custom] kyleaure/oracle-21.3.0-faststart:1.0.full.ssl
• [Custom] kyleaure/postgres-krb5:1.0
• [Custom] kyleaure/postgres-ssl:1.0
• [Custom] kyleaure/postgres-test-table:3.0
• [Custom] kyleaure/sqlserver-ssl:2019-CU18-ubuntu-20.04

Images we should be using:

• [Verified] icr.io/db2_community/db2:11.5.9.0
• [Verified] mcr.microsoft.com/mssql/server:2019-CU28-ubuntu-20.04
• [Community] ghcr.io/gvenzl/oracle-free:23.5-slim-faststart
• [Community] ghcr.io/gvenzl/oracle-free:23.5-full-faststart
• [Verified] public.ecr.aws/docker/library/mongo:6.0.6
• [Verified] public.ecr.aws/docker/library/postgres:17.0-alpine
• [Verified] public.ecr.aws/docker/library/couchdb:3.2.0

Images that need more consideration:

• kyleaure/cloudant-developer:1.0
  • Uses: FROM ibmcom/cloudant-developer:2.0.1
  • We have no replacement for ibmcom/cloudant-developer because it is deprecated
  • This image is only used in com.ibm.ws.rest.handler.validator.cloudant_fat
  • All other Cloudant testing uses CouchDB as a backend
  • Since the cloudant-1.0 feature is stabilized can we consider disabling this test?
  • Or should we try replacing this image with CouchDB?
• kyleaure/krb5-server:1.0
  • Uses: FROM gcavalcante8808/krb5-server
  • We already replace the docker-entrypoint.sh
  • Replace: FROM public.ecr.aws/docker/library/alpine:3.17
  • Install required binaries krb5-server krb5 supervisor tini