ci: build and push Docker image based on Chainguard base image

[v1v]

What does this pull request do?

Release two flavours of Docker images:

• the one we always do
• the one based on Wolfi from Chainguard

Please note that we are going to preserve the current Dockerfile, so that users will still be able to build their custom images based on Alpine: this is needed because docker.elastic.co/wolfi/chainguard-base is not a public base image, so docker build would fail for unauthenticated users.

Tests

I created a feature branch test/docker-images-wolfi and ran the snapshot workflow:

• https://github.com/elastic/apm-agent-java/actions/runs/9019062649/job/24781080512

Checklist

• [ ] This is an enhancement of existing features, or a new feature in existing plugins
  • [ ] I have updated CHANGELOG.asciidoc
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] Added an API method or config option? Document in which version this will be introduced
  • [ ] I have made corresponding changes to the documentation
• [ ] This is a bugfix
  • [ ] I have updated CHANGELOG.asciidoc
  • [ ] I have added tests that would fail without this fix
• [ ] This is a new plugin
  • [ ] I have updated CHANGELOG.asciidoc
  • [ ] My code follows the style guidelines of this project
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] New and existing unit tests pass locally with my changes
  • [ ] I have updated supported-technologies.asciidoc
  • [ ] Added an API method or config option? Document in which version this will be introduced
  • [ ] Added an instrumentation plugin? Describe how you made sure that old, non-supported versions are not instrumented by accident.
• [ ] This is something else
  • [ ] I have updated CHANGELOG.asciidoc

[JonasKunz]

Please note that we are going to preserve the current Dockerfile, so that users will still be able to build their custom images based on Alpine: this is needed because docker.elastic.co/wolfi/chainguard-base is not a public base image, so docker build would fail for unauthenticated users.

If users cannot use this new image, what is the purpose of adding it?

[v1v]

If users cannot use this new image, what is the purpose of adding it?

IIUC, users can use the docker image we generate based on Wolfi, but they cannot use the base docker image docker.elastic.co/wolfi/chainguard-base.

[JonasKunz]

IIUC, users can use the docker image we generate based on Wolfi, but they cannot use the base docker image docker.elastic.co/wolfi/chainguard-base.

I see. I suppose the purpose of this PR is to enhance security so that we don't ship any outdated libs in our docker image, correct?

I'd argue then why not simply not use any base-image at all (FROM scratch in the Dockerfile)?

Our image is not intended to be used as a base image, the docs state that it should be used in a COPY-statement: COPY --from=docker.elastic.co/observability/apm-agent-java:latest /usr/agent/elastic-apm-agent.jar /elastic-apm-agent.jar

I feel like this would be a much simpler and easier to maintain approach (if I'm not misunderstanding the goal here). I'd need to double check with them that we really don't want to use our published images as base images anywhere.

[v1v]

I'd argue then why not simply not use any base-image at all (FROM scratch in the Dockerfile)?

For completeness in this thread, I just added you to the loop on an internal GitHub issue.

[JonasKunz]

I'd argue then why not simply not use any base-image at all (FROM scratch in the Dockerfile)?

For reference: We found out that the K8s-attacher requires executing cp within the container, so using FROM scratch is not an option.