image built from upstream.Dockerfile should have no shell

[exdx]

Feature Request

Is your feature request related to a problem? Please describe. The upstream.Dockerfile used for building OLM releases was previously based on golang:alpine based images on dockerhub. Due to the new ratelimiting policies that dockerhub created, a change was made to move off dockerhub images and onto quay in #2110

The upstream.Dockerfile is a multi-stage build, and in the second stage the alpine:latest image was being used. This was changed to the gcr.io/distroless/static:debug image, which has a shell in it, for purposes of backwards compatibility for users who expect OLM to have a shell to drop into. Best practices suggest that a container image with just statically linked binaries in it should not have a shell if it does not require one and only makes syscalls.

Describe the solution you'd like Build from scratch or gcr.io/distroless/static in the second stage of the upstream.Dockerfile build.

[exdx]

v0.18.0 relies on the static:debug tag ... the plan for the v0.19.0 release is to go with the static tag

[timflannagan]

@exdx Is this still relevant after the upstream.Dockerfile has been nuked/renamed to Dockerfile. It looks like that file still uses static:debug as the final image layer, so it seems like this issue is still relevant but wanted to double-check that assumption.

[exdx]

Yes, I think so since the imageref is the same

[timflannagan]

@exdx @awgreene Is this something we'd expect to block the v0.21.0 release? Should we move this to the backlog or v0.22.0 milestone?

[exdx]

I'm ok with moving this to the backlog -- I don't think it should block the next release.