VOL-3970 lock down deploy image

- use distroless base image for deployment
- use nonroot user/group for image

Change-Id: Idce62721921168c8bc919c431c4aa2b2eb49243d
diff --git a/Makefile b/Makefile
index 08d9cfe..884693b 100755
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,8 @@
 DOCKER_EXTRA_ARGS        ?=
 DOCKER_REGISTRY          ?=
 DOCKER_REPOSITORY        ?=
-DOCKER_TAG               ?= ${VERSION}
+DOCKER_TAG               ?= ${VERSION}$(shell [[ ${DOCKER_LABEL_VCS_DIRTY} == "true" ]] && echo "-dirty" || true)
+DOCKER_TARGET            ?= prod
 ADAPTER_IMAGENAME        := ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}voltha-openonu-adapter-go:${DOCKER_TAG}
 TYPE                     ?= minimal
 
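Review bot: The `-dirty` suffix added to `DOCKER_TAG` may never reach the image name, because `ADAPTER_IMAGENAME` is assigned with `:=` two lines below and so expands `DOCKER_TAG`, including its `$(shell …)`, at that point in the file. If `DOCKER_LABEL_VCS_DIRTY` is defined further down the Makefile (its definition is not in this hunk), it is still empty here and the unquoted test becomes `[[  == "true" ]]`. That prints a shell error and yields no suffix, so an image built from a modified tree is tagged as if it were clean. `[[` also requires bash, which holds only if `SHELL` is set to bash elsewhere in the file. A make-only form avoids both problems: `DOCKER_TAG ?= ${VERSION}$(if $(filter true,${DOCKER_LABEL_VCS_DIRTY}),-dirty)`, with the `DOCKER_LABEL_VCS_DIRTY` definition placed above this line.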
@@ -57,33 +58,11 @@
 GOLANGCI_LINT     = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app -v gocache:/.cache -v gocache-${VOLTHA_TOOLS_VERSION}:/go/pkg voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-golangci-lint golangci-lint
 HADOLINT          = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-hadolint hadolint
 
-.PHONY: docker-build local-protos local-lib-go
-
-# This should to be the first and default target in this Makefile
-help:
-	@echo "Usage: make [<target>]"
-	@echo "where available targets are:"
-	@echo ""
-	@echo "clean             : Removes any local filesystem artifacts generated by a build"
-	@echo "distclean         : Removes any local filesystem artifacts generated by a build or test run"
-	@echo "build             : Build all openonu adapter artifacts"
-	@echo "docker-build      : Build openonu adapter docker image"
-	@echo "docker-push       : Push the docker images to an external repository"
-	@echo "help              : Print this help"
-	@echo "lint              : Run all lint targets"
-	@echo "lint-dockerfile   : Perform static analysis on Dockerfiles"
-	@echo "lint-mod          : Verify the Go dependencies"
-	@echo "lint-sanity       : Run the Go language sanity tests (vet)"
-	@echo "lint-style        : Verify the Go standard format of the source"
-	@echo "local-protos      : Copies a local verison of the VOLTHA protos into the vendor directory"
-	@echo "local-lib-go      : Copies a local version of the VOTLHA dependencies into the vendor directory"
-	@echo "sca               : Runs various SCA through golangci-lint tool"
-	@echo "test              : Run unit tests, if any"
-	@echo
+.PHONY: docker-build local-protos local-lib-go help
+.DEFAULT_GOAL := help
 
 ## Local Development Helpers
-
-local-protos:
+local-protos: ## Copies a local version of the voltha-protos dependency into the vendor directory
 ifdef LOCAL_PROTOS
 	rm -rf vendor/github.com/opencord/voltha-protos/v4/go
 	mkdir -p vendor/github.com/opencord/voltha-protos/v4/go
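Review bot: The new `.PHONY` line declares only `docker-build local-protos local-lib-go help`, while the other command-style targets that appear in this diff (`build`, `docker-push`, `docker-kind-load`, `lint` and its sub-targets, `test`, `sca`, `clean`, `distclean`, `mod-update`) are not declared phony in any visible hunk. A file or directory of the same name in the repository root would make such a target look up to date and silently skip its recipe, which matters most for `test` and `lint`, since CI may rely on them as gates. Unless they are declared elsewhere in the file, extend the line, e.g. `.PHONY: help build docker-build docker-push docker-kind-load lint lint-dockerfile lint-style lint-sanity lint-mod test sca clean distclean mod-update local-protos local-lib-go`.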
@@ -92,41 +71,41 @@
 endif
 
 ## Local Development Helpers
-local-lib-go:
+local-lib-go: ## Copies a local version of the voltha-lib-go dependency into the vendor directory
 ifdef LOCAL_LIB_GO
+	rm -rf vendor/github.com/opencord/voltha-lib-go/v4/pkg
 	mkdir -p vendor/github.com/opencord/voltha-lib-go/v4/pkg
 	cp -r ${LOCAL_LIB_GO}/pkg/* vendor/github.com/opencord/voltha-lib-go/v4/pkg/
 endif
 
+build: docker-build ## Alias for 'docker build'
+
 ## Docker targets
-
-build: docker-build
-
 docker-build: local-protos local-lib-go ## Build openonu adapter docker image (set BUILD_PROFILED=true to also build the profiled image)
-	docker build $(DOCKER_BUILD_ARGS) -t ${ADAPTER_IMAGENAME} -f docker/Dockerfile.openonu .
+	docker build $(DOCKER_BUILD_ARGS) --target=${DOCKER_TARGET} -t ${ADAPTER_IMAGENAME} -f docker/Dockerfile.openonu .
 ifdef BUILD_PROFILED
-	docker build $(DOCKER_BUILD_ARGS) --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}-profile -f docker/Dockerfile.openonu .
+	docker build $(DOCKER_BUILD_ARGS) --target=${DOCKER_TARGET} --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}-profile -f docker/Dockerfile.openonu .
 endif
 
-docker-push:
+docker-push: ## Push the docker images to an external repository
 	docker push ${ADAPTER_IMAGENAME}
 ifdef BUILD_PROFILED
 	docker push ${ADAPTER_IMAGENAME}-profile
 endif
 
-docker-kind-load:
+docker-kind-load: ## Load docker images into a KinD cluster
 	@if [ "`kind get clusters | grep voltha-$(TYPE)`" = '' ]; then echo "no voltha-$(TYPE) cluster found" && exit 1; fi
 	kind load docker-image ${ADAPTER_IMAGENAME} --name=voltha-$(TYPE) --nodes $(shell kubectl get nodes --template='{{range .items}}{{.metadata.name}},{{end}}' | sed 's/,$$//')
 
 
 ## lint and unit tests
 
-lint-dockerfile:
+lint-dockerfile: ## Perform static analysis on Dockerfile
 	@echo "Running Dockerfile lint check ..."
 	@${HADOLINT} $$(find . -name "Dockerfile.*")
 	@echo "Dockerfile lint check OK"
 
-lint-style:
+lint-style: ## Perform lint style checks on source code
 	@echo "Running style check..."
 	@gofmt_out="$$(${GOFMT} -l $$(find . -name '*.go' -not -path './vendor/*'))" ;\
 	if [ ! -z "$$gofmt_out" ]; then \
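Review bot: `--target=${DOCKER_TARGET}` in `docker-build` lets a caller build the `dev` stage, but the result is still tagged `${ADAPTER_IMAGENAME}`, so it cannot be told apart by name from the distroless nonroot image. The `dev` stage in docker/Dockerfile.openonu is the Alpine Go toolchain image with the whole `COPY . .` source tree and no `USER` line in the hunks shown, and `docker-push` would publish it under the release tag. Either encode the target in the tag or make the push refuse anything but `prod`, for example as the first recipe line of `docker-push`: `@[ "${DOCKER_TARGET}" = "prod" ] || (echo "ERROR: refusing to push DOCKER_TARGET=${DOCKER_TARGET}" && exit 1)`. The `docker-build` help text should also mention `DOCKER_TARGET` next to `BUILD_PROFILED`.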
@@ -136,12 +115,12 @@
 	fi
 	@echo "Style check OK"
 
-lint-sanity:
+lint-sanity: ## Perform basic code checks on source
 	@echo "Running sanity check..."
 	@${GO} vet -mod=vendor ./...
 	@echo "Sanity check OK"
 
-lint-mod:
+lint-mod: ## Verify the Go dependencies
 	@echo "Running dependency check..."
 	@${GO} mod verify
 	@echo "Dependency check OK. Running vendor check..."
@@ -155,9 +134,9 @@
 	@[[ `git ls-files --exclude-standard --others go.mod go.sum vendor` == "" ]] || (echo "ERROR: Untracked files detected after running go mod tidy / go mod vendor" && echo "`git status`" && exit 1)
 	@echo "Vendor check OK."
 
-lint: local-lib-go lint-style lint-sanity lint-mod lint-dockerfile
+lint: local-lib-go lint-style lint-sanity lint-mod lint-dockerfile ## Run all lint targets
 
-test: lint
+test: lint ## Run unit tests
 	@mkdir -p ./tests/results
 	@${GO} test -mod=vendor -v -coverprofile ./tests/results/go-test-coverage.out -covermode count ./... 2>&1 | tee ./tests/results/go-test-results.out ;\
 	RETURN=$$? ;\
@@ -165,17 +144,25 @@
 	${GOCOVER_COBERTURA} < ./tests/results/go-test-coverage.out > ./tests/results/go-test-coverage.xml ;\
 	exit $$RETURN
 
-sca:
+sca: ## Runs static code analysis with the golangci-lint tool
 	@mkdir -p ./sca-report
 	@echo "Running static code analysis..."
 	@${GOLANGCI_LINT} run --deadline=6m --out-format junit-xml ./... | tee ./sca-report/sca-report.xml
 	@echo "Static code analysis OK"
 
-clean: distclean
+clean: distclean ## Removes any local filesystem artifacts generated by a build
 
-distclean:
+distclean: ## Removes any local filesystem artifacts generated by a build or test run
 	rm -rf ./sca-report
 
-mod-update:
+mod-update: ## Update go mod files
 	${GO} mod tidy
 	${GO} mod vendor
+
+# For each makefile target, add ## <description> on the target line and it will be listed by 'make help'
+help: ## Print help for each Makefile target
+	@echo "Usage: make [<target>]"
+	@echo "where available targets are:"
+	@echo
+	@grep '^[[:alpha:]_-]*:.* ##' $(MAKEFILE_LIST) \
+		| sort | awk 'BEGIN {FS=":.* ## "}; {printf "%-25s : %s\n", $$1, $$2};'
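Review bot: The `grep` in the new `help` recipe is passed `$(MAKEFILE_LIST)` without `-h`, so once that list holds more than one file (any `include`; none is visible in the hunks shown) grep prefixes each match with the file name. With `FS=":.* ## "` the first awk field is then the file name rather than the target, and every help row shows the wrong name. Use `@grep -h '^[[:alpha:]_-]*:.* ##' $(MAKEFILE_LIST) \` to keep the output stable. The character class also skips any target whose name contains a digit or a dot, which is worth noting in the comment above `help`.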
diff --git a/docker/Dockerfile.openonu b/docker/Dockerfile.openonu
index 5d50605..26b1c20 100755
--- a/docker/Dockerfile.openonu
+++ b/docker/Dockerfile.openonu
@@ -15,20 +15,13 @@
 # -------------
 # Build stage
 
-ARG GOLANG_IMAGE=golang:1.13.8-alpine3.11
-ARG DEPLOY_IMAGE=gcr.io/distroless/static:nonroot
-ARG IMAGE_OS=linux
-ARG IMAGE_ARCH=amd64
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH  $GOLANG_IMAGE AS build-env
+FROM --platform=linux/amd64 golang:1.13.8-alpine3.11 AS dev
 
 # Install required packages
 RUN apk add --no-cache build-base=0.5-r1
 
-# Prepare directory structure
-WORKDIR /go/src/github.com/opencord/voltha-openonu-adapter-go
-
-# Copy common files.
+# Use Standard go build directory structure
+WORKDIR /go/src
 COPY . .
 
 ARG EXTRA_GO_BUILD_TAGS=""
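Review bot: Both base images are now hard-coded by tag only: `golang:1.13.8-alpine3.11` in this hunk and `gcr.io/distroless/static:nonroot` in the image creation stage further down. `nonroot` is a moving tag, so the contents of the deployed image can change between two builds of the same commit without anything in this repository changing. For a change whose purpose is to lock down the deploy image, pinning by digest makes the base auditable and reproducible, e.g. `FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot@sha256:<digest-placeholder> AS prod`, with the digest refreshed deliberately when the base is updated. Dropping the `GOLANG_IMAGE` and `DEPLOY_IMAGE` build args also removes the way to substitute a mirrored or patched base; that may be intended, but the commit message should say so.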
@@ -40,11 +33,10 @@
 ARG org_opencord_vcs_commit_date=unknown
 ARG org_opencord_vcs_dirty=unknown
 
-# Build openonu
+# Build
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 RUN \
-CGO_ENABLED=0 GOOS=$IMAGE_OS GOARCH=$IMAGE_ARCH \
-go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /go/bin/openonu \
+CGO_ENABLED=0 go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /app/openonu \
 -ldflags \
 "-X github.com/opencord/voltha-lib-go/v4/pkg/version.version=$org_label_schema_version \
 -X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsRef=$org_label_schema_vcs_ref \
@@ -55,16 +47,18 @@
 -X github.com/opencord/voltha-lib-go/v4/pkg/version.buildTime=$org_label_schema_build_date" \
 ./cmd/openonu-adapter/
 
+WORKDIR /app
+
 # -------------
 # Image creation stage
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH $DEPLOY_IMAGE
+
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot AS prod
 
 # Set the working directory
 WORKDIR /app
 
 # Copy required files
-COPY --from=build-env /go/bin/openonu /app/openonu
+COPY --from=dev /app/openonu /app/openonu
 
 # Label image
 ARG org_label_schema_version=unknown
@@ -73,8 +67,6 @@
 ARG org_label_schema_build_date=unknown
 ARG org_opencord_vcs_commit_date=unknown
 ARG org_opencord_vcs_dirty=unknown
-ARG IMAGE_USER=nonroot
-ARG IMAGE_GROUP=nonroot
 
 LABEL \
 org.label-schema.schema-version=1.0 \
@@ -86,4 +78,4 @@
 org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
 org.opencord.vcs-dirty=$org_opencord_vcs_dirty
 
-USER $IMAGE_USER:$IMAGE_GROUP
+USER nonroot:nonroot
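Review bot: `USER nonroot:nonroot` names the account instead of giving its numeric ID, and Kubernetes cannot check a named user against `runAsNonRoot: true`: the kubelet refuses to start the container because it cannot verify that a non-numeric user is not root. The distroless `nonroot` account is UID/GID 65532, so `USER 65532:65532` keeps the same identity and lets the pod security context enforce it. A one-line comment above it, such as `# 65532 is the distroless "nonroot" user/group`, keeps the intent readable.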