
feat: non-root self hosted images for standard deployment #5701


Merged: 39 commits merged into main on May 30, 2025

Conversation

tangowithfoxtrot
Contributor

@tangowithfoxtrot tangowithfoxtrot commented Apr 23, 2025

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-14496

Update our self-hosted standard deployment images (this work excludes Unified) to allow running in non-root contexts, such as kubernetes deployments using runAsNonRoot or specifying user: ${PUID}:${PGID} in a container compose override file.

Note that this work excludes the MSSQL and Nginx images, so a fully non-rootful deployment will require hosting those services separately. Also note that the images are intended to run as non-root users on an opt-in basis. They are not rootless by default, as we want to avoid making breaking changes to existing rootful deployments for the time being.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

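The opt-in described in the PR body, written out as a compose override (an added example; not a file from this PR or from Bitwarden's own compose bundle). It assumes the stock compose file defines services named api, identity and admin, that PUID and PGID are exported in the shell or set in the .env file compose reads, and that the data directories bind-mounted into those containers are already owned by that UID:GID.

```yaml
# docker-compose.override.yml (added example, not from the PR)
#
# Opts the standard-deployment images into running as a non-root user.
# Service names are assumed to match the stock compose file; adjust them
# to yours. mssql and nginx are deliberately omitted: the PR leaves those
# images rootful, so forcing a non-root `user:` on them would break them.
#
# The value is quoted so YAML never reads a substituted "1000:1000" as a
# base-60 integer, and the anchor keeps the setting in exactly one place.
x-nonroot: &nonroot
  user: "${PUID}:${PGID}"   # e.g. PUID=1000 PGID=1000 in .env or the shell

services:
  api:
    <<: *nonroot
  identity:
    <<: *nonroot
  admin:
    <<: *nonroot
```

The Kubernetes equivalent is a container securityContext with runAsNonRoot: true plus an explicit runAsUser/runAsGroup; with runAsNonRoot set, the kubelet refuses to start a container whose image would run as UID 0, so a still-rootful image fails closed instead of silently running as root.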

tangowithfoxtrot and others added 4 commits April 23, 2025 11:25
Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Contributor

github-actions bot commented Apr 23, 2025

Checkmarx One – Scan Summary & Details (492f2df2-814f-4cea-a6d4-a03aa0b750e0)

New Issues (1)

Checkmarx found the following issues in this Pull Request

Severity: CRITICAL
Issue: Stored_XSS
Source File / Package: /util/Server/Startup.cs: 57
Checkmarx Insight: The method Lambda embeds untrusted data in generated output with WriteAsync, at line 59 of /util/Server/Startup.cs. This untrusted data is embedd...
ID: eVLjqrGrhR8bX6vH49rf3sR1lsU%3D


codecov bot commented Apr 23, 2025

Codecov Report

Attention: Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.

Project coverage is 47.51%. Comparing base (31b6b47) to head (c3f4a96).
Report is 17 commits behind head on main.

Files with missing lines Patch % Lines
src/Core/Utilities/CoreHelpers.cs 50.00% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5701   +/-   ##
=======================================
  Coverage   47.51%   47.51%           
=======================================
  Files        1662     1662           
  Lines       75215    75216    +1     
  Branches     6761     6761           
=======================================
+ Hits        35737    35738    +1     
  Misses      38015    38015           
  Partials     1463     1463           

☔ View full report in Codecov by Sentry.

@github-advanced-security github-advanced-security bot left a comment


Checkmarx One found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@justindbaur justindbaur force-pushed the feat/pm-14496-non-root-self-hosted-images branch from e47a1bb to 2e156c2 Compare May 1, 2025 12:57
@justindbaur justindbaur force-pushed the feat/pm-14496-non-root-self-hosted-images branch from 2e156c2 to 284501a Compare May 1, 2025 12:59
Member

@dani-garcia dani-garcia left a comment


Overall looks pretty good to me, though we'll need to make sure this is well tested by QA to ensure everything is working.

I've left some suggestions to simplify the Dockerfiles a bit more. We have a lot of them, so any extra code that we require gets multiplied by 10.

@trmartin4 trmartin4 requested a review from dani-garcia May 20, 2025 01:23
dani-garcia
dani-garcia previously approved these changes May 20, 2025
Member

@dani-garcia dani-garcia left a comment


LGTM, we'll need to make sure this is thoroughly tested to ensure everything works as expected.

@tangowithfoxtrot
Contributor Author

There's a merge conflict in the build workflow. I'm reworking things to reduce the changes between the workflow on this branch and main.

@tangowithfoxtrot
Contributor Author

Apologies for the re-review requests. I think I've reduced the build workflow changes to bring it more in line with main.

Contributor

@Eeebru Eeebru left a comment


With the branch check step removed, was this image build tested?

Comment on lines +51 to 52
dotnet: true
node: true
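Review bot: the toolchain selection at `dotnet: true` / `node: true` deserves an inline comment in the workflow stating why both are enabled for this image (Admin builds its static files with node and the server with dotnet), since a reviewer already had to ask whether building for both was intentional.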
Contributor

@Eeebru Eeebru May 21, 2025


This project is built for node in the artifact job and also built for dotnet in the docker image job; removing the artifact job will build this image for both node and dotnet. Is that the intended behaviour?

Contributor Author


Unless I'm misunderstanding your concern, Admin needs node to build the static files and dotnet to build the server.

Contributor


Just ensuring it's not a mistake.

Comment on lines -69 to -70
- project_name: Server
base_path: ./util
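Review bot: dropping the `project_name: Server` / `base_path: ./util` entry stops publishing the dedicated bitwarden/server image; before merging, confirm that no compose file or documentation still references that image tag, and call the removal out in the release notes so existing deployments that pull it for attachments are not caught out.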
Contributor


Any reason why we are removing this image name in the build?

Contributor Author


We previously only needed a dedicated bitwarden/server image for attachments. Since we're using multi-stage builds, we no longer require it.

Comment on lines -200 to -205
- name: Check branch to publish
env:
PUBLISH_BRANCHES: "main,rc,hotfix-rc"
id: publish-branch-check
run: |
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
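Review bot: removing the `Check branch to publish` step drops the gate that limits image publishing to the branches listed in `PUBLISH_BRANCHES` (`main,rc,hotfix-rc`); unless an equivalent condition exists elsewhere in the job, a build from any branch could publish images. If the step is still wanted, restore it as-is rather than rewriting it, so the diff against main stays small.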
Contributor


Why are we not checking for branch to publish anymore?

Contributor Author


This was removed by mistake. Thanks for catching it. Added it back in 88848e6.

@tangowithfoxtrot tangowithfoxtrot requested a review from Eeebru May 22, 2025 16:36

@tangowithfoxtrot tangowithfoxtrot merged commit 63f5811 into main May 30, 2025
38 of 39 checks passed
@tangowithfoxtrot tangowithfoxtrot deleted the feat/pm-14496-non-root-self-hosted-images branch May 30, 2025 17:29
4 participants