harden, scan, and attest container images

[qrkourier]

The container images must be hardened, scanned, and signed to satisfy security minimums for production deployments (e.g., Docker, Kubernetes).

The popular approach to hardening seems to be switching to a source image that is comparatively free of CVEs, and that seems like the only sensible approach.

Our current images are sourcing the RedHat Universal Base Image (UBI) minimal variant, which reportedly has about 2/3 as many CVEs as a comparable Debian image, so we're not in the worst possible condition. Using the UBI is a prerequisite for OpenShift certification. So, if we decide to pursue that certification and have switched away from the UBI, we'd have to create a parallel UBI-based image build or switch back to the UBI.

Alternative images billed as "hardened" include ChainGuard's, USAF's Iron Bank, and Canonical's Chiselled.

Resources:

• https://www.chainguard.dev/
• https://docs.sigstore.dev/signing/signing_with_containers/
• https://github.com/openpubkey/openpubkey?tab=readme-ov-file#readme
• https://notaryproject.dev/
• https://docs.docker.com/engine/security/trust/