Migrate cp-kcat to UBI9 micro base image

Switch from 2-stage ubi9-minimal build to 3-stage build using
ubi9-micro as the final base:
- Stage 1: Build kcat from source on ubi9 (unchanged logic)
- Stage 2: Install runtime deps (libcurl, cyrus-sasl, krb5, etc.)
  into /microdir using dnf --installroot
- Stage 3: Copy runtime libs + kcat binary to ubi9-micro

Key changes:
- Base image: ubi9-minimal -> ubi9-micro (ultra-lightweight, no pkg mgr)
- Package manager: microdnf -> dnf --installroot=/microdir
- Runtime deps installed in isolated stage, only /usr/lib64 + /etc/pki copied
- Remove shadow-utils from build deps; manually create appuser in /etc/passwd
- Build arg: UBI_MINIMAL_VERSION -> UBI_MICRO_VERSION + UBI9_VERSION
- Fix LABEL summary quoting (remove nested quotes)
- Fix fabric8 plugin indentation in pom.xml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: KrishVora01

kcat/Dockerfile.ubi9

@@ -18,19 +18,18 @@ ARG DOCKER_UPSTREAM_TAG=ubi9-latest
 ARG PROJECT_VERSION
 ARG ARTIFACT_ID
 ARG GIT_COMMIT
-ARG UBI_MINIMAL_VERSION="latest"
+ARG UBI9_VERSION
+ARG UBI_MICRO_VERSION
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:${UBI_MINIMAL_VERSION}
+# Stage 1: Build kcat from source
+FROM registry.access.redhat.com/ubi9:${UBI9_VERSION} AS build
 
 WORKDIR /build
 
 ENV VERSION=1.7.0
-ENV BUILD_PACKAGES="which git make cmake gcc-c++ zlib-devel curl-devel openssl-devel cyrus-sasl-devel krb5-devel pkgconfig lz4-devel wget tar findutils shadow-utils"
-
-USER root
+ENV BUILD_PACKAGES="which git make cmake gcc-c++ zlib-devel curl-devel openssl-devel cyrus-sasl-devel krb5-devel pkgconfig lz4-devel wget tar findutils"
 
 RUN echo "Building kcat ....." \
-    && microdnf install -y dnf \
     && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
     && dnf install -y $BUILD_PACKAGES \
     && dnf clean all \
@@ -41,35 +40,53 @@ RUN echo "Building kcat ....." \
     && make \
     && ldd kcat
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:${UBI_MINIMAL_VERSION}
+# Stage 2: Install runtime dependencies to /microdir
+FROM registry.access.redhat.com/ubi9:${UBI9_VERSION} AS runtime-deps
+
+RUN mkdir -p /microdir \
+    && dnf install -y --installroot=/microdir --releasever=9 --setopt=install_weak_deps=False --nodocs \
+       ca-certificates \
+       libcurl-minimal \
+       cyrus-sasl-lib \
+       krb5-libs \
+       openssl-libs \
+       zlib \
+       libxcrypt \
+       libcom_err \
+       keyutils-libs \
+       libnghttp2 \
+    && dnf --installroot=/microdir clean all \
+    && rm -rf /microdir/var/cache/* /microdir/var/log/dnf* /microdir/var/log/yum.* \
+    && rm -rf /microdir/dev/* /microdir/proc/* /microdir/sys/*
+
+# Stage 3: Final ultra-lightweight image using ubi9-micro
+FROM registry.access.redhat.com/ubi9-micro:${UBI_MICRO_VERSION}
 
 LABEL maintainer="partner-support@confluent.io"
 LABEL vendor="Confluent"
 LABEL version=$GIT_COMMIT
 LABEL release=$PROJECT_VERSION
 LABEL name=$ARTIFACT_ID
-LABEL summary="kcat is a command line utility that you can use to test and debug Apache Kafka® deployments. You can use kcat to produce, consume, and list topic and partition information for Kafka. Described as “netcat for Kafka”, it is a swiss-army knife of tools for inspecting and creating data in Kafka."
+LABEL summary="kcat is a command line utility that you can use to test and debug Apache Kafka® deployments. You can use kcat to produce, consume, and list topic and partition information for Kafka. Described as netcat for Kafka, it is a swiss-army knife of tools for inspecting and creating data in Kafka."
 LABEL io.confluent.docker=true
 LABEL io.confluent.docker.git.id=$GIT_COMMIT
 ARG BUILD_NUMBER=-1
 LABEL io.confluent.docker.build.number=$BUILD_NUMBER
 LABEL io.confluent.docker.git.repo="confluentinc/kafkacat-images"
 
-USER root
+# Copy runtime libraries from the deps stage
+COPY --from=runtime-deps /microdir/usr/lib64/ /usr/lib64/
+COPY --from=runtime-deps /microdir/etc/pki/ /etc/pki/
 
-COPY --from=0 /build/kcat/kcat /usr/local/bin/
+# Copy kcat binary from the build stage
+COPY --from=build /build/kcat/kcat /usr/local/bin/
+RUN ln -s /usr/local/bin/kcat /usr/local/bin/kafkacat
 
-RUN ln -s /usr/local/bin/kcat /usr/local/bin/kafkacat \
-    && echo "Installing runtime dependencies for SSL and SASL support ...." \
-    && microdnf install -y dnf \
-    && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
-    && dnf install -y ca-certificates \
-    && echo "===> clean up ..."  \
-    && dnf clean all \
-    && rm -rf /tmp/*
+# Create non-root user (ubi9-micro has no shadow-utils)
+RUN echo "appuser:x:1000:1000:appuser:/home/appuser:/sbin/nologin" >> /etc/passwd \
+    && echo "appuser:x:1000:" >> /etc/group
 
-RUN useradd -ms /bin/bash appuser
-USER appuser
+USER 1000
 
 RUN kcat -V
 

kcat/pom.xml

@@ -42,27 +42,29 @@
                 <artifactId>dockerfile-maven-plugin</artifactId>
                 <configuration>
                     <buildArgs>
-                        <UBI_MINIMAL_VERSION>${ubi9.minimal.image.version}</UBI_MINIMAL_VERSION>
+                        <UBI_MICRO_VERSION>${ubi9-micro.image.version}</UBI_MICRO_VERSION>
+                        <UBI9_VERSION>${ubi9.image.version}</UBI9_VERSION>
                     </buildArgs>
                 </configuration>
             </plugin>
 
             <plugin>
-            <groupId>io.fabric8</groupId>
-            <artifactId>docker-maven-plugin</artifactId>
-            <version>0.48.1</version>
-            <configuration>
-              <images>
-                <image>
-                  <build>
-                    <args>
-                      <UBI_MINIMAL_VERSION>${ubi9.minimal.image.version}</UBI_MINIMAL_VERSION>
-                    </args>
-                  </build>
-                </image>
-              </images>
-            </configuration>
-          </plugin>       
+                <groupId>io.fabric8</groupId>
+                <artifactId>docker-maven-plugin</artifactId>
+                <version>0.48.1</version>
+                <configuration>
+                    <images>
+                        <image>
+                            <build>
+                                <args>
+                                    <UBI_MICRO_VERSION>${ubi9-micro.image.version}</UBI_MICRO_VERSION>
+                                    <UBI9_VERSION>${ubi9.image.version}</UBI9_VERSION>
+                                </args>
+                            </build>
+                        </image>
+                    </images>
+                </configuration>
+            </plugin>       
         </plugins>
     </build>