Use Distroless for the Java Docker base image. (#6537)

* Use Distroless for the Java Docker base image.

We switched away from Distroless because it was causing issues with
`docker pull` when you had Docker configured to use `gcloud` for
authentication, but weren't actually authenticated.

Adding `docker-credential-gcloud` to dev-env should hopefully fix this,
meaning we can switch back to a base image that is better-maintained.

CHANGELOG_BEGIN
CHANGELOG_END

* Bump rules_docker to v0.14.3.

This fixes an issue when running `bazel sync`:

```
ERROR: java.io.IOException: Error downloading [http://central.maven.org/maven2/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar] to [...]/external/javax_servlet_api/javax.servlet-api-3.0.1.jar: Unknown host: central.maven.org
```

WORKSPACE

@@ -737,10 +737,11 @@ container_deps()
 load("@io_bazel_rules_docker//container:container.bzl", "container_pull")
 
 container_pull(
-    name = "openjdk_base",
-    registry = "docker.io",
-    repository = "openjdk",
-    tag = "8-alpine",
+    name = "java_base",
+    digest = "sha256:7cef6d99241bc86e09659d41842e3656a1cab99adf0e440a44d2858c8e52a71a",
+    registry = "gcr.io",
+    repository = "distroless/java",
+    tag = "8",
 )
 
 load("@io_bazel_rules_docker//java:image.bzl", java_image_repositories = "repositories")

deps.bzl

@@ -151,9 +151,9 @@ def daml_deps():
     if "io_bazel_rules_docker" not in native.existing_rules():
         http_archive(
             name = "io_bazel_rules_docker",
-            url = "https://github.com/bazelbuild/rules_docker/releases/download/v0.12.1/rules_docker-v0.12.1.tar.gz",
-            strip_prefix = "rules_docker-0.12.1",
-            sha256 = "14ac30773fdb393ddec90e158c9ec7ebb3f8a4fd533ec2abbfd8789ad81a284b",
+            url = "https://github.com/bazelbuild/rules_docker/releases/download/v0.14.3/rules_docker-v0.14.3.tar.gz",
+            strip_prefix = "rules_docker-0.14.3",
+            sha256 = "6287241e033d247e9da5ff705dd6ef526bac39ae82f3d17de1b69f8cb313f9cd",
         )
 
     if "com_google_protobuf" not in native.existing_rules():

dev-env/bin/docker-credential-gcloud

@@ -0,0 +1 @@
+../lib/dade-exec-nix-tool

ledger/ledger-on-memory/BUILD.bazel

@@ -180,7 +180,7 @@ conformance_test(
 
 java_image(
     name = "app-image",
-    base = "@openjdk_base//image",
+    base = "@java_base//image",
     main_class = "com.daml.ledger.on.memory.Main",
     resources = ["src/app/resources/logback.xml"],
     visibility = ["//visibility:public"],

ledger/sandbox/BUILD.bazel

@@ -178,7 +178,7 @@ genrule(
 
 container_image(
     name = "sandbox-image-base",
-    base = "@openjdk_base//image",
+    base = "@java_base//image",
     cmd = None,
     directory = "/usr/bin",
     files = [

nix/default.nix

@@ -222,8 +222,9 @@ in rec {
     # Cloud tools
     aws = pkgs.awscli;
     gcloud = pkgs.google-cloud-sdk;
-    bq     = gcloud;
+    bq = gcloud;
     gsutil = gcloud;
+    docker-credential-gcloud = gcloud;
     # used to set up the webide CI pipeline in azure-cron.yml
     docker-credential-gcr = pkgs.docker-credential-gcr;
     # Note: we need to pin Terraform to 0.11 until nixpkgs includes a version