
Commit 9701c74

Make Dockerfile.test more secure
Signed-off-by: Manuel Buil <mbuil@suse.com>
1 parent 9b93abc commit 9701c74


1 file changed

+35
-12
lines changed


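--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -1,4 +1,9 @@
 ARG GOLANG=golang:1.25.7-alpine3.23
+ARG KUBECTL_VERSION=v1.34.6
+ARG BENTO_BOX_VERSION=202404.26.0
+ARG BENTO_BOX_SHA256=b23d416e559faab6d6de574b702388b8c998806c3e70c0d8175fddfb649eadb8
+ARG KUBECTL_SHA256=3166155b17198c0af34ff5a360bd4d9d58db98bafadc6f3c2a57ae560563cd6
+
 FROM ${GOLANG} AS test-base
 
 RUN apk -U --no-cache add bash jq
@@ -13,19 +18,25 @@ COPY ./scripts/test-mods /bin/
 ENTRYPOINT ["/bin/test-mods"]
 
 FROM test-base AS test-k3s
-
+ARG KUBECTL_VERSION
+ARG KUBECTL_SHA256
 RUN apk -U --no-cache add git gcc musl-dev docker curl coreutils openssl procps findutils yq
 
 ENV SONOBUOY_VERSION=0.57.2
 
 RUN OS=linux; \
 ARCH=$(go env GOARCH); \
-RELEASE=$(curl -fs https://storage.googleapis.com/kubernetes-release/release/stable.txt); \
+RELEASE=${KUBECTL_VERSION}; \
 if [ "${ARCH}" == "amd64" ] || [ "${ARCH}" == "arm64" ] || [ "${ARCH}" == "s390x" ]; then \
-curl -sL "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_${OS}_${ARCH}.tar.gz" | \
-tar -xzf - -C /usr/local/bin; \
+TARBALL="sonobuoy_${SONOBUOY_VERSION}_${OS}_${ARCH}.tar.gz"; \
+curl -fsSL "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_checksums.txt" -o /tmp/sonobuoy_checksums.txt; \
+curl -fsSL "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/${TARBALL}" -o /tmp/sonobuoy.tar.gz; \
+echo "$(grep "${TARBALL}" /tmp/sonobuoy_checksums.txt | awk '{print $1}') /tmp/sonobuoy.tar.gz" | sha256sum -c -; \
+tar -xzf /tmp/sonobuoy.tar.gz -C /usr/local/bin; \
+rm -f /tmp/sonobuoy.tar.gz /tmp/sonobuoy_checksums.txt; \
 fi; \
-curl -fsL https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/${ARCH}/kubectl -o /usr/local/bin/kubectl; \
+curl -fsSL https://dl.k8s.io/release/${RELEASE}/bin/linux/${ARCH}/kubectl -o /usr/local/bin/kubectl; \
+echo "${KUBECTL_SHA256} /usr/local/bin/kubectl" | sha256sum -c -; \
 chmod a+x /usr/local/bin/kubectl;
 
 ENV TEST_CLEANUP=true
@@ -35,22 +46,34 @@ CMD ["test"]
 
 
 FROM vagrantlibvirt/vagrant-libvirt:sha-a94ce0d AS test-e2e
+ARG KUBECTL_VERSION
+ARG BENTO_BOX_VERSION
+ARG BENTO_BOX_SHA256
+ARG KUBECTL_SHA256
 RUN apt-get update && apt-get install -y docker.io wget
 
 ENV VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1
 RUN vagrant plugin install vagrant-k3s --plugin-version 0.4.0
 RUN vagrant plugin install vagrant-reload vagrant-scp
 
-# Workaround for older vagrant-libvirt image and new vagrant infra wesbites
+# Workaround for older vagrant-libvirt image and new vagrant infra websites
 # See https://github.com/hashicorp/vagrant/issues/13571 and
 # https://github.com/vagrant-libvirt/vagrant-libvirt/issues/1840
-RUN wget https://app.vagrantup.com/bento/boxes/ubuntu-24.04/versions/202404.26.0/providers/libvirt.box -O bento-ubuntu24.04-202404.26.0.box
-RUN vagrant box add bento/ubuntu-24.04 bento-ubuntu24.04-202404.26.0.box
-RUN cd /.vagrant.d/boxes/bento-VAGRANTSLASH-ubuntu-24.04/ && mv 0 202404.26.0 && echo -n "https://app.vagrantup.com/bento/boxes/ubuntu-24.04" > metadata_url
-
-RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"; \
+RUN wget --https-only --retry-connrefused --tries=3 \
+"https://vagrantcloud.com/bento/boxes/ubuntu-24.04/versions/${BENTO_BOX_VERSION}/providers/libvirt/amd64/vagrant.box" \
+-O "bento-ubuntu24.04-${BENTO_BOX_VERSION}.box" \
+&& if [ -n "${BENTO_BOX_SHA256}" ]; then \
+echo "${BENTO_BOX_SHA256} bento-ubuntu24.04-${BENTO_BOX_VERSION}.box" | sha256sum -c -; \
+fi
+RUN vagrant box add bento/ubuntu-24.04 "bento-ubuntu24.04-${BENTO_BOX_VERSION}.box"
+RUN cd /.vagrant.d/boxes/bento-VAGRANTSLASH-ubuntu-24.04/ && mv 0 "${BENTO_BOX_VERSION}" \
+&& echo -n "https://app.vagrantup.com/bento/boxes/ubuntu-24.04" > metadata_url
+
+RUN RELEASE=${KUBECTL_VERSION}; \
+curl -fsSLo ./kubectl "https://dl.k8s.io/release/${RELEASE}/bin/linux/amd64/kubectl"; \
+echo "${KUBECTL_SHA256} ./kubectl" | sha256sum -c -; \
 chmod +x ./kubectl; \
-mv ./kubectl /usr/local/bin/kubectl
+mv ./kubectl /usr/local/bin/kubectl;
 RUN GO_VERSION=go1.23.6; \
 curl -O -L "https://golang.org/dl/${GO_VERSION}.linux-amd64.tar.gz"; \
 rm -rf /usr/local/go; \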
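Review bot: The `KUBECTL_SHA256` value as printed in the first hunk is 63 hex characters, one short of a SHA-256 digest, so the `echo "${KUBECTL_SHA256} …" | sha256sum -c -` lines in the second and third hunks will report no properly formatted checksum line and fail the build; confirm the value against the `kubectl.sha256` file published alongside the binary at the same dl.k8s.io path. In the test-k3s stage that single digest is compared against a binary selected by `ARCH=$(go env GOARCH)`, but kubectl binaries differ per architecture, so the check can only pass on the one architecture the digest was taken from (presumably amd64, matching the test-e2e stage); either declare one ARG per architecture or download and verify the per-arch `.sha256` file next to the binary. The bento box check is the only one wrapped in `if [ -n "${BENTO_BOX_SHA256}" ]`, which lets `--build-arg BENTO_BOX_SHA256=` silently skip verification; make it unconditional like the kubectl checks, `echo "${BENTO_BOX_SHA256} bento-ubuntu24.04-${BENTO_BOX_VERSION}.box" | sha256sum -c -`. The sonobuoy check fetches the checksum list from the same release URL as the tarball, so it proves integrity of the download but not authenticity; a pinned digest ARG, as done for kubectl, would be the stronger form. The final `RUN GO_VERSION=go1.23.6` instruction continues past the end of the hunk.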
