From 60621ff3187a903005dbbb44c71829ddf80ce87a Mon Sep 17 00:00:00 2001 From: Cyril Jouve Date: Fri, 25 Nov 2022 02:14:27 +0100 Subject: [PATCH] rework dockerfiles (#519) * fetch checksum when possible * use sha256sum -c to validate checksum * use tar features to extract artifacts * validate installed pkg in-place Signed-off-by: Cyril Jouve Signed-off-by: Cyril Jouve --- .dockerignore | 1 + Dockerfile | 55 +++++++++++++++++--------------- Dockerfile.debian-stable-slim | 59 +++++++++++++++++++---------------- Dockerfile.ubuntu | 59 +++++++++++++++++++---------------- 4 files changed, 95 insertions(+), 79 deletions(-) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 00000000..3253b19e --- /dev/null +++ b/.dockerignore @@ -0,0 +1 @@ +Dockerfile* diff --git a/Dockerfile b/Dockerfile index a8217633..1b174f89 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,58 +18,63 @@ LABEL org.opencontainers.image.source https://github.com/helmfile/helmfile RUN apk add --no-cache ca-certificates git bash curl jq openssh-client ARG HELM_VERSION="v3.10.2" +ENV HELM_VERSION="${HELM_VERSION}" ARG HELM_SHA256="2315941a13291c277dac9f65e75ead56386440d3907e0540bf157ae70f188347" ARG HELM_LOCATION="https://get.helm.sh" ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz" - RUN set -x && \ - curl --retry 5 --retry-connrefused -LO ${HELM_LOCATION}/${HELM_FILENAME} && \ + curl --retry 5 --retry-connrefused -LO "${HELM_LOCATION}/${HELM_FILENAME}" && \ echo Verifying ${HELM_FILENAME}... && \ - sha256sum ${HELM_FILENAME} | grep -q "${HELM_SHA256}" && \ + echo "${HELM_SHA256} ${HELM_FILENAME}" | sha256sum -c && \ echo Extracting ${HELM_FILENAME}... && \ - tar zxvf ${HELM_FILENAME} && mv /linux-amd64/helm /usr/local/bin/ && \ - rm ${HELM_FILENAME} && rm -r /linux-amd64 + tar xvf "${HELM_FILENAME}" -C /usr/local/bin --strip-components 1 linux-amd64/helm && \ + rm "${HELM_FILENAME}" && \ + [ "$(helm version --template '{{.Version}}')" = "${HELM_VERSION}" ] # using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/ # for now but in a future version of alpine (in the testing version at the time of writing) # we should be able to install using apk add. -# the sha256 sum can be found at https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256 -# maybe a good idea to automate in the future? ENV KUBECTL_VERSION="v1.25.2" -ENV KUBECTL_SHA256="8639f2b9c33d38910d706171ce3d25be9b19fc139d0e3d4627f38ce84f9040eb" +ARG KUBECTL_SHA256="8639f2b9c33d38910d706171ce3d25be9b19fc139d0e3d4627f38ce84f9040eb" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \ - sha256sum kubectl | grep ${KUBECTL_SHA256} && \ + echo "${KUBECTL_SHA256} kubectl" | sha256sum -c && \ chmod +x kubectl && \ - mv kubectl /usr/local/bin/kubectl + mv kubectl /usr/local/bin/kubectl && \ + [ "$(kubectl version -o json | jq -r '.clientVersion.gitVersion')" = "${KUBECTL_VERSION}" ] ENV KUSTOMIZE_VERSION="v4.5.7" -ENV KUSTOMIZE_SHA256="701e3c4bfa14e4c520d481fdf7131f902531bfc002cb5062dcf31263a09c70c9" +ARG KUSTOMIZE_SHA256="701e3c4bfa14e4c520d481fdf7131f902531bfc002cb5062dcf31263a09c70c9" +ARG KUSTOMIZE_FILENAME="kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \ - tar zxvf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - mv kustomize /usr/local/bin/kustomize + curl --retry 5 --retry-connrefused -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}" && \ + echo "${KUSTOMIZE_SHA256} ${KUSTOMIZE_FILENAME}" | sha256sum -c && \ + tar xvf "${KUSTOMIZE_FILENAME}" -C /usr/local/bin && \ + rm "${KUSTOMIZE_FILENAME}" && \ + kustomize version --short | grep "kustomize/${KUSTOMIZE_VERSION}" ENV SOPS_VERSION="v3.7.3" +ARG SOPS_FILENAME="sops-${SOPS_VERSION}.linux.amd64" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \ - chmod +x sops-${SOPS_VERSION}.linux.amd64 && \ - mv sops-${SOPS_VERSION}.linux.amd64 /usr/local/bin/sops + curl --retry 5 --retry-connrefused -LO "https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/${SOPS_FILENAME}" && \ + chmod +x "${SOPS_FILENAME}" && \ + mv "${SOPS_FILENAME}" /usr/local/bin/sops && \ + sops --version | grep -E "^sops ${SOPS_VERSION#v}" ENV AGE_VERSION="v1.0.0" +ARG AGE_FILENAME="age-${AGE_VERSION}-linux-amd64.tar.gz" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz && \ - tar zxvf age-${AGE_VERSION}-linux-amd64.tar.gz && \ - mv age/age /usr/local/bin/age && \ - mv age/age-keygen /usr/local/bin/age-keygen && \ - rm -rf age-${AGE_VERSION}-linux-amd64.tar.gz age + curl --retry 5 --retry-connrefused -LO "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/${AGE_FILENAME}" && \ + tar xvf "${AGE_FILENAME}" -C /usr/local/bin --strip-components 1 age/age age/age-keygen && \ + rm "${AGE_FILENAME}" && \ + [ "$(age --version)" = "${AGE_VERSION}" ] && \ + [ "$(age-keygen --version)" = "${AGE_VERSION}" ] RUN helm plugin install https://github.com/databus23/helm-diff --version v3.6.0 && \ helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \ helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \ - helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 + helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \ + rm -rf /root/.cache/helm/plugins # Allow users other than root to use helm plugins located in root home RUN chmod 751 /root diff --git a/Dockerfile.debian-stable-slim b/Dockerfile.debian-stable-slim index a9e33072..8dd361df 100644 --- a/Dockerfile.debian-stable-slim +++ b/Dockerfile.debian-stable-slim @@ -17,63 +17,68 @@ LABEL org.opencontainers.image.source https://github.com/helmfile/helmfile RUN apt update -qq && \ apt install --no-install-recommends -y \ - ca-certificates \ + ca-certificates \ git bash curl jq wget openssh-client && \ rm -rf /var/lib/apt/lists/* ARG HELM_VERSION="v3.10.2" +ENV HELM_VERSION="${HELM_VERSION}" ARG HELM_SHA256="2315941a13291c277dac9f65e75ead56386440d3907e0540bf157ae70f188347" ARG HELM_LOCATION="https://get.helm.sh" ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz" - RUN set -x && \ curl --retry 5 --retry-connrefused -LO "${HELM_LOCATION}/${HELM_FILENAME}" && \ - echo "Verifying ${HELM_FILENAME}..." && \ - sha256sum "${HELM_FILENAME}" | grep -q "${HELM_SHA256}" && \ - echo "Extracting ${HELM_FILENAME}..." && \ - tar zxvf "${HELM_FILENAME}" && mv /linux-amd64/helm /usr/local/bin/ && \ - rm ${HELM_FILENAME} && rm -r /linux-amd64 + echo Verifying ${HELM_FILENAME}... && \ + echo "${HELM_SHA256} ${HELM_FILENAME}" | sha256sum -c && \ + echo Extracting ${HELM_FILENAME}... && \ + tar xvf "${HELM_FILENAME}" -C /usr/local/bin --strip-components 1 linux-amd64/helm && \ + rm "${HELM_FILENAME}" && \ + [ "$(helm version --template '{{.Version}}')" = "${HELM_VERSION}" ] # using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/ # for now but in a future version of alpine (in the testing version at the time of writing) # we should be able to install using apk add. -# the sha256 sum can be found at https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256 -# maybe a good idea to automate in the future? ENV KUBECTL_VERSION="v1.25.2" -ENV KUBECTL_SHA256="8639f2b9c33d38910d706171ce3d25be9b19fc139d0e3d4627f38ce84f9040eb" +ARG KUBECTL_SHA256="8639f2b9c33d38910d706171ce3d25be9b19fc139d0e3d4627f38ce84f9040eb" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \ - sha256sum kubectl | grep ${KUBECTL_SHA256} && \ + echo "${KUBECTL_SHA256} kubectl" | sha256sum -c && \ chmod +x kubectl && \ - mv kubectl /usr/local/bin/kubectl + mv kubectl /usr/local/bin/kubectl && \ + [ "$(kubectl version -o json | jq -r '.clientVersion.gitVersion')" = "${KUBECTL_VERSION}" ] ENV KUSTOMIZE_VERSION="v4.5.7" -ENV KUSTOMIZE_SHA256="701e3c4bfa14e4c520d481fdf7131f902531bfc002cb5062dcf31263a09c70c9" +ARG KUSTOMIZE_SHA256="701e3c4bfa14e4c520d481fdf7131f902531bfc002cb5062dcf31263a09c70c9" +ARG KUSTOMIZE_FILENAME="kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \ - tar zxvf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - mv kustomize /usr/local/bin/kustomize + curl --retry 5 --retry-connrefused -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}" && \ + echo "${KUSTOMIZE_SHA256} ${KUSTOMIZE_FILENAME}" | sha256sum -c && \ + tar xvf "${KUSTOMIZE_FILENAME}" -C /usr/local/bin && \ + rm "${KUSTOMIZE_FILENAME}" && \ + kustomize version --short | grep "kustomize/${KUSTOMIZE_VERSION}" ENV SOPS_VERSION="v3.7.3" +ARG SOPS_FILENAME="sops-${SOPS_VERSION}.linux.amd64" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \ - chmod +x sops-${SOPS_VERSION}.linux.amd64 && \ - mv sops-${SOPS_VERSION}.linux.amd64 /usr/local/bin/sops + curl --retry 5 --retry-connrefused -LO "https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/${SOPS_FILENAME}" && \ + chmod +x "${SOPS_FILENAME}" && \ + mv "${SOPS_FILENAME}" /usr/local/bin/sops && \ + sops --version | grep -E "^sops ${SOPS_VERSION#v}" ENV AGE_VERSION="v1.0.0" +ARG AGE_FILENAME="age-${AGE_VERSION}-linux-amd64.tar.gz" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz && \ - tar zxvf age-${AGE_VERSION}-linux-amd64.tar.gz && \ - mv age/age /usr/local/bin/age && \ - mv age/age-keygen /usr/local/bin/age-keygen && \ - rm -rf age-${AGE_VERSION}-linux-amd64.tar.gz age + curl --retry 5 --retry-connrefused -LO "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/${AGE_FILENAME}" && \ + tar xvf "${AGE_FILENAME}" -C /usr/local/bin --strip-components 1 age/age age/age-keygen && \ + rm "${AGE_FILENAME}" && \ + [ "$(age --version)" = "${AGE_VERSION}" ] && \ + [ "$(age-keygen --version)" = "${AGE_VERSION}" ] RUN helm plugin install https://github.com/databus23/helm-diff --version v3.6.0 && \ helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \ helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \ - helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 + helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \ + rm -rf /root/.cache/helm/plugins # Allow users other than root to use helm plugins located in root home RUN chmod 751 /root diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu index 087084c5..39d19dcb 100644 --- a/Dockerfile.ubuntu +++ b/Dockerfile.ubuntu @@ -15,65 +15,70 @@ FROM ubuntu:20.04 LABEL org.opencontainers.image.source https://github.com/helmfile/helmfile -RUN apt-get update && \ - apt-get install --no-install-recommends -y \ +RUN apt update -qq && \ + apt install --no-install-recommends -y \ ca-certificates \ git bash curl jq wget openssh-client && \ rm -rf /var/lib/apt/lists/* ARG HELM_VERSION="v3.10.2" +ENV HELM_VERSION="${HELM_VERSION}" ARG HELM_SHA256="2315941a13291c277dac9f65e75ead56386440d3907e0540bf157ae70f188347" ARG HELM_LOCATION="https://get.helm.sh" ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz" - RUN set -x && \ - curl --retry 5 --retry-connrefused -LO ${HELM_LOCATION}/${HELM_FILENAME} && \ + curl --retry 5 --retry-connrefused -LO "${HELM_LOCATION}/${HELM_FILENAME}" && \ echo Verifying ${HELM_FILENAME}... && \ - sha256sum ${HELM_FILENAME} | grep -q "${HELM_SHA256}" && \ + echo "${HELM_SHA256} ${HELM_FILENAME}" | sha256sum -c && \ echo Extracting ${HELM_FILENAME}... && \ - tar zxvf ${HELM_FILENAME} && mv /linux-amd64/helm /usr/local/bin/ && \ - rm ${HELM_FILENAME} && rm -r /linux-amd64 + tar xvf "${HELM_FILENAME}" -C /usr/local/bin --strip-components 1 linux-amd64/helm && \ + rm "${HELM_FILENAME}" && \ + [ "$(helm version --template '{{.Version}}')" = "${HELM_VERSION}" ] # using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/ # for now but in a future version of alpine (in the testing version at the time of writing) # we should be able to install using apk add. -# the sha256 sum can be found at https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256 -# maybe a good idea to automate in the future? ENV KUBECTL_VERSION="v1.25.2" -ENV KUBECTL_SHA256="8639f2b9c33d38910d706171ce3d25be9b19fc139d0e3d4627f38ce84f9040eb" +ARG KUBECTL_SHA256="8639f2b9c33d38910d706171ce3d25be9b19fc139d0e3d4627f38ce84f9040eb" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \ - sha256sum kubectl | grep ${KUBECTL_SHA256} && \ + echo "${KUBECTL_SHA256} kubectl" | sha256sum -c && \ chmod +x kubectl && \ - mv kubectl /usr/local/bin/kubectl + mv kubectl /usr/local/bin/kubectl && \ + [ "$(kubectl version -o json | jq -r '.clientVersion.gitVersion')" = "${KUBECTL_VERSION}" ] ENV KUSTOMIZE_VERSION="v4.5.7" -ENV KUSTOMIZE_SHA256="701e3c4bfa14e4c520d481fdf7131f902531bfc002cb5062dcf31263a09c70c9" +ARG KUSTOMIZE_SHA256="701e3c4bfa14e4c520d481fdf7131f902531bfc002cb5062dcf31263a09c70c9" +ARG KUSTOMIZE_FILENAME="kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \ - tar zxvf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \ - mv kustomize /usr/local/bin/kustomize + curl --retry 5 --retry-connrefused -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}" && \ + echo "${KUSTOMIZE_SHA256} ${KUSTOMIZE_FILENAME}" | sha256sum -c && \ + tar xvf "${KUSTOMIZE_FILENAME}" -C /usr/local/bin && \ + rm "${KUSTOMIZE_FILENAME}" && \ + kustomize version --short | grep "kustomize/${KUSTOMIZE_VERSION}" ENV SOPS_VERSION="v3.7.3" +ARG SOPS_FILENAME="sops-${SOPS_VERSION}.linux.amd64" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \ - chmod +x sops-${SOPS_VERSION}.linux.amd64 && \ - mv sops-${SOPS_VERSION}.linux.amd64 /usr/local/bin/sops + curl --retry 5 --retry-connrefused -LO "https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/${SOPS_FILENAME}" && \ + chmod +x "${SOPS_FILENAME}" && \ + mv "${SOPS_FILENAME}" /usr/local/bin/sops && \ + sops --version | grep -E "^sops ${SOPS_VERSION#v}" ENV AGE_VERSION="v1.0.0" +ARG AGE_FILENAME="age-${AGE_VERSION}-linux-amd64.tar.gz" RUN set -x && \ - curl --retry 5 --retry-connrefused -LO https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz && \ - tar zxvf age-${AGE_VERSION}-linux-amd64.tar.gz && \ - mv age/age /usr/local/bin/age && \ - mv age/age-keygen /usr/local/bin/age-keygen && \ - rm -rf age-${AGE_VERSION}-linux-amd64.tar.gz age + curl --retry 5 --retry-connrefused -LO "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/${AGE_FILENAME}" && \ + tar xvf "${AGE_FILENAME}" -C /usr/local/bin --strip-components 1 age/age age/age-keygen && \ + rm "${AGE_FILENAME}" && \ + [ "$(age --version)" = "${AGE_VERSION}" ] && \ + [ "$(age-keygen --version)" = "${AGE_VERSION}" ] RUN helm plugin install https://github.com/databus23/helm-diff --version v3.6.0 && \ helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \ helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \ - helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 + helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \ + rm -rf /root/.cache/helm/plugins # Allow users other than root to use helm plugins located in root home RUN chmod 751 /root