33# Supports multi-architecture builds (amd64, arm64)
44
55# Stage 1: Build roxie binary
6- FROM --platform=$BUILDPLATFORM docker.io/library/golang :1.25-alpine AS builder
6+ FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset :1.25@sha256:2830e4bd1c394ed506c00a9abbb4d00445e2e72e8ef4e3cd51e0da0db66dee12 AS builder
77
88# Build arguments for cross-compilation
99# These are automatically provided by Docker buildx
@@ -12,9 +12,6 @@ ARG TARGETARCH
1212
1313WORKDIR /build
1414
15- # Install build dependencies
16- RUN apk add --no-cache git ca-certificates
17-
1815# Copy go mod files first for better layer caching
1916COPY go.mod go.sum ./
2017RUN go mod download
@@ -33,22 +30,62 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \
3330 ./cmd
3431
3532# Download gcloud SDK in builder stage to avoid UBI filesystem restrictions
36- ARG GCLOUD_VERSION=latest
37- RUN apk add --no-cache curl python3 && \
38- ARCH=${TARGETARCH:-amd64} && \
33+ # Latest version including checksums can be found at:
34+ # https://docs.cloud.google.com/sdk/docs/install-sdk#linux
35+ #
36+ # Unfortunately Googles release pipelines currently do not properly support versioned, checksum-protected downloads,
37+ #
38+ # THE PROBLEM
39+ #
40+ # The page https://docs.cloud.google.com/sdk/docs/install-sdk#linux references download links which are
41+ # unversioned, which is not suitable for CI. For these unversioned links the page contains checksums.
42+ #
43+ # The SDK can also be downloaded throught versioned links, which is suitable for CI usage. However, these
44+ # versioned links are not referenced in the page and -- more importantly -- the checksums of both
45+ # files (versioned and unversioned) are *not* the same. They differ in the filename contained in the gzip header.
46+ #
47+ # THE WORKAROUND
48+ #
49+ # I have downloaded both files, versioned and unversioned, together with the latest checksum
50+ # from the download page for the unversioned file. Then I have decompressed both files, verified
51+ # that both archives are bytewise identical and then I have compted the sha256 of the versioned file
52+ # and inserted it here.
53+ #
54+ # Example:
55+ #
56+ # ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz
57+ # ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-562.0.0-linux-x86_64.tar.gz
58+ # ❯ UNVERSIONED_CHECKSUM=38bd4f203392354fa7cc5514ee38ea02bb808aa5f1f7e00257806abf782dde38
59+ # ❯ gzip -dk google-cloud-cli-562.0.0-linux-x86_64.tar.gz; gzip -dk google-cloud-cli-linux-x86_64.tar.gz
60+ # ❯ echo "${UNVERSIONED_CHECKSUM} google-cloud-cli-linux-x86_64.tar.gz" | sha256sum -c -
61+ # google-cloud-cli-linux-x86_64.tar.gz: OK
62+ # ❯ cmp google-cloud-cli-562.0.0-linux-x86_64.tar google-cloud-cli-linux-x86_64.tar
63+ # ❯ sha256 google-cloud-cli-562.0.0-linux-x86_64.tar.gz
64+ # SHA256 (google-cloud-cli-562.0.0-linux-x86_64.tar.gz) = 016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3
65+ #
66+ ARG GCLOUD_VERSION=562.0.0
67+ ARG GCLOUD_ARM64_SHA256=a9ebaa0f4020ea0487c2c935af3d4566d1b4a1ccae685c6b7141211fc96424ee
68+ ARG GCLOUD_AMD64_SHA256=016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3
69+ RUN ARCH=${TARGETARCH:-amd64} && \
3970 if [ "${ARCH}" = "amd64" ]; then \
4071 GCLOUD_ARCH="x86_64" ; \
72+ GCLOUD_SHA256=${GCLOUD_AMD64_SHA256}; \
4173 elif [ "${ARCH}" = "arm64" ]; then \
4274 GCLOUD_ARCH="arm" ; \
75+ GCLOUD_SHA256=${GCLOUD_ARM64_SHA256}; \
4376 else \
4477 echo "ERROR: Unsupported architecture: ${ARCH}" ; exit 1; \
4578 fi && \
46- curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-${GCLOUD_ARCH}.tar.gz" | \
47- tar -xz -C /tmp && \
79+ filename="google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz" && \
80+ url="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/$(unknown)" && \
81+ echo "Downloading gcloud SDK from: ${url}" && \
82+ curl -o "/tmp/$(unknown)" -fsSL "${url}" && \
83+ echo "${GCLOUD_SHA256} /tmp/$(unknown)" | sha256sum -c - && \
84+ tar -xz -C /tmp -f "/tmp/$(unknown)" && \
4885 /tmp/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
4986
5087# Stage 2: Runtime image based on Red Hat UBI Minimal
51- FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
88+ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183
5289
5390# Architecture detection for multi-arch builds
5491ARG TARGETARCH
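Review bot: `GCLOUD_ARM64_SHA256` at L60 has no provenance: the workaround comment walks through the x86_64 file only, so a reader cannot tell whether the arm64 value was derived the same way (decompress both archives, `cmp`, hash the versioned one) or copied from elsewhere; add a sentence such as `# The arm64 value was obtained with the same procedure against google-cloud-cli-${GCLOUD_VERSION}-linux-arm.tar.gz`. Overriding `GCLOUD_VERSION` with `--build-arg` will now fail the `sha256sum -c` step unless both `GCLOUD_*_SHA256` args are overridden too, and nothing says so; the same applies to `KUBECTL_VERSION` and `ROXCTL_VERSION` in the next hunk, so a comment like `# When overriding GCLOUD_VERSION, override GCLOUD_ARM64_SHA256 and GCLOUD_AMD64_SHA256 as well` belongs on each of the three blocks. On L84 the digest pin makes the `latest` tag inert for resolution, but it still misleads readers and trips hadolint DL3007; use the versioned ubi-minimal tag that the digest corresponds to. The comment block also has a few typos worth fixing (`throught`, `compted`, `Googles`).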
@@ -76,40 +113,47 @@ RUN microdnf install -y \
76113 && rm -rf /var/cache/yum
77114
78115# Install kubectl - architecture-aware
79- ARG KUBECTL_VERSION=v1.29.0
116+ # Checksums can be found at
117+ # https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256.
118+ ARG KUBECTL_VERSION=v1.35.3
119+ ARG KUBECTL_ARM64_SHA256=6f0cd088a82dde5d5807122056069e2fac4ed447cc518efc055547ae46525f14
120+ ARG KUBECTL_AMD64_SHA256=fd31c7d7129260e608f6faf92d5984c3267ad0b5ead3bced2fe125686e286ad6
80121RUN ARCH=${TARGETARCH:-amd64} && \
81122 echo "Installing kubectl for ${ARCH}" && \
82- curl -fsSLo /usr/local/bin/kubectl \
83- "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \
84- && chmod +x /usr/local/bin/kubectl
85-
86- # Install helm - architecture-aware
87- ARG HELM_VERSION=v3.14.0
88- RUN ARCH=${TARGETARCH:-amd64} && \
89- echo "Installing helm for ${ARCH}" && \
90- curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" | \
91- tar -xzO "linux-${ARCH}/helm" > /usr/local/bin/helm && \
92- chmod +x /usr/local/bin/helm
123+ if [ "${ARCH}" = "arm64" ]; then \
124+ KUBECTL_SHA256=${KUBECTL_ARM64_SHA256}; \
125+ elif [ "${ARCH}" = "amd64" ]; then \
126+ KUBECTL_SHA256=${KUBECTL_AMD64_SHA256}; \
127+ else \
128+ echo "ERROR: Unsupported architecture: ${ARCH}" ; exit 1; \
129+ fi && \
130+ url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
131+ echo "Downloading kubectl from: ${url}" && \
132+ curl -fsSLo /usr/local/bin/kubectl "${url}" && \
133+ echo "${KUBECTL_SHA256} /usr/local/bin/kubectl" | sha256sum -c - && \
134+ chmod +x /usr/local/bin/kubectl
93135
94136# Install roxctl - architecture-aware
95137# The mirror has architecture-specific binaries: 'roxctl' (amd64) and 'roxctl-arm64'
96- # Override with --build-arg ROXCTL_VERSION=4.x.x for specific versions
97- ARG ROXCTL_VERSION=latest
138+ ARG ROXCTL_VERSION=4.10.0
139+ ARG ROXCTL_ARM64_SHA256=a3951413d56671e46413009d31004d984e9c77c7520f35c8f062f5bd4e4f8212
140+ ARG ROXCTL_AMD64_SHA256=5db647b14569465866c0162522e83393ebf02f671f4556b1b3ed551b9f8433bc
98141RUN ARCH=${TARGETARCH:-amd64} && \
99142 echo "Installing roxctl for ${ARCH}" && \
100143 if [ "${ARCH}" = "arm64" ]; then \
101144 ROXCTL_BINARY="roxctl-arm64" ; \
145+ ROXCTL_SHA256=${ROXCTL_ARM64_SHA256}; \
102146 elif [ "${ARCH}" = "amd64" ]; then \
103147 ROXCTL_BINARY="roxctl" ; \
148+ ROXCTL_SHA256=${ROXCTL_AMD64_SHA256}; \
104149 else \
105150 echo "ERROR: Unsupported architecture: ${ARCH}" ; exit 1; \
106151 fi && \
107- ROXCTL_PATH=$([ "${ROXCTL_VERSION}" = "latest" ] && echo "latest" || echo "${ROXCTL_VERSION}" ) && \
108- ROXCTL_URL="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_PATH}/bin/Linux/${ROXCTL_BINARY}" && \
109- echo "Downloading from: ${ROXCTL_URL}" && \
110- curl -fsSLo /usr/local/bin/roxctl "${ROXCTL_URL}" && \
111- chmod +x /usr/local/bin/roxctl && \
112- echo "roxctl installed successfully for ${ARCH}"
152+ url="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_VERSION}/bin/Linux/${ROXCTL_BINARY}" && \
153+ echo "Downloading from: ${url}" && \
154+ curl -fsSLo /usr/local/bin/roxctl "${url}" && \
155+ echo "${ROXCTL_SHA256} /usr/local/bin/roxctl" | sha256sum -c - && \
156+ chmod +x /usr/local/bin/roxctl
113157
114158# Install podman (required for extracting operator bundles)
115159# fuse-overlayfs provides better performance but vfs driver is more compatible
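Review bot: The helm installation (old lines 86–92, removed at L104–L110) disappears from this hunk with no replacement and no comment, and it was the only place helm was set up in view; if dropping helm is intended, say so in the commit description, otherwise it should come back using the same pinned-version-plus-`sha256sum -c` pattern the hunk applies to kubectl. The roxctl block at L128–L130 gives no source for its checksum values, unlike the kubectl comment at L93–L94; add e.g. `# Checksums taken from: <URL of the published roxctl checksum file>` so a future bump can be verified the same way. Both downloads write the unverified file straight to `/usr/local/bin/<tool>` before the hash check; a failed check aborts the RUN so the layer is not kept, but downloading to `/tmp` and moving the file only after verification makes that intent explicit.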
@@ -127,16 +171,18 @@ RUN ln -s /opt/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud && \
127171 ln -s /opt/google-cloud-sdk/bin/gke-gcloud-auth-plugin /usr/local/bin/gke-gcloud-auth-plugin
128172
129173# 2. AWS (EKS) - aws-iam-authenticator
174+ # Using GitHub releases for latest version (AWS S3 bucket has outdated versions)
175+ ARG AWS_IAM_AUTH_VERSION=0.7.12
130176RUN ARCH=${TARGETARCH:-amd64} && \
131- echo "Installing aws-iam-authenticator for ${ARCH}" && \
177+ echo "Installing aws-iam-authenticator v${AWS_IAM_AUTH_VERSION} for ${ARCH}" && \
132178 curl -fsSLo /usr/local/bin/aws-iam-authenticator \
133- "https://amazon-eks.s3.us-west-2.amazonaws. com/1.30.0/2024-05-12/bin/linux/${ARCH }/aws-iam-authenticator " && \
179+ "https://github. com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTH_VERSION }/aws-iam-authenticator_${AWS_IAM_AUTH_VERSION}_linux_${ARCH} " && \
134180 chmod +x /usr/local/bin/aws-iam-authenticator
135181
136182# 3. Azure (AKS) - kubelogin
137183RUN ARCH=${TARGETARCH:-amd64} && \
138184 echo "Installing kubelogin (Azure) for ${ARCH}" && \
139- KUBELOGIN_VERSION="v0.1.4 " && \
185+ KUBELOGIN_VERSION="v0.2.16 " && \
140186 curl -fsSL "https://github.com/Azure/kubelogin/releases/download/${KUBELOGIN_VERSION}/kubelogin-linux-${ARCH}.zip" \
141187 -o /tmp/kubelogin.zip && \
142188 unzip -q /tmp/kubelogin.zip -d /tmp && \
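Review bot: The aws-iam-authenticator download at L165–L167 and the kubelogin download at L175–L176 still have no checksum verification, so this hunk bumps their versions while the rest of the commit adds `sha256sum -c` gates for gcloud, kubectl and roxctl; a TLS fetch only proves who served the file, and a checksum pinned in the Dockerfile is what makes the image reproducible. The rewrite below applies the same ARG-per-architecture pattern used for kubectl; the hash values are placeholders to be filled from the project's published checksums for v0.7.12. `KUBELOGIN_VERSION` at L174 is also the only tool version still set inside the RUN rather than as an `ARG`, which makes it the one version that cannot be overridden at build time; lifting it to `ARG KUBELOGIN_VERSION=v0.2.16` keeps it consistent with the others. The spaces rendered inside `github. com` and `"v0.2.16 "` look like a display artifact; if they are really in the file they break the URLs.
```dockerfile
# … unchanged: gcloud symlinks above …
# 2. AWS (EKS) - aws-iam-authenticator
# Using GitHub releases for latest version (AWS S3 bucket has outdated versions)
ARG AWS_IAM_AUTH_VERSION=0.7.12
# Fill from the checksums published with the release; overriding AWS_IAM_AUTH_VERSION requires overriding these too
ARG AWS_IAM_AUTH_ARM64_SHA256=<sha256-placeholder>
ARG AWS_IAM_AUTH_AMD64_SHA256=<sha256-placeholder>
RUN ARCH=${TARGETARCH:-amd64} && \
    echo "Installing aws-iam-authenticator v${AWS_IAM_AUTH_VERSION} for ${ARCH}" && \
    if [ "${ARCH}" = "arm64" ]; then \
        AWS_IAM_AUTH_SHA256=${AWS_IAM_AUTH_ARM64_SHA256}; \
    elif [ "${ARCH}" = "amd64" ]; then \
        AWS_IAM_AUTH_SHA256=${AWS_IAM_AUTH_AMD64_SHA256}; \
    else \
        echo "ERROR: Unsupported architecture: ${ARCH}" ; exit 1; \
    fi && \
    url="https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTH_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTH_VERSION}_linux_${ARCH}" && \
    echo "Downloading aws-iam-authenticator from: ${url}" && \
    curl -fsSLo /usr/local/bin/aws-iam-authenticator "${url}" && \
    echo "${AWS_IAM_AUTH_SHA256} /usr/local/bin/aws-iam-authenticator" | sha256sum -c - && \
    chmod +x /usr/local/bin/aws-iam-authenticator
# … unchanged: kubelogin install below …
```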