
Commit f75bbc6

mclasmeierMoritz Clasmeier
andauthored
Bump go builder, build dependencies and runtime dependencies (#69)
Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com>
1 parent a2ed75b commit f75bbc6

3 files changed

Lines changed: 101 additions & 55 deletions


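--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@
 # Supports multi-architecture builds (amd64, arm64)
 
 # Stage 1: Build roxie binary
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25-alpine AS builder
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:2830e4bd1c394ed506c00a9abbb4d00445e2e72e8ef4e3cd51e0da0db66dee12 AS builder
 
 # Build arguments for cross-compilation
 # These are automatically provided by Docker buildx
@@ -12,9 +12,6 @@ ARG TARGETARCH
 
 WORKDIR /build
 
-# Install build dependencies
-RUN apk add --no-cache git ca-certificates
-
 # Copy go mod files first for better layer caching
 COPY go.mod go.sum ./
 RUN go mod download
@@ -33,22 +30,62 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \
 ./cmd
 
 # Download gcloud SDK in builder stage to avoid UBI filesystem restrictions
-ARG GCLOUD_VERSION=latest
-RUN apk add --no-cache curl python3 && \
-ARCH=${TARGETARCH:-amd64} && \
+# Latest version including checksums can be found at:
+# https://docs.cloud.google.com/sdk/docs/install-sdk#linux
+#
+# Unfortunately Googles release pipelines currently do not properly support versioned, checksum-protected downloads,
+#
+# THE PROBLEM
+#
+# The page https://docs.cloud.google.com/sdk/docs/install-sdk#linux references download links which are
+# unversioned, which is not suitable for CI. For these unversioned links the page contains checksums.
+#
+# The SDK can also be downloaded throught versioned links, which is suitable for CI usage. However, these
+# versioned links are not referenced in the page and -- more importantly -- the checksums of both
+# files (versioned and unversioned) are *not* the same. They differ in the filename contained in the gzip header.
+#
+# THE WORKAROUND
+#
+# I have downloaded both files, versioned and unversioned, together with the latest checksum
+# from the download page for the unversioned file. Then I have decompressed both files, verified
+# that both archives are bytewise identical and then I have compted the sha256 of the versioned file
+# and inserted it here.
+#
+# Example:
+#
+# ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz
+# ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-562.0.0-linux-x86_64.tar.gz
+# ❯ UNVERSIONED_CHECKSUM=38bd4f203392354fa7cc5514ee38ea02bb808aa5f1f7e00257806abf782dde38
+# ❯ gzip -dk google-cloud-cli-562.0.0-linux-x86_64.tar.gz; gzip -dk google-cloud-cli-linux-x86_64.tar.gz
+# ❯ echo "${UNVERSIONED_CHECKSUM} google-cloud-cli-linux-x86_64.tar.gz" | sha256sum -c -
+# google-cloud-cli-linux-x86_64.tar.gz: OK
+# ❯ cmp google-cloud-cli-562.0.0-linux-x86_64.tar google-cloud-cli-linux-x86_64.tar
+# ❯ sha256 google-cloud-cli-562.0.0-linux-x86_64.tar.gz
+# SHA256 (google-cloud-cli-562.0.0-linux-x86_64.tar.gz) = 016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3
+#
+ARG GCLOUD_VERSION=562.0.0
+ARG GCLOUD_ARM64_SHA256=a9ebaa0f4020ea0487c2c935af3d4566d1b4a1ccae685c6b7141211fc96424ee
+ARG GCLOUD_AMD64_SHA256=016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3
+RUN ARCH=${TARGETARCH:-amd64} && \
 if [ "${ARCH}" = "amd64" ]; then \
 GCLOUD_ARCH="x86_64"; \
+GCLOUD_SHA256=${GCLOUD_AMD64_SHA256}; \
 elif [ "${ARCH}" = "arm64" ]; then \
 GCLOUD_ARCH="arm"; \
+GCLOUD_SHA256=${GCLOUD_ARM64_SHA256}; \
 else \
 echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
 fi && \
-curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-${GCLOUD_ARCH}.tar.gz" | \
-tar -xz -C /tmp && \
+filename="google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz" && \
+url="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/${filename}" && \
+echo "Downloading gcloud SDK from: ${url}" && \
+curl -o "/tmp/${filename}" -fsSL "${url}" && \
+echo "${GCLOUD_SHA256} /tmp/${filename}" | sha256sum -c - && \
+tar -xz -C /tmp -f "/tmp/${filename}" && \
 /tmp/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
 
 # Stage 2: Runtime image based on Red Hat UBI Minimal
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183
 
 # Architecture detection for multi-arch builds
 ARG TARGETARCH
@@ -76,40 +113,47 @@ RUN microdnf install -y \
 && rm -rf /var/cache/yum
 
 # Install kubectl - architecture-aware
-ARG KUBECTL_VERSION=v1.29.0
+# Checksums can be found at
+# https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256.
+ARG KUBECTL_VERSION=v1.35.3
+ARG KUBECTL_ARM64_SHA256=6f0cd088a82dde5d5807122056069e2fac4ed447cc518efc055547ae46525f14
+ARG KUBECTL_AMD64_SHA256=fd31c7d7129260e608f6faf92d5984c3267ad0b5ead3bced2fe125686e286ad6
 RUN ARCH=${TARGETARCH:-amd64} && \
 echo "Installing kubectl for ${ARCH}" && \
-curl -fsSLo /usr/local/bin/kubectl \
-"https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \
-&& chmod +x /usr/local/bin/kubectl
-
-# Install helm - architecture-aware
-ARG HELM_VERSION=v3.14.0
-RUN ARCH=${TARGETARCH:-amd64} && \
-echo "Installing helm for ${ARCH}" && \
-curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" | \
-tar -xzO "linux-${ARCH}/helm" > /usr/local/bin/helm && \
-chmod +x /usr/local/bin/helm
+if [ "${ARCH}" = "arm64" ]; then \
+KUBECTL_SHA256=${KUBECTL_ARM64_SHA256}; \
+elif [ "${ARCH}" = "amd64" ]; then \
+KUBECTL_SHA256=${KUBECTL_AMD64_SHA256}; \
+else \
+echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
+fi && \
+url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
+echo "Downloading kubectl from: ${url}" && \
+curl -fsSLo /usr/local/bin/kubectl "${url}" && \
+echo "${KUBECTL_SHA256} /usr/local/bin/kubectl" | sha256sum -c - && \
+chmod +x /usr/local/bin/kubectl
 
 # Install roxctl - architecture-aware
 # The mirror has architecture-specific binaries: 'roxctl' (amd64) and 'roxctl-arm64'
-# Override with --build-arg ROXCTL_VERSION=4.x.x for specific versions
-ARG ROXCTL_VERSION=latest
+ARG ROXCTL_VERSION=4.10.0
+ARG ROXCTL_ARM64_SHA256=a3951413d56671e46413009d31004d984e9c77c7520f35c8f062f5bd4e4f8212
+ARG ROXCTL_AMD64_SHA256=5db647b14569465866c0162522e83393ebf02f671f4556b1b3ed551b9f8433bc
 RUN ARCH=${TARGETARCH:-amd64} && \
 echo "Installing roxctl for ${ARCH}" && \
 if [ "${ARCH}" = "arm64" ]; then \
 ROXCTL_BINARY="roxctl-arm64"; \
+ROXCTL_SHA256=${ROXCTL_ARM64_SHA256}; \
 elif [ "${ARCH}" = "amd64" ]; then \
 ROXCTL_BINARY="roxctl"; \
+ROXCTL_SHA256=${ROXCTL_AMD64_SHA256}; \
 else \
 echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
 fi && \
-ROXCTL_PATH=$([ "${ROXCTL_VERSION}" = "latest" ] && echo "latest" || echo "${ROXCTL_VERSION}") && \
-ROXCTL_URL="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_PATH}/bin/Linux/${ROXCTL_BINARY}" && \
-echo "Downloading from: ${ROXCTL_URL}" && \
-curl -fsSLo /usr/local/bin/roxctl "${ROXCTL_URL}" && \
-chmod +x /usr/local/bin/roxctl && \
-echo "roxctl installed successfully for ${ARCH}"
+url="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_VERSION}/bin/Linux/${ROXCTL_BINARY}" && \
+echo "Downloading from: ${url}" && \
+curl -fsSLo /usr/local/bin/roxctl "${url}" && \
+echo "${ROXCTL_SHA256} /usr/local/bin/roxctl" | sha256sum -c - && \
+chmod +x /usr/local/bin/roxctl
 
 # Install podman (required for extracting operator bundles)
 # fuse-overlayfs provides better performance but vfs driver is more compatible
@@ -127,16 +171,18 @@ RUN ln -s /opt/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud && \
 ln -s /opt/google-cloud-sdk/bin/gke-gcloud-auth-plugin /usr/local/bin/gke-gcloud-auth-plugin
 
 # 2. AWS (EKS) - aws-iam-authenticator
+# Using GitHub releases for latest version (AWS S3 bucket has outdated versions)
+ARG AWS_IAM_AUTH_VERSION=0.7.12
 RUN ARCH=${TARGETARCH:-amd64} && \
-echo "Installing aws-iam-authenticator for ${ARCH}" && \
+echo "Installing aws-iam-authenticator v${AWS_IAM_AUTH_VERSION} for ${ARCH}" && \
 curl -fsSLo /usr/local/bin/aws-iam-authenticator \
-"https://amazon-eks.s3.us-west-2.amazonaws.com/1.30.0/2024-05-12/bin/linux/${ARCH}/aws-iam-authenticator" && \
+"https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTH_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTH_VERSION}_linux_${ARCH}" && \
 chmod +x /usr/local/bin/aws-iam-authenticator
 
 # 3. Azure (AKS) - kubelogin
 RUN ARCH=${TARGETARCH:-amd64} && \
 echo "Installing kubelogin (Azure) for ${ARCH}" && \
-KUBELOGIN_VERSION="v0.1.4" && \
+KUBELOGIN_VERSION="v0.2.16" && \
 curl -fsSL "https://github.com/Azure/kubelogin/releases/download/${KUBELOGIN_VERSION}/kubelogin-linux-${ARCH}.zip" \
 -o /tmp/kubelogin.zip && \
 unzip -q /tmp/kubelogin.zip -d /tmp && \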
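Review bot: The aws-iam-authenticator step in the last hunk (new lines 175-180) still writes the `curl` output straight into /usr/local/bin with no digest check, although this commit adds `sha256sum -c` verification for gcloud, kubectl and roxctl; the kubelogin zip a few lines below, bumped to v0.2.16, has the same gap. Both are fetched from GitHub release URLs, so pinning the version alone does not detect a replaced or tampered asset. I would add per-architecture checksum ARGs and verify before `chmod +x`, mirroring the kubectl step; the hash values in the fence are placeholders to be filled from the checksums the release publishes, if it provides them. The kubelogin RUN continues past the end of the hunk, so the fence covers only the aws-iam-authenticator step.

```dockerfile
ARG AWS_IAM_AUTH_VERSION=0.7.12
# Placeholders: fill both values from the release's published checksums
ARG AWS_IAM_AUTH_ARM64_SHA256=<PLACEHOLDER_SHA256_ARM64>
ARG AWS_IAM_AUTH_AMD64_SHA256=<PLACEHOLDER_SHA256_AMD64>
RUN ARCH=${TARGETARCH:-amd64} && \
    if [ "${ARCH}" = "arm64" ]; then \
        AWS_IAM_AUTH_SHA256=${AWS_IAM_AUTH_ARM64_SHA256}; \
    elif [ "${ARCH}" = "amd64" ]; then \
        AWS_IAM_AUTH_SHA256=${AWS_IAM_AUTH_AMD64_SHA256}; \
    else \
        echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
    fi && \
    # … unchanged: echo and curl of the release binary …
    echo "${AWS_IAM_AUTH_SHA256} /usr/local/bin/aws-iam-authenticator" | sha256sum -c - && \
    chmod +x /usr/local/bin/aws-iam-authenticator
```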

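--- a/go.mod
+++ b/go.mod
@@ -1,19 +1,19 @@
 module github.com/stackrox/roxie
 
-go 1.25
+go 1.25.0
 
 require (
-github.com/fatih/color v1.16.0
+github.com/fatih/color v1.19.0
 github.com/moby/sys/mountinfo v0.7.2
-github.com/spf13/cobra v1.8.0
-golang.org/x/term v0.38.0
+github.com/spf13/cobra v1.10.2
+golang.org/x/term v0.41.0
 gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
-github.com/mattn/go-colorable v0.1.13 // indirect
+github.com/mattn/go-colorable v0.1.14 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
-github.com/spf13/pflag v1.0.5 // indirect
-golang.org/x/sys v0.39.0 // indirect
+github.com/spf13/pflag v1.0.10 // indirect
+golang.org/x/sys v0.42.0 // indirect
 )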

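--- a/go.sum
+++ b/go.sum
@@ -1,26 +1,26 @@
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
-github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
+github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=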
