Remove insecure curl from worker image. (#15028)

Curl was the last remaining security vulnerability in the image. Instead of using curl, use wget to avoid this issue. This also has the side effect of decreasing the image size by 150 MB.
airbytehq · Jul 26, 2022 · adebeb0 · adebeb0
1 parent a51fd71
commit adebeb0
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/airbyte-workers/Dockerfile b/airbyte-workers/Dockerfile
@@ -6,24 +6,24 @@ ARG DOCKER_BUILD_ARCH=amd64
 
 # Install Docker to launch worker images. Eventually should be replaced with Docker-java.
 # See https://gitter.im/docker-java/docker-java?at=5f3eb87ba8c1780176603f4e for more information on why we are not currently using Docker-java
+# See https://docs.docker.com/engine/install/debian/ to understand what the following commands are
+# doing.
 RUN apt-get update && apt-get install -y \
-                          apt-transport-https \
                           ca-certificates \
-                          curl \
-                          gnupg-agent \
-                          software-properties-common
-RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
-# arch var used to detect architecture of container. Architecture should be spcified to get proper binaries from repo.
-RUN arch=$(dpkg --print-architecture) && \
-       add-apt-repository \
-       "deb [arch=${arch}] https://download.docker.com/linux/debian \
-       $(lsb_release -cs) stable"
+                          wget \
+                          gnupg \
+                          lsb-release
+RUN mkdir -p /etc/apt/keyrings
+RUN wget -O - https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+RUN echo \
+      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+      $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 RUN apt-get update && apt-get install -y docker-ce-cli jq
 
 # Install kubectl for copying files to kube pods. Eventually should be replaced with a kube java client.
 # See https://github.com/airbytehq/airbyte/issues/8643 for more information on why we are using kubectl for copying.
 # The following commands were taken from https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-using-native-package-management
-RUN curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
+RUN wget -O /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
 RUN echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list
 RUN apt-get update && apt-get install -y kubectl