From 36c155ffd45bf3174d77fc296f1257cf8c2f94b4 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Fri, 20 Mar 2026 12:01:38 +0100 Subject: [PATCH 01/11] Bump go builder --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a1b9913..a864a33 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ # Supports multi-architecture builds (amd64, arm64) # Stage 1: Build roxie binary -FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25-alpine AS builder +FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:1.25 AS builder # Build arguments for cross-compilation # These are automatically provided by Docker buildx From 0bbffc940519cbc87ed014959c2887ec27c52590 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Tue, 24 Mar 2026 11:48:49 +0100 Subject: [PATCH 02/11] Remove apk add --- Dockerfile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index a864a33..06d4201 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,9 +12,6 @@ ARG TARGETARCH WORKDIR /build -# Install build dependencies -RUN apk add --no-cache git ca-certificates - # Copy go mod files first for better layer caching COPY go.mod go.sum ./ RUN go mod download @@ -34,8 +31,7 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \ # Download gcloud SDK in builder stage to avoid UBI filesystem restrictions ARG GCLOUD_VERSION=latest -RUN apk add --no-cache curl python3 && \ - ARCH=${TARGETARCH:-amd64} && \ +RUN ARCH=${TARGETARCH:-amd64} && \ if [ "${ARCH}" = "amd64" ]; then \ GCLOUD_ARCH="x86_64"; \ elif [ "${ARCH}" = "arm64" ]; then \ From a8ff0f187cf1b271c0dff02eea259f55bc2a9341 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Tue, 24 Mar 2026 12:19:41 +0100 Subject: [PATCH 03/11] Fix build permissions --- Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile b/Dockerfile index 06d4201..f1c22de 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -10,7 +10,11 @@ FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:1.25 A ARG TARGETOS ARG TARGETARCH +# Create build directory with proper permissions for the default user +USER 0 WORKDIR /build +RUN chown -R 1001:0 /build +USER 1001 # Copy go mod files first for better layer caching COPY go.mod go.sum ./ From 46d644e0aae6b0516c0027febb1ec03662383e39 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Tue, 24 Mar 2026 13:07:56 +0100 Subject: [PATCH 04/11] Version bumps in Dockerfile --- Dockerfile | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index f1c22de..dff810b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \ ./cmd # Download gcloud SDK in builder stage to avoid UBI filesystem restrictions -ARG GCLOUD_VERSION=latest +ARG GCLOUD_VERSION=561.0.0 RUN ARCH=${TARGETARCH:-amd64} && \ if [ "${ARCH}" = "amd64" ]; then \ GCLOUD_ARCH="x86_64"; \ @@ -43,7 +43,7 @@ RUN ARCH=${TARGETARCH:-amd64} && \ else \ echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \ fi && \ - curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-${GCLOUD_ARCH}.tar.gz" | \ + curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz" | \ tar -xz -C /tmp && \ /tmp/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet @@ -76,7 +76,7 @@ RUN microdnf install -y \ && rm -rf /var/cache/yum # Install kubectl - architecture-aware -ARG KUBECTL_VERSION=v1.29.0 +ARG KUBECTL_VERSION=v1.35.3 RUN ARCH=${TARGETARCH:-amd64} && \ echo "Installing kubectl for ${ARCH}" && \ curl -fsSLo /usr/local/bin/kubectl \ 
@@ -84,7 +84,7 @@ RUN ARCH=${TARGETARCH:-amd64} && \ && chmod +x /usr/local/bin/kubectl # Install helm - architecture-aware -ARG HELM_VERSION=v3.14.0 +ARG HELM_VERSION=v3.20.1 RUN ARCH=${TARGETARCH:-amd64} && \ echo "Installing helm for ${ARCH}" && \ curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" | \ @@ -94,7 +94,7 @@ RUN ARCH=${TARGETARCH:-amd64} && \ # Install roxctl - architecture-aware # The mirror has architecture-specific binaries: 'roxctl' (amd64) and 'roxctl-arm64' # Override with --build-arg ROXCTL_VERSION=4.x.x for specific versions -ARG ROXCTL_VERSION=latest +ARG ROXCTL_VERSION=4.10.0 RUN ARCH=${TARGETARCH:-amd64} && \ echo "Installing roxctl for ${ARCH}" && \ if [ "${ARCH}" = "arm64" ]; then \ 
@@ -127,16 +127,18 @@ RUN ln -s /opt/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud && \ ln -s /opt/google-cloud-sdk/bin/gke-gcloud-auth-plugin /usr/local/bin/gke-gcloud-auth-plugin # 2. AWS (EKS) - aws-iam-authenticator +# Using GitHub releases for latest version (AWS S3 bucket has outdated versions) +ARG AWS_IAM_AUTH_VERSION=0.7.12 RUN ARCH=${TARGETARCH:-amd64} && \ - echo "Installing aws-iam-authenticator for ${ARCH}" && \ + echo "Installing aws-iam-authenticator v${AWS_IAM_AUTH_VERSION} for ${ARCH}" && \ curl -fsSLo /usr/local/bin/aws-iam-authenticator \ - "https://amazon-eks.s3.us-west-2.amazonaws.com/1.30.0/2024-05-12/bin/linux/${ARCH}/aws-iam-authenticator" && \ + "https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTH_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTH_VERSION}_linux_${ARCH}" && \ chmod +x /usr/local/bin/aws-iam-authenticator # 3. Azure (AKS) - kubelogin RUN ARCH=${TARGETARCH:-amd64} && \ echo "Installing kubelogin (Azure) for ${ARCH}" && \ - KUBELOGIN_VERSION="v0.1.4" && \ + KUBELOGIN_VERSION="v0.2.16" && \ curl -fsSL "https://github.com/Azure/kubelogin/releases/download/${KUBELOGIN_VERSION}/kubelogin-linux-${ARCH}.zip" \ -o /tmp/kubelogin.zip && \ unzip -q /tmp/kubelogin.zip -d /tmp && \ From dad04675142091a679d2a4316652d4ab40eacb08 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Tue, 24 Mar 2026 14:00:11 +0100 Subject: [PATCH 05/11] Go version bumps --- go.mod | 14 +++++++------- go.sum | 30 +++++++++++++++--------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/go.mod b/go.mod index a457e6c..8c7d788 100644 --- a/go.mod +++ b/go.mod 
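Review bot: `KUBELOGIN_VERSION="v0.2.16"` is still assigned as a shell variable inside the RUN step, while a few lines up in the same hunk the authenticator version is promoted to `ARG AWS_IAM_AUTH_VERSION=0.7.12`; the two tools should be parameterized the same way so both can be overridden with `--build-arg` and picked up by tooling that scans `ARG` pins. Proposed: add `ARG KUBELOGIN_VERSION=v0.2.16` above the RUN and drop the inline assignment. Note also that both fetches are protected only by the version string in the URL; a pinned version still trusts whatever the release host serves, which a checksum check (as done elsewhere in this file) would not.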
@@ -1,19 +1,19 @@ module github.com/stackrox/roxie -go 1.25 +go 1.25.0 require ( - github.com/fatih/color v1.16.0 + github.com/fatih/color v1.19.0 github.com/moby/sys/mountinfo v0.7.2 - github.com/spf13/cobra v1.8.0 - golang.org/x/term v0.38.0 + github.com/spf13/cobra v1.10.2 + golang.org/x/term v0.41.0 gopkg.in/yaml.v3 v3.0.1 ) require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect - github.com/spf13/pflag v1.0.5 // indirect - golang.org/x/sys v0.39.0 // indirect + github.com/spf13/pflag v1.0.10 // indirect + golang.org/x/sys v0.42.0 // indirect ) diff --git a/go.sum b/go.sum index d1733f4..87aadbe 100644 --- a/go.sum +++ b/go.sum 
@@ -1,26 +1,26 @@ -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w= +github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= -github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= -github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= +github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -golang.org/x/sys 
v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= +github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= -golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q= -golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= From a1d95f4f3ddc6116d4cf1e7ae2b6e1b4c72683a8 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Tue, 24 Mar 2026 14:12:44 +0100 Subject: [PATCH 06/11] Remove helm from image -- only support operator in image --- Dockerfile | 8 -------- 1 file changed, 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index dff810b..725338c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -83,14 +83,6 @@ RUN ARCH=${TARGETARCH:-amd64} && \ "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \ && chmod +x /usr/local/bin/kubectl -# Install helm - architecture-aware -ARG HELM_VERSION=v3.20.1 -RUN ARCH=${TARGETARCH:-amd64} && \ - echo "Installing helm for ${ARCH}" && \ - curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" | \ - tar -xzO "linux-${ARCH}/helm" > /usr/local/bin/helm && \ - chmod +x /usr/local/bin/helm - # Install roxctl - architecture-aware # The mirror has architecture-specific binaries: 'roxctl' (amd64) and 'roxctl-arm64' # Override with --build-arg ROXCTL_VERSION=4.x.x for specific versions From 61f96b84e055696135a4b873a9f647e05a8ab48e Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Fri, 27 Mar 2026 13:38:37 +0100 Subject: [PATCH 07/11] Pin checksums --- Dockerfile | 49 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index 725338c..a626c6d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ # Supports multi-architecture builds (amd64, arm64) # Stage 1: Build roxie binary -FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:1.25 AS builder +FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:2830e4bd1c394ed506c00a9abbb4d00445e2e72e8ef4e3cd51e0da0db66dee12 AS builder # Build arguments for cross-compilation # These are automatically provided by Docker buildx 
@@ -35,20 +35,28 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \ # Download gcloud SDK in builder stage to avoid UBI filesystem restrictions ARG GCLOUD_VERSION=561.0.0 +ARG GCLOUD_ARM64_SHA256=f403765193caad58991650872773780d1683a78f668eee591277383ab45e6148 +ARG GCLOUD_AMD64_SHA256=10e0f4ff6e6a09a50636245a14786530ee8e8d1cbe2f2ce068e2dee7857d99cc RUN ARCH=${TARGETARCH:-amd64} && \ if [ "${ARCH}" = "amd64" ]; then \ GCLOUD_ARCH="x86_64"; \ + GCLOUD_SHA256=${GCLOUD_AMD64_SHA256}; \ elif [ "${ARCH}" = "arm64" ]; then \ GCLOUD_ARCH="arm"; \ + GCLOUD_SHA256=${GCLOUD_ARM64_SHA256}; \ else \ echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \ fi && \ - curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz" | \ - tar -xz -C /tmp && \ + filename="google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz" && \ + url="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/$(unknown)" && \ + echo "Downloading gcloud SDK from: ${url}" && \ + curl -o "/tmp/$(unknown)" -fsSL "${url}" && \ + echo "${GCLOUD_SHA256} /tmp/$(unknown)" | sha256sum -c - && \ + tar -xz -C /tmp "/tmp/$(unknown)" && \ /tmp/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet # Stage 2: Runtime image based on Red Hat UBI Minimal -FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183 # Architecture detection for multi-arch builds ARG TARGETARCH 
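Review bot: The new download lines build the archive path from `$(unknown)` — in `url=`, `curl -o`, the `sha256sum -c` line and the `tar` line — which as written is a command substitution that would run a program called `unknown` rather than expanding the `filename` variable set on the preceding line; if that is only how the patch is rendered, ignore this, otherwise every occurrence should read `${filename}`. Separately, `FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:8300…` pins a digest, which is the right move, but once a digest is present the `latest` tag is ignored by the engine and tells a reader nothing about which UBI release the digest belongs to; putting the versioned tag that the digest resolves to in place of `latest` documents the pin without changing what gets pulled.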
@@ -77,31 +85,44 @@ RUN microdnf install -y \ # Install kubectl - architecture-aware ARG KUBECTL_VERSION=v1.35.3 +ARG KUBECTL_ARM64_SHA256=6f0cd088a82dde5d5807122056069e2fac4ed447cc518efc055547ae46525f14 +ARG KUBECTL_AMD64_SHA256=fd31c7d7129260e608f6faf92d5984c3267ad0b5ead3bced2fe125686e286ad6 RUN ARCH=${TARGETARCH:-amd64} && \ echo "Installing kubectl for ${ARCH}" && \ - curl -fsSLo /usr/local/bin/kubectl \ - "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \ - && chmod +x /usr/local/bin/kubectl + if [ "${ARCH}" = "arm64" ]; then \ + KUBECTL_SHA256=${KUBECTL_ARM64_SHA256}; \ + elif [ "${ARCH}" = "amd64" ]; then \ + KUBECTL_SHA256=${KUBECTL_AMD64_SHA256}; \ + else \ + echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \ + fi && \ + url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \ + echo "Downloading kubectl from: ${url}" && \ + curl -fsSLo /usr/local/bin/kubectl "${url}" && \ + echo "${KUBECTL_SHA256} /usr/local/bin/kubectl" | sha256sum -c - && \ + chmod +x /usr/local/bin/kubectl # Install roxctl - architecture-aware # The mirror has architecture-specific binaries: 'roxctl' (amd64) and 'roxctl-arm64' -# Override with --build-arg ROXCTL_VERSION=4.x.x for specific versions ARG ROXCTL_VERSION=4.10.0 +ARG ROXCTL_ARM64_SHA256=a3951413d56671e46413009d31004d984e9c77c7520f35c8f062f5bd4e4f8212 +ARG ROXCTL_AMD64_SHA256=5db647b14569465866c0162522e83393ebf02f671f4556b1b3ed551b9f8433bc RUN ARCH=${TARGETARCH:-amd64} && \ echo "Installing roxctl for ${ARCH}" && \ if [ "${ARCH}" = "arm64" ]; then \ ROXCTL_BINARY="roxctl-arm64"; \ + ROXCTL_SHA256=${ROXCTL_ARM64_SHA256}; \ elif [ "${ARCH}" = "amd64" ]; then \ ROXCTL_BINARY="roxctl"; \ + ROXCTL_SHA256=${ROXCTL_AMD64_SHA256}; \ else \ echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \ fi && \ - ROXCTL_PATH=$([ "${ROXCTL_VERSION}" = "latest" ] && echo "latest" || echo "${ROXCTL_VERSION}") && \ - 
ROXCTL_URL="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_PATH}/bin/Linux/${ROXCTL_BINARY}" && \ - echo "Downloading from: ${ROXCTL_URL}" && \ - curl -fsSLo /usr/local/bin/roxctl "${ROXCTL_URL}" && \ - chmod +x /usr/local/bin/roxctl && \ - echo "roxctl installed successfully for ${ARCH}" + url="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_VERSION}/bin/Linux/${ROXCTL_BINARY}" && \ + echo "Downloading from: ${url}" && \ + curl -fsSLo /usr/local/bin/roxctl "${url}" && \ + echo "${ROXCTL_SHA256} /usr/local/bin/roxctl" | sha256sum -c - && \ + chmod +x /usr/local/bin/roxctl # Install podman (required for extracting operator bundles) # fuse-overlayfs provides better performance but vfs driver is more compatible From 239e4cfdc8e75bc02dc0f1b64ffa4b4f435b6523 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Mon, 30 Mar 2026 11:57:15 +0200 Subject: [PATCH 08/11] Bump gcloud sdk and reference official docs for checksums --- Dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index a626c6d..c0a0db5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,9 +34,11 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \ ./cmd # Download gcloud SDK in builder stage to avoid UBI filesystem restrictions -ARG GCLOUD_VERSION=561.0.0 -ARG GCLOUD_ARM64_SHA256=f403765193caad58991650872773780d1683a78f668eee591277383ab45e6148 -ARG GCLOUD_AMD64_SHA256=10e0f4ff6e6a09a50636245a14786530ee8e8d1cbe2f2ce068e2dee7857d99cc +# Latest version including checksums can be found at: +# https://docs.cloud.google.com/sdk/docs/install-sdk#linux +ARG GCLOUD_VERSION=562.0.0 +ARG GCLOUD_ARM64_SHA256=4fde7da4176fdc8e88f33a2293a050afada0d72d77686cdcdedeee9e807d69b6 +ARG GCLOUD_AMD64_SHA256=38bd4f203392354fa7cc5514ee38ea02bb808aa5f1f7e00257806abf782dde38 RUN ARCH=${TARGETARCH:-amd64} && \ if [ "${ARCH}" = "amd64" ]; then \ GCLOUD_ARCH="x86_64"; \ From 2100bca277cd48fb55c9e62a5d78671e97ffbb1f Mon Sep 17 00:00:00 2001 
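Review bot: aws-iam-authenticator and kubelogin are still installed without any checksum verification after this commit: the new `sha256sum -c` guard is applied to kubectl and roxctl in this hunk (and to gcloud earlier), but the two GitHub-release fetches further down the file, outside this hunk, still write `curl` output straight to `/usr/local/bin` with only a version string as protection. Apply the same pattern there — an `ARG <TOOL>_ARM64_SHA256` / `ARG <TOOL>_AMD64_SHA256` pair, then `echo "${SHA256}  <file>" | sha256sum -c -` before `chmod +x` — and, if upstream publishes per-release checksum files, cite them in a comment as was done for kubectl. Until then the image's supply-chain posture is only as strong as its weakest unverified download.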
From: Moritz Clasmeier Date: Mon, 30 Mar 2026 12:02:13 +0200 Subject: [PATCH 09/11] Simplified Dockerfile (WORKDIR setup) --- Dockerfile | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index c0a0db5..7558e89 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,11 +10,7 @@ FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:1.25@s ARG TARGETOS ARG TARGETARCH -# Create build directory with proper permissions for the default user -USER 0 WORKDIR /build -RUN chown -R 1001:0 /build -USER 1001 # Copy go mod files first for better layer caching COPY go.mod go.sum ./ From 47c0d9bea3d31b503e83669089576c9b198e3d3f Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Mon, 30 Mar 2026 12:06:31 +0200 Subject: [PATCH 10/11] Mention kubectl checksum reference --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 7558e89..0e6fe65 100644 --- a/Dockerfile +++ b/Dockerfile @@ -82,6 +82,8 @@ RUN microdnf install -y \ && rm -rf /var/cache/yum # Install kubectl - architecture-aware +# Checksums can be found at +# https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256. ARG KUBECTL_VERSION=v1.35.3 ARG KUBECTL_ARM64_SHA256=6f0cd088a82dde5d5807122056069e2fac4ed447cc518efc055547ae46525f14 ARG KUBECTL_AMD64_SHA256=fd31c7d7129260e608f6faf92d5984c3267ad0b5ead3bced2fe125686e286ad6 From 9977aac579d6fd55878e400c7212657f9a98c941 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Mon, 30 Mar 2026 14:29:17 +0200 Subject: [PATCH 11/11] Fix gcloud checksum for amd64 Fix tar invocation --- Dockerfile | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0e6fe65..56cde05 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -32,9 +32,40 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \ # Download gcloud SDK in builder stage to avoid UBI filesystem restrictions # Latest version including checksums can be found at: # https://docs.cloud.google.com/sdk/docs/install-sdk#linux +# +# Unfortunately Googles release pipelines currently do not properly support versioned, checksum-protected downloads, +# +# THE PROBLEM +# +# The page https://docs.cloud.google.com/sdk/docs/install-sdk#linux references download links which are +# unversioned, which is not suitable for CI. For these unversioned links the page contains checksums. +# +# The SDK can also be downloaded throught versioned links, which is suitable for CI usage. However, these +# versioned links are not referenced in the page and -- more importantly -- the checksums of both +# files (versioned and unversioned) are *not* the same. They differ in the filename contained in the gzip header. +# +# THE WORKAROUND +# +# I have downloaded both files, versioned and unversioned, together with the latest checksum +# from the download page for the unversioned file. Then I have decompressed both files, verified +# that both archives are bytewise identical and then I have compted the sha256 of the versioned file +# and inserted it here. 
+# +# Example: +# +# ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz +# ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-562.0.0-linux-x86_64.tar.gz +# ❯ UNVERSIONED_CHECKSUM=38bd4f203392354fa7cc5514ee38ea02bb808aa5f1f7e00257806abf782dde38 +# ❯ gzip -dk google-cloud-cli-562.0.0-linux-x86_64.tar.gz; gzip -dk google-cloud-cli-linux-x86_64.tar.gz +# ❯ echo "${UNVERSIONED_CHECKSUM} google-cloud-cli-linux-x86_64.tar.gz" | sha256sum -c - +# google-cloud-cli-linux-x86_64.tar.gz: OK +# ❯ cmp google-cloud-cli-562.0.0-linux-x86_64.tar google-cloud-cli-linux-x86_64.tar +# ❯ sha256 google-cloud-cli-562.0.0-linux-x86_64.tar.gz +# SHA256 (google-cloud-cli-562.0.0-linux-x86_64.tar.gz) = 016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3 +# ARG GCLOUD_VERSION=562.0.0 -ARG GCLOUD_ARM64_SHA256=4fde7da4176fdc8e88f33a2293a050afada0d72d77686cdcdedeee9e807d69b6 -ARG GCLOUD_AMD64_SHA256=38bd4f203392354fa7cc5514ee38ea02bb808aa5f1f7e00257806abf782dde38 +ARG GCLOUD_ARM64_SHA256=a9ebaa0f4020ea0487c2c935af3d4566d1b4a1ccae685c6b7141211fc96424ee +ARG GCLOUD_AMD64_SHA256=016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3 RUN ARCH=${TARGETARCH:-amd64} && \ if [ "${ARCH}" = "amd64" ]; then \ GCLOUD_ARCH="x86_64"; \ @@ -49,8 +80,8 @@ RUN ARCH=${TARGETARCH:-amd64} && \ url="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/$(unknown)" && \ echo "Downloading gcloud SDK from: ${url}" && \ curl -o "/tmp/$(unknown)" -fsSL "${url}" && \ - echo "${GCLOUD_SHA256} /tmp/$(unknown)" | sha256sum -c - && \ - tar -xz -C /tmp "/tmp/$(unknown)" && \ + echo "${GCLOUD_SHA256} /tmp/$(unknown)" | sha256sum -c - && \ + tar -xz -C /tmp -f "/tmp/$(unknown)" && \ /tmp/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet # Stage 2: Runtime image based on Red Hat UBI Minimal
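Review bot: The workaround comment shows the cross-check only for amd64 (`google-cloud-cli-562.0.0-linux-x86_64.tar.gz` against the published unversioned checksum), yet `GCLOUD_ARM64_SHA256=a9ebaa…` is replaced in the same hunk with no derivation shown, so a reviewer cannot tell from the comment whether the arm64 value was obtained the same way; add the `linux-arm` commands to the example or a sentence stating that the identical procedure was run for that archive. In the example, `cmp` prints nothing on success, so its silent line is easy to misread — `cmp … && echo "archives identical"` makes the check visible — and `sha256` is the BSD/macOS command, whereas the Linux equivalent used in the RUN step is `sha256sum`. Minor wording in the same comment: `throught` → `through`, `compted` → `computed`, `Googles` → `Google's`, and the opening sentence ends in a comma instead of a period.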