Adding checksum verification kubectl (#9963)

* Adding checksum verification kubectl Added checksum check of binary file, added PYTHONDONTWRITEBYTECODE variable to improve stability of pip after installing packages and deleting cache, added --no-compile switch to pip package installation to improve performance after deleting cache. * Update Dockerfile
2023-04-11 12:47:18 +03:00 · 2023-04-11 12:47:18 +03:00 · 107cb7f549
parent 6c30b3f263
commit 107cb7f549
1 changed files with 25 additions and 18 deletions
--- a/43
+++ b/43
@ -5,9 +5,8 @@ FROM ubuntu:focal-20220531
 # (and potentially other packages)
 # See: https://github.com/pypa/pip/issues/10219
 ENV LANG=C.UTF-8 \
-    DEBIAN_FRONTEND=noninteractive
-ARG ARCH=amd64
-
+    DEBIAN_FRONTEND=noninteractive \
+    PYTHONDONTWRITEBYTECODE=1
 WORKDIR /kubespray
 COPY *yml .
 COPY roles ./roles
@ -16,19 +15,27 @@ COPY inventory ./inventory
 COPY library ./library
 COPY extra_playbooks ./extra_playbooks

-RUN apt update && apt install -y --no-install-recommends \
-    curl python3 python3-pip sshpass vim rsync openssh-client \
-    && rm -rf /var/lib/apt/lists/* /var/log/* \
-    && pip install --no-cache-dir \
-    ansible==5.7.1 \
-    ansible-core==2.12.5 \
-    cryptography==3.4.8 \
-    jinja2==2.11.3 \
-    netaddr==0.7.19 \
-    jmespath==1.0.1 \
-    MarkupSafe==1.1.1 \
-    ruamel.yaml==0.17.21 \
-    && find / -type d -name '*__pycache__' -prune -exec rm -rf {} \; \
+RUN apt update -q \
+    && apt install -yq --no-install-recommends \
+       curl \
+       python3 \
+       python3-pip \
+       sshpass \
+       vim \
+       rsync \
+       openssh-client \
+    && pip install --no-compile --no-cache-dir \
+       ansible==5.7.1 \
+       ansible-core==2.12.5 \
+       cryptography==3.4.8 \
+       jinja2==2.11.3 \
+       netaddr==0.7.19 \
+       jmespath==1.0.1 \
+       MarkupSafe==1.1.1 \
+       ruamel.yaml==0.17.21 \
    && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
-    && curl -L https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$ARCH/kubectl -o /usr/local/bin/kubectl \
-    && chmod a+x /usr/local/bin/kubectl
+    && curl -L https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && chmod a+x /usr/local/bin/kubectl \
+    && rm -rf /var/lib/apt/lists/* /var/log/* \
+    && find / -type d -name '*__pycache__' -prune -exec rm -rf {} \;