From 107cb7f5499c59fff8a456f11c3ee539c6026262 Mon Sep 17 00:00:00 2001
From: Aleksey Karpov <86011874+alekseyolg@users.noreply.github.com>
Date: Tue, 11 Apr 2023 12:47:18 +0300
Subject: [PATCH] Adding checksum verification kubectl (#9963)

* Adding checksum verification kubectl

Added checksum check of binary file, added PYTHONDONTWRITEBYTECODE variable to improve stability of pip after installing packages and deleting cache, added --no-compile switch to pip package installation to improve performance after deleting cache.

* Update Dockerfile
---
 Dockerfile | 43 +++++++++++++++++++++++++------------------
 1 file changed, 25 insertions(+), 18 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 45b89a750..51b0bf8b5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,9 +5,8 @@ FROM ubuntu:focal-20220531
 # (and potentially other packages)
 # See: https://github.com/pypa/pip/issues/10219
 ENV LANG=C.UTF-8 \
-    DEBIAN_FRONTEND=noninteractive
-ARG ARCH=amd64
-
+    DEBIAN_FRONTEND=noninteractive \
+    PYTHONDONTWRITEBYTECODE=1
 WORKDIR /kubespray
 COPY *yml .
 COPY roles ./roles
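Review bot: `PYTHONDONTWRITEBYTECODE=1` is set with `ENV`, so it persists into every container started from the image and not only the build, and the file does not say why. The commit message suggests the goal is to keep pip stable once the `__pycache__` directories are deleted. If that is the only purpose, a comment above the `ENV` would record it, e.g. `# PYTHONDONTWRITEBYTECODE: do not regenerate __pycache__ after the cleanup at the end of the RUN step`. If the setting is only needed at build time, it could instead be set inline on the `RUN` that calls pip. The same hunk drops `ARG ARCH`, so any caller still passing `--build-arg ARCH=...` would presumably no longer affect which kubectl binary is downloaded; that is worth a line in the description.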
@@ -16,19 +15,27 @@ COPY inventory ./inventory
 COPY library ./library
 COPY extra_playbooks ./extra_playbooks
 
-RUN apt update && apt install -y --no-install-recommends \
-    curl python3 python3-pip sshpass vim rsync openssh-client \
-    && rm -rf /var/lib/apt/lists/* /var/log/* \
-    && pip install --no-cache-dir \
-    ansible==5.7.1 \
-    ansible-core==2.12.5 \
-    cryptography==3.4.8 \
-    jinja2==2.11.3 \
-    netaddr==0.7.19 \
-    jmespath==1.0.1 \
-    MarkupSafe==1.1.1 \
-    ruamel.yaml==0.17.21 \
-    && find / -type d -name '*__pycache__' -prune -exec rm -rf {} \; \
+RUN apt update -q \
+    && apt install -yq --no-install-recommends \
+       curl \
+       python3 \
+       python3-pip \
+       sshpass \
+       vim \
+       rsync \
+       openssh-client \
+    && pip install --no-compile --no-cache-dir \
+       ansible==5.7.1 \
+       ansible-core==2.12.5 \
+       cryptography==3.4.8 \
+       jinja2==2.11.3 \
+       netaddr==0.7.19 \
+       jmespath==1.0.1 \
+       MarkupSafe==1.1.1 \
+       ruamel.yaml==0.17.21 \
     && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
-    && curl -L https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$ARCH/kubectl -o /usr/local/bin/kubectl \
-    && chmod a+x /usr/local/bin/kubectl
+    && curl -L https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && chmod a+x /usr/local/bin/kubectl \
+    && rm -rf /var/lib/apt/lists/* /var/log/* \
+    && find / -type d -name '*__pycache__' -prune -exec rm -rf {} \;
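Review bot: The added `sha256sum --check` step downloads `kubectl.sha256` from the same bucket and over the same channel as the binary it verifies. It therefore catches a truncated or corrupted download, but gives no assurance if the origin serves a modified binary together with a matching digest. For supply-chain integrity, the expected digest should come from a source the download cannot influence, such as a value committed in this repository per `kube_version` and architecture: `&& echo "<PINNED_SHA256>  /usr/local/bin/kubectl" | sha256sum --check` (placeholder digest). Both `curl -L` calls also lack `--fail`, so an HTTP error body would be written to `/usr/local/bin/kubectl` or substituted into the checksum line; `curl -fsSL` makes that failure explicit instead of surfacing as a confusing checksum mismatch.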
-- 
GitLab