From 836796154a9d431142bdc6f5e51b603365b4b6ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rodolfo=20M=C3=B3i=20de=20Oliveira?=
Date: Fri, 24 Apr 2026 10:33:11 -0300
Subject: [PATCH 1/3] Remove kustomize (#436)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replaces `kustomize` with a minimal shell script that proxies the `build` subcommand to `kubectl kustomize` and rejects everything else.
* Remove kustomize.sh script
* Remove kustomize binary
* Remove kustomize from helm-cmd
* Add kustomize wrapper script
See rancher/rancher#54676
Signed-off-by: Rodolfo Mói de Oliveira
---
 hack/make/deps.mk | 8 --------
 hack/test | 6 ++----
 package/Dockerfile | 11 +++++------
 package/helm-cmd | 8 --------
 package/kustomize | 38 ++++++++++++++++++++++++++++++++++++++
 package/kustomize.sh | 5 -----
 6 files changed, 45 insertions(+), 31 deletions(-)
 create mode 100755 package/kustomize
 delete mode 100755 package/kustomize.sh
diff --git a/hack/make/deps.mk b/hack/make/deps.mk
index f56e214..79ac7af 100644
--- a/hack/make/deps.mk
+++ b/hack/make/deps.mk
@@ -5,13 +5,6 @@ KUBECTL_VERSION := v1.31.7
 KUBECTL_SUM_arm64 ?= $(shell curl -L "https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/arm64/kubectl.sha256")
 KUBECTL_SUM_amd64 ?= $(shell curl -L "https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/amd64/kubectl.sha256")
-# renovate-local: kustomize-amd64
-KUSTOMIZE_VERSION := v5.6.0
-# renovate-local: kustomize-arm64=v5.6.0
-KUSTOMIZE_SUM_arm64 := ad8ab62d4f6d59a8afda0eec4ba2e5cd2f86bf1afeea4b78d06daac945eb0660
-# renovate-local: kustomize-amd64=v5.6.0
-KUSTOMIZE_SUM_amd64 := 54e4031ddc4e7fc59e408da29e7c646e8e57b8088c51b84b3df0864f47b5148f
-
 # renovate: datasource=github-release-attachments depName=derailed/k9s
 K9S_VERSION := v0.50.0
 # renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.0
@@ -22,5 +15,4 @@ K9S_SUM_amd64 := 63eb225a3da358245d37e7f79904d62c1d5361e4faa9275c43fb3cdbb053dde
 # Reduces the code duplication on Makefile by keeping all args into a single variable.
 IMAGE_ARGS := --build-arg HELM_VERSION=$(HELM_VERSION) \
 --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) --build-arg KUBECTL_SUM_arm64=$(KUBECTL_SUM_arm64) --build-arg KUBECTL_SUM_amd64=$(KUBECTL_SUM_amd64) \
- --build-arg KUSTOMIZE_VERSION=$(KUSTOMIZE_VERSION) --build-arg KUSTOMIZE_SUM_arm64=$(KUSTOMIZE_SUM_arm64) --build-arg KUSTOMIZE_SUM_amd64=$(KUSTOMIZE_SUM_amd64) \
 --build-arg K9S_VERSION=$(K9S_VERSION) --build-arg K9S_SUM_arm64=$(K9S_SUM_arm64) --build-arg K9S_SUM_amd64=$(K9S_SUM_amd64)
diff --git a/hack/test b/hack/test
index fc40c58..ef1f67e 100755
--- a/hack/test
+++ b/hack/test
@@ -17,14 +17,14 @@ function expected_file(){
 file="$1"
 owner="$2"
 perms="$3"
-
+
 actualPerms=$(stat '%a' "${file}")
 actualOwner=$(stat '%u:%g' "${file}")
 if [[ "${actualPerms}" != "${perms}" ]] || \
 [[ "${actualOwner}" != "${owner}" ]]; then
 echo "${file}: expected (${owner} ${perms}) got (${actualOwner} ${actualPerms})"
 exit 1
- else
+ else
 echo "${file}: OK"
 fi
 }
@@ -37,7 +37,6 @@ function check_files(){
 expected_file "/usr/local/bin/kubectl" "0:0" "755"
 expected_file "/usr/local/bin/kustomize" "0:0" "755"
 expected_file "/usr/local/bin/welcome" "0:0" "755"
- expected_file "/home/shell/kustomize.sh" "1000:1000" "755"
 }
@@ -62,7 +61,6 @@ function expected_version(){
 function check_versions(){
 echo "checking command versions:"
 expected_version "helm" "${HELM_VERSION}"
- expected_version "kustomize" "${KUSTOMIZE_VERSION}"
 expected_version "k9s" "${K9S_VERSION}"
 # --client=true is used so that it does not fail trying to
 # identify the server version.
diff --git a/package/Dockerfile b/package/Dockerfile
index 510a2bd..8d80e04 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -25,7 +25,7 @@ RUN zypper -n install curl gzip tar
 # Define build arguments
 ARG KUBECTL_VERSION KUBECTL_SUM_arm64 KUBECTL_SUM_amd64 \
- KUSTOMIZE_VERSION KUSTOMIZE_SUM_arm64 KUSTOMIZE_SUM_amd64 \
+ HELM_VERSION HELM_SUM_arm64 HELM_SUM_amd64 \
 K9S_VERSION K9S_SUM_arm64 K9S_SUM_amd64
 ARG TARGETARCH
@@ -65,8 +65,8 @@ RUN zypper --non-interactive refresh && \
 zypper --installroot /chroot -n rm busybox-vi busybox-links && \
 zypper --installroot /chroot -n in bash-completion jq vim curl && \
 zypper --installroot /chroot clean -a && \
- rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/* /chroot/etc/zypp/
-
+ rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/* /chroot/etc/zypp/ /chroot/run/zypp.pid
+
 RUN echo 'shell:x:1000:1000:shell,,,:/home/shell:/bin/bash' > /chroot/etc/passwd && \
 echo 'shell:x:1000:' > /chroot/etc/group && \
@@ -86,9 +86,8 @@ FROM scratch
 COPY --from=zypper /chroot /
 COPY --chown=root:root --chmod=0755 --from=helm /helm/bin/helm /usr/local/bin/
-COPY --chown=root:root --chmod=0755 --from=build /kubectl /k9s /kustomize* /usr/local/bin/
-COPY --chown=root:root --chmod=0755 package/helm-cmd package/welcome /usr/local/bin/
-COPY --chown=1000:1000 --chmod=0755 package/kustomize.sh /home/shell/
+COPY --chown=root:root --chmod=0755 --from=build /kubectl /helm /k9s /usr/local/bin/
+COPY --chown=root:root --chmod=0755 package/helm-cmd package/welcome package/kustomize /usr/local/bin/
 USER 1000
diff --git a/package/helm-cmd b/package/helm-cmd
index c54bc47..b7d75b2 100755
--- a/package/helm-cmd
+++ b/package/helm-cmd
@@ -15,14 +15,6 @@ for i in $(seq 1 20); do
 done
 for i in operation*; do
- # If a kustomize yaml has been passed along with the operation
- # it will have the same numerical suffix.
- kustomization=$(echo $i.yaml | sed "s/operation/kustomization/g")
- if [[ -f $kustomization ]]; then
- # Renaming file because kustomize only supports the following filenames:
- # kustomization.yaml, kustomization.yml, and Kustomization.
- cp $kustomization kustomization.yaml
- fi
 cat $i | xargs -0 -- echo helm
 cat $i | xargs -0 -- helm
 echo
diff --git a/package/kustomize b/package/kustomize
new file mode 100755
index 0000000..bd514d4
--- /dev/null
+++ b/package/kustomize
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+declare TRACE
+[[ "${TRACE}" == 1 ]] && set -o xtrace
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o noclobber
+
+kustomize-proxy() {
+ exec kubectl kustomize "${@}"
+}
+
+args-parse() {
+ if [[ "$#" -eq 0 ]]; then
+ 1>&2 printf "error: no subcommand given\n"
+ exit 1
+ fi
+
+ while [[ "$#" -gt 0 ]]; do
+ case "${1}" in
+ build)
+ shift
+ kustomize-proxy "${@}"
+ ;;
+ *)
+ 1>&2 printf "error: subcommand \`%s\` not supported, only \`build\` is available\n" "${1}"
+ exit 1
+ ;;
+ esac
+ done
+}
+
+main() {
+ args-parse "$@"
+}
+
+main "$@"
diff --git a/package/kustomize.sh b/package/kustomize.sh
deleted file mode 100755
index 9e4a0fb..0000000
--- a/package/kustomize.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-cat <&0 > /home/shell/helm-run/all.yaml
-
-kustomize build . && rm /home/shell/helm-run/all.yaml
From 5b89fa6ce842ba336cf35956344afcd5721dab6f Mon Sep 17 00:00:00 2001
From: Diogo Souza
Date: Thu, 11 Jun 2026 20:12:50 -0300
Subject: [PATCH 2/3] keep local helm
---
 package/Dockerfile | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/package/Dockerfile b/package/Dockerfile
index 8d80e04..c53196a 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
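Review bot: Lim­iting the subcommand to `build` does not limit what `build` may do, because `kustomize-proxy` hands every remaining argument to `exec kubectl kustomize "${@}"` untouched, and as far as I can tell `kubectl kustomize` exposes the same build flags as `kustomize build` (`--enable-alpha-plugins`, `--enable-helm`, `--load-restrictor`) that widen what a kustomization is allowed to read or run. If the `build`-only check is meant as a boundary for whoever invokes this wrapper rather than a convenience, screen the forwarded arguments as well, e.g. before the `exec`: `for a in "$@"; do case "$a" in --enable-*|--load-restrictor*) printf 'error: flag %s is not allowed\n' "$a" >&2; exit 1 ;; esac; done`; otherwise a comment stating that flags are passed through unchecked would at least record the decision. The `while [[ "$#" -gt 0 ]]` loop in `args-parse` can only ever run one iteration, since the `build` arm never returns and the other arm exits, so a plain `case "${1}" in` reads more honestly. `declare TRACE` leaves `TRACE` unset, and the `[[ "${TRACE}" == 1 ]]` test only works because it precedes `set -o nounset`; `: "${TRACE:=0}"` would make that independent of statement order.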
@@ -37,18 +37,10 @@ ADD --chown=root:root --chmod=0755 \
 ENV KUBECTL_SUM="KUBECTL_SUM_${TARGETARCH}"
 RUN echo "${!KUBECTL_SUM} /kubectl" | sha256sum -c -
-# Stage kustomize into build
-ADD "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz" \
- /tmp/kustomize.tar.gz
-ENV KUSTOMIZE_SUM="KUSTOMIZE_SUM_${TARGETARCH}"
-RUN echo "${!KUSTOMIZE_SUM} /tmp/kustomize.tar.gz" | sha256sum -c - && \
- tar -xvzf /tmp/kustomize.tar.gz -C / kustomize
-
 # Stage k9s into build
-ADD "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_${TARGETARCH}.tar.gz" \
- /tmp/k9s.tar.gz
 ENV K9S_SUM="K9S_SUM_${TARGETARCH}"
-RUN echo "${!K9S_SUM} /tmp/k9s.tar.gz" | sha256sum -c - && \
+RUN curl --output /tmp/k9s.tar.gz -sLf "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_${TARGETARCH}.tar.gz" && \
+ echo "${!K9S_SUM} /tmp/k9s.tar.gz" | sha256sum -c - && \
 tar -xvzf /tmp/k9s.tar.gz -C / k9s
 FROM registry.suse.com/bci/bci-base:${BCI_VERSION} AS zypper
@@ -86,7 +78,7 @@ FROM scratch
 COPY --from=zypper /chroot /
 COPY --chown=root:root --chmod=0755 --from=helm /helm/bin/helm /usr/local/bin/
-COPY --chown=root:root --chmod=0755 --from=build /kubectl /helm /k9s /usr/local/bin/
+COPY --chown=root:root --chmod=0755 --from=build /kubectl /k9s /usr/local/bin/
 COPY --chown=root:root --chmod=0755 package/helm-cmd package/welcome package/kustomize /usr/local/bin/
 USER 1000
From 467eb5276778b37b266eceb465f62f483b2a62c7 Mon Sep 17 00:00:00 2001
From: Diogo Souza
Date: Thu, 11 Jun 2026 20:13:55 -0300
Subject: [PATCH 3/3] cve bumps and building bins locally
---
 hack/make/deps.mk | 17 ++++------
 package/Dockerfile | 77 +++++++++++++++++++++++++++++-----------------
 2 files changed, 55 insertions(+), 39 deletions(-)
diff --git a/hack/make/deps.mk b/hack/make/deps.mk
index 79ac7af..3f9f9e0 100644
--- a/hack/make/deps.mk
+++ b/hack/make/deps.mk
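Review bot: `curl --output /tmp/k9s.tar.gz -sLf ...` discards curl's own error text together with the progress meter, so a failed download surfaces only as a bare non-zero exit of the `RUN` with no hint why; `curl -sSLf --proto '=https' --proto-redir '=https' ...` keeps the diagnostic and refuses a downgrade to plain HTTP on the way. The `echo "${!K9S_SUM} /tmp/k9s.tar.gz" | sha256sum -c -` line still verifies the archive against the sum held in deps.mk, so the move from `ADD` to `curl` does not weaken integrity checking; the point is the diagnosability of build failures. The `RUN` being changed is complete within the hunk.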
@@ -1,18 +1,13 @@
 # renovate: datasource=github-release-attachments depName=rancher/helm
-HELM_VERSION := v3.17.4-rancher1
+HELM_VERSION := v3.20.0-rancher2
-KUBECTL_VERSION := v1.31.7
-KUBECTL_SUM_arm64 ?= $(shell curl -L "https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/arm64/kubectl.sha256")
-KUBECTL_SUM_amd64 ?= $(shell curl -L "https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/amd64/kubectl.sha256")
+# renovate-local: kubectl-amd64
+KUBECTL_VERSION := v1.31.14
 # renovate: datasource=github-release-attachments depName=derailed/k9s
-K9S_VERSION := v0.50.0
-# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.0
-K9S_SUM_arm64 := 2a068382b89d3c8ca49c3b0593b50601ba0d0c057bee2433d71d3aa983e69325
-# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.0
-K9S_SUM_amd64 := 63eb225a3da358245d37e7f79904d62c1d5361e4faa9275c43fb3cdbb053dde9
+K9S_VERSION := v0.51.0
 # Reduces the code duplication on Makefile by keeping all args into a single variable.
 IMAGE_ARGS := --build-arg HELM_VERSION=$(HELM_VERSION) \
- --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) --build-arg KUBECTL_SUM_arm64=$(KUBECTL_SUM_arm64) --build-arg KUBECTL_SUM_amd64=$(KUBECTL_SUM_amd64) \
- --build-arg K9S_VERSION=$(K9S_VERSION) --build-arg K9S_SUM_arm64=$(K9S_SUM_arm64) --build-arg K9S_SUM_amd64=$(K9S_SUM_amd64)
+ --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) \
+ --build-arg K9S_VERSION=$(K9S_VERSION)
diff --git a/package/Dockerfile b/package/Dockerfile
index c53196a..3330ee3 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
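Review bot: `# renovate-local: kubectl-amd64` above `KUBECTL_VERSION := v1.31.14` keeps the per-arch marker style that the deleted `KUBECTL_SUM_*` and `K9S_SUM_*` entries used, but there is no longer an amd64-specific value for that rule to update, so the marker is either stale or points the local renovate rule at a name that no longer exists; presumably the `# renovate: datasource=... depName=...` form used for the helm and k9s entries is what is wanted here. With the sums gone, nothing in this file pins either tool beyond a tag name, which is only as strong as whatever the Dockerfile does with that tag; a one-line comment such as `# kubectl and k9s are built from source; integrity of the source archives is checked in package/Dockerfile` (or a note that it is not) would spare the next reader the cross-file check.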
@@ -1,47 +1,67 @@
-ARG BCI_VERSION=15.6
+ARG BCI_VERSION=16.0
+ARG GO_IMAGE=rancher/hardened-build-base:v1.25.11b1
 FROM registry.suse.com/bci/bci-busybox:${BCI_VERSION} AS final
 # Image that provides cross compilation tooling.
 FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.5.0 AS xx
-FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.23 AS helm
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS helm
 # Clone repository once, and reuse it for target archs.
 ARG HELM_VERSION
 ADD --keep-git-dir=true https://github.com/rancher/helm.git#${HELM_VERSION} /helm
-RUN cd /helm && go mod download
+RUN --mount=type=cache,target=/go/pkg/mod \
+ cd /helm && go mod download
 COPY --from=xx / /
 # Cross-compile instead of emulating the compilation on the target arch.
 ARG TARGETPLATFORM
 RUN xx-go --wrap && mkdir -p /run/lock
-RUN make -C /helm
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ make -C /helm
 RUN xx-verify --static /helm/bin/helm
-FROM --platform=$BUILDPLATFORM registry.suse.com/bci/bci-base:${BCI_VERSION} AS build
-RUN zypper -n install curl gzip tar
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS kubectl
-# Define build arguments
-ARG KUBECTL_VERSION KUBECTL_SUM_arm64 KUBECTL_SUM_amd64 \
- HELM_VERSION HELM_SUM_arm64 HELM_SUM_amd64 \
- K9S_VERSION K9S_SUM_arm64 K9S_SUM_amd64
+ARG KUBECTL_VERSION
+ADD https://github.com/kubernetes/kubernetes/archive/refs/tags/${KUBECTL_VERSION}.tar.gz /src.tar.gz
+RUN mkdir /src && tar -xzf /src.tar.gz -C /src --strip-components=1 && rm /src.tar.gz
-ARG TARGETARCH
-# Stage kubectl into build
-ADD --chown=root:root --chmod=0755 \
- "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" \
- /kubectl
-
-ENV KUBECTL_SUM="KUBECTL_SUM_${TARGETARCH}"
-RUN echo "${!KUBECTL_SUM} /kubectl" | sha256sum -c -
+COPY --from=xx / /
+ARG TARGETPLATFORM
+RUN xx-go --wrap
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ cd /src && \
+ KUBE_GIT_VERSION=${KUBECTL_VERSION} \
+ KUBE_GIT_COMMIT=unknown \
+ KUBE_GIT_TREE_STATE=clean \
+ KUBE_BUILD_PLATFORMS=$(xx-info os)/$(xx-info arch) \
+ GOFLAGS="-tags=providerless" \
+ CGO_ENABLED=0 \
+ make WHAT=cmd/kubectl && \
+ cp /src/_output/local/bin/$(xx-info os)/$(xx-info arch)/kubectl /kubectl
+RUN xx-verify --static /kubectl
+
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS k9s
+
+ARG K9S_VERSION
+ADD https://github.com/derailed/k9s/archive/refs/tags/${K9S_VERSION}.tar.gz /src.tar.gz
+RUN mkdir /src && tar -xzf /src.tar.gz -C /src --strip-components=1 && rm /src.tar.gz
-# Stage k9s into build
-ENV K9S_SUM="K9S_SUM_${TARGETARCH}"
-RUN curl --output /tmp/k9s.tar.gz -sLf "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_${TARGETARCH}.tar.gz" && \
- echo "${!K9S_SUM} /tmp/k9s.tar.gz" | sha256sum -c - && \
- tar -xvzf /tmp/k9s.tar.gz -C / k9s
+COPY --from=xx / /
+ARG TARGETPLATFORM
+RUN xx-go --wrap
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ cd /src && \
+ CGO_ENABLED=0 go build -trimpath \
+ -ldflags="-s -w -X github.com/derailed/k9s/cmd.version=${K9S_VERSION}" \
+ -o /k9s .
+RUN xx-verify --static /k9s
 FROM registry.suse.com/bci/bci-base:${BCI_VERSION} AS zypper
@@ -62,7 +82,7 @@ RUN zypper --non-interactive refresh && \
 RUN echo 'shell:x:1000:1000:shell,,,:/home/shell:/bin/bash' > /chroot/etc/passwd && \
 echo 'shell:x:1000:' > /chroot/etc/group && \
- mkdir /chroot/home/shell && \
+ mkdir -p /chroot/home/shell/.kube /chroot/home/shell/helm-run && \
 echo '. /etc/profile.d/bash_completion.sh' >> /chroot/home/shell/.bashrc && \
 echo 'alias k="kubectl"' >> /chroot/home/shell/.bashrc && \
 echo 'alias ks="kubectl -n kube-system"' >> /chroot/home/shell/.bashrc && \
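Review bot: `ADD https://github.com/kubernetes/kubernetes/archive/refs/tags/${KUBECTL_VERSION}.tar.gz /src.tar.gz` and the matching `ADD https://github.com/derailed/k9s/archive/refs/tags/${K9S_VERSION}.tar.gz /src.tar.gz` later in the hunk bring the sources in with no integrity check, whereas the release binaries they replace were verified with `sha256sum -c` against sums kept in deps.mk; a tag can be moved and the on-demand archive regenerated, so the build input is now pinned by name only. Fetching git the way the helm stage already does but at a commit — `ADD --keep-git-dir=true https://github.com/kubernetes/kubernetes.git#<commit-sha> /src` with `<commit-sha>` recorded next to the version in deps.mk — or `ADD --checksum=sha256:<sum>` on the archive URL would restore a verifiable input (both values are placeholders to fill in). `ARG GO_IMAGE=rancher/hardened-build-base:v1.25.11b1` is likewise pinned by tag only and lives here instead of in deps.mk with the other versions, so it sits outside the renovate markers. The hunk starts at the top of the file, and the kubectl stage's build `RUN` is split across the rendered lines.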
@@ -70,15 +90,16 @@ RUN echo 'shell:x:1000:1000:shell,,,:/home/shell:/bin/bash' > /chroot/etc/passwd
 echo 'complete -o default -F __start_kubectl k' >> /chroot/home/shell/.bashrc && \
 echo 'LANG=en_US.UTF-8' >> /chroot/home/shell/.bashrc && \
 echo 'PS1="> "' >> /chroot/home/shell/.bashrc && \
- mkdir /chroot/home/shell/.kube && \
- chown -R 1000:1000 /chroot/home/shell && \
- chmod 700 /chroot/run
+ mkdir -p /chroot/tmp && \
+ chmod 1777 /chroot/tmp && \
+ chown -R 1000:1000 /chroot/home/shell
 FROM scratch
 COPY --from=zypper /chroot /
 COPY --chown=root:root --chmod=0755 --from=helm /helm/bin/helm /usr/local/bin/
-COPY --chown=root:root --chmod=0755 --from=build /kubectl /k9s /usr/local/bin/
+COPY --chown=root:root --chmod=0755 --from=kubectl /kubectl /usr/local/bin/
+COPY --chown=root:root --chmod=0755 --from=k9s /k9s /usr/local/bin/
 COPY --chown=root:root --chmod=0755 package/helm-cmd package/welcome package/kustomize /usr/local/bin/
 USER 1000
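Review bot: `chmod 700 /chroot/run` is dropped from the end of this `RUN` with no replacement and no mention in the commit message, so `/run` in the final image presumably keeps whatever mode the zypper `--installroot` gave it; if relaxing it is intentional now that `/chroot/run/zypp.pid` is removed earlier in the file, say so in a comment on the `RUN`, otherwise keep `chmod 700 /chroot/run` after the `chown -R 1000:1000 /chroot/home/shell` line. The added `mkdir -p /chroot/tmp && chmod 1777 /chroot/tmp` is the right mode for a shared `/tmp` in an image assembled `FROM scratch`. The `RUN` being edited starts outside the hunk.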