CVE bumps 2.11

hack/make/deps.mk

@@ -1,26 +1,13 @@
 # renovate: datasource=github-release-attachments depName=rancher/helm
-HELM_VERSION := v3.17.4-rancher1
+HELM_VERSION := v3.20.0-rancher2
 
-KUBECTL_VERSION := v1.31.7
-KUBECTL_SUM_arm64 ?= $(shell curl -L "https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/arm64/kubectl.sha256")
-KUBECTL_SUM_amd64 ?= $(shell curl -L "https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/amd64/kubectl.sha256")
-
-# renovate-local: kustomize-amd64
-KUSTOMIZE_VERSION := v5.6.0
-# renovate-local: kustomize-arm64=v5.6.0
-KUSTOMIZE_SUM_arm64 := ad8ab62d4f6d59a8afda0eec4ba2e5cd2f86bf1afeea4b78d06daac945eb0660
-# renovate-local: kustomize-amd64=v5.6.0
-KUSTOMIZE_SUM_amd64 := 54e4031ddc4e7fc59e408da29e7c646e8e57b8088c51b84b3df0864f47b5148f
+# renovate-local: kubectl-amd64
+KUBECTL_VERSION := v1.31.14
 
 # renovate: datasource=github-release-attachments depName=derailed/k9s
-K9S_VERSION := v0.50.0
-# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.0
-K9S_SUM_arm64 := 2a068382b89d3c8ca49c3b0593b50601ba0d0c057bee2433d71d3aa983e69325
-# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.0
-K9S_SUM_amd64 := 63eb225a3da358245d37e7f79904d62c1d5361e4faa9275c43fb3cdbb053dde9
+K9S_VERSION := v0.51.0
 
 # Reduces the code duplication on Makefile by keeping all args into a single variable.
 IMAGE_ARGS := --build-arg HELM_VERSION=$(HELM_VERSION) \
-			  --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) --build-arg KUBECTL_SUM_arm64=$(KUBECTL_SUM_arm64) --build-arg KUBECTL_SUM_amd64=$(KUBECTL_SUM_amd64) \
-			  --build-arg KUSTOMIZE_VERSION=$(KUSTOMIZE_VERSION) --build-arg KUSTOMIZE_SUM_arm64=$(KUSTOMIZE_SUM_arm64) --build-arg KUSTOMIZE_SUM_amd64=$(KUSTOMIZE_SUM_amd64) \
-			  --build-arg K9S_VERSION=$(K9S_VERSION) --build-arg K9S_SUM_arm64=$(K9S_SUM_arm64) --build-arg K9S_SUM_amd64=$(K9S_SUM_amd64)
+			  --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) \
+			  --build-arg K9S_VERSION=$(K9S_VERSION)

hack/test

@@ -17,14 +17,14 @@ function expected_file(){
     file="$1"
     owner="$2"
     perms="$3"
-        
+
     actualPerms=$(stat '%a' "${file}")
     actualOwner=$(stat '%u:%g' "${file}")
     if [[ "${actualPerms}" != "${perms}" ]] || \
         [[ "${actualOwner}" != "${owner}" ]]; then
         echo "${file}: expected (${owner} ${perms}) got (${actualOwner} ${actualPerms})"
         exit 1
-    else 
+    else
         echo "${file}: OK"
     fi
 }
@@ -37,7 +37,6 @@ function check_files(){
     expected_file "/usr/local/bin/kubectl" "0:0" "755"
     expected_file "/usr/local/bin/kustomize" "0:0" "755"
     expected_file "/usr/local/bin/welcome" "0:0" "755"
-    expected_file "/home/shell/kustomize.sh" "1000:1000" "755"
 }
 
 
@@ -62,7 +61,6 @@ function expected_version(){
 function check_versions(){
     echo "checking command versions:"
     expected_version "helm" "${HELM_VERSION}"
-    expected_version "kustomize" "${KUSTOMIZE_VERSION}"
     expected_version "k9s" "${K9S_VERSION}"
     # --client=true is used so that it does not fail trying to
     # identify the server version.

package/Dockerfile

@@ -1,55 +1,67 @@
-ARG BCI_VERSION=15.6
+ARG BCI_VERSION=16.0
+ARG GO_IMAGE=rancher/hardened-build-base:v1.25.11b1
 FROM registry.suse.com/bci/bci-busybox:${BCI_VERSION} AS final
 
 # Image that provides cross compilation tooling.
 FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.5.0 AS xx
 
-FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.23 AS helm
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS helm
 
 # Clone repository once, and reuse it for target archs.
 ARG HELM_VERSION
 ADD --keep-git-dir=true https://github.com/rancher/helm.git#${HELM_VERSION} /helm
-RUN cd /helm && go mod download
+RUN --mount=type=cache,target=/go/pkg/mod \
+    cd /helm && go mod download
 
 COPY --from=xx / /
 
 # Cross-compile instead of emulating the compilation on the target arch.
 ARG TARGETPLATFORM
 RUN xx-go --wrap && mkdir -p /run/lock
-RUN make -C /helm
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    make -C /helm
 
 RUN xx-verify --static /helm/bin/helm
 
-FROM --platform=$BUILDPLATFORM registry.suse.com/bci/bci-base:${BCI_VERSION} AS build
-RUN zypper -n install curl gzip tar
-
-# Define build arguments
-ARG KUBECTL_VERSION KUBECTL_SUM_arm64 KUBECTL_SUM_amd64 \
-    KUSTOMIZE_VERSION KUSTOMIZE_SUM_arm64 KUSTOMIZE_SUM_amd64 \
-    K9S_VERSION K9S_SUM_arm64 K9S_SUM_amd64
-
-ARG TARGETARCH
-# Stage kubectl into build
-ADD --chown=root:root --chmod=0755 \
-    "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" \
-    /kubectl
-
-ENV KUBECTL_SUM="KUBECTL_SUM_${TARGETARCH}"
-RUN echo "${!KUBECTL_SUM}  /kubectl" | sha256sum -c -
-
-# Stage kustomize into build
-ADD "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz" \
-    /tmp/kustomize.tar.gz
-ENV KUSTOMIZE_SUM="KUSTOMIZE_SUM_${TARGETARCH}"
-RUN echo "${!KUSTOMIZE_SUM}  /tmp/kustomize.tar.gz" | sha256sum -c - && \
-    tar -xvzf /tmp/kustomize.tar.gz -C / kustomize
-
-# Stage k9s into build
-ADD "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_${TARGETARCH}.tar.gz" \
-    /tmp/k9s.tar.gz
-ENV K9S_SUM="K9S_SUM_${TARGETARCH}"
-RUN echo "${!K9S_SUM}  /tmp/k9s.tar.gz" | sha256sum -c - && \
-    tar -xvzf /tmp/k9s.tar.gz -C / k9s
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS kubectl
+
+ARG KUBECTL_VERSION
+ADD https://github.com/kubernetes/kubernetes/archive/refs/tags/${KUBECTL_VERSION}.tar.gz /src.tar.gz
+RUN mkdir /src && tar -xzf /src.tar.gz -C /src --strip-components=1 && rm /src.tar.gz
+
+COPY --from=xx / /
+ARG TARGETPLATFORM
+RUN xx-go --wrap
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    cd /src && \
+    KUBE_GIT_VERSION=${KUBECTL_VERSION} \
+    KUBE_GIT_COMMIT=unknown \
+    KUBE_GIT_TREE_STATE=clean \
+    KUBE_BUILD_PLATFORMS=$(xx-info os)/$(xx-info arch) \
+    GOFLAGS="-tags=providerless" \
+    CGO_ENABLED=0 \
+    make WHAT=cmd/kubectl && \
+    cp /src/_output/local/bin/$(xx-info os)/$(xx-info arch)/kubectl /kubectl
+RUN xx-verify --static /kubectl
+
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS k9s
+
+ARG K9S_VERSION
+ADD https://github.com/derailed/k9s/archive/refs/tags/${K9S_VERSION}.tar.gz /src.tar.gz
+RUN mkdir /src && tar -xzf /src.tar.gz -C /src --strip-components=1 && rm /src.tar.gz
+
+COPY --from=xx / /
+ARG TARGETPLATFORM
+RUN xx-go --wrap
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    cd /src && \
+    CGO_ENABLED=0 go build -trimpath \
+      -ldflags="-s -w -X github.com/derailed/k9s/cmd.version=${K9S_VERSION}" \
+      -o /k9s .
+RUN xx-verify --static /k9s
 
 FROM registry.suse.com/bci/bci-base:${BCI_VERSION} AS zypper
 
@@ -65,30 +77,30 @@ RUN zypper --non-interactive refresh && \
     zypper --installroot /chroot -n rm busybox-vi busybox-links && \
     zypper --installroot /chroot -n in bash-completion jq vim curl && \
     zypper --installroot /chroot clean -a && \
-    rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/* /chroot/etc/zypp/
-    
+    rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/* /chroot/etc/zypp/ /chroot/run/zypp.pid
+
 
 RUN echo 'shell:x:1000:1000:shell,,,:/home/shell:/bin/bash' > /chroot/etc/passwd && \
         echo 'shell:x:1000:' > /chroot/etc/group && \
-        mkdir /chroot/home/shell && \
+        mkdir -p /chroot/home/shell/.kube /chroot/home/shell/helm-run && \
         echo '. /etc/profile.d/bash_completion.sh' >> /chroot/home/shell/.bashrc && \
         echo 'alias k="kubectl"' >> /chroot/home/shell/.bashrc && \
         echo 'alias ks="kubectl -n kube-system"' >> /chroot/home/shell/.bashrc && \
         echo 'source <(kubectl completion bash)' >> /chroot/home/shell/.bashrc && \
         echo 'complete -o default -F __start_kubectl k' >> /chroot/home/shell/.bashrc && \
         echo 'LANG=en_US.UTF-8' >> /chroot/home/shell/.bashrc && \
         echo 'PS1="> "' >> /chroot/home/shell/.bashrc && \
-        mkdir /chroot/home/shell/.kube && \
-        chown -R 1000:1000 /chroot/home/shell && \
-        chmod 700 /chroot/run
+        mkdir -p /chroot/tmp && \
+        chmod 1777 /chroot/tmp && \
+        chown -R 1000:1000 /chroot/home/shell
 
 FROM scratch
 
 COPY --from=zypper /chroot /
 COPY --chown=root:root --chmod=0755 --from=helm /helm/bin/helm /usr/local/bin/
-COPY --chown=root:root --chmod=0755 --from=build /kubectl /k9s /kustomize* /usr/local/bin/
-COPY --chown=root:root --chmod=0755 package/helm-cmd package/welcome /usr/local/bin/
-COPY --chown=1000:1000 --chmod=0755 package/kustomize.sh /home/shell/
+COPY --chown=root:root --chmod=0755 --from=kubectl /kubectl /usr/local/bin/
+COPY --chown=root:root --chmod=0755 --from=k9s /k9s /usr/local/bin/
+COPY --chown=root:root --chmod=0755 package/helm-cmd package/welcome package/kustomize /usr/local/bin/
 
 USER 1000
 

package/helm-cmd

@@ -15,14 +15,6 @@ for i in $(seq 1 20); do
 done
 
 for i in operation*; do
-    # If a kustomize yaml has been passed along with the operation
-    # it will have the same numerical suffix.
-    kustomization=$(echo $i.yaml | sed "s/operation/kustomization/g")
-    if [[ -f $kustomization ]]; then
-      # Renaming file because kustomize only supports the following filenames:
-      # kustomization.yaml, kustomization.yml, and Kustomization.
-      cp $kustomization kustomization.yaml
-    fi
     cat $i | xargs -0 -- echo helm
     cat $i | xargs -0 -- helm
     echo

package/kustomize

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+declare TRACE
+[[ "${TRACE}" == 1 ]] && set -o xtrace
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o noclobber
+
+kustomize-proxy() {
+  exec kubectl kustomize "${@}"
+}
+
+args-parse() {
+  if [[ "$#" -eq 0 ]]; then
+    1>&2 printf "error: no subcommand given\n"
+    exit 1
+  fi
+
+  while [[ "$#" -gt 0 ]]; do
+    case "${1}" in
+    build)
+      shift
+      kustomize-proxy "${@}"
+      ;;
+    *)
+      1>&2 printf "error: subcommand \`%s\` not supported, only \`build\` is available\n" "${1}"
+      exit 1
+      ;;
+    esac
+  done
+}
+
+main() {
+  args-parse "$@"
+}
+
+main "$@"