From 46f878e6c5bc57819de31f78d502dd6f4e7f021a Mon Sep 17 00:00:00 2001
From: "David.Houck" <David.Houck@sas.com>
Date: Mon, 2 Dec 2024 19:49:54 -0500
Subject: [PATCH] Add checksum for kubectl download

Signed-off-by: David.Houck <David.Houck@sas.com>
---
 Dockerfile | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3a41d03..5d5918e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,23 +2,31 @@ ARG TERRAFORM_VERSION=1.9.6
 ARG AWS_CLI_VERSION=2.17.58
 FROM hashicorp/terraform:$TERRAFORM_VERSION AS terraform
 
+FROM almalinux:minimal AS amin
+WORKDIR /app
+USER root
+ARG KUBECTL_VERSION=1.30.6
+ARG KUBECTL_CHECKSUM=7a3adf80ca74b1b2afdfc7f4570f0005ca03c2812367ffb6ee2f731d66e45e61
+RUN set -eux \
+  && curl -fSLO https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \
+  && chmod 755 ./kubectl \
+  && sha256sum --check --strict <(echo ${KUBECTL_CHECKSUM}  kubectl)
+
 FROM amazon/aws-cli:$AWS_CLI_VERSION
-ARG KUBECTL_VERSION=1.29.8
 
 WORKDIR /viya4-iac-aws
 
+COPY --from=amin /app/kubectl /usr/local/bin/kubectl
 COPY --from=terraform /bin/terraform /bin/terraform
 COPY . .
 
 RUN yum -y install git openssh jq which \
   && yum -y update openssl-libs glib2 vim-minimal vim-data curl \
   && yum clean all && rm -rf /var/cache/yum \
-  && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
-  && chmod 755 ./kubectl /viya4-iac-aws/docker-entrypoint.sh \
-  && mv ./kubectl /usr/local/bin/kubectl \
-  && chmod g=u -R /etc/passwd /etc/group /viya4-iac-aws \
+  && chmod 755 /viya4-iac-aws/docker-entrypoint.sh \
   && git config --system --add safe.directory /viya4-iac-aws \
-  && terraform init
+  && terraform init \
+  && chmod g=u -R /etc/passwd /etc/group /viya4-iac-aws
 
 ENV TF_VAR_iac_tooling=docker
 ENTRYPOINT ["/viya4-iac-aws/docker-entrypoint.sh"]