HYPERFLEET-578 | feat: E2E testing Container Images to include Helm and Cloud CLI Tools

[yasun1]

update

Summary by CodeRabbit

• New Features

  • Containerized E2E testing image with default entrypoint/command and included test configs.
  • Platform image preloaded with kubectl, Helm and major cloud CLIs for in-container cloud workflows; non-root user for safer runtime.

• Chores

  • Streamlined multi-stage build and runtime setup for smaller, more efficient images and clearer runtime tool dependencies.

[coderabbitai]

Walkthrough

Adds and updates multi-stage Docker image definitions for the HyperFleet E2E tooling. images/Dockerfile introduces a Go build stage that compiles the hyperfleet-e2e binary and a UBI-based runtime stage that installs runtime tools (jq, gettext, curl), kubectl, and Helm, copies binaries, testdata, and configs, and sets ENTRYPOINT/CMD and image labels. images/Dockerfile.platform creates a platform image that installs cloud CLIs (gcloud, aws), kubectl, Helm, yq, creates a non-root clouduser (UID 1000), and configures /workspace as the working directory.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• HYPERFLEET-488 | test: Update the dockerfile to meet Prow job usage #14: Modifies the same Dockerfile areas (kubectl/helm installation, binary handling, entrypoint/metadata) and may conflict with these changes.

Suggested labels

lgtm, approved

Suggested reviewers

• AlexVulaj
• tzhou5
• crizzo71

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: adding E2E testing container images with Helm and Cloud CLI tools.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@Dockerfile`:
- Around line 29-38: The Dockerfile currently installs kubectl and Helm without
version pinning or checksum verification; update the kubectl and Helm install
steps to pin explicit release versions and verify integrity before installing:
for kubectl, fetch the stable release tag into a KUBECTL_VERSION variable,
download the corresponding kubectl binary and its .sha256 checksum from the same
release, verify the checksum with sha256sum, then install the binary (reference:
kubectl binary download step). For Helm, avoid piping the installer from the
main branch — either download a specific release artifact and its
checksum/signature and verify them before extracting, or download the install
script to a file, set DESIRED_VERSION to a fixed vX.Y.Z, enable
VERIFY_CHECKSUM=true (and VERIFY_SIGNATURES=true if available), inspect the
script, then run it; update the RUN lines that currently call curl ... kubectl
and curl ... get-helm-3 accordingly.

In `@images/Dockerfile`:
- Around line 33-38: Pin kubectl and Helm versions, install openssl before
running the Helm installer, and add checksum verification for the kubectl
binary: ensure the runtime install RUN (the line that installs jq/gettext/curl)
includes openssl, replace the kubectl download RUN (the curl to
dl.k8s.io/release/.../kubectl) with a pinned KUBECTL_VERSION and fetch the
matching kubectl.sha256 then verify it with sha256sum -c before chmod +x, and
run the Helm installer using a DESIRED_VERSION variable (or download get-helm-3
and execute it) so the installer can perform its checksum verification using
openssl.

In `@images/Dockerfile.platform`:
- Around line 35-51: The Dockerfile currently downloads AWS CLI, kubectl, Helm,
and yq without pinned versions or integrity checks (see the RUN that downloads
awscliv2.zip, the RUN that fetches kubectl via stable.txt, the RUN piping
get-helm-3 | bash, and the RUN downloading yq_linux_amd64); update each step to
pin a specific release, fetch the corresponding checksum or signature artifact
(e.g., awscliv2.zip.sig or a published sha256 file for kubectl/yq) and verify it
(PGP verify for AWS CLI or sha256sum -c for kubectl/yq) before installing, and
stop piping remote scripts directly—download a specific get-helm-3 release
script, verify it, and execute it locally or use a packaged release instead.

🧹 Nitpick comments (2)

images/Dockerfile (1)

29-41: Consider dropping privileges in the runtime image.

The runtime stage installs tools as root but never switches to a non-root user. Given this is a test image, that may be acceptable, but using a non-root user reduces blast radius.

♻️ Suggested non-root pattern

+RUN useradd -r -u 1000 -g 0 -m -d /home/e2euser -s /bin/bash e2euser \
+    && mkdir -p /e2e \
+    && chown -R 1000:0 /e2e /home/e2euser \
+    && chmod -R g=u /e2e /home/e2euser
+USER 1000
 WORKDIR /e2e

images/Dockerfile.platform (1)

5-5: Pin the UBI 9 base image by digest or version tag instead of :latest.

Floating tags harm reproducibility and complicate supply-chain scanning. Red Hat UBI 9 best practices recommend one of two approaches:

• Immutable digest (strongest reproducibility): FROM registry.access.redhat.com/ubi9/ubi@sha256:<digest> — retrieve via skopeo inspect docker://registry.access.redhat.com/ubi9/ubi:<tag> — requires intentional updates for security patches.
• Major/minor version tag (allows security patches): FROM registry.access.redhat.com/ubi9/ubi:9.x — permits patch updates while maintaining compatibility.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

kubectl official installation RHEL checksum verification binary

💡 Result:

Official kubectl (binary) install on RHEL + checksum verification

# 1) Download latest stable kubectl (amd64 example)
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

# 2) Download the matching SHA256 checksum
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

# 3) Verify checksum
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check

# 4) Install
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# 5) Test
kubectl version --client

This is the Kubernetes project’s official install flow for Linux (works on RHEL) and includes the official checksum verification step. [1]

(Optional, stronger) Verify the kubectl binary signature (cosign keyless)

Kubernetes also publishes keyless cosign signatures for standalone binaries; download kubectl, kubectl.sig, kubectl.cert for a specific version/arch and verify with cosign verify-blob. [2]

Sources: Kubernetes docs on installing kubectl on Linux and validating SHA256 checksums [1]; Kubernetes docs on verifying signed release artifacts with cosign [2].

---

🌐 Web query:

Helm official installation script checksum RHEL UBI best practices

💡 Result:

What Helm publishes (and what it doesn’t)

• Helm’s official docs acknowledge the convenience script (scripts/get-helm-3) and explicitly warn that piping it to bash is “live on the edge.” [1]
• There is no official, stable “checksum file” published for the installer script itself (it’s fetched from a moving Git branch like main). Treat it like source code you must pin/review.

Best-practice approaches (RHEL / UBI-friendly)

1) Prefer release artifacts + checksum (and optionally signatures) over the script

1. Pick an explicit Helm version (don’t use “latest” in production).
2. Download the release tarball and its .sha256.
3. Verify the tarball checksum with sha256sum (or openssl dgst -sha256).
4. (Stronger) Verify the GPG signature for the release assets—Helm release pages state releases have attached signatures and should be verified with gpg. [3]

This avoids trusting a mutable install script URL and aligns with typical supply-chain controls.

2) If you must use get-helm-3, pin it and verify more than “it ran”

The script supports:

• VERIFY_CHECKSUM=true by default (verifies the downloaded tarball checksum),
• optional VERIFY_SIGNATURES=true (requires gpg), and
• DESIRED_VERSION so you can avoid “latest”. [2]

Best practice when using it:

• Download the script to a file (don’t pipe to bash) so you can review it. [1]
• Pin the script to a specific commit (or vendor it into your repo) and verify that pinned content with your own recorded SHA256 (internal control).
• Set DESIRED_VERSION=vX.Y.Z and consider VERIFY_SIGNATURES=true. [2]

3) RHEL UBI container specifics

• On UBI minimal, use microdnf (not full dnf) to add dependencies. [4]
• Ensure required tools exist in the image before running Helm install steps (common ones: curl, tar, gzip, openssl; plus gnupg2 if doing signatures). The Helm script will fail if tar is missing. [2]

Pattern (Containerfile idea):

• Install only what you need with microdnf, disable weak deps, then clean caches to keep the image small. [4]

Sources: [1] Helm install docs (script warning). [2] get-helm-3 script behavior/options (checksum/signature/version env vars, required tools). [3] Helm GitHub releases guidance on using attached signatures with gpg. [4] Red Hat docs on using microdnf in UBI minimal and disabling weak deps.

---

🌐 Web query:

Kubernetes kubectl binary SHA256 checksum verification official

💡 Result:

Official Kubernetes instructions to verify a kubectl download are:

# Linux example (amd64) — download kubectl + matching SHA256 file
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

# Verify the binary against the downloaded checksum
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
# Expected: kubectl: OK

Download the same version of the binary and the .sha256 file. [1]

If you want to verify the Sigstore signature (in addition to SHA256), Kubernetes also publishes kubectl.sig and kubectl.cert, which you can verify with cosign verify-blob. [2]

Sources: [1] https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ [2] https://kubernetes.io/blog/2022/12/12/kubernetes-release-artifact-signing/

---

🌐 Web query:

Helm installation methods verified checksums release download

💡 Result:

Helm installation methods (official) + how to verify release downloads

1) Install from binary releases (manual download)

• Download the Helm tarball for your OS/arch from the Helm release artifacts, unpack it, and put helm on your PATH. (helm.sh)
• Verify checksum: download the matching *.sha256sum (or *.sha256) file for the tarball and verify locally, e.g.:

# in the directory containing both files
sha256sum -c helm-vX.Y.Z-OS-ARCH.tar.gz.sha256sum
# or, if your checksum file is a plain hex string:
echo "$(cat helm-vX.Y.Z-OS-ARCH.tar.gz.sha256sum)  helm-vX.Y.Z-OS-ARCH.tar.gz" | sha256sum -c -

(Exact checksum filename varies by release artifact.) (github.com)

• Verify GPG signatures (when provided): Helm GitHub releases include *.asc signature assets and indicate releases are signed; verify with gpg --verify <file>.asc <file>. (github.com)

2) Install via the official install script (get-helm-3)

• Fetch and run:

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

(helm.sh)

• The script verifies SHA256 checksums by default (VERIFY_CHECKSUM=true). (gist.github.com)
• It can also verify signatures if enabled (VERIFY_SIGNATURES=true), using the project KEYS file plus the release .asc assets. (gist.github.com)

3) Install via package managers

Helm docs list common package-manager installs (Homebrew/apt/dnf/snap/winget, etc.). This is convenient, but verification behavior depends on the package ecosystem rather than Helm release artifacts directly. (helm.sh)

Citations:

• 1: https://helm.sh/docs/v3/intro/install?utm_source=openai
• 2: https://github.com/helm/helm/releases?utm_source=openai
• 3: https://github.com/helm/helm/releases?utm_source=openai
• 4: https://helm.sh/docs/v3/intro/install?utm_source=openai
• 5: https://gist.github.com/dims/d1f1484e1dbdf13f0d1511917ef9b177?utm_source=openai
• 6: https://gist.github.com/dims/d1f1484e1dbdf13f0d1511917ef9b177?utm_source=openai
• 7: https://helm.sh/docs/v3/intro/install?utm_source=openai

---

Pin versions and add checksum verification for kubectl/Helm.

Lines 29–38 install tools without version pinning or integrity checks, creating supply-chain risks. Kubernetes officially publishes SHA256 checksums for kubectl releases; Helm's installer script (from main branch) is explicitly flagged in official docs as unsafe without version pinning and signature verification.

For kubectl: Download and verify the SHA256 checksum alongside the binary from the same versioned release URL:

KUBECTL_VERSION=$(curl -Ls https://dl.k8s.io/release/stable.txt)
curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
chmod +x kubectl && mv kubectl /usr/local/bin/

For Helm: Either (1) download release artifacts with checksum verification, or (2) if using the install script, pin a specific version with DESIRED_VERSION=vX.Y.Z, download the script to a file (don't pipe to bash), review it, and enable VERIFY_CHECKSUM=true and optionally VERIFY_SIGNATURES=true.

🤖 Prompt for AI Agents

In `@Dockerfile` around lines 29 - 38, The Dockerfile currently installs kubectl
and Helm without version pinning or checksum verification; update the kubectl
and Helm install steps to pin explicit release versions and verify integrity
before installing: for kubectl, fetch the stable release tag into a
KUBECTL_VERSION variable, download the corresponding kubectl binary and its
.sha256 checksum from the same release, verify the checksum with sha256sum, then
install the binary (reference: kubectl binary download step). For Helm, avoid
piping the installer from the main branch — either download a specific release
artifact and its checksum/signature and verify them before extracting, or
download the install script to a file, set DESIRED_VERSION to a fixed vX.Y.Z,
enable VERIFY_CHECKSUM=true (and VERIFY_SIGNATURES=true if available), inspect
the script, then run it; update the RUN lines that currently call curl ...
kubectl and curl ... get-helm-3 accordingly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "Dockerfile" -type f

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 111

---

🏁 Script executed:

cat -n images/Dockerfile | head -50

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 1995

---

🌐 Web query:

official kubectl installation methods with checksum verification

💡 Result:

Official kubectl install methods that include checksum verification (Kubernetes docs)

1) Install the official binary from dl.k8s.io + verify SHA-256

Linux (amd64 example): download kubectl and its .sha256, then verify with sha256sum --check. [1]
macOS (Intel/Apple Silicon): same flow, but verification uses shasum -a 256 --check. [2]
Windows: download kubectl.exe.sha256 and verify with CertUtil (manual compare) or PowerShell (Get-FileHash compared to checksum file). [3]

2) (Stronger than checksum) Verify the release signature with Sigstore/cosign (official Kubernetes artifacts)

Kubernetes also publishes keyless cosign signatures for release artifacts (including standalone binaries). Download the binary plus its .sig and .cert, then run cosign verify-blob ... with the documented identity/issuer flags. [4]

Sources:
[1] Kubernetes docs – Install and Set Up kubectl on Linux (checksum validation) (kubernetes.io)
[2] Kubernetes docs – Install and Set Up kubectl on macOS (checksum validation) (kubernetes.io)
[3] Kubernetes docs – Install and Set Up kubectl on Windows (checksum validation) (kubernetes.io)
[4] Kubernetes docs – Verify Signed Kubernetes Artifacts (cosign verification) (kubernetes.io)

Citations:

• 1: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
• 2: https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/
• 3: https://kubernetes.io/docs/tasks/tools/install-kubectl-windows
• 4: https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts

---

🌐 Web query:

official Helm installation methods with checksum verification RHEL UBI

💡 Result:

Official Helm CLI installation methods (with checksum verification) for RHEL / UBI

1) Official installer script (get-helm-3) — checksum verification on by default

Helm’s docs list the script as an official install method. Download it, review it, and run it. [1]
The script defaults VERIFY_CHECKSUM=true and requires openssl to verify checksums. [2]

# UBI/RHEL: install prerequisites (adjust if you already have them)
microdnf install -y curl tar gzip openssl   # UBI
# dnf install -y curl tar gzip openssl      # RHEL

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Optional controls (environment variables supported by the script): [2]

# Install a specific version
DESIRED_VERSION=v4.0.0 ./get_helm.sh

# (Not recommended) disable checksum verification
VERIFY_CHECKSUM=false ./get_helm.sh

---

2) Official pre-built binary release — verify using the published SHA-256 checksum file

Helm’s docs list “Binary Releases” as an official method. [1]
Helm releases publish per-archive checksum files (e.g., ...tar.gz.sha256sum). [3]

VER=v4.0.0
OS=linux
ARCH=amd64

curl -fSLO "https://get.helm.sh/helm-${VER}-${OS}-${ARCH}.tar.gz"
curl -fSLO "https://get.helm.sh/helm-${VER}-${OS}-${ARCH}.tar.gz.sha256sum"

# Verify checksum (either sha256sum or openssl is fine)
sha256sum -c "helm-${VER}-${OS}-${ARCH}.tar.gz.sha256sum"
# OR:
openssl dgst -sha256 "helm-${VER}-${OS}-${ARCH}.tar.gz"

tar -zxvf "helm-${VER}-${OS}-${ARCH}.tar.gz"
install -m 0755 "${OS}-${ARCH}/helm" /usr/local/bin/helm
helm version

---

Note on dnf/yum install helm

Helm’s docs describe package-manager installs as community/third-party methods (not the official Helm release channel). [1]

Sources: [1] [2] [3]

---

Add checksum verification for kubectl and install openssl for Helm's script verification.

Lines 34-35 download kubectl without verifying the binary checksum, increasing supply-chain risk. Lines 38 and 31: the Helm install script (get-helm-3) verifies checksums by default but requires openssl, which is not installed on line 31—this causes verification to fail silently. Pin both kubectl and Helm versions, and add checksum verification for kubectl:

Example fix

# Install runtime dependencies
RUN dnf -y install jq gettext curl openssl && dnf clean all

# Install kubectl (pinned version with checksum verification)
RUN KUBECTL_VERSION="v1.32.0" && \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
    -o /usr/local/bin/kubectl && \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
    -o /tmp/kubectl.sha256 && \
    echo "$(cat /tmp/kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c - && \
    chmod +x /usr/local/bin/kubectl && rm /tmp/kubectl.sha256

# Install Helm (pinned version with checksum verification)
RUN DESIRED_VERSION="v4.14.1" bash -c 'curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && chmod 700 get_helm.sh && ./get_helm.sh && rm get_helm.sh'

🤖 Prompt for AI Agents

In `@images/Dockerfile` around lines 33 - 38, Pin kubectl and Helm versions,
install openssl before running the Helm installer, and add checksum verification
for the kubectl binary: ensure the runtime install RUN (the line that installs
jq/gettext/curl) includes openssl, replace the kubectl download RUN (the curl to
dl.k8s.io/release/.../kubectl) with a pinned KUBECTL_VERSION and fetch the
matching kubectl.sha256 then verify it with sha256sum -c before chmod +x, and
run the Helm installer using a DESIRED_VERSION variable (or download get-helm-3
and execute it) so the installer can perform its checksum verification using
openssl.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "Dockerfile.platform" -o -name "Dockerfile*" | head -20

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 140

---

🏁 Script executed:

cat images/Dockerfile.platform 2>/dev/null | head -100

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 1943

---

🌐 Web query:

official AWS CLI v2 installation method UBI RHEL checksum verification

💡 Result:

Official AWS CLI v2 install on RHEL / UBI (Linux) with integrity verification (AWS-supported)

AWS’s official verification method for the Linux ZIP installer is PGP signature verification (.sig) with GnuPG (not a published SHA256 checksum list). (docs.aws.amazon.com)

1) Install prerequisites (RHEL/UBI)

Install tools you’ll need: curl, unzip, and gpg (package names may vary slightly by image/repo). (docs.aws.amazon.com)

2) Download the installer ZIP

x86_64:

curl -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"

(docs.aws.amazon.com)

aarch64 (ARM64):

curl -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"

(aws.amazon.com)

3) Create/import the AWS CLI Team PGP public key

AWS’s install guide provides the AWS CLI Team public key block plus fingerprint/Key ID—paste it into a file (example: aws-cli.pub) and import it:

gpg --import aws-cli.pub

(Key ID A6310ACC4672475C; fingerprint FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C) (docs.aws.amazon.com)

4) Download the matching .sig and verify

x86_64 signature example URL (same pattern for aarch64):

curl -o awscliv2.sig "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig"
gpg --verify awscliv2.sig awscliv2.zip

A successful verification shows “Good signature from ‘AWS CLI Team aws-cli@amazon.com’” (the “not certified with a trusted signature” warning is expected). (docs.aws.amazon.com)

5) Install

unzip awscliv2.zip
sudo ./aws/install

(docs.aws.amazon.com)

Citations:

• 1: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
• 2: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
• 3: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
• 4: https://aws.amazon.com/blogs/developer/aws-cli-v2-now-available-for-linux-arm/?utm_source=openai
• 5: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
• 6: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
• 7: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

---

🌐 Web query:

kubectl official installation checksum verification Linux

💡 Result:

To verify the official kubectl Linux download with the published SHA-256 checksum, use the Kubernetes docs’ steps:

# Download kubectl (example: latest stable, linux/amd64)
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

# Download the matching checksum file
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

# Verify
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check

If it’s valid, you’ll see kubectl: OK. If not, it will report FAILED and exit non-zero. Make sure the binary and .sha256 are for the same version/arch. [1]

Source: Kubernetes “Install and Set Up kubectl on Linux” docs. [1]

[1] https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/

---

🌐 Web query:

Helm official installation method checksum verification

💡 Result:

Helm’s official installer script (scripts/get-helm-3) verifies checksums by default:

• VERIFY_CHECKSUM defaults to true. The script downloads the release tarball from get.helm.sh and its matching *.sha256 file, then computes SHA-256 locally (via openssl) and compares them; it aborts on mismatch. You can disable this only by setting VERIFY_CHECKSUM=false. [1]
• (Optional) You can also enable GPG signature verification by setting VERIFY_SIGNATURES=true; the script then downloads the Helm maintainers’ KEYS plus the release *.asc signature files from the GitHub release and verifies them with gpg (Linux-only in the script). [1]

The script itself is an official installation method documented on helm.sh (“From Script”). [2]

Manual equivalent (binary release install):

1. Download the tarball and the matching .sha256 file.
2. Verify locally, e.g. sha256sum -c helm-vX.Y.Z-OS-ARCH.tar.gz.sha256 (or openssl ...), then install. [2][1]

Sources
[1] Helm installer script (get-helm-3) showing VERIFY_CHECKSUM default, .sha256 download, checksum compare, and optional signature verification: (raw.githubusercontent.com)
[2] Helm official install docs (“From Script”, “From the Binary Releases”): (helm.sh)

Citations:

• 1: https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
• 2: https://helm.sh/docs/v3/intro/install

---

🌐 Web query:

yq official installation method checksum verification

💡 Result:

Official install (binary) + checksum verification for yq (mikefarah/yq):

1. Download the official release binary (pick a tag/version + platform) from GitHub Releases (example shown in the project README). [1]
2. Download the matching checksums file from the same release (each release publishes checksum assets like checksums). [2]
3. Verify the checksum locally (Linux example):

VERSION="vX.Y.Z"
ASSET="yq_linux_amd64"

curl -LO "https://github.com/mikefarah/yq/releases/download/${VERSION}/${ASSET}"
curl -LO "https://github.com/mikefarah/yq/releases/download/${VERSION}/checksums"

# verify only the asset you downloaded
grep " ${ASSET}\$" checksums | sha256sum -c -

Alternative (GitHub’s official verification): if you use the GitHub CLI, you can verify a local artifact matches the release asset with gh release verify-asset. [3]

Sources: yq README install instructions [1], yq GitHub Releases (checksum assets) [2], GitHub Docs (release asset verification) [3].

---

Pin versions and implement integrity verification for downloaded CLIs.

Lines 35-51 install AWS CLI, kubectl, Helm, and yq without version pinning or integrity checks, creating supply-chain risk and potential build instability.

• AWS CLI v2 (line 35): Download lacks PGP signature verification. Official method requires downloading the .sig file and verifying with the AWS CLI Team public key.
• kubectl (line 40): Downloads from a "latest stable" URL without checksum verification. Official method requires downloading the matching kubectl.sha256 file and validating with sha256sum -c.
• Helm (line 44): The get-helm-3 script itself includes checksum verification by default, but piping directly from the main branch of GitHub introduces a script injection risk. Pin a specific release version of the script or use a package manager.
• yq (line 47): Downloads from the "latest" release without checksum verification. Official releases publish checksums; validate against them before installation.

Use pinned versions and official verification methods (checksum files or PGP signatures) for all four tools.

Example pattern (kubectl)

+ARG KUBECTL_VERSION=v1.30.6
+ARG KUBECTL_SHA256=<insert-sha256-from-dl.k8s.io>
-RUN curl -fsSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
-    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
+RUN curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
+    && curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
+    && echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c - \
+    && chmod +x kubectl && mv kubectl /usr/local/bin/

🤖 Prompt for AI Agents

In `@images/Dockerfile.platform` around lines 35 - 51, The Dockerfile currently
downloads AWS CLI, kubectl, Helm, and yq without pinned versions or integrity
checks (see the RUN that downloads awscliv2.zip, the RUN that fetches kubectl
via stable.txt, the RUN piping get-helm-3 | bash, and the RUN downloading
yq_linux_amd64); update each step to pin a specific release, fetch the
corresponding checksum or signature artifact (e.g., awscliv2.zip.sig or a
published sha256 file for kubectl/yq) and verify it (PGP verify for AWS CLI or
sha256sum -c for kubectl/yq) before installing, and stop piping remote scripts
directly—download a specific get-helm-3 release script, verify it, and execute
it locally or use a packaged release instead.

[yingzhanredhat]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yingzhanredhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [yingzhanredhat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment