Skip to content

HYPERFLEET-578 | feat: E2E testing Container Images to include Helm and Cloud CLI Tools #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 1 commit into from
Feb 5, 2026
Merged

HYPERFLEET-578 | feat: E2E testing Container Images to include Helm and Cloud CLI Tools #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 12 additions & 10 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,7 @@ FROM golang:1.25 AS builder
WORKDIR /build

# Install build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends make curl && rm -rf /var/lib/apt/lists/*

# Download kubectl (stable version)
RUN mkdir -p /build/bin && \
curl -fsSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
-o /build/bin/kubectl
RUN apt-get update && apt-get install -y --no-install-recommends make && rm -rf /var/lib/apt/lists/*

# Copy source code
COPY . .
Expand All @@ -26,19 +21,26 @@ COPY . .
ARG GIT_COMMIT=unknown
RUN make build GIT_COMMIT=${GIT_COMMIT}

RUN chmod +x /build/bin/*
RUN chmod +x /build/bin/hyperfleet-e2e

# Runtime stage
FROM ${BASE_IMAGE}

# Install runtime dependencies
# Install runtime dependencies and tools
USER root
RUN dnf -y install jq gettext && dnf clean all
RUN dnf -y install --allowerasing jq gettext curl && dnf clean all

# Install kubectl (latest stable)
RUN curl -fsSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
-o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl

# Install Helm
RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Comment on lines 29 to 38
Copy link

@coderabbitai coderabbitai bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

kubectl official installation RHEL checksum verification binary

💡 Result:

Official kubectl (binary) install on RHEL + checksum verification

# 1) Download latest stable kubectl (amd64 example)
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

# 2) Download the matching SHA256 checksum
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

# 3) Verify checksum
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check

# 4) Install
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# 5) Test
kubectl version --client

This is the Kubernetes project’s official install flow for Linux (works on RHEL) and includes the official checksum verification step. [1]

(Optional, stronger) Verify the kubectl binary signature (cosign keyless)

Kubernetes also publishes keyless cosign signatures for standalone binaries; download kubectl, kubectl.sig, kubectl.cert for a specific version/arch and verify with cosign verify-blob. [2]

Sources: Kubernetes docs on installing kubectl on Linux and validating SHA256 checksums [1]; Kubernetes docs on verifying signed release artifacts with cosign [2].

🌐 Web query:

Helm official installation script checksum RHEL UBI best practices

💡 Result:

What Helm publishes (and what it doesn’t)

  • Helm’s official docs acknowledge the convenience script (scripts/get-helm-3) and explicitly warn that piping it to bash is “live on the edge.” [1]
  • There is no official, stable “checksum file” published for the installer script itself (it’s fetched from a moving Git branch like main). Treat it like source code you must pin/review.

Best-practice approaches (RHEL / UBI-friendly)

1) Prefer release artifacts + checksum (and optionally signatures) over the script

  1. Pick an explicit Helm version (don’t use “latest” in production).
  2. Download the release tarball and its .sha256.
  3. Verify the tarball checksum with sha256sum (or openssl dgst -sha256).
  4. (Stronger) Verify the GPG signature for the release assets—Helm release pages state releases have attached signatures and should be verified with gpg. [3]

This avoids trusting a mutable install script URL and aligns with typical supply-chain controls.

2) If you must use get-helm-3, pin it and verify more than “it ran”

The script supports:

  • VERIFY_CHECKSUM=true by default (verifies the downloaded tarball checksum),
  • optional VERIFY_SIGNATURES=true (requires gpg), and
  • DESIRED_VERSION so you can avoid “latest”. [2]

Best practice when using it:

  • Download the script to a file (don’t pipe to bash) so you can review it. [1]
  • Pin the script to a specific commit (or vendor it into your repo) and verify that pinned content with your own recorded SHA256 (internal control).
  • Set DESIRED_VERSION=vX.Y.Z and consider VERIFY_SIGNATURES=true. [2]

3) RHEL UBI container specifics

  • On UBI minimal, use microdnf (not full dnf) to add dependencies. [4]
  • Ensure required tools exist in the image before running Helm install steps (common ones: curl, tar, gzip, openssl; plus gnupg2 if doing signatures). The Helm script will fail if tar is missing. [2]

Pattern (Containerfile idea):

  • Install only what you need with microdnf, disable weak deps, then clean caches to keep the image small. [4]

Sources: [1] Helm install docs (script warning). [2] get-helm-3 script behavior/options (checksum/signature/version env vars, required tools). [3] Helm GitHub releases guidance on using attached signatures with gpg. [4] Red Hat docs on using microdnf in UBI minimal and disabling weak deps.

🌐 Web query:

Kubernetes kubectl binary SHA256 checksum verification official

💡 Result:

Official Kubernetes instructions to verify a kubectl download are:

# Linux example (amd64) — download kubectl + matching SHA256 file
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

# Verify the binary against the downloaded checksum
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
# Expected: kubectl: OK

Download the same version of the binary and the .sha256 file. [1]

If you want to verify the Sigstore signature (in addition to SHA256), Kubernetes also publishes kubectl.sig and kubectl.cert, which you can verify with cosign verify-blob. [2]

Sources: [1] https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ [2] https://kubernetes.io/blog/2022/12/12/kubernetes-release-artifact-signing/

🌐 Web query:

Helm installation methods verified checksums release download

💡 Result:

Helm installation methods (official) + how to verify release downloads

1) Install from binary releases (manual download)

  • Download the Helm tarball for your OS/arch from the Helm release artifacts, unpack it, and put helm on your PATH. (helm.sh)
  • Verify checksum: download the matching *.sha256sum (or *.sha256) file for the tarball and verify locally, e.g.:
# in the directory containing both files
sha256sum -c helm-vX.Y.Z-OS-ARCH.tar.gz.sha256sum
# or, if your checksum file is a plain hex string:
echo "$(cat helm-vX.Y.Z-OS-ARCH.tar.gz.sha256sum)  helm-vX.Y.Z-OS-ARCH.tar.gz" | sha256sum -c -

(Exact checksum filename varies by release artifact.) (github.com)

  • Verify GPG signatures (when provided): Helm GitHub releases include *.asc signature assets and indicate releases are signed; verify with gpg --verify <file>.asc <file>. (github.com)

2) Install via the official install script (get-helm-3)

  • Fetch and run:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

(helm.sh)

  • The script verifies SHA256 checksums by default (VERIFY_CHECKSUM=true). (gist.github.com)
  • It can also verify signatures if enabled (VERIFY_SIGNATURES=true), using the project KEYS file plus the release .asc assets. (gist.github.com)

3) Install via package managers

Helm docs list common package-manager installs (Homebrew/apt/dnf/snap/winget, etc.). This is convenient, but verification behavior depends on the package ecosystem rather than Helm release artifacts directly. (helm.sh)

Citations:

Pin versions and add checksum verification for kubectl/Helm.

Lines 29–38 install tools without version pinning or integrity checks, creating supply-chain risks. Kubernetes officially publishes SHA256 checksums for kubectl releases; Helm's installer script (from main branch) is explicitly flagged in official docs as unsafe without version pinning and signature verification.

For kubectl: Download and verify the SHA256 checksum alongside the binary from the same versioned release URL:

KUBECTL_VERSION=$(curl -Ls https://dl.k8s.io/release/stable.txt)
curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
chmod +x kubectl && mv kubectl /usr/local/bin/

For Helm: Either (1) download release artifacts with checksum verification, or (2) if using the install script, pin a specific version with DESIRED_VERSION=vX.Y.Z, download the script to a file (don't pipe to bash), review it, and enable VERIFY_CHECKSUM=true and optionally VERIFY_SIGNATURES=true.

🤖 Prompt for AI Agents 
In `@Dockerfile` around lines 29 - 38, The Dockerfile currently installs kubectl
and Helm without version pinning or checksum verification; update the kubectl
and Helm install steps to pin explicit release versions and verify integrity
before installing: for kubectl, fetch the stable release tag into a
KUBECTL_VERSION variable, download the corresponding kubectl binary and its
.sha256 checksum from the same release, verify the checksum with sha256sum, then
install the binary (reference: kubectl binary download step). For Helm, avoid
piping the installer from the main branch — either download a specific release
artifact and its checksum/signature and verify them before extracting, or
download the install script to a file, set DESIRED_VERSION to a fixed vX.Y.Z,
enable VERIFY_CHECKSUM=true (and VERIFY_SIGNATURES=true if available), inspect
the script, then run it; update the RUN lines that currently call curl ...
kubectl and curl ... get-helm-3 accordingly.


WORKDIR /e2e

# Copy binary from builder (make build outputs to bin/)
COPY --from=builder /build/bin/* /usr/local/bin/
COPY --from=builder /build/bin/hyperfleet-e2e /usr/local/bin/

# Copy test payloads and fixtures
COPY --from=builder /build/testdata /e2e/testdata
Expand Down
57 changes: 57 additions & 0 deletions images/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
# HyperFleet E2E Testing Framework
#
# Build: podman build -t quay.io/hyperfleet/hyperfleet-e2e:latest .
# Build with commit: podman build --build-arg GIT_COMMIT=$(git rev-parse HEAD) -t quay.io/hyperfleet/hyperfleet-e2e:latest .
# Run: podman run --rm -e HYPERFLEET_API_URL=<url> quay.io/hyperfleet/hyperfleet-e2e:latest test

ARG BASE_IMAGE=registry.access.redhat.com/ubi9/go-toolset

# Build stage
FROM golang:1.25 AS builder

WORKDIR /build

# Install build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends make && rm -rf /var/lib/apt/lists/*

# Copy source code
COPY . .

# Build binary using make to include commit and build date
ARG GIT_COMMIT=unknown
RUN make build GIT_COMMIT=${GIT_COMMIT}

RUN chmod +x /build/bin/hyperfleet-e2e

# Runtime stage
FROM ${BASE_IMAGE}

# Install runtime dependencies and tools
USER root
RUN dnf -y install jq gettext curl && dnf clean all

# Install kubectl (latest stable)
RUN curl -fsSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
-o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl

# Install Helm
RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Comment on lines +33 to +38
Copy link

@coderabbitai coderabbitai bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "Dockerfile" -type f

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 111

🏁 Script executed:

cat -n images/Dockerfile | head -50

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 1995

🌐 Web query:

official kubectl installation methods with checksum verification

💡 Result:

Official kubectl install methods that include checksum verification (Kubernetes docs)

1) Install the official binary from dl.k8s.io + verify SHA-256

Linux (amd64 example): download kubectl and its .sha256, then verify with sha256sum --check. [1]
macOS (Intel/Apple Silicon): same flow, but verification uses shasum -a 256 --check. [2]
Windows: download kubectl.exe.sha256 and verify with CertUtil (manual compare) or PowerShell (Get-FileHash compared to checksum file). [3]

2) (Stronger than checksum) Verify the release signature with Sigstore/cosign (official Kubernetes artifacts)

Kubernetes also publishes keyless cosign signatures for release artifacts (including standalone binaries). Download the binary plus its .sig and .cert, then run cosign verify-blob ... with the documented identity/issuer flags. [4]

Sources:
[1] Kubernetes docs – Install and Set Up kubectl on Linux (checksum validation) (kubernetes.io)
[2] Kubernetes docs – Install and Set Up kubectl on macOS (checksum validation) (kubernetes.io)
[3] Kubernetes docs – Install and Set Up kubectl on Windows (checksum validation) (kubernetes.io)
[4] Kubernetes docs – Verify Signed Kubernetes Artifacts (cosign verification) (kubernetes.io)

Citations:

🌐 Web query:

official Helm installation methods with checksum verification RHEL UBI

💡 Result:

Official Helm CLI installation methods (with checksum verification) for RHEL / UBI

1) Official installer script (get-helm-3) — checksum verification on by default

Helm’s docs list the script as an official install method. Download it, review it, and run it. [1]
The script defaults VERIFY_CHECKSUM=true and requires openssl to verify checksums. [2]

# UBI/RHEL: install prerequisites (adjust if you already have them)
microdnf install -y curl tar gzip openssl   # UBI
# dnf install -y curl tar gzip openssl      # RHEL

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Optional controls (environment variables supported by the script): [2]

# Install a specific version
DESIRED_VERSION=v4.0.0 ./get_helm.sh

# (Not recommended) disable checksum verification
VERIFY_CHECKSUM=false ./get_helm.sh

2) Official pre-built binary release — verify using the published SHA-256 checksum file

Helm’s docs list “Binary Releases” as an official method. [1]
Helm releases publish per-archive checksum files (e.g., ...tar.gz.sha256sum). [3]

VER=v4.0.0
OS=linux
ARCH=amd64

curl -fSLO "https://get.helm.sh/helm-${VER}-${OS}-${ARCH}.tar.gz"
curl -fSLO "https://get.helm.sh/helm-${VER}-${OS}-${ARCH}.tar.gz.sha256sum"

# Verify checksum (either sha256sum or openssl is fine)
sha256sum -c "helm-${VER}-${OS}-${ARCH}.tar.gz.sha256sum"
# OR:
openssl dgst -sha256 "helm-${VER}-${OS}-${ARCH}.tar.gz"

tar -zxvf "helm-${VER}-${OS}-${ARCH}.tar.gz"
install -m 0755 "${OS}-${ARCH}/helm" /usr/local/bin/helm
helm version

Note on dnf/yum install helm

Helm’s docs describe package-manager installs as community/third-party methods (not the official Helm release channel). [1]

Sources: [1] [2] [3]

Add checksum verification for kubectl and install openssl for Helm's script verification.

Lines 34-35 download kubectl without verifying the binary checksum, increasing supply-chain risk. Lines 38 and 31: the Helm install script (get-helm-3) verifies checksums by default but requires openssl, which is not installed on line 31—this causes verification to fail silently. Pin both kubectl and Helm versions, and add checksum verification for kubectl:

Example fix 
# Install runtime dependencies
RUN dnf -y install jq gettext curl openssl && dnf clean all

# Install kubectl (pinned version with checksum verification)
RUN KUBECTL_VERSION="v1.32.0" && \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
    -o /usr/local/bin/kubectl && \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
    -o /tmp/kubectl.sha256 && \
    echo "$(cat /tmp/kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c - && \
    chmod +x /usr/local/bin/kubectl && rm /tmp/kubectl.sha256

# Install Helm (pinned version with checksum verification)
RUN DESIRED_VERSION="v4.14.1" bash -c 'curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && chmod 700 get_helm.sh && ./get_helm.sh && rm get_helm.sh'
🤖 Prompt for AI Agents 
In `@images/Dockerfile` around lines 33 - 38, Pin kubectl and Helm versions,
install openssl before running the Helm installer, and add checksum verification
for the kubectl binary: ensure the runtime install RUN (the line that installs
jq/gettext/curl) includes openssl, replace the kubectl download RUN (the curl to
dl.k8s.io/release/.../kubectl) with a pinned KUBECTL_VERSION and fetch the
matching kubectl.sha256 then verify it with sha256sum -c before chmod +x, and
run the Helm installer using a DESIRED_VERSION variable (or download get-helm-3
and execute it) so the installer can perform its checksum verification using
openssl.


WORKDIR /e2e

# Copy binary from builder (make build outputs to bin/)
COPY --from=builder /build/bin/hyperfleet-e2e /usr/local/bin/

# Copy test payloads and fixtures
COPY --from=builder /build/testdata /e2e/testdata

# Copy default config (fallback if ConfigMap is not mounted)
COPY --from=builder /build/configs /e2e/configs

ENTRYPOINT ["/usr/local/bin/hyperfleet-e2e"]
CMD ["test", "--help"]

LABEL name="hyperfleet-e2e" \
vendor="Red Hat" \
summary="HyperFleet E2E Testing Framework" \
description="End to end testing for HyperFleet cluster lifecycle management"
62 changes: 62 additions & 0 deletions images/Dockerfile.platform
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
# ==================================================
# Cloud Platform Tools Image
# Base: Red Hat Universal Base Image 9
# ==================================================
FROM registry.access.redhat.com/ubi9/ubi:latest

LABEL maintainer="HyperFleet E2E Team" \
description="Cloud platform tools for E2E testing (gcloud, aws, kubectl, helm, jq)"

# Install base tools
RUN dnf install -y --allowerasing \
curl \
tar \
unzip \
jq \
python3 \
&& dnf clean all

# Install gcloud CLI
RUN cat <<EOF > /etc/yum.repos.d/google-cloud-sdk.repo
[google-cloud-cli]
name=Google Cloud CLI
baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF

RUN dnf install -y \
google-cloud-cli \
google-cloud-cli-gke-gcloud-auth-plugin \
&& dnf clean all

# Install AWS CLI v2
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
&& unzip awscliv2.zip \
&& ./aws/install \
&& rm -rf aws awscliv2.zip

# Install kubectl (latest stable)
RUN curl -fsSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
-o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl

# Install Helm
RUN curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# Install yq
RUN curl -L "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64" \
-o /usr/local/bin/yq \
&& chmod +x /usr/local/bin/yq
Comment on lines +35 to +51
Copy link

@coderabbitai coderabbitai bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "Dockerfile.platform" -o -name "Dockerfile*" | head -20

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 140

🏁 Script executed:

cat images/Dockerfile.platform 2>/dev/null | head -100

Repository: openshift-hyperfleet/hyperfleet-e2e

Length of output: 1943

🌐 Web query:

official AWS CLI v2 installation method UBI RHEL checksum verification

💡 Result:

Official AWS CLI v2 install on RHEL / UBI (Linux) with integrity verification (AWS-supported)

AWS’s official verification method for the Linux ZIP installer is PGP signature verification (.sig) with GnuPG (not a published SHA256 checksum list). (docs.aws.amazon.com)

1) Install prerequisites (RHEL/UBI)

Install tools you’ll need: curl, unzip, and gpg (package names may vary slightly by image/repo). (docs.aws.amazon.com)

2) Download the installer ZIP

x86_64:

curl -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"

(docs.aws.amazon.com)

aarch64 (ARM64):

curl -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"

(aws.amazon.com)

3) Create/import the AWS CLI Team PGP public key

AWS’s install guide provides the AWS CLI Team public key block plus fingerprint/Key ID—paste it into a file (example: aws-cli.pub) and import it:

gpg --import aws-cli.pub

(Key ID A6310ACC4672475C; fingerprint FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C) (docs.aws.amazon.com)

4) Download the matching .sig and verify

x86_64 signature example URL (same pattern for aarch64):

curl -o awscliv2.sig "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig"
gpg --verify awscliv2.sig awscliv2.zip

A successful verification shows “Good signature from ‘AWS CLI Team aws-cli@amazon.com’” (the “not certified with a trusted signature” warning is expected). (docs.aws.amazon.com)

5) Install

unzip awscliv2.zip
sudo ./aws/install

(docs.aws.amazon.com)

Citations:

🌐 Web query:

kubectl official installation checksum verification Linux

💡 Result:

To verify the official kubectl Linux download with the published SHA-256 checksum, use the Kubernetes docs’ steps:

# Download kubectl (example: latest stable, linux/amd64)
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

# Download the matching checksum file
curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

# Verify
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check

If it’s valid, you’ll see kubectl: OK. If not, it will report FAILED and exit non-zero. Make sure the binary and .sha256 are for the same version/arch. [1]

Source: Kubernetes “Install and Set Up kubectl on Linux” docs. [1]

[1] https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/

🌐 Web query:

Helm official installation method checksum verification

💡 Result:

Helm’s official installer script (scripts/get-helm-3) verifies checksums by default:

  • VERIFY_CHECKSUM defaults to true. The script downloads the release tarball from get.helm.sh and its matching *.sha256 file, then computes SHA-256 locally (via openssl) and compares them; it aborts on mismatch. You can disable this only by setting VERIFY_CHECKSUM=false. [1]
  • (Optional) You can also enable GPG signature verification by setting VERIFY_SIGNATURES=true; the script then downloads the Helm maintainers’ KEYS plus the release *.asc signature files from the GitHub release and verifies them with gpg (Linux-only in the script). [1]

The script itself is an official installation method documented on helm.sh (“From Script”). [2]

Manual equivalent (binary release install):

  1. Download the tarball and the matching .sha256 file.
  2. Verify locally, e.g. sha256sum -c helm-vX.Y.Z-OS-ARCH.tar.gz.sha256 (or openssl ...), then install. [2][1]

Sources
[1] Helm installer script (get-helm-3) showing VERIFY_CHECKSUM default, .sha256 download, checksum compare, and optional signature verification: (raw.githubusercontent.com)
[2] Helm official install docs (“From Script”, “From the Binary Releases”): (helm.sh)

Citations:

🌐 Web query:

yq official installation method checksum verification

💡 Result:

Official install (binary) + checksum verification for yq (mikefarah/yq):

  1. Download the official release binary (pick a tag/version + platform) from GitHub Releases (example shown in the project README). [1]
  2. Download the matching checksums file from the same release (each release publishes checksum assets like checksums). [2]
  3. Verify the checksum locally (Linux example):
VERSION="vX.Y.Z"
ASSET="yq_linux_amd64"

curl -LO "https://github.com/mikefarah/yq/releases/download/${VERSION}/${ASSET}"
curl -LO "https://github.com/mikefarah/yq/releases/download/${VERSION}/checksums"

# verify only the asset you downloaded
grep " ${ASSET}\$" checksums | sha256sum -c -

Alternative (GitHub’s official verification): if you use the GitHub CLI, you can verify a local artifact matches the release asset with gh release verify-asset. [3]

Sources: yq README install instructions [1], yq GitHub Releases (checksum assets) [2], GitHub Docs (release asset verification) [3].

Pin versions and implement integrity verification for downloaded CLIs.

Lines 35-51 install AWS CLI, kubectl, Helm, and yq without version pinning or integrity checks, creating supply-chain risk and potential build instability.

  • AWS CLI v2 (line 35): Download lacks PGP signature verification. Official method requires downloading the .sig file and verifying with the AWS CLI Team public key.
  • kubectl (line 40): Downloads from a "latest stable" URL without checksum verification. Official method requires downloading the matching kubectl.sha256 file and validating with sha256sum -c.
  • Helm (line 44): The get-helm-3 script itself includes checksum verification by default, but piping directly from the main branch of GitHub introduces a script injection risk. Pin a specific release version of the script or use a package manager.
  • yq (line 47): Downloads from the "latest" release without checksum verification. Official releases publish checksums; validate against them before installation.

Use pinned versions and official verification methods (checksum files or PGP signatures) for all four tools.

Example pattern (kubectl) 
+ARG KUBECTL_VERSION=v1.30.6
+ARG KUBECTL_SHA256=<insert-sha256-from-dl.k8s.io>
-RUN curl -fsSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
-    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
+RUN curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
+    && curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
+    && echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c - \
+    && chmod +x kubectl && mv kubectl /usr/local/bin/
🤖 Prompt for AI Agents 
In `@images/Dockerfile.platform` around lines 35 - 51, The Dockerfile currently
downloads AWS CLI, kubectl, Helm, and yq without pinned versions or integrity
checks (see the RUN that downloads awscliv2.zip, the RUN that fetches kubectl
via stable.txt, the RUN piping get-helm-3 | bash, and the RUN downloading
yq_linux_amd64); update each step to pin a specific release, fetch the
corresponding checksum or signature artifact (e.g., awscliv2.zip.sig or a
published sha256 file for kubectl/yq) and verify it (PGP verify for AWS CLI or
sha256sum -c for kubectl/yq) before installing, and stop piping remote scripts
directly—download a specific get-helm-3 release script, verify it, and execute
it locally or use a packaged release instead.


# Create non-root user (OpenShift SCC compatible)
RUN useradd -r -u 1000 -g 0 -m -d /home/clouduser -s /bin/bash clouduser \
&& mkdir -p /workspace \
&& chown -R 1000:0 /workspace /home/clouduser \
&& chmod -R g=u /workspace /home/clouduser

USER 1000
WORKDIR /workspace

CMD ["/bin/bash"]