From 5a7236e76ffdc4738db2cf2079104665180d004e Mon Sep 17 00:00:00 2001
From: Sergiy Markin
Date: Thu, 24 Apr 2025 17:37:24 +0000
Subject: [PATCH] Libyaml install from apt
This PS is to install libyaml from apt instead of building it from source. Also we upgrade the Helm version to 3.17.3 because of CVE. In order to decrease the image size *-dev libs are installed only when needed to build/install Python packages.
Change-Id: I274cc6987b8c887a2ac46ac8c785fe19ed05de51
---
 .zuul.yaml | 4 +-
 bindep.txt | 1 +
 images/deckhand/Dockerfile.ubuntu_jammy | 55 +++++++++++++------------
 tools/helm_install.sh | 2 +-
 4 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/.zuul.yaml b/.zuul.yaml
index 92881cfb..16281fa3 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -154,7 +154,7 @@
 flannel_version: v0.25.4
 metallb_setup: false
 metallb_version: "0.13.12"
- helm_version: "v3.14.0"
+ helm_version: "v3.17.3"
 crictl_version: "v1.30.1"
 zuul_osh_relative_path: ../../openstack/openstack-helm
 zuul_osh_infra_relative_path: ../../openstack/openstack-helm
@@ -254,7 +254,7 @@
 parent: deckhand-base
 vars:
 site: airskiff
- HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.16.4-linux-amd64.tar.gz
+ HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz
 HTK_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad
 OSH_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad
 CLONE_DECKHAND: false
diff --git a/bindep.txt b/bindep.txt
index 30caf7cc..502ebc12 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -9,6 +9,7 @@ libkrb5-dev [platform:dpkg]
 libpq-dev [platform:dpkg]
 libsasl2-dev [platform:dpkg]
 libssl-dev [platform:dpkg]
+libyaml-dev [platform:dpkg]
 libre2-dev [platform:dpkg]
 postgresql [platform:dpkg]
 postgresql-contrib [platform:dpkg]
diff --git a/images/deckhand/Dockerfile.ubuntu_jammy b/images/deckhand/Dockerfile.ubuntu_jammy
index fb53d9ae..e5aa81a5 100644
--- a/images/deckhand/Dockerfile.ubuntu_jammy
+++ b/images/deckhand/Dockerfile.ubuntu_jammy
@@ -38,26 +38,15 @@ EXPOSE $PORT
 RUN set -x && \
 apt-get update && apt-get upgrade -y && \
 apt-get -y install \
- automake \
 ca-certificates \
 curl \
- g++ \
- gcc \
- git \
- libffi-dev \
- libpq-dev \
- libssl-dev \
- libtool \
- make \
 netbase \
 netcat \
 python3 \
 python3-dateutil \
 python3-dev \
- python3-pip \
 python3-setuptools \
 --no-install-recommends \
- && python3 -m pip install -U pip \
 && apt-get clean \
 && rm -rf \
 /var/lib/apt/lists/* \
@@ -67,21 +56,6 @@ RUN set -x && \
 /usr/share/doc \
 /usr/share/doc-base
-# Install LibYAML
-ENV LD_LIBRARY_PATH=/usr/local/lib
-
-ARG LIBYAML_VERSION=0.2.5
-RUN set -ex \
- && git clone https://github.com/yaml/libyaml.git \
- && cd libyaml \
- && git checkout $LIBYAML_VERSION \
- && ./bootstrap \
- && ./configure \
- && make \
- && make install \
- && cd .. \
- && rm -fr libyaml
-
 # Create deckhand user
 RUN useradd -ms /bin/bash deckhand
@@ -94,7 +68,34 @@ RUN chown -R deckhand: /home/deckhand \
 # Set work directory and install dependencies
 WORKDIR /home/deckhand
-RUN pip3 install --no-cache-dir -r requirements-frozen.txt
+
+RUN set -ex \
+ && buildDeps=' \
+ automake \
+ gcc \
+ libffi-dev \
+ libpq-dev \
+ libssl-dev \
+ libtool \
+ libyaml-dev \
+ make \
+ python3-pip \
+ ' \
+ && apt-get -qq update \
+ # Keep git separate so it's not removed below
+ && apt-get install -y $buildDeps git --no-install-recommends \
+ && python3 -m pip install -U pip \
+ && pip3 install -r requirements-frozen.txt --no-cache-dir \
+ && apt-get purge -y --auto-remove $buildDeps \
+ && apt-get autoremove -yqq --purge \
+ && apt-get clean \
+ && rm -rf \
+ /var/lib/apt/lists/* \
+ /tmp/* \
+ /var/tmp/* \
+ /usr/share/man \
+ /usr/share/doc \
+ /usr/share/doc-base
 # Setting deckhand version for BPR
 ENV PBR_VERSION 1.1
diff --git a/tools/helm_install.sh b/tools/helm_install.sh
index 1cebfa21..491889b9 100755
--- a/tools/helm_install.sh
+++ b/tools/helm_install.sh
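Review bot: `python3-dev` stays in the package list of this first `RUN` and nothing later purges it, so the Python headers and their dependencies remain in the final image. That is at odds with the commit message's aim of installing *-dev packages only while Python packages are being built. If nothing needs the headers at runtime (not visible from this hunk), drop it here and add `python3-dev \` to `buildDeps` in the later `RUN`. The `RUN` statement continues past the end of this hunk.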
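Review bot: `apt-get purge -y --auto-remove $buildDeps` in the new `RUN` (hunk `@@ -94,7 +68,34 @@`) removes not only the -dev packages but also the runtime shared libraries apt pulled in as their automatic dependencies, unless another installed package still depends on them. If any package in requirements-frozen.txt compiles an extension that links dynamically against libyaml or libpq (the file is not shown here, so this needs checking), that extension loses its shared library after the purge and would fail or fall back at import time. Installing the runtime libraries explicitly keeps them marked as manually installed, e.g. `&& apt-get install -y $buildDeps git libyaml-0-2 libpq5 --no-install-recommends \`. Importing the affected modules in the same `RUN` after the purge would catch a missing library at build time rather than in a running container.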
@@ -17,7 +17,7 @@ set -x HELM=$1 -HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz"} +HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz"} function install_helm_binary {