kolla/docker/helm-repository/Dockerfile.j2
Martin André 27bab79096 Download binaries more securely
Obtain binaries from an encrypted (HTTPS) source when we're unable to verify
their signatures. This should provide better security than downloading
the files over HTTP, but it does not replace signature verification or a file
integrity check.

Related-Bug: #1791674
Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd
2018-09-10 19:19:16 +02:00


# Image that serves a local Helm chart repository with helm serve, built on the project's base image.
FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% block helm_repository_version %}
# helm_version selects the release tarball downloaded further down in this file.
# helm_address and helm_port are handed to helm serve by CMD. 0.0.0.0 listens on
# every interface and CMD passes no TLS or authentication options, so limit who
# can reach the port at the network layer or override the address.
ENV helm_version=2.3.0 \
helm_port=8879 \
helm_address=0.0.0.0
{% endblock %}
{% block helm_repository_header %}{% endblock %}
# NOTE(review): os_client_config is assigned here (and again for Debian below) but
# is not referenced anywhere in the visible template; presumably an override block
# consumes it. Confirm before removing.
{% set os_client_config='/usr/lib/python2.7/site-packages/os_client_config/defaults.json' %}
{% import "macros.j2" as macros with context %}
# OS packages per distro family: git, jq and the distro's name for the Python 2 pip package.
{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
{% set helm_repo_packages = [
'git',
'jq',
'python2-pip'
] %}
{% elif base_distro in ['debian', 'ubuntu'] %}
{% set helm_repo_packages = [
'git',
'jq',
'python-pip'
] %}
{% if base_distro == 'debian' %}
# Debian only: replace the os_client_config path assigned near the top of the file.
{% set os_client_config='/usr/local/lib/python2.7/dist-packages/os_client_config/defaults.json' %}
{% endif %}
{% endif %}
# NOTE(review): helm_repo_packages is only assigned for the distros listed above; any
# other base_distro reaches the next line with it undefined. Confirm that unsupported
# distros are rejected before this template is rendered.
# The list passes through the customizable("packages") filter before installation.
{{ macros.install_packages(helm_repo_packages | customizable("packages")) }}
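{% block helm_repository_source_install_python_pip %}
# Bootstrap pip from the upstream installer script.
# The script is executed exactly as downloaded: HTTPS protects the transfer, but
# nothing here verifies a checksum or signature of get-pip.py.
# -f makes an HTTP error fail the build instead of handing an error page to python,
# -sS hides the progress meter but still prints errors, and --proto '=https'
# refuses any transfer that is not HTTPS.
RUN curl -fsS --proto '=https' https://bootstrap.pypa.io/get-pip.py -o get-pip.py \
    && python get-pip.py \
    && rm get-pip.py
{% endblock %}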
# Python packages installed with pip; the list passes through the
# customizable("pip_packages") filter first.
# NOTE(review): constraints = false is passed to the macro, so presumably no
# constraints file pins the pyyaml version. Confirm against macros.j2.
{% set helm_repository_pip_packages = [
'pyyaml'
] %}
RUN {{ macros.install_pip(helm_repository_pip_packages | customizable("pip_packages"), constraints = false) }}
# Translate the build architecture into the name used in the Helm release file name;
# architectures without a mapping are passed through unchanged.
{% set helm_arch_names = {'x86_64': 'amd64', 'aarch64': 'arm64'} %}
ENV helm_arch={{ helm_arch_names.get(base_arch, base_arch) }}
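{% block helm_repository_install_kubernetes_helm %}
# TODO(mandre) check for file integrity instead of downloading from an HTTPS source
# Download the Helm release tarball and install only the helm binary into /usr/bin.
# Integrity check is opt-in until a digest is maintained with this template: when a
# helm_sha256 environment variable is set (for example by an overriding version
# block), the tarball must match it or the build fails. Unset, the step behaves as before.
# curl: -f turns an HTTP error into a build failure; --proto '=https' stops the
# redirects followed by -L from downgrading the transfer to plain HTTP.
# sudo is dropped: the build is already root here (package installation above and
# the later useradd step both run without it).
RUN curl -fL --proto '=https' -o /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
    && if [ -n "${helm_sha256:-}" ]; then echo "${helm_sha256}  /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz" | sha256sum -c -; fi \
    && tar --strip-components 1 -C /usr/bin -zxvf /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz linux-${helm_arch}/helm \
    && chmod 755 /usr/bin/helm \
    && rm /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz
{% endblock %}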
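# Create a dedicated unprivileged account for the service and a repository
# directory that it owns.
# useradd in this same step already requires root, so the sudo prefixes on the
# following commands were redundant and have been removed.
RUN useradd --user-group --create-home --home-dir /home/helm helm \
    && mkdir /helm-repo \
    && chmod 755 /helm-repo \
    && chown -R helm: /helm-repo/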
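# Everything from here on, including the running service, uses the unprivileged helm account.
USER helm
# Set up the Helm client configuration for this user; --client-only skips installing Tiller.
RUN helm init --client-only
# exec replaces the shell started by the shell-form CMD, so helm receives stop
# signals directly; the address is quoted so it stays a single argument.
# No TLS or authentication options are passed to helm serve: treat the listener as
# an unauthenticated HTTP endpoint and restrict which hosts can reach it.
CMD exec helm serve --address "$helm_address:$helm_port" --repo-path /helm-repo
{% block helm_repository_footer %}{% endblock %}
{% block footer %}{% endblock %}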