
valmiranogueira
Contributor

Add GitHub Action to build the Docker image every Monday. Latest version is always updated and patch version is incremented.

@valmiranogueira valmiranogueira changed the title Add docker image to run tests on pipelines CLOUD-910: Add docker image to run tests on pipelines Jun 17, 2025
Contributor

@nogueiraanderson nogueiraanderson left a comment

PR Review - Request Changes

Thank you for implementing the base Docker image for cloud testing pipelines. The concept is excellent and will help improve pipeline efficiency. However, I've identified several critical issues that need to be addressed before merging.

Critical Issues

  1. Architecture Mismatch (BLOCKER)

    • The Dockerfile hardcodes ARCH="amd64" while the workflow builds for both linux/amd64 and linux/arm64
    • This will cause ARM64 builds to download incorrect binaries and fail
    • Fix: Use Docker BuildKit's TARGETARCH variable instead of hardcoded architecture
  2. Security Vulnerabilities

    • Container runs as root user (security risk)
    • Multiple curl | bash commands without signature verification
    • Most tools use "latest" versions (supply chain risk)
  3. Platform-Specific Issues

    • Google Cloud SDK download hardcoded to x86_64 (line 58)
    • kubectl-assert installation uses || true which hides errors

📋 Recommendations

Immediate fixes required:

# Replace hardcoded ARCH with BuildKit variable
ARG TARGETARCH
ENV ARCH=${TARGETARCH}

# Add non-root user
RUN useradd -m -s /bin/bash clouduser
USER clouduser

# Pin versions and verify checksums
ARG KUBECTL_VERSION=v1.31.3
RUN curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
    curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" && \
    echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
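An added example (not code from this PR or from either commenter) of a multi-arch Dockerfile applying the three recommendations above: BuildKit's TARGETARCH instead of a hardcoded ARCH, pinned versions with checksum verification and no `|| true`, and a non-root user. The kubectl URLs are the ones in the snippet; the Google Cloud CLI archive name and install path, the version numbers, the checksum placeholders and the jenkins user name are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu:24.04

# BuildKit sets TARGETARCH to "amd64" or "arm64" per --platform, so nothing is hardcoded.
ARG TARGETARCH
# Pinned versions (assumed values); bump them on purpose rather than tracking "latest".
ARG KUBECTL_VERSION=v1.31.3
ARG GCLOUD_VERSION=488.0.0
# Expected SHA-256 of the gcloud archive per architecture (placeholders; take them from the release notes).
ARG GCLOUD_SHA256_AMD64=<sha256-of-x86_64-archive>
ARG GCLOUD_SHA256_ARM64=<sha256-of-arm-archive>

RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates curl python3 && \
    rm -rf /var/lib/apt/lists/*

# kubectl publishes a .sha256 sidecar: fetch both, verify, then install. No "|| true",
# so a failed download or a mismatch fails the build instead of hiding the error.
RUN curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
    curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
    install -m 0755 kubectl /usr/local/bin/kubectl && \
    rm -f kubectl kubectl.sha256

# The Google Cloud CLI archive is named by x86_64/arm, not amd64/arm64, so map the
# BuildKit name and select the matching pinned checksum (archive naming is an assumption).
RUN case "${TARGETARCH}" in \
        amd64) GCLOUD_ARCH=x86_64; GCLOUD_SHA256="${GCLOUD_SHA256_AMD64}" ;; \
        arm64) GCLOUD_ARCH=arm;    GCLOUD_SHA256="${GCLOUD_SHA256_ARM64}" ;; \
        *) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
    esac && \
    curl -fsSLo gcloud.tar.gz \
      "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz" && \
    echo "${GCLOUD_SHA256}  gcloud.tar.gz" | sha256sum --check && \
    tar -xzf gcloud.tar.gz -C /opt && rm -f gcloud.tar.gz && \
    /opt/google-cloud-sdk/install.sh --quiet --usage-reporting=false --path-update=false
ENV PATH="/opt/google-cloud-sdk/bin:${PATH}"

# Drop root for the rest of the image lifetime; "jenkins" is the user name the thread settles on.
RUN useradd -m -s /bin/bash jenkins
USER jenkins
WORKDIR /home/jenkins
```

Building with `docker buildx build --platform linux/amd64,linux/arm64 .` exercises both branches of the case, and a wrong or stale checksum stops the build at `sha256sum --check` rather than shipping an unverified binary.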

@valmiranogueira
Contributor Author

valmiranogueira commented Sep 18, 2025

@nogueiraanderson, I could fix some of the previous comments. Regarding the latest versions: it’s the same approach for pipelines—the idea is to always keep the newest versions in updated images. For example, the GitHub Action calculates a new tag for every build.

Related to the user: I set it to jenkins because Jenkins is the default user for the containers, but it can be changed if needed.

Signature verification could be implemented; I will check on that.

@valmiranogueira
Contributor Author

Added checksum verification.

@valmiranogueira valmiranogueira marked this pull request as draft September 23, 2025 12:01