Skip to content

CLOUD-910: Add docker image to run tests on pipelines#3385

Draft
valmiranogueira wants to merge 9 commits intomasterfrom
CLOUD-910
Draft

CLOUD-910: Add docker image to run tests on pipelines#3385
valmiranogueira wants to merge 9 commits intomasterfrom
CLOUD-910

Conversation

@valmiranogueira
Copy link
Contributor

@valmiranogueira valmiranogueira commented Jun 13, 2025

Add github action to build the docker image every monday. Latest version is always updated and patch version is incremented.

@valmiranogueira valmiranogueira changed the title Add docker image to run tests on pipelines CLOUD-910: Add docker image to run tests on pipelines Jun 17, 2025
nogueiraanderson
nogueiraanderson requested changes Jul 1, 2025
View reviewed changes
Copy link
Contributor

@nogueiraanderson nogueiraanderson left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Review - Request Changes

Thank you for implementing the base Docker image for cloud testing pipelines. The concept is excellent and will help improve pipeline efficiency. However, I've identified several critical issues that need to be addressed before merging.

Critical Issues

  1. Architecture Mismatch (BLOCKER)

    • The Dockerfile hardcodes ARCH="amd64" while the workflow builds for both linux/amd64 and linux/arm64
    • This will cause ARM64 builds to download incorrect binaries and fail
    • Fix: Use Docker BuildKit's TARGETARCH variable instead of hardcoded architecture

  2. Security Vulnerabilities

    • Container runs as root user (security risk)
    • Multiple curl | bash commands without signature verification
    • Most tools use "latest" versions (supply chain risk)

  3. Platform-Specific Issues

    • Google Cloud SDK download hardcoded to x86_64 (line 58)
    • kubectl-assert installation uses || true which hides errors

📋 Recommendations

Immediate fixes required:

# Replace hardcoded ARCH with BuildKit variable
ARG TARGETARCH
ENV ARCH=${TARGETARCH}

# Add non-root user
RUN useradd -m -s /bin/bash clouduser
USER clouduser

# Pin versions and verify checksums
ARG KUBECTL_VERSION=v1.31.3
RUN curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
    curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" && \
    echo "$(cat kubectl.sha256) kubectl" | sha256sum --check

@valmiranogueira
Copy link
Contributor Author

valmiranogueira commented Sep 18, 2025
edited
Loading

@nogueiraanderson, I could fix some of the previous comments. Regarding the latest versions: it’s the same approach for pipelines—the idea is to always keep the newest versions in updated images. For example, the GitHub Action calculates a new tag for every build.

Related to the user: I set it to jenkins because Jenkins is the default user for the containers, but it can be changed if needed.

Signature verification could be implemented, I will check on that

@valmiranogueira
Copy link
Contributor Author

valmiranogueira commented Sep 20, 2025

Added checksum verification.

@valmiranogueira valmiranogueira marked this pull request as draft September 23, 2025 12:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hors hors Awaiting requested review from hors hors is a code owner

@nmarukovich nmarukovich Awaiting requested review from nmarukovich nmarukovich is a code owner

@jvpasinatto jvpasinatto Awaiting requested review from jvpasinatto jvpasinatto is a code owner

@eleo007 eleo007 Awaiting requested review from eleo007 eleo007 is a code owner

@nogueiraanderson nogueiraanderson Awaiting requested review from nogueiraanderson

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@valmiranogueira @nogueiraanderson