
hardcode kustomize download to bypass github api rate limits #1171

Open

trdoyle81 wants to merge 1 commit into redhat-developer:master from trdoyle81:CI-update-KUSTOMIZE_VERSION


Conversation

@trdoyle81

Member

What type of PR is this?
/kind failing-test

What does this PR do / why we need it:
Fixes flaky OpenShift CI images job failures.

The install_kustomize.sh script in the CI Dockerfile queries the GitHub API, which frequently gets blocked by rate limits (403 API Rate Limit Exceeded) due to shared CI IPs. This causes a silent download failure and crashes the build during the tar extraction. This PR replaces the script with a direct curl | tar download of Kustomize v5.8.1. This bypasses the GitHub API completely and makes the CI build deterministic.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #

Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:
podman build -t ci-test .

Signed-off-by: Triona Doyle <tekton@example.com>
@openshift-ci openshift-ci Bot added the kind/failing-test Categorizes issue or PR as related to a frequently failing test. label Jun 8, 2026
@trdoyle81 trdoyle81 requested a review from varshab1210 June 8, 2026 16:08

coderabbitai Bot commented Jun 8, 2026



📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated build configuration to enhance Kustomize installation using versioned tarball downloads with explicit dependency management. Default version is now v5.8.1, providing more reliable and reproducible builds.

Walkthrough

The Dockerfile adds a parameterized KUSTOMIZE_VERSION build argument (defaulting to v5.8.1) and replaces the prior script-based Kustomize installation with a direct curl download and tar extraction of the versioned release tarball into /usr/local/bin.

Changes

Kustomize Installation Versioning

Layer / File(s) Summary
Kustomize version argument and direct installation
openshift-ci/build-root/Dockerfile
Build argument KUSTOMIZE_VERSION=v5.8.1 is added and used to fetch the corresponding release tarball directly via curl and tar, replacing the prior install_kustomize.sh script-based approach.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: replacing GitHub API-based Kustomize installation with hardcoded direct download to bypass rate limits.
Description check ✅ Passed The description is directly related to the changeset, explaining the problem (GitHub API rate limits), the solution (direct curl download), and testing approach.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.




@openshift-ci openshift-ci Bot requested a review from chetan-rns June 8, 2026 16:08

openshift-ci Bot commented Jun 8, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign naveena-058 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@openshift-ci/build-root/Dockerfile`:
- Line 18: The Dockerfile currently downloads and installs kustomize using the
RUN curl ... | tar -xz pipeline with KUSTOMIZE_VERSION but performs no integrity
check; update the Dockerfile to fetch the corresponding release checksum or
signature for kustomize (using KUSTOMIZE_VERSION), verify the downloaded archive
before extracting (e.g., compare sha256/sha512 against the release checksum or
verify a GPG signature), and only copy the binary to /usr/local/bin if the
verification succeeds; reference the existing KUSTOMIZE_VERSION variable and the
kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz artifact when implementing the
checksum/sig retrieval and verification step.


📥 Commits

Reviewing files that changed from the base of the PR and between 949f348 and b008a14.

📒 Files selected for processing (1)
  • openshift-ci/build-root/Dockerfile

# Install Kustomize
RUN wget https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh && \
bash install_kustomize.sh /usr/local/bin && rm install_kustomize.sh
RUN curl -sSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | tar -xz -C /usr/local/bin
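Review bot: the new `RUN curl -sSL ... | tar -xz -C /usr/local/bin` on the last line keeps the failure mode the PR description sets out to fix. Without `-f`, curl exits 0 on an HTTP 4xx/5xx and pipes the error body into tar, so a missing or renamed release asset still surfaces only as a tar extraction error; use `curl -fsSL`, and download to a file before extracting so the failing step is the one named in the build log. Name the archive member as well, `tar -xz -C /usr/local/bin kustomize`, so only the binary can land in a PATH directory, and note that the URL hardcodes `linux_amd64`, so `KUSTOMIZE_VERSION` alone does not make the image buildable on another architecture. Dropping the `wget .../master/hack/install_kustomize.sh` lines is the right call: the image no longer runs an unpinned script fetched from a moving branch. The archive is still not checked against a digest, which the inline review comment on this PR raises.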


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add integrity verification for the downloaded Kustomize binary

Line 18 installs an executable without checksum/signature validation. That creates a supply-chain risk in the CI image build path.

Suggested hardening change
 ARG KUSTOMIZE_VERSION=v5.8.1
+ARG KUSTOMIZE_SHA256=<official_sha256_for_linux_amd64>

 # Install Kustomize
-RUN curl -sSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | tar -xz -C /usr/local/bin
+RUN curl -fsSLo /tmp/kustomize.tar.gz "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz" && \
+    echo "${KUSTOMIZE_SHA256}  /tmp/kustomize.tar.gz" | sha256sum -c - && \
+    tar -xzf /tmp/kustomize.tar.gz -C /usr/local/bin && \
+    chmod +x /usr/local/bin/kustomize && \
+    rm -f /tmp/kustomize.tar.gz
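Review bot: `ARG KUSTOMIZE_SHA256=<official_sha256_for_linux_amd64>` is a placeholder, and with it in place `sha256sum -c -` fails on every build, so the real digest of the v5.8.1 linux_amd64 tarball has to be filled in before this suggestion is applied. Record that digest in the Dockerfile rather than downloading a checksum file from the same release at build time: a checksum fetched from the same origin as the archive only detects a corrupted transfer, while a digest committed to the repository makes a later substitution of the asset detectable. Since both values are build args, overriding `KUSTOMIZE_VERSION` without a matching `KUSTOMIZE_SHA256` now fails the build, which is the intended behaviour and worth a comment next to the two ARG lines. The double space in `"${KUSTOMIZE_SHA256}  /tmp/kustomize.tar.gz"` is the separator `sha256sum -c` expects; keep it. The `-f` added to curl fixes the error-body-into-tar problem; `tar -xzf /tmp/kustomize.tar.gz -C /usr/local/bin` still extracts every member of the archive, so append `kustomize` to extract only the binary.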

Source: Coding guidelines
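The two points raised on this PR, the `curl | tar` pipeline that turns an HTTP error body into a tar failure (from the PR description) and the missing integrity check (from the review comment above), can be exercised in a shell script of the same shape a Dockerfile RUN would call. The script below is an added example written for this page; it is not the project's Dockerfile and not kustomize's own `install_kustomize.sh`. The function names (`digest_of`, `fetch_release`, `verify_and_extract`, `install_pinned`, `demo`) are this example's own, the release URL mirrors the one in the diff, `KUSTOMIZE_VERSION` / `KUSTOMIZE_SHA256` are assumed build args, and the self-check runs entirely offline on a tarball it constructs itself; only `fetch_release` touches the network and it is not run by the self-check.

```shell
#!/bin/sh
# Added example for this page (not the project's Dockerfile, not kustomize's
# install script). All names below are this example's own assumptions.

# Compute a SHA-256 hex digest with whichever tool is present.
digest_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Download the release asset to a file. -f makes curl exit non-zero on an HTTP
# 4xx/5xx instead of writing the error page to its output, which is what a
# `curl -sSL ... | tar -xz` pipeline would otherwise hand to tar. -L follows
# the GitHub release redirect; --retry covers transient network failures.
fetch_release() {
  version="$1"; out="$2"
  url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${version}/kustomize_${version}_linux_amd64.tar.gz"
  curl -fsSL --retry 3 -o "$out" "$url"
}

# Compare the archive against a pinned digest and, only on a match, extract
# the one named member into dest. Returns 1 and extracts nothing on mismatch.
verify_and_extract() {
  archive="$1"; expected="$2"; member="$3"; dest="$4"
  actual="$(digest_of "$archive")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: expected $expected, got $actual" >&2
    return 1
  fi
  # Naming the member keeps an unexpected extra file in the tarball out of dest.
  tar -xzf "$archive" -C "$dest" "$member" && chmod 0755 "$dest/$member"
}

# What a Dockerfile RUN would call, with version and digest pinned together
# (assumed build args KUSTOMIZE_VERSION and KUSTOMIZE_SHA256).
install_pinned() {
  version="$1"; expected="$2"; dest="${3:-/usr/local/bin}"
  tmp="$(mktemp)" || return 1
  if ! fetch_release "$version" "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if ! verify_and_extract "$tmp" "$expected" kustomize "$dest"; then
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}

# Offline self-check on a constructed archive: a stand-in 'kustomize' script is
# packed, its digest recorded, and verification is run with the right digest
# and then with a wrong one. Returns 0 only if both behave as intended.
demo() {
  work="$(mktemp -d)" || return 1
  mkdir -p "$work/src" "$work/bin"
  printf '#!/bin/sh\necho stand-in kustomize\n' > "$work/src/kustomize"
  tar -czf "$work/kustomize.tar.gz" -C "$work/src" kustomize
  good="$(digest_of "$work/kustomize.tar.gz")"
  bad="0000000000000000000000000000000000000000000000000000000000000000"

  # Correct digest: the binary lands in bin and is executable.
  verify_and_extract "$work/kustomize.tar.gz" "$good" kustomize "$work/bin" || return 1
  [ -x "$work/bin/kustomize" ] || return 1

  # Wrong digest: verification fails and nothing is written.
  rm -f "$work/bin/kustomize"
  if verify_and_extract "$work/kustomize.tar.gz" "$bad" kustomize "$work/bin" 2>/dev/null; then
    return 1
  fi
  [ ! -e "$work/bin/kustomize" ] || return 1

  rm -rf "$work"
}

demo && echo "verification self-check passed"
```

In the image, `install_pinned "$KUSTOMIZE_VERSION" "$KUSTOMIZE_SHA256"` replaces the pipeline, with both values declared as build args so that bumping the version without the digest fails the build instead of silently accepting a new binary. Fetching a checksum file from the same release at build time only proves the transfer was not corrupted; the digest recorded in the repository is what makes a later substitution of the asset detectable.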


openshift-ci Bot commented Jun 8, 2026


@trdoyle81: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/v4.19-kuttl-sequential b008a14 link true /test v4.19-kuttl-sequential
ci/prow/v4.14-kuttl-parallel b008a14 link false /test v4.14-kuttl-parallel
ci/prow/v4.14-kuttl-sequential b008a14 link false /test v4.14-kuttl-sequential

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
