4 changes: 2 additions & 2 deletions openshift-ci/build-root/Dockerfile
@@ -4,6 +4,7 @@ FROM quay.io/devtools_gitops/go-toolset:1.26.2
USER root

ARG OPERATOR_SDK_VERSION=1.35.0
ARG KUSTOMIZE_VERSION=v5.8.1

# Install kubectl tool which is used in e2e-tests
RUN curl -sSL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
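Review bot: Pinning the tool version in `ARG KUSTOMIZE_VERSION=v5.8.1` is the right move, but the kubectl install three lines below in the same hunk still resolves `https://dl.k8s.io/release/stable.txt` at build time and downloads the binary with no digest check, so the same image built on two days can contain two different kubectl binaries. Give kubectl its own pinned `ARG` the way this change does for Kustomize, and keep in mind that any `ARG` default can be replaced with `--build-arg` at build time; if the pin must not be overridable, hard-code the value instead.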
@@ -14,8 +15,7 @@ RUN curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/relea
chmod +x /usr/local/bin/argocd

# Install Kustomize
RUN wget https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh && \
bash install_kustomize.sh /usr/local/bin && rm install_kustomize.sh
RUN curl -sSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | tar -xz -C /usr/local/bin

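Review bot: Dropping the `install_kustomize.sh` fetched from the `master` branch in favour of a pinned release tarball removes a moving target from the build, but the replacement `RUN curl -sSL ... | tar -xz -C /usr/local/bin` still has two gaps. Without `-f`, curl writes an HTTP error body to stdout on a 404 or a broken redirect and only tar's refusal to unpack non-gzip input stops the build; use `curl -fsSL`. Nothing inspects the archive before it is unpacked straight into /usr/local/bin, so a substituted artifact on the release path is installed silently; download to a temporary file, check it against a digest pinned in the Dockerfile with `sha256sum -c`, and extract only when that succeeds. The `argocd` and `operator-sdk` downloads visible in the surrounding context follow the same unverified pattern and deserve the same treatment.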
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add integrity verification for the downloaded Kustomize binary

Line 18 installs an executable without checksum/signature validation. That creates a supply-chain risk in the CI image build path.

Suggested hardening change
 ARG KUSTOMIZE_VERSION=v5.8.1
+ARG KUSTOMIZE_SHA256=<official_sha256_for_linux_amd64>

 # Install Kustomize
-RUN curl -sSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | tar -xz -C /usr/local/bin
+RUN curl -fsSLo /tmp/kustomize.tar.gz "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz" && \
+    echo "${KUSTOMIZE_SHA256}  /tmp/kustomize.tar.gz" | sha256sum -c - && \
+    tar -xzf /tmp/kustomize.tar.gz -C /usr/local/bin && \
+    chmod +x /usr/local/bin/kustomize && \
+    rm -f /tmp/kustomize.tar.gz
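Review bot: The suggested diff fails closed on the digest comparison, which is the point, but two details need attention before it is applied. `ARG KUSTOMIZE_SHA256` can be overridden with `--build-arg` like any build argument, so whoever runs the build can pair an attacker-supplied archive with a matching digest; if that is not acceptable in this CI path, hard-code the digest rather than exposing it as an argument. The `<official_sha256_for_linux_amd64>` placeholder must be replaced with the digest of `kustomize_v5.8.1_linux_amd64.tar.gz` from the upstream release, and both the version and the digest have to be bumped together on every upgrade, so a short comment beside the two `ARG` lines stating where the digest was taken from will save the next reviewer a lookup. The added `chmod +x` is harmless; the original `RUN` relied on the mode stored in the archive, so keep it only if an explicit guarantee is wanted.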
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift-ci/build-root/Dockerfile` at line 18, The Dockerfile currently
downloads and installs kustomize using the RUN curl ... | tar -xz pipeline with
KUSTOMIZE_VERSION but performs no integrity check; update the Dockerfile to
fetch the corresponding release checksum or signature for kustomize (using
KUSTOMIZE_VERSION), verify the downloaded archive before extracting (e.g.,
compare sha256/sha512 against the release checksum or verify a GPG signature),
and only copy the binary to /usr/local/bin if the verification succeeds;
reference the existing KUSTOMIZE_VERSION variable and the
kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz artifact when implementing the
checksum/sig retrieval and verification step.

Source: Coding guidelines


# Install operator-sdk
RUN curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/v${OPERATOR_SDK_VERSION}/operator-sdk_linux_amd64 && \
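The download-verify-extract pattern proposed in the review comment above, as an added example that is not part of this PR or of the kustomize project: a shell function that refuses to unpack an archive unless it matches a pinned SHA-256, exercised against a locally constructed tarball standing in for kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz. The fixture binary, the tarball and both digests are constructed here so the script runs offline; in the Dockerfile the archive would come from `curl -fsSLo` and the expected digest from a pinned value.

```shell
#!/usr/bin/env bash
# Added example (not the PR's code): verify a pinned SHA-256 before extracting.
# Network access is replaced by a constructed fixture tarball.
set -euo pipefail

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Extracts ARCHIVE into DESTDIR only if its SHA-256 equals EXPECTED_SHA256.
# Returns 1 and leaves DESTDIR untouched on a mismatch.
verify_and_extract() {
  local archive="$1" expected="$2" dest="$3"
  # sha256sum -c reads "<hex>  <path>" from stdin and exits non-zero on mismatch;
  # --status suppresses the OK/FAILED line so the caller decides what to print.
  if ! echo "${expected}  ${archive}" | sha256sum -c --status -; then
    echo "checksum mismatch for ${archive}; refusing to install" >&2
    return 1
  fi
  tar -xzf "${archive}" -C "${dest}"
}

# make_fixture WORKDIR
# Builds a constructed stand-in for the release tarball: a tiny executable
# named "kustomize" packed with tar. Prints the archive's real SHA-256.
make_fixture() {
  local work="$1"
  mkdir -p "${work}/src"
  printf '#!/bin/sh\necho kustomize-fixture\n' > "${work}/src/kustomize"
  chmod +x "${work}/src/kustomize"
  tar -czf "${work}/kustomize.tar.gz" -C "${work}/src" kustomize
  sha256sum "${work}/kustomize.tar.gz" | awk '{print $1}'
}

# demo
# Runs the check once with the correct pinned digest and once with a wrong one.
# Prints "ok,rejected" when the good case installs the binary and the bad case
# installs nothing.
demo() {
  local work; work="$(mktemp -d)"
  local good; good="$(make_fixture "${work}")"
  # Constructed wrong digest, standing in for a tampered or mis-pinned archive.
  local bad="0000000000000000000000000000000000000000000000000000000000000000"
  mkdir -p "${work}/bin-good" "${work}/bin-bad"
  local result=""
  if verify_and_extract "${work}/kustomize.tar.gz" "${good}" "${work}/bin-good" \
     && [ -x "${work}/bin-good/kustomize" ]; then
    result="ok"
  fi
  if ! verify_and_extract "${work}/kustomize.tar.gz" "${bad}" "${work}/bin-bad" 2>/dev/null \
     && [ ! -e "${work}/bin-bad/kustomize" ]; then
    result="${result},rejected"
  fi
  rm -rf "${work}"
  echo "${result}"
}
```

The same `verify_and_extract` body is what the `RUN` step would carry after `curl -fsSLo /tmp/kustomize.tar.gz ...`; the important property is that the `tar` never runs unless `sha256sum -c` returned 0, and `set -o pipefail` keeps a failed `sha256sum` from being masked by the `echo` on the left of the pipe.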