From 9364849941747be9d6bc0a68a73d2ae84eb7a4d2 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Sun, 25 Jan 2026 20:44:21 -0800
Subject: [PATCH] Add kubectl container, update zim-watcher to use local image

---
 .../manifests/kiwix/cronjob-zim-watcher.yaml  |  2 +-
 containers/kubectl/Dockerfile                 | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 containers/kubectl/Dockerfile

diff --git a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
index 491736f..3532676 100644
--- a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
+++ b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
@@ -14,7 +14,7 @@ spec:
           serviceAccountName: zim-watcher
           containers:
             - name: watcher
-              image: bitnami/kubectl:1.34.1
+              image: registry.ops.eblu.me/blumeops/kubectl:v1.0.0
               command: ["/bin/bash", "-c"]
               args:
                 - |
diff --git a/containers/kubectl/Dockerfile b/containers/kubectl/Dockerfile
new file mode 100644
index 0000000..745efe6
--- /dev/null
+++ b/containers/kubectl/Dockerfile
@@ -0,0 +1,24 @@
+# Minimal kubectl container
+# Multi-arch build: downloads correct binary for target platform
+
+FROM alpine:3.21 AS downloader
+
+ARG TARGETARCH
+ARG KUBECTL_VERSION=v1.34.1
+
+RUN apk add --no-cache curl && \
+    curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
+    chmod +x kubectl
+
+FROM alpine:3.21
+
+COPY --from=downloader /kubectl /usr/local/bin/kubectl
+
+# Add ca-certificates for HTTPS connections and bash for scripts
+RUN apk add --no-cache ca-certificates bash
+
+# Run as non-root
+RUN adduser -D -u 1000 kubectl
+USER kubectl
+
+ENTRYPOINT ["kubectl"]