## Summary - Enable OIDC + API key authentication on zot with anonymous pull preserved - Enforce tag immutability for version tags - Adopt commit-SHA-based container image tagging Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`). ## Test plan - [ ] Anonymous pull still works - [ ] Unauthenticated push fails (401) - [ ] CI container builds pass with new auth and tagging - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
# Minimal kubectl container
|
|
# Multi-arch build: downloads correct binary for target platform
|
|
|
|
ARG CONTAINER_APP_VERSION=v1.34.4
|
|
|
|
FROM alpine:3.22 AS downloader
|
|
|
|
ARG TARGETARCH
|
|
ARG CONTAINER_APP_VERSION
|
|
ARG KUBECTL_VERSION=${CONTAINER_APP_VERSION}
|
|
|
|
RUN apk add --no-cache curl && \
|
|
# Detect architecture - use TARGETARCH if set, otherwise detect from uname
|
|
if [ -n "$TARGETARCH" ]; then \
|
|
ARCH="$TARGETARCH"; \
|
|
else \
|
|
UNAME_ARCH=$(uname -m); \
|
|
case "$UNAME_ARCH" in \
|
|
aarch64|arm64) ARCH="arm64" ;; \
|
|
x86_64) ARCH="amd64" ;; \
|
|
*) echo "Unsupported architecture: $UNAME_ARCH"; exit 1 ;; \
|
|
esac; \
|
|
fi && \
|
|
echo "Downloading kubectl for $ARCH..." && \
|
|
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
|
|
chmod +x kubectl
|
|
|
|
FROM alpine:3.22
|
|
|
|
COPY --from=downloader /kubectl /usr/local/bin/kubectl
|
|
|
|
# Add ca-certificates for HTTPS connections and bash for scripts
|
|
RUN apk add --no-cache ca-certificates bash
|
|
|
|
# Run as non-root
|
|
RUN adduser -D -u 1000 kubectl
|
|
USER kubectl
|
|
|
|
ENTRYPOINT ["kubectl"]
|
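Review bot: The kubectl binary fetched by the `curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"` line in the downloader stage is never integrity-checked, and because `--fail` is absent an HTTP error body would be written to `kubectl` and then made executable by the following `chmod +x`. The release server publishes a `kubectl.sha256` next to the binary, so the step can be tightened to `curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \`, `curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" && \`, `echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \` before the existing `chmod +x kubectl`. Note that a checksum fetched from the same origin only catches truncated or wrong-file downloads; pinning the expected digest in the Dockerfile (e.g. via an `ARG`) is what protects a pinned `CONTAINER_APP_VERSION` against a changed upstream artifact. The download also relies on Alpine's default working directory being `/` so that `COPY --from=downloader /kubectl` resolves; writing with `-o /kubectl` would make that dependency explicit.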