chore(dogfood): fix dogfood image (#7603)

* chore(dogfood): update keys, add script to do so * chore(dogfood): fix urls in Dockerfile * fmt
2023-05-19 15:09:34 +01:00 · 2023-05-19 15:09:34 +01:00 · a29c4c543d
parent e375169ac0
commit a29c4c543d
13 changed files with 64 additions and 3 deletions
--- a/dogfood/Dockerfile
+++ b/dogfood/Dockerfile
@ -226,7 +226,7 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \

 # cloud_sql_proxy, for connecting to cloudsql instances
 # the upstream go.mod prevents this from being installed with go install
-RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_proxy "https://storage.googleapis.com/cloudsql-proxy/v${CLOUD_SQL_PROXY_VERSION}/cloud_sql_proxy.linux.amd64" && \
+RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_proxy "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v${CLOUD_SQL_PROXY_VERSION}/cloud-sql-proxy.linux.amd64" && \
 	chmod a=rx /usr/local/bin/cloud_sql_proxy && \
 	# dive for scanning image layer utilization metrics in CI
 	curl --silent --show-error --location "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.tar.gz" | \
@ -246,8 +246,7 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox
 	tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \
 	# kube-linter for linting Kubernetes objects, including those
 	# that Helm generates from our charts
-	curl --silent --show-error --location "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- kube-linter && \
+	curl --silent --show-error --location "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux" --output /usr/local/bin/kube-linter && \
 	# kubens and kubectx for managing Kubernetes namespaces and contexts
 	curl --silent --show-error --location "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
 	tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \
--- a/dogfood/files/usr/share/keyrings/ansible.gpg
+++ b/dogfood/files/usr/share/keyrings/ansible.gpg
--- a/dogfood/files/usr/share/keyrings/docker.gpg
+++ b/dogfood/files/usr/share/keyrings/docker.gpg
--- a/dogfood/files/usr/share/keyrings/github-cli.gpg
+++ b/dogfood/files/usr/share/keyrings/github-cli.gpg
--- a/dogfood/files/usr/share/keyrings/google-chrome.gpg
+++ b/dogfood/files/usr/share/keyrings/google-chrome.gpg
--- a/dogfood/files/usr/share/keyrings/google-cloud.gpg
+++ b/dogfood/files/usr/share/keyrings/google-cloud.gpg
--- a/dogfood/files/usr/share/keyrings/hashicorp.gpg
+++ b/dogfood/files/usr/share/keyrings/hashicorp.gpg
--- a/dogfood/files/usr/share/keyrings/microsoft.gpg
+++ b/dogfood/files/usr/share/keyrings/microsoft.gpg
--- a/dogfood/files/usr/share/keyrings/neovim.gpg
+++ b/dogfood/files/usr/share/keyrings/neovim.gpg
--- a/dogfood/files/usr/share/keyrings/nodesource.gpg
+++ b/dogfood/files/usr/share/keyrings/nodesource.gpg
--- a/dogfood/files/usr/share/keyrings/postgresql.gpg
+++ b/dogfood/files/usr/share/keyrings/postgresql.gpg
--- a/dogfood/files/usr/share/keyrings/yarnpkg.gpg
+++ b/dogfood/files/usr/share/keyrings/yarnpkg.gpg
--- a/dogfood/update-keys.sh
+++ b/dogfood/update-keys.sh
@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+
+curl_flags=(
+	--silent
+	--show-error
+	--location
+)
+
+gpg_flags=(
+	--dearmor
+	--yes
+)
+
+pushd "$PROJECT_ROOT/dogfood/files/usr/share/keyrings"
+# Upstream Docker signing key
+curl "${curl_flags[@]}" "https://download.docker.com/linux/ubuntu/gpg" |
+	gpg "${gpg_flags[@]}" --output="docker.gpg"
+
+# Google Cloud signing key
+curl "${curl_flags[@]}" "https://packages.cloud.google.com/apt/doc/apt-key.gpg" |
+	gpg "${gpg_flags[@]}" --output="google-cloud.gpg"
+
+# Google Linux Software repository signing key (Chrome)
+curl "${curl_flags[@]}" "https://dl.google.com/linux/linux_signing_key.pub" |
+	gpg "${gpg_flags[@]}" --output="google-chrome.gpg"
+
+# Microsoft repository signing key (Edge)
+curl "${curl_flags[@]}" "https://packages.microsoft.com/keys/microsoft.asc" |
+	gpg "${gpg_flags[@]}" --output="microsoft.gpg"
+
+# Upstream PostgreSQL signing key
+curl "${curl_flags[@]}" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" |
+	gpg "${gpg_flags[@]}" --output="postgresql.gpg"
+
+# NodeSource signing key
+curl "${curl_flags[@]}" "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" |
+	gpg "${gpg_flags[@]}" --output="nodesource.gpg"
+
+# Yarnpkg signing key
+curl "${curl_flags[@]}" "https://dl.yarnpkg.com/debian/pubkey.gpg" |
+	gpg "${gpg_flags[@]}" --output="yarnpkg.gpg"
+
+# Ansible PPA signing key
+curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6125e2a8c77f2818fb7bd15b93c4a3fd7bb9c367" |
+	gpg "${gpg_flags[@]}" --output="ansible.gpg"
+
+# Neovim signing key
+curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9dbb0be9366964f134855e2255f96fcf8231b6dd" |
+	gpg "${gpg_flags[@]}" --output="neovim.gpg"
+
+# Hashicorp signing key
+curl "${curl_flags[@]}" "https://apt.releases.hashicorp.com/gpg" |
+	gpg "${gpg_flags[@]}" --output="hashicorp.gpg"
+
+# GitHub CLI signing key
+curl "${curl_flags[@]}" "https://cli.github.com/packages/githubcli-archive-keyring.gpg" |
+	gpg "${gpg_flags[@]}" --output="github-cli.gpg"
+popd