Merge pull request #31 from theohbrothers/enhancement/improve-dockerf…

…ile-style-and-validate-sops Enhancement: Improve dockerfile style and validate `sops`
theohbrothers · Mar 11, 2023 · bac8661 · bac8661
2 parents 0a031ef + af6c57d
commit bac8661
Show file tree

Hide file tree

Showing 12 changed files with 185 additions and 90 deletions.
diff --git a/generate/templates/Dockerfile.ps1 b/generate/templates/Dockerfile.ps1
@@ -29,8 +29,11 @@ RUN apk add --no-cache git
             'sops' {
 
 @"
-# Note: `sops` does not provide binaries for other arch other than `linux/i386` and `linux/amd64`. So `sops` might not work on other architectures.
-RUN wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops
+RUN set -eux; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version
 
 RUN apk add --no-cache gnupg
 
@@ -46,24 +49,35 @@ RUN apk add --no-cache gnupg
         switch ($c) {
             'git' {
 @"
-RUN apt-get update \
-    && apt-get install -y git \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y git; \
+    rm -rf /var/lib/apt/lists/*
 
 
 "@
             }
             'sops' {
 @"
-# Note: `sops` does not provide binaries for other arch other than `linux/i386` and `linux/amd64`. So `sops` might not work on other architectures.
-RUN apt-get update \
-    && apt-get install -y wget \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN apt-get update \
-    && (apt-get install -y gpg || apt-get install -y gpgv2) \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y `$buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y `$buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
+
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 
 "@

diff --git a/variants/6.0.2-ubuntu-16.04-git-sops/Dockerfile b/variants/6.0.2-ubuntu-16.04-git-sops/Dockerfile
@@ -12,17 +12,28 @@ ENV COMPlus_EnableDiagnostics=0
 # Install Pester
 RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0 -MaximumVersion 4.10.1 -ErrorAction Stop'
 
-RUN apt-get update \
-    && apt-get install -y git \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y git; \
+    rm -rf /var/lib/apt/lists/*
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN apt-get update \
-    && apt-get install -y wget \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-RUN apt-get update \
-    && (apt-get install -y gpg || apt-get install -y gpgv2) \
-    && rm -rf /var/lib/apt/lists/*
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
diff --git a/variants/6.1.3-alpine-3.8-git-sops/Dockerfile b/variants/6.1.3-alpine-3.8-git-sops/Dockerfile
@@ -14,8 +14,11 @@ RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0
 
 RUN apk add --no-cache git
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops
+RUN set -eux; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version
 
 RUN apk add --no-cache gnupg
 
diff --git a/variants/6.1.3-ubuntu-18.04-git-sops/Dockerfile b/variants/6.1.3-ubuntu-18.04-git-sops/Dockerfile
@@ -12,17 +12,28 @@ ENV COMPlus_EnableDiagnostics=0
 # Install Pester
 RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0 -MaximumVersion 4.10.1 -ErrorAction Stop'
 
-RUN apt-get update \
-    && apt-get install -y git \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y git; \
+    rm -rf /var/lib/apt/lists/*
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN apt-get update \
-    && apt-get install -y wget \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-RUN apt-get update \
-    && (apt-get install -y gpg || apt-get install -y gpgv2) \
-    && rm -rf /var/lib/apt/lists/*
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
diff --git a/variants/6.2.4-alpine-3.8-git-sops/Dockerfile b/variants/6.2.4-alpine-3.8-git-sops/Dockerfile
@@ -14,8 +14,11 @@ RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0
 
 RUN apk add --no-cache git
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops
+RUN set -eux; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version
 
 RUN apk add --no-cache gnupg
 
diff --git a/variants/6.2.4-ubuntu-18.04-git-sops/Dockerfile b/variants/6.2.4-ubuntu-18.04-git-sops/Dockerfile
@@ -12,17 +12,28 @@ ENV COMPlus_EnableDiagnostics=0
 # Install Pester
 RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0 -MaximumVersion 4.10.1 -ErrorAction Stop'
 
-RUN apt-get update \
-    && apt-get install -y git \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y git; \
+    rm -rf /var/lib/apt/lists/*
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN apt-get update \
-    && apt-get install -y wget \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-RUN apt-get update \
-    && (apt-get install -y gpg || apt-get install -y gpgv2) \
-    && rm -rf /var/lib/apt/lists/*
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
diff --git a/variants/7.0.3-alpine-3.9-git-sops/Dockerfile b/variants/7.0.3-alpine-3.9-git-sops/Dockerfile
@@ -14,8 +14,11 @@ RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0
 
 RUN apk add --no-cache git
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops
+RUN set -eux; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version
 
 RUN apk add --no-cache gnupg
 
diff --git a/variants/7.0.3-ubuntu-18.04-git-sops/Dockerfile b/variants/7.0.3-ubuntu-18.04-git-sops/Dockerfile
@@ -12,17 +12,28 @@ ENV COMPlus_EnableDiagnostics=0
 # Install Pester
 RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0 -MaximumVersion 4.10.1 -ErrorAction Stop'
 
-RUN apt-get update \
-    && apt-get install -y git \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y git; \
+    rm -rf /var/lib/apt/lists/*
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN apt-get update \
-    && apt-get install -y wget \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-RUN apt-get update \
-    && (apt-get install -y gpg || apt-get install -y gpgv2) \
-    && rm -rf /var/lib/apt/lists/*
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
diff --git a/variants/7.1.5-alpine-3.13-git-sops/Dockerfile b/variants/7.1.5-alpine-3.13-git-sops/Dockerfile
@@ -14,8 +14,11 @@ RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0
 
 RUN apk add --no-cache git
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops
+RUN set -eux; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version
 
 RUN apk add --no-cache gnupg
 
diff --git a/variants/7.1.5-ubuntu-20.04-git-sops/Dockerfile b/variants/7.1.5-ubuntu-20.04-git-sops/Dockerfile
@@ -12,17 +12,28 @@ ENV COMPlus_EnableDiagnostics=0
 # Install Pester
 RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0 -MaximumVersion 4.10.1 -ErrorAction Stop'
 
-RUN apt-get update \
-    && apt-get install -y git \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y git; \
+    rm -rf /var/lib/apt/lists/*
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN apt-get update \
-    && apt-get install -y wget \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-RUN apt-get update \
-    && (apt-get install -y gpg || apt-get install -y gpgv2) \
-    && rm -rf /var/lib/apt/lists/*
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
diff --git a/variants/7.2.0-alpine-3.14-git-sops/Dockerfile b/variants/7.2.0-alpine-3.14-git-sops/Dockerfile
@@ -14,8 +14,11 @@ RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0
 
 RUN apk add --no-cache git
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops
+RUN set -eux; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version
 
 RUN apk add --no-cache gnupg
 
diff --git a/variants/7.2.0-ubuntu-20.04-git-sops/Dockerfile b/variants/7.2.0-ubuntu-20.04-git-sops/Dockerfile
@@ -12,17 +12,28 @@ ENV COMPlus_EnableDiagnostics=0
 # Install Pester
 RUN pwsh -c 'Install-Module Pester -Force -Scope AllUsers -MinimumVersion 4.0.0 -MaximumVersion 4.10.1 -ErrorAction Stop'
 
-RUN apt-get update \
-    && apt-get install -y git \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y git; \
+    rm -rf /var/lib/apt/lists/*
 
-# Note: sops does not provide binaries for other arch other than linux/i386 and linux/amd64. So sops might not work on other architectures.
-RUN apt-get update \
-    && apt-get install -y wget \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-RUN apt-get update \
-    && (apt-get install -y gpg || apt-get install -y gpgv2) \
-    && rm -rf /var/lib/apt/lists/*
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*