bapung/ngn-agent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
78fd4002fda8724d443dcf1dd04ea218bb7a22ce
ngn-agent/docker/Dockerfile
Bagas Purwa Sentika 78fd4002fd feat(09-tooling-portable-setup-01): create Dockerfile with version-pinned tool installations 
- FROM nikolaik/python-nodejs:python3.11-nodejs20 with deprecation comment
- ARGs for version pinning (terraform 1.15.6, helm 4.2.1, kubectl 1.36.1, pup 1.1.0)
- System dependencies: curl, ca-certificates, unzip, gnupg, wget
- AWS CLI v2 via official curl/unzip/install method
- Terraform via HashiCorp apt repo (version-pinned)
- kubectl via Google Kubernetes apt repo (NOT version-pinned)
- Helm via Buildkite apt repo (version-pinned)
- Datadog CLI (pup) via GitHub releases binary download
- All downloads over HTTPS with GPG key verification (T-09-01)
- No COPY . (T-09-02 mitigation)
- D-01 through D-03 referenced in comments
- --no-install-recommends and apt list cleanup
2026-06-15 23:18:47 +08:00

99 lines
5.1 KiB
Docker
Raw Blame History

# =============================================================================
# ngn-agent Docker Image — Custom Hermes image with platform engineering tools
# =============================================================================
# D-01: Base image tag python3.11-nodejs20 — verify availability at build time;
# if manifest not found, update to python3.11-nodejs22-bookworm
# (Node.js 20 EOL April 2026).
FROM nikolaik/python-nodejs:python3.11-nodejs20
LABEL description="ngn-agent: Custom Hermes Docker image with platform engineering tools"
LABEL maintainer="ngn-agent"
# =============================================================================
# Tool version pinning (D-02: pin for reproducibility)
# =============================================================================
ARG TERRAFORM_VERSION=1.15.6
ARG HELM_VERSION=4.2.1
ARG KUBECTL_VERSION=1.36.1
ARG PUPP_VERSION=1.1.0
# =============================================================================
# Install system dependencies (single RUN, clean apt lists after)
# =============================================================================
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
ca-certificates \
unzip \
gnupg \
wget \
&& rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install AWS CLI v2 (D-03: official curl → unzip → ./aws/install method)
# No apt repo for v2 — use the bundled installer.
# T-09-01: download over HTTPS.
# =============================================================================
RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
&& unzip -q awscliv2.zip \
&& ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli \
&& rm -rf awscliv2.zip aws/
# =============================================================================
# Install Terraform (D-03: HashiCorp apt repo, version-pinned)
# T-09-01: HTTPS + GPG key verification.
# =============================================================================
RUN wget -O- https://apt.releases.hashicorp.com/gpg 2>/dev/null \
| gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
| tee /etc/apt/sources.list.d/hashicorp.list > /dev/null \
&& apt-get update && apt-get install -y --no-install-recommends terraform=${TERRAFORM_VERSION} \
&& rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install kubectl (D-03: Google Kubernetes apt repo)
# NOT version-pinned — must match target cluster version.
# T-09-01: HTTPS + GPG key verification.
# =============================================================================
RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.36/deb/Release.key \
| gpg --dearmor -o /usr/share/keyrings/kubernetes-apt-keyring.gpg \
&& echo 'deb [signed-by=/usr/share/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.36/deb/ /' \
| tee /etc/apt/sources.list.d/kubernetes.list > /dev/null \
&& apt-get update && apt-get install -y --no-install-recommends kubectl \
&& rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install Helm (D-03: Buildkite apt repo, version-pinned)
# T-09-01: HTTPS + GPG key verification.
# =============================================================================
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey \
| gpg --dearmor -o /usr/share/keyrings/helm.gpg \
&& echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list > /dev/null \
&& apt-get update && apt-get install -y --no-install-recommends helm=${HELM_VERSION} \
&& rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install Datadog CLI — pup (D-03: GitHub releases binary)
# T-09-01: download over HTTPS.
# =============================================================================
RUN curl -fsSL "https://github.com/DataDog/pup/releases/download/v${PUPP_VERSION}/pup_${PUPP_VERSION}_Linux_x86_64.tar.gz" \
-o /tmp/pup.tar.gz \
&& tar xzf /tmp/pup.tar.gz -C /usr/local/bin/ pup \
&& rm -f /tmp/pup.tar.gz
# =============================================================================
# Verify all tool installations
# =============================================================================
RUN echo "=== Tool versions ===" \
&& aws --version \
&& terraform --version \
&& helm version --short \
&& kubectl version --client --output=yaml 2>/dev/null | grep gitVersion || true \
&& pup --version || true
# =============================================================================
# Default command (matching base image behavior)
# =============================================================================
CMD ["bash"]
Reference in New Issue View Git Blame Copy Permalink