feat: add CI workflow and Dockerfile for kubectl image

ravilock · ravilock · commit ec5fa58d6156 · 2025-09-03T15:00:43.000-03:00
Introduce a GitHub Actions workflow to build and publish a Docker image
containing kubectl. The workflow supports multi-architecture builds and
caches Docker layers for efficiency. Add a Dockerfile that downloads the
specified kubectl release, verifies its checksum, and sets up a minimal
runtime environment with a non-root user.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,44 @@
+name: ci
+on: [push, pull_request]
+jobs:
+  image:
+    name: "Publish kubectl image on Docker Hub"
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        kubectl:
+          - v1.34.0
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
+      - uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      - name: Set Docker tags
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]] || [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            echo DOCKER_TAGS=tsuru/kubectl:${{ matrix.kubectl }},tsuru/kubectl:${{ matrix.kubectl }}-${GITHUB_REF##*/} >> $GITHUB_ENV
+          else
+            echo DOCKER_TAGS=tsuru/kubectl:${{ matrix.kubectl }}-${GITHUB_REF##*/} >> $GITHUB_ENV
+          fi
+      - uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - uses: docker/build-push-action@v5
+        if: github.event_name != 'pull_request'
+        with:
+          push: true
+          tags: ${{ env.DOCKER_TAGS }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            KUBECTL_RELEASE=${{ matrix.kubectl }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,21 @@
+FROM docker.io/debian:bookworm AS build
+
+ARG KUBECTL_RELEASE
+ARG TARGETPLATFORM
+
+RUN apt-get update \
+  && apt-get install -y apt-transport-https ca-certificates curl gnupg
+
+WORKDIR /bin
+
+RUN set -x \
+  && curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_RELEASE}/bin/${TARGETPLATFORM}/kubectl" \
+  && curl -LO "https://dl.k8s.io/release/${KUBECTL_RELEASE}/bin/${TARGETPLATFORM}/kubectl.sha256" \
+  && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check \
+  && chmod +x kubectl
+
+RUN useradd -u 1000 -U -m kubectl
+
+USER kubectl
+ENTRYPOINT ["/bin/kubectl"]
+CMD ["help"]
