From e96713115f8e6434dee69af076a08daf69b5359a Mon Sep 17 00:00:00 2001 From: Sergiy Markin Date: Thu, 24 Apr 2025 19:58:44 +0000 Subject: [PATCH] Libyaml and cfssl install from apt This PS is to install libyaml and cfssl from apt instead of building it from source. Also we upgrade the Helm version to 3.17.3 because of CVE. In order to decrease the image size *-dev libs are installed only when needed to build/install Python packages. Change-Id: Ia83805799f46f5b20008f0a9393ab508078926e4 --- bindep.txt | 1 + doc/source/configuration/host-system.rst | 4 +- examples/basic/HostSystem.yaml | 2 +- examples/complete/HostSystem.yaml | 2 +- examples/containerd/HostSystem.yaml | 2 +- examples/gate/HostSystem.yaml | 2 +- images/promenade/Dockerfile.ubuntu_jammy | 60 ++++++++++--------- tests/unit/api/test_validatedesign.py | 2 +- .../unit/builder_data/simple/HostSystem.yaml | 2 +- tools/gate/default-config-env | 2 +- tools/helm_install.sh | 2 +- tools/image_tags.py | 2 +- tools/registry/IMAGES | 2 +- 13 files changed, 46 insertions(+), 39 deletions(-) diff --git a/bindep.txt b/bindep.txt index ff6c6c12..054f9b4a 100644 --- a/bindep.txt +++ b/bindep.txt @@ -10,4 +10,5 @@ libpq-dev [platform:dpkg] libsasl2-dev [platform:dpkg] libssl-dev [platform:dpkg] libre2-dev [platform:dpkg] +libyaml-dev [platform:dpkg] apt-utils [platform:dpkg] diff --git a/doc/source/configuration/host-system.rst b/doc/source/configuration/host-system.rst index 058b85a9..3438b5e8 100644 --- a/doc/source/configuration/host-system.rst +++ b/doc/source/configuration/host-system.rst @@ -22,7 +22,7 @@ Sample Document to run containers in Docker runtime images: haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.16.4 + helm: lachlanevenson/k8s-helm:v3.17.3 monitoring_image: busybox:1.28.3 packages: repositories: 
@@ -121,7 +121,7 @@ Sample Document to run containers in Containerd runtime images: haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.16.4 + helm: lachlanevenson/k8s-helm:v3.17.3 monitoring_image: busybox:1.28.3 packages: additional: diff --git a/examples/basic/HostSystem.yaml b/examples/basic/HostSystem.yaml index 8439a805..784102ed 100644 --- a/examples/basic/HostSystem.yaml +++ b/examples/basic/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.16.4 + helm: lachlanevenson/k8s-helm:v3.17.3 packages: common: repositories: diff --git a/examples/complete/HostSystem.yaml b/examples/complete/HostSystem.yaml index 03ad0e54..f880fef3 100644 --- a/examples/complete/HostSystem.yaml +++ b/examples/complete/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.16.4 + helm: lachlanevenson/k8s-helm:v3.17.3 packages: common: repositories: diff --git a/examples/containerd/HostSystem.yaml b/examples/containerd/HostSystem.yaml index 5cb21920..34e2c6a5 100644 --- a/examples/containerd/HostSystem.yaml +++ b/examples/containerd/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.16.4 + helm: lachlanevenson/k8s-helm:v3.17.3 packages: common: additional: diff --git a/examples/gate/HostSystem.yaml b/examples/gate/HostSystem.yaml index 2c1bc6cc..7a3633ee 100644 --- a/examples/gate/HostSystem.yaml +++ b/examples/gate/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.16.4 + helm: lachlanevenson/k8s-helm:v3.17.3 packages: common: repositories: diff --git a/images/promenade/Dockerfile.ubuntu_jammy b/images/promenade/Dockerfile.ubuntu_jammy index 628cfa82..089c8d31 100644 --- a/images/promenade/Dockerfile.ubuntu_jammy 
+++ b/images/promenade/Dockerfile.ubuntu_jammy @@ -49,48 +49,54 @@ RUN set -ex \ && apt update -qq \ && apt upgrade -y \ && apt-get install --no-install-recommends -y \ - automake \ ca-certificates \ curl \ dnsutils \ - gcc \ - git \ gpg \ gpg-agent \ - libpcre3-dev \ - libtool \ - libpq-dev \ - make \ python3-dev \ - python3-pip \ python3-setuptools \ rsync \ + # this will install golang-cfssl 1.2.0 in Jammy + golang-cfssl \ && ln -s /usr/bin/python3 /usr/bin/python \ - && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \ - && chmod 555 /usr/local/bin/cfssl \ - && python3 -m pip install -U pip \ && apt-get autoremove -yqq --purge \ && apt-get clean \ && useradd -u 1000 -g users -d /opt/promenade promenade \ && rm -rf /var/lib/apt/lists/* -# Install LibYAML -ENV LD_LIBRARY_PATH=/usr/local/lib - -ARG LIBYAML_VERSION=0.2.5 -RUN set -ex \ - && git clone https://github.com/yaml/libyaml.git \ - && cd libyaml \ - && git checkout $LIBYAML_VERSION \ - && ./bootstrap \ - && ./configure \ - && make \ - && make install \ - && cd .. \ - && rm -fr libyaml - COPY requirements-frozen.txt /opt/promenade -RUN pip3 install --no-cache-dir -r requirements-frozen.txt + +RUN set -ex \ + && buildDeps=' \ + automake \ + gcc \ + libpcre3-dev \ + libffi-dev \ + libpq-dev \ + libssl-dev \ + libtool \ + libyaml-dev \ + libvirt-dev \ + make \ + python3-pip \ + pkg-config \ + ' \ + && apt-get -qq update \ + # Keep git separate so it's not removed below + && apt-get install -y $buildDeps git --no-install-recommends \ + && python3 -m pip install -U pip \ + && pip3 install --no-cache-dir -r requirements-frozen.txt \ + && apt-get purge -y --auto-remove $buildDeps \ + && apt-get autoremove -yqq --purge \ + && apt-get clean \ + && rm -rf \ + /var/lib/apt/lists/* \ + /tmp/* \ + /var/tmp/* \ + /usr/share/man \ + /usr/share/doc \ + /usr/share/doc-base # Setting promenade version for BPR ENV PBR_VERSION 0.9.0 
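Review bot: The `apt-get purge -y --auto-remove $buildDeps` in the new second RUN can also strip the runtime shared libraries that were pulled in only as dependencies of the `-dev` packages (libyaml-0-2 behind libyaml-dev, libpq5 behind libpq-dev, and likewise for libffi-dev/libvirt-dev), yet the C extensions pip just compiled against them still need those .so files at import time; the following `apt-get autoremove -yqq --purge` would remove them as well. Whether this bites depends on what else in the image already depends on those libraries, which is not visible here, and PyYAML in particular presumably falls back to its pure-Python loaders silently rather than failing, so the built image should be checked by importing the affected packages rather than by build success alone. The robust form is to list the runtime libraries with the permanent packages in the first `apt-get install` (for example `libyaml-0-2 \` and `libpq5 \` next to `python3-setuptools \`) or to `apt-mark manual` them before the purge, so only headers and toolchain are removed. The first RUN in this hunk starts on the hunk-header context line, so its beginning lies outside the hunk.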
diff --git a/tests/unit/api/test_validatedesign.py b/tests/unit/api/test_validatedesign.py index 05962846..0741dde5 100644 --- a/tests/unit/api/test_validatedesign.py +++ b/tests/unit/api/test_validatedesign.py @@ -153,7 +153,7 @@ VALID_DOCS = [ 'images': { 'haproxy': 'haproxy:2.4', 'helm': { - 'helm': 'lachlanevenson/k8s-helm:v3.16.4' + 'helm': 'lachlanevenson/k8s-helm:v3.17.3' } }, 'packages': { diff --git a/tests/unit/builder_data/simple/HostSystem.yaml b/tests/unit/builder_data/simple/HostSystem.yaml index b3e5ba4d..e2aa4d32 100644 --- a/tests/unit/builder_data/simple/HostSystem.yaml +++ b/tests/unit/builder_data/simple/HostSystem.yaml @@ -38,7 +38,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.16.4 + helm: lachlanevenson/k8s-helm:v3.17.3 packages: common: repositories: diff --git a/tools/gate/default-config-env b/tools/gate/default-config-env index 11144e3a..e72b9a8d 100644 --- a/tools/gate/default-config-env +++ b/tools/gate/default-config-env @@ -9,7 +9,7 @@ IMAGE_DEP_CHECK=quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12 IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal IMAGE_HAPROXY=haproxy:2.4 -IMAGE_HELM=lachlanevenson/k8s-helm:v3.16.4 +IMAGE_HELM=lachlanevenson/k8s-helm:v3.17.3 IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.32.1 IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.32.1 IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.32.1 diff --git a/tools/helm_install.sh b/tools/helm_install.sh index 1f7898ac..bab8ef59 100755 --- a/tools/helm_install.sh +++ b/tools/helm_install.sh @@ -17,7 +17,7 @@ set -x HELM=$1 -HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.16.4-linux-amd64.tar.gz"} +HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz"} function install_helm_binary { 
diff --git a/tools/image_tags.py b/tools/image_tags.py index 5d8a27f5..9bb829d6 100644 --- a/tools/image_tags.py +++ b/tools/image_tags.py @@ -1,4 +1,4 @@ -#!/bin/python +#!/bin/python3 import json import logging diff --git a/tools/registry/IMAGES b/tools/registry/IMAGES index 0e93eac9..3cf79101 100644 --- a/tools/registry/IMAGES +++ b/tools/registry/IMAGES @@ -6,7 +6,7 @@ registry.k8s.io/kube-apiserver-amd64,v1.32.1,apiserver registry.k8s.io/kube-controller-manager-amd64,v1.32.1,controller-manager registry.k8s.io/kube-scheduler-amd64,v1.32.1,scheduler registry.k8s.io/kube-proxy-amd64,v1.32.1,proxy -lachlanevenson/k8s-helm,v3.16.4,helm +lachlanevenson/k8s-helm,v3.17.3,helm quay.io/airshipit/armada,master,armada quay.io/airshipit/armada-operator,latest,armada-operator quay.io/calico/cni,v3.4.0,calico-cni
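Review bot: The new shebang `#!/bin/python3` hard-codes an interpreter path that works on jammy only because /bin is merged into /usr/bin there, and it bypasses any virtualenv on PATH. The portable form is `#!/usr/bin/env python3`, which resolves the same interpreter on jammy and keeps working on hosts where python3 lives only under /usr/bin or /usr/local/bin.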