tools: Build kubectl image

This image will be used by our helm charts to verify that a kata-containers deployment is correct. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-01-24 22:15:40 +00:00 · 2026-01-12 12:08:40 +01:00
parent 183507beeb
commit 26dfcb627b
2 changed files with 97 additions and 0 deletions
--- a/.github/workflows/build-kubectl-image.yaml
+++ b/.github/workflows/build-kubectl-image.yaml
@@ -0,0 +1,68 @@
+name: Build kubectl multi-arch image
+
+on:
+  schedule:
+    # Run every Sunday at 00:00 UTC
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+    # Allow manual triggering
+  push:
+    branches:
+      - main
+    paths:
+      - 'tools/packaging/kubectl/Dockerfile'
+      - '.github/workflows/build-kubectl-image.yaml'
+
+permissions: {}
+
+env:
+  REGISTRY: quay.io
+  IMAGE_NAME: kata-containers/kubectl
+
+jobs:
+  build-and-push:
+    name: Build and push multi-arch image
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Login to Quay.io
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - name: Generate image metadata
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest
+            type=raw,value={{date 'YYYYMMDD'}}
+            type=sha,prefix=
+
+      - name: Build and push multi-arch image
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        with:
+          context: tools/packaging/kubectl/
+          file: tools/packaging/kubectl/Dockerfile
+          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
--- a/tools/packaging/kubectl/Dockerfile
+++ b/tools/packaging/kubectl/Dockerfile
@@ -0,0 +1,29 @@
+# Copyright (c) 2026 Kata Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Alpine-based image with kubectl for multi-arch support
+# Used for kata-deploy verification jobs and other kubectl operations
+
+ARG ALPINE_VERSION=3.23
+FROM alpine:${ALPINE_VERSION}
+
+# Install bash, curl, and download kubectl
+# hadolint ignore=DL3018
+RUN apk add --no-cache bash curl ca-certificates && \
+    ARCH=$(uname -m) && \
+    case "${ARCH}" in \
+        x86_64)  KUBECTL_ARCH=amd64 ;; \
+        aarch64) KUBECTL_ARCH=arm64 ;; \
+        ppc64le) KUBECTL_ARCH=ppc64le ;; \
+        s390x)   KUBECTL_ARCH=s390x ;; \
+        *)       echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+    esac && \
+    KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt) && \
+    curl -fL --progress-bar -o /usr/local/bin/kubectl \
+        "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${KUBECTL_ARCH}/kubectl" && \
+    chmod +x /usr/local/bin/kubectl && \
+    kubectl version --client
+
+# Default to bash shell
+CMD ["/bin/bash"]