13 changes: 8 additions & 5 deletions Dockerfile
Expand Up @@ -23,8 +23,6 @@ ENV VIRTUAL_ENV=/app/venv
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

# Needed for kubectl
ENV VERIFY_CHECKSUM=true \
VERIFY_SIGNATURES=true
RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key -o Release.key

# Set the architecture-specific kube lineage URLs
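Review bot: the two ENV lines this hunk drops, `VERIFY_CHECKSUM=true` and `VERIFY_SIGNATURES=true`, look like the verification switches for the `get-helm-3` script that the next hunk retires, so dropping them is consistent, but the replacement apt path should carry an equivalent check (a pinned key fingerprint) so that verification is not quietly lost in the move. Separately, the surviving `RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key -o Release.key` fetches the kubectl signing key into the working directory with no fingerprint comparison; consider giving it the same download-to-file, check-fingerprint, then `gpg --dearmor` into /usr/share/keyrings treatment so both repository keys are handled the same way.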
Expand Down Expand Up @@ -59,8 +57,13 @@ RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
RUN chmod 777 argocd
RUN ./argocd --help

# Install Helm
RUN curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# Install Helm - https://github.com/helm/helm-www/pull/1750/files
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list \
&& apt-get update \
&& apt-get install -y helm \
&& rm -rf /var/lib/apt/lists/*
Comment on lines +60 to +66

💡 Verification agent

🧩 Analysis chain

Harden Helm APT install: avoid pipe-to-gpg, reduce deps, and pin/hold for reproducibility

Current pipeline-to-gpg can mask download failures, and unpinned installs hurt repeatability. Also install with no-recommends and hold the package to prevent accidental upgrades.

Apply this diff within this RUN block:

-RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
-    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
-    && apt-get update \
-    && apt-get install -y helm \
-    && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey -o /tmp/helm.gpgkey \
+    && gpg --batch --yes --dearmor -o /usr/share/keyrings/helm.gpg /tmp/helm.gpgkey \
+    && rm -f /tmp/helm.gpgkey \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
+    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends helm \
+    && apt-mark hold helm \
+    && rm -rf /var/lib/apt/lists/*

Please confirm the upstream source and key fingerprint to lock this down:


🌐 Web query:

As of September 2025, is packages.buildkite.com/helm-linux/helm-debian the official APT repository recommended by Helm docs? What is the current GPG key fingerprint for this repo?

💡 Result:

No — Helm's official docs (helm.sh) recommend the APT repo at https://baltocdn.com/helm/stable/debian/ (not packages.buildkite.com). [1][2]

The signing key used by that repo is commonly referenced by key ID 294AC4827C1A168A (seen in Helm community/GitHub reports). [3][4]

Sources:

  • Helm installation docs (Apt instructions pointing at baltocdn.com). [1]
  • Example Helm apt install instructions / mirrors. [2]
  • Helm community issue showing the repo public-key ID NO_PUBKEY 294AC4827C1A168A. [3]
  • Additional discussion/examples referencing the same key ID. [4]

Harden Helm APT install, verify upstream repo & GPG key (Dockerfile: lines 60–66)

Apply the hardening diff below (avoid pipe-to-gpg, use --no-install-recommends, hold package). Also: the Dockerfile currently points at packages.buildkite.com — Helm's docs recommend the official APT repo at https://baltocdn.com/helm/stable/debian/ and the signing key is commonly referenced by key ID 294AC4827C1A168A; replace the repo with the official one or confirm packages.buildkite.com is intentional and provide the full GPG fingerprint before merging.

-RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
-    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
-    && apt-get update \
-    && apt-get install -y helm \
-    && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey -o /tmp/helm.gpgkey \
+    && gpg --batch --yes --dearmor -o /usr/share/keyrings/helm.gpg /tmp/helm.gpgkey \
+    && rm -f /tmp/helm.gpgkey \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
+    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends helm \
+    && apt-mark hold helm \
+    && rm -rf /var/lib/apt/lists/*
📝 Committable suggestion

Suggested change
# Install Helm - https://github.com/helm/helm-www/pull/1750/files
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list \
&& apt-get update \
&& apt-get install -y helm \
&& rm -rf /var/lib/apt/lists/*
# Install Helm - https://github.com/helm/helm-www/pull/1750/files
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey -o /tmp/helm.gpgkey \
&& gpg --batch --yes --dearmor -o /usr/share/keyrings/helm.gpg /tmp/helm.gpgkey \
&& rm -f /tmp/helm.gpgkey \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends helm \
&& apt-mark hold helm \
&& rm -rf /var/lib/apt/lists/*
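The fingerprint check the comment above asks for, as an added example that is not code from this PR, the project, or the review bot: a POSIX shell helper that fetches an APT signing key to a file, compares the primary key's fingerprint with a value pinned in the build, and only then dearmors it into /usr/share/keyrings. The function names, the placeholder repository URL and the placeholder fingerprint are assumptions of this example; the real fingerprint must come from a trusted out-of-band source, never from the same download.

```shell
#!/bin/sh
# Added example, not part of the PR: pin an APT signing key by fingerprint
# before trusting it. Fails closed on download error, parse error or mismatch.
set -eu

# Print the primary key's fingerprint from `gpg --with-colons --show-keys`
# output (the first "fpr" record; field 10 holds the fingerprint).
# Pure text processing, so it is testable with constructed input and no gpg.
primary_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare a reported fingerprint with the pinned one, ignoring spaces and
# case (fingerprints are often published in "1234 5678 ..." form).
# Returns 0 on match, 1 on mismatch or on an empty reported value.
fingerprint_matches() {
    reported=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$reported" ] && [ "$reported" = "$expected" ]
}

# Download an armored key, verify its fingerprint, dearmor it into DEST.
# Usage: install_pinned_apt_key URL PINNED_FINGERPRINT DEST
install_pinned_apt_key() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # -f makes HTTP errors fatal; the key goes to a file, not into a pipe,
    # so a failed download cannot be masked by the next command.
    curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$tmp"
    actual=$(gpg --batch --with-colons --show-keys "$tmp" | primary_fingerprint)
    if ! fingerprint_matches "$actual" "$expected"; then
        echo "refusing key from $url: fingerprint '$actual' != pinned '$expected'" >&2
        return 1
    fi
    gpg --batch --yes --dearmor -o "$dest" "$tmp"
    chmod 644 "$dest"
    rm -f "$tmp"
}

# Example invocation (placeholder URL and fingerprint; assumptions, not real values):
# install_pinned_apt_key https://example.invalid/helm/gpgkey \
#     "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" /usr/share/keyrings/helm.gpg
```

In a Dockerfile the equivalent is one RUN that sources this script and calls `install_pinned_apt_key` with the repository key URL, the pinned fingerprint and `/usr/share/keyrings/helm.gpg`; a mismatch then fails the build instead of producing an image whose `signed-by=` keyring trusts a key nobody checked.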


# Set up poetry
ARG PRIVATE_PACKAGE_REGISTRY="none"
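Review bot: the new Helm install's only trust root is TLS to packages.buildkite.com: `curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg` never compares the key's fingerprint with a known value, and `apt-get install -y helm` takes whatever version the `any main` suite serves at build time, so the result is neither pinned nor verified beyond transport. Suggest downloading the key to a file, comparing `gpg --with-colons --show-keys` output with a fingerprint recorded in the Dockerfile, and pinning `helm=<version>`; since RUN uses `/bin/sh -c` with no `pipefail`, the `curl | gpg` form also hides a failed download, as the bot comment above points out. The comment `# Install Helm - https://github.com/helm/helm-www/pull/1750/files` should say why this repository was chosen over the one in the Helm docs, so the next reader does not have to re-derive it. Unchanged context, but worth a follow-up: `RUN chmod 777 argocd` leaves that binary world-writable in the builder; 555 is enough, as the final stage already does for helm.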
Expand Down Expand Up @@ -132,7 +135,7 @@ COPY --from=builder /app/argocd /usr/local/bin/argocd
RUN argocd --help

# Set up Helm
COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
COPY --from=builder /usr/bin/helm /usr/local/bin/helm
RUN chmod 555 /usr/local/bin/helm
RUN helm version

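Review bot: switching the source to `/usr/bin/helm` is correct for the Debian package, and `RUN helm version` is a good smoke test, but it only proves the copied binary runs; nothing in the final stage checks which version was shipped, so an unpinned upgrade in the builder goes unnoticed. Consider a build ARG for the expected version compared against `helm version --short` so a drift fails the build. Minor: with BuildKit, `COPY --from=builder --chmod=555 /usr/bin/helm /usr/local/bin/helm` folds the separate `chmod 555` layer into the copy.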