passbolt / charts-passbolt

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0

Issues when downloading kubectl and kubectl version #5

Closed egandro closed 1 year ago

egandro commented 1 year ago

Hello,

I noticed a small issue with our setup:

This call https://github.com/passbolt/charts-passbolt/blob/eb164d48361f48f6e2bed0ac6ecdc48398da8a5d/templates/job-create-gpg.yaml#L53 is causing some trouble.

curl -v -L -s https://dl.k8s.io/release/stable.txt

* Issue another request to this URL: 'https://storage.googleapis.com/kubernetes-release/release/stable.txt'
*   Trying 172.217.16.144:443...
*   Trying 2a00:1450:4001:827::2010:443...
* Immediate connect fail for 2a00:1450:4001:827::2010: Network is unreachable
*   Trying 2a00:1450:4001:808::2010:443...
...

I would suggest introducing a kubectl download configuration variable, kubectl_download_cmd. This will give more flexibility in how to download and where to download.

Even probably some weird proxy options people need to set.

Thx.

dlen commented 1 year ago

Oh, I see, you are right!

Thanks for the feedback, we will definitely add this one.

egandro commented 1 year ago

I have a PR for this:

https://github.com/passbolt/charts-passbolt/pull/6

egandro commented 1 year ago

Here are my 5 cents...

Passbolt is a security product - a lot of time, sweat, tears, coffee and fun went into it!

So try to find an official image with an official kubectl inside :) and let the user decide by the image tag what version to choose.

That will gain trust.

Downloading kubectl isn't the best choice.

egandro commented 1 year ago

This is how GitLab injects it:

https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/values.yaml#L741

dlen commented 1 year ago

Yeah, I agree, using a kubectl image would create more trust for the community. I was about to merge your PR but maybe you want to change the approach.

egandro commented 1 year ago

I have a meanwhile hack for my needs.

I am using Ansible kubernetes.core.helm and I added timeout: 90m - which is super braindead - but after a while the download will work.

Happy to help you with testing when you have a solution. Just ping me here.

egandro commented 1 year ago

I have a new image for you: https://hub.docker.com/r/bitnami/kubectl/

This is trusted, as all sorts of k8s distros, e.g. Rancher/k3s, are using it.

->edit: check this - they have tags - 1.25.7-debian-11-r4

dlen commented 1 year ago

Your initial PR has been merged. Further discussion on which image to use needs to happen. I will close the issue though as solved and we can open a new one to iterate on the solution.

Thanks a lot for your contribution!

egandro commented 1 year ago

@dlen I also found out the root cause of my error. I am using k3s on a root server. Unfortunately the k3s setup wasn't 100% correct for IPv6. So I fixed this.

Nevertheless - it's a good thing to add the level of flexibility with the image.

dlen commented 1 year ago

Thanks for clarifying @egandro! I'm actually thinking to make all the calls directly with curl so no kubectl to download. That would be simpler, I think. It is on the bottom of the backlog though.

Thanks again for your feedback, we really appreciate it!

ButtersBrewery commented 6 months ago

So I've noticed that presetting this in the values.yaml completely negates what @dlen updated in the job-create-gpg.yaml.

It took a bit for me to realize why the ./kubectl lines were failing when running on Arm64, even though the arch check should've prevented that.