From 20e880c5f6dbb16712427962b9cad241901bdc46 Mon Sep 17 00:00:00 2001 
From: Francisco Ewerton de Araujo Silva Date: Wed, 18 Feb 2026 17:48:27 -0300 Subject: [PATCH] fix(create-kubernetes-binaries-iso-with-cilium.sh): Improvements suggested by Copilot. cks: harden ISO build script with pipefail, --fail, and strict mode: - Replace 'set -e' with 'set -o errexit', 'set -o nounset', 'set -o pipefail'; - Add TRACE env var support for debug with 'set -o xtrace'; - Add --fail (-f) flag to curl commands in pipelines to prevent silent failures; - Add --fail and tar.gz integrity validation for etcd download; - Fix ARCH validation error message to list all accepted values (x86_64, amd64, aarch64, arm64). cks: fix semver comparison using sort -V instead of awk: - Replace awk numeric comparison with a sort -V based version_lt() function. The previous approach treated '1.9.0' as 1.9 and '1.18.0' as 1.18, making 1.9 > 1.18 and selecting the wrong source for kubelet.service and 10-kubeadm.conf. cks: vendor kubelet.service and 10-kubeadm.conf to reduce supply-chain risk: - Vendor kubelet.service and 10-kubeadm.conf from shapeblue/cloudstack-nonoss into the repository instead of fetching them at build time from a mutable remote branch. These files are executed with root privileges as systemd units, and pinning to a mutable branch without checksum verification posed a supply-chain risk. cks: only add Cilium Helm repo if not already configured: - Replace 'helm repo add ... || true' with an explicit check via 'helm repo list'. The previous approach suppressed all failures (including network/DNS errors), which could cause a later, less-clear failure during 'helm template'. cks: move Cilium ISO script to scripts/util/cks/ and add download progress: - Move create-kubernetes-binaries-iso-with-cilium.sh to scripts/util/cks/ alongside vendored kubelet.service and 10-kubeadm.conf; - Download kubeadm, kubelet, kubectl individually with --progress-bar for visibility during long downloads.
---
 scripts/util/cks/10-kubeadm.conf | 11 ++++
 ...ate-kubernetes-binaries-iso-with-cilium.sh | 51 ++++++++++++++-----
 scripts/util/cks/kubelet.service | 12 +++++
 3 files changed, 62 insertions(+), 12 deletions(-)
 create mode 100644 scripts/util/cks/10-kubeadm.conf
 rename scripts/util/{ => cks}/create-kubernetes-binaries-iso-with-cilium.sh (85%)
 create mode 100644 scripts/util/cks/kubelet.service
diff --git a/scripts/util/cks/10-kubeadm.conf b/scripts/util/cks/10-kubeadm.conf
new file mode 100644
index 00000000000..cb49e797540
--- /dev/null
+++ b/scripts/util/cks/10-kubeadm.conf
@@ -0,0 +1,11 @@
+
+[Service]
+Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
+Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
+# This is a file that "kubeadm init" and "kubeadm join" generate at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
+EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
+# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
+# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
+EnvironmentFile=-/etc/default/kubelet
+ExecStart=
+ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
diff --git a/scripts/util/create-kubernetes-binaries-iso-with-cilium.sh b/scripts/util/cks/create-kubernetes-binaries-iso-with-cilium.sh
similarity index 85%
rename from scripts/util/create-kubernetes-binaries-iso-with-cilium.sh
rename to scripts/util/cks/create-kubernetes-binaries-iso-with-cilium.sh
index 111266edd96..671820c8c2a 100755
--- a/scripts/util/create-kubernetes-binaries-iso-with-cilium.sh
+++ b/scripts/util/cks/create-kubernetes-binaries-iso-with-cilium.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements. See the NOTICE file
 # distributed with this work for additional information
@@ -16,7 +17,13 @@
 # specific language governing permissions and limitations
 # under the License.
 
-set -e
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+ set -o xtrace
+fi
 
 if [ $# -lt 8 ]; then
 echo "============================================================================================================"
@@ -56,12 +63,19 @@ elif [ "${6}" = "aarch64" ] || [ "${6}" = "arm64" ]; then
 ARCH="arm64"
 ARCH_SUFFIX="aarch64"
 else
- echo "ERROR: ARCH must be 'x86_64' or 'aarch64'."
+ echo "ERROR: ARCH must be one of: x86_64, amd64, aarch64, or arm64."
 exit 1
 fi
 
 RELEASE="v${2}"
-VAL="1.18.0"
+MIN_UPSTREAM_VERSION="1.18.0"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# version_lt returns 0 (true) if $1 < $2 using semver-aware comparison
+version_lt() {
+ [ "$(printf '%s\n%s' "$1" "$2" | sort -V | head -n1)" = "$1" ] && [ "$1" != "$2" ]
+}
+
 output_dir="${1}"
 start_dir="$PWD"
 iso_dir=$(mktemp -d)
@@ -95,7 +109,10 @@ echo "Downloading Kubernetes tools ${RELEASE}..."
 k8s_dir="${working_dir}/k8s"
 mkdir -p "${k8s_dir}"
 cd "${k8s_dir}"
-curl -sS -L --remote-name-all https://dl.k8s.io/release/"${RELEASE}"/bin/linux/${ARCH}/{kubeadm,kubelet,kubectl}
+for binary in kubeadm kubelet kubectl; do
+ echo " Downloading ${binary}..."
+ curl --progress-bar -fL "https://dl.k8s.io/release/${RELEASE}/bin/linux/${ARCH}/${binary}" -o "${binary}"
+done
 kubeadm_file_permissions=$(stat --format '%a' kubeadm)
 chmod +x kubeadm
 
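Review bot: `MIN_UPSTREAM_VERSION="1.18.0"` is introduced without saying what the threshold decides, so a reader of this hunk has to find the two `version_lt` call sites further down to learn that releases below it fetch the systemd units from the upstream release tag while newer ones use the vendored copies next to the script. A one-line comment above the assignment would make that explicit, for example `# Releases older than this fetch kubelet.service/10-kubeadm.conf from the upstream kubernetes release tag; newer releases use the vendored copies in SCRIPT_DIR.` The `version_lt` comment could also mention that it relies on GNU `sort -V`, which the script already assumes elsewhere (the `stat --format` context line in the next hunk), so nobody expects it to work on BSD/macOS `sort`.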
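Review bot: The per-binary download loop still packages kubeadm, kubelet and kubectl into the ISO without any integrity check; `-f` only turns an HTTP error into a non-zero exit, so a truncated or otherwise corrupted transfer that still answered 200 is packaged as-is. The release path publishes a `<binary>.sha256` file next to each binary, so the loop can fetch it and run `sha256sum --check` before moving on; since the checksum is served from the same origin this mainly guards against corruption and mirror drift rather than a compromised publisher, but it is the standard kubernetes.io install step. The temporary `.sha256` file is removed afterwards so it does not stay in `${k8s_dir}` and end up in the ISO.
```shell
for binary in kubeadm kubelet kubectl; do
  echo "  Downloading ${binary}..."
  curl --progress-bar -fL "https://dl.k8s.io/release/${RELEASE}/bin/linux/${ARCH}/${binary}" -o "${binary}"
  # The published checksum lives next to the binary; verify before packaging.
  curl -sSfL "https://dl.k8s.io/release/${RELEASE}/bin/linux/${ARCH}/${binary}.sha256" -o "${binary}.sha256"
  if ! echo "$(<"${binary}.sha256")  ${binary}" | sha256sum --check --status; then
    echo "ERROR: checksum mismatch for ${binary} (${RELEASE}, ${ARCH})."
    exit 1
  fi
  rm -f -- "${binary}.sha256"
done
```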
@@ -103,19 +120,19 @@ echo "Downloading kubelet.service ${RELEASE}..."
 cd "${start_dir}"
 kubelet_service_file="${working_dir}/kubelet.service"
 touch "${kubelet_service_file}"
-if [[ $(echo "${2} $VAL" | awk '{print ($1 < $2)}') == 1 ]]; then
- curl -sSL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/kubelet.service" | sed "s:/usr/bin:/opt/bin:g" > "${kubelet_service_file}"
+if version_lt "${2}" "${MIN_UPSTREAM_VERSION}"; then
+ curl -sSfL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/kubelet.service" | sed "s:/usr/bin:/opt/bin:g" > "${kubelet_service_file}"
 else
- curl -sSL "https://raw.githubusercontent.com/shapeblue/cloudstack-nonoss/main/cks/kubelet.service" | sed "s:/usr/bin:/opt/bin:g" > "${kubelet_service_file}"
+ sed "s:/usr/bin:/opt/bin:g" "${SCRIPT_DIR}/kubelet.service" > "${kubelet_service_file}"
 fi
 
 echo "Downloading 10-kubeadm.conf ${RELEASE}..."
 kubeadm_conf_file="${working_dir}/10-kubeadm.conf"
 touch "${kubeadm_conf_file}"
-if [[ $(echo "${2} $VAL" | awk '{print ($1 < $2)}') == 1 ]]; then
- curl -sSL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/10-kubeadm.conf" | sed "s:/usr/bin:/opt/bin:g" > "${kubeadm_conf_file}"
+if version_lt "${2}" "${MIN_UPSTREAM_VERSION}"; then
+ curl -sSfL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/10-kubeadm.conf" | sed "s:/usr/bin:/opt/bin:g" > "${kubeadm_conf_file}"
 else
- curl -sSL "https://raw.githubusercontent.com/shapeblue/cloudstack-nonoss/main/cks/10-kubeadm.conf" | sed "s:/usr/bin:/opt/bin:g" > "${kubeadm_conf_file}"
+ sed "s:/usr/bin:/opt/bin:g" "${SCRIPT_DIR}/10-kubeadm.conf" > "${kubeadm_conf_file}"
 fi
 
 AUTOSCALER_URL="https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/cloudstack/examples/cluster-autoscaler-standard.yaml"
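Review bot: For releases below `MIN_UPSTREAM_VERSION` both `if version_lt` branches still pipe `kubelet.service` and `10-kubeadm.conf` straight from raw.githubusercontent.com into `sed` with no checksum, so the unverified-download concern in the commit description remains for that path; it is now pinned to the `${RELEASE}` tag rather than a branch, and `-f` together with `pipefail` at least stops a failed fetch from being silently packaged as an empty unit file. That trade-off deserves a comment at the first `if version_lt` line, for example `# Releases older than MIN_UPSTREAM_VERSION still fetch the units from the upstream release tag (pinned, not checksum-verified); newer releases use the vendored copies in SCRIPT_DIR.` The surrounding `echo "Downloading kubelet.service ..."` / `echo "Downloading 10-kubeadm.conf ..."` context lines are now misleading on the vendored branch, and a short provenance header in the two vendored files (upstream path and the revision they were copied from) would make future bumps reviewable against upstream.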
@@ -139,7 +156,11 @@ if ! command -v helm > /dev/null 2>&1; then
 exit 1
 fi
 
-helm repo add cilium https://helm.cilium.io/ > /dev/null 2>&1 || true
+# Add the Cilium Helm repository only if it is not already configured
+if ! helm repo list 2>/dev/null | awk 'NR>1 {print $1}' | grep -qx "cilium"; then
+ helm repo add cilium https://helm.cilium.io/ > /dev/null 2>&1
+fi
+
 echo "Updating Helm repositories..."
 helm repo update
 echo "Generating Cilium manifest with Helm..."
@@ -260,6 +281,12 @@ etcd_dir="${working_dir}/etcd"
 mkdir -p "${etcd_dir}"
 ETCD_VERSION=v${7}
 echo "Downloading etcd ${ETCD_VERSION}..."
-curl -sS -L "https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz" -o "${etcd_dir}/etcd-linux-${ARCH}.tar.gz"
+curl -sSfL "https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz" -o "${etcd_dir}/etcd-linux-${ARCH}.tar.gz"
+
+# Validate that the downloaded etcd archive is a valid tar.gz
+if ! tar -tzf "${etcd_dir}/etcd-linux-${ARCH}.tar.gz" > /dev/null; then
+ echo "ERROR: Downloaded etcd archive is invalid or corrupted."
+ exit 1
+fi
 
 mkisofs -o "${output_dir}/${build_name}" -J -R -l "${iso_dir}"
\ No newline at end of file
diff --git a/scripts/util/cks/kubelet.service b/scripts/util/cks/kubelet.service
new file mode 100644
index 00000000000..9712664deaf
--- /dev/null
+++ b/scripts/util/cks/kubelet.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=kubelet: The Kubernetes Node Agent
+Documentation=http://kubernetes.io/docs/
+
+[Service]
+ExecStart=/usr/bin/kubelet
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
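Review bot: The new `helm repo add cilium https://helm.cilium.io/ > /dev/null 2>&1` line still discards helm's error output, so when the add fails (DNS, proxy, TLS) `errexit` now aborts the script with no message at all, which is the same kind of unclear failure the commit description says it is removing. Dropping only the stderr redirect, `helm repo add cilium https://helm.cilium.io/ > /dev/null`, keeps the success chatter quiet while letting the failure reason reach the log. `helm repo list` appears to exit non-zero when no repositories are configured yet; with `2>/dev/null` inside `if !` that case correctly falls through to the add, which is worth stating in the comment above the `if` so nobody later "fixes" the suppressed stderr and breaks first-run builds.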
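Review bot: The new `tar -tzf` check only proves the download is a well-formed gzip tarball, not that it is the archive etcd published, so the "integrity validation" named in the commit description is really a format sanity check. etcd release pages ship a `SHA256SUMS` asset alongside the tarballs; reading it into a variable and checking the entry for `etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz` against the renamed local file closes that gap without leaving extra files in `${etcd_dir}`, which I assume is packaged into the ISO. The `tar -tzf` check can stay as a cheap early failure, and its comment should say what it does and does not guarantee.
```shell
# … unchanged: curl download of the etcd tarball …
etcd_archive="${etcd_dir}/etcd-linux-${ARCH}.tar.gz"

# Compare against the checksum etcd publishes for this release. The local file is
# renamed, so look the entry up by its upstream name and check the local path explicitly.
expected_sha=$(curl -sSfL "https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/SHA256SUMS" \
  | awk -v name="etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz" '$2 == name {print $1}')
if [[ -z "${expected_sha}" ]] || ! echo "${expected_sha}  ${etcd_archive}" | sha256sum --check --status; then
  echo "ERROR: etcd archive checksum missing or mismatched for ${ETCD_VERSION} (${ARCH})."
  exit 1
fi
# … unchanged: tar -tzf format check, mkisofs …
```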