
feat: adding gcloud CLI to ubi9 and ubi10 #253

Open
ibuziuk wants to merge 2 commits into main from gcloud
@ibuziuk ibuziuk commented Apr 16, 2026

https://docs.cloud.google.com/sdk/gcloud

ibuziuk@ibuziuk-mac google-cloud-sdk % cat LICENSE 
The Google Cloud CLI and its source code are licensed under Apache
License v. 2.0 (the "License"), unless otherwise specified by an alternate
license file.

You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Note that if you use the Google Cloud CLI with any Google Cloud Platform
products, your use is additionally going to be governed by the license agreement
or terms of service, as applicable, of the underlying Google Cloud Platform
product with which you are using the Google Cloud CLI. For example, if you are
using the Google Cloud CLI with Google App Engine, your use would additionally
be governed by the Google App Engine Terms of Service.

This also means that if you were to create works that call Google APIs, you
would still need to agree to the terms of service (usually, Google's
Developer Terms of Service at https://developers.google.com/terms) for those
APIs separately, as this code does not grant you any special rights to use
the services.

Signed-off-by: Ilya Buziuk <ibuziuk@redhat.com>

coderabbitai bot commented Apr 16, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 91e6e72 and 5639f7e.

📒 Files selected for processing (2)
  • universal/ubi10/Dockerfile
  • universal/ubi9/Dockerfile
📝 Walkthrough

Two UBI Dockerfile configurations are updated to include Google Cloud CLI installation. Both images download the gcloud binary for amd64 and arm64 architectures, install it to /usr/local, prepend it to the PATH environment variable, and configure bash completion.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Google Cloud CLI Installation (universal/ubi9/Dockerfile, universal/ubi10/Dockerfile) | Adds gcloud binary installation for amd64 and arm64 architectures, updates PATH to include /usr/local/google-cloud-sdk/bin, and configures bash completion for gcloud commands. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Cloud tools now bundled with care,
Two base images, perfectly paired,
amd64, arm64 in sight,
gcloud commands, burning bright!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly describes the main change: adding Google Cloud CLI to two Dockerfile variants (ubi9 and ubi10). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
universal/ubi9/Dockerfile (1)

443-474: Missing checksum verification for gcloud CLI download.

Same as the UBI10 Dockerfile - other tools in this file verify checksums (helm, kustomize, terraform, tekton, knative, krew, e2fsprogs). Add checksum verification for consistency and security.

♻️ Proposed fix to add checksum verification
 GCLOUD_TGZ="google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz"
 GCLOUD_TGZ_URL="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/${GCLOUD_TGZ}"
+GCLOUD_SHA256_URL="${GCLOUD_TGZ_URL}.sha256"
 
 curl -sSLO "${GCLOUD_TGZ_URL}"
+curl -sSLO "${GCLOUD_SHA256_URL}"
+echo "$(cat ${GCLOUD_TGZ}.sha256)  ${GCLOUD_TGZ}" | sha256sum -c -
 tar -xzf "${GCLOUD_TGZ}"
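Review bot: The added `curl -sSLO "${GCLOUD_SHA256_URL}"` line fetches the expected digest from the same URL prefix as the tarball, so the `sha256sum -c` that follows catches a corrupted or truncated download but not a replaced archive, since whoever can change the tarball at that location can change the `.sha256` next to it. Suggest pinning the expected digest per GCLOUD_VERSION and GCLOUD_ARCH in the Dockerfile and comparing against that value, keeping the check before `tar -xzf`.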
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@universal/ubi9/Dockerfile` around lines 443 - 474, Add checksum verification
for the Google Cloud CLI download by retrieving the expected checksum for
GCLOUD_TGZ (use a trusted source for the checksum tied to GCLOUD_VERSION),
compute the downloaded archive's checksum (from GCLOUD_TGZ_URL download),
compare them and fail the build if they do not match; update the RUN heredoc
block that creates TEMP_DIR and downloads GCLOUD_TGZ (referencing GCLOUD_TGZ,
GCLOUD_TGZ_URL, GCLOUD_VERSION and TARGETARCH) to perform the checksum
fetch/compare before extracting and running ./google-cloud-sdk/install.sh, and
ensure TEMP_DIR is cleaned up on both success and checksum-failure paths.
universal/ubi10/Dockerfile (1)

475-506: Add checksum verification for gcloud CLI download.

All other tool installations in this Dockerfile (helm, kustomize, terraform, tekton, knative, krew, e2fsprogs) verify checksums after downloading, but the gcloud installation is missing this step. Google publishes SHA256 checksums at:
https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${VERSION}-linux-${ARCH}.tar.gz.sha256

♻️ Proposed fix
 GCLOUD_TGZ="google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz"
 GCLOUD_TGZ_URL="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/${GCLOUD_TGZ}"
+GCLOUD_SHA256_URL="${GCLOUD_TGZ_URL}.sha256"
 
 curl -sSLO "${GCLOUD_TGZ_URL}"
+curl -sSLO "${GCLOUD_SHA256_URL}"
+echo "$(cat ${GCLOUD_TGZ}.sha256)  ${GCLOUD_TGZ}" | sha256sum -c -
 tar -xzf "${GCLOUD_TGZ}"
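Review bot: In the `echo "$(cat ${GCLOUD_TGZ}.sha256)  ${GCLOUD_TGZ}" | sha256sum -c -` line, the `cat` argument is unquoted and the constructed line assumes the `.sha256` file holds only a bare hex digest. If the file is in `digest  filename` form, or if curl saved an error page because neither `curl -sSLO` call passes `-f`, the check fails with a format error instead of a clear download failure. Suggest `curl -fsSLO` for both downloads and quoting `"${GCLOUD_TGZ}.sha256"`.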
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@universal/ubi10/Dockerfile` around lines 475 - 506, Add SHA256 checksum
verification after downloading the gcloud tarball: construct the checksum URL
using GCLOUD_VERSION and GCLOUD_ARCH (parallel to GCLOUD_TGZ_URL), download the
.sha256 file, verify the downloaded file (GCLOUD_TGZ) using sha256sum -c (or
equivalent) and fail the build if it does not match; place this check in the
same RUN <<EOF block after curl -sSLO "${GCLOUD_TGZ_URL}" and before tar -xzf
"${GCLOUD_TGZ}" so the install.sh and mv google-cloud-sdk steps only run on
verified content.
📥 Commits

Reviewing files that changed from the base of the PR and between 1909a73 and 91e6e72.

📒 Files selected for processing (2)
  • universal/ubi10/Dockerfile
  • universal/ubi9/Dockerfile
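
The check this review asks for, as an added example (not code from the PR or the project): the expected SHA-256 is pinned next to the version instead of being fetched from the download host, and extraction runs only on a match. The function names and the demo tarball are constructed for illustration; it assumes `sha256sum`, `awk` and `tar` are available.

```shell
#!/bin/sh
# Added example (not the PR's code): check an archive against a pinned SHA-256
# digest and extract it only on a match. All names here are illustrative.

# normalize_digest: accept a bare hex digest or "digest  filename" and print
# the lowercase 64-character digest; fail on anything else.
normalize_digest() {
    digest=$(printf '%s' "$1" | awk 'NR==1 {print tolower($1)}')
    case "$digest" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 1
    printf '%s\n' "$digest"
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
    [ -f "$1" ] || return 1
    want=$(normalize_digest "$2") || return 1
    got=$(sha256sum "$1" | awk '{print $1}')
    [ "$got" = "$want" ]
}

# extract_verified FILE EXPECTED DEST: unpack into DEST only after the check.
extract_verified() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Constructed demo: build a tiny tarball, pin its digest, then modify the file
# to stand in for a download that no longer matches the pinned value.
demo() {
    tmp=$(mktemp -d) || return 1
    echo 'placeholder' > "$tmp/payload.txt"
    tar -czf "$tmp/tool.tar.gz" -C "$tmp" payload.txt
    pinned=$(sha256sum "$tmp/tool.tar.gz")    # "digest  filename" form
    if extract_verified "$tmp/tool.tar.gz" "$pinned" "$tmp/out"; then r1=ok; else r1=fail; fi
    echo 'x' >> "$tmp/tool.tar.gz"
    if extract_verified "$tmp/tool.tar.gz" "$pinned" "$tmp/out2" 2>/dev/null; then r2=ok; else r2=rejected; fi
    if [ -e "$tmp/out2" ]; then r2="$r2+extracted"; fi
    rm -rf "$tmp"                             # cleanup on both paths
    echo "$r1 $r2"
}
demo
```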

@ibuziuk ibuziuk requested a review from tolusha April 16, 2026 10:30

openshift-ci bot commented Apr 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ibuziuk, rohanKanojia

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Comment thread universal/ubi10/Dockerfile Outdated
Signed-off-by: Ilya Buziuk <ibuziuk@redhat.com>
@openshift-ci openshift-ci bot removed the lgtm label Apr 16, 2026

openshift-ci bot commented Apr 16, 2026

New changes are detected. LGTM label has been removed.

@github-actions

Pull Request images published ✨

Base: quay.io/devfile/base-developer-image:pr-253
UDI: quay.io/devfile/universal-developer-image:pr-253
