fix: replace Bitnami images with direct downloads

Dockerfile

@@ -15,16 +15,26 @@ FROM python:3.11.13-bookworm
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-COPY --from=docker:23 /usr/local/bin/* /usr/bin/
-COPY --from=docker:23 /usr/local/libexec/docker/cli-plugins/* /usr/libexec/docker/cli-plugins/
-COPY --from=mikefarah/yq:4.40.5 /usr/bin/yq /usr/bin/yq
-COPY --from=bitnami/kubectl:1.28.6 /opt/bitnami/kubectl/bin/kubectl /usr/local/bin
-COPY --from=bitnami/minio-client:2024.5.9 /opt/bitnami/minio-client/bin/mc /usr/local/bin
+COPY --from=docker:28 /usr/local/bin/* /usr/bin/
+COPY --from=docker:28 /usr/local/libexec/docker/cli-plugins/* /usr/libexec/docker/cli-plugins/
+COPY --from=mikefarah/yq:4.49.2 /usr/bin/yq /usr/bin/yq
 COPY --from=age /tmp/age/age /usr/bin/age
 COPY --from=sops /tmp/sops /usr/local/bin/sops
 RUN chmod +x /usr/local/bin/sops
 
-RUN apt-get update && apt-get install -qq --no-install-recommends python3 python3-pip libyaml-dev
+RUN apt-get update && apt-get install -qq --no-install-recommends \
+    curl ca-certificates \
+    python3 python3-pip libyaml-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+# Install kubectl (official upstream binary)
+ARG KUBECTL_VERSION=1.28.6
+RUN curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl \
+    && chmod +x /usr/local/bin/kubectl
+
+# Install MinIO client (mc) - use MinIO's release binary
+RUN curl -fsSL "https://dl.min.io/client/mc/release/linux-amd64/mc" -o /usr/local/bin/mc \
+    && chmod +x /usr/local/bin/mc
 
 ARG tutor_release
 ENV TUTOR_RELEASE=$tutor_release
@@ -34,10 +44,7 @@ RUN pip install "tutor==${TUTOR_RELEASE}" \
                 "tutor-discovery==${TUTOR_RELEASE}" \
                 "tutor-forum==${TUTOR_RELEASE}" \
                 "tutor-mfe==${TUTOR_RELEASE}" \
-                "tutor-minio==${TUTOR_RELEASE}" \
-                "tutor-notes==${TUTOR_RELEASE}" \
-                "tutor-webui==${TUTOR_RELEASE}" \
-                "tutor-xqueue==${TUTOR_RELEASE}"
+                "tutor-notes==${TUTOR_RELEASE}"
 
 # installing AWS cli https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
 RUN curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/tmp/awscliv2.zip" \

README.md

@@ -10,7 +10,8 @@ Images are published to: `abstract2tech/tutor-ci`
 
 You can build any Tutor version by specifying it when triggering the workflow. Common versions include:
 Tested version:
-- "14.2.3"   
+
+- "14.2.3"
 - "14.2.4"
 - "14.2.5"
 - "15.3.3"
@@ -57,9 +58,36 @@ Not tested:
 
 ## How to Use
 
+## Replacing Bitnami images / binaries
+
+The Dockerfile previously used commented Bitnami multi-stage COPYs for two helper tools:
+
+- kubectl (bitnami/kubectl:1.28.6)
+- mc — MinIO client (bitnami/minio-client:2024.5.9)
+
+Rather than copying these from Bitnami images, the build now downloads the official upstream
+binaries for each tool and installs them into `/usr/local/bin`:
+
+- kubectl — downloaded from the official Kubernetes release binary (pinned to `1.28.6` in the Dockerfile)
+- mc — downloaded from MinIO's release binary
+
+Why this change?
+
+- Avoid reliance on third-party vendor images for small helper binaries.
+- Pinning a known release binary reduces surprise changes caused by upstream image base changes.
+- Reduces the number of build stages/sizes when those images aren't otherwise needed.
+
+If you'd rather copy from alternate images (for example an official docker image that already contains the binaries):
+
+1. Identify a replacement image and the correct path to the binary inside it (e.g. `/usr/bin/mc` or `/kubectl`).
+2. Replace the relevant `curl`-download lines in the `Dockerfile` with an equivalent `COPY --from=<image>:<tag> <path-to-binary> /usr/local/bin/<bin>`.
+
+Note: pin versions explicitly when using downloads or image tags to keep builds reproducible.
+
 ## Prerequisites
 
 For maintainers who want to trigger builds:
+
 - GitHub account with access to this repository
 - Docker Hub secret `DOCKER_REGISTRY_PASSWORD` must be configured in repository settings
 
@@ -72,5 +100,6 @@ For maintainers who want to trigger builds:
 5. Click "Run workflow"
 
 The workflow will:
+
 - Build a Docker image with the specified Tutor version
-- Push it to Docker Hub as `abstract2tech/tutor-ci:<version>`
+- Push it to Docker Hub as `abstract2tech/tutor-ci:<version>`