gdisdevops · dheeg · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/README.md b/README.md
@@ -4,17 +4,19 @@ Jenkins JNLP images with additional tooling.
 
 ## Jenkins Inbound Agent
 
-INBOUND_AGENT_VERSION=jenkins/inbound-agent:alpine-jdk21  
-VAULT_VERSION=1.20.4  
-PACKER_VERSION=1.14.2  
-TERRAFORM_1_VERSION=1.13.3  
-KUBECTL_VERSION=1.31.8  
-HELM_VERSION=v3.19.0  
-ANSIBLE_VERSION=11.11.0  
-INFRACOST_VERSION=v0.10.40  
-COSIGN_VERSION=2.6.1  
-SENTRY_CLI_VERSION=2.56.1  
-CHECKOV_VERSION=3.2.477  
-VAULT_CRD_RENDERER_VERSION=1.0.7  
-PIP_HVAC_VERSION=2.3.0  
-KYVERNO_CLI_VERSION=v1.14.2  
+INBOUND_AGENT_VERSION=jenkins/inbound-agent:alpine-jdk21
+VAULT_VERSION=1.21.2
+PACKER_VERSION=1.14.3
+TERRAFORM_1_VERSION=1.14.3
+KUBECTL_VERSION=1.33.6
+HELM_VERSION=3.19.2
+ANSIBLE_VERSION=11.12.0
+INFRACOST_VERSION=0.10.40
+COSIGN_VERSION=2.6.2
+SENTRY_CLI_VERSION=2.58.4
+CHECKOV_VERSION=3.2.497
+VAULT_CRD_RENDERER_VERSION=1.0.8
+PIP_HVAC_VERSION=2.4.0
+KYVERNO_CLI_VERSION=1.15.2
+NIXOS_CHANNEL=nixos-25.11
+TENV_VERSION=4.9.1
diff --git a/jenkins-inbound-agent/Dockerfile b/jenkins-inbound-agent/Dockerfile
@@ -15,6 +15,8 @@ ARG CHECKOV_VERSION=3.2.497
 ARG VAULT_CRD_RENDERER_VERSION=1.0.8
 ARG PIP_HVAC_VERSION=2.4.0
 ARG KYVERNO_CLI_VERSION=v1.15.2
+ARG NIXOS_CHANNEL=nixos-25.11
+ARG TENV_VERSION=4.9.1
 
 ENV PIP_BREAK_SYSTEM_PACKAGES=1
 
@@ -67,7 +69,8 @@ RUN set -eux; \
   SENTRY_DOWNLOAD_URL="https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}?response=download&arch=aarch64&platform=Linux&package=sentry-cli"; \
   SENTRY_HASHSUM=$(curl "https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}" | jq -r '.files."sentry-cli-Linux-aarch64".checksums."sha256-hex"');\
   VAULT_CRD_RENDERER_URL="https://github.com/DaspawnW/vault-crd-helm-renderer/releases/download/v${VAULT_CRD_RENDERER_VERSION}"; \
-  KYVERNO_CLI_DOWNLOAD_URL="https://github.com/kyverno/kyverno/releases/download/${KYVERNO_CLI_VERSION}/kyverno-cli_${KYVERNO_CLI_VERSION}_linux_arm64.tar.gz" \
+  KYVERNO_CLI_DOWNLOAD_URL="https://github.com/kyverno/kyverno/releases/download/${KYVERNO_CLI_VERSION}/kyverno-cli_${KYVERNO_CLI_VERSION}_linux_arm64.tar.gz"; \
+  TENV_DOWNLOAD_URL="https://github.com/tofuutils/tenv/releases/download/v${TENV_VERSION}/tenv_v${TENV_VERSION}_Linux_arm64.tar.gz" \
   ;; \
   x86_64) \
   VAULT_DOWNLOAD_URL="https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip"; \
@@ -82,7 +85,8 @@ RUN set -eux; \
   SENTRY_DOWNLOAD_URL="https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}?response=download&arch=x86_64&platform=Linux&package=sentry-cli"; \
   SENTRY_HASHSUM=$(curl "https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}" | jq -r '.files."sentry-cli-Linux-x86_64".checksums."sha256-hex"');\
   VAULT_CRD_RENDERER_URL="https://github.com/DaspawnW/vault-crd-helm-renderer/releases/download/v${VAULT_CRD_RENDERER_VERSION}"; \
-  KYVERNO_CLI_DOWNLOAD_URL="https://github.com/kyverno/kyverno/releases/download/${KYVERNO_CLI_VERSION}/kyverno-cli_${KYVERNO_CLI_VERSION}_linux_x86_64.tar.gz" \
+  KYVERNO_CLI_DOWNLOAD_URL="https://github.com/kyverno/kyverno/releases/download/${KYVERNO_CLI_VERSION}/kyverno-cli_${KYVERNO_CLI_VERSION}_linux_x86_64.tar.gz"; \
+  TENV_DOWNLOAD_URL="https://github.com/tofuutils/tenv/releases/download/v${TENV_VERSION}/tenv_v${TENV_VERSION}_Linux_x86_64.tar.gz" \
   ;; \
   *) \
   echo "Unsupported arch: ${ARCH}"; \
@@ -139,10 +143,11 @@ RUN set -eux; \
   sha1sum vault-crd-helm-renderer.jar; \
   mkdir -p /opt/daspawnw; \
   mv vault-crd-helm-renderer.jar /opt/daspawnw/vault-crd-helm-renderer.jar; \
-  #### install tfenv
-  mkdir -p /etc/tfenv; \
-  git clone --depth 1 https://github.com/tfutils/tfenv.git /etc/tfenv; \
-  chown -R jenkins /etc/tfenv; \
+  #### install tenv
+  _tenv_tmp_dir=$(mktemp -d) && cd "${_tenv_tmp_dir}"; \
+  curl -L "${TENV_DOWNLOAD_URL}" -o "tenv.tar.gz"; \
+  tar -xvzf "tenv.tar.gz" && chmod +x "tenv" && mv "tenv" /usr/bin; \
+  cd && rm -rf "${_tenv_tmp_dir}"; \
   #### install kyverno cli
   _kyverno_cli_tmp_dir=$(mktemp -d) && cd "${_kyverno_cli_tmp_dir}"; \
   curl -L "${KYVERNO_CLI_DOWNLOAD_URL}" -o "${_kyverno_cli_tmp_dir}/kyverno_cli.tar.gz"; \
@@ -152,25 +157,27 @@ RUN set -eux; \
   rm -rf "${_kyverno_cli_tmp_dir}"; \
   #### nix installation permissions
   mkdir -p /nix/var/nix/profiles /nix/var/nix/gcroots /nix/var/nix/db; \
-  chown -R jenkins:jenkins /nix; 
+  chown -R jenkins:jenkins /nix;
 
 COPY --chown=jenkins:jenkins jenkins-inbound-agent/bin/post-renderer.sh jenkins-inbound-agent/bin/check-default-namespace.sh /usr/bin/
 
 USER jenkins
 
-#### install terraform with tfenv and helm diff
+#### install helm diff
 RUN helm plugin install https://github.com/databus23/helm-diff
 
-ENV PATH="/home/jenkins/.nix-profile/bin:$PATH:/etc/tfenv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+#### nix setup
+ENV PATH="/home/jenkins/.nix-profile/bin:$PATH:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 ENV NIX_PROFILES="/nix/var/nix/profiles/default /home/jenkins/.nix-profile"
 ENV NIX_SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"
-ENV XDG_DATA_DIRS="$XDG_DATA_DIRS:/home/jenkins/.nix-profile/share:/nix/var/nix/profiles/default/share"
+ENV XDG_DATA_DIRS="/home/jenkins/.nix-profile/share:/nix/var/nix/profiles/default/share"
 
-RUN nix-channel --add https://nixos.org/channels/nixos-25.11 nixpkgs && \
+RUN nix-channel --add https://nixos.org/channels/${NIXOS_CHANNEL} nixpkgs && \
     nix-channel --update
 
-RUN tfenv install ${TERRAFORM_1_VERSION} \
-  && tfenv use ${TERRAFORM_1_VERSION}
+#### install terraform with tenv
+RUN tenv tf install ${TERRAFORM_1_VERSION} \
+  && tenv tf use ${TERRAFORM_1_VERSION}
 
 # test CLIs
 RUN kubectl version --client && \
@@ -184,4 +191,5 @@ RUN kubectl version --client && \
   checkov --version && \
   ansible --version && \
   nix --version && \
-  aws --version
+  aws --version && \
+  tenv --version