CNG: kubectl binary download is not verified during build

Summary

Spawned by #1306 (closed)

The kubectl binary that is downloaded during the build of kubectl image we use for shared-secrets and certmanager-issuer charts is not verified as viable & executable.

We should consider at least confirming the download is a binary 🤦, exits 0, and preferably actually returns Client Version: ${KUBECTL_VERSION}.

Steps to reproduce

git checkout https://gitlab.com/gitlab-org/build/CNG.git
cd CNG/kubectl
docker build -t kubectl-chaos --build-arg KUBECTL_VERSION=chaos .
docker run --rm kubectl-chaos kubectl version --client=true --short