diff --git a/krm-functions/kubeval-validator/Dockerfile b/krm-functions/kubeval-validator/Dockerfile
index 8bbd659c9..861e50876 100644
--- a/krm-functions/kubeval-validator/Dockerfile
+++ b/krm-functions/kubeval-validator/Dockerfile
@@ -1,6 +1,13 @@
 ARG GO_IMAGE=gcr.io/gcp-runtimes/go1-builder:1.15
 ARG PLUGINS_RELEASE_IMAGE=alpine:3.12.0
+
 FROM ${GO_IMAGE} as function
+# Inject custom root certificate authorities if needed
+# Docker does not have a good conditional copy statement and requires that a source file exists
+# to complete the copy function without error. Therefore the README.md file will be copied to
+# the image every time even if there are no .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
 ENV PATH "/usr/local/go/bin:$PATH"
 ENV CGO_ENABLED=0
 WORKDIR /go/src/
@@ -11,6 +18,13 @@ COPY image/main.go .
 RUN go build -v -o /usr/local/bin/config-function ./
 FROM ${PLUGINS_RELEASE_IMAGE} as release
+# Inject custom root certificate authorities if needed
+# Docker does not have a good conditional copy statement and requires that a source file exists
+# to complete the copy function without error. Therefore the README.md file will be copied to
+# the image every time even if there are no .crt files.
+RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
 ENV PYTHONUNBUFFERED=1
 RUN echo "**** install Python ****" && \
 apk add --no-cache python3 && \
diff --git a/krm-functions/kubeval-validator/certs/README.md b/krm-functions/kubeval-validator/certs/README.md
new file mode 100755
index 000000000..7d04f7ec4
--- /dev/null
+++ b/krm-functions/kubeval-validator/certs/README.md
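Review bot: `COPY ./certs/* /usr/local/share/ca-certificates/` makes every certificate file present in certs/ at build time a trusted root, here in the builder stage and again in the release stage in the second hunk, and the added comment does not warn about that. For the release stage this means an image built with a private or TLS-inspection CA in the build context carries that root to everyone who later pulls it, so published builds should come from a certs/ directory that holds only README.md. I would extend the comment with `# SECURITY: each .crt in certs/ becomes a trusted root CA in this image; keep certs/ empty for published builds and review changes to it like code.` The function stage continues past the end of the hunk.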
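Review bot: `RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*` in the release stage is written differently from the `apk add --no-cache python3` at the end of this hunk; `RUN apk add --no-cache ca-certificates` gives the same result without the separate index refresh and manual cache cleanup. The package is also fetched before the custom CAs are installed, so if the build environment reaches the Alpine repositories over TLS through an inspecting proxy this step would presumably still fail; that is worth confirming in the environment the change is meant for. The RUN that installs Python continues outside the hunk.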
@@ -0,0 +1,6 @@
+# Additional Docker image root certificate authorities
+If you require additional certificate authorities for your Docker image:
+* Add ASCII PEM encoded .crt files to this directory
+ * The files will be copied into your docker image at build time.
+
+To update manually copy the .crt files to /usr/local/share/ca-certificates/ and run sudo update-ca-certificates.
\ No newline at end of file