Add certificate injection support to images

This change adds support for injecting certificates into Docker images during the build process using the same setup as airshipctl. Some proxy servers use custom certificates, and those must be trusted by the container. Signed-off-by: Drew Walters <andrew.walters@att.com> Change-Id: I7d00e416c2e27c2a362b9dc09c1e9e41216b0fe4
2021-02-23 19:13:51 +00:00 · 2021-02-23 19:13:51 +00:00 · ee193b056b
parent acb3d02e83
commit ee193b056b
3 changed files with 25 additions and 0 deletions
--- a/8
+++ b/8
@ -5,6 +5,14 @@ FROM gcr.io/gcp-runtimes/go1-builder:1.13 as builder

 ENV PATH "/usr/local/go/bin:$PATH"

+# Inject custom root certificate authorities if needed.
+# Docker does not have a good conditional copy statement and requires that a
+# source file exists to complete the copy function without error. Therefore, the
+# README.md file will be copied to the image every time even if there are no
+# .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
--- a/certs/README.md
+++ b/certs/README.md
@ -0,0 +1,8 @@
+# Additional Docker image root certificate authorities
+
+If you require additional certificate authorities for your Docker image:
+* Add ASCII PEM encoded .crt files to this directory
+  * The files will be copied into your docker image at build time.
+
+To update manually copy the `.crt` files to `/usr/local/share/ca-certificates/`
+and run `sudo update-ca-certificates`.
--- a/images/jump-host/Dockerfile
+++ b/images/jump-host/Dockerfile
@ -1,9 +1,18 @@
 ARG BASE_IMAGE=gcr.io/google-appengine/python
 FROM ${BASE_IMAGE}

+# Inject custom root certificate authorities if needed.
+# Docker does not have a good conditional copy statement and requires that a
+# source file exists to complete the copy function without error. Therefore, the
+# README.md file will be copied to the image every time even if there are no
+# .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 RUN apt-get update
 RUN apt-get install -y --no-install-recommends jq

+RUN pip3 config set global.cert /etc/ssl/certs/ca-certificates.crt
 RUN pip3 install requests python-dateutil redfishtool

 CMD ["/bin/bash"]