Add certificate injection support to images

This change adds support for injecting certificates into Docker images
during the build process using the same setup as airshipctl. Some proxy
servers use custom certificates, and those must be trusted by the
container.

Signed-off-by: Drew Walters <andrew.walters@att.com>
Change-Id: I7d00e416c2e27c2a362b9dc09c1e9e41216b0fe4
This commit is contained in:
Drew Walters
2021-02-23 19:13:51 +00:00
parent acb3d02e83
commit ee193b056b
3 changed files with 25 additions and 0 deletions


@@ -5,6 +5,14 @@ FROM gcr.io/gcp-runtimes/go1-builder:1.13 as builder
ENV PATH "/usr/local/go/bin:$PATH" ENV PATH "/usr/local/go/bin:$PATH"
# Inject custom root certificate authorities if needed.
# Docker does not have a good conditional copy statement and requires that a
# source file exists to complete the copy function without error. Therefore, the
# README.md file will be copied to the image every time even if there are no
# .crt files.
COPY ./certs/* /usr/local/share/ca-certificates/
RUN update-ca-certificates
WORKDIR /workspace WORKDIR /workspace
# Copy the Go Modules manifests # Copy the Go Modules manifests
COPY go.mod go.mod COPY go.mod go.mod
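Review bot: Every `.crt` placed in `certs/` becomes a trusted root for all outbound TLS from the builder stage — the proxy, but presumably also the module download that follows `COPY go.mod` later in the file — so additions to that directory deserve the same review as a dependency change, and the comment above the COPY should say so, e.g. `# NOTE: any .crt here is trusted for all outbound TLS from this stage (proxy, module fetches); review additions carefully.` `update-ca-certificates` only registers files whose name ends in `.crt`, so a `.pem` dropped into `certs/` is copied but silently ignored, which the same comment could mention; README.md landing in the CA directory is harmless for the same reason. Since this is the `builder` stage, the updated trust store does not reach the final stage unless copied there; whether that is needed is outside this hunk.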

8
certs/README.md Normal file

@@ -0,0 +1,8 @@
# Additional Docker image root certificate authorities
If you require additional certificate authorities for your Docker image:
* Add ASCII PEM encoded .crt files to this directory
* The files will be copied into your docker image at build time.
To update manually copy the `.crt` files to `/usr/local/share/ca-certificates/`
and run `sudo update-ca-certificates`.


@@ -1,9 +1,18 @@
ARG BASE_IMAGE=gcr.io/google-appengine/python ARG BASE_IMAGE=gcr.io/google-appengine/python
FROM ${BASE_IMAGE} FROM ${BASE_IMAGE}
# Inject custom root certificate authorities if needed.
# Docker does not have a good conditional copy statement and requires that a
# source file exists to complete the copy function without error. Therefore, the
# README.md file will be copied to the image every time even if there are no
# .crt files.
COPY ./certs/* /usr/local/share/ca-certificates/
RUN update-ca-certificates
RUN apt-get update RUN apt-get update
RUN apt-get install -y --no-install-recommends jq RUN apt-get install -y --no-install-recommends jq
RUN pip3 config set global.cert /etc/ssl/certs/ca-certificates.crt
RUN pip3 install requests python-dateutil redfishtool RUN pip3 install requests python-dateutil redfishtool
CMD ["/bin/bash"] CMD ["/bin/bash"]
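Review bot: Only pip is pointed at the system bundle via `pip3 config set global.cert`; nothing tells the runtime Python stack about it, and `requests` (which redfishtool is installed alongside here) typically verifies against certifi's own bundle rather than `/etc/ssl/certs/ca-certificates.crt` unless told otherwise, so the proxy CA the commit message wants "trusted by the container" may still be rejected at run time. If runtime trust is intended, add `ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (or `SSL_CERT_FILE=...`) after `RUN update-ca-certificates`; if only the build needs it, a comment should state that the injected roots are nonetheless baked into the final image and trusted by every process in it. As in the builder image, `update-ca-certificates` ignores anything not ending in `.crt`, so a `.pem` in `certs/` is copied but has no effect — worth noting next to the COPY.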