From ee193b056b47bc7443d7b1edf9c78ba565533e55 Mon Sep 17 00:00:00 2001
From: Drew Walters
Date: Tue, 23 Feb 2021 19:13:51 +0000
Subject: [PATCH] Add certificate injection support to images
This change adds support for injecting certificates into Docker images during the build process using the same setup as airshipctl. Some proxy servers use custom certificates, and those must be trusted by the container.
Signed-off-by: Drew Walters
Change-Id: I7d00e416c2e27c2a362b9dc09c1e9e41216b0fe4
---
 Dockerfile | 8 ++++++++
 certs/README.md | 8 ++++++++
 images/jump-host/Dockerfile | 9 +++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 certs/README.md
diff --git a/Dockerfile b/Dockerfile
index 0251359..3dd1bbc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,14 @@ FROM gcr.io/gcp-runtimes/go1-builder:1.13 as builder
 ENV PATH "/usr/local/go/bin:$PATH"
+# Inject custom root certificate authorities if needed.
+# Docker does not have a good conditional copy statement and requires that a
+# source file exists to complete the copy function without error. Therefore, the
+# README.md file will be copied to the image every time even if there are no
+# .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
diff --git a/certs/README.md b/certs/README.md
new file mode 100644
index 0000000..2a07450
--- /dev/null
+++ b/certs/README.md
@@ -0,0 +1,8 @@
+# Additional Docker image root certificate authorities
+If you require additional certificate authorities for your Docker image:
+* Add ASCII PEM encoded .crt files to this directory * The files will be copied into your docker image at build time.
+To update manually copy the `.crt` files to `/usr/local/share/ca-certificates/`
+and run `sudo update-ca-certificates`.
diff --git a/images/jump-host/Dockerfile b/images/jump-host/Dockerfile
index bd55285..ebc0715 100644
--- a/images/jump-host/Dockerfile
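Review bot: The comment block above the new `COPY ./certs/*` explains why README.md is always copied but not why that is harmless: `update-ca-certificates` (Debian and Alpine alike) only registers files under `/usr/local/share/ca-certificates/` whose name ends in `.crt`, so the README is silently skipped — and a certificate dropped in as `.pem` would be skipped just as silently. Add a line such as `# update-ca-certificates only registers *.crt files; README.md (and any .pem) is ignored.` to the comment. Every `.crt` placed in certs/ becomes a trust anchor for all TLS performed in this stage, module downloads included, so the directory's contents deserve the same review as source. This layer sits in the `builder` stage named in the hunk header; whether the runtime stage, which lies outside the hunk, also needs the CAs cannot be judged from here. The identical COPY/RUN block in images/jump-host/Dockerfile has the same documentation gap.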
+++ b/images/jump-host/Dockerfile
@@ -1,9 +1,18 @@
 ARG BASE_IMAGE=gcr.io/google-appengine/python
 FROM ${BASE_IMAGE}
+# Inject custom root certificate authorities if needed.
+# Docker does not have a good conditional copy statement and requires that a
+# source file exists to complete the copy function without error. Therefore, the
+# README.md file will be copied to the image every time even if there are no
+# .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
 RUN apt-get update
 RUN apt-get install -y --no-install-recommends jq
+RUN pip3 config set global.cert /etc/ssl/certs/ca-certificates.crt
 RUN pip3 install requests python-dateutil redfishtool
 CMD ["/bin/bash"]
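Review bot: `RUN pip3 config set global.cert …` on the new line carries no scope flag, so pip writes it to the invoking user's config (root's `~/.config/pip/pip.conf` here); that covers the `pip3 install` that follows but not any non-root user a later `USER` instruction might introduce, and `RUN pip3 config --global set global.cert /etc/ssl/certs/ca-certificates.crt` (or `ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt`) would make the setting image-wide. The line also presumes the base image's pip is new enough to have the `config` subcommand, which the untagged `${BASE_IMAGE}` does not guarantee. Separately, `requests` as installed by pip (and tools built on it, redfishtool presumably among them) validates against certifi's bundled roots rather than the system store, so the injected CAs are not trusted by those tools at runtime unless something like `ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` is set — whether the jump host's runtime connections traverse the same proxies is not visible in this hunk.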