From 9105c6bcd07592f88807e36ec29cb0b11377abc0 Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Thu, 8 Apr 2021 13:43:41 -0400
Subject: [PATCH] Fix openssl in krm-functions images

Users behind firewalls may be unable to build all the airshipctl images as a result of OpenSSL errors stemming from certificates used with the proxy. To address this, the images impacted have been updated to copy the proxy certificate from airshipctl/certs into the image and run update-ca-certificates command. This is the same behavior that already exists in the base airshipctl image and is simply being extended to the images in krm-functions.

Change-Id: I436d1e25fb0726ab7576fec44a7ef2f9fd20f2bd
Signed-off-by: Alexander Hughes
---
krm-functions/cloud-init/Dockerfile.sample | 8 +++++++
.../replacement-transformer/Dockerfile.sample | 8 +++++++
krm-functions/templater/Dockerfile.sample | 8 +++++++
krm-functions/toolbox/Dockerfile | 22 +++++++++++++++++--
4 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/krm-functions/cloud-init/Dockerfile.sample b/krm-functions/cloud-init/Dockerfile.sample
index fb8018033..f05f6020c 100644
--- a/krm-functions/cloud-init/Dockerfile.sample
+++ b/krm-functions/cloud-init/Dockerfile.sample
@@ -1,4 +1,12 @@
 FROM gcr.io/gcp-runtimes/go1-builder:1.15 as builder
+
+# Inject custom root certificate authorities if needed
+# Docker does not have a good conditional copy statement and requires that a source file exists
+# to complete the copy function without error. Therefore the README.md file will be copied to
+# the image every time even if there are no .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 ENV CGO_ENABLED=0
 WORKDIR /go/src/
 COPY image/go.mod .
diff --git a/krm-functions/replacement-transformer/Dockerfile.sample b/krm-functions/replacement-transformer/Dockerfile.sample
index fb8018033..f05f6020c 100644
--- a/krm-functions/replacement-transformer/Dockerfile.sample
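Review bot: The added `COPY ./certs/*` followed by `RUN update-ca-certificates` makes any certificate placed in the build context's `certs/` directory a trusted root for every TLS connection made later in the `builder` stage, and nothing in the file records which certificates went in. The identical lines are added to the replacement-transformer and templater samples and to both stages touched in krm-functions/toolbox/Dockerfile. I would extend the comment to say so, for example `# Every CA in ./certs is trusted for all downloads in this stage; keep the directory empty unless a proxy requires it`, and print the directory before updating the store (`RUN ls -l /usr/local/share/ca-certificates/ && update-ca-certificates`) so the build log shows what was trusted. The stage continues past the hunk, so whether a later stage inherits the modified store cannot be checked from here.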
+++ b/krm-functions/replacement-transformer/Dockerfile.sample
@@ -1,4 +1,12 @@
 FROM gcr.io/gcp-runtimes/go1-builder:1.15 as builder
+
+# Inject custom root certificate authorities if needed
+# Docker does not have a good conditional copy statement and requires that a source file exists
+# to complete the copy function without error. Therefore the README.md file will be copied to
+# the image every time even if there are no .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 ENV CGO_ENABLED=0
 WORKDIR /go/src/
 COPY image/go.mod .
diff --git a/krm-functions/templater/Dockerfile.sample b/krm-functions/templater/Dockerfile.sample
index fb8018033..f05f6020c 100644
--- a/krm-functions/templater/Dockerfile.sample
+++ b/krm-functions/templater/Dockerfile.sample
@@ -1,4 +1,12 @@
 FROM gcr.io/gcp-runtimes/go1-builder:1.15 as builder
+
+# Inject custom root certificate authorities if needed
+# Docker does not have a good conditional copy statement and requires that a source file exists
+# to complete the copy function without error. Therefore the README.md file will be copied to
+# the image every time even if there are no .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 ENV CGO_ENABLED=0
 WORKDIR /go/src/
 COPY image/go.mod .
diff --git a/krm-functions/toolbox/Dockerfile b/krm-functions/toolbox/Dockerfile
index 6ce5587b9..d431b1400 100644
--- a/krm-functions/toolbox/Dockerfile
+++ b/krm-functions/toolbox/Dockerfile
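Review bot: The new `COPY ./certs/*` and the existing `COPY image/go.mod .` appear to assume different build-context roots. The commit message places the certificates in airshipctl/certs, while `image/go.mod` looks relative to the function's own directory (the toolbox Dockerfile in this patch uses the repository-rooted `krm-functions/toolbox/main.go` instead). If the sample is built with the function directory as context, the added COPY has no source to match and the build stops there, which is the failure the added comment describes for an empty directory. I would state the expected context in the comment, for example `# Build with the airshipctl repository root as context so that ./certs resolves`, or align the two COPY paths; the cloud-init and templater samples carry the same pair of lines.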
@@ -1,6 +1,15 @@
 ARG RELEASE_IMAGE=scratch
 FROM ${RELEASE_IMAGE} as kctl
-RUN apk add curl
+
+RUN apk update && apk add curl
+
+# Inject custom root certificate authorities if needed
+# Docker does not have a good conditional copy statement and requires that a source file exists
+# to complete the copy function without error. Therefore the README.md file will be copied to
+# the image every time even if there are no .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 RUN curl -L "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl" \
 -o /kubectl
 RUN chmod +x /kubectl
@@ -14,7 +23,16 @@ COPY krm-functions/toolbox/main.go .
 RUN /usr/local/go/bin/go build -v -o /usr/local/bin/config-function ./
 FROM ${RELEASE_IMAGE} as calicoctl
-RUN apk add curl
+
+RUN apk update && apk add curl
+
+# Inject custom root certificate authorities if needed
+# Docker does not have a good conditional copy statement and requires that a source file exists
+# to complete the copy function without error. Therefore the README.md file will be copied to
+# the image every time even if there are no .crt files.
+COPY ./certs/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 RUN curl -L "https://github.com/projectcalico/calicoctl/releases/download/v3.18.1/calicoctl" \
 -o /calicoctl
 RUN chmod +x /calicoctl
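Review bot: Both download steps in this file (`/kubectl` in the kctl stage here, `/calicoctl` in the calicoctl stage of the second hunk) now run right after a proxy CA has been added to the trust store, and neither verifies what it fetched, so the binary's integrity rests entirely on a TLS session that the proxy can terminate. I would pin the kubectl version instead of resolving `stable.txt` at build time and check a known digest after each download, e.g. `echo "<expected-sha256>  /calicoctl" | sha256sum -c -`, using `curl -fL` so that an HTTP error page is not saved as the binary. Separately, `RUN apk update && apk add curl` leaves the package index in the layer; `RUN apk add --no-cache curl` installs the same package without it. Both stages continue outside the hunks.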