From 3003e431a8eb9496728d2f6ecec71f1ebef573ba Mon Sep 17 00:00:00 2001
From: Travis Groth
Date: Fri, 22 Oct 2021 16:21:26 -0400
Subject: [PATCH] deployment: remove DST_Root_CA_X3 from docker images (#2677) (#2698)
---
 .github/Dockerfile-release | 8 ++++++++
 .github/workflows/test.yaml | 18 ++++++++++++++++++
 Dockerfile | 7 +++++++
 Dockerfile.debug | 2 ++
 4 files changed, 35 insertions(+)
diff --git a/.github/Dockerfile-release b/.github/Dockerfile-release
index ab1d2380c..62fcf72f9 100644
--- a/.github/Dockerfile-release
+++ b/.github/Dockerfile-release
@@ -1,5 +1,12 @@
 ARG ARCH
+# build our own root trust store from current stable
+FROM debian:stable as casource
+RUN apt-get update && apt-get install -y ca-certificates
+# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
+RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
+
+
 FROM busybox:latest as build
 RUN touch /config.yaml
@@ -8,5 +15,6 @@ ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 COPY pomerium* /bin/
 COPY --from=build /config.yaml /pomerium/config.yaml
+COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 ENTRYPOINT [ "/bin/pomerium" ]
 CMD ["-config","/pomerium/config.yaml"]
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 9a49ade6c..032188b2e 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -182,6 +182,24 @@ jobs:
 - uses: actions/checkout@v2
 with:
 fetch-depth: 0
+ - name: Hadolint - Master uses: hadolint/hadolint-action@v1.5.0 with: Dockerfile: Dockerfile ignore: DL3059 failure-threshold: error
+ - name: Hadolint - Debug uses: hadolint/hadolint-action@v1.5.0 with: Dockerfile: Dockerfile.debug ignore: DL3059 failure-threshold: error
+ - name: Hadolint - Release uses: hadolint/hadolint-action@v1.5.0 with: Dockerfile: .github/Dockerfile-release ignore: DL3059 failure-threshold: error
 - name: build
 run: docker build .
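Review bot: The `RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates` added to the casource stage has no `-f`, so the build fails the moment the ca-certificates package pulled from the floating `debian:stable` tag stops shipping that file — the expected fate of an expired root, and it will land on an unrelated rebuild rather than a deliberate change. The same line is added in the Dockerfile casource stage and in Dockerfile.debug. On Debian the supported way to drop a root is the `!` prefix in /etc/ca-certificates.conf, which stays a no-op once the entry disappears: `RUN sed -i 's|^mozilla/DST_Root_CA_X3.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf && update-ca-certificates`; whether Alpine's update-ca-certificates honours the same file is worth confirming before applying it to Dockerfile.debug. If the deletion is kept, `rm -f` at least makes the step idempotent, and the comment above it should say the step is allowed to be a no-op on newer bundles.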
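Review bot: The three new steps pin `hadolint/hadolint-action@v1.5.0` by tag; for a third-party action the usual supply-chain hardening is a full-length commit SHA with the tag kept in a trailing comment, since tags are mutable and this job runs on every push. `failure-threshold: error` also lets hadolint's warning-level findings through, including the `:latest` base tags visible in these Dockerfiles (`busybox:latest`, `alpine:latest`, DL3007) and the unpinned `ca-certificates` install (DL3008), so the gate is weaker than the step names suggest; `failure-threshold: warning` with explicit `ignore` entries for accepted rules makes the accepted risk visible in the workflow. The enclosing job starts before this hunk.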
diff --git a/Dockerfile b/Dockerfile
index b465c1808..d0fd8b10d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,10 +15,17 @@ RUN make build NAME=pomerium
 RUN make build NAME=pomerium-cli
 RUN touch /config.yaml
+# build our own root trust store from current stable
+FROM debian:stable as casource
+RUN apt-get update && apt-get install -y ca-certificates
+# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
+RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
+
 FROM gcr.io/distroless/base:debug
 ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
 COPY --from=build /config.yaml /pomerium/config.yaml
+COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 ENTRYPOINT [ "/bin/pomerium" ]
 CMD ["-config","/pomerium/config.yaml"]
diff --git a/Dockerfile.debug b/Dockerfile.debug
index 08786c435..a0cf05140 100644
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -20,6 +20,8 @@ FROM alpine:latest
 ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 RUN apk add --no-cache ca-certificates libc6-compat gcompat
+# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
+RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
 COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
 COPY --from=build /config.yaml /pomerium/config.yaml
 COPY --from=build /go/bin/dlv /bin
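Review bot: The trust store the final image ships now comes from whatever `debian:stable` resolves to at build time, so two builds of the same commit can carry different root bundles, and the new `COPY --from=casource` silently replaces the bundle that `gcr.io/distroless/base:debug` already provides. Pinning the casource base by digest (`FROM debian:stable@sha256:<digest-of-the-tested-image> as casource`, bumped deliberately) keeps the bundle reproducible and reviewable; the same applies to the casource stage in .github/Dockerfile-release. A comment on the `COPY --from=casource` line stating the override is intentional would stop the next reader from treating it as a leftover, e.g. `# Intentionally replaces the base image's bundle with the casource one (expired DST Root CA X3 removed)`. The `apt-get install -y ca-certificates` is unpinned and without `--no-install-recommends`; harmless in a throwaway stage, but the Hadolint steps added in the same commit will warn on it.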