3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-07 05:12:45 +02:00
Code Issues Projects Releases Packages Wiki Activity

deployment: remove DST_Root_CA_X3 from docker images (#2677) (#2698)

Browse source
This commit is contained in:
Travis Groth 2021-10-22 16:21:26 -04:00 committed by GitHub
parent 6900fe9533
commit 3003e431a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.github/Dockerfile-release vendored
View file

@ -1,5 +1,12 @@
ARG ARCH ARG ARCH
# build our own root trust store from current stable
FROM debian:stable as casource
RUN apt-get update && apt-get install -y ca-certificates
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
FROM busybox:latest as build FROM busybox:latest as build
RUN touch /config.yaml RUN touch /config.yaml
@ -8,5 +15,6 @@ ENV AUTOCERT_DIR /data/autocert
WORKDIR /pomerium WORKDIR /pomerium
COPY pomerium* /bin/ COPY pomerium* /bin/
COPY --from=build /config.yaml /pomerium/config.yaml COPY --from=build /config.yaml /pomerium/config.yaml
COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ENTRYPOINT [ "/bin/pomerium" ] ENTRYPOINT [ "/bin/pomerium" ]
CMD ["-config","/pomerium/config.yaml"] CMD ["-config","/pomerium/config.yaml"]

18
.github/workflows/test.yaml vendored
View file

@ -182,6 +182,24 @@ jobs:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Hadolint - Master
uses: hadolint/hadolint-action@v1.5.0
with:
Dockerfile: Dockerfile
ignore: DL3059
failure-threshold: error
- name: Hadolint - Debug
uses: hadolint/hadolint-action@v1.5.0
with:
Dockerfile: Dockerfile.debug
ignore: DL3059
failure-threshold: error
- name: Hadolint - Release
uses: hadolint/hadolint-action@v1.5.0
with:
Dockerfile: .github/Dockerfile-release
ignore: DL3059
failure-threshold: error
- name: build - name: build
run: docker build . run: docker build .

7
Dockerfile
View file

@ -15,10 +15,17 @@ RUN make build NAME=pomerium
RUN make build NAME=pomerium-cli RUN make build NAME=pomerium-cli
RUN touch /config.yaml RUN touch /config.yaml
# build our own root trust store from current stable
FROM debian:stable as casource
RUN apt-get update && apt-get install -y ca-certificates
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
FROM gcr.io/distroless/base:debug FROM gcr.io/distroless/base:debug
ENV AUTOCERT_DIR /data/autocert ENV AUTOCERT_DIR /data/autocert
WORKDIR /pomerium WORKDIR /pomerium
COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/ COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
COPY --from=build /config.yaml /pomerium/config.yaml COPY --from=build /config.yaml /pomerium/config.yaml
COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ENTRYPOINT [ "/bin/pomerium" ] ENTRYPOINT [ "/bin/pomerium" ]
CMD ["-config","/pomerium/config.yaml"] CMD ["-config","/pomerium/config.yaml"]

2
Dockerfile.debug
View file

@ -20,6 +20,8 @@ FROM alpine:latest
ENV AUTOCERT_DIR /data/autocert ENV AUTOCERT_DIR /data/autocert
WORKDIR /pomerium WORKDIR /pomerium
RUN apk add --no-cache ca-certificates libc6-compat gcompat RUN apk add --no-cache ca-certificates libc6-compat gcompat
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/ COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
COPY --from=build /config.yaml /pomerium/config.yaml COPY --from=build /config.yaml /pomerium/config.yaml
COPY --from=build /go/bin/dlv /bin COPY --from=build /go/bin/dlv /bin