From 30cd8a8472b963259365be6dccb6a4e290e022ce Mon Sep 17 00:00:00 2001 From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> Date: Mon, 18 Sep 2023 15:47:10 -0700 Subject: [PATCH] ci: remove ca-certificates workaround (#4488) Update our Dockerfiles to debian12 distroless base images and remove the ca-certificates workaround (Debian 12 has dropped the problematic expired root certificate). --- .github/Dockerfile-release | 10 +--------- .github/Dockerfile-release-debug | 10 +--------- .github/Dockerfile-release-debug-nonroot | 10 +--------- .github/Dockerfile-release-nonroot | 10 +--------- Dockerfile | 9 +-------- 5 files changed, 5 insertions(+), 44 deletions(-) diff --git a/.github/Dockerfile-release b/.github/Dockerfile-release index cc42c8d6a..98c9626c2 100644 --- a/.github/Dockerfile-release +++ b/.github/Dockerfile-release @@ -1,18 +1,10 @@ -# build our own root trust store from current stable -FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource -RUN apt-get update && apt-get install -y ca-certificates=20210119 -# Remove expired root (https://github.com/pomerium/pomerium/issues/2653) -RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates - - FROM busybox:latest@sha256:caa382c432891547782ce7140fb3b7304613d3b0438834dce1cad68896ab110a as build RUN touch /config.yaml -FROM gcr.io/distroless/base:latest@sha256:b0216a38315e7d4e14a70338f4bcfdf622bcd2ca2f3fcb48de446c4bb51f7243 +FROM gcr.io/distroless/base-debian12:latest@sha256:d64f5483d2fd0cec2260941c443cb2947102e46e1a9fe36a321d0a788c1a49e0 ENV AUTOCERT_DIR /data/autocert WORKDIR /pomerium COPY pomerium /bin/ COPY --from=build /config.yaml /pomerium/config.yaml -COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt ENTRYPOINT [ "/bin/pomerium" ] CMD ["-config","/pomerium/config.yaml"] 
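Review bot: With the `casource` stage gone, the root trust store in the final image is now exactly the `ca-certificates` bundle baked into the pinned `base-debian12` digest, and nothing in the file says so any more; a reader who sees the #2653 comment removed may not realise that CA changes (another expired root, a new root) now only arrive when this digest is bumped. I'd put a one-line comment above the new `FROM`: `# Root CA bundle comes from the distroless base; bump this digest to pick up ca-certificates changes (context: #2653).` The `:latest` tag is harmless because the digest pins the image, but it no longer tells a reader which distroless release the digest corresponds to, so the comment is where that belongs.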
diff --git a/.github/Dockerfile-release-debug b/.github/Dockerfile-release-debug index 45629c2c2..e1041e8e4 100644 --- a/.github/Dockerfile-release-debug +++ b/.github/Dockerfile-release-debug @@ -1,18 +1,10 @@ -# build our own root trust store from current stable -FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource -RUN apt-get update && apt-get install -y ca-certificates=20210119 -# Remove expired root (https://github.com/pomerium/pomerium/issues/2653) -RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates - - FROM busybox:latest@sha256:caa382c432891547782ce7140fb3b7304613d3b0438834dce1cad68896ab110a as build RUN touch /config.yaml -FROM gcr.io/distroless/base:debug@sha256:3a6219499a89088ff5d37ce8fd3e3a61fccb75ef05a4e0ba2092ea92d380f48f +FROM gcr.io/distroless/base-debian12:debug@sha256:d2890b2740037c95fca7fe44c27e09e91f2e557c62cf0910d2569b0dedc98ddc ENV AUTOCERT_DIR /data/autocert WORKDIR /pomerium COPY pomerium /bin/ COPY --from=build /config.yaml /pomerium/config.yaml -COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt ENTRYPOINT [ "/bin/pomerium" ] CMD ["-config","/pomerium/config.yaml"] diff --git a/.github/Dockerfile-release-debug-nonroot b/.github/Dockerfile-release-debug-nonroot index 537e02813..5d2ddfba0 100644 --- a/.github/Dockerfile-release-debug-nonroot +++ b/.github/Dockerfile-release-debug-nonroot 
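Review bot: The `:debug` digest pinned here (`d2890b…`) is the same one used in the top-level `Dockerfile`, and the release, nonroot and debug-nonroot files each pin their own distroless digest; with five hand-edited digests the variants will silently drift the next time one file is bumped and another is not. A digest cannot be shared across files with `ARG`, so either a comment naming the siblings, `# keep in sync with Dockerfile and the other .github/Dockerfile-release* files`, or a single renovate/dependabot group for `gcr.io/distroless/base-debian12` is what keeps them moving together. As far as I can tell the busybox `build` stage digest is equally duplicated and was not touched, so the same applies there.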
@@ -1,18 +1,10 @@ -# build our own root trust store from current stable -FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource -RUN apt-get update && apt-get install -y ca-certificates=20210119 -# Remove expired root (https://github.com/pomerium/pomerium/issues/2653) -RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates - - FROM busybox:latest@sha256:caa382c432891547782ce7140fb3b7304613d3b0438834dce1cad68896ab110a as build RUN touch /config.yaml -FROM gcr.io/distroless/base:debug-nonroot@sha256:dbce382b7e6bc34dd49db2c07b759797039ca144089a134617ac1de5a3bc5f27 +FROM gcr.io/distroless/base-debian12:debug-nonroot@sha256:d53efe9604cae04e8c02df63e3b22040c64e2db505e0074325a6bc1b710a0ada ENV AUTOCERT_DIR /data/autocert WORKDIR /pomerium COPY pomerium /bin/ COPY --from=build /config.yaml /pomerium/config.yaml -COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt ENTRYPOINT [ "/bin/pomerium" ] CMD ["-config","/pomerium/config.yaml"] diff --git a/.github/Dockerfile-release-nonroot b/.github/Dockerfile-release-nonroot index c61676271..8e75da29d 100644 --- a/.github/Dockerfile-release-nonroot +++ b/.github/Dockerfile-release-nonroot 
@@ -1,18 +1,10 @@ -# build our own root trust store from current stable -FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource -RUN apt-get update && apt-get install -y ca-certificates=20210119 -# Remove expired root (https://github.com/pomerium/pomerium/issues/2653) -RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates - - FROM busybox:latest@sha256:caa382c432891547782ce7140fb3b7304613d3b0438834dce1cad68896ab110a as build RUN touch /config.yaml -FROM gcr.io/distroless/base:nonroot@sha256:49d2923f35d66b8402487a7c01bc62a66d8279cd42e89c11b64cdce8d5826c03 +FROM gcr.io/distroless/base-debian12:nonroot@sha256:832c73e0fadf08a6bc2680534057df63983146676248aa20f9ed52b8f0b662f9 ENV AUTOCERT_DIR /data/autocert WORKDIR /pomerium COPY pomerium /bin/ COPY --from=build /config.yaml /pomerium/config.yaml -COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt ENTRYPOINT [ "/bin/pomerium" ] CMD ["-config","/pomerium/config.yaml"] diff --git a/Dockerfile b/Dockerfile index 249bc86d9..4ec34fa70 100644 --- a/Dockerfile +++ b/Dockerfile 
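Review bot: The new `base-debian12:nonroot` base runs the entrypoint as the distroless `nonroot` user (uid 65532, as far as I know — confirm against the image), while `WORKDIR /pomerium`, `/bin/pomerium` and `/pomerium/config.yaml` are still created root-owned by `COPY`, and `ENV AUTOCERT_DIR /data/autocert` points at a path that does not exist in the image at all. Reading root-owned config is fine, but anything pomerium writes under `AUTOCERT_DIR` will fail unless the volume mounted there is writable by that uid, and nothing in the file warns about it. A comment on the ENV line would save operators a confusing permission error: `# when autocert is enabled this path must be writable by the distroless nonroot uid (65532)`. While there, `ENV AUTOCERT_DIR=/data/autocert` is the form BuildKit's build check wants; the space-separated form is legacy.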
@@ -29,17 +29,10 @@ COPY --from=ui /build/ui/dist ./ui/dist RUN make build-go NAME=pomerium RUN touch /config.yaml -# build our own root trust store from current stable -FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource -RUN apt-get update && apt-get install -y ca-certificates=20210119 -# Remove expired root (https://github.com/pomerium/pomerium/issues/2653) -RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates - -FROM gcr.io/distroless/base:debug@sha256:357bc96a42d8db2e4710d8ae6257da3a66b1243affc03932438710a53a8d1ac6 +FROM gcr.io/distroless/base-debian12:debug@sha256:d2890b2740037c95fca7fe44c27e09e91f2e557c62cf0910d2569b0dedc98ddc ENV AUTOCERT_DIR /data/autocert WORKDIR /pomerium COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/ COPY --from=build /config.yaml /pomerium/config.yaml -COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt ENTRYPOINT [ "/bin/pomerium" ] CMD ["-config","/pomerium/config.yaml"]
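Review bot: The top-level `Dockerfile` — presumably what `docker build .` produces — now pins the `:debug` variant, which ships a busybox shell and runs as root, whereas the CI files keep separate plain and `-nonroot` variants; if this is an image end users might run, the default should be the plain or nonroot tag and `:debug` left to `.github/Dockerfile-release-debug`. If `:debug` is deliberate here (for local troubleshooting via `docker exec`, say), state it above the `FROM`: `# :debug on purpose: ships a busybox shell for local troubleshooting; release images come from .github/Dockerfile-release*`. The `build` stage that the two `COPY --from=build` lines refer to starts above this hunk.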