pin to a debian:latest image for casource base image (#4250) (#4310)

The debian 'stable' images configure apt to install from the rolling
'stable' repository, rather than a specific Debian release. Thus even
though we pin to a specific Docker image digest, the packages installed
by 'apt-get' can change when a new Debian release is promoted to stable.

Instead, pin to an image where apt is configured to install from
repositories for a specific Debian release (in this case, bullseye).
This commit is contained in:
Kenneth Jenkins 2023-06-16 14:20:09 -07:00 committed by GitHub
parent cd833fcf00
commit d8d59ddded
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 10 additions and 10 deletions

View file

@ -1,6 +1,6 @@
# build our own root trust store from current stable
FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
RUN apt-get update && apt-get install -y ca-certificates
FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
RUN apt-get update && apt-get install -y ca-certificates=20210119
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

View file

@ -1,6 +1,6 @@
# build our own root trust store from current stable
FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
RUN apt-get update && apt-get install -y ca-certificates
FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
RUN apt-get update && apt-get install -y ca-certificates=20210119
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

View file

@ -1,6 +1,6 @@
# build our own root trust store from current stable
FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
RUN apt-get update && apt-get install -y ca-certificates
FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
RUN apt-get update && apt-get install -y ca-certificates=20210119
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

View file

@ -1,6 +1,6 @@
# build our own root trust store from current stable
FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
RUN apt-get update && apt-get install -y ca-certificates
FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
RUN apt-get update && apt-get install -y ca-certificates=20210119
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

View file

@ -30,8 +30,8 @@ RUN make build-go NAME=pomerium
RUN touch /config.yaml
# build our own root trust store from current stable
FROM debian:stable@sha256:1fbdbcfb07b174d245e5f26191aa0401294ae5612a406cdb407f1f6fa6e29e23 as casource
RUN apt-get update && apt-get install -y ca-certificates
FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
RUN apt-get update && apt-get install -y ca-certificates=20210119
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates